If Your Machine Still Has "Secure Boot" Enabled, Then Microsoft Has a de Facto Kill Switch (Even If Your Machine Doesn't Have Windows and Never Had Windows)

posted by Roy Schestowitz on Sep 08, 2025,
updated Sep 08, 2025

Reminders (some sites over-dramatise that a bit, but the basic premise isn't false):

It is not incorrect to call UEFI 'secure boot' a "kill switch" or a step towards that (it is the lesser marketed potential functionality); it's a matter of how one says it and what exactly one means by "kill switch".

Changing the firmware introduces additional risk, e.g. placing a proprietary blob from China in some Lenovo laptop that may have shipped with something benign to pass fundamental if not shallow compliance thresholds ("smell tests" and superficial audits).

Unprecedented? No.

The leadership of the NSA told the media around 2013 (Edward Snowden's leaks) that it had caught China trying to back-door computers near the hardware level (BIOS). This was months later. Of course the NSA was being hypocritical.

The German government rightly had reservations, which the FSFE (before it began taking massive bribes from Microsoft) spoke of:

Yesterday the German Ministry of the Interior published a white paper about "Trusted Computing" and "Secure Boot". The white paper says that "device owners must be in complete control of (able to manage and monitor) all the trusted computing security systems of their devices." This has been one of FSFE's key demands from the beginning. The document continues that "delegating this control to third parties requires conscious and informed consent by the device owner".

Another demand by the FSFE is adressed by the government's white paper. That before purchasing a device, buyers must be informed concisely about the technical measures implemented in this device, as well as the specific usage restrictions and their consequences for the owner: "Trusted computing security systems must be deactivated (opt-in principle)" when devices are delivered. "Based on the necessary transparency with regard to technical features and content of trusted computing solutions, device owners must be able to make responsible decisions when it comes to product selection, start-up, configuration, operation and shut-down." And "Deactivation must also be possible later (opt- out function) and must not have any negative impact on the functioning of hard- and software that does not use trusted computing functions."

"It is an important step, that a government now takes a firm stand on "Secure Boot", too. We as a society have to make sure, that we are in control of our computers, so everyone can install arbitrary software and is able to retain exclusive control over his own data. Full, sole and permanent control over security subsystems is necessary for this.", says Matthias Kirschner, German Coordinator of the FSFE. "Now the Government has to implement their position when buying new hardware."

Don't let this become memory-holed. █

From "The Coming War on General Computation" (2011):

So today we have marketing departments who say things like "we don't need computers, we need... appliances. Make me a computer that doesn't run every program, just a program that does this specialized task, like streaming audio, or routing packets, or playing Xbox games, and make sure it doesn't run programs that I haven't authorized that might undermine our profits". And on the surface, this seems like a reasonable idea -- just a program that does one specialized task -- after all, we can put an electric motor in a blender, and we can install a motor in a dishwasher, and we don't worry if it's still possible to run a dishwashing program in a blender. But that's not what we do when we turn a computer into an appliance. We're not making a computer that runs only the "appliance" app; we're making a computer that can run every program, but which uses some combination of rootkits, spyware, and code-signing to prevent the user from knowing which processes are running, from installing her own software, and from terminating processes that she doesn't want. In other words, an appliance is not a stripped-down computer -- it is a fully functional computer with spyware on it out of the box.

Human rights activists have raised alarms over U-EFI, the new PC bootloader, which restricts your computer so it runs signed operating systems, noting that repressive governments will likely withhold signatures from OSes unless they have covert surveillance operations.

By Cory Doctorow; Chaos Communication Congress in Berlin on December 26, 2011.