Secure Boot complaint filed against Microsoft

[spaceelf]

Acer-/ Emachine - Gateway to name a few...

I still haven't seen an example.

Even on the off chance they don't let you disable it, Linux has already worked around the Secure Boot issue. It's not even an issue anymore.

[redvamp128]

I still haven't seen an example.

I had a friend bring me his All in one with Windows 8

Acer Aspire AZS600-UR15

and wanted me to install Windows 7 on it- there was no option to turn off the check.

Windows 7 would pretend like it would install then at the point of installing boot loader - Fail- even when I placed a fresh drive int the machine.

It would not let it write to the boot sector.

I looked and there was nothing -- the only options were - to control boot order- check for extra hard drives and turn to compatibility mode.

I had to end up restoring the Windows 8.

[+Red King Subscriber²]

No this has nothing to do with LINUX not being good but Microsoft forcing Windows 8 on you....

I mean let me take Linux out of the equation for you.

Windows 8 runs like a snail or you just don't like it and you decide you want to buy and install Windows 7 instead

Whoops Not GOING TO ALLOW IT...

. you can't because the only OS your computer thinks is a Valid install is Windows 8.

And in some of the OEM's there is no bios option to remove or disable this check.

The easy way to edit this is allow the OEM's to have a bios that can be downloaded to allow people to turn it off.

What this boils down to is Allow the user the choice.

What a non argument!

A non-techie user will be content with latest Windows.

A techie user on the other hand should know better.

You have the choice either buy from a large company or build it yourself and install whatever you want on it.

[redvamp128]

What a non argument!

A non-techie user will be content with latest Windows.

A techie user on the other hand should know better.

You have the choice either buy from a large company or build it yourself and install whatever you want on it.

So a user should be content with a system that lags? then? And they want to run a lower OS? - Priceless-

And upgrade of processor is not a valid option since it is a cpu/gpu built into an all in one .

Or you should be stuck with something they don't like then?

[seta-san]

Probably because theoretically, They are knocking at the door and microsoft is behind the locked door giggling while Linux users scratch their heads.

it's abuse of a monopoly by locking out the competition from even experimenting with alternatives.

[rfirth]

Acer- Emachine - Gateway to name a few... There is no option to disable it at all-- it is missing.

Microsoft REQUIRES that all x86/x86-64 machines have the option to turn off Secure Boot...

I had a friend bring me his All in one with Windows 8

Acer Aspire AZS600-UR15

and wanted me to install Windows 7 on it- there was no option to turn off the check.

Windows 7 would pretend like it would install then at the point of installing boot loader - Fail- even when I placed a fresh drive int the machine.

It would not let it write to the boot sector.

I looked and there was nothing -- the only options were - to control boot order- check for extra hard drives and turn to compatibility mode.

I had to end up restoring the Windows 8.

Secure Boot was obviously disabled.

It shouldn't even let you boot from a DVD if Secure Boot is enabled.

Compatibility mode? Perhaps they're calling it that? By the way, Secure Boot doesn't prevent the writing of the boot sector, I don't think. I think it only prevents booting from a boot sector that doesn't have a valid certificate stored in the UEFI. I think. So if malware overwrites it, you will be blocked from booting... and will have to run the recovery DVD to re-write the boot sector.

[goretsky Supervisor]

Hello,

Can you please list the brands and models of computers that vendors have shipped that have Windows 8 preloaded and no option to disable UEFI Secure Boot in their firmware? Please note that by computer, I mean an IA-32 instruction set compatible CPU such as those made by AMD or Intel, and not tablet devices with ARM CPUs that run Windows RT. Thank you.

Regards,

Aryeh Goretsky

No this has nothing to do with LINUX not being good but Microsoft forcing Windows 8 on you....

I mean let me take Linux out of the equation for you.

Windows 8 runs like a snail or you just don't like it and you decide you want to buy and install Windows 7 instead

Whoops Not GOING TO ALLOW IT...

. you can't because the only OS your computer thinks is a Valid install is Windows 8.

And in some of the OEM's there is no bios option to remove or disable this check.

The easy way to edit this is allow the OEM's to have a bios that can be downloaded to allow people to turn it off.

What this boils down to is Allow the user the choice.

I mean what if people buy a PC with Windows 8 and decide they don't like it at all... and they want to install the following.

Windows 7

Linux

Hackintosh

But their computer won't allow them to do this.

This is as they are trying to show is the same option as Microsoft locking people into having IE installed by default.

The other thing to look at is -- people say "BUY a Linux Computer" well that limits the choices and those choices are not very strong computers.

Other than -

https://www.system76.com

But still there are not a lot of options- They don't even offer any AMD chip-sets.

Some of these people don't mind paying for a computer with Windows but also like the CHOICE to have a dual boot as well.

I mean would you want a computer where you can't even choose which OS you want on it?

[The_Decryptor Veteran]

I can't see this going anywhere, Microsoft aren't locking anybody out, the Linux guys can sign their own releases (Or they can do what Red Hat tried to do, and patch the kernel to read the signed binary MS provides), or they can simply turn it off (I can't even enable it on my PC since my GFX card isn't up to spec, Windows 8 doesn't have an issue with it)

...

Compatibility mode? Perhaps they're calling it that? By the way, Secure Boot doesn't prevent the writing of the boot sector, I don't think. I think it only prevents booting from a boot sector that doesn't have a valid certificate stored in the UEFI. I think. So if malware overwrites it, you will be blocked from booting... and will have to run the recovery DVD to re-write the boot sector.

"Compatibility Mode" (Or Compatibility Support Module) is the UEFI name for "BIOS", great isn't it? Turning that option on causes it to boot the the classic BIOS method and disables any nice functionality UEFI provides (like Secure Boot)

[Alwaysonacoffebreak]

I wonder if Linux users feel sorry for this group or not? If not they should.

[nub]

Microsoft forcing Windows 8 on you....

You do know that Microsoft REQUIRES that secure boot can be disabled, right? Microsoft isn't doing ****. You're a god damn idiot. Stop blabbering bull****.

I had a friend bring me his All in one with Windows 8

Acer Aspire AZS600-UR15

Funny... I was able to find it in the manual.

https://mega.co.nz/#!VkFRXaAT!LLt1iRqH54ssGoLDI_tvIggvWulOt87OZUTc7T7DWOU

[redvamp128]

I can't see this going anywhere, Microsoft aren't locking anybody out, the Linux guys can sign their own releases (Or they can do what Red Hat tried to do, and patch the kernel to read the signed binary MS provides), or they can simply turn it off (I can't even enable it on my PC since my GFX card isn't up to spec, Windows 8 doesn't have an issue with it)

"Compatibility Mode" (Or Compatibility Support Module) is the UEFI name for "BIOS", great isn't it? Turning that option on causes it to boot the the classic BIOS method and disables any nice functionality UEFI provides (like Secure Boot)

Actually that option listed turned the SATA drive as an ATA drive when choosing Compatibility mode.

It would boot the Windows 7 DVD but when it went to write to the Drive that was when it failed.

There was no listed option to turn it off.. the bios options were sparse.

[redvamp128]

You do know that Microsoft REQUIRES that secure boot can be disabled, right? Microsoft isn't doing ****. You're a god damn idiot. Stop blabbering bull****.

Funny... I was able to find it in the manual.

https://mega.co.nz/#...t87OZUTc7T7DWOU

Seriously There was no Authentication Tab when I was in it-- and I just called the guy and he booted to the bios and it is not there.

[rfirth]

There was no listed option to turn it off.. the bios options were sparse.

I don't know, seems like it's pretty obvious to me:

Funny... I was able to find it in the manual.

Seriously There was no Authentication Tab when I was in it-- and I just called the guy and he booted to the bios and it is not there.

Fine, but Microsoft does require that you have the ability to disable it. Your dispute isn't with Microsoft, but with Acer. This isn't an instance of Microsoft being anti-competitive or intentionally locking others out.

[redvamp128]

I don't know, seems like it's pretty obvious to me:

What bios revision did the screen come from

Fine, but Microsoft does require that you have the ability to disable it. Your dispute isn't with Microsoft, but with Acer. This isn't an instance of Microsoft being anti-competitive or intentionally locking others out.

What bios revision?

[nub]

What bios revision?

In the picture? P11-A0 built on 8/8/12

[Torolol]

the one who need the secure boot most is the corporates environtment,

however current 'secure boot' implementation is less desired

as the fact that key was handled by Microsoft & hardware vendor, and NOT by hardware owner.

If hardware owner can create its own unique keys,

they can sign the OS files with it,

and the computer can only works if it run using said 'apporved' OS,

this is the ideal way of using Secure Boot in corporate environtment.

While in current situation, suppose corporate using secure boot Windows 8,

but employess managed to install some other OS,

because the fact that OS signed with the SAME Key as used by the W8,

the secure boot protocols will accept and run that OS.

From Corporate's security point of view thats are not desireable,

and thus doesn't achieve alleged security that suppose to be delieverd by 'Secure Boot'.

Sure you can disable the Secure Boot,

but can you specify/modify the key? NO. Only hardware vendor can do that.

And if the current Secure Boot's Keys are compromised just like how PlayStation 3's keys was compromised,

that means all existing secure boot can be compromised as the key management was handled by MS & hardware vendor.

[The_Decryptor Veteran]

...

Sure you can disable the Secure Boot,

but can you specify/modify the key? NO. Only hardware vendor can do that.

...

If it's any good you can, my motherboard lets me install/remove any keys (including the default MS keys)

[Alwaysonacoffebreak]

the one who need the secure boot most is the corporates environtment,

however current 'secure boot' implementation is less desired

as the fact that key was handled by Microsoft & hardware vendor, and NOT by hardware owner.

If hardware owner can create its own unique keys,

they can sign the OS files with it,

and the computer can only works if it run using said 'apporved' OS,

this is the ideal way of using Secure Boot in corporate environtment.

While in current situation, suppose corporate using secure boot Windows 8,

but employess managed to install some other some other OS

because the fact that OS signed with the SAME Key as used by the W8,

the secure boot protocols will accept and run that OS.

From Corporate's security point of view thats are not desireable,

and thus doesn't achieve alleged security that suppose to be delieverd by 'Secure Boot'.

Sure you can disable the Secure Boot,

but can you specify/modify the key? NO. Only hardware vendor can do that.

And if the current Secure Boot's Keys are compromised just like how PlayStation 3's keys was compromised,

that means all existing secure boot can be compromised as the key management was handled by MS & hardware vendor.

Stopped reading at "keys handled by Microsoft".

No they are not. Verisign is handling Secure Boot keys. Microsoft bought they key like everyone else can do, they even offered keys for Linux distros for free for a while but since Linus is too stuck up on his own views it went all sour, this is nothing you can blame MS on.

[articuno1au]

the one who need the secure boot most is the corporates environtment,

however current 'secure boot' implementation is less desired

as the fact that key was handled by Microsoft & hardware vendor, and NOT by hardware owner.

If hardware owner can create its own unique keys,

they can sign the OS files with it,

and the computer can only works if it run using said 'apporved' OS,

this is the ideal way of using Secure Boot in corporate environtment.

While in current situation, suppose corporate using secure boot Windows 8,

but employess managed to install some other some other OS

because the fact that OS signed with the SAME Key as used by the W8,

the secure boot protocols will accept and run that OS.

From Corporate's security point of view thats are not desireable,

and thus doesn't achieve alleged security that suppose to be delieverd by 'Secure Boot'.

Sure you can disable the Secure Boot,

but can you specify/modify the key? NO. Only hardware vendor can do that.

And if the current Secure Boot's Keys are compromised just like how PlayStation 3's keys was compromised,

that means all existing secure boot can be compromised as the key management was handled by MS & hardware vendor.

You can load your own signing keys in some implementations..

That is, however, the reason it's set up the way it is. It's beyond confusing for the average user. That's why Microsoft mandated that you be able to turn it off.

If you want secure boot that you hold the keys to, awesome. Find an OEM provider that allows you to, then find a way to sign the MS bootloader and you're in.. You are at best a borderline use case >.<

[redvamp128]

In the picture? P11-A0 built on 8/8/12

That explains it. His is 5/22/12 I guess I should email acer for a download of an updated bios.

[rfirth]

That explains it. His is 5/22/12 I guess I should email acer for a download of an updated bios.

Why would a computer that shipped with Windows 8... which was released in October 2012... ship with a BIOS revision from May 2012 instead of the more current version from August 2012? Interesting...

And if that's a revision from May 2012, and that was written before Windows 8 was released... why can't you boot Windows 7?

See? Microsoft isn't screwing with you. Acer is.

[Alwaysonacoffebreak]

That explains it. His is 5/22/12 I guess I should email acer for a download of an updated bios.

BIOS updates should be listed on their site download sections as well. At least most OEM's have it this way.

[redvamp128]

Why would a computer that shipped with Windows 8... which was released in October 2012... ship with a BIOS revision from May 2012 instead of the more current version from August 2012? Interesting...

And if that's a revision from May 2012, and that was written before Windows 8 was released... why can't you boot Windows 7?

See? Microsoft isn't screwing with you. Acer is.

that one was oops a miss typed I am

on my phone.

8/22/12 was what it should have been whichit was September 2012 when he wanted me to put 7 on it... there were no updated bios on their site when I checked that month

[Torolol]

If it's any good you can, my motherboard lets me install/remove any keys (including the default MS keys)

whats your motherboard type?

i would like to recommend it to some client,

as most Secure Boot capable motherboard i've seen, doesn't allow you to installing your own keys easily,

some said that user can change the key during Firmware Updates,

which mean the key must be specified somewhere in the firmware binaries!

Stopped reading at "keys handled by Microsoft".

No they are not. Verisign is handling Secure Boot keys. Microsoft bought they key like everyone else can do, they even offered keys for Linux distros for free for a while but since Linus is too stuck up on his own views it went all sour, this is nothing you can blame MS on.

yes, but doesn't change the fact that almost (all?) windows 8 in existance are signed by the very same key, which pose pending problem of key compromise i mentioned above.

And, the corporates actually want to sign the OS they use with their own unique keys,

as that would give them control on what OS allowed to be used in their environtment,

and less likely affected whenever the world-wide Windows-8 Secure Boot keys compromise happens.

but:

then find a way to sign the MS bootloader and you're in..

signing MS OS's component using your own unique keys...,

i read the report that some one did try and of course the Windows 8 was complaining afterward (which is a good thing from OS security's POV btw),

Thats however, unable to achieves what the corporates want.

You can load your own signing keys in some implementations..

That is, however, the reason it's set up the way it is.

It's beyond confusing for the average user. That's why Microsoft mandated that you be able to turn it off.

If you want secure boot that you hold the keys to, awesome. Find an OEM provider that allows you to.

yes, by firmwire updates some OEM did offering that, but it also mean OEM will know the half about the unique key,

some corps would like if if none of the outsider would know about their keys.

And currently, only open-sourced OS (linux flavor for example) components than can easly signed, not Windows 8.

so why Coprs not switch to Linux?

well, due the fact that Corporation still need windows, and OS migration are costly & painful process.

[redvamp128]

Hello,

Can you please list the brands and models of computers that vendors have shipped that have Windows 8 preloaded and no option to disable UEFI Secure Boot in their firmware? Please note that by computer, I mean an IA-32 instruction set compatible CPU such as those made by AMD or Intel, and not tablet devices with ARM CPUs that run Windows RT. Thank you.

Regards,

Aryeh Goretsky

I think we figured it out...bios needs flahing... his was for august 2012 ... which did not have that as an option... the october bios says that was added.. but when I checked in september there were no bios updates ... which I then gave it back to him.... so there is a fix....problem is on acer