Post by Deleted on Apr 12, 2015 13:46:50 GMT -6
Secure Boot. Anyone heard of it? Sounds innocent enough, doesn't it? Perhaps....an anti-theft or privacy protection scheme, you might think? The name sounds right for it...eh?
Neigh Neigh, and if it only were so innocent a thing......
Source: Microsoft
Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.
The following versions of Windows support Secure Boot: Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, Windows Server 2012, and Windows RT.
Now you need to understand, that right there is the biggest bunch of double talk to protect self interest that ever babbled from a public description, and it rankles every hair of my consumer protection minded fur.
To read between the lines for the effective result? You can install NOTHING BUT those operating systems listed, or those specified by the manufacturer of the hardware.
I discovered this over the past couple days, while trying to install Linux to an HP laptop that is too laughably weak to run Windows with more than a single browser window open at a time.
The computer you try and install something outside the Secure approved list to (stored within the programmable areas of the computer chips within the hardware) may give no indication that this is the problem. In my case, I tried a half dozen different Linux distributions, to see each of them almost boot completely before crashing to an odd command prompt and emergency mode my Linux books haven't even talked about existing. (Now that is saying something for confusion!)
So, through material I have found to share from around the net, let's see if I can help explain this a bit and save others from the trial and error I just enjoyed.
Whether you plan on using Windows 8 or not, everyone buying a PC in the future will end up with the Microsoft-driven Secure Boot feature enabled. Secure Boot prevents “unauthorized” operating systems and software from loading during the startup process.
Secure Boot is a feature enabled by UEFI – which replaces the traditional PC BIOS – but Microsoft mandates specific implementations for x86 (Intel) and ARM PCs. Any computer with a Windows 8 logo sticker has Secure Boot enabled.
Let me be clear on this....It is related TO...but NOT A PART OF Windows. This is BIOS based, an innovation Microsoft has championed among the hardware manufacturers. It looks to see if you are booting an approved operating system, which includes Windows 8. SecureBoot being on a machine is separate from whether Windows is still there.
This is also solving at least one real problem, which is how it came to be.
The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader, so it allows either to boot.
Secure Boot does effectively solve the issue described above, but at the loss of free use of your own hardware. If that were all it did, it would be ok. However, at present, you need to know it exists, then know how to get into your BIOS, then disable Secure Boot in the BIOS boot options section.
Whew.. That is a lot of stuff for average folks who may not have known what BIOS was before reading about it. It is also a workaround which won't even exist into the future, as Microsoft envisions it.
In addition to not supporting third-party applications on the traditional Windows desktop and being limited to Metro apps, ARM-based Windows RT machines will have a locked boot loader. You won’t be able to disable Secure Boot and install your own operating system – Microsoft mandates that every ARM device with Windows RT won’t allow you to disable Secure Boot.
There is hardware out there now which won't allow this to be disabled, and I just got lucky that my first encounter with it was on a machine that allowed me to shut it down. I got Linux installed as the sole and primary OS to that Laptop, but by the sound of this? Microsoft will ensure I can't do that reliably in the future. It sounds as though some equipment may allow freedom, but most won't.
That could certainly represent one effective way to kill Linux in the consumer markets, in its budding stage. It is already a bit of a challenge at times, in its most user friendly form. Add real serious obstacles to that, as average people see it? That may well be enough to kick Linux back into the commercial/server market by manipulation of the products people buy.
---
This is what Secure Boot looks like to see in the BIOS menus, and may help mentally place what I'm referring to, if someone has only seen that part of a computer a couple times.
As other articles online will note, this honestly won't impact the majority of consumer users. The majority will buy a system, never open the case and never fiddle with the operating system deeper than changing wallpaper, screen savers and personal settings.
However, I have a hard time seeing it as anyone's right to manipulate the market so all but 'approved' products are blocked from whole classes of what, until now, has been open hardware. The world of "Microsoft hardware" vs "Unlocked hardware" takes a sharp turn BACK in time, to a period when "IBM Clone" actually had a different meaning from the general "PC" reference, and mistaking them in the wrong context could leave a person with an expensive boat anchor of little practical value.
Even if, at some point, this insane idea to lock up the computer hardware market is given a proper death and burial, I just found how real the issue is to encounter on existing equipment.
The Bunny's Bottom Line:
Now, more than ever, it matters to look up the specifications of a computer you are going to buy. Even a $250 refurbished machine could have a surprise like SecureBoot lurking within it, to find in the most inconvenient way, and never at a good time.
It isn't a difficult thing to do, and entering the computer's model number with "spec sheet" added in Google will often bring up the details to know what you're buying, and not simply what it is advertised or claimed to be.
Failing that, it always helps to know how to access your BIOS, and as a parting thought, I will leave a link to a guide explaining precisely that. On this HP Laptop, it was a matter of just hitting ESC as it powered up, in the first seconds. Nothing showed on screen to know I was doing it right or wrong, until it was activated and already loading the BIOS screen. That alone is important to know, as that lack of feedback leaves many feeling foolish to be hitting ESC, DEL, F2 or whatever key is required, on a blank or unchanging screen.
Also, it is perfectly safe to go and look around your BIOS. You must select SAVE AND EXIT (F-10 in most cases), as a combined step, for anything you do there to be retained as a change and impact anything else. Do not hit F-10 or Exit & Save, and nothing about looking around will be harmful.
How to Enter your PC's BIOS
....and for those who like the geek porn side of everything, I have more!
Ultimate BIOS Guide: Every Setting Decrypted and Explained!
So, above all, remember......If Linux is failing to boot from a USB or CD, and will not advance for installing itself without a clear reason why? Think to check for deliberate measures blocking it. Think to check for SecureBoot. It may save you long hours of chasing gremlins that don't even exist as bugs.
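
Added example, not part of the original post: one way to check for Secure Boot from a Linux shell (a live session, or an emergency prompt like the one described above) instead of guessing. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names and the state labels it prints are made up for this example.

```shell
#!/bin/sh
# Added example: report the UEFI Secure Boot state from a running Linux system.
# The GUID is the UEFI global-variable GUID from the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-7dab-11d2-aaf2-00c04fc93e8c"
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# An efivarfs file holds 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode are one-byte variables, so the value is byte 5.
efi_byte() {
    # $1 = path to an efivarfs file; prints the value byte in decimal
    [ -r "$1" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1
    echo "$v"
}

secure_boot_state() {
    # $1 = efivars directory (optional; defaults to the real one)
    dir="${1:-$EFIVARS_DIR}"
    if [ ! -d "$dir" ]; then
        echo "not-uefi"                # booted in legacy BIOS/CSM mode
        return 0
    fi
    sb=$(efi_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo "unknown"; return 0; }
    setup=$(efi_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || setup=0
    if [ "$sb" = "1" ]; then
        echo "enabled"                 # firmware is enforcing signature checks
    elif [ "$setup" = "1" ]; then
        echo "disabled-setup-mode"     # no Platform Key enrolled
    else
        echo "disabled"
    fi
}

echo "Secure Boot: $(secure_boot_state)"
```

Where the mokutil tool is installed, `mokutil --sb-state` reports the same thing.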