Microsoft has asked Lenovo to make it harder to boot Linux on their computers.

obviously I know some really cool people who work at Microsoft but it's very funny to me that people have been harping on us FOSS types for not instantly forgiving them for 20 years of malice, and now we've got this. [1]

when Microsoft is asking manufacturers to prevent people from booting other OSes and not communicating as to why, they are positioning themselves as the enemy. it's that simple. if they want to be trusted by Linux users, they need to earn that trust.

we're about 2y away, by my estimation, from living in a bizarro world where x86 PCs are less open to free desktops than ARM Macs.

1: mjg59.dreamwidth.org/60248.htm

@tindall wait, do they actually want lenovo to make laptops where you can't enter setup mode and add your own keys in?

@devurandom right now they are shipping laptops where that is the default, yes.

@devurandom @tindall I mean you already can't, right? Linux boots using a shim signed by Microsoft

@tindall @alexandria @devurandom To elaborate, they've disabled the key for that shim by default now. There's a switch in the UEFI settings to enable the shim's key, but it's off by default so you have to know it exists.

@vwbusguy @be @tindall @alexandria @devurandom

This is exactly the point!

All those who are calling criticism of alarming vendor-lock-in "alarmist" are missing it ... entirely.

Freedom is not when they let you have the choice. Freedom is when they can't deny you the choice.

@vwbusguy @be @tindall @alexandria @devurandom

To rebut some of the talking points that inevitably crop up:

"it concerns only a tiny fraction of devices" (so what? This is part of a long-term strategy to consolidate control),

"it's good for security" (nope, single points of trust or failure never are),

"majority don't need or want alternate OSes" (or maybe they just don't know they maybe would, and now never will???)

@alexandria @tindall i'm not a security person, this is not security advice, but

iirc: on my laptop it goes like this: it starts off in "user mode", where keys are predefined and unchangeable. booting a system signed with the wrong key fails. but i can enter "setup mode", in which the uefi allows you to add other allowed keys. once the keys are added, the system goes back into "user mode" and prohibits other keys, but allows the ones you've added.

i added some hooks to make the linux kernel compile with my own personal key whenever it's updated, added the key to uefi using a special tool and now it will boot my distro, but not a third-party kernel.

this is useful if you have an encrypted drive setup, because you can't encrypt the boot partition, so if you think someone can use that to slip in a counterfeit bootloader/kernel that'll leak the encryption keys, you need to prevent that by using secure boot and signing the kernel with a key they don't have access to.
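The "user mode" and "setup mode" states described in the post above can be read back on Linux from two firmware variables, `SetupMode` and `SecureBoot`. This is an added example, not code from anyone in the thread; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the function names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
EFIVARS = Path("/sys/firmware/efi/efivars")          # assumed efivarfs mount point
# Constructed sample: attribute word 0x6 (boot + runtime access), then one data byte.
SAMPLE = {"SetupMode": b"\x06\x00\x00\x00\x00", "SecureBoot": b"\x06\x00\x00\x00\x01"}

DESCRIPTIONS = {
    "setup": "setup mode: no platform key enrolled, keys can be added",
    "user-enforcing": "user mode: platform key enrolled, untrusted images are refused",
    "user-disabled": "user mode: keys enrolled, but signature enforcement is off",
    "inconsistent": "firmware reports SetupMode=1 and SecureBoot=1 together",
    "unavailable": "not booted through UEFI, or the variables are not exposed",
}


def parse_u8_var(raw: bytes) -> int:
    """An efivarfs file is a 4-byte little-endian attribute word, then the data."""
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    return value


def classify(setup_mode: int, secure_boot: int) -> str:
    if setup_mode == 1:
        return "inconsistent" if secure_boot == 1 else "setup"
    return "user-enforcing" if secure_boot == 1 else "user-disabled"


def read_state(root: Path = EFIVARS) -> str:
    """Return a DESCRIPTIONS key for the machine's current Secure Boot state."""
    try:
        setup = parse_u8_var((root / f"SetupMode-{EFI_GLOBAL}").read_bytes())
        secure = parse_u8_var((root / f"SecureBoot-{EFI_GLOBAL}").read_bytes())
    except FileNotFoundError:
        return "unavailable"
    return classify(setup, secure)


if __name__ == "__main__":
    sample = classify(parse_u8_var(SAMPLE["SetupMode"]), parse_u8_var(SAMPLE["SecureBoot"]))
    print("constructed sample:", DESCRIPTIONS[sample])
    state = read_state()
    print("this machine:", DESCRIPTIONS[state])
```

Running it before and after enrolling your own keys shows the transition from "setup" back to "user-enforcing" that the post describes.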
