back to article Choosing a non-Windows OS on Lenovo Secured-core PCs is trickier than it should be

Lenovo's laptops caused a disturbance last week after a security engineer found himself unable to boot up a copy of Linux due to restrictions that are apparently insisted upon by Microsoft. Matthew Garrett, an information security architect, was keen to check out Lenovo's latest Pluton-equipped wares but found himself unable …

  1. mark l 2 Silver badge

    I still think that letting one software vendor (IE Microsoft) have control over the proprietary keys to what alternative OS can be booted on a piece of hardware was a bad idea. And now along with Intel and AMD having their own management software running underneath the OS we have Microsoft adding their own 'security' processor baked into the hardware doing who knows what.

    1. oiseau Silver badge
      Facepalm

      ... doing who knows what.

      Who knows what?

      Hmmm ....

      Remember what went on with the ME also known as the Intel Management Engine?

      The autonomous subsystem incorporated in virtually all of Intel's processor chipsets since 2008?

      Well. it is probably that and who knows what.

      That's what.

      O.

    2. Updraft102

      Any OS vendor can create secure boot keys for use with their own signed bootloaders. MS is not the only vendor that can do that. It's just that the hardware OEMs likely would not care to include the keys for any OS they don't offer as a preinstalled or supported choice on their hardware. With that in mind, the various Linux vendors use the MS third party signed shim instead (with their own keys used as they go down the boot chain from that initial shim).

      As long as MS does not demand hardware vendors enforce secure boot with no option to disable it, it's the hardware vendor's fault if there is no way to turn it off. Personally, I do have it enabled on my Linux machines where it won't interfere with anything; where it will, I disable it. My big problem at the moment is not with Microsoft, but the Linux kernel people. Linus gave in to the idiot(s) who decided that secure boot being enabled means kernel lockdown mode is used, which in turn turns off hibernation. The gist of it is that the hibernation file is stored unencrypted, so allowing a secure boot PC to hibernate could leave the keys to the store easily available to miscreants.

      It simply is not true, though, to say that if you are going to occasionally use hibernation, there is no value in secure boot at all. All those times you didn't use hibernation even though you had the option, secure boot is still doing its job. Having it enabled does not imply it gets used all the time, of course, but even if hibernation is used, it raises the level of effort required to successfully exploit the boot chain if it is necessary to search for and find secure boot keys first. Linus held firm on this for a while, but I guess they wore him down.

      For those of us who use UEFI-level full disk encryption... well, our swap partitions are encrypted with the system off, which is when the hibernation file is relevant, but you still insist that we can't use hibernation because some kernel devs I never met can't be certain my swap partition is protected (that's a "me" problem, not a "you" problem, kernel guys). They thereby require me to turn the security feature completely off instead, in the name of ensuring my security. Sounds almost Redmondian in its illogic.

      I have one laptop that handles secure boot in a really neat way. I can use the options in the UEFI to select a bootloader as trusted, and from that point forward the UEFI will securely boot that bootloader. Bootloaders already signed with an OEM key don't need to be added to the whitelist, obviously, but this option makes it easy to enable secure boot for any bootloader that is not pre-approved.

      1. RAMChYLD

        > Any OS vendor can create secure boot keys for use with their own signed bootloaders.

        Unfortunately that is also not necessarily true. As I've mentioned many times there are badly programmed UEFI BIOSes that would brick the computer the moment a key that isn't from Microsoft is injected into the secure boot keyring. In my case, the Ventoy key on an Gigabyte X470 Aorus Gaming 5. Injecting the Ventoy key causes the machine to immediately start exhibiting a bad slowdown (noticeable delay between keypress and response on screen), and upon reboot, the machine will never come to until the CMOS is cleared which results in all keys getting purged.

    3. RAMChYLD

      RE: independent keyholder

      What I've been saying all this time. The keys to secure boot should be held by a third party that does not have a product that would result in conflict of interest.

    4. Binraider Silver badge

      In a related Reg article on the Surface Pro update, I called out MS on their behaviour regarding locking down secure boot to prevent alternate OS use.

      I was downvoted. Probably by MS shills.

      And here we are with the smoking gun. Again.

    5. Anonymous Coward
      Anonymous Coward

      re. bad idea

      there are many bad ideas for end-users, which are great ideas for software and hardware vendors (perhaps you can never have a win-win, if one side of the 'deal' has the power to shift that balance, guess towards which solution).

      Sorry for the bleeding obvious, you'd think that the product is meant to be great idea for... end user. Well, no, the product is merely a means to the end, the means being many end users, and the end is the great idea of greatER profits for software and hardware vendors. Nothing personal, just business :/

  2. Franco Silver badge

    I'll wait till there's more info to pass full judgement, but Lenovo are (IMO) not overly trustworthy when it comes to what they do with their BIOS and who's fault it is. They've already stopped BIOS reconfig via script as they claim it's a security issue (which HP and Dell don't seem to agree with, in their opinion it's fine as long as you also secure the BIOS with a password when you do it) which means the little Enterprise market share they still have is going away very quickly. They've also been known in the past to not bother to support any flavour of Linux with their storage drivers and blame that on other people too.

    1. oiseau Silver badge
      Devil

      Hello:

      ... also been known in the past to not bother to support any flavour of Linux ...

      Which is the main reason I do not come near that crap.

      Should I receive one (or similarly crippled) for my birthday/anniversary/xmas or whatever (doubtful but remotely possible) I'll quickly sell it at a discount to some WinFan and go purchase decent hardware with the cash.

      Or maybe just blow it all on something worthwhile.

      Like broads and booze.

      O.

    2. Gene Cash Silver badge

      Lenovo are (IMO) not overly trustworthy

      Let's see, there's:

      * the Lenovo Service Engine that phoned home and installed bloatware

      * the pre-installed Superfish malware

      * the Lenovo Customer Feedback Program that shopped your info to Omniture daily

      * the Lenovo Solution Center with TWO privilege escalations that allowed remote code execution

      And that's just a quick Google.

      I wouldn't touch 'em with somebody else's 10-foot barge pole.

      1. RAMChYLD

        And then there's the fact that they shipped one laptop in the past that does not allow disabling Secure Boot (fine, some Distros will still boot, but not all) and one particular laptop they decided to enable hardware FakeRAID, for which there are no drivers for Linux, without giving users an option to turn it off.

        And yet FOSS influencers like Cory Doctrow still swear by them. Very odd.

      2. Marcelo Rodrigues
        Trollface

        "I wouldn't touch 'em with somebody else's 10-foot barge pole."

        Would You touch somebody else's barge pole? Isn't it kinda private?

        I know, I know.

        Coat

        Door

        1. Anonymous Coward
          Anonymous Coward

          Seems like the fascination is embedded in the human psyche. I suspect many people who say they are offended by the sight - actually are being irresistibly attracted. It seems many morality laws are supported by people who are trying - often unsuccessfully - to control their own "dark" thoughts.

    3. MrDamage Silver badge

      >> "They've already stopped BIOS reconfig via script as they claim it's a security issue (which HP and Dell don't seem to agree with

      And guess how many HPs and Dells end up coming into my shop after a Windows update has changed BIOS settings....AGAIN.

    4. eionmac

      while an organisation I work with has L______ computers, I only use De__ to ensure I can use Linux

      distros. Maybe De__ market share will improve?

  3. NickHolland

    Unfortunate, considering how well Lenovo machines have worked for OpenBSD up to this point. And they are generally decent machines.

  4. Adair Silver badge

    So vendors are content ...

    to act as though Microsoft owns general purpose computing hardware.

    Yellow bellied, greedy cowards.

    1. Charlie Clark Silver badge

      Re: So vendors are content ...

      Well, when it is a requirement for the volume discount licensing program that saves them millions. The requirement is buried in the agreement which has to be kept confidential because it contains business "secrets" (Microsoft's anti-competitive behaviour). Considering that > 99% of all users will want to use the pre-installed Windows on the machine, it's difficult to understand why Microsoft continues with this strategy.

    2. bombastic bob Silver badge
      Megaphone

      Re: So vendors are content ...

      Requiring, rewarding, or coercing Lenovo into blocking/hampering/disallowing Linux...

      If it is FORCED by contract, ANTI-TRUST LAWSUIT

      If it is COERCED by pricing, ANTI-TRUST LAWSUIT

      If it is REWARDED somehow, ANTI-TRUST LAWSUIT.

      ANY interference with competing operating systems, EVEN IF THEY ARE NOT PAID FOR, would be an UNFAIR BUSINESS PRACTICE and (in the USA) be subject to PROSECUTION under EXISTING ANTI-TRUST LAWS. (opinion, IANAL)

      I just wanted to point this out. And YES, if Microsoft IS doing this, they SHOULD be SUED for it.

      Maybe the EFF?

  5. steviebuk Silver badge

    How

    have they not been hit with a massive anti-trust suit again? Like back in the 2000 with IE which they lost. They are doing the same again with Edge and now this. Surely this is an anti-trust case screaming out.

    I like Linux but don't use it but recommend it to people on a tight budget for laptops. Also recommended Lenovo as I like them despite the Chinese link (CCP will be in there somewhere now sadly) but no more. Will have to look elsewhere.

    Very tempted by a Framework laptop. Microsoft are loosing control with Satnav incharge, especially with the buy now pay later debt creator they were going to bake into Edge (I assume that never happened as seen no word of it since)

    1. Yet Another Anonymous coward Silver badge

      Re: How

      >have they not been hit with a massive anti-trust suit again?

      Because they are sure that the current lot are dependant on Silicon Valley for funding

      The lot who are going to take over in October are 'pro-business'

      The big red flashing anti-trust light over Android and Apple mean that Microsoft can smile sweetly and say "why us?"

      1. Charlie Clark Silver badge

        Re: How

        And there was only anti-trust proceedings in the US after the EU took up the case. In the US "good for the consumer" only exists on bumper stickers.

    2. Updraft102

      Re: How

      It is not an encouraging sign, but you can supposedly go into the UEFI setup and turn on MS third party module signing. The default setting only works with the MS key on Windows, but when you enable that setting, the Lenovo behaves like other PCs. I would not let having to change one setting dissuade me from buying a machine I like (though I must also add that I have never owned a Lenovo).

  6. David 132 Silver badge
    Linux

    Well, he was doing it wrong.

    The preferred, “approved” way to install Linux these days is on top of Windows using WSL. That way, Microsoft can ensure that you get the best possible Linux experience.

    (I couldn’t decide whether to go with the Trollface icon, because I worried that people might think the above comment is serious…)

    1. bombastic bob Silver badge
      Devil

      Re: Well, he was doing it wrong.

      I would be installing FreeBSD. If Secure Boot can NOT be "just turned off" it's NO SALE.

  7. gerryg

    Seems to be more illegal in the EU than USA

    https://core.ac.uk/download/pdf

    Article from journal discusses.

    However it does feel like we've gone back to browsers and OSes (FSFE ECJ case) and definitely revisiting EEE.

    It must certainly be terrible PR?

    1. Anonymous Coward
      Anonymous Coward

      Re: Seems to be more illegal in the EU than USA - FAIL

      https://core.ac.uk/download/pdf/pdf returns 404

    2. Anonymous Coward
      Anonymous Coward

      Re: It must certainly be terrible PR?

      unfortunately not, because 99.99% of users don't have a f... clue what 'bios' is, let alone other 'bits' mentioned in the comments. You turn it on, it's SECURE, hurrah! The end. The rest of us freaks can be safely ignored...

  8. SImon Hobson Silver badge

    Really, is anyone actually in the least bit surprised ?

    Secure boot came in, and was originally easy to turn off - so "don't worry, you can turn it off and boot somehting else".

    Then it became always on and this signed shim was needed.

    This is simply the next step - put an extra obstacle in the way of someone performing unauthorised computation with the hardware they thought they had bought. Good god, anyone not running Windows must be some sort of criminal. At least, that would appear to be the approach being taken in Redmond.

    1. morningtea

      Am I the only one here who thinks SecureBoot is actually a good thing?

      The massive mistake was to hand over CA responsibilities to Microsoft, not SecureBoot itself.

      Manufacturers screw up the non-Windows experience in many ways these days, it seems, but they really are not always to blame. Sometimes it's the whole industry that's screwed up...

      1. Anonymous Coward
        Anonymous Coward

        You're right that the issue is that Microsoft appear to be the main CA for these certs and this is the big problem. But can't manufactures load other keys to into their secure boot key store, playing around on some older HP ProLiants recently I had to reload the secure boot keys to cope with HPE being a separate company. The tools that does this shows all the keys they've loaded and I noted that as well as the MS keys and the manufactures own keys, HP was loading keys for SUSE (but not Red Hat).

        The PK (Platform Key) is from HP

        firmware keys:

        PK:

        /O=Hewlett-Packard Company/OU=Long Lived CodeSigning Certificate/CN=HP UEFI Secure Boot 2013 PK Key

        The Microsoft and SUSE keys are then listed as key exchange keys

        KEK:

        /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de

        /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation KEK CA 2011

        /O=Hewlett-Packard Company/OU=Long Lived CodeSigning Certificate/CN=HP UEFI Secure Boot 2013 KEK key

        While the "whitelist" database contains the HP, Microsoft Windows and "other" keys and the SUSE keys.

        db:

        /CN=SUSE Linux Enterprise Secure Boot Signkey/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de

        /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011

        /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011

        /O=Hewlett-Packard Company/OU=Long Lived CodeSigning Certificate/CN=HP UEFI Secure Boot 2013 DB key

        There's tons of stuff in the blacklist database but I've never tried to turn any of this into something human readable.

        Given that the main platform key is from the manufacture isn't it up to them to load the keys. Not that Microsoft aren't specifying to some extent which keys needs to be loaded, but it looks at least to some extent that it is possible for them to load other keys.

        dbx:

    2. Updraft102

      Secure boot is not always on unless the hardware vendor chooses for it to be. With 8.x on PCs, MS required secure boot be on by default, but there had to be an option to turn it off. With Windows 10, they removed the bit about there having to be an option to turn it off, leaving that choice to the hardware manufacturer. Windows 11 requiring secure boot does not mean that MS is demanding that hardware vendors get rid of the option to disable it.

      Certainly I would avoid any PC that has always-on secure boot, but it's not Microsoft at fault for that. If MS changes its policy and starts demanding that, then they will be the bad guy, but that would provoke legal action for sure,

      1. DuncanLarge Silver badge

        The problem with your assertion, that because MS has not decreed secure boot should never have an option to be turned off, that this means it is up to the manufacturer thus we will have options to turn it off, is that you assume that manufacturers see beyond the MS borders.

        You have to realise that most MB manufacturers are lambs and MS play the role of Mary.

        MS dominate the x86 desktop/laptop architecture. That is more than enough incentive to not have the off option, as MS windows requires secure boot thus why have an off option? (note that I didnt suggest the server market, that has a very different mix).

        The option to turn it off will thus become "unsupported" by most MB manufacturers as they design their hardware to work with windows. They test their hardware to work with windows. They warranty their hardware to work with windows. And windows REQUIRES secure boot, so supporting and testing an option to turn it off is surplus and only will be utilised by a small minority anyway, some of which will do so by accident and create noise on the support desk.

        Take the BIOS for example. The UEFI has essentially replaced the BIOS, for MOST operating systems, and certainly the main one. But the BIOS is still required by any number of older operating systems and older hardware that require the CSM in UEFI to function. Yet many UEFI's dont have a CSM anymore, why? Windows dont need it, thats why. And if the manufacturers even considered the Linux minority, even WE don need it. But does QNX boot on UEFI? Does DOS? Why did I mention DOS? Well there are plenty of DOS installs out there that can continue to do their DOSsy things controlling breweries etc on modern hardware, if only they can boot.

        Backwards compatibility for the BIOS was recently sacrificed for the sake of reducing support requirements, because the majority (windows) does not need it and has not needed it for a long time.

        So yes, I think your assertion that MB manufacturers will maintain and support the ability to turn off secure boot is wishful thinking at best. Only if it is mandated by LAW will such a feature be maintained, just like it was mandated by law that MS did not lock down the X86 TPM. Nothing stopped them locking down the ARM TPM, find me a ARM based windows machine that has the option to let a user control or even disable secure boot...

        Lets not forget that MB manufactures only develop and test their UEFI boot process to SUPPORT WINDOWS. The UEFI specification is very clear as to how it works and how any OS can be booted but there are plenty of manufacturers who only test it boots windows and some that actually actively try to "correct" the Linux boot entry because it must be a corrupted windows boot entry, HP I'm looking at you. So if Linux isnt even properly supported by the UEFI boot process in so many cases, today, what makes you think secure boot will be any better?

  9. Claverhouse Silver badge
    Thumb Down

    The Dog Returns To His Vomit

    They really never stop, do they ?

    1. Scotthva5

      Re: The Dog Returns To His Vomit

      No and they never will as long as their focus is fixated on market share and pleasing Wall Street instead of customer experience.

  10. Kev99 Silver badge

    I've often read a clean install of Windows will fix beaucoup problems in Windows. So, go nuclear, wipe the HDD/SDD, install you Linux flavor of choice and then install windows on a separate partition. I guess.

    1. Updraft102

      Except for that final step, yes.

    2. Anonymous Coward
      Anonymous Coward

      If it's left shit in the firmware you've still got the shit.

  11. DeathSquid

    A leopard never changes its spots.

    I hope all the people who said Microsoft had "changed" have learned their lesson. Nothing has changed. Microsoft still needs to be put down like a mad dog, for the good of humanity.

    1. Anonymous Coward
      Anonymous Coward

      Re: A leopard never changes its spots.

      I'm afraid people, in general, don't learn any lessons (just look at the elections, for starters)

    2. Plest Silver badge

      Re: A leopard never changes its spots.

      They've done some good, they've handed out a few crumbs to the masses for free, VSCode is a nice simple IDE tool ( certainly not a pro tool for coding ) and they play FOSS advocate but there simply to find out what the competition is up to, however they're always going to be a wolf in sheep's clothing and take everything they do with a pinch of salt.

  12. martinusher Silver badge

    Coincidence?

    I read just today that Q2 sales of PCs have plummeted. I must admit that I'd like a new PC but I don't want all of that corporate crap on it, I'm a great fan of KISS. The more things you put on a system to secure it the more attack surfaces you expose; eventually the PC becomes the point of the exercise with any user software being just an afterthought (user software? Surely that just means MS Office? There is no other user software...)

    So I'll just limp along with whatever junk I can lay my hands on. It will probably work just fine, especially as its running Linux most of the time.

    1. Plest Silver badge

      Re: Coincidence?

      Every single PC I've owned since 1991, whether I built it myself or bought a boxed deal, the second the power goes on the CD/DVD/USB goes in and wipes the supplied Windows O/S. I've always got my Windows ISOs from MSDN, they're built for enterprises to start with a base, they don't have the crapware installed by some paid advertisers and the core builds expect you to tweak them.

      I'm not pushing Windows or Linux, each person has to decide what they like, but one thing you never, ever do is run with the supplied crap-filled, bloated quagmire of a free copy of Windows on a PC from a shop. Buy it, plug in in, switch it on and wipe it clean, then do what you will.

  13. Kevin McMurtrie Silver badge
    Big Brother

    Triopoly

    There's no foul as long as it's not a monopoly. You may use a locked-down Apple or Google booting device if you don't like your locked-down Microsoft device.

    1. Richard Crossley
      Thumb Down

      Re: Triopoly

      I would rather use the device for the purposes I require, rather than being spied on by; Microsoft, Apple or Google. I'd rather have a device with no requirement to MS to issue keys to boot my OS of choice.

      1. Kevin McMurtrie Silver badge

        Re: Triopoly

        You all missed the sarcasm and Apple's now ironic use of the 1984 visuals.

  14. Updraft102

    "A Microsoft spokesperson told The Register in January that using the tech with Linux was "an unsupported scenario.""

    I'm sorry, Microsoft, were you under the impression we wanted you to provide any support?

    1. Peter Gathercole Silver badge

      The problem is that Microsoft can in theory restrict or refuse support for Windows on a system with Linux also installed in a dual boot configuration.

      Not a problem for me, I've mainly been microsoft free for years, but would be for anybody who still needs a dual boot environment.

      1. Ken Hagan Gold badge

        It's also not a problem for the vast majority of Windows users, who get no support guarantees from Microsoft.

    2. ITMA Bronze badge

      How does Microsoft go about helping its customers?

      Well a good start is TAKE YOUR F**CKING BOOT OFF THEIR NECKS... Let them do what THEY want with THEIR property (computers).

  15. Anonymous Coward
    Anonymous Coward

    Pluton

    God of Wealth, Death and the Underworld.

  16. Dan 55 Silver badge

    Coming soon in Windows 12

    Special BIOS key management software to enable boot for non-MS OSes, requiring you to complete Windows set up and download the app from the MS Store first. For security, like.

  17. Ashto5

    Let the buyer beware

    MS have provided OS and IDE that have allowed me to have a very profitable career.

    So thank you MS, BUT ffs can you please stop shooting yourself in the face.

  18. localzuk Silver badge

    It is inevitable...

    The EU court case can be seen coming from miles away.

    A software manufacturer requiring hardware manufacturers to make using other OS's more difficult, in favour of their own? Yeah, I can't see the EU accepting that one.

  19. sreynolds Silver badge

    Pathetic...

    What's the next excuse "The Devil made me do it"

    1. Plest Silver badge
      Facepalm

      Re: Pathetic...

      Some bigger boys from the other side of the playground made me do it!

      ha ha!!

  20. navarac

    I get pissed off with autocratic companies who think they own my PC. Apple is just as bad. Who the hell do they think they are? They need to put a big label on PCs like this that syas, "Hobbled by order of Microsoft". See how many that sells.

  21. Anonymous Coward
    Anonymous Coward

    M$....leopard, spots.......and so on

    Once upon a time, BillG engineered MS-DOS so that DR-DOS would not run.

    Yup.....M$ engineering a competitor lockout......who'd have thunk it?

    So.....nothing really changes in Redmond, WA. It's still "Evangelism is War".....see: http://edge-op.org/iowa/www.iowaconsumercase.org/011607/3000/PX03096.pdf

    That was January 2000......same leopard, same spots today!!

    1. Plest Silver badge

      Re: M$....leopard, spots.......and so on

      They got shareholders and our pension funds tied up in their stock, they're never going to change and anything they can do to increase profits they will do, no matter who it locks out and whomever they have to crap to get that cash rolling through the door and ther stock price rising ever higher.

    2. Charlie van Becelaere

      Re: M$....leopard, spots.......and so on

      "Once upon a time, BillG engineered MS-DOS so that DR-DOS would not run."

      A bit later it was, "Windows ain't done till Lotus won't run."

      Plus ça change.

  22. Anonymous Coward
    Anonymous Coward

    Linux was "an unsupported scenario'

    plain English: banned. No, wait there! - strictly speaking, if you put a fence around your luvely garden, you don't 'BAN!!!!' anyone - you just make the fence high enough or the bars close enough so people can open the gate or climb it, by means of an MS ladder / key, right? Enter YOUR garde. Or 'associated space'. Nothing personal, just business. I mean, why would you spend money to support an 'alternative' scenario, while support means money, eh.

    ...

    fast forward 25 years and many happy lawyers later, MS have agreed to change the scenario, only that they're no longer relevant to anything other than ancient history, but hey, victory for fair competition!

  23. DuncanLarge Silver badge

    Well well well, who would have guessed.

    I used to be quite a MS basher but have mellowed in recent years as Gates left, thus letting go of the reins and the FUD and Halloween documents were a fond nostalgic memory of a time when GNU/Linux was so scary and revolutionary to the big wigs, what with windows refund days etc, the creation of Open Source to help rebrand elements of Free Software to win over business execs that care about profit, saving money etc vs freedom.

    Then Trusted Computing reared its ugly head, threatening to lock down computers to the point that they would be queried for their trustworthiness as a function of merely browsing to a website, and the big OS giants (OK, giANT) already had cornered the vast majority of PC use thus had no intention on trusting anything other than their own OS. It looked like there was a future where I, a Free Software loving Richard Stallman fanboy was thinking of hoarding "free" motherboards before the d-day of trusted computing made it impossible to run GNU/Linux. I was ready to buy as many boards and cpu's as I could to have spares all my life. I still have a hoard of old laptops recovered form the IT skip where I worked just for this reason. So what, if in 30 years my machine was going to be slow and unable to communicate over the trusted internet? I would be free to use a computer it for my own reasons, offline with spares to last decades.

    Then Trusted Computing got its balls kicked in!

    As the plans of the giant(s) lay on the floor clutching its nether regions the TPM came out as a mere shadow of what it was supposed to be. Apart from on ARM, MS rules there.

    The TPM was required to be under full user control, even turned off if desired. No website today says "Your TPM is not enabled". Now the TPM is a useful cryptographic store and a very good random number generator which adds high quality randomness to Linux's random pool. The user can even create their own certificate chain and self sign anything they wish. As stated in the article, MS even supplied a cert for signing a shim for other OS's to use. Why? Well so that secure boot can be kept on, to help fight the virus', which is one of the reasons why a TPM was wanted in the first place, besides the ability to allow censorship.

    But here we go, my old self, the MS bashing one, seem to be more active recently. Sure he was placated by MS loving open source this and that, bash in azure, WSL and more hints of a different MS but he is still a bit of a cynic. The recent announcement of the banning of sale of anything that can be seen as FLOSS on the MS store, with that pathetic attempt to explain it away, rattled him too.

    Now we have it all over again. A dominating giant, creating a TPM replacement (why??), blatantly locking out other OS's. Eliminating competition. All very familiar territory. Sure a user can re-enable the third party cert, but for how long? Who is making it clear to MS that this cert, even if disabled, must be supported going forward as a requirement? Or are they merely just going to eventually say "this machine is designed for windows" and wipe their hands of any responsibility of maintaining compatibility when they finally delete the cert for "security reasons".

    Microsoft used underhanded tactics against business and school children alike to become the dominant OS on the x68 platform. Competition was driven almost underground, and thats how GNU/Linux looked back then, as an underground breakthrough OS seemingly coming up from beneath the floorboards with MS execs jumping onto tables screaming like in a Tom and Jerry cartoon. Those days were fun but the execs stopped screaming and started learning up on extermination. Many years later, co-existence looks like the norm, MS being the main dominant choice and GNU/Linux the enthusiast one, which MS was happily bringing parts of into their own offerings.

    It feels like the old days again, MS have embraced and extended, now they look like they are setting up the ability to extinguish. WSL may be the only way anything Linux like will run on such machines in the future.

    1. UdoGoetz

      Re: Well well well, who would have guessed.

      Please don't freak out, there have always been options to buy well-supported Linux machines. The more we buy from these vendors, the stronger they will be when we need them. Just don't expect to get a cheap communist Laptop without shackles.

      See my other post.

      (I admit to having bought communist computers in the past, but I will defintely not do this again)

      1. DuncanLarge Silver badge

        Re: Well well well, who would have guessed.

        > there have always been options to buy well-supported Linux machines

        But who makes the MB's that go into those machines?

        In another reply to someone who asserted that we will always have the option to turn off secure boot I described the reality of the situation and it applies here.

        No matter how many pre-built systems we buy that come with Linux, we will never tip the balance enough to guarantee such support in the hardware used to build these machines. Now, besides laptops, I avoid pre-built, I just upgrade bits as I go in my PC's but I will be affected there too eventually especially if I cant buy PC components anymore as the markets seem to be going (PC parts are increasingly regarded as enthusiast PC-builder stuff, as long as gamers buy such things we can too).

        For a while we will have the ability to turn off secure boot or in this case re-enable the cert. Till the MB manufacturers remove support, say in 10 years at a stretch.

        They will do this because they will need to save money and they wont want to employ someone who knows how to test stuff that isnt windows just to satisfy a minority of what are considered hobbyists?

        MB manufacturers barely even supply a UEFI that can BOOT Linux. Thats because they test it on windows only, as long as the worlds main OS boots, requirements are satisfied. Some MB manufacturers actually supply a UEFI that corrects a linux boot option, because it is clearly a corrupted windows boot option, isnt it HP?

        So if MB manufacturers cant be arsed to develop and test a UEFI to the specification, which would boot Linux happily, why do you think they will continue to support a little used feature, that of re-enabling the cert, if the vast majority of "real" customers dont need it. They already dropped the CSM that provided BIOS compatibility for so many other OS's that dont support UEFO not to mention hardware that need the CSM to hook in their BIOS. All of that was/is being dropped because windows dont need the CSM and heck neither do the tiny amount of Linux users out there.

        Thus we would have to make our own motherboards and UEFI's, maybe we will find a way to reflash broken by design UEFI's with our own to gain control.

        Chances are, we wont be using many x86 systems if this goes the way I see it trying to go. We all will be using RISC V systems.

  24. This post has been deleted by a moderator

    1. aerogems Silver badge

      Re: Here Is The Fix

      Wow... where to even begin with this level of stupid.

      For one, Bill Gates hasn't been at Microsoft for quite a few years now. Not even as Chairman of the Board. Second, Gates had nothing to do with covid vaccine development, so no clue where this nonsense about him wanting to inject people with tracking chips came from. You think a grain of rice doesn't seem very big, but think about the bore size of the needle that would be needed to inject it. You'd notice that. Then, assuming they did inject you with this thing the size of a grain of rice, how would they power it? If it's just some kind of passive NFC type thing, you're going to be limited to a very short distance for detection, making it kind of pointless. Making it even more pointless is that everyone already carries a far more potent tracking device with them all day long, and they PAY people for the privilege. It's called a cell phone. You get far more info from those than you ever could a tracking chip embedded into your arm.

      Gates, like Soros, is just a target of these right-wing conspiracy nutters because he doesn't act like the typical rich person. He's not out bemoaning tax rates, he's not trying to hoard his wealth like some miserly old coot, he's slowly donating most of it to charity and setting up foundations that try to do social good. That makes right-wingers suspicious of him, so they target him with all kinds of nonsense conspiracy theories.

      1. This post has been deleted by a moderator

        1. This post has been deleted by a moderator

        2. aerogems Silver badge

          Re: Nice Strawman

          Speaking of strawmen, any time someone brings up the VARES database you know they're completely full of shit and talking out of an orifice commonly associated with shit. That's a database that just collects every report someone files. It's not verified information. You stub your toe 3 weeks after getting vaccinated, and file a report in VARES, it stays in there despite being nonsense. You have no clue what you're looking at, let alone how to interpret it, but bravely carry on as if your couple months (charitably) of time with Dr. Google (the biggest quack on the planet) makes you more of an expert than people who have literally devoted their entire professional lives to studying these things.

          And as if that weren't enough, you follow it up by a simple name swap of an old Soros trope which is rooted in antisemitism. Soros is Jewish, he invests in media outlets, the Jews allegedly control the media, so obviously Soros is an evil Jewish media master. All you've done is replace Soros with Gates.

          Since in the space of two posts you've gone from just spreading dangerous misinformation to peddling in antisemitic tropes, I will end my involvement here and hope that El Reg does a little house cleaning. At the very least removing your posts, but if they want to also nuke your account, I'd support that too. Clearly you'd be happier on some Internet Nazi Bar site like The Daily Stormer, Truth Social, Gab, or Parler.

          1. SundogUK Silver badge

            Re: Nice Strawman

            Despising Soros doesn't make you anti-Semitic.

      2. Mr. Flibble

        Re: Here Is The Fix

        Maybe, but he's still a dick....

  25. UdoGoetz

    More Fixes

    + Raspberry PI, which is by now more than good enough for libreoffice, for personal webserving, SVN server, personal file server etc. Also for light WWW surfing.

    + Fujtsu Servers based on SPARC are a powerful alternative to Intel and their ME backdoor. https://www.fujitsu.com/us/products/computing/servers/unix/sparc/

    +IBM Power https://en.wikipedia.org/wiki/IBM_Power_Systems

    + ARM

    https://www.gigabyte.com/Enterprise/Rack-Server/R152-P30-rev-100

    https://www.asacomputers.com/ampere-altra-arm.html

    https://www.solid-run.com/arm-servers-networking-platforms/honeycomb-servers-workstation/#overview

    We must actively use, buy or influence the buying of alternatives to the Wintel monopoly.

  26. aerogems Silver badge

    Little Column A, Little Column B

    It has long been the practice of OEM support reps to blame Microsoft/Windows for just about anything, and then for Microsoft support reps to pretty much do the same. Everyone points the finger at everyone else because SLAs are based on getting people off the phone within a certain amount of time, not about taking the time to actually solve the problem... you know, provide support.

    So, my personal guess is that Microsoft is simply recommending a particular setting, but Lenovo is then misrepresenting it as a hard requirement. Probably not even the fault of whatever poor sod told this researcher that it was something Microsoft was insisting on. Likely that came from several rounds of the workplace version of the telephone kids game where someone asked someone who asked someone else and so by the time the question got to someone who knew the answer it likely didn't bear any resemblance to the original, just like the response that came back.

    Or, it could be a case of the OEM screwing up either intentionally or not. I remember back when XP SP3 came out, HP systems with AMD CPUs were having issues. Everyone was quick to blame Microsoft for somehow targeting AMD CPUs, but turns out it was HP who got lazy and was using the same OS image for Intel and AMD CPUs, which worked fine until it didn't.

    1. UdoGoetz

      Yeah "Recommendation"

      "we recommned you pay us, or your nice pizzeria will no longer be protected by us. Also, your school children will not be protected either".

      1. aerogems Silver badge

        Re: Yeah "Recommendation"

        I strongly suggest you seek help from a qualified professional in your area for your issues with paranoia and delusional thinking.

    2. Dan 55 Silver badge

      Re: Little Column A, Little Column B

      This is all agreed beforehand in the contract between the OEM and MS. They can then point their fingers at each other afterwards but there are no hard feelings, it's all part of the game.

  27. Anonymous Coward
    Anonymous Coward

    >>

    >> A Microsoft spokesperson told The Register in January that using the tech with Linux was "an unsupported scenario."

    >>

    Haha. They are either naive or probably just plain idiots.

    If every machine goes (broken) Pluton... well, it can't; Linux 100% rules the increasingly connected world of cloud / servers and us engineers who write software for the servers tend to only want to do it exclusively on *nix running on our workstations and laptops.

    It is getting to the point where crooked reactionary attempts like this from Microsoft are... just a bit embarrassing for them.

    1. DuncanLarge Silver badge

      I see your optimism.

      The servers will be fine.

      But these developers will be told to use WSL or older hardware.

      1. karlkarl Silver badge

        WSL currently translate to "use a Linux VM". This will never be an option because the virtualizer does not expose the actual hardware (and certainly not Microsoft's basic Hyper-V). That's why developers don't do this currently. The majority never will.

        Older hardware is good. Until they need to buy us newer hardware to get more work out of us. Ultimately the industry will cater to us.

  28. Anonymous Coward
    Anonymous Coward

    Echo chamber

    My friend was on the new employee onboarding in MS; there was a comment about the computer setup - “there are always 2 who have a Mac but everyone else is on Windows” - as in being annoyed. The ratio is like 2 to 150. This is not even Linux I am talking about. What do you expect? Employees probably do not even know that Linux is a thing when they make “informed” decisions.

  29. Randin1

    Shameful Lenovo

    Open letter to Lenovo

    Such action strikes at the very heart of Open Source...

    To restrict hardware based on what the user wants to use as an OS

    is quite frankly deplorable on IBM's part

    I have nothing against UEFI or any type of secure boot process however

    when you use such to restrict what can be used on said machine such

    can only lead to more restrictions

    Next thing you know there will be a wattage and or CPU restriction when

    in certain states or locations!!

    P.s. California already does this with gaming computer orders!!

  30. FlamingDeath Silver badge

    Unsurprised

    Uh-Murica

  31. Missing Semicolon Silver badge

    Time is running out

    There are only so many T440p's left to recondition.

  32. 3arn0wl

    China 2025

    It's surprising that the CCP hasn't put some pressure on the American Chinese multinational, given its commitment to weaning its population off US IP.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022