bri3d 6 hours ago

> Most motherboards include only Microsoft keys as trusted

Is this really true, in 2019 when this was written or today? I haven’t seen a motherboard that didn’t let me enroll my own keys in a really long time. Laptops are a different story but even there, it’s been a while.

> Microsoft forbid to sign software licensed under GPLv3 because of tivoization restriction license rule

Ah yes, GPLv3 is now Microsoft’s fault?

NekkoDroid 5 hours ago

> Is this really true, in 2019 when this was written or today?

This is true in the sense that they only ship with MS' keys as trusted, but all MoBos (including laptops) I had allow enrolling your own. Some might handle not having MS' keys better (or at all) than others, but it should in theory be possible to remove them; whether it will boot after is a different question (see option-ROM [1]).

[1]: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom

TacticalCoder 5 hours ago

> Ah yes, GPLv3 is now Microsoft’s fault?

You are missing the point. It's the fault of those who pushed SecureBoot down our throats (and don't get me wrong: I use SecureBoot) to have decided that Microsoft had both a free-pass to have its certs by default in every UEFI out there but no other certs.

So users either have to understand how to enroll their own certs or to use a shim signed by... Microsoft.

Let's not forget that we're talking about the company responsible for Windows 11 here.

bri3d 3 hours ago

> You are missing the point

Of the GPLv3 sentence? No, it's dishonest rhetorically. Of the piece? Also I don't think so, exploiting the shims is a fun way to prove that Secure Boot is silly but we already knew that, and by 2019 claiming that "most" systems only allowed Microsoft keys is just flat out dishonest as well.

> It's the fault of those who pushed SecureBoot down our throats (and don't get me wrong: I use SecureBoot) to have decided that Microsoft had both a free-pass to have its certs by default in every UEFI out there but no other certs.

I really don't get this argument in general; Microsoft certs are enrolled by default as a combination of: a matter of convenience for majority users who are going to use Microsoft OSes, the unfortunate design of Option ROM signature checking, and the desire to get a Windows logo on the packaging and Microsoft OEM discounts.

There's no Secure Boot or UEFI related reason that boards can't come in Setup Mode with no PK, and most industrial boards do indeed come this way, since they don't need Option ROMs and customers don't want a Microsoft logo.

> So users either have to understand how to enroll their own certs or to use a shim signed by... Microsoft.

This seems like the best outcome for end-user computers which will have Windows installed to me? Users get a computer that checks that the OS it came with is valid (well, tries to, but that's a different can of worms), and still have the option to do whatever they want with it if they so desire. They can choose the Microsoft signed shim for convenient dual-booting, or erase the platform keys and own their system end to end if they wish.

> Let's not forget that we're talking about the company responsible for Windows 11 here.

I've never really understood these arguments, and it's even weirder to bring Windows 11 into it. Is the thing we're railing against here Ballmer-Borg Microsoft? Shitty Product Management Kills Products Microsoft? AI Infested Microsoft? The Venn diagram of overlap between 1990s Microsoft (genesis of UEFI), 2012 Microsoft (Secure Boot introduction), and 2025 Microsoft (Windows 11) seems likely to be... quite small.