LinuxQuestions.org
Old 05-25-2024, 07:48 PM   #31
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,758
Blog Entries: 7

Rep: Reputation: 2858

Quote:
Originally Posted by mjolnir
Recall uses Copilot+ PC advanced processing capabilities to take images of your active screen every few seconds. The snapshots are encrypted and saved on your PC’s hard drive. You can use Recall to locate the content you have viewed on your PC using search or on a timeline bar that allows you to scroll through your snapshots. Once you find the snapshot that you were looking for in Recall, it will be analyzed and offer you options to interact with the content.
Let's put aside all of the privacy issues for a minute. There needs to be more discussion around the practical use for this feature.

My question is, what problem does this feature solve?

Speaking as someone who uses computers in a professional capacity, and has done so for several decades, this feature seems like the answer to a question nobody is asking.
Quote:
Originally Posted by mjolnir
Recall also does not take snapshots of certain kinds of content, including InPrivate web browsing sessions in Microsoft Edge.
Don't worry dudes, your wife won't be able to find your porn history.
Quote:
Originally Posted by mjolnir
It will not hide information such as passwords or financial account numbers.
Hmmm.
Quote:
Originally Posted by mjolnir
"Recall snapshots are kept on Copilot+ PCs themselves, on the local hard disk, and are protected using data encryption on your device and (if you have Windows 11 Pro or an enterprise Windows 11 SKU) BitLocker. Recall screenshots are only linked to a specific user profile and Recall does not share them with other users, make them available for Microsoft to view, or use them for targeting advertisements. Screenshots are only available to the person whose profile was used to sign in to the device. If two people share a device with different profiles they will not be able to access each other’s screenshots. If they use the same profile to sign-in to the device then they will share a screenshot history. Otherwise, Recall screenshots are not available to other users or accessed by other applications or services."
And what about PCs connected to a domain controller? Is it part of a roaming profile?

So, summing up, we have a solution to a problem that doesn't exist, which won't get you into trouble with your wife, but keeps your usernames & passwords on your computer... And it's all being gifted to you by Microsoft.

What could possibly go wrong?

Seriously, it'd take a special level of naivety to believe that this honeypot of rich information is not going to become a target.
 
Old 05-25-2024, 08:58 PM   #32
rclark
Member
 
Registered: Jul 2008
Location: Montana USA
Distribution: KUbuntu, Fedora (KDE), PI OS
Posts: 631

Rep: Reputation: 239
Quote:
{Win OS installed} ... None of mine have, for ages and ages now.
Well, it was cheaper for me to go to Newegg and pick one up. In January, I picked up a laptop (HP 15.6" FHD Laptop, AMD Ryzen 5-5500U Processor, 32GB RAM, 2TB PCIe SSD, AMD Radeon Graphics) that was on sale for my dad. KUbuntu loaded over the top of Windows just fine (and also for the last 5 or 6 laptops previously I've owned or been given). My dad (who is 83) really likes it. But from your comments, it looks like I may have to be a bit more careful the next time when I have a need for a new laptop. Laptops are the only machines I have to 'buy' as a unit as I build my own Linux desktops and servers from the ground up.

Quote:
Seriously, it'd take a special level of naivety to believe that this honeypot of rich information is not going to become a target.
Bingo.

Quote:
we have a solution to a problem that doesn't exist
But remember this is 'marketing' spin to sell MORE hardware and software... Whether the consumer needs it or not. Just like the AI marketing that is currently going on... You (and I) are the target to fall for all the marketing babble and spend $$$ doing so.

Last edited by rclark; 05-25-2024 at 09:16 PM.
 
Old 05-26-2024, 04:25 AM   #33
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 17,430

Rep: Reputation: 2591
Quote:
There is potential with Linux on the new Arm chips, which out of necessity have to have full Linux support. If enough people and businesses move away from Wintel then we can finally relegate the duopoly to its rightful place on the dust heap of history, albeit about three decades late.
The Arm situation is interesting. Early Arm sbcs had make-it-up-as-you-go-along type setups which loaded firmware & config profiles. The RazPis, for instance had the GPU hard coded to load the gpu firmware. From there, everything was controllable, but it loaded cpu firmware, and that took over.

I personally find it difficult to imagine m$ trying for the server market. They'd be laughed out of it. So normal Bios will surely survive.

Now since 2020 there's the "Arm system ready" program, which basically means it will boot to a state where you can install your choice of OS, or boot that OS. So maybe linux heads will just have to ditch x86_64 in favour of Aarch64. Arm are getting good enough. The performance/power ratio is much better than X86_64. The Apple laptops and Ampere servers showed us that. It's only a matter of time before we have serious competition there, or something like Arm CPU + AMD GPU all with native Linux support.

Last edited by business_kid; 05-26-2024 at 05:53 AM.
 
Old 05-26-2024, 05:27 PM   #34
TheJooomes
Member
 
Registered: May 2019
Location: US Central Time
Posts: 224

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
  • The new ones have UEFI / Restricted Boot and no BIOS, so any distro wishing to even boot must pay m$ for that privilege which was once taken for granted now that third party UEFI certificates have been disabled. The era of general purpose computing is drawing to a close if enough of us don't act.
Can you give some examples/sources of Windows machines locking out BIOS configurability?
 
Old 05-27-2024, 04:36 AM   #35
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 17,430

Rep: Reputation: 2591
I'd relax for a bit. The M$ private key was leaked or otherwise broken by hackers last year, so viruses could get through even secure boot. M$ are in the process of replacing stuff, so I'd let that percolate through. It should finish in the July patch Tuesday (I think). It would be fairly easy for them to lock users out of their own systems.
 
Old 05-27-2024, 07:11 AM   #36
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,718
Blog Entries: 4

Rep: Reputation: 3959
Quote:
Originally Posted by TheJooomes
Can you give some examples/sources of Windows machines locking out BIOS configurability?
What's the connection? BIOS configurability has not been mentioned. Though it, too, is now a problem and mention of it does turn up from time to time in other forums, in IRC, and twice IRL here. The locking out of Linux is a separate matter. Some work-arounds include turning off Restricted Boot, and that is an option which is already starting to go away.

There were also debates over UEFI itself, prior to its adoption, pointing out how unnecessary and complex it is. Support for very large partitions could have been added to an improved BIOS rather than infecting systems with a small, parallel operating system like what UEFI has become. Here are some CVEs on UEFI from this year, but there are others:

https://www.itnews.com.au/news/ubiqu...ilities-604126

See also the early debates on the 'shim' and certificates. Non-M$ operating systems must otherwise pay jizyah to m$ for as long as m$ deigns to allow booting. Ubuntu caused quite a stir at the time when it folded on that.
 
Old 05-27-2024, 10:39 AM   #37
TheJooomes
Member
 
Registered: May 2019
Location: US Central Time
Posts: 224

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
What's the connection? BIOS configurability has not been mentioned.
That's the meaning I extracted from "no BIOS", "third party UEFI certificates have been disabled", and "The era of general purpose computing is drawing to a close". I haven't heard of cases that extreme before so I want more than a claim in a forum thread.
 
Old 05-27-2024, 10:55 AM   #38
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,718
Blog Entries: 4

Rep: Reputation: 3959
Quote:
Originally Posted by TheJooomes
That's the meaning I extracted from "no BIOS", "third party UEFI certificates have been disabled", and "The era of general purpose computing is drawing to a close". I haven't heard of cases that extreme before so I want more than a claim in a forum thread.
No problem. Here are two links, the first one via an archive in case m$ changes it:

"Secure the Windows boot process":

https://archive.is/q69Mx/again?url=h...0-boot-process

and "Using your own keys"
https://wiki.archlinux.org/title/Uni..._your_own_keys

Though the first one has a lot of weasel-wording it still makes the point. Notice that you have to actually parse the document:

Quote:
Configure UEFI to trust your custom bootloader. All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
The word "default" is not used specifically, yet the default is exactly what is being described.

Also, the gotcha there is certified. Those which are not certified and those which are certified but not in compliance are not going to permit that. Talk with people who deal with resale of used systems and you will get plenty of first hand anecdotes, there are certainly such shops or individuals in your geographical area.

If you have not gone out of your way to follow trends in ICT lately then it would not be strange that you have not heard of third party certificates being disabled by default. Again, there was a lot of discussion and detailed analysis before UEFI was even rolled out. All that is buried somewhere in the search engines, assuming the pages are even still up.

Edit: See also:
Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default. This means that for any of these Lenovo platforms shipped with Windows preinstalled an extra step is needed to allow Linux to boot with secure boot enabled.

Last edited by Turbocapitalist; 05-27-2024 at 11:20 AM.
 
Old 05-28-2024, 09:41 AM   #39
_blackhole_
Member
 
Registered: Mar 2023
Distribution: FreeBSD
Posts: 154

Rep: Reputation: 143
UEFI + Secureboot was always just a lot of "security theatre" marketing for the gullible. For proprietary OS vendors, security is a feature which can be sold for profit. The aim was always to lock out alternative OS such as Linux. UEFI itself was dreamed up by a consortium of the x86 hardware/bios vendors, MS and Apple.

Those who still believe that Secureboot is really about security and preventing "evil maid" attacks need to pull their heads out of the sand. Business often invents the problem, then sells the solution and this was very similar, but not quite the same. It also came packaged with MS' anti-competitive, hostile agenda to destroy Linux - all dreamed up during the Steve "Linux is a cancer" Ballmer era.

It astounds me that users of FOSS operating systems who post on sites like this one, happily walked down that path, eagerly supporting sell outs like Canonical and Red Hat and are still parroting the marketing speak about Secureboot, many years later. Many of these people were running Linux on hardware which was not configured for dual booting Windows 8.0/8.1, yet still they took great pride in running a UEFI only system, disabling legacy boot, jumping through hoops to configure their OS to boot by this horrible convoluted broken and ironically, insecure MS design, which even uses the antiquated MS FAT file system.

MS wants to ensure that only a Microsoft OS can boot from the bare metal, it has been paving the way for this for years. For Linux it has invested in WSL/WSL2 and it has lured people across with the convenience of that.

The TPM/TPM2 is a further assault on your freedom to install what you want to install on the hardware you paid for. It is one of the latest advances in "Trusted Computing", which is anything but trustworthy...

https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Quote:
There are some gotchas too. For example, TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control. For example, if a protected song is extracted from a hacked TC platform and made available on the web as an MP3 file, then TC-compliant media player software may detect it using a watermark, report it, and be instructed remotely to delete it (as well as all other material that came through that platform). This business model, called traitor tracing, has been researched extensively by Microsoft (and others). In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress everything from pornography to writings that criticise political leaders.
Quote:
The gotcha for businesses is that your software suppliers can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor. Such blatant lock-in might be prohibited by the competition authorities, but there are subtler lock-in strategies that are much harder to regulate.
Quote:
12. Scary stuff. But can't you just turn it off?

Sure - unless your system administrator configures your machine in such a way that TC is mandatory, you can always turn it off. You can then run your PC as before, and use insecure applications.

There is one small problem, though. If you turn TC off, Fritz won't hand out the keys you need to decrypt your files and run your bank account. Your TC-enabled apps won't work as well, or maybe at all. It will be like switching from Windows to Linux nowadays; you may have more freedom, but end up having less choice. If the TC apps are more attractive to most people, or are more profitable to the app vendors, you may end up simply having to use them - just as many people have to use Microsoft Word because all their friends and colleagues send them documents in Microsoft Word. By 2008, you may find that the costs of turning TC off are simply intolerable.
In the world of "Big Tech", the words "trust", "security" and "privacy" don't mean what you think they mean.

Last edited by _blackhole_; 05-28-2024 at 09:43 AM.
 
Old 05-28-2024, 09:52 AM   #40
shortarcflyer
Member
 
Registered: May 2022
Location: Louisiana/USA
Distribution: Void, PCLinuxOS, Mabox, ArcoLinux, Archman, Archbang, Garuda, EndeavourOS, Manjaro
Posts: 769

Rep: Reputation: 94
How about google as well?

CALLER: Is this Pizza Hut?

GOOGLE: No sir, it’s Google Pizza.

CALLER: I must have dialed a wrong number, sorry.

GOOGLE: No sir, Google bought Pizza Hut last month.

CALLER: OK. I would like to order a pizza.

GOOGLE: Do you want your usual, sir?

CALLER: My usual? You know me?

GOOGLE: According to our caller ID data sheet, the last 12 times you called you ordered an extra-large pizza with three cheeses, sausage, pepperoni, mushrooms and meatballs on a thick crust.

CALLER: Super! That’s what I’ll have.

GOOGLE: May I suggest that this time you order a pizza with ricotta, arugula, sun-dried tomatoes and olives on a whole wheat gluten-free thin crust?

CALLER: What? I don’t want a vegetarian pizza!

GOOGLE: Your cholesterol is not good, sir.

CALLER: How the hell do you know that?

GOOGLE: Well, we cross-referenced your home phone number with your medical records. We have the result of your blood tests for the last 7 years.

CALLER: Okay, but I do not want your rotten vegetarian pizza! I already take medication for my cholesterol.

GOOGLE: Excuse me sir, but you have not taken your medication regularly. According to our database, you purchased only a box of 30 cholesterol tablets once at Lloyds Pharmacy, 4 months ago.

CALLER: I bought more from another Pharmacy.

GOOGLE: That doesn’t show on your credit card statement.

CALLER: I paid in cash.

GOOGLE: But you did not withdraw enough cash according to your bank statement.

CALLER: I have other sources of cash.

GOOGLE: That doesn’t show on your latest tax returns, unless you bought them using an undeclared income source, which is against the law!

CALLER: WHAT THE HECK?

GOOGLE: I’m sorry sir, we use such information only with the sole intention of helping you.

CALLER: Enough already! I’m sick of Google, Facebook, Twitter, WhatsApp and all the others. I’m going to an island without the internet, TV, where there is no phone service and no one to watch me or spy on me.

GOOGLE: I understand sir, but you need to renew your passport first. It expired 6 weeks ago…
 
Old 05-31-2024, 06:59 PM   #41
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,718
Blog Entries: 4

Rep: Reputation: 3959
Quote:
Originally Posted by _blackhole_
MS wants to ensure that only a Microsoft OS can boot from the bare metal, it has been paving the way for this for years. For Linux it has invested in WSL/WSL2 and it has lured people across with the convenience of that.
Or lured the managers with the illusion of convenience, a situation without actual convenience and thus one which serves m$ better. Either way, the managers pay m$ for the privilege of booting Linux.

Below are two more links. Neither are found easily (or perhaps at all) via the search engines any more. When you take both together and consider the time scale, the only option out is returning to a Windows free market. Interestingly if you look at data from Statcounter regarding OS market share, and if you count Android¹, then Windows is already back down to low double-digit or smaller in a large number of countries. Even globally, m$ is down to way under a third. How accurate those stats are is anyone's guess but it does indicate that the numbers are far below the approximately 85% desktop market share required to maintain the monopoly rents which were the source of their OS income.

1) Their ongoing, long term, fanatical hate for all systems other than Windows was already well established decades ago. However, it is more important to look at the context of their words from PXE 7068. Not that many years ago, Windows was fringe and did not have the illusion of being mainstream. Schools were Apple, and developers and other technical people were mostly all about UNIX or Linux then:

Quote:
Where are we on this Jihad?
-- Bill Gates (2002)
That is an excerpt of Plaintiff's Exhibit 7068 from the Comes v Microsoft case via the late, great Groklaw also mirrored at Techrights. There are about another 10k similar documents there.

2) Also, the boot loader process had to be mentioned in post 30 above. M$ has been interfering with that for ages:

That is an excerpt from He Who Controls the Bootloader by Scott Hacker.



¹ That's a whole other discussion.
 
Old 06-04-2024, 09:05 AM   #42
_blackhole_
Member
 
Registered: Mar 2023
Distribution: FreeBSD
Posts: 154

Rep: Reputation: 143
That's a great article on BeOS and the x86 bootloader (MS' secret exclusivity deal with the OEMs). BeOS was frozen out and ultimately killed by MS' control over the OEMs and serves as a great example, which few know of or care about. UEFI and Secureboot was merely a doubling down of this strategy.

The secret OEM deal prevented anyone from getting a pre-installed alternative OS on any box supplied by the major vendors. Incredibly still the case today.

UEFI and Secureboot was designed by Microsoft, with collaboration from the x86 OEMs, along with the hardware and BIOS vendors, to stop the individual from installing an alternative OS on any box supplied by those major vendors.

MS laid the foundations for the time when they could amend their secret deal to make Secureboot mandatory - and in the meantime create obstacles for the average person. And that's often all that's needed. You don't have to utterly lock out the competition - that just invites bad press and attracts the wrong kind of attention - no, instead of doing that, you wrap the whole thing up in a lot of security theatricals and present it as a necessity. Then you make the end user jump through hoops to disable it, with plenty of scaremongering along the way.

I have just this moment seen a colleague disable secure boot on an HP desktop (which I've done a few times in the past) for booting a cloning software from a memory stick. You are presented with a few options a few menus deep, followed by a warning, then after reboot you have to enter a 4 or 5 digit number to confirm... this is the kind of nonsense they put in place to deter the uninitiated and coerce them into backing off and leaving things as they are.

Last edited by _blackhole_; 06-04-2024 at 09:08 AM.
 
Old 06-04-2024, 09:36 AM   #43
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 17,430

Rep: Reputation: 2591
It's nearly enough to drive you to Apple next time. With their own GPU, Asahi Linux and the M1-M4 CPUs. They beat the pants off any x86_64 laptop in terms of cpu power & battery life.

I found a nice way out of their advertising crap when I registered my wife. I made her as old as I could. Apple's system threw an error when I set her birthday as 1/1/1885, but it took 1886. Then, because she's so Ancient of Days, nobody wants to sell her anything.
 
Old 06-04-2024, 09:59 AM   #44
_blackhole_
Member
 
Registered: Mar 2023
Distribution: FreeBSD
Posts: 154

Rep: Reputation: 143
macOS runs on x86 hardware and Apple (along with ARM) are one of the members of the UEFI Forum: https://uefi.org/members

Personally, I don't see Apple Silicon, which is a locked down and undocumented platform, as the answer to the Microsoft problem.
 
Old 06-04-2024, 11:16 AM   #45
rclark
Member
 
Registered: Jul 2008
Location: Montana USA
Distribution: KUbuntu, Fedora (KDE), PI OS
Posts: 631

Rep: Reputation: 239
Just an FYI, for Windoze users....

https://www.tomshardware.com/softwar...tup-workaround
 
  

