LinuxQuestions.org

Win2012 wants Secure Boot - damn? (https://www.linuxquestions.org/questions/general-10/win2012-wants-secure-boot-damn-4175537383/)

mostlyharmless 03-24-2015 01:43 PM

@TobiSGD sorry if I was unclear, I did not mean that root kits were a corner case, but that specifically modifying the kernel or bootloader was. I'd also gotten the impression that denial of booting physical media was a primary object, which also doesn't make sense. However you and 273 have clarified the situation.

Pearlseattle 03-24-2015 03:03 PM

Is Microsoft the only company that is currently handling the root keys that come preinstalled with the BIOS?

If yes then this is probably 100% not fair, right?
Meaning: it's a company that is directly competing with whoever wishes to use those keys to boot some other bootloader (to then probably boot some other OS) => MS can be as nice as possible, but the temptation to favour its own OS or just hinder other OSs will always be present.

TobiSGD 03-24-2015 03:51 PM

Quote:

Originally Posted by Pearlseattle (Post 5337130)
Is Microsoft the only company that is currently handling the root keys that come preinstalled with the BIOS?

Verisign manages the keys, not Microsoft.

Pearlseattle 03-24-2015 04:07 PM

Quote:

Originally Posted by TobiSGD (Post 5337151)
Verisign manages the keys, not Microsoft.

Ooohh, that's good, actually great! :D

Pearlseattle 03-24-2015 04:11 PM

Quote:

Originally Posted by veerain (Post 5336521)
Yes, currently Ubuntu has got its own keys from MS to support Secure Boot, and Fedora uses the shim bootloader from Matthew Garrett, who got a key from MS.

What if Microsoft denies giving it or revokes an already given one? An anti-trust case may be waiting in the future.

So, is this information correct and if yes, why was MS involved? Why not get the keys directly from Verisign?

gEEk_X99 03-25-2015 01:16 PM

If OEMs are going to lock us into a Windows operating system, it's better to build the desktop from scratch.

It's a good thing I have experience in building computers. I bought a Gigabyte motherboard last year and once I built the system, I went to the BIOS settings and chose to use legacy mode over UEFI. No need to worry about Secure Boot and stupid keys.

273 03-25-2015 01:57 PM

Quote:

Originally Posted by gEEk_X99 (Post 5337505)
If OEMs are going to lock us into a Windows operating system, it's better to build the desktop from scratch.

It's a good thing I have experience in building computers. I bought a Gigabyte motherboard last year and once I built the system, I went to the BIOS settings and chose to use legacy mode over UEFI. No need to worry about Secure Boot and stupid keys.

For desktops I'm not sure I would do anything but build my own -- even if I wanted to run Windows. However, it is laptops which are the problem and, really, always have been with Linux anyhow since they can't be home built in the same way.
Then there are the people who want to try Linux but can't.
I think, as I mentioned, that for people like most of us posting in this thread this will just mean another thing to look out for when buying computers. The real problem is people who knew no better when buying, which could mean fewer people trying Linux.

TobiSGD 03-25-2015 02:19 PM

Quote:

Originally Posted by gEEk_X99 (Post 5337505)
I went to the BIOS settings and chose to use legacy mode over UEFI. No need to worry about Secure Boot and stupid keys.

Just to avoid any misconceptions, UEFI and Secure Boot are not the same and you can use UEFI without Secure Boot just fine.

gEEk_X99 03-25-2015 02:25 PM

@ 273

With a custom-built computer you can choose the BIOS mode; I know because I did and Linux installed just fine.

However, I don't know for sure if it is going to be easy to change the BIOS settings on desktops that are already built and come with a Windows OS. Like you said, the consumer will have to do their research before buying a computer in the coming years.

But to be honest, I think this mandatory option to disable Secure Boot is going to be fought by the Linux community for years. It's not right to lock users into using one operating system.

Some may say to use Linux as a guest OS on a Windows host machine. But it's not the same performance-wise. Linux runs better using your real hardware.

Quote:

Originally Posted by TobiSGD (Post 5337526)
Just to avoid any misconceptions, UEFI and Secure Boot are not the same and you can use UEFI without Secure Boot just fine.

Thanks TobiSGD for the correction. I thought if UEFI is enabled in the BIOS, Secure Boot will show up as an option.

maples 03-25-2015 08:25 PM

Quote:

Originally Posted by gEEk_X99 (Post 5337529)
Thanks TobiSGD for the correction. I thought if UEFI is enabled in the BIOS, Secure Boot will show up as an option.

Secure Boot can only be used if your system is in UEFI mode. You can use UEFI without Secure Boot, but you can't use Secure Boot without UEFI.
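
Added example, not part of the original thread: a small POSIX shell check that distinguishes the three cases discussed above (legacy boot, UEFI without Secure Boot, UEFI with Secure Boot) on a running Linux system. It assumes efivarfs is mounted under `/sys/firmware/efi/efivars`; the function names `efivar_byte` and `boot_state` are hypothetical, and the optional root argument exists only so the logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# EFI global variable GUID, as defined by the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte FILE
# Print the first data byte of an efivarfs variable file as a decimal number.
# efivarfs files begin with a 4-byte attribute field; the payload follows it.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# boot_state [SYSFS_ROOT]
# Prints one of:
#   legacy                    kernel was not booted through UEFI
#   uefi-secureboot-off       UEFI boot, SecureBoot variable is 0
#   uefi-secureboot-on        UEFI boot, SecureBoot variable is 1
#   uefi-secureboot-unknown   UEFI boot, variable missing or unreadable
boot_state() {
    root="${1:-/sys}"
    efi="$root/firmware/efi"

    # /sys/firmware/efi only exists when the kernel was started by UEFI
    # firmware, so its absence means legacy/CSM boot and no Secure Boot.
    [ -d "$efi" ] || { echo "legacy"; return 0; }

    sb=$(efivar_byte "$efi/efivars/SecureBoot-$EFI_GLOBAL_GUID") || {
        echo "uefi-secureboot-unknown"
        return 0
    }

    case "$sb" in
        1) echo "uefi-secureboot-on" ;;
        0) echo "uefi-secureboot-off" ;;
        *) echo "uefi-secureboot-unknown" ;;
    esac
}

# Report the state of the machine this script runs on.
boot_state
```
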

manu-tm 03-26-2015 04:29 AM

This 'secure boot' thing is an utter lie. If the end result is that you can only boot Windows, then it should be called 'absolutely-not-secure boot'. And this is not a joke.

TobiSGD 03-26-2015 05:59 AM

Quote:

Originally Posted by manu-tm (Post 5337777)
This 'secure boot' thing is an utter lie. If the end result is that you can only boot Windows, then it should be called 'absolutely-not-secure boot'. And this is not a joke.

As was stated previously in this thread already, whether your distribution supports Secure Boot is up to your distribution. There is no reason at all that Linux wouldn't be able to run on systems with Secure Boot enabled.

manu-tm 03-26-2015 06:53 AM

Yes, but I don't see why MS should be involved ever in the process of installing *any* OS on your machine. Because even if the keys come from Verisign, it was MS who initiated the whole thing.

I'm getting more and more tired of all their relentless marketing bullshit and the huge conflict of interest they're in. They may well be extremely commercially successful, when it comes to security, they're the most inept company ever. By OS design and by numbers. Because they don't care that much about secure computing, what they *do* really care about are f###ing *sales*.

TobiSGD 03-26-2015 07:20 AM

Quote:

Originally Posted by manu-tm (Post 5337842)
Yes, but I don't see why MS should be involved ever in the process of installing *any* OS on your machine. Because even if the keys come from Verisign, it was MS who initiated the whole thing.

So if it would come from Red Hat or IBM you wouldn't have a problem with it? I can't say that I understand where the difference is when key management is done by an independent entity.

Quote:

I'm getting more and more tired of all their relentless marketing bullshit and the huge conflict of interest they're in. They may well be extremely commercially successful, when it comes to security, they're the most inept company ever. By OS design and by numbers. Because they don't care that much about secure computing, what they *do* really care about are f###ing *sales*.

Actually, the security features in Windows are superior to what most Linux distros deliver by default, only that they are mostly disabled in the consumer versions by default. So again, I fail to see a difference in Windows in its default state (enhanced security features, but disabled in consumer versions) and Linux distros that have security features like SELinux and AppArmor at hand, but don't see the need to implement them.

manu-tm 03-26-2015 10:52 AM

Quote:

Originally Posted by TobiSGD (Post 5337850)
So if it would come from Red Hat or IBM you wouldn't have a problem with it? I can't say that I understand where the difference is when key management is done by an independent entity.

I was just saying that the whole secure boot idea comes from MS, and I can't help finding this rather suspicious.

Quote:

Originally Posted by TobiSGD (Post 5337850)
Actually, the security features in Windows are superior to what most Linux distros deliver by default, only that they are mostly disabled in the consumer versions by default. So again, I fail to see a difference in Windows in its default state (enhanced security features, but disabled in consumer versions) and Linux distros that have security features like SELinux and AppArmor at hand, but don't see the need to implement them.

What is the point of having security features mostly disabled by default for the average user, the same user who has no idea of how to strengthen his machine security, or why he should do that? Do you think this is what a truly security-focused company should be doing? And what is the proportion of average vs tech savvy Windows users?

Edit: TobiSGD, I appreciate your impartiality, and I agree you can possibly re-configure a Windows machine to be more secure. But I just dislike MS's attitude. Sales are their number one priority. But security, beyond all they pretend, who cares?


All times are GMT -5.