LinuxQuestions.org
Old 10-18-2015, 11:12 AM   #16
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,063

Rep: Reputation: Disabled

Quote:
Originally Posted by Alien Bob View Post
In March, there was a story that Microsoft would drop that OEM requirement for Windows 10: http://arstechnica.com/information-t...out-a-reality/
I just came across the same article. So the current assumption would be that for desktops allowing or not the user to disable Secure Boot is up to the OEM in all cases. That is still an assumption, though, as I didn't see any official information coming from Microsoft, as the one found here for Windows 8.

Anyway, that shouldn't be a show stopper for Linux users as long as signed EFI binaries are available, provided that their signatures are accepted by the firmware, of course. Stay tuned.

While we are making hypotheses, the really worrying scenario for Windows 10 users, IMHO, would be that their system may not boot after installing new hardware. For Windows 8 desktop users the workaround is to disable Secure Boot before installing the new hardware as explained in this article (cookies mandatory), but what if you are using Windows 10 and the OEM doesn't allow disabling Secure Boot?

I realize that I am going way off topic after having told others not to, sorry.

Last edited by Didier Spaier; 10-18-2015 at 09:22 PM. Reason: Link fixed, thanks Dutchy013
 
Old 10-18-2015, 12:45 PM   #17
BratPit
Member
 
Registered: Jan 2011
Posts: 250

Rep: Reputation: 100
Quote:
Originally Posted by Didier Spaier View Post
  • If the machine was shipped with Windows 10 preinstalled then disabling Secure Boot should not be allowed.
It is an old number by Microsoft that works. Discouragement BY Incompatibility.
Who remembers old DOS and MS-DOS knows.

it is not a safety, IT'S feature.
 
Old 10-18-2015, 01:02 PM   #18
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,063

Rep: Reputation: Disabled
Quote:
Originally Posted by BratPit View Post
It is an old number by Microsoft that works. Discouragement BY Incompatibility.
Who remembers old DOS and MS-DOS knows.

it is not a safety, IT'S feature.
  1. As stated in a later post, I am not sure that my quoted statement was true.
  2. I am bored by Microsoft bashing again and again. Just don't buy a machine with Windows 10 pre-installed if you don't like it.

Last edited by Didier Spaier; 10-18-2015 at 01:08 PM.
 
Old 10-18-2015, 01:26 PM   #19
dutchy013
Member
 
Registered: Sep 2015
Location: Tilburg, NL
Distribution: Slackware current
Posts: 34

Rep: Reputation: Disabled
Quote:
Originally Posted by Didier Spaier View Post
  1. As stated in a later post, I am not sure that my quoted statement was true.
  2. I am bored by Microsoft bashing again and again. Just don't buy a machine with Windows 10 pre-installed if you don't like it.
You don't have that choice outside France! Each and every laptop has Windows pre-installed! Some brands sell one or two models that are preloaded with Ubuntu but that's it. Only companies like bto.eu sell winless laptops but at a price. Their entry level system would cost me at least EUR 550, instead of a similar system preloaded with Windows costing around 400 euro.

It's time this kind of business is flagged to the EU antitrust offices again.
 
Old 10-18-2015, 02:22 PM   #20
BratPit
Member
 
Registered: Jan 2011
Posts: 250

Rep: Reputation: 100
Quote:
Originally Posted by Didier Spaier View Post
  1. I am bored by Microsoft bashing again and again. Just don't buy a machine with Windows 10 pre-installed if you don't like it.
but I'm bored as M$ again and again manages to fool people.
Like dutchy013 said if they remain only machines with preinstalled Windows / the feature/ my liking or not will have no meaning, and you will never again be bored by Microsoft bashing again and again :-)

Universal happiness.
Former Throw in the ass lamented Ballmer will be healed.
 
Old 10-18-2015, 02:30 PM   #21
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,063

Rep: Reputation: Disabled
@BratPit: This kind of rant doesn't help to solve the OP's issue. Can't you just stay on topic?
 
Old 10-18-2015, 06:42 PM   #22
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
Quote:
Originally Posted by Alien Bob View Post
In March, there was a story that Microsoft would drop that OEM requirement for Windows 10: http://arstechnica.com/information-t...out-a-reality/

---------- Post added 18th Oct 2015 at 17:17 ----------



Source please.
I'm sorry Eric, but you just really made my day, and now I can't stop laughing. Okay sides hurting...
 
Old 10-18-2015, 07:02 PM   #23
dutchy013
Member
 
Registered: Sep 2015
Location: Tilburg, NL
Distribution: Slackware current
Posts: 34

Rep: Reputation: Disabled
Quote:
Originally Posted by Didier Spaier View Post
as the one found here for Windows 8.
We're sorry, the page you requested cannot be found.

After looking around a bit, I guess this is the right link:

https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx
 
Old 10-18-2015, 09:30 PM   #24
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,063

Rep: Reputation: Disabled
Thanks dutchy013, fixed now.
 
Old 10-19-2015, 06:01 AM   #25
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
In https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx (Windows 10 Minimum hardware requirements) there is this section:

6.8 UEFI and Secure Boot
Windows 10 for desktop editions and Windows 10 Mobile and Windows 10 IoT Core must boot into UEFI mode by default and ship with UEFI Secure Boot enabled. System firmware must be compliant with the UEFI Specification Version 2.3.1 or higher.
OEM systems for special purpose commercial systems, build to order, and customer systems with a custom image are not required to ship with UEFI Secure Boot enabled.
Windows 10 for desktop editions and Windows 10 IoT Core systems can optionally support the ability to disable Secure Boot via firmware setup. Windows 10 Mobile systems must not implement the ability to disable Secure Boot. Windows 10 for desktop editions and Windows 10 Mobile systems must implement measurements into PCR [7].
Note: No systems should allow programmatic disabling of Secure Boot during boot services or after exiting EFI boot services.
The highlighted sections are the parts relevant to OEM resellers. It can be interpreted reversely: it is not demanded of the OEM anymore that they allow the Secure Boot to be disabled.
 
2 members found this post helpful.
Old 10-19-2015, 06:06 AM   #26
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by ReaperX7 View Post
I'm sorry Eric, but you just really made my day, and now I can't stop laughing. Okay sides hurting...
Why?
You stated "Windows 10 has a mandate Secure Boot be mandatory on all PCs." (really bad English by the way) but I still have not seen a source where this statement of yours is backed with facts.
 
Old 10-19-2015, 06:52 AM   #27
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,063

Rep: Reputation: Disabled
Quote:
Originally Posted by Alien Bob View Post
it is not demanded of the OEM anymore that they allow the Secure Boot to be disabled.
That's how I understand it too, thanks for the link. At least there is a demand to be compliant with version 2.3.1 or greater of the UEFI specification, which is a good thing IMO, as providers of EFI images and applications now know what they should expect from the firmware of such machines.
 
Old 10-19-2015, 08:24 AM   #28
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,376

Rep: Reputation: 2756
Quote:
The highlighted sections are the parts relevant to OEM resellers. It can be interpreted reversely: it is not demanded of the OEM anymore that they allow the Secure Boot to be disabled.
It did not take the wisdom of Solomon to see that coming.
Quote:
At least there is a demand to be compliant with version 2.3.1 or greater of the UEFI specification, which is a good thing IMO, as providers of EFI images and applications now know what they should expect from the firmware of such machines.
Perhaps your glee will be subdued by considering how M$ is manoeuvring in this space. Consider the requirements for Windows 10 on SoC. https://msdn.microsoft.com/en-us/lib...v=vs.8529.aspx
Under Security requirements -> UEFI secure boot
Quote:
Requirement 5: MANDATORY. A Microsoft-provided UEFI KEK shall be included in the UEFI KEK database. No additional KEKs shall be present.
which according to http://www.uefi.org/sites/default/fi...Spec_2_3_1.pdf Section 27.5 p 1444 translates to an OEM can only ship Windows 10 with no other OS installed. With the historical close link between M$ and OEMs, that becomes a given.
Quote:
Requirement 7: MANDATORY. The initial signature databases shall be stored in firmware flash and may be updated only with an OEM-signed firmware update or through UEFI authenticated variable write.
Updating the signature database is being pushed to the OEM's discretion.
Quote:
Requirement 8: MANDATORY. Images in the boot path that fails signature verification must not be executed, and the reason for the failure shall be added to the EFI_IMAGE_EXECUTION_TABLE. Further, the recommended approach in these situations is that the UEFI boot manager initiates recovery according to an OEM-specific strategy.
What is to stop the OEM from simply deleting the offending image?
Quote:
Requirement 9: MANDATORY. Physically present user override must not be permitted for UEFI images that fail signature verification.
The user is no longer in charge.
Quote:
Requirement 10: OPTIONAL. An OEM may implement the ability for a physically present user to turn off Secure Boot either with access to the PKpriv or with Physical Presence through the firmware setup. Access to the firmware setup may be protected by platform specific means (administrator password, smart card, static configuration, etc.)
The ability to turn off Secure Boot is at the OEM's discretion, not mandatory as per previous.
Quote:
Requirement 11: MANDATORY if requirement 10 is implemented. If Secure Boot is turned off then all existing UEFI variables shall not be accessible.
The user has no recourse.

Requirements 12 to 21 do not seem quite so draconian.

Have a nice day!

Last edited by allend; 10-19-2015 at 08:30 AM.
 
1 members found this post helpful.
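Added example, not part of any post in this thread: the posts above turn on whether Secure Boot is enabled and which KEKs the firmware holds, and both can be inspected from the UEFI variables themselves. The sketch below parses the efivarfs file layout and the `EFI_SIGNATURE_LIST` structure from the UEFI specification; the sample bytes, owner GUIDs and helper names are constructed for illustration.

```python
import struct
import uuid

X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID

def split_efivarfs(blob):
    """An efivarfs file is a 4-byte little-endian attribute word, then the data."""
    if len(blob) < 4:
        raise ValueError("too short for an efivarfs file")
    return struct.unpack_from("<I", blob)[0], blob[4:]

def secure_boot_enabled(blob):
    """SecureBoot variable: a single data byte, 1 = enforcing, 0 = off."""
    _, data = split_efivarfs(blob)
    return data[:1] == b"\x01"

def kek_entries(blob):
    """Walk the EFI_SIGNATURE_LIST structures in a KEK (or db) efivarfs blob."""
    _, data = split_efivarfs(blob)
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        start, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or start > end or end > len(data) or (end - start) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for p in range(start, end, sig_size):
            # Each entry: 16-byte SignatureOwner GUID, then the certificate or hash.
            owner = uuid.UUID(bytes_le=data[p:p + 16])
            out.append((sig_type, owner, data[p + 16:p + sig_size]))
        off = end
    return out

def make_list(sig_type, owner, payload):
    """Build one constructed single-entry signature list for the sample below."""
    body = owner.bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

# Constructed sample, not read from any real machine: a KEK with two owners.
OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder GUID
OWNER_B = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")  # placeholder GUID
SAMPLE_KEK = (struct.pack("<I", 0x27) + make_list(X509, OWNER_A, b"cert-A")
              + make_list(X509, OWNER_B, b"cert-B!"))
SAMPLE_SECUREBOOT = struct.pack("<I", 0x06) + b"\x01"

if __name__ == "__main__":
    print("Secure Boot enforcing:", secure_boot_enabled(SAMPLE_SECUREBOOT))
    for sig_type, owner, payload in kek_entries(SAMPLE_KEK):
        print(owner, "x509" if sig_type == X509 else sig_type, len(payload), "bytes")
```

On a Linux system booted in UEFI mode, the same functions accept the raw contents of `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c`; more than one distinct owner in the KEK output means more than one party can update the signature databases.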
Old 10-20-2015, 06:13 AM   #29
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
Thinking out loud here:

Is it me, or is UEFI from a technological viewpoint somewhat massively flawed in design? No set standards like traditional BIOS where you have traditional template BIOS ROMs from AMI or Award that are fairly uniform so chances of systems ending up with buggy UEFI can occur other than what Microsoft wants which is still fairly loose in design. EF00 partition is formatted in FAT style which can be dangerous for data loss if mounted and you have a system failure compared to an MBR or an EF02 BIOS boot partition which cannot be mounted so no data loss could occur, or lessens the chance greatly of loss to data from the bootloader. Secure Boot is nothing really seemingly but a band-aid to BIOS Protection Mode which accomplishes fairly the same thing minus some minor aspects that are just outlandish like signing bootloaders. I mean in all honesty, UEFI from a point of view can look very halfassed and slapped together. I mean GPT was the real gain here in solving the problem of MBR systems limited to a certain amount of partitions.

End of thinking out loud.
 
1 members found this post helpful.
Old 10-20-2015, 06:17 AM   #30
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,063

Rep: Reputation: Disabled
@ReaperX7: did you read the UEFI specification?

Sorry to look rude but really, I'm tired of reading such baseless statements, additionally completely off topic.

Last edited by Didier Spaier; 10-20-2015 at 10:46 AM.
 
  

