So Microsoft demands(!) that all x86 PCs and laptops which are sold in its certification program have to have Secure Boot easily disable-able in the BIOS/uEFI by the end user...

So these Linux-computer companies either buy laptops from manufacturers directly or produce their own, but somehow the laptops they're buying are unable to have Secure Boot turned off even though that is the industry standard and literally what every single laptop retailer's laptops do?

This whole thing makes no logical sense at all.

I totally doubt that anyone is producing x86 laptops where you cannot disable Secure Boot, if for no other reason that it would make these laptops ineligible for Windows/Microsoft certification which consumers care about.

These companies might be going out of business, but trying to tie it to Secure Boot is nonsensical.

Plus on top of everything I just said several Linux distributions now support Secure Boot out of the box. So these companies don't even have to go into the BIOS/uEFI and change the settings, just install Ubuntu like they always have.

So OP: PROVE that Secure Boot is the cause of these companies going under? Or at least explain the logic to it.

There are costs involved in preparing a Linux system, which makes many manufacturers opt to simply abandon their non-OS/Linux lines.

Also some indirect proof:

* timing: secure boot gets introduced, suddenly all Linux shops here close * M$ has a track record of abusing its monopoly

The enormous number of articles on the web shows turning off secure boot isn't always that easy either:http://www.zdnet.com/2013-installing-linux-on-windows-8-pc-i...

Also if you click through to the "Windows Certification Program" you'll find this Microsoft requirement (for the Windows 8 logo program):

> Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems.

So your links are really hurt you a lot here.

> The enormous number of articles on the web shows turning off secure boot isn't always that easy either:http://www.zdnet.com/2013-installing-linux-on-windows-8-pc-i....

That article doesn't say what you claim it says. In fact it says quite the opposite.

It lists several distributions which work "out of the box" with no modifications to the system at all. It then goes on to talk about disabling Secure Boot.

It does quite correctly whine that you cannot install Windows on Surface RT hardware, which is a valid complaint, but outside the scope of this thread.

Yes, Win 8 won't boot without it. You can disable the feature in the BIOS if you are going to install a different OS.

You say "easily disable-able" but that's not the case. The process of disabling SecureBoot is anything but easy, and it's undocumented.

Security (tab) -> Secure Boot -> Disabled -> Save

And it is documented. It is right there in the manual. This is an ASRock motherboard produced in the last few years.

It literally is as complicated as turning on and off the internal sound or networking, or switching on USB legacy mode.

PS - This web-site shows a different ASRock motherboard with the same-ish setup: http://www.eightforums.com/tutorials/17058-secure-boot-enabl...

What has your terrible experience been and on what model of computer?

Making things up does not somehow make your argument more convincing, it reflects poorly on you for anyone who actually uses a laptop/desktop with uEFI. If an end-user knows how to get into a BIOS, they can find the plain-text labeled option to disable.

Can you tell me how to disable it? I tried everything, and it did not worked...

Yes, the BIOS does have a option to disable secure boot there, but even using that option, secure boot still stays active and refuse to boot anything unsigned.

- It used to be that most technical people ( and some non-technical) would buy desktops. You can sidestep the Windows tax and attendant issues by building a desktop (from parts you know work well with Linux), and maybe hit a competitive price in the high end. Now that desktops are a tiny sliver of the market, these stores are enslaved by OEMs, reboxing existing laptop designs.

- Starting from the same wholesale price, Linux resellers 'add value' by installing Linux. But this value-add isn't really apparent to a large enough audience - there isn't enough public awareness, and people aren't willing to pay a premium. Especially if they're competent enough to install Linux themselves. In my experience people expect ANY OS to be free; when we used to try and sell Win XP as an upgrade (over 2K), people were aghast that the software cost money.

- People want free support if you sell them on Linux. If they nuke the system, you either scare them off with your hourly service rate, or you eat the cost of the labour and go broke.

- So the vendor either charges a higher sticker price and doesn't sell many, or eats the labour cost for developing Linux support, fixing and reboxing laptops and tries to make up the tiny (or even negative) gross margin on volume.

When I moved to a bigger chain store, they subsidized the low-margin laptop market by aggressively pushing house-brand accessories: cables, cases, blank media, printer ink. These small stores are typically much less aggressive about selling high-margin commodities along with a system (it's harder to do with less capital, space and by mail).

So it isn't a problem of freedom and choice. It isn't a problem of Microsoft crushing little independents (not consciously). The computer business is very hard to do well at small scale, and you should expect that on a medium time-scale most will die. This is only exacerbated by the rush to laptops, then tablets and smartphones, where it's impossible to differentiate.

1) SecureBoot on WART (windows on ARM) 2) SecureBoot on x86/64

The first issue (WART) is easily explained. Microsoft stipulates that ARM vendors may not accept any other operating system than Windows to run. This is a case where one company (Microsoft) colludes with other companies (Asus etc.) to create a product that is closed to the competition.

The second issue (x86/64) is more nuanced. Microsoft stipulates that other OSes need to be able to run on these devices. However to do so one has to obtain a boot key from microsoft. The bios mechanism to restrict boot also has to work. There are a couple issues with this: 1) microsoft so far has issued barely any secure boot keys 2) Obtaining a secure boot key costs money 3) Microsoft can revoke those keys at any time 4) The implementation of secure boot on some devices is hardcoded to windows and won't work otherwise

Both topics are not a "market issue" because there are multiple companies involved, many of which are monopoly holders in an area or other. Dell/HP/Asus etc. are monopoly holders to personal computing hardware. And Microsoft is a monopoly holder to personal computing operating systems. When you get multiple monopoly holders banding together forming one company, you are talking of a syndicate. Syndicates are explicitely forbidden to be formed under monopoly laws. Thus Microsoft and its OEMs are in deep shit, at least in theory.

  | Dell/HP/Asus etc. are monopoly holders to
  | personal computing hardware

No.

Microsoft stipulates that other OSes must be supported AND that Secure Boot must have an off-switch in the BIOS/uEFI.

Secure Boot has three "modes:"

- Use my built in keys (aka Microsoft signing only).

- Use user supplier keys (aka Custom Mode).

- Off

Only Microsoft-mode and off-mode are relevant to this discussion, because outside of government entities it isn't viable to produce and distribute custom keys.

>Microsoft stipulates that other OSes need to be able to run on these devices. However to do so one has to obtain a boot key from microsoft.

No, Microsoft stipulates that the secure boot should be able to be disabled without needing to obtain a boot key from Microsoft. In fact you can install your own personal key and remove Microsoft's to prevent Windows from booting.

>The implementation of secure boot on some devices is hardcoded to windows and won't work otherwise

Reference?

>Dell/HP/Asus etc. are monopoly holders to personal computing hardware

If there are multiple companies in the market with comparable market share, by definition they are not monopolies.

Perhaps the market is just too small to make financial sense, or these Dutch shops have no money.

I used the Wayback machine to have a look at the products and the results are not too exciting. For example, a year ago, the 1.9kg Mingos LT-13-2 laptop had a 1.3GHz Pentium, 2GB of RAM and a 160GB hard drive for €540.00 ($708) with Ubuntu.

http://web.archive.org/web/20120603005911/http://www.mingos....

I can't see how any rational person would buy that, even if they were totally clueless, rabid anti-Microsoft fanboys. It's not like installing Ubuntu is hard ...

This whole thing makes no sense.

> http://linuxcomputers.nl/

They don't appear to even mention secure boot as the reason, but pricing, margin and lack of interest, both from consumers as from vendors.

You had a choice.

That choice has been killed. High-end laptops are now the only option if you want freedom, and that's not an accidental thing, it's by microsoft's design.

Of course, being able to have it ship disabled by default is ideal, but for the HN crowd and for Linux shops, disabling Secure Boot in BIOS/EFI is trivial.

Previously they could buy branded laptops (HP, Lenovo, and such) without Windows. Consumers can already buy such laptops with Windows, and then install Linux on them. These shops made it possible to buy laptops free of Windows, so without having to pay "Windows-tax".

Hettes.nl have received an outpouring of support and have started a petition with the intent to get this practice of product tying discussable in the Dutch House of Representatives and in a well known Dutch consumers' rights television show, and raise awareness of this to the European Union.

They write (my translation):

"At this moment we are receiving many comments about the stopping of Hettes.nl, also on the Internet we are mentioned multiple times and many visitors of Hettes.nl are disappointed that we are stopping. Because of these comments we want to start a petition to make the Dutch government and the European union see that this product tying should stop and that it should be possible to buy computers (any brand) without Windows. So that we can offer computers without Windows to consumers that prefer other operating systems!"

The petition is the link in the last paragraph on this page: http://www.hettes.nl/hettes-stopt

Edit: added translation of Hettes.nl paragraph about their petition.

https://www.system76.com/home/shippinginformation

I really did not know what to do. I simply refuse to pay for an OS I really don't want.

My only option seemed to buy a Loongson, but that would make me incompatible with the rest of my team:

http://www.tekmote.nl/epages/61504599.sf/nl_NL/?ObjectPath=/...

The only issue is that they only do it occasionally with a limited set of units.

You are welcome to make your own personal demands on the market only if you are willing to pay for them, or in this case, if you can find many thousands of other people also willing to pay the price.

It's pointless just claiming a "right". You have no rights. You can't force anybody to supply what you want except by enabling the supplier to make a profit. As it is, you're expecting them to make a significant loss.

It's not just a question of removing Windows (or whatever OS you have installed for burn in and testing). There's the huge cost of qualifying parts for a different operating system, the extra tracking and stock-keeping costs, extra advertising and marketing costs (that will reflect the small number of units shipped), and the high cost of supporting Linux.

Since any 157 Linux buyers typically want at least 57 different versions of Linux, and a fair few want to dual boot because they actually do use Windows (for games, iTunes, whatever), the whole idea is a non-starter....

Ie at one point you could argue that if you didn't like AT&T, then the market would create a viable alternative. It never did, and was broken up as we know the free market does not solve everything.

In this situation, you could argue the market would create a viable alternative, but Microsoft has a consistent track record of influencing the market monopolistically.

As mentioned previously, it used to be the case that you could make a living off of making custom PCs and selling them for a premium. You can still actually do this, charging for a 15% premium or something like that, and make a part time job out of it. But then you have to provide services such as overclocking and water-cooling. Back in the days of XP and Vista, all you had to do was assemble a system from OEM parts and sell it. You could offer higher quality parts + a Windows OS + better performance/price ratio and still be profitable because the system you made would still be cheaper than a pre-built computer.

The thing that has changed is, as I said, the market. You can't do that anymore because the margins are prohibitively small. You need to buy in bulk and sell in bulk to make any kind of money.

But that's not an issue with Microsoft or this secure boot thing, that's just the way that prices have changed in the market. A lot of companies can no longer afford to sell systems without the extra money from MS sales and the bloatware. It was never all that profitable to sell Linux machines to begin with, and it's even harder now. But it's still possible. It's just that you have to sell huge numbers of them, more than before, in order to stay afloat.

Another thing that you have to take into account is that it's a niche market to begin with. Most people who enjoy Linux also know how to manage it, know how to assemble a computer, and would prefer to set up the software/hardware themselves rather than have a company do it for them.

I could be wrong in some of what I have above but that's my understanding of this whole issue.

Also, none of the websites says why they can't just buy their laptops directly from Chinese white box PC suppliers. Am I supposed to believe it's cheaper to buy them via another European company that actually buys them from a Chinese white box supplier? Really?

Microsoft's record of trying to influence the market dates from around 1992-95, and it spent the 2000's under close judicial control, so your fact-free monopoly assertion doesn't carry a lot of weight now.

Either way, Apple has conclusively demonstrated that the market certainly will support a viable alternative -- and one that commands huge profit margins. This doesn't mean suppliers of crappy low-spec/high-priced Linux laptops are entitled top a free lunch, or that politicians should interfere with the market to prop up their failing businesses.

OK, but what does that have to do with secure boot?

None of this has anything to do with Secureboot.

"In this situation, you could argue the market would create a viable alternative"

So blame the OEMs for not viewing the Linux-using crowd as a viable market. Target the persons who see you as unprofitable.

What is sad though is that antitrust regulators worldwide have looked at this practice and saw nothing wrong with it.

To quote the Linux Foundation: "Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware. This document is intended to describe how the UEFI secure boot specification can be implemented to interoperate well with open systems and to avoid adversely affecting the rights of the owners of those systems while providing compliance with proprietary software vendors' requirements." http://www.linuxfoundation.org/publications/making-uefi-secu...

Correct. But the steps to do so vary wildly from motherboard to motherboard and are not documented anywhere.

In fact, one of the things HispaLinux requested is that OEMs provide clear documentation of the technical steps required to disable SecureBoot.

  | what is secure boot

  | microsoft corporation has leveraged their
  | existing dominant position in the desktop OS
  | market and mandated that OEMs include microsoft's
  | encryption key in their motherboards, to the
  | exclusion of all other encryption keys, as a
  | prerequisite to their logo certification program.

2. EFI Secure Boot was designed to allow for multiple keys, not just the 'one true Microsoft key.'

3. It's the OEMs that are creating crappy implementations, and not documenting how to disable Secure Boot. These are not things (at least officially) mandated by Microsoft. [Though one could make an argument that Microsoft should mandate that these things be documented instead of just stating that 'the ability to do X should exist.']

My words in your ears, dear friends. We have to stop the engine of slavery, the software that limits our hardware, it will limit our horizon when we allow it mature and manifest itself within our technology. Viva Freedom!

http://mjg59.dreamwidth.org/12368.html This a more technical perspective: http://www.rodsbooks.com/efi-bootloaders/secureboot.html

The day people start doing more than watching youtube videos with their ARM computers is certainly a possible future. Smartphones are becoming a stronger selling factor than the PC industry. We all agree that the future is mobile and everbody is betting on this future.

Although not a BIOS disadvantage per se, switching from EFI mode to BIOS mode requires re-installing your OS(es), or at least reconfiguring their boot loaders.

Secure boot is evil until we can provide our own key. Even if GNU keys are permitted, it is still bad enough.

http://i.imgur.com/XkJ11If.png

[1] https://www.system76.com/

simple issue of hardware and operating system separation.

http://usatoday30.usatoday.com/news/washington/2003-09-06-po...

The Surface Pro is not locked down. You can even remove Microsoft's key and stop Windows from booting and install Ubuntu's key or your own.

>Consumer harm comes into play when microsoft leverages their existing desktop OS monopoly to twist OEMs' arms into including an encryption key that OEMs gain no direct benefit from.

The OEMs benefit is that their customer's PCs are not vulnerable to undetectable rootkits as soon as they get on the internet and get hit by a Java, Flash exploit or download a fake codec or toolbar. Interesting how no one seems to talk about benefits of secure boot to real users in this discussion.

Look, microsoft should be working to fix their software instead of leaving it as it is and instead making life miserable for those who want digital freedom.

This is how they are working to fix their software.

The only way to make an OS more secure is iOS style DRM walled garden sandbox lockdown.

If what you say is true, why are Android, OS X and even Linux susceptible to viruses and rootkits? For example, Java, Flash and Adobe Reader PDF exploits are all the rage now, and OS X and Linux are as vulnerable to them as Windows is.

First, I completely fail to see what this has to do with Secure Boot. If you're a System Builder and you're able to install Linux but are unable to turn off a checkbox in the settings, then you're a shitty system builder and deserve to have your business shut down.

Second, I completely fail to see what this has to do with Windows 8. The main complaint seems to be that the big OEMs are not shipping laptops without Windows being already installed. Wasn't this true with Windows 7 too?

It looks like the magic words "Windows 8 Secure Boot" were included in the headline and post only to gain HN karma points.

If you're a business and want laptops without an OS, you need to go to the ODMs like Clevo, Compal, Asus, MSI, Quanta, Wistron, Mitac, Arima and Invente. http://en.wikipedia.org/wiki/Original_design_manufacturer

They will happily sell you laptops in bulk without an OS installed. For example http://www.system76.com does exactly that.

Looks like the computer shops linked seem to just want Lenovo to sell them bare laptops so they can skim a profit by just loading Linux on them and then selling them for a higher price. Guess what, Lenovo doesn't want to increase their costs by creating a separate assembly line process which won't make them any money.

Asus sells barebones laptop kits if I am not mistaken.

It's interesting how yelling "OMG WINDOWS 8 SECURE BOOT!!!" gets you a lot of karma here even though it has nothing to do with the issue at hand.

The user is in control of the PC. They can load any key they trust or roll their own personal key and even remove Microsoft's key to prevent Windows from booting on their computer.

I don't see why tens of millions of PCs used by non-technical people should be susceptible to undetectable rootkits out of the box just to appease some stupid system builders who can't find the setting to turn it off in the BIOS menu.

No, I'm a consumer who wants the same variety of laptops/specs/price points that are sold with windows eight preinstalled, to be available without microsoft's contraptions, be they operating systems or encryption keys.

microsoft doesn't want me to have that choice, and this is the topic at hand, and by the way, you should consider sticking to the topic at hand.

If there was a viable market of people willing to pay an economic price for a Linux laptop then there would be companies to provide them. Several have tried. Some are still trying (eg Dell) though it's hard to make money selling to cheapskates.

As it is, whatever Linux market there is depends on the economies of scale created by the Windows market. You're saving far more money thanks to Windows than you would ever pay for Windows licences.

This is especially true for "basic" systems, were they sell them at almost cost price... As OEMs make all their profits on upgrades and higher spec systems that they can sell at a markup.

He didn't say he wanted a Linux machine, he said he wanted one without "windows eight preinstalled".

Otherwise, you're free to spend $1,500 on a decent Mac or Windows laptop and install your distro of choice....

Linus uses a Mac laptop, doesn't he?

You're welcome to point me to the evidence for a large group of open source enthusiasts shopping for high-margin laptops.

In order to buy a product from company X, which I like and want to use, I'm also required to give money to company Y for a product I do not like and am not going to use. I don't want to reward company Y for making a product I do not like, and I am angry company X has made a business/marketing deal that means I can't get its product without rewarding company Y.

As others have pointed out already, PC makers get most of their profits at the low-end from bundling. I'd rather pay the same price with no bundled crapware and no bundled OS because dislike crapware and I dislike Microsoft's current operating systems and I do not want the companies that made them to get my money.

In any case, you're not buying two separate products, you are buying one, integrated product. The thing you think you want does not exist. No OEM says "Hey, I'll make a laptop and then decide which OS to load." Their business is making Windows laptops. If they were designing, qualifying and building Linux laptops, they'd have to charge you a lot more, and you wouldn't pay it. That's why no one does it.

I am at my third Sony Z laptop (~2k to ~3k laptops). Every time, the first thing I did with them was to dump the original windows partition and install linux . The "windows tax" on them were negligible and did not impact my choice at all, so would Sony do anything for people like me ? Of course not except if a competitor would produce a successful similar hardware with Linux on it, and that doesn't happen because people don't show interest for linux.

It was a few months back so I guess it could have changed.

http://www.dell.com/de/unternehmen/p/xps-13-linux/pd?refid=x...

There have been a lot of Linux OEMs over the years. e.g. http://en.wikipedia.org/wiki/Geeknet

Walmart was selling Linux PCs. If there was demand they would've thrived. There are some like System 76 and the new Dell Ubuntu ultrabook.

The OEMs are barely making money as-is. Without the crapware they install their profit is much much less. http://www.tuaw.com/2013/04/17/apple-sells-5-of-pcs-world-wi...

At the low-end, they've usually used some no-name distribution with nonstandard components and a skin that looks just like Windows at first glance. I think making it look like Windows is probably the worst thing they could do for user comfort; regardless of looks, they'll eventually run in to something that doesn't work like Windows. The experience is less jarring if it looks different from the start. Getting help from technical friends and relatives is definitely easier if it looks, feels and works like a popular distribution.

The low-end Linux machines usually aren't cheaper than Windows, and little explanation of the advantages that might matter to that market segment can be found in the marketing materials for such machines. The advantages as I see them are easy access to a large amount of free, safe software through the distribution's repository, and reduced maintenance relative to Windows; it doesn't become slow, get malware, etc... if you just use it without messing with anything.

There have been some really puzzling decisions at the high-end too. Dell's Ubuntu developer machine having the lowest available screen resolution comes to mind. Usually, when large computer manufacturers offer professional machines with Linux, it's hard to find them. There's usually a "customize this model" page that offers a choice of OS - any of several versions of Windows. The Linux versions are treated as separate products and not listed where the standard models are. People only find them if they're actively looking.

It almost seems like these ventures were set up to fail so PC manufacturers and/or Microsoft could say "Look. We keep trying and nobody buys these things.".

Speaking for myself, I sent a private e-mail to Neelie Kroes saying that I support the position of HispaLinux and that I regard it as an anticompetitive, exclusionary practice for there to be only microsoft's encryption key by default on all new motherboards, to the exclusion of say the GNU/Linux community's key.

But there's only so much one private e-mail can do.

The whole problem is that there is no "GNU/Linux community's key" because no one is stepping up to provide it. The big OEMs had already told Red Hat that they're willing to include the community's keys so I fail to see the "anticompetitive, exclusionary practice". Microsoft does not mandate that only its key should be included by default on all new motherboards. The OEMs are free to include any other keys.

There is no single vendor I trust with the decision about which distro's bootloaders can be signed. I only trust the distro I am using, and only because I can switch to another distro at will (which I have done three times since I began experimenting with Linux all those years ago). That is the problem with the UEFI design: it does not let me, the user, decide who to trust, unless I am technically adept enough to install custom keys (I personally am, but even a lot of people at the local LUG and 2600 meetups are not).

What we really need a system that allows me to install whatever OS I want, and allows that OS to optionally enable bootloader signing with its own key. I should be able to hit a button while booting up to enable a special "OS installation mode," which will boot from a USB device or a DVD to install an OS. During that process, the OS installer can load keys for bootloader signing. The user should always be able to install the OS of their choice, and should not have to rely on Microsoft or anyone else to "approve" a bootloader, OS, or anything else.

The winner is always who has the big money. They don't need to put an encryption key in motherboards. They do this f.cking shit already without key.

Do you have a source for this? I can't find any.