"Matthew Garrett discovered that Linux wouldn't boot by default on the new Lenovo Thinkpad Z13 due to it by default not trusting bootloaders/drivers signed with the Microsoft 3rd Party UEFI CA Key"

  1. 2 years ago
    Anonymous

    "This means that given the default firmware configuration, nothing other than Windows will boot. It also means that you won't be able to boot from any third-party external peripherals that are plugged in via Thunderbolt. There's no security benefit to this. If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets. It's trivial to detect this. Distrusting the 3rd party CA by default doesn't improve security, it just makes it harder for users to boot alternative operating systems."
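The PCR 7 behaviour described in the quote above, as an added example that is not part of the original post or of any firmware's code: it replays two boot event logs that differ only in which db certificate validated the bootloader, and shows that a secret sealed against the first PCR 7 value no longer unseals after the second. The event encoding is simplified (real logs hash a UEFI_VARIABLE_DATA structure), the certificate, PK, KEK and dbx bytes are constructed placeholders, and `SealedSecret` is a hypothetical stand-in for a TPM PCR policy.

```python
import hashlib
import hmac

PCR_BYTES = 32  # SHA-256 PCR bank

# Constructed placeholders standing in for the two Microsoft CA certificates.
WINDOWS_CA = b"constructed-cert: Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = b"constructed-cert: Microsoft Corporation UEFI CA 2011"


def extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM extend: PCR_new = SHA256(PCR_old || SHA256(event_data))."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()


def boot_log(signer: bytes):
    """Constructed PCR 7 event log; only the final authority event varies."""
    return [
        ("EV_EFI_VARIABLE_DRIVER_CONFIG", "SecureBoot", b"\x01"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG", "PK", b"constructed-PK"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG", "KEK", b"constructed-KEK"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG", "db", WINDOWS_CA + THIRD_PARTY_CA),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG", "dbx", b"constructed-dbx"),
        ("EV_SEPARATOR", "", b"\x00\x00\x00\x00"),
        # The db entry that validated the bootloader is measured when first used.
        ("EV_EFI_VARIABLE_AUTHORITY", "db", signer),
    ]


def replay_pcr7(events) -> bytes:
    """Replay an event log into a zeroed PCR, as a verifier would."""
    pcr = bytes(PCR_BYTES)
    for event_type, name, data in events:
        # Simplified encoding (assumption): type, variable name and data joined by NULs.
        pcr = extend(pcr, event_type.encode() + b"\0" + name.encode() + b"\0" + data)
    return pcr


def boot_authorities(events):
    """Return the certificates recorded as having validated boot images."""
    return [data.decode() for etype, _, data in events
            if etype == "EV_EFI_VARIABLE_AUTHORITY"]


class SealedSecret:
    """Hypothetical stand-in for a TPM object sealed under a PCR 7 policy."""

    def __init__(self, secret: bytes, pcr7_at_seal: bytes):
        self._secret = secret
        self._policy = hashlib.sha256(pcr7_at_seal).digest()

    def unseal(self, current_pcr7: bytes):
        """Release the secret only if PCR 7 matches the value it was sealed to."""
        now = hashlib.sha256(current_pcr7).digest()
        return self._secret if hmac.compare_digest(self._policy, now) else None


if __name__ == "__main__":
    pcr_windows = replay_pcr7(boot_log(WINDOWS_CA))
    pcr_third_party = replay_pcr7(boot_log(THIRD_PARTY_CA))
    blob = SealedSecret(b"constructed-disk-key", pcr_windows)

    print("PCR7 (Windows CA signer):    ", pcr_windows.hex())
    print("PCR7 (3rd party CA signer):  ", pcr_third_party.hex())
    print("unseal after Windows boot:   ", blob.unseal(pcr_windows))
    print("unseal after 3rd party boot: ", blob.unseal(pcr_third_party))
    print("authority in second log:     ", boot_authorities(boot_log(THIRD_PARTY_CA)))
```

Both logs carry the same db contents, so the changed PCR 7 value comes entirely from the authority event, and the log itself names which certificate was used.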

    • 2 years ago
      Anonymous

      Can you still install your own Secure Boot CA?

    • 2 years ago
      Anonymous

      >users to boot alternative operating systems
      Why would you want that?

      • 2 years ago
        Anonymous

        alternative = not windows
        microsoft should have never been left to exist after the shit they pulled with internet explorer

    • 2 years ago
      Anonymous

      https://i.imgur.com/FHqYHYq.jpg

      "Matthew Garrett discovered that Linux wouldn't boot by default on the new Lenovo Thinkpad Z13 due to it by default not trusting bootloaders/drivers signed with the Microsoft 3rd Party UEFI CA Key"

      >IQfy discovers UEFI
      >after it being around for a decade or so
      you people are actually, unironically moronic
      >Windows reportedly only uses proprietary Edge browser by default

      • 2 years ago
        Anonymous

        Are you really surprised the board full of larpers that use 20 year old Thinkpads to rice their i3 config all day don't know anything about technology after 2005?

    • 2 years ago
      Anonymous

      Just disable secure boot or sign your own secure boot keys? I don't see why being on by default is such a problem. You have to go into the BIOS anyway to select the installer boot media.

    • 2 years ago
      Anonymous

      >The restriction to only Windows by default is rather silly but at least it sounds like it still can be disabled from within the UEFI BIOS to allowing alternative operating systems to boot.

    • 2 years ago
      Anonymous

      >microsoft realized people can just boot up linux and delete all of their passwords and then login to windows
      >instead of encrypting the disk, they go full hardware moron
      figures

    • 2 years ago
      Anonymous

      >freetard seethes about something and does mental gymnastics to call it unsecure

      • 2 years ago
        Anonymous

        Microsoft can't even write software that validates certificates correctly

    • 2 years ago
      Anonymous

      I’m not defending this as a practice but it actually does make the system more secure.

      • 2 years ago
        Anonymous

        >I’m not defending this as a practice but it actually does make the system more secure.

        you are defending it, moron

        Microsoft's OS has so many fricking holes, you're literally saying that a computer is more secure by forcing the user to install a closed-source, unaudited and insecure operating system

        • 2 years ago
          Anonymous

          It’s secure in the sense that a fence around your unlocked house is more secure than no fence

          • 2 years ago
            Anonymous

            that's stupid, you're fricking stupid

          • 2 years ago
            Anonymous

            read what he said, because it's true:
            > you're literally saying that a computer is more secure by forcing the user to install a closed-source, unaudited and insecure operating system
            double the systems means double the security holes, double the attack surface

          • 2 years ago
            Anonymous

            >more barriers means more cracks in the barriers so don't protect yourself
            This is the dumbest thing I have ever heard

  2. 2 years ago
    Anonymous

    stop being a useless homosexual posting sensationalist headlines

    you just turn that setting off and it works

    • 2 years ago
      Anonymous

      > IQfy schizo predictions stay winning

    • 2 years ago
      Anonymous

      Oh no! Who could have guessed this?... Oh yeah, everyone with a brain.

      >Just turn the settings off bro
      Said the frog in the pot.

      • 2 years ago
        Anonymous

        i wish i could meet you in real life. ive always wanted to know how paid actors look like. i would probably glance at you for a few seconds before grabbing the closest solid object i could see and repeatedly smash it onto your head over and over and over and over and over and over again and again and again until it looks like my shit the morning after i have mexican food

        • 2 years ago
          Anonymous

          >STOP DOING WHAT YOU WANT WITH THE HARDWARE YOU PAID FOR

        • 2 years ago
          Anonymous

          >NOOOOOOOOO YOU CAN'T USE YOUR OWN HARDWARE
          Unironically have a nice day.

          [...]

          Yep. I do. Once again, Richard Stallman was right.

        • 2 years ago
          Anonymous

          If you want to get frisky motherfricker, then have it. Lots of luck. Hope you bring a lot of guns and a lot of friends. You're still going to die, but maybe there will be somebody left to carry your body back to your momma's house so she can put your "deadname" on your gravestone.

    • 2 years ago
      Anonymous

      While the headline is sensationalist, there is still a concern. It's not so much about Pluton, which even at their CES big show advertised that it is designed to be TURNED OFF by the user or OEM, used as a keystore same as the TPM, or used as a keystore for something else.

      The problem is what happens/if you are able to relock the bootloader and turn on secure boot with your own keys etc. You shouldn't HAVE to turn off secure boot, which does have a potential security function, for shit to work. We don't want to see a future where remote attestation is powered by ARM style TrustZone "Oh you unlocked the bootloader? Sorry, this app won't run hurrrdurr" like we're seeing on Android and the like.

      • 2 years ago
        Anonymous

        >You shouldn't HAVE to turn off secure boot, which does have a potential security function
        You shouldn't need to disable but the overlap of people who'd want to use another OS and actually want secure boot is very slim.
        I'm sure MS and Lenovo know this and didn't bother to make it work right away

      • 2 years ago
        Anonymous

        >We don't want to see a future where remote attestation is powered by ARM style TrustZone
        My dude... the AMD PSP *is* TrustZone.
        https://freundschafter.com/research/about-amd-trustzone-amd-platform-security-processor-psp-amd-secure-technology/
        It's here already.

        I don't want to downplay this (Pluton is garbage), but isn't this basically the same as secure boot was? As in, you turn it off and stuff just works.

        >As in, you turn it off and stuff just works.
        You turn it off and it will boot your shit, but stuff requiring attestation will not work anymore. Unbreakable DRM is the real goal. It *is* about security, just not for you. Just like when they say "our democracy" they're not including you.

      • 2 years ago
        Anonymous

        >While the headline is sensationalist, there is still a concern. It's not so much about Pluton, which even at their CES big show advertised that it is designed to be TURNED OFF by the user or OEM
        It should stay turned off

        Here is the slippery slope
        Xbox One -> Corporate computers -> All computers

    • 2 years ago
      Anonymous

      >t. Microsoft Marketing employee

    • 2 years ago
      Anonymous

      Standard normalization of tyranny by degrees
      >just turn it off Black person
      >what all you have to do is request permission from Microsoft to turn it off
      >you can't turn it off that's just industry standard why are you like this?

  3. 2 years ago
    Anonymous

    So how did he boot it?

    • 2 years ago
      Anonymous

      With windows

  4. 2 years ago
    Anonymous

    >chink brand
    >it sucks
    who knew

    • 2 years ago
      Anonymous

      Feels good, man

      I will also celebrate christmas FFFUUUCCCKKK CCCHHHIIINNNAAA

  5. 2 years ago
    Anonymous

    There has been zero info about Pluton in Zen4, i wonder if it will make its way there. In any case i'm glad i got Alder Lake. Even with just Win11 now it will refuse to start unless you enable Secure Boot so you won't be able to dualboot effortlessly unless you generate keys for your distro to make both OSes work with Secure Boot...

    • 2 years ago
      Anonymous

      Aids I just used Rufus to turn it off.
      I doubt those workarounds will work for long.

    • 2 years ago
      Anonymous

      >that image
      YAAAAAAY

  6. 2 years ago
    Anonymous

    "Secure" boot is a scam

    • 2 years ago
      Anonymous

      Reminder: Secure boot only exists because Microsoft didn't want people injecting SLIC license tables for OEM crack-tivation like they used to on Win7/Vista/XP.

      • 2 years ago
        Anonymous

        weren't windows users supposed to be IT professionals who earn 6 figures and can easily afford windows licenses for everyone in their extended family tree?

        • 2 years ago
          Anonymous

          >weren't windows users supposed to be IT professionals who earn 6 figures and can easily afford windows licenses for everyone in their extended family tree?
          yes, but i'd rather spend it on hookers and blow. frick microsoft

          • 2 years ago
            Anonymous

            poorgay cope, with the money you spend on a license you couldn't buy even half a decent hooker

          • 2 years ago
            Anonymous

            >missing the entire point

          • 2 years ago
            Anonymous

            No, the point he made is very valid.
            To that post? No. Just to everything in general.

          • 2 years ago
            Anonymous

            >moving the goalpost

          • 2 years ago
            Anonymous

            Sorry for having fun on the internet, sheesh.
            Maybe you need to take that dragon dildo out of your butthole every now and then.

          • 2 years ago
            Anonymous

            Ok

          • 2 years ago
            Anonymous

            >yes, but i'd rather spend it on hookers and blow. frick microsoft
            That's the spirit, kiddo.

        • 2 years ago
          Anonymous

          >everyone in their extended family tree
          I told those pieces of shit I work construction and to not call me about their computer again.

      • 2 years ago
        Anonymous

        .. that's why Microsoft mandated that on all x86 "Windows compatible" devices there must be a way to enroll third party root certs?

      • 2 years ago
        Anonymous

        No it isn't. Microsoft fixed SLIC cracking on Windows 8 by mandating online activation for SLIC keys as well.

        • 2 years ago
          Anonymous

          >No anon, it wouldn't have been trivial to inject a newer SLIC table version and have a fake server sign it. MS signature security is impenetrable, and KMS definitely isn't already cracked this way. We were right to hand MS complete end-to-end control of what used to be an open platform.

          Absolute shillotry.

    • 2 years ago
      Anonymous

      Same can be said for UEFI/GPT

  7. 2 years ago
    Anonymous

    You can change it in the firmware configuration menu for now, wait another 5 years and that will no longer be the case. You will have to install custom BIOS just to be able to boot Linux. Wait another 5 years and even that will be impossible, Linux will be relegated to old and enthusiast hardware. You chose this future.

    • 2 years ago
      Anonymous

      I fully expect Pluton to have self-burning fuses like on the Xbox360 if it doesn't already. Crap like "yeah you can install a patched BIOS for Ubuntu using an exploit but ONLY if you're lucky enough to have this rare untouched v1.00001a version of the board from the first month of production that luckily was never connected to the internet" that you see on consoles is Microsoft's vision of the future PC

      • 2 years ago
        Anonymous

        You'd have to be insane to believe this

        • 2 years ago
          Anonymous

          you probably also have to be insane to believe my shock when me rooting my samsung phone voided its warranty because a fuse, designed to blow when you overwrite the stock rom, did the needful

          • 2 years ago
            Anonymous

            You would have to be insane to A. Not research your phone before buying it and B. Buying a Samsung.

          • 2 years ago
            Anonymous

            >he got KNOX'd

    • 2 years ago
      Anonymous

      >Linux will be relegated to old and enthusiast hardware.
      you saying it's not now? the only reason i installed linux because my hardware was shit

  8. 2 years ago
    Anonymous

    I don't want to downplay this (Pluton is garbage), but isn't this basically the same as secure boot was? As in, you turn it off and stuff just works.

  9. 2 years ago
    Anonymous

    So we finally arrive at the "extinguish" part of the old MS textbook.

    • 2 years ago
      Anonymous

      You can turn it off. Or buy a dell. Dell doesn't ship with pluton turned on.

  10. 2 years ago
    Anonymous

    buy a real laptop and not a troonypad and it will not be an issue

  11. 2 years ago
    Anonymous

    [...]

    It's still a pain in my butthole every time i set up a new motherboard, what's your point? You may not have had to deal with it because you're a wintoddler, but other people have.

  12. 2 years ago
    Anonymous

    And so it begins.

  13. 2 years ago
    Anonymous

    so turn off secure boot you dumb Black person

  14. 2 years ago
    Anonymous

    >filtered by secure boot toggle

  15. 2 years ago
    Anonymous

    [...]

    I remember it, the FSF was crying wolf then and they're crying wolf now. Hardware manufacturers could _always_ restrict their hardware to an approved OS. This has never not been the case. You are paying them to let you into their playground. Remember when Sony added the ability to run Linux on the PS3 and then later deleted it?

    [...]

    It's still a pain in my butthole every time i set up a new motherboard, what's your point? You may not have had to deal with it because you're a wintoddler, but other people have.

    Sounds like you should have bought approved hardware.

    • 2 years ago
      Anonymous

      >Hardware manufacturers could _always_ restrict their hardware to an approved OS. This has never not been the case.
      not quite, see

      .. that's why Microsoft mandated that on all x86 "Windows compatible" devices there must be a way to enroll third party root certs?

      . If they restricted to Windows only, they would lose certification, and not be able to buy OEM Windows to run on their devices

    • 2 years ago
      Anonymous

      >Hardware manufacturers could _always_ restrict their hardware to an approved OS
      Why should that kind of behavior be tolerated?

      • 2 years ago
        Anonymous

        >Why should that kind of behavior be tolerated?
        What are you going to do about it?

        • 2 years ago
          Anonymous

          >They are crying wolf......
          >What are you gonna do about it? :^)

          actual shill

          • 2 years ago
            Anonymous

            I'm just poking fun at impotent morons screaming into the void about m-muh general computing when even the wild west that is the internet is little more than a few walled gardens nowadays and normies cheer on it
            custom bios lmao, enjoy dying alone

          • 2 years ago
            Anonymous

            >you want things to change because you think vendor lock in is idiotic?
            >lol ur le virgin updoots to the left
            Guess I should just let satya frick me up the ass for not wanting to use wangblows?

          • 2 years ago
            Anonymous

            Shill for whom?

          • 2 years ago
            Anonymous

            Big tech

      • 2 years ago
        Anonymous

        >Why should that kind of behavior be tolerated?
        Because it already is for many smartphones brands.

        • 2 years ago
          Anonymous

          Phones were always pozzed

      • 2 years ago
        Anonymous

        Because it is the basics of electronics?
        What's your great plan to stop hardware manufacturers from burning firmware into ROM chips, when this has been done since the invention of transistors?

        • 2 years ago
          Anonymous

          >What's your great plan to stop hardware manufacturers from burning firmware into ROM chips, when this has been done since the invention of transistors?
          Make new ones without them.
          We're getting close anon.

          • 2 years ago
            Anonymous

            Your quantum meme doesn't change anything about it

    • 2 years ago
      Anonymous

      That would be a really fast way to lose an antitrust lawsuit, especially back in the day. Bill Gates spent ten years in court over people not being able to uninstall Internet explorer.

  16. 2 years ago
    Anonymous

    What's bad about this ?
    You could load a Linux USB drive and basically read out the windows password and all data with 0 effort
    Now people are chomping out because there's a security measure that prevents that ? You can just disable it if you don't need it but I hope it's password protected

    • 2 years ago
      Anonymous

      not a problem if your system is fully encrypted.
      >inb4 but muh nothing to hide
      then why do you fear an usb boot?

      kys subhuman chill.

    • 2 years ago
      Anonymous

      >Now people are chomping out because there's a security measure that prevents that ?
      There were already several ways to prevent that, techlet. Educate yourself before speaking on matters you don't understand.

    • 2 years ago
      Anonymous

      >removes unencrypted drive
      >places in tpm-disabled machine
      nothing personal skid

      • 2 years ago
        Anonymous

        Windows machines come with disk encryption by default and the key is stored in the TPM, which only reveals the key when Secure Boot is enabled. Transplanting the drive nets you with exactly what you'd expect: An encrypted drive that you don't have the key to.

        • 2 years ago
          Anonymous

          Utterly and completely incorrect. Windows is still so stuck in the past that their shitty BitLocker encryption can't do FDE.

    • 2 years ago
      Anonymous

      i actually like it that way, it saved me a few times already when my laptop died.
      Just don't have your shit stolen like a moron

  17. 2 years ago
    Anonymous

    Almost every laptop boots windows by default, no surprises.
    Many distros support secure boot and are signed by Microsoft (Fedora, openPEPE, Ubuntu...) and they should have no problems.
    Either way, aren't linuxbros tech nerds? Don't they know how to disable secure boot? Shitty clickbait title.

    • 2 years ago
      Anonymous

      >Many distros support secure boot and are signed by Microsoft (Fedora, openPEPE, Ubuntu...) and they should have no problems.
      >default not trusting bootloaders/drivers signed with the Microsoft 3rd Party UEFI CA Key"
      yeah, no problems

  18. 2 years ago
    Anonymous

    TPMs and Secure Boot keys get zapped and corrupted all the time by chinky BIOS updates - MS pajeets better come up with a more reliable standard for flashing firmware, that shit already gets delivered via windows update. Just imagine if it took your drive encryption and keychains out with it, wingays.

    • 2 years ago
      Anonymous

      >Just imagine if it took your drive encryption and keychains out with it, wingays.
      I think we had that happen recently with a bunch of our bitlockered computers failing to boot (no BCF found, no windows installation found either) all on the same day, all the same model, affecting all computers of that model and none of the others.

      • 2 years ago
        Anonymous

        I've absolutely had more than a few models of chinkpads and dells get their TPM contents BTFO by bios updates. MS hadji's want to have all the same automation that Android/iOS have for firmware updates, but they've done none of the work to make sure its something thats actually safe to do. My phone doesn't brick itself when there's a new quarterly update. Its one of those things those greedy homosexuals would actually test on a Surface.

        • 2 years ago
          Anonymous

          >My phone doesn't brick itself when there's a new quarterly update
          clearly you've never used non-flagship android phones

        • 2 years ago
          Anonymous

          >Its one of those things those greedy homosexuals would actually test on a Surface.

          I guarantee plenty of surfaces also bricked themselves because they didn't sanity check/power check etc, before forcing a firmware update.

  19. 2 years ago
    Anonymous

    Microsoft is still shit, what's new?
    go burn some Microsoft buildings or something

  20. 2 years ago
    Anonymous

    >that Linux wouldn't boot by default
    So nothing-burger then?

    • 2 years ago
      Anonymous

      NAKADASHI SEX SEX SEX SEX SEX COOM SEX UUUUOOOOOOOHHHHHHHHJJ

  21. 2 years ago
    Anonymous

    cool, i'll be using my corebooted w520 with 32gb ram and an ivy bridge cpu

    • 2 years ago
      Anonymous

      do you actually make use of those 32gb? i'm asking because i recently bought a w530 with 16gb and 2 free slots, so i'm wondering if i should upgrade the ram to 32gb.

      • 2 years ago
        Anonymous

        i do when compiling blender and qtwebengine

  22. 2 years ago
    Anonymous

    This is why I bought the 5000 series
    Even lenovo hates this shit

  23. 2 years ago
    Anonymous

    next time post the fricking link to the article too so I don't have to go looking for it myself you fricking c**t.

  24. 2 years ago
    Anonymous

    >buy OEM
    >get OEM lock in
    wow!

  25. 2 years ago
    Anonymous

    Pluton will turn your PC into an Xbox.

    You vill own nothing and you vill be happy.

  26. 2 years ago
    Anonymous

    Just disable secure boot?

  27. 2 years ago
    Anonymous

    >that Linux wouldn't boot by default
    as if Linux ever worked by default lmao

  28. 2 years ago
    Anonymous

    Where are the naysayers calling people squizos for pairing out the obvious? IQfy said this was going to happen 10 years ago.

    • 2 years ago
      Anonymous

      Except nothing has happened
      If you were to boot anything but corporate distros, you'd be disabling secure boot anyway.

      • 2 years ago
        Anonymous

        >he thinks he'll be able to disable it
        Oh I'm laffin

        • 2 years ago
          Anonymous

          You must be 18 to post here

  29. 2 years ago
    Anonymous

    [...]

    It should not be necessary to change this BIOS setting, no matter how simple it is to change. This should not be required just to install an OS.

  30. 2 years ago
    Anonymous

    Zzzzz
    Oh no! Secure boot! Linux is finished!
    Said someone many, many years ago. Panic more please.

  31. 2 years ago
    Anonymous

    reminder that the turbohomosexual who's responsible for leading the development of pluton and marketing it looks like this and has the biggest shiteating grin on the planet. they're getting away with implementing this because no one gives enough of a shit about pluton to actually make a fuss about it

    • 2 years ago
      Anonymous

      It literally doesn't matter. Turn secure boot off and you can install Linux. You can also turn pluton off

      • 2 years ago
        Anonymous

        You can turn it off, *for now*.
        Any action, no matter how small, that impedes your ability to use custom OS should be fought relentlessly.

  32. 2 years ago
    Anonymous

    [...]

    Of all the words of tongue and pen, the saddest are these: Stallman was right again.

  33. 2 years ago
    Anonymous

    Is there a way to start uploading keys that distrust Microsoft's signatures by default?

    I will make it my duty to buy as many laptops as possible and replace the keys so the average normie can't install windows

  34. 2 years ago
    Anonymous

    The schizos were right again

  35. 2 years ago
    Anonymous

    [...]

    Who the hell ships with BIOS anymore? It's UEFI now.

    • 2 years ago
      Anonymous

      Nobody makes this distinction.
      It's a muddy topic since the correct term for the interface with all the settings is "BIOS Setup" and "UEFI Setup".
      Intel motherboards are not mandated to be BIOS-compatible since 2020, but manufacturers can still implement CSM if they wish.

  36. 2 years ago
    Anonymous

    So, how do I install Tribblix now?

  37. 2 years ago
    Anonymous

    Gee you mean exactly like anyone with an IQ over 36 was saying from the second this shit was announced? Microsoft: bringing the locked down hardware of ARM to an x86 machine near you!

  38. 2 years ago
    Anonymous

    >all apple products preloaded with iOS and macOS
    >blocks any lincuck distro from even booting with T2
    >shifts entire industry to ARM
    >ARM allows all PC OEMs to have a unique proprietary locked bootloader for each product they release
    >soon ARM stinkpads will come locked to winblows
    >every single ARM laptop will be a unique special snowflake like phones and need a custom bootloader exploit and distro built for it
    >736 arm laptops released each year mean 736 device specific root exploits, 736 special snowflake builds of the loonix kernel, and 736 custom builds of ubuntu
    >multiplied by 521 different distros that's like over a million different distros have to be specifically built to be arm compatible EVERY UPDATE
    >freetards will be lucky to crack 10-20 device bootloaders a year
    >hobby loonix distros wiped out instantly because neckbeard neets cant just release 1 ISO for 23,768 laptops anymore
    >desktops and custom built devices completely extinct without economy of scale manufacturing when corporate purchases shift entirely to ARM
    >only major distros will survive on 2-3 stinkpad models that get cracked each year
    >loonix market share tanks from 1% to 0.00001% like it is on android vs lineage
    >loonix purged from all of technology within this decade
    >Stallman and FSF cancelled
    >freetards all neck themselves

    Say it with me now:
    THANKYOUBASEDAPPLE
