
Disabling secure boot takes like five seconds, I don't see what the big deal is.


If your BIOS allows it. Some don't, or if you disable Secure Boot you lose other motherboard features. My home server is an ASUS motherboard that loses Intel integrated graphics without UEFI, which makes installing an OS awkward. https://www.reddit.com/r/ASUS/comments/s68b25/psa_enabling_l...

Also like a sucker I thought secure boot was doing something to help secure the boot of my computer and was worth the bother.


Disabling Secure Boot is not the same as enabling CSM (non-UEFI boot). You can disable Secure Boot while still booting via UEFI without CSM, and that shouldn't affect your graphics at all.


"If your BIOS allows it"

Which systems enforce Secure Boot out of the box and lose functionality without it? You mention something ASUS and Intel graphics being broken without UEFI which isn't the same thing.


Android. After rooting your phone, apps relying on the secure key store and DRM media playback are very likely to stop working.


That's nothing to do with Secure Boot though.


It does. Except they call it verified boot. Maybe rooting was the wrong term; it’s more about installing a custom ROM, where this mechanism prevents your custom ROM from getting hold of DRM keys.


It's not the same technology.


> I thought secure boot was doing something to help secure the boot of my computer and was worth the bother.

It does, and it is. SecureBoot makes sure that the firmware your computer boots to begin the boot process is signed by a trusted authority. It does not check the firmware for bugs or somehow sense them and skip over that code or something.


> SecureBoot makes sure that the firmware your computer boots to begin the boot process is signed by a trusted authority.

The passive voice in "trusted authority" is pretty much the source of discontent in "SecureBoot."


SB is definitely imperfect, but a useful tool in moving toward a trusted boot. I think we'd all agree having a trusted boot sequence is desirable, the point of contention being who gets to decide the criteria for trust. It's been a few years since I worked in the space but I think SB gets a bit of an undeserved bad rep (I'm sure because people were vocal early on). There is a SB-signed UEFI application that allows for enrolling other loaders based on the hash of the loader.


> who gets to decide the criteria for trust

Good point. Both are important: who does the trusting and how they define trust.

The latter is the second set of concerns: remote attestation.

I recall reading someone on Twitter mentioning having remote attestation for online banking. So starts the dystopia.

But yes, having a trusted chain can be a good thing. It depends entirely on the who, the what, and the how.


> I think we'd all agree having a trusted boot sequence is desirable

We don't.


That trusted authority can be you if you choose to enroll your own signing key. While it's true that most motherboards come pre-seeded with Microsoft's keys, there is absolutely nothing to stop you from removing those keys and replacing them with ones you specifically trust.

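The two mechanisms described in the comments above, enrolling a loader by its hash and replacing the vendor-shipped trust set with your own, modelled in a short Python example. This is an added illustration, not code from this thread or from any firmware: it keeps only the hash form of the UEFI db (authorized) and dbx (forbidden) lists, whereas real firmware also stores X.509 certificates in db and verifies Authenticode signatures against them. The class and function names, and the sample "images", are constructed for the example.

```python
import hashlib


def image_hash(image: bytes) -> str:
    """SHA-256 of a boot image, the form in which a loader is enrolled by hash."""
    return hashlib.sha256(image).hexdigest()


class SecureBootDb:
    """Constructed model of the UEFI db (authorized) and dbx (forbidden) lists.

    Only hash entries are modelled; certificate entries and signature
    checks are left out so the example runs with the standard library alone.
    """

    def __init__(self, authorized=(), forbidden=()):
        self.db = set(authorized)
        self.dbx = set(forbidden)

    def enroll_hash(self, image: bytes) -> str:
        """Add a loader to db by hash (the hash-based enrollment the thread mentions)."""
        h = image_hash(image)
        self.db.add(h)
        return h

    def forbid_hash(self, image: bytes) -> str:
        """Add a loader to dbx. A dbx entry wins over any db entry for the same hash."""
        h = image_hash(image)
        self.dbx.add(h)
        return h

    def is_allowed(self, image: bytes) -> bool:
        """Firmware-style decision: dbx is consulted first, then db."""
        h = image_hash(image)
        if h in self.dbx:
            return False
        return h in self.db

    @classmethod
    def owner_reset(cls):
        """Model of clearing the vendor lists so the owner starts from an empty trust set."""
        return cls()


# Constructed sample images; stand-ins for real PE/COFF EFI binaries.
VENDOR_LOADER = b"vendor-signed bootloader image"
MY_KERNEL = b"my own kernel image built from source"
TAMPERED = MY_KERNEL[:-1] + b"!"  # one byte changed


def demo() -> dict:
    # 1. As shipped: only the vendor loader is authorized.
    shipped = SecureBootDb(authorized=[image_hash(VENDOR_LOADER)])
    results = {
        "vendor_boots_as_shipped": shipped.is_allowed(VENDOR_LOADER),
        "my_kernel_boots_as_shipped": shipped.is_allowed(MY_KERNEL),
    }
    # 2. Owner clears the lists and enrolls their own kernel by hash.
    mine = SecureBootDb.owner_reset()
    mine.enroll_hash(MY_KERNEL)
    results["my_kernel_boots_after_enroll"] = mine.is_allowed(MY_KERNEL)
    results["vendor_boots_after_reset"] = mine.is_allowed(VENDOR_LOADER)
    # 3. A single flipped byte changes the hash, so the image no longer matches db.
    results["tampered_boots"] = mine.is_allowed(TAMPERED)
    # 4. dbx takes precedence even though the same hash is still present in db.
    mine.forbid_hash(MY_KERNEL)
    results["my_kernel_boots_after_forbid"] = mine.is_allowed(MY_KERNEL)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point the model makes concrete: the decision is a lookup against lists the platform owner controls, so "trusted authority" is whoever holds the keys that may write db and dbx; a revoked (dbx) entry blocks an image regardless of what db says, and hash enrollment ties trust to one exact binary rather than to a signer.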

> if you choose to enroll your own signing key.

Can you also re-sign the firmware and hardware checks as well? Last I knew you could not.

Of course, you can't dual boot anymore.

https://community.frame.work/t/solved-secure-boot-and-custom... seems to be a good read on it.


That's not secure boot. It's possible your memory test only runs in BIOS/CSM mode, but that setting has little to do with secure boot. CSM disables secure boot, yes, but only as a side effect.

If you're on Windows, try launching Windows' memory test instead. That'll work both on secure boot and UEFI.


I don’t feel comfortable depending on a vendor to expose that switch. Once all the Secure Boot infrastructure is built out all it will take is one more decision for them to stop giving me an option.


Some cheap laptops have forgotten to expose that switch.


Then they cannot get Windows certification. Microsoft mandates a Secure Boot disable setting for all x86 computers.


For now.


Everything in life is only for now.


Doesn't mean that accepting a situation where all it takes is a policy change is a good idea.


Start installing coreboot then?


I do use coreboot on my 51nb faux-ThinkPad X210 thanks to @mjg59 :)


At which point all hardware that currently exists which you already own will get remotely updated out from under you so you can't boot your own kernel?

I get that being allowed to run the code you want on hardware you own is paramount, but let's not live in fear of hypotheticals. There are already secured platforms like the Xbox/PS5/iPhone where we don't have that option and the world hasn't ended.


How do you expect the ecosystem to look in 20 years? You're simply not thinking far enough ahead.

"it's only a few right now don't worry about it" More happen. "okay maybe I see where you're coming from but it's still avoidable!" It continues. "I still have options I don't know what your problem is." Eventually, no choice. "How did we get here!?!?!"

We need protective regulations that ensure that general computing is accessible to every citizen. Giants of industry are not entitled to control devices that they sell after they are sold.


20 years from now, we're still going to want to run our own software. You're worried about falling down a slippery slope, and your concerns are valid, but it's called the slippery slope fallacy for a reason.


> 20 years from now, we're still going to want to run our own software

And you'll be able to, on hobby machines or VMs. But the general purpose machine where the owner controls the OS will fade.

Banks, popular sites and other choke points will demand attestation of an unmodified system for access. People will talk about internet access the way they do about driving in the US - a privilege, not a right.

Bet it.


Let's have that conversation right now, then.

What about Internet access deserves to be considered a privilege and not a right? What human is less entitled to accessing the wealth of knowledge and information available on the Internet? Discriminating who can and cannot access the Internet is not something that will be popular or defensible.

If the search for knowledge itself is considered dangerous, then what of all the knowledge gathered on the public against its will?

Internet access isn't remotely comparable to driving. By driving, you're exposing yourself and others to potential mortal danger. Nothing is automatic, you must be aware of, and follow, all laws concerning how it is to be operated. You have to have a license.

The Internet's spirit will die the day you need a license to access it. The body will take a lot longer.


Unfortunately, I don't think anyone would frame it in that way. It will just be a matter of saying "to protect everyone's security and privacy, only known good devices will be allowed on the web/internet". Software and hardware vendors will provide the right attestations, but if you write a custom kernel, that device will not be allowed to connect by any attested device.

But, you as a person will not be denied the right to access the internet. It's just that you'll need to use a device that doesn't "risk the security of the internet" to do so. Just like if you build a custom vehicle, you aren't allowed to drive it on national roads, because it risks the safety of the road system and all its participants.


I'm not making a normative claim - I don't want a corporate mall, either.

I'm making a prediction. The unregulated internet is a risk to some very powerful interests. They cannot tolerate that. And despite what some people thought early on (me included), IT is a power-amplifier, not an equalizer.

I'm not optimistic.


In that vein I agree, nation states are about control, and giving any control to people comes with risk. Personally, I would argue that if they can't trust their own people with basic computing power, it says a lot about the administration's character and capabilities to defend itself. Maybe don't piss off people who outnumber you and are responsible for the prosperity of the state? Royal "you", of course.

That's why I think we have to go the legal route, as little as I trust society and its policies, others do. We need to consider the personal use of property as an extension of the 1st amendment, at least in the States. If I purchase a computer, I should be able to do whatever I want with it, especially if I'm not hurting anyone or violating rights. Ownership needs to mean something, or capitalism's core tenet is lost and the veil begins to slip.

Building spying nanny chips and other "safeguards" is really just an obstacle to ownership. It should be considered anti-consumer and a form of military-grade espionage. The John Deere escapades are a prime example of what will happen to general computing if we don't make some sort of effort to protect and enshrine computing freedom.

Maybe it won't be an issue and we'll be 3D-printing PCBs from open or patent-expired schematics so it won't matter. Maybe e-waste will be enough of a problem that there will be enough to hobble along until something bigger coalesces.

I'd rather not go on maybes though, and would rather vote for legislation that ensures the government will punish any business that sells me something and then tries to prevent me from exerting control over it as the owner. That is such obvious fraudulent behavior, there's no good defense for it. Business already enjoys the protection of copyright, trademark, and patent. An important aspect of business is actually parting with what you are selling, and giving up control.

The control is what is being bought!


If you want to go dystopian, we're already seeing the glimpses of such a future with Covid, where alternative "facts" are considered dangerous. It's easy to dismiss now, when it's because sane people don't buy that there are microchips in the vaccine, but a future where information is so dangerous that you need proof of government programming in order to access the unrestricted Internet isn't too far down the slippery slope you're sliding down.


> sane people don't buy that there are microchips in the vaccine

That kind of rhetoric is itself part of the dystopia. There were and still are much more rational perspectives that are deemed wrongthink and lumping them together with obvious crazies is one tactic used to suppress them.


It’s called the slippery slope fallacy by people who don’t want to grapple with the slippery slope.


It's a logical fallacy but a rhetorical argument. Slippery slope is entirely about how likely it is that you fall down the slope. We have direct evidence that the same organizations calling for Secure Boot intend to use it for DRM, because they are quoted in sales documents touting it for that.


And to be clear:

> Intel® CSME supports HW DRM that helps users enjoy premium services from third-party providers, with control access to copyright material https://www.intel.com/content/dam/www/public/us/en/security-...

This is 100% supported by manufacturers' own documentation. I'm not sure it's even a slippery slope argument, when it's that clear. It's more like a murderer, caught red-handed and having already dictated and signed a confession, saying "That was just a joke, I didn't really kill him."


We're still going to want to, and we're not going to be able to.


I have seen no assurance that the slope is well-gritted. There is a proven inverse correlation between corporate powers and consumer freedoms.

It's not fallacious in the slightest, you're simply enjoying the slide for now.


That's your opinion. Smartphones have already brought about the trusted computing only world you fear, for non-technical users. The biggest distinction of general computing then, is the ability to run untrusted executables. Hardware is cheap enough these days that having a secure device dedicated to banking/whatever isn't out of the question. And with Google making virtual machines basically a primitive on Android, having an unlocked system but with trusted VMs inside seems to be the next step in allowing users to have local administrative access, if they so choose. I don't doubt that ChromeBooks and iPadOS devices will continue to be popular, but at the very least, there will always be a need for developers to have unrestricted systems to develop on, which, I believe, means that they'll exist until all software ever needed has been written.


> Smartphones have already brought about the trusted computing only world you fear, for non-technical users.

What's the purpose of this statement? "You've already lost" anime-style bullshit? This is proof that it's gotten worse as time has gone on. That is, it's evidence that the slope is slippery.

Receding into a VM doesn't give people control; the host OS can still view everything happening in that VM. It has to in order to do its job virtualizing.

I agree that we will always have a need somewhere for machines to just run code. However, I do not trust that developers will be steadfast enough to resist the inevitable anti-features that make their way into products to take control from the user.

Smartphones and UEFI+secure boot enabled devices are a testament to this. It's possible to root and install your own ROM, on some models, but for how long? It's been a cat and mouse game between hackers and phone manufacturers.

Today's developer systems are already infected with nannyware, unless they're running OpenPOWER or a similarly open and unencumbered system. I'm on a Librem 14 with a mostly-neutered IME (so, still x86_64), and honestly I wonder if what Purism was able to do to isolate it was enough. AMD pushes PSP with their chips, and ARM is its own strange song and dance, and licensing is a bitch.

We need hardware that can be verified and trusted not by business, but by consumers. How do you think people will get developer systems if this culture of "no code is good unless it's corpo code" continues to prevail?


Technology ultimately can't protect you from government and corpo snooping. It's only laws that can limit what happens, at least to some extent. And those laws are better focused on the actual collection and uses of data, than minutiae about the hardware/software. It's ultimately irrelevant that the OS could listen in on you if it doesn't.


Windows does listen to you. So does Android.


> an unlocked system but with trusted VMs inside seems to be the next step in allowing users to have local administrative access

There's not a single example of that happening, as far as I know. What we get is "oh, you want general purpose access? here's a sandbox for you to play in", with the system itself remaining locked.


Even with it disabled sometimes you're still locked into this UEFI mess that I certainly didn't order.

I love my thinkpad p1 g3 more than most laptops but I miss having a simple BIOS. Stupid thing can't boot off normal USB keys like I've been making for decades.


You can boot USB from UEFI. The tool I found that handles it best is Rufus. I used it to clean install my Windows through UEFI. Even Linux Live USB works. BalenaEtcher gives me problems, Rufus does it well for me.

Also I remember there is a setting in UEFI to allow booting from USB.


It's possible, I've done it, it just involved a lot more steps. Simpler when I can `fdisk && mkfs && debootstrap` to make a key. Plus then I need to keep two bootable usb keys, I think... it's just... "Who ordered this??"


I’ve never had a problem booting from USB with UEFI.


Strange, I have that laptop model and booting off USB drives works just fine for me (GPT + one giant FAT32 partition + the UEFI-capable ISO just extracted onto the disk). Maybe update the firmware? It could also be some kind of weird compatibility issue with specific USB drives, I wouldn't know.

Lenovo also recently released a CVE fix, possibly even for this vulnerability, so you may want to check for firmware updates regardless!
