Linux is quite well established now on home pc’s and servers to the dismay of Microsoft and Apple. I hated Secureboot , built into UEFI, during startup by verifying the digital signatures of firmware, drivers, and the OS bootloader. Reading into Deep State Mass surveillance helps:
Nothing says that Linux could eventually evolve into the same thing or fail to ever really function for the masses.
I would say if/when PCs move over to ARM than we very well may see the same issues mobile devices have. There is a severe lack of Linux compatibility due to proprietary drivers, sometimes no drivers at all, no software support, and no device trees.
I have the ubuntu 25 concept installed on my snapdragon HP Omnibook 14
Other than a few software hiccups you would expect of a “concept build” it works almost perfectly and is now my daily driver. Actually getting the OS on the machine was pretty easy too, it has something akin to a bios. the process isn’t all that different.
The more difficult bit was getting the drivers working after installing the OS. no all of them have been released under license yet so some of them you have to poach from the windows partition. also audio required some tweaking.
Well yes many arm PCs do work, im just saying eventually they will be locked down
there is another… but, it may be RISCy
As much as I love RISC-V I’m afraid it will turn just like arm now, the architecture is open but every chipset that came out is not, there isn’t an unified booting standard like UEFI+ACPI for RISC-V
God I hope i’m wrong
Also ARM is way less standard. While UEFI does exist on ARM, most just use some custom bootloader. And let’s not forget how ARM is protecting its Mali Linux drivers.
Removed by mod
Removed by mod
Removed by mod
Removed by mod
Removed by mod
Removed by mod
Removed by mod
Removed by mod
You’re describing Secure Boot. It happened years ago.
And, btw, the Android thing also doesn’t affect anyone without gapps. Chill out.
When I was tasked with buying laptops for a company, I made sure to test Linux compatibility on every machine. If the model didn’t support Linux, we didn’t buy it.
Most of the devs were windows users, but there were enough devs and sysadmins that preferred Linux that it just made more sense to only buy hardware that supports both windows and Linux. I’m sure a lot of tech companies have a similar policy (it’s one reason think pads are so ubiquitous)
Corporate pressure would never allow such lockdown in the market
And, btw, the Android thing also doesn’t affect anyone without gapps. Chill out.
so only 99% are affected, that really calms me down.
Many services that are connected to finance/payment require gapps, car sharing, banking etc.
you are right about secure boot, but this was rolled out with proper alternative routes from the beginning. i did not see anything like this for Android at this time
Don’t install gapps. And ffs don’t use banking on insecure devices anyway
Define insecure devices.
If I don’t install gapps my banking apps don’t work.
Does the bank app do anything that the mobile bank website can’t? I’ve never felt the need to install an actual bank app. You can use micro g or sandbox gapps.
Some banks the website works only if you install some kernel modules. Worst than use the cellphone app.
I would literally switch banks over this
If it is possible yes, but sometimes it is not or the other options are even worst.
There is no requirement for it, and can be disabled
Exactly.
For now.
You’re describing Secure Boot.
Secure Boot is literally configurable. You can create your own key and sign whatever you want with it. See sbctl.
If you change platform keys, it looks to me like you can brick your system if hardware component drivers that execute during boot are signed by microsoft keys.
Microsoft will make sure many of their partners sign hardware drivers with their keys, to be windows 11 certified of course. No other reason.
They will encourage manufacturers to only allow secure boot in UEFI. Then at some point they will stop signing UEFI loaders, like shim, that linux distros rely on to boot.
…and Bob’s your uncle.
Yes and no. Most firmware this is impossible.
Microsoft are smart enough to not piss off every giant corporation and destroy their entire business overnight, so you can count on it never being forced by them.
They certainly wouldn’t roll it out overnight but they’ve had their long term targets on OS as a service since Windows 8 and these things tend to come bundled.
Nah, they know their limits. They will keep trying to make an optional locked down OS for regular users a thing, but there will always be a fully “unlocked” version available due to legacy software and the entire worlds reliance on it.
While microsoft also plays in the quarter to quarter economic BS they still have long term planning.
It’s precisely because they have a monopoly on enterprise class software that they could pull this off. That’s why the shift in euro-gov agencies to linux is such a big deal.
MS already has updates as a “free” service and windows insider which requires a paid azure sub which means they already use the threat of “security risks” to force companies to subscribe to azure, which is in effect equivalent to a sub to the OS.
I’m suggesting that they’re going to do what they’ve said they want to do. Just maybe on the longer term or in a novel way.
The biggest motivation they have to keep individual licenses OTP is it gets people used to the ecosystem (customer capture) and they’re massively profiting on all of
yourthat data.Making their OS subscription based is not what we’re talking about though. We’re talking about it becoming locked down and only running signed and approved software like Android is going to do.
That fundamentally breaks windows for most of the corporate world. Literally would break the world as we know it lol.
This kind of stuff never happens overnight. It happens slowly, incrementally, and the people are never mad enough at too much sudden change to be motivated enough to do anything. People should feel good about the imposition of boundaries, and it helps that for the average user, the boundaries often result in a better user experience.
I don’t think you guys understand that forcing windows to only run approved by Microsoft software would literally break the world as we know it. Microsoft know this. There’s no way around it.
I was responding to this:
Microsoft is smart enough not to piss off every giant corporation
Yeah, and they can’t get rid of “sideloading” without literally killing their entire company because gigantic corporations, where they make the majority of their money, are the ones the most beholden to legacy software that would be blocked if they did. Banks, governments, hospitals, schools…….everything would not be able to function.
Well I think you’re moving the goalpoast a little here 😅, but believe me, they already do, lots of soft that doesn’t get around the windows defender.
You can literally always install software no matter what defender says. Did you not know this?
Wow shows you don’t know anything about computers 😂
pissing off customers never stopped them for decades different versions of office programs ran side by side with no issues. they auto uninstall other versions of office automatically while stopping the install with a big pop up about compatibility issues.
this impacts all businesses using old versions of access programs alongside more new versions of office with newer installers. along with a byzantine licensing model with bizarre “incompatibilities” between the same year versions in different licensing channels, yeah tell me how microsoft won’t piss off corpo and government clients.
they seem to specialize in pissing off corpo and gov clients.
Sounds like the businesses you’re talking about have incompetent IT staff.
Last time I used windows in a big corpo settings, there were so many things pudding off both us Devs but also IT.
Switch out a bad RAM stick? Spend an hour with IT.
Use a software? Spend an hour (or days) with IT
Compile your own software? Believe it or not, spend large amounts of time with IT
Like the compiler on a windows PC can’t work without different windows protection systems gets in the way, repeatedly. And then your executable, or some .d’ll just get wiped off the disk 😐🤷🏼♀️
I don’t think they do it intentionally, but big corpos don’t give a shit about their workers conditions, so if they were to enforce things (with backdoors ofc, so that if needed you can deactivate things, remember the unique installation code for windows like 95 or 98?) the grunts will just have to eat it up. And they would probably not have a much harder time, everything is already locked down hardware wise so they are used to all that jazz.
None of your examples at the start I’d that comment make sense or are true.
Also you’re talking about corporate policies for businesses that use windows, not windows itself. Management of devices is one of the biggest reasons why windows is the only real option for big corporations.
Oh I’m very absolutely talking about windows itself, it’s the reason you have go through so many loops to do the tiniest thing.
My point: Microsoft is already doing what you’re supposing they never will.
BTW your first phrase doesn’t make any sense?
Microsoft is already starting to lay the groundwork with their CPU, SecureBoot, and TPM 2.0 requirements.
Apple has been doing this for a long time, though there are ways to get around it on MacOS, for now.
On PC, the answer is Linux. For mobile devices, things are looking more bleak.
Linux won’t be an option if the boot loader is locked. I think Linux is just about popular enough that options should remain but they might become reduced unless it becomes more popular than it currently is.
If the private key were to leak, we’d be home free
Linux is heavily used on servers. Losing server sector means a huge chunk of revenue.
Linux is servers.
Hell, VMware migrated to a Linux base a while back, and with their new exorbitant pricing, large environments are switching to things like Proxmox.
The next ten years, VMware will be second string virtualization, even in data centers.
I’m not sure what’s going to happen, but there was a “BIOS War” in the 80’s,when IBM wouldn’t release their BIOS code, so other devs reverse engineered it. No reason why that couldn’t happen again.
I’d imagine not every mobo manufacturer will play ball with whoever mandates a locked bootloader.
Right now, we have google and apple with a duopoly on mobile devices.
The grand majority of all laptops and desktop devices are using motherboards manufactured specifically for those devices (or device series). It’s not much of a stretch to imagine them adding restrictions to their already mature supply chain.
Sure, but there’s Tuxedo Computers, Framework, the PopOS guys selling PCs and many more. Those won’t go away.
Yeah, but for 99.9% of computer users that doesn’t matter.
They’re getting their hardware from major manufacturers or second hand from people who bought them from major manufacturers.
Which means the negative effects will be felt across the board except for the few people who specifically purchase hardware from niche manufacturers.
Next phone I get I’ll get fairphone and check the market for an alternative OS at that time. This might be the push that the Linux phone community needs to make it proper and good.
We currently need a KDE phone that they sell where I can buy a KDE phone and support them that way.
The pieces are coming together for Linux notably:
- SPA support instead of apps.
- Waydroid
- Core components such as calling, sim card actions, recording, speakers can be provided by fairphone via drivers.
I’m getting pretty sick of Google and other corpos locking down Android so fuck them, third best phone OS will have to do and I’ll do banking in the mobile browser page.
I just bought the cheapest fairphone I could get to replace my old pixel. Now it’s time to try proper linux on mobile for the first time. I’m excited!
Almost 15 years on Android finally coming to an end! My first Android phone came with Android 2.1 and now 14 shall be the last version I’ll ever use.
The situation is actually quite awful. I remember when TPM was palladium and there were apocalyptic talks in tech conferences about it being the end of general purpose computers. The idea that your computer could veto what it was used for.
The backlash only set them back a few decades apparently. Everyone forgot and now it’s a literal requirement for the latest Windows and in two months they’ll stop supporting the old Windows…
https://youtu.be/HUEvRyemKSg might be relevant.
Turns out some people can predict the future if they pay attention
Linux on the phone has come a long way I hear. I have been meaning to buy one and see if it can be my daily driver. Google being shitty would definitely push me there
I even liked the idea I saw mentioned today where maybe it’s time for 2 devices.
One that just does phone calls and SMS.
The other is a tiny portable Linux computer that does everything else. Who needs android or apps anyway?
I’m starting to think I don’t want calls and SMS on a device. I use signal for that anyways. I’d be fine without and a corpo world burner phone for that
That seems inconvenient. Can Linux phones not do calls and SMS?
Calls and SMS work in more than half of the phones that can run Linux. Here’s a list: https://wiki.postmarketos.org/wiki/Devices
I’d argue that if it doesn’t do calls it’s not really a phone.
Edit: Also most of the phones are pretty ancient, the newest one is 4 years old, are 7-8+.
Most of them do do calls, though.
You can get a retro phone for like £15 or so. Mine even has a (shit) camera and a 64GB SD card to expand the internal 32MB (yes MB) storage.
There’s also Europe, which has led the way in regulating against monopolistic power for Big Tech.
Yeah, i’m pretty sure the EU wont approve of locking down PCs that way. I’m also pretty sure that Googles current moves regarding the registration of developers and locking down sideloading will not be seen positively in the current climate, where the EU seeks to become more independent from Silicon Valley. The EU has been adamant in their view that users should not be limited to one market on phones; i believe that trying to lock down PCs would lead to legislation forbidding that.
Didn’t MS already try this with Windows S editions?
And just like that I’m all about Ubuntu phones now
Which devices are you planning to get at right now?
Either buy pine or try out userland for current but I haven’t completed the research yet
This is already happening, but it’s on an organisational level by policy. These policies can be applied to systems that follow trusted computing rules, which is most Windows 10 systems and pretty much all windows 11 systems. Google has laid the groundwork for this since the pixel 3 was released in 2018.
Since then, we have seen Google put the Titan security module in all phones and I’m certain Chromebooks are requiring TPM modules that serve the same function.
Apple has been doing the same since God knows when. Their systems have had unique chips that ensure that when MacOS is installed, it is only installed in Apple computers. There are ways around this, just as there are ways around the TPM requirement for Windows 11.
The trusted computing model, when fully imposed, can basically stop any applications from running that have not been given the blessing of the security team.
As far as I’m aware, the only people taking advantage of the technology are government institutions.
The fact that this can be wielded to enforce control over private individuals by our corporate masters is becoming a very real possibility, but the fact that it hasn’t happened yet, by any vendor, is, in my opinion, good evidence to say that it’s unlikely, but not impossible. Maybe that’s wishful thinking on my part.
In any case, the only truly free operating system left is GNU/Linux, with few other exceptions.
Gnu Hurd ftw ! (I’ll see myself out)
They’re waiting until all the products in the wild can be locked down.
Right now, they’re struggling to get people.to jump to Windows 11, and people are hoarding their old computers. They want all the products that don’t have TPM or its equivalent to be outmoded before they remove the mask.
Maybe. In my experience business isn’t that patient.
A TPM is otherwise a good thing. It can extend cryptographic capabilities and the overall security stance of the system.
But I digress. I will reserve judgement for now. Time will tell either way, and I don’t think anyone will feel like gloating if they start to lock it down like you believe they will.
I kind of expect this to happen with Apple’s rumored $600 macbook. Since they just updated ipadOS to run like a locked down version of macOS. I bet they will offer this cheap mac with the same locked down OS since it will have a “phone” processor in it.
They will say this was a compromise needed, but the majority of people will not care. After a few years, the macs that are open will get more and more expensive.
I’m guessing Windows will slowly start to move in thie direction, but I think they will try to push their remote computers thing to accomplish this.
I’m not sure about bootloaders being locked, I am guessing there will always be something that is unlocked and able to run linux though. It is needed for servers and stuff like that. In the worst case, someone will likely sell arm or risc-v powered boards that can be used to run linux.
It’s not going to happen.
Motherboard manufacturers are not going to start making Windows only BIOS.
Microsofts target audience isn’t the private user. It’s companies. The money they make selling their OS to private persons are table scraps compared to their enterprise licenses. Any such initiative would fuck over every single enterprise customer.
It’s been attempted in two ways.
First is secure boot. There were a handful of computers sold that did not allow disabling of secure boot, or changing the loaded keys. So it was basically essentially a Windows only computer.
More recently is there was Microsoft Windows S. This was a cheap version of Windows Home that ran on low end computers and was locked to only allow installing apps from the Microsoft store. It was possible to unlock it but as I recall it required an additional fee.Enterprises almost all run Windows anyway so they DGAF.
Isn’t secure boot signed by Microsoft anyway IIRC? I know Lenovo had their own signing too. From my knowledge, installing a secure-boot supported linux version requires a ‘shim’ to allow it, and there was an issue that came up as the keys are due to expire for older OS versions.
Of course, Secure Boot can be switched off as well. (for now)
Enterprises use a lot, and I do mean A LOT of custom software. Either developed in house or by others. They absolutely care.
What Microsoft does within their own OS, as the “S” version you’re talking about. That’s a non issue given you can just flash the drive and install whatever OS you want.
As for the concern that you’d somehow be unable to install another OS. Due to Secure Boot. I personally have never come across a computer that I’ve had full BIOS access to that didn’t allow disabling secure boot. Though some have been more cooperative than others. But maybe I’m just lucky.
But I’m also pretty sure there are linux distributions that support Secure Boot.
Secure Boot for what it’s intended to do, is a pretty good feature. Which is to stop unauthorized software from running before initiating your OS
I was talking about secure boot. If the computer only runs Windows, enterprise doesn’t care. If the computer only runs Windows S, it’s an absolute nonstarter in enterprise tons of apps aren’t on the app store. But Windows S is never targeted to enterprise, only low end home users.
Anything can support secure boot, the question is, are the keys included in the BIOS so it can run that particular OS without loading extra keys?
I’ve also not personally encountered a computer where secure boot couldn’t be disabled or the list of keys modified, but I’ve definitely heard about them existing.
What exactly is your argument? Why would a computer only be able to run Windows?
Secure Boot doesn’t restrict anyone to only windows. Even if we play with the idea that it’s impossible to disable it. You can still install some Linux distributions.
Anything can support secure boot, the question is, are the keys included in the BIOS so it can run that particular OS without loading extra keys?
I don’t even understand what you’re trying to say… You don’t need keys in BIOS to install either Windows, or Linux. The only purpose for the BIOS key is for users to be able to just boot up their new computer that they bought factory new WITH their OS of choice without having to go through extra steps of verifying your OS license.
But you don’t NEED a key in BIOS. You can still buy a key separately to set up Windows. Same goes with paid versions of Linux distributions, such as Red Hat.
Fedora supports secure boot out of the box
So does Ubuntu, but there is a catch. Secure boot relies on signature checking, so you can manually add the signature of your OS manually to the UEFI db, but can’t do that on locked UEFI. Major Linux providers went another route, they paid Microsoft to sign a
shimbinary, which in turn can verify and boot the matching Linux kernels. Microsoft refusing to sign shims would be a rather crippling move, but they would get a massive backlash from that.
That’s probably why risc-v is getting quite popular in embedded stuff - smaller companies wanting more supply chain independence. Hopefully it’ll start to get more powerful soon for more serious computing. Its nice that stuff like debian now has risk-v version too.
Nahhhhhh that’s far more interesting in cause. Moore’s law has been dead for like… I dunno’, at least a decade by now? Bigger and bigger instruction sets have similarly hit their max return on investment. RISC-V is making a comeback solely because it’s literally competative now that frequency and even fancy inctructions have long since tapped out for performance gains.
Especially with GPU compute becoming more and more of a thing since DX11+. Parallel computation has become more and more of a well understood task with great ROI while increasing single threaded performance has been a wizard’s game for yeeeaaaaars.
It’s gotten to the point where some companies are aiming to produce competative RISC-V desktops and servers.
Eh, just means it isn’t plug and play. Once you have the hardware, you are the admin.
It may get tougher, but it’ll never be impossible.
Tell that to the Intel management engine or secure platform module
Hi intel management system, you can be thrown into abnormal states where you sit there eating glue.
