29 comments

[ 5.4 ms ] story [ 71.8 ms ] thread
Yet another reminder that PCs boot alternate operating systems only because Microsoft allows it for the time being.
In the EU you can boot any OS you want. It's a little annoying to click through 15 "are you sure?" screens but it works.
Reminder that PC hardware has multiple sources and even if it splits into Windows-booting and OtherOS-booting hardware, someone will probably sell you such hardware when the time comes.
Yes, but pretty much everybody got their start with Linux by installing it on a computer they already had and experimenting with it, whether it was the family computer, an old laptop, etc.

If you start needing to buy specialist hardware before you can even try out something other than Windows, the barrier to entry and inertia this creates will mean less and less people ever even develop a desire to try it.

Older unlocked hardware will still be available. Also people still buy the Raspberry Pi anyway which doesn't even run Windows.
The barrier to use Linux is lower than ever and doesn't require installing a new base os. On Windows you can just install Ubuntu from the microsoft store or run "wsl --install"
Rather than think "use Linux", think "not use Windows".
Reminder that there are a finite number of chip fabs and, as challenging as it is for the Free Software Foundation, hardware is worse.
and then there will be software you depend upon that disallows OtherOS-booting hardware.

tangential example: banking apps on non-google androids

Consumers can just turn "secure boot" off.
You can on x86 machines, but AIUI they require ARM machines that ship with Windows to have secure boot permanently enabled. That hasn't been much of a factor so far given the false starts that Windows ARM has gone through, but with Qualcomm set to launch their Apple M-series competitor soon it might start to actually matter.
All of this is moot if essential services like government or banking require root of trust attestation that is only available on windows. New chips already have Microsoft's pluton core.
Which is why Linux distros should be investing heavily in security now so they can prove to manufacturers / Microsoft / the government that they are secure (compared to other consumer operating systems) to avoid a future like that.
It's pretty hard to compete with open source plus byte-reproducible builds for anyone serious about security. Not only is MS neither of those, it's also the premier malware target and a voracious surveillance instrument on its own.
>compete with open source

Open source doesn't necessarily imply it is secure. Security isn't free and open source projects can struggle funding such development.

>byte-reproducible builds

This is mostly a party trick. Meanwhile the system is one curl | sh away from having all its cookies stolen, files cryptolocked, mic spied on, keylogger installed, clipboard sniffed, etc. Reproducible builds can't save you from insecure design which my comment was referring to investing in fixing and is what this patch being highlighted in the article is doing.

>it's also the premier malware target

Having a large market share is why. If Linux overnight gained a ton of marketshare the malware situation would be worse than windows.

That's true if your definition of security is "I hope we found all the vulns" from the 1990s. Today we expect defense in depth and Linux is behind Windows in sandboxing, VBS, etc.
(comment deleted)
Linux distros should not have to prove anything to Microsoft for any reason. It's a major failure that our governments ever let a major operating system vendor get into a position where they can gatekeep other operating systems.
Linux distros are still free to create their own CA and convince manufacturers to trust it.
What would prevent Microsoft from requiring its removal for Windows installs?
Technically correct, but obsolete. Windows 10 run on ARM and had that requirement that you talk about, Windows 11 runs on ARM64 without that requirement.
Don't say "alternate" like that! Have some respect. Windows is the most popular alternative OS to linux, right after macOS.
I'm not sure when booting a computer became so complicated. Reasoning about this patch is near impossible unless you know the inner workings of EFI and TPM. It does not bode well for user privacy.
Rather than blame the Linux patch process & iteration for obfuscating, I kind of want to throw the shade & nastiness at Microsoft for iterating security posture & requirements in a subtle way over time where it wasn't clear up front why Linux would need to leap through Gates' hoop of fire here.

If it were crystal clear what the need being satisfied were, these patches would probably explain themselves.

(comment deleted)
TL;DR; Microsoft requires pages to be either writable or executable, but not at the same time in a certain scenario, which is actually a good practice.