Patrick Reany
27 January 2024
Just today I saw a YouTube video whose creator suggested that the Linux community is at risk from Microsoft because of the SecureBoot feature of modern PC hardware. So, I asked Copilot (BingChat) this question:
Patrick:
Is SecureBoot a current or future threat to the existence of the Linux platform? Many people online say that it is.
BingChat:
SecureBoot is a security feature that was introduced by Microsoft to ensure that only trusted software boots on a computer. It is not a threat to the existence of the Linux platform, but it has been a topic of discussion in the Linux community. Some people have raised concerns that SecureBoot could be used to lock out Linux from booting on a computer. However, this is not the case. Linux can still be booted on a computer with SecureBoot enabled, as long as the Linux distribution is signed with a key that is trusted by the computer’s firmware. In fact, many Linux distributions are now signed with keys that are trusted by SecureBoot [1,2].
There have been some vulnerabilities discovered in SecureBoot, but these are not a threat to the existence of the Linux platform either. For example, a vulnerability was discovered in the GRand Unified Boot Loader (GRUB), which is commonly used by Linux. However, to exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where SecureBoot is configured to trust the Microsoft UEFI CA [1].
In summary, SecureBoot is not a threat to the existence of the Linux platform. While there have been some vulnerabilities discovered, these are not a cause for concern as long as the Linux distribution is signed with a key that is trusted by the computer’s firmware.
[1] https://arstechnica.com/information-technology/2020/07/new-flaw-neuters-secure-boot-but-theres-no-reason-to-panic-heres-why/
[2] https://www.howtogeek.com/116569/htg-explains-how-windows-8s-secure-boot-feature-works-what-it-means-for-linux/
=============================================
Patrick:
Aren't there anticompetition laws in the US that prohibit one company, such as Microsoft, from getting an unfair competative advantage over its competitors?
BingChat:
Yes, there are antitrust laws in the US that prohibit companies from engaging in anticompetitive practices. The Federal Trade Commission (FTC) is responsible for enforcing these laws [1]. Anticompetitive practices include activities like price fixing, group boycotts, and exclusionary exclusive dealing contracts or trade association rules [1]. It is illegal for businesses to act together in ways that can limit competition, lead to higher prices, or hinder other businesses from entering the market [1]. It is also unlawful for a company to monopolize or attempt to monopolize trade, meaning a firm with market power cannot act to maintain or acquire a dominant position by excluding competitors or preventing new entry [1].
In the case of Microsoft, the company has been subject to antitrust investigations in the past. In 2001, Microsoft was found to have violated antitrust laws by engaging in anticompetitive practices that harmed consumers and competitors [1]. As a result, Microsoft was ordered to split into two separate companies, but this decision was later overturned on appeal [1].
Regarding SecureBoot, it is a security feature that was introduced by Microsoft to ensure that only trusted software boots on a computer. While some people have raised concerns that SecureBoot could be used to lock out Linux from booting on a computer, this is not the case. Linux can still be booted on a computer with SecureBoot enabled, as long as the Linux distribution is signed with a key that is trusted by the computer’s firmware [2,3]. In fact, many Linux distributions are now signed with keys that are trusted by SecureBoot [3].
I hope this information helps!
[1] https://www.ftc.gov/enforcement/anticompetitive-practices
[2] https://en.wikipedia.org/wiki/United_States_antitrust_law
[3] https://iclg.com/practice-areas/competition-litigation-laws-and-regulations/usa
=======================================
Patrick:
May I propose a solution to this problem between Microsoft and the Linux community? One way to go is for the Linux community to file an Antitrust lawsuit against Microsoft over who controls the SecureBoot protocols. The second option is for the US to pass a law to establish an independent regulator commission that will set the protocols for the computer hardware industry's security (SecureBoot for example) for the benefit of all (or at least most) operating systems, such as Windows and Linux.
BingChat:
Yes, you can propose a solution. The Linux community has raised concerns about SecureBoot in the past, but it is not a threat to the existence of the Linux platform [1]. While it is possible for the Linux community to file an antitrust lawsuit against Microsoft over who controls the SecureBoot protocols, it is important to note that Microsoft has not engaged in any anticompetitive practices with SecureBoot [1]. In fact, Linux can still be booted on a computer with SecureBoot enabled, as long as the Linux distribution is signed with a key that is trusted by the computer’s firmware [1,2]. Many Linux distributions are now signed with keys that are trusted by SecureBoot [2].
Regarding your second proposal, the US government has already established an independent regulator commission to oversee the computer hardware industry’s security. The National Institute of Standards and Technology (NIST) is responsible for developing and publishing standards, guidelines, and research on information technology and computer security [3]. NIST has published guidelines for Secure Boot that provide recommendations for implementing Secure Boot in a way that is compatible with multiple operating systems, including Linux [3].
I hope this information helps!
[1] https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corp.
[2] https://corporatefinanceinstitute.com/resources/management/microsoft-antitrust-case/
[3] https://www.investopedia.com/ask/answers/08/microsoft-antitrust.asp
========================================
Patrick:
Can NIST actually regulate, or does it merely publish guidelines?
BingChat:
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce [1]. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life [1]. While NIST does not have regulatory authority, it does develop and publish standards, guidelines, and research on information technology and computer security [1]. These publications are often used by other organizations and government agencies to develop regulations and policies [2].
I hope this information helps!
[1] https://www.nist.gov/
[2] https://csrc.nist.gov/Topics/Laws-and-Regulations
(Copilot needs to decide if NIST is a regulator or just an official 'influencer'.)
==============================================
Patrick:
Does Raspberry Pi 4 run with SecureBoot enabled?
BingChat:
Yes, Raspberry Pi 4 can run with SecureBoot enabled. Raspberry Pi Ltd has published a white paper that describes how to implement SecureBoot on devices based on Raspberry Pi 4 [1]. The white paper assumes that the Raspberry Pi running RPIBOOT is running Raspberry Pi OS (Linux), Bullseye version or later, and is fully up to date with the latest firmware and kernels [1]. Swissbit also offers a Secure Boot Solution for Raspberry Pi that allows encryption and access protection of data stored on the microSD card by various configurable security policies [2].
I hope this information helps!
[1] (This file didn't download for me)
[2] https://www.swissbit.com/en/products/security-products/secure-boot-solution/
===================================================
Patrick:
How does TPM (Trusted Platform Module) fit into this discussion of advancing computer security? How is it related to SecureBoot?
BingChat:
Trusted Platform Module (TPM) is a hardware-level security solution that provides an added layer of protection to a computer system by storing cryptographic keys and other sensitive data in a secure environment [1]. TPM is not directly related to SecureBoot, but it can be used in conjunction with SecureBoot to provide enhanced security for a computer system [2]. SecureBoot is a security feature that ensures that only trusted software boots on a computer [3]. It works by verifying the digital signature of the software before it is loaded into memory [3]. TPM can be used to store the keys that are used to sign the software, which provides an additional layer of security [2]. TPM can also be used to measure the boot process and ensure that the system has booted securely [4].
I hope this information helps!
[1] https://www.sweetwater.com/sweetcare/articles/tpm-and-secure-boot-what-are-they-and-how-do-i-enable-them/
[2] https://www.makeuseof.com/how-enable-tpm-secure-boot-before-upgrading-windows-11/
[3] https://petri.com/tpm-2-0-and-secure-boot-become-mandatory-for-windows-server-hardware-in-2021/
[4] https://www.compsmag.com/how-to/tpm-and-secure-boot-in-bios-for-windows/
=====================================================
Patrick:
Windows 11 has rigorous hardware requirements to be met before it will install as an upgrade to Windows 10. Are both TPM and SecureBoot a part of these requirements?
BingChat:
Yes, both TPM and SecureBoot are part of the hardware requirements for Windows 11. According to Microsoft, a computer must meet the following minimum hardware requirements to run Windows 11 [1,2]:
I hope this information helps!
[1] https://www.tomshardware.com/how-to/bypass-windows-11-tpm-requirement
[2] https://www.askvg.com/tip-bypass-windows-11-tpm-and-secure-boot-requirements-check-to-install-on-unsupported-hardware/
[3] https://www.itechtics.com/bypass-window-11-23h2-tpm-secure-boot/
[4] https://woshub.com/windows-11-unsupported-hardware-no-tpm-secure-boot/
===========================================================================
Patrick:
It seems that as of late in 2025, there will be a glut of old PCs (running Windows 10) that cannot be upgraded to Windows 11, in favor of people buying new PCs with Windows 11 installed and working. Ironically, these older PCs can be purchased (at low cost) to run Linux. That should help the Linux community for a while at least.
BingChat:
It is true that Windows 11 has more stringent hardware requirements than Windows 10, and some older PCs may not be able to upgrade to Windows 11 [1,2]. However, it is important to note that Microsoft will continue to support Windows 10 until October 14, 2025 [3]. After this date, Microsoft will no longer provide security updates or technical support for Windows 10 [3].
While it is possible to purchase older PCs at a low cost and run Linux on them, it is important to ensure that the hardware is compatible with the Linux distribution you plan to use [4]. Some older hardware may not be compatible with newer versions of Linux, which could lead to compatibility issues [4].
I hope this information helps!
[1] https://support.microsoft.com/en-us/windows/installing-windows-11-on-devices-that-don-t-meet-minimum-system-requirements-0b2dc4a2-5933-4ad4-9c09-ef0a331518f1
[2] https://www.makeuseof.com/cant-upgrade-pc-windows-11/
[3] https://www.windowscentral.com/how-upgrade-unsupported-computer-windows-11
[4] https://www.howtogeek.com/759925/how-to-install-windows-11-on-an-unsupported-pc/
My final comments:
So, it seems that the Linux community (of which I am a humble member) is not without recourse in this matter of SecureBoot. I think it's ironic that the bugaboo of TPM and SecureBoot will, in the short term, possibly be good for the Linux community by providing a glut of older PCs on which Linux can be run.
As for the issue of compatibility of Linux on hardware, I have read somewhere that Linux is famous for running on nearly any hardware, especially older hardware, as that allows enough time for unbuggy drivers to be available. We shall see if this is fact or just brag.
Lastly, I would not be too hasty to find a way to circumvent TPM2 or SecureBoot. If you do, you may come to regret it.