[fujigawa]

> This was not the case with the initial rollout of Secure Boot, it was combined with locked BIOS to lock PCs so that they could only boot Windows 8 on some devices. This was the case on Windows RT ARM machines from that era.

Okay, but, that was like 15 years ago, on some shitty first-run computers that no one bought. A failed first attempt. I've never met a single person that owned, or has ever used, a Windows RT device.

The world has moved on. But oddly continues to buy bootloader-locked iPhones and Androids by the bucketful.

Dwelling on the past isn't going to move us forward. Anyone pushing the "Secure Boot and TPM are evil" trope in 2025 is objectively a fool and should be ignored. Most don't even realize what a TPM does, they think it's some secret chip inserted by glowies into their computers to prevent them from running free software. No.

[trinsic2]

Normally I would agree that security measures are needed in many, but not all cases, but only if they are in complete control of the user and cannot by altered by any one organization. For-profit companies cannot be in control of these mechanisms. We have seen how they can be abused with the latest decision by Google to limit side-loading to people who identify themselves. So your take is really a misdirection from how these tools are being used against our property.

[fujigawa]

> For-profit companies cannot be in control of these mechanisms.

But they are not in control of Secure Boot.

Microsoft runs a root CA that is pre-installed on most PCs. It could have been Verisign or someone else, but MS made sense at the time, likely because they had additional code signing expertise.

You are free to delete these keys and/or install your own. If there wasn't preexisting infrastructure, Secure Boot would be DOA for most people.

[trinsic2]

Microsoft can force manufacturers to can change the way that works at any time, its vendor specific and they are totally in control, via pressure on manufactures to toe that line if they want to continue sell computers with Windows.

[rightbyte]

> But they are not in control of Secure Boot.

> Microsoft runs a root CA that is pre-installed on most PCs.

How can you write those two statements on two adjacent rows? In practice that makes MS a gatekeeper.

[xp84]

Don’t confuse the real point with the caricature. There’s a very real risk of only giant corporations being able to control software, because the general public does not even draw a distinction between “having control over what software is running on your computer,” and “being able to run a curated collection of software blessed by the manufacturer and subject to their exclusive discretion.” The full acceptance of the Apple iOS platform proves this. Apple must bless all binaries, and except for cases that are getting less and less common where jailbreaks are possible, the user has no authority and you could argue they do not own the device.

Some combination of the advertising industry and those with a vested interest in anti-fraud such as banks will eventually try to sneak remote attestation in there, which has the potential to put a complete end to ownership of devices as we have always understood it.

[maybewhenthesun]

> Dwelling on the past isn't going to move us forward.

Forgetting the past will make PC's as closed as phones.

[3form]

I wouldn't mind that if in fact the parent poster didn't try to make it look like an argument that Microsoft is kind and playing nice. They did a bad thing there, there was an outrage, they fixed it, the end. If possible, they will do another bad thing again, should it benefit them.

[heavyset_go]

> Okay, but, that was like 15 years ago, on some shitty first-run computers that no one bought.

I wouldn't call the first Microsoft Surface, Surface 2, Dell XPS 10, and Lenovo IdeaPad Yoga 11 products that no one bought.

> I've never met a single person that owned, or has ever used, a Windows RT device.

I have and I also regrettably bought one myself.

> Dwelling on the past isn't going to move us forward.

The past dictates the future, and history repeats itself. Microsoft made their intentions known, it would be foolish to pretend they haven't. They continue to make their intentions known today with the Pluton cryptographic co-processor, that paired with a TPM, can enforce remote attestation by design. That is literally the intent of the Pluton chip: ensuring platform integrity and securely attesting to 3rd parties that your system is Blessed/trusted.

> Anyone pushing the "Secure Boot and TPM are evil" trope in 2025 is objectively a fool and should be ignored

Anyone tearing down this strawman is tilting at windmills for some reason.

> Most don't even realize what a TPM does, they think it's some secret chip inserted by glowies into their computers to prevent them from running free software.

I wouldn't project ignorance on those you don't actually know. You can understand what a TPM does, understand how it can be abused today and acknowledge how it was abused in the past.