MtnDewManiac wrote:With the Samsung laptop that I had a chance to play with (install Mint on), it wasn't a bug - USB simply wasn't an option on the boot list at all.
The two aren't necessarily contradictory.
srs5694 wrote:First, on x86-64 computers, it's normally possible to disalbe Secure Boot, and in fact Microsoft requires manufacturers to provide an option to disable Secure Boot.
Yes, I know. The only real reason that I can think of that would account for that is that Microsoft is wary of an antitrust action. Otherwise, they might possibly convince the hardware manufacturers to make it mandatory, permanent, 100% of the time - and then it would actually serve its stated purpose.
srs5694 wrote:Second, when enabled, Secure Boot normally applies to all bootable devices, including USB flash drives.
I hadn't even considered that.
srs5694 wrote:Thus, disabling the ability to boot from a USB medium wouldn't serve any useful purpose vis-a-vis Secure Boot, since there are other ways to "get around" Secure Boot and since the feature normally applies to external media, too.
I see what you mean; with the current poor implementation of Secure boot - allowing anyone to walk by and disable it within seconds of powering the computer on (if it is not password-protected) - it is starting to seem completely pointless, as far as its stated
srs5694 wrote:Furthermore, disabling the ability to boot from a USB medium limits disaster recovery options, even with a bootable Windows-based medium. Thus, there's no benefit to be gained and considerable drawback to doing this deliberately.
Yes, I agree with you. My own failing laptop has a DVD/CD reader/writer, but it hasn't functioned properly since a few days after I bought the thing when I attempted to use it to create "recovery" media. If not for the fact that it allows me to boot from USB, I would have never been able to install its first linux OS one it and, if the hard drive would have failed, it would have been useless unless I could have somehow pre-installed an OS onto the replacement hard drive (possibly along with initial BIOS settings, since I think it stores them on the drive (not positive)).
srs5694 wrote:It's also not clear why a manufacturer would want to prevent users from "copying the data from the laptop's hard drive," unless you're talking about DRM type measures -- but Secure Boot has little or nothing to do with DRM.
Respectfully, that comment leads me to believe that you must have led a very sheltered life up to this point to still have such wonderful naivety
If by "users," you actually meant "owners," then, no, I suppose not. But I did not use the term "owner" (or "user," either). Perhaps I wasn't being entirely clear when I, instead, used the generic "people." I apologize for that.
But as for why it might be a good thing to offer some protection against people who aren't the owner of the computer
in question to access/copy/change data on the hard drive... Some people use their computer for work-related purposes, often even laptops while at work. I would hazard a guess that not every one of them takes that laptop wherever es goes, even to the toilet. Especially since many of them have a Kensington Security Slot to which a cable can be locked to provide a modicum of protection against actual physical theft. Some people might even go to lunch occasionally without taking their laptop with them (and, I would assume, [/i]usually[/i], if their computer happens to be a desktop
). They might even, for whatever reason, leave the computer at work when they leave for the day. In all of those possible situations - to one degree or another - a person with nefarious goals in mind might wish to either harvest that computer's stored data (to see what a coworker is doing in regards to a project that they are both competing on, to sell the information to a competing business (or to give it to said business, if the person is employed by it), to pass along sensitive information to another country, et cetera). If a person is not using the computer for business purposes, es might - probably does - still have private information such as various website account names/passwords, email account information (and emails), information that might be useful to a person that wished to access their bank account(s), credit card information, a copy of their electronically-filed tax returns, et cetera. A person who is not as pure as the driven snow might steal the computer, or the owner might inadvertently leave it somewhere; there have even been cases of people's children looking for - and finding - credit card information in order to make purchases that they were not allowed to. And there would be like possibilities why it would be to those dishonest person's advantage to install things such as keyloggers, "phone-home" apps, et cetera.
Oddly, I read a blog by a Microsoft employ which stated that the purpose of Secure Boot was no 'compromises on security" and another Microsoft post which stated that was supposed to protect the computer during the pre-boot environment. <SCRATCHES HEAD> If all it takes - on a computer which has this stuff but which has not
disabled booting from a USB or other external device - is for someone to place the OS of their choice onto a USB flash drive, insert it, power up the computer, press the button(s) to enter the BIOS/CMOS menu, change a setting or two (well, three if one counts changing the boot priority of the devices), and exit in order to access the data (all of that having been done in the "pre-boot environment," lol)... Then I would say that Microsoft's goal of accomplishing their stated purpose is a definite [/FAIL].
Overall, if a computer lacks an obvious way to enable an external boot medium, two explanations spring to mind:
- Poor user interface -- It could be that the option exists but is not obvious in the user interface. It might be necessary to enable BIOS/CSM/legacy-mode booting before booting a BIOS-mode medium, for instance; or there might be an option outside of the "boot" menu to enable USB devices. (The latter is the case with my ASUS motherboard, for instance.)
- A bug --EFI is a complex system, and the user interfaces layered atop it are very new. This combination means that bugs are not just likely, they're a certainty. Thus, Hanlon's razor applies: "Never attribute to malice that which is adequately explained by stupidity."
You discount the possibility of the manufacturer either not including external-booting or including a prohibition on same in the specifications given to whichever Chinese company builds the motherboards because your two scenarios are the only "obvious" possibilities
BtW, I distinctly remember not
stating that this lack of external booting capability was due to malice.
srs5694 wrote:Either of these is a far more likely explanation than a conspiracy to prevent users from booting legitimate OSes.
Quite positive I did not use the term, "conspiracy," either. (Again) respectfully, while I cannot control what you think after reading my words, please do not infer that I used entirely different ones. At best, it increases the possibility that others might also misunderstand them; and, at worst, it might cause some people to think I am a bit of an @ss when I have to explain this basic thing. With the open nature of Internet forums, such behavior can turn minor misunderstandings between two people into greater misunderstandings amongst a considerably larger number of them.
Have a good evening (/morning/afternoon, whichever the case may be),