Buying ex-business and ex-government PC/Laptop from auctions and resellers - an interesting problem

Hasn’t really been mentioned

by CloudReady now renamed Google FlexOS
is actually a pretty good option particularly for 2nd hand i5 and i7

It is basically Google Chromebook; it turns the computer into a basic phone-like interface and is super fast on 8GB RAM

If someone is not capable to install Windows on a 2nd hand machine, there is not a doubt they will find Chromebook super easy for opening email, youtube etc.
https://support.google.com/chromeosflex/answer/11552529

There are plenty of YouTube videos comparing Zorin & Mint to MS Windows - some good, some not so good. After viewing recent videos and using these OSs it seems to me it is about as technically challenging as moving from an iPhone to Android. If you choose a good Linux version/distro the days of Linux being a challenge to a home user are becoming history.

Be aware that Chrome FlexOS comes with some limitations, it does not support the following.

  • Android apps or Google Play.
  • CD and DVD drives
  • No biometrics
  • FireWire ports
  • Proprietary connectors and docks
  • Stylus and active pen input
  • Thunderbolt functionality (check documentation)
  • Running Windows virtual machines (VMs) using Parallels Desktop.

The Google doco for this is a good short read: Differences between ChromeOS Flex and ChromeOS

ChromeOS Flex seems to be targeting the corporations that want to save money and lock down laptops in bulk.

According to some folks you can safely ignore Google’s “Certified Models” list as long as the machine is not older than 2010, meets the minimum specs and has an Intel or AMD CPU.

Installation time and possible problems are not the only issues. The cost in time to learn to use a new OS is not negligible. There may also be a cost in time and money in acquiring new apps and then there is the time it will take to learn them too. An OS is not a new game to be mastered by diligence and patience, it ought to stay in the background minding its own business and allow you to do what you want to do.

At the bigger picture level … choice of two different things that the loud screaming was about … no. I was just pointing out that it was not about the TPM and in the process I did gloss over the details.

At the exact details level, yes, I am aware of the various options to work around it. There is more to it though e.g.

  • It is yet another way that makes it comparatively more difficult to run Linux than Windows - if you have to flap about in BIOS before you can even start then that is a barrier to entry - some people won’t even know how to get into BIOS (and a lot of what you wrote will be gobbledygook to them) - so this is in a sense anti-competitive. Really Microsoft should never have been allowed to have anything to do with this. It should have been some industry body that is independent of the 800 pound gorilla of the industry (at the time). So Microsoft would have to go cap-in-hand for code signing, just like any Linux distro.
  • I don’t know whether any given BIOS/UEFI implementation necessarily provides any means of installing a key that replaces Microsoft’s key and even if it did, that is yet another barrier to entry and more gobbledygook. Do you know how to do it on your PC? It would be extremely difficult for an alternative signer to liaise with every single BIOS/UEFI implementer in the world, to get the alternative key baked in, and BIOS/UEFI implementers would not be under any obligation to comply anyway. So while in theory an alternative to Microsoft as SB CA could exist, in practice it is unlikely. (To be clear I am talking about owning my own PC to the extent that I can expunge any requirement to trust Microsoft and change over to trusting either another root organisation or indeed, in theory, trusting only myself. To be clearer still, just because Microsoft will sign code to allow Linux to run does not mean that Microsoft won’t sign other boot code to allow my computer to be compromised by the installation of other boot code, including of course Microsoft Windows itself.)
  • It was not that long ago when a serious bug was found in the early stage boot process of Linux that meant that the shim code had to be altered (bugfixed) and hence re-signed. So that made core Linux security dependent on Microsoft for the duration of the process for handling that vulnerability.
  • There is a risk that in the future the option to turn off SB simply disappears. After all, if you never intend to run anything except Windows, it is a security weakness that such an option even exists (and you will note from your own post that in the ARM world Microsoft already requires absolute lock-in - which they can legally get away with because they are nowhere near having substantial market power in the ARM world). I can imagine some governments saying that for PCs supplied to government the option to turn off SB must be removed i.e. two different versions of BIOS/UEFI. So then there’s a whole bunch of ex-government PCs that can never be independent of Microsoft in their life-after-government. From there it is a small step to imagine that BIOS/UEFI providers drop the version that contains the option to turn off SB altogether.
  • A single root of trust is not necessarily a good thing. It means that were Microsoft to be compromised in some way, it could expose essentially every desktop/laptop computer on the planet. That compromise could come about in either of two ways. 1. Successful attack by hacker organisation or government (and we have already seen attempts to achieve this by parties unknown, well unknown to me anyway). 2. Legislative / executive compromise by US government.

However this is probably all yesterday’s argument. Microsoft is not today in the position of industry dominance that it was once. Some people may even see a desktop / laptop as a little quaint. :wink:

The misinformation that continues to be spread about all this is staggering.

So for clarity, no one else after MS made the effort to be a CA until Canonical. So the members of the Linux Foundation are the problem if your view is that MS should not have been allowed to do anything with this. The many members of the Linux Foundation instead were happy for this to occur as noted in some of the posts made in other forums, that I supplied in this thread.

To be very clear, Canonical are a CA for the purposes of SB, it just is that currently in UEFI the standard default key is signed by MS. The shim allows the Canonical key to be used, but at the moment it is encrypted into the bootcode so if the default key is not used by setting it so in the UEFI, the Canonical one is used when the MS one is not present or ignored. Any distro that has the Canonical key can take advantage of this. It could be included in the UEFI as the standard allows for this scenario, just no MB manufacturers have bothered. Who to blame for that? The MB manufacturers not MS and no there is no compulsion to make them do it or not to do it, conspiracy theories aside.

Yes, you can expunge the default keys and SB is just part of the UEFI makeup that can be used or not, as is including that ability to use another CA key or to use your own. Have I done it? Yes, I trialled my own self-signed key, I just went back to the MS one as anything that meets the MS required level of quality is fairly safe for my machine. If I find an unsigned distro and I want to try it I can just turn off SB for it or in my case I am more likely to run it up in a sandboxed VM. Want to use your own self-signed modules/code? Then use MOK to do so: Machine Owner Key (MOK) - Understanding the UEFI Secure Boot Chain

Don’t like how SB is implemented with MS or Canonical as the key signers, then just turn it off. If you don’t trust them then don’t use SB, after all if the Linux or other OS is not signed; then you must trust the producer of that code that it isn’t malicious so you don’t need SB anyway.

Finally back to your single root of trust issue, this is not MS’s fault. This comes about because no one else made the effort to be one until later when Canonical did so and they don’t sign for much outside their stable of distributions. It is in fact a requirement that other keys can be enrolled, just no one other than Canonical have become SB key signers and the major reason is that it is expensive to do this work. After becoming a signer the SB key certifiers have to convince the MB producers to include the key in the UEFI (again a probable further expense).

As a CA they have to certify that the product is safe, which means there is testing, there is verification of identity and trust and all this costs money that many are just willing to allow someone else to do. That is not MS’s problem. As part of being the SB key signer they work with Verisign, who are the main lifter on this (so really a second one you have to trust beyond MS), to ensure the requirements are met.

2 Likes
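Added example (not posted by anyone in this thread): a small Python reader for the firmware key stores the posts above argue about, showing whether Secure Boot is enforcing and whose certificates sit in `db`. The sample bytes, owner GUIDs and helper names are constructed for illustration; on a Linux machine the real data comes from the efivarfs files named in the comments.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
X509_GUID = "a5c059a1-94e4-4aa7-87b5-ab155c2bf072"
SHA256_GUID = "c1c41626-504c-4092-aca9-41f936934328"
SIG_TYPES = {uuid.UUID(X509_GUID): "x509", uuid.UUID(SHA256_GUID): "sha256"}
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
HEADER = struct.Struct("<16sIII")


def efivarfs_payload(raw):
    """Drop the 4-byte attribute word that Linux efivarfs puts before the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs read shorter than the attribute word")
    return raw[4:]


def secure_boot_enabled(raw):
    """The SecureBoot variable is one byte: 1 = enforcing, 0 = off.
    Real file: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"""
    return efivarfs_payload(raw)[:1] == b"\x01"


def parse_signature_lists(data):
    """Walk back-to-back EFI_SIGNATURE_LIST structures (the format of PK, KEK, db, dbx).
    Real file for db: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        body = list_size - HEADER.size - hdr_size
        if sig_size <= 16 or body < 0 or body % sig_size or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=type_le), "other")
        for p in range(off + HEADER.size + hdr_size, off + list_size, sig_size):
            blob = data[p + 16:p + sig_size]
            entries.append({
                "kind": kind,
                # Owner GUID identifies who enrolled the entry (vendor, OS, you).
                "owner": str(uuid.UUID(bytes_le=data[p:p + 16])),
                # Hash entries are shown as stored; anything else by its SHA-256 fingerprint.
                "value": blob.hex() if kind == "sha256" else hashlib.sha256(blob).hexdigest(),
            })
        off += list_size
    return entries


def cert_owners(entries):
    """Distinct owner GUIDs that have a certificate in the store."""
    return sorted({e["owner"] for e in entries if e["kind"] == "x509"})


def build_sig_list(type_guid, owner_guid, blobs):
    """Build one EFI_SIGNATURE_LIST for the constructed sample below."""
    body = b"".join(uuid.UUID(owner_guid).bytes_le + b for b in blobs)
    return HEADER.pack(uuid.UUID(type_guid).bytes_le,
                       HEADER.size + len(body), 0, 16 + len(blobs[0])) + body


# Constructed sample data: placeholder owner GUIDs and fake "certificates" (not real DER).
VENDOR_OWNER = "11111111-2222-3333-4444-555555555555"
MY_OWNER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"
SAMPLE_DB = (b"\x27\x00\x00\x00"
             + build_sig_list(X509_GUID, VENDOR_OWNER, [b"constructed vendor CA (not real DER)"])
             + build_sig_list(X509_GUID, MY_OWNER, [b"constructed owner-enrolled cert"])
             + build_sig_list(SHA256_GUID, MY_OWNER, [bytes(32), b"\xff" * 32]))

if __name__ == "__main__":
    print("Secure Boot enforcing:", secure_boot_enabled(SAMPLE_SECUREBOOT))
    for entry in parse_signature_lists(efivarfs_payload(SAMPLE_DB)):
        print(entry)
```

Run against a real `db` file, a single owner GUID in the output means the machine trusts exactly one signer; more than one means extra keys have been enrolled.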

:scream:

2 Likes

Yep. To be clear, I started out by saying: Microsoft should never have been allowed to have anything to do with this

(emphasis added on the requote)

So 100% I am not blaming Microsoft. I don’t blame them for taking the opportunities that come their way. I am blaming governments (competition authorities) for failing to act when a player that already has substantial market power is able to extend that power into other areas or take other anti-competitive actions.

I think the best party to undertake the task would be an industry body made up of BIOS/UEFI implementers. They after all are going to be the ones actually including any root signing keys - and they clearly have the expertise to examine early stage boot code as they are themselves writing the very earliest stage boot code.

While government may not necessarily have the power to force them to undertake this task, probably they can be forced de facto by ruling out other players and by other harassment measures (or BIOS/UEFI implementers could choose not to do SB at all if they don’t want the burden of doing it on a level playing field).

If the BIOS/UEFI implementers are on board then that covers every motherboard manufacturer.

With the benefit of 10+ years of hindsight, I think governments were also far too sanguine about the single root of trust. You can imagine, for example, that these days the Chinese government would be thinking about the security implications for them that the BIOS/UEFI comes with only root signer(s) that is/are evil West companies.

We can already see in the smartphone world that that is either difficult or impossible. (It is not hard to find discussion of Android phone models where you can replace the operating system and those that are useless for that purpose because they are completely locked down. When it is difficult but not impossible, it is difficult because you effectively have to get permission from the manufacturer for each individual phone in order to replace the operating system.)

There is no guarantee that turning it off in the desktop/laptop world will continue to be a thing. Bad ideas tend to spread.

I am clearly expressing opinion here about competition policy and security policy, so I think it’s harsh to call it misinformation.

I keep meaning to have a look at BIOS/UEFI on my own computer that I am using now to see what functionality it has available to view, add or replace signing keys but by the time I think of it (reading this topic) it is obviously too late. :wink:

Self-regulation has never worked. At least Microsoft is not an implementer and so hopefully does not have an incentive to sign code for anyone and everyone, although is clearly not the ideal signing body.

The signing costs them far more than the money they take to do it. Why no one else bothers (other than Canonical)? The cost to do the certification.

MS wanted to help secure their OS so they have an incentive to have their bootcode signed to help protect against malware insertion, so they sign their code and offer a cheap way for others to get theirs signed.

Just as MS are not the ideal signing body in others’ eyes, the same can then be said of many CAs (I am not inferring that they are, just stating that if one isn’t suitable what makes the others suitable instead), there have been breaches of trust with some CAs.

See Timeline of Certificate Authority Failures - SSLMate

As for the UEFI specs it isn’t MS who alone have input to the Standard, there is enough info out there to see that MS are only part of the membership and they have implemented for their OS the keys, anyone else, as I keep repeating can go ahead and do the same, i.e. they can become a key signer and ask the Motherboard manufacturers to put the keys in the UEFI (they just don’t do that as their choice and not some MS conspiracy to lock them out).
Canonical do now and decided to use shim to load their keys if needed but no one else. SB is part of the Standard, and the way it is designed it is found in the UEFI and that is decided by a whole lot of people in the Industry. If you want to use an unsigned distro or other OS turn off SB.

No it isn’t more difficult for others, they just don’t choose to be key signers and get their own keys to enroll them … that isn’t MS that is the barrier … the barrier are the ones who don’t want to be key signers. Why isn’t the UEFI organisation/forum doing it, I guess because they don’t want to as a forum to be key signers/CA.

That was an IBM thing when they started the PC revolution, they used IBM DOS (provided by MS) … they could have used anything they wanted but they didn’t.

Intel not MS still own the patent on EFI 1.0, the forerunner to UEFI, and that isn’t MS again.

For a lot more UEFI information, people should read the UEFI Organisation’s pages

https://uefi.org

https://uefi.org/board

https://uefi.org/members

From the FAQs page of the UEFI site

" What is UEFI?

UEFI stands for “Unified Extensible Firmware Interface.” The UEFI Specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.

What is the UEFI Forum?

Through a collaborative approach with world-class companies, institutions and experts, the UEFI Forum advances innovation in firmware technology standards. These extensible, globally-adopted UEFI specifications bring new functionality and enhanced security to the evolution of devices, firmware and operating systems.

What problem is the UEFI Forum trying to solve with the UEFI Specification?

The UEFI Specification provides interfaces and mechanisms to allow for support of new technologies, improved development, and enhanced customer experience during the time before the operating system loads. The UEFI Specification has benefits for both the business and consumer end-user. Across multiple interfaces, the Specification supports a more secure system, a faster boot time, improved performance, platform feature innovation and a quicker, more cost-effective time-to-market product shipment. With regard to security, UEFI Secure Boot helps defend against malware attacks before the operating system loads.

For developers, the UEFI Specification increases efficiency because they allow developers to reuse code. In contrast to prior coding structures, UEFI standards allow for extensibility, modularity and easy prototyping during development.

The UEFI Forum promotes the implementation of the UEFI Specification by BIOS vendors, operating system vendors and add-in card vendors.

What is the relationship between EFI and UEFI?

The UEFI specification is based on the EFI 1.10 specification published by Intel®, with corrections and changes managed by the UEFI Forum. Intel still holds the copyright on the EFI 1.10 specification, but has contributed it to the Forum so that the Forum can evolve it. There will not be any future versions of the EFI specification, but customers who license it can still use it under the terms of their license from Intel. The license to the Unified EFI Specification will come from the Forum, not from Intel.

Can all systems disable UEFI Secure Boot?

While it is designed to protect the system by only allowing authenticated binaries in the boot process, UEFI Secure Boot is an optional feature for most general-purpose systems. By default, UEFI Secure Boot can be disabled on the majority of general-purpose machines. It is up to the system vendors to decide which system policies are implemented on a given machine. However, there are a few cases—such as with kiosks, ATM or subsidized device deployments—in which, for security reasons, the owner of that system doesn’t want the system changed.

Can UEFI Secure Boot be adopted and implemented by a variety of operating systems?

UEFI specifications are platform-independent, supporting multiple platforms and architectures. In addition, UEFI specifications are designed to promote cross-functionality, as well as to support broad adoption across multiple operating systems, including Windows as well as Linux-based operating systems. The specifications are robust and can potentially complement—or even advance—other distributions, such as Linux-based distributions.

What are the benefits of UEFI specifications?

UEFI specifications have benefits for both the business and consumer end-user. Across multiple interfaces, they support a more secure system, faster boot times, innovation and a faster time-to-market. In contrast to prior coding structures, UEFI standards allow for extensibility, modularity and easy prototyping during development. The UEFI Forum promotes the implementation of UEFI specifications by BIOS vendors, operating system vendors and add-in card vendors. UEFI specifications promote more efficient development because they allow developers to reuse code during the building process.

How do UEFI specifications differ from BIOS?

BIOS is typically used to refer to an Intel® Architecture firmware implementation rooted in the IBM PC design. Based on older standards and methods, BIOS was originally coded in 16-bit real mode x86 assembly code and remained substantially unchanged until its recent decline in use.

By contrast, UEFI standards reflect the past 30 years of PC evolution by describing an abstract interface set for transferring control to an operating system or building modular firmware from one or more silicon and firmware suppliers. The abstractions of UEFI Forum specifications are designed to decouple development of producer and consumer code, allowing each to innovate more independently and with faster time-to-market for both. UEFI also overcame the hardware scaling limitations that the IBM PC design assumed, allowing its broad deployment across high-end enterprise servers to the embedded devices. UEFI is “processor architecture-agnostic,” supporting x86, x64, ARM and Itanium.

Do UEFI specifications completely replace the BIOS?

The UEFI specifications define an interface and the BIOS refers to a specific implementation of the firmware that initializes the platform and loads an OS setup. UEFI specifications define an interface in which the implementation of UEFI performs the equivalent of the BIOS, by initiating the platform and loading the operating system.

How is UEFI implemented on a computer system?

Today, UEFI implementation enables the ability for modern, high-level programming principals to be applied to the firmware space. There are many possible implementations of UEFI that encourage code reuse, modularization, flexibility and modernization. UEFI specifications contain interfaces that streamline and aid in firmware innovation by promoting interoperability between devices, software and systems. One typical implementation is done in high-level C programming language, which is fundamentally different than the Legacy BIOS by encouraging the use of modern software practices.

Is there a charge to use the UEFI specification?

There is no charge for use of the specification itself. The promoters of UEFI specifications have agreed that any IP needed to implement the specification will be made available on reasonable and non-discriminatory terms."

Only if you look only at the revenue that is directly derived from the signing and the expenditure to do it.

It’s kind of nice for them though that there is no such thing as an x86 computer that can’t boot Windows. It’s kind of nice for them though that to boot a random Linux kernel, you have to go into BIOS and disable SecureBoot. These must surely have some financial benefit to them in entrenching itself and making it more difficult for its competitor. They very much play into the impression that “Linux is too hard”.

The esoterics of UEFI and EFI may be interesting … getting back to what to do with a computer you have purchased with no operating system.

This recent comparison between the two most popular commercial versions of Linux highlights their usability, software management and gaming for Windows and Mac users.
The Battle of the Linux Titans: Zorin OS 16.2 Vs Pop OS 22.04 (YouTube, March 2023)

Trying these on your existing Windows laptop for free is not that difficult, they both can be tried using Virtualbox. There’s a lot of information on how to play with Virtualbox on YouTube and other internet sources.

Although Virtualbox is a mature product from Oracle the additional Extension Pack may require some work to get some of its features functioning. The extension pack is not mandatory but a nice add-on if you want to use Virtualbox long term. Playing YouTube and other videos from within Linux using Virtualbox may not be the best experience because it may require more computing resources than your laptop can provide.

Since these are ex-government, maybe the government should kick Microsoft into touch and make it the law that a licence must be allowed to be transferred when the PC itself is transferred, at least where the original licence was to the government. (Microsoft might respond of course by limiting or eliminating licences of this nature for any future purchases.)

In other words, that is tackling the problem at source rather than just accepting the idea that the PC has no operating system.

However in the long term it is a band-aid, as is suggested above I think. If it wouldn’t be possible to reinstall Windows with a new licence on the PC then that is risky; and the PC may eventually become “unsupported”, and beyond that may eventually become “not working”. Once Microsoft decides that end-of-life has come to your hardware, for most people the hardware will go to the waste stream.

A different direction that the government could go in is just to install Linux on each such ex-government PC and encourage the purchaser to stay with Linux rather than go down the support / end-of-life rabbit hole with Microsoft.

Personally I only run Linux - and I mostly run Ubuntu (with some Mint and some Raspbian - sounds very flavoursome :wink:).

Most businesses and government would have been using MS software under corporate licencing.
I can’t see how that corporate licencing could be transferred to private use.
Also, corporate versions of the operating system would be substantially different in features compared to home versions. That goes for both Windows and Linux.
And enabled to function in large networked environments for much of their security, support, and applications.

Really, one needs to start clean with a new operating system. So which one depends on needs, and hardware supported.

By definition ex PCs would be past their support levels and a dodgy proposition for trying to use current versions of Windows certainly.

My experiences with Linux remain hit and miss when it comes to peripherals, depending on the age and origins of the host PC.

Is Google’s ChromeOS another option for those less technically motivated? An option that might appeal to those familiar with Android on their other devices, and already part of the Google-verse. YMMV.

That is potentially the case. (Even logging in to Windows is a problem like that.) However it is more the licence to use Microsoft Windows than anything else that should survive a sale.

Well indeed and those features have been paid for.

Not necessarily. It depends on the reason for sale. If it’s an organisation that just has a policy (directly or indirectly) of turning over the entire fleet every 3 years, there may be nothing wrong with the computers at that point in time.

Not a chance. A government entity will have its own corporate licensing, which allows for multiple machines. It will also deploy its own build of Windows, locking down settings to secure the machines as much as possible and to provide for the other proprietary software it installs.

And of course reinstalling an OS on a machine that will sell for possibly $50.00 at auction is not considered value for money. (Many years ago, Commonwealth entities were able to sell old equipment to employees. The Howard government decided that employees did not deserve such perks, and so now the old equipment is sold in bulk at auction for a fraction of its real value.)

As an asset class, they are generally given a useful life of three or four years (the ATO apparently says four years as of 2020-21, per page 272 of the linked PDF). In the real world computers can last a lot longer than that and be supported for many more years.

Once again though, I am proposing that it’s the licence that is transferred (the right to use), not the software itself.

The disk itself would have to be securely erased before disposal, thus removing the software and everything else.

But the licence to use the software in a corporate world would be used on the new PCs replacing the old ones.

It is also given to the business, not individual PCs.

1 Like

Maybe. Maybe not. If that is the case i.e. the licence is transferred from the old PC to the new PC and no new licence is required by or paid for by the business / government then you have a point.

That doesn’t solve the problem that Microsoft is thereby creating technotrash. It starts to look like any other case of “pollution” / “externality” for a company.

Perhaps Microsoft should be required to acquire all the orphaned PCs at fair market value for the orphaned hardware. :wink:

One issue here is that licenses are penned by lawyers to protect a business interest. They are written any way the business desires. Large businesses as well as larger governments have customised licenses.

Therein may lie the underlying problem. As with the difference between OEM and retail and commercial software licenses they vary in what one can legally do which varies from what one can technically do.

Going OT but related, Microsoft and Intel seemed in cahoots for many years in that each edition of Windows required more hardware capability that resulted in obsolescence and new PC sales feeding Intel’s (and AMD’s) P/L. For example if a CPU did not have a specific instruction there is no reason an interrupt could not be generated and a software implementation invoked (even if opening a security door).

It could be framed as capitalism versus environmentalism, but that discussion is not for here.

2 Likes