The "security thing" is a TPM (Trusted Platform Module), which handles a couple of different functions: Firstly, it can verify that the initial boot code being executed is "trusted" (1), and it can also hold keys like BitLocker keys. These can be built into the CPU, and are, but it's still possible to use an external TPM, as an external TPM will have additional features that internal ones do not. For instance, a lot of higher-end Dell machines (for instance the XPS line) use a physical TPM rather than the ones built into the CPUs.
Having a TPM can actually be useful even for Linux as it solves the "how can I trust the bootloader hasn't been tampered with" problem; even if you have an encrypted boot partition, it's still possible that the initial Grub EFI bootloader (2) that resides on the EFI partition is compromised, which compromises the entire boot process.
That said it's not perfect; every executable in the bootloader chain needs to attest that anything it further loads is also trusted, but that's not necessarily the case. For instance I remember seeing a compile flag in the kernel that would allow unsigned kernel modules to be loaded when booted securely.
Now as far as what Microsoft is requiring, I believe they set the cutoffs where they did because that was the generation of chips where TPM 2.0 was built into the CPUs, which is what Windows 11 requires. Before then it would still be possible to have TPM 2.0, but it would have had to have been a physical TPM if they had one at all. For some machines it is/was even possible to upgrade the TPM chip, as it resided on a removable board inside the computer; I personally had one of these on a 4th gen Intel desktop motherboard that had a TPM 1.2 chip.
I'm guessing that one of two things happened:
- Microsoft finally pulled their heads out of their ass and realized that effectively bricking millions of computers was a bad idea, both for their environment but also their reputation and marketshare. On top of that, Linux is a lot more viable for gaming now thanks to Valve versus when Windows 11 first came out, thus they're losing a lot of what is locking people into their platform.
- Either the current DOJ or the incoming Trump administration or maybe even the EU went to Microsoft and reminded them that their monopoly has been tolerated at this point as they haven't done anything to majorly piss anyone off, and causing chaos by making people who might not be able to afford one to buy a new computer and introduce a ton of ewaste would definitely get them under the scrutiny of the legal system.
I wouldn't use this as an opportunity to run to Apple either as Apple is even worse, regularly pruning machines around the 5/6 year mark for dubious reasons. On top of that, their machines are glued together and non-upgradable (3), and they take a very anti-consumer (4) stance on things. Recently for instance they got rid of the option to be able to run unsigned apps entirely, with no official way of turning it off, which means that Apple is now the ultimate arbitrator of what you're allowed to run on a machine you supposedly own, and anyone that wants to distribute their own Mac software needs to get the blessing of Apple and pay their $100/year ransom.
You can compare Apple's ecosystem to "ok" (5) authoritarian countries like Singapore: On the surface it seems like you can do anything you want to do, but try to step outside the box and you'll find yourself in a world of hurt. For instance, the penalty for "dropping or spilling of substances of liquid, sand, saw dust and falling fragments of any article or thing" is $2,000 for the first offense; in most cases that wouldn't even be considered littering in the US. What would be considered littering, "dumping and disposal of refuse/waste from a vehicle," carries a penalty of up to $50,000 and up to 12 months in prison. Imagine spending 12 months in prison because you spit a piece of gum out the window. (Not defending people that do this, but the punishment doesn't fit the crime according to US standards.)
Note that I'm not saying that Apple's hardware is bad, it's actually fairly impressive, but I can't bring myself to give them my money, especially now that I've been entrenched in the Linux ecosystem for so long.
Footnotes:
(1) via cryptographic keys built into the BIOS, though you can add/remove keys as well
(2) assuming Grub, since systemd-boot and unified kernel images rely on the kernel images residing on the FAT32 partition, which can't be encrypted
(3) Yes, I know you can upgrade the storage now on the Ultra and Mini computers, but you're still going to pay at least 2-3x what it should cost for the same amount of storage. Some try to justify this by saying that Apple uses the "best" chips available, but in reality there's only a handful of manufacturers of NAND chips and Apple just sources their chips from them, which are the same ones that show up in consumer NVMe drives. In fact there are many drives on the market that perform way better than Apple's.
(4) You're constantly punished for not being a good enough customer of Apple. Want to buy the ear pods to use with your Android phone? Have fun with severely reduced functionality. Need to re-image your new MacBook because your boot partition somehow got corrupted? I hope you have another Mac lying around, because the new M machines are incapable of recovering themselves. Oh, you only have last year's iPhone? Well, you can't use this shiny new feature that this year's iPhone came with, even though it's a software-only change.
(5) Using "ok" here in the sense that you'd be able to travel to this place and, as long as you don't cause a commotion, you won't be constantly harassed by police, immigration, or other government agencies. For instance, as a foreigner in China, if you leave the tourist areas you're going to constantly have your passport checked, be questioned as to what you're doing, etc., which would be "not ok".
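The measured-boot chain and its weak link described in the post above, as an added illustration that is not part of the original message: a simulated TPM PCR is extended by each boot stage, a secret (standing in for a BitLocker-style volume key) is sealed to the resulting PCR value, and the scenarios show that a replaced Grub image on the unencrypted EFI partition changes the PCR and blocks unsealing, while a replaced kernel module that the kernel never measured leaves the PCR unchanged and goes undetected. All component images, the "kdf" label and the sealing scheme are constructed stand-ins, not real TPM commands or firmware.

```python
import hashlib
import hmac

def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    # TPM 2.0 PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(image)).
    # A PCR can only be extended, never written, so the final value commits
    # to every measured image and to the order in which they were loaded.
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measured_boot(chain, measured):
    """chain: list of (name, image bytes) in load order.
    measured: names whose loader actually extends the PCR before handing off."""
    pcr = bytes(32)                      # PCRs are all zeros after reset
    for name, image in chain:
        if name in measured:
            pcr = pcr_extend(pcr, image)
    return pcr

def _mask(pcr: bytes) -> bytes:
    # Toy key derivation from the PCR value (simulation only, not a real TPM KDF)
    return hashlib.sha256(b"kdf" + pcr).digest()

def seal(secret: bytes, pcr: bytes):
    # Stand-in for sealing a 32-byte secret to a PCR policy
    return {"pcr_policy": pcr, "blob": bytes(a ^ b for a, b in zip(secret, _mask(pcr)))}

def unseal(sealed, pcr: bytes):
    # Policy check: the current PCR must equal the value the secret was sealed to
    if not hmac.compare_digest(sealed["pcr_policy"], pcr):
        return None
    return bytes(a ^ b for a, b in zip(sealed["blob"], _mask(pcr)))

# Constructed stand-ins for the images in the boot chain
GOLDEN_CHAIN = [("firmware", b"uefi-firmware-v1"), ("grub", b"grubx64.efi-signed"),
                ("kernel", b"vmlinuz-signed"), ("module", b"out-of-tree.ko")]
MEASURED = {"firmware", "grub", "kernel"}   # the kernel does not measure modules here

def run_scenarios():
    key = hashlib.sha256(b"constructed-volume-key").digest()
    golden = measured_boot(GOLDEN_CHAIN, MEASURED)
    sealed = seal(key, golden)
    results = {"clean": unseal(sealed, golden) == key}
    # Case 1: Grub on the unencrypted EFI partition has been replaced
    swapped = [(n, b"replaced-" + img if n == "grub" else img) for n, img in GOLDEN_CHAIN]
    results["tampered_grub_detected"] = unseal(sealed, measured_boot(swapped, MEASURED)) is None
    # Case 2: an unmeasured module is replaced; the PCR never sees it
    swapped = [(n, b"replaced-" + img if n == "module" else img) for n, img in GOLDEN_CHAIN]
    results["tampered_module_detected"] = unseal(sealed, measured_boot(swapped, MEASURED)) is None
    return results
```

Running `run_scenarios()` reports the Grub swap as detected and the module swap as not detected, which is exactly the gap the post points to: a stage that does not measure what it loads next breaks the chain for everything after it.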
On Sat, Dec 14, 2024, at 1:00 AM, David Schwartz via PLUG-discuss wrote:
I think the official EOL is sometime next year.
MS got themselves into a bit of a pickle from what I can tell. Win11 requires some security thing in a separate chip or inside of Intel CPUs built after some point. They’ve played a hard line saying nothing will work on Win11 without that bit of hardware. By EOLing all Win10 machines and forcing them to upgrade to Win11, they’ll turn a LOT of hardware into bricks. Last week they announced they’re going to back-down on that and will allow Win11 to be installed on older hardware without that chip. And ... they just announced they’ll even offer a subscription to keep Win10 updated with security patches for another 5 years or so, like they’ve been doing with Win7 for a while now.
I think they’ve figured out that bricking millions of computers around the world and forcing their owners to upgrade their hardware might not be very good for their bottom-line. I’d expect they’ll bury AI in all of their new software and it will slow all of these older machines way down to the point where they’ll be unusable. DOS runs pretty damn fast on even 10yo hardware!
Frankly, even when I tell Windows to STOP UPDATING, it just keeps on doing it. The best reason to keep Win10 is the prospect that it might, finally, REALLY STOP UPDATING its damn self!
People love talking about the “Apple Tax” but this broken record that MS goes through with every new generation of Windows is getting really old. First it was Win95, then XP, then Win7, now Win10. Sheesh.
I can’t upgrade MacOS on my two older Mac Minis any more, but they keep telling me of upgrades. I just bought a new M4 Mac Mini, so I’ll be able to start upgrading some of my software, but frankly this old hardware is fine by me as long as it keeps running. One is a 2014 model and one is a 2018 model. Now they have a new little brother, a brand new Fall 2024 model. :)
-David Schwartz
>
> Keith Smith via PLUG-discuss said on Tue, 10 Dec 2024 12:14:54 -0700
>
>> Hi David,
>>
>> I'm sure you know this... W10 will be at end of life in about 10
>> months.
>
> I thought W10 was already EOL'ed. I thought there were no more security
> updates.
>
> My wife has a W10 laptop that performs like a 1024 baud modem, so she
> bought a new one. I'm trying to convince her to give the old one
> (which is pretty much useless) to me so I can slap on Void Linux and
> give it another 3 years of life.
>
> SteveT
>
> Steve Litt
>
> ---------------------------------------------------
> To subscribe, unsubscribe, or to change your mail settings: