[HN Gopher] Installing Windows 11 on Legacy BIOS Without Secure ...
       ___________________________________________________________________
        
       Installing Windows 11 on Legacy BIOS Without Secure Boot
        
       Author : methyl
       Score  : 51 points
       Date   : 2021-06-25 11:22 UTC (1 days ago)
        
 (HTM) web link (allthings.how)
 (TXT) w3m dump (allthings.how)
        
       | tyingq wrote:
       | Windows 10 does have mbr2gpt.exe now, so migrating from Legacy to
       | UEFI isn't a terrible experience, provided you do it from the
       | recovery/boot/troubleshoot Windows screen.
        
       | gjsman-1000 wrote:
       | In other bad news, Microsoft developers on Twitter stated that
       | 8th Gen Intel or 2nd Gen Ryzen CPUs will, actually, be required
       | to install Windows 11 at all by RTM. If you are on 7th gen Intel
       | or 1st gen Ryzen, there is no mercy. A 2013 MacBook gets more
       | support than a 2017 Windows laptop.
       | 
       | https://linustechtips.com/topic/1351028-microsoft-makes-thin...
       | 
       | A security director now says that a blog post "clarifying the
       | floor" is coming. But frankly, if this turns out to be a
       | miscommunication, if you read those tweets Microsoft would have
       | to be unbelievably incompetent in their use of words.
        
         | JohnTHaller wrote:
         | If you meant an Early 2013 MacBook Pro, the current macOS Big
         | Sur doesn't support that. If you meant a Late 2013 MacBook Pro,
         | macOS Monterey releasing later this year drops support for it
         | and all MacBook Air/Pro before 2015 as well as all MacBooks
         | before 2016.
        
           | gjsman-1000 wrote:
           | Old versions of MacOS get about 2-3 years of additional
           | security updates. So if you bought a 2017 laptop with a 7th
           | gen processor, you got 8 years of support from 2017 to 2025.
           | Unless you bought Surface Studio 2, which is $3499 from
           | Microsoft and comes with a 7th gen chip so it only gets 4
           | years of support. If you bought a 2013 MacBook which just got
           | cut off at Big Sur, you'll probably get supported to 2024, or
           | 11 years.
        
           | Wowfunhappy wrote:
           | Yes, Apple sucks at legacy support in many respects. Luckily,
           | Macs are only ~10% of the PC market, so they can't create as
           | much of an e-waste disaster.
           | 
           | Two wrongs don't make a right and I expect better of
           | Microsoft.
        
         | advael wrote:
         | It's amazing how no amount of altering the deal to be worse for
         | consumers seems to get people to mass-exodus from these
         | proprietary platforms, despite the existence of numerous
         | alternatives
        
         | staticassertion wrote:
         | Windows support will continue to at least 2025, so it's hardly
         | like users are being left behind - they have multiple years to
         | upgrade, and Microsoft has typically extended its support
         | window when the time comes.
         | 
         | What MS is doing here is forcing OEMs to package TPM 2.0, which
         | will be a massive win for security.
         | 
         | The intel generation is seemingly a bit arbitrary, we'll see
         | how that plays out. But again, it's not like people are being
         | left behind - they have 4+ years of support left.
        
           | userbinator wrote:
           | "security" that is _against_ the user. Some people knew what
           | was coming 12 years ago...
           | 
           | http://techrights.org/2009/04/23/bill-gates-security-as-a-
           | lo...
           | 
           | http://techrights.org/2009/06/25/security-as-a-lock-in-
           | gates...
        
           | tehbeard wrote:
           | If people are going to downvote the other child comment for
           | either FUD or whatever, could they at least provide reading
           | material/counterpoints as to the benefits for those of us
           | without the MSc in cryptographic systems?
        
             | staticassertion wrote:
             | A TPM holds a secret. It's useful for establishing
             | identity, performing signing, etc. Think about the fact
             | that an attacker on your system can take a session cookie,
             | move to another computer, and connect as you. A TPM can
             | prevent this by establishing a cryptographic identity.
             | 
             | This is a very significant win and critical to 'zero
             | trust', which is now something the government is telling
             | people to embrace.
             | 
             | The whole thing with security is silly. They said it about
             | UEFI - and yet I run Linux on UEFI systems all the time. I
             | also have systems with TPMs that run Linux. Works fine.
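        The device-bound identity described in the comment above, as an added example that is not part of the thread or any commenter's code. It uses Windows' Platform Crypto Provider, which keeps the private key inside the TPM, signs a server challenge with it, and then shows that the key cannot be exported to another machine. It assumes an elevated PowerShell 5.1 prompt on a box where `Get-Tpm` reports `TpmReady = True`; the certificate subject and the challenge bytes are placeholders.

```powershell
# Added example, not from any commenter. A TPM-resident RSA key created
# through the Platform Crypto Provider, used to answer a signing challenge.
# Assumes an elevated PowerShell 5.1 session and a ready TPM.

function New-TpmBoundDeviceKey {
    param([string]$Subject = 'CN=example-device-identity')   # placeholder subject
    # The provider name selects the TPM-backed CNG key storage provider;
    # NonExportable is what makes the key usable only on this device.
    New-SelfSignedCertificate -Subject $Subject `
        -Provider 'Microsoft Platform Crypto Provider' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy NonExportable `
        -CertStoreLocation Cert:\CurrentUser\My
}

function Invoke-DeviceChallenge {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][byte[]]$Challenge
    )
    # Device side: the signing happens inside the TPM; the key bytes never reach user mode.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $sig = $rsa.SignData($Challenge,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    # Verifier side: only the public half is needed, so this can run anywhere.
    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $ok  = $pub.VerifyData($Challenge, $sig,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    [pscustomobject]@{
        Provider       = $rsa.Key.Provider.Provider        # expect "Microsoft Platform Crypto Provider"
        SignatureValid = $ok
        ExportPolicy   = $rsa.Key.ExportPolicy             # expect None
    }
}

function Test-KeyLeavesDevice {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A PFX export would carry the private key to another machine; a TPM-bound
    # key refuses this with a CryptographicException.
    try {
        [void]$Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'unused')
        return $true
    } catch {
        return $false
    }
}

$cert      = New-TpmBoundDeviceKey
$challenge = [System.Text.Encoding]::UTF8.GetBytes('nonce-from-server-1234')   # constructed placeholder
Invoke-DeviceChallenge -Cert $cert -Challenge $challenge | Format-List
"Private key exportable from this device: $(Test-KeyLeavesDevice -Cert $cert)"
```

        The caveat a practitioner will want: the key is bound to the device, not to the user. Malware that already runs on the box can still ask the TPM to sign while it is there; what this stops is the scenario in the comment, where the secret is copied off and replayed from a different computer.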
        
         | techrat wrote:
         | That CPU list was missing CPUs that were still being sold in
         | new builds even less than 3 years ago. That's quite the severe
         | cut off point.
         | 
         | My older box, an i7 4790k, is still quite the performer. It,
         | however, has no secure boot capabilities. No TPM socket on the
         | motherboard, even.
        
           | R0b0t1 wrote:
           | Is there any justification for the cutoff? It might be
           | possible to just patch out the cpuid check and have the OS
           | run.
           | 
           | If it's boot attestation someone will do it. This is probably
           | to force enterprise vendors to move to devices that better
           | support enterprise management, but yes, it drags us kicking
           | and screaming along with it, at nontrivial personal expense.
        
             | SSLy wrote:
             | There isn't any justification for the 6th to 7th to 8th gen
             | of intel core, at all. They're the same CPUs, just
             | faster/more cores.
        
               | gjsman-1000 wrote:
               | According to Microsoft's security director, it's
               | ARBITRARY.
               | 
                | https://twitter.com/dwizzzleMSFT/status/1408539533465985024
               | 
               | "Seems like you are assuming there is a specific security
               | feature that defines 8th gen as the CPU floor. The floor
               | is set for a range of quality, performance, support, and
               | reliability reasons to ensure a great experience."
        
               | R0b0t1 wrote:
               | Oof. I'm starting to think there's a bit of old Intel CPU
               | stock they want to make unsaleable.
        
               | Dylan16807 wrote:
               | If there's going to be a cutoff based on performance,
               | having it almost unconnected to actual performance is
               | pretty exasperating.
        
               | FridayoLeary wrote:
               | That sounds quite unreasonable. "You don't deserve to
               | "experience" Windows 11, unless you can afford the newest
               | computers. And if you can't, we won't let you have it.
               | Because maybe it won't work perfectly. Even though you
               | got your computer 4 years ago."
        
               | tyingq wrote:
               | Especially considering that there are plenty of slower
               | clocked Celerons on the list.
        
           | mattgreenrocks wrote:
           | > i7 4790k
           | 
           | This is what I run. It doesn't have firmware TPM according to
           | Intel (https://ark.intel.com/content/www/us/en/ark/products/8
           | 0807/i...), but the regular version does.
           | 
           | TPM >=1.2 is a hard requirement for Win11, and if your mobo
           | doesn't have a socket for it, you're out in the cold.
           | 
           | So much for future-proofing.
        
           | tibbydudeza wrote:
           | Just "upgraded" to a i7-6700 last year since I buy my
           | computers used because I am cheap.
        
           | undfg wrote:
           | I have that CPU and I have secure boot. Pretty sure that's a
           | motherboard feature
        
           | 2OEH8eoCRo0 wrote:
           | The list of supported Windows 10 CPUs doesn't even list my
           | current CPU (Xeon E5-1680v2). I'm excited for the release but
           | they've really bungled their messaging and scared people.
        
         | swiley wrote:
         | Damn, they're really going full Andrew Lee.
        
         | morsch wrote:
         | What's the EOL for Windows 10? Apparently it's 13 Dec 2022 or
         | 09 May 2023 (education/enterprise) for the currently released
         | versions -- I guess that's it? https://endoflife.date/windows
        
           | JohnTHaller wrote:
           | October 14th, 2025: https://docs.microsoft.com/en-
           | us/lifecycle/products/windows-...
        
             | zozbot234 wrote:
             | That's the official line, but my guess is that it _will_ be
             | extended way past that. Windows 10 is going to be the new
             | XP.
        
               | snazz wrote:
               | LTSC versions are officially supported for 10 years, so
               | some version of Windows 10 will be supported for at least
               | a decade. Windows Server 2019/client v1809 LTSC is
               | supported until 2029, for example.
        
               | Causality1 wrote:
               | In one way it's funny: if I have to use an insecure OS I
               | may as well go back to Windows 7.
        
       | neilv wrote:
       | Alternatively, you can avoid repeating the historical cycle of
       | lobster-boiling, with the help of https://www.debian.org/ ,
       | https://archlinux.org/ , or other distros.
        
       | Wowfunhappy wrote:
       | For the Legacy BIOS piece, has anyone tried using Clover? It's a
       | bootloader designed for Hackintosh systems. macOS is and always
       | has been EFI-only on Intel computers, and when Clover was
       | released EFI was still uncommon on PCs. So, Clover has its own
       | EFI implementation that can be started from a BIOS boot.
        
       | Causality1 wrote:
       | I wonder if an AME version of W11 will get released. Requiring me
       | to have a Microsoft account to log into my own computer is a do-
       | not-pass-Go unacceptable condition.
        
       | FridayoLeary wrote:
       | I wonder how long it will take MS to close this gap.
        
       | teekert wrote:
       | Psst, you can install Linux directly on the metal, no need for
       | WSL!
        
         | lazypenguin wrote:
         | Linux as the main OS with windows as a guest VM feels like the
         | right idea for me. Setting this up with gpu pass-through is on
         | my todo list!
        
           | djrogers wrote:
           | Not unless your hypervisor can emulate a TPM chip.
        
       | Sherl wrote:
       | So my perfectly fine Thinkpad P51 can't run a win11 because of
       | processor requirements? Are they selling CPU chips or Windows 11
       | to the market??
        
         | gruez wrote:
         | Are you sure it doesn't have PTT? AFAIK recent-ish intel CPUs
         | should have TPM support using the trusted computing
         | capabilities of the CPU itself, without the need for a discrete
         | TPM chip.
        
           | gjsman-1000 wrote:
           | Microsoft has clarified on Twitter of all places that TPM 2.0
           | isn't the only requirement. It _must_ be 8th Gen Intel or 2nd
           | Gen Ryzen or newer regardless of whether it has a TPM.
        
           | homero wrote:
           | What CPUs have TPMs?
        
             | gruez wrote:
             | >Firmware TPMs are firmware-based (e.g. UEFI) solutions
             | that run in a CPU's trusted execution environment. Intel,
             | AMD and Qualcomm have implemented firmware TPMs.
             | 
             | https://en.wikipedia.org/wiki/Trusted_Platform_Module
        
         | temac wrote:
         | It's very probable that Windows 11 will run on your P51. You
         | may have a warning advising you to stay on Windows 10, but it
         | will fit the hard floor so you will be able to upgrade
         | regardless.
         | 
          | IIRC the hard minimum requirements that differ from Win 10 are a
          | TPM, 64-bit >= dual core, I think UEFI + secure boot, and WDDM >=
          | 2.0. I just checked on a Kaby Lake and I have everything needed.
         | 
         | The published list of processors is probably for the soft floor
         | and/or for OEMs.
         | 
          | Now, knowing MS, and especially the situation with regard to
          | some processors following the Win7 -> 10 migration, there is
          | always the risk they fuck up the support even more for unlisted
          | processors, voluntarily or not...
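        A readiness check for the hard floor listed in the comment above (UEFI, Secure Boot, TPM, 64-bit dual core), which also runs the mbr2gpt dry run that tyingq mentions near the top of the thread when the system disk is still MBR. This is an added example, not code from the linked article or any commenter. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the published CPU-model list is not reproduced or checked here, only the core count and address width are.

```powershell
# Added example, not from the linked article or any commenter. Collects the
# Windows 11 hard-floor signals this thread keeps coming back to and, for an
# MBR system disk, validates an mbr2gpt conversion without performing it.
# Assumes an elevated PowerShell 5.1 prompt on Windows 10.

function Get-Win11Readiness {
    $r = [ordered]@{}

    # Set by Windows at boot: "UEFI" or "Legacy". Legacy BIOS cannot do Secure Boot.
    $r.FirmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on Legacy BIOS (and when not elevated); treat as off.
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    # Presence and readiness from the TrustedPlatformModule module...
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $r.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # ...and the spec version from WMI, e.g. "2.0, 0, 1.38" or "1.2, 2, 3".
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpec = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # 64-bit with at least two cores; the model-list cutoff is not checked here.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $r.CpuName = $cpu.Name.Trim()
    $r.Cores   = [int]$cpu.NumberOfCores
    $r.Is64Bit = ($cpu.AddressWidth -eq 64)

    # Partition style of the disk holding the system drive: MBR or GPT.
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $r.SystemDiskStyle = [string]$sysDisk.PartitionStyle

    $r.HardFloorMet = ($r.FirmwareType -eq 'UEFI') -and $r.SecureBoot -and
                      $r.TpmPresent -and ($r.TpmSpec -like '2.0*') -and
                      $r.Is64Bit -and ($r.Cores -ge 2)
    [pscustomobject]$r
}

# mbr2gpt /validate only checks the disk (at most three primary partitions,
# room for the EFI system partition) and changes nothing. /allowFullOS lets it
# run from the booted OS; the real /convert is best done from WinRE, as tyingq
# says, and the firmware must then be switched to UEFI mode by hand.
function Test-Mbr2GptValidation {
    param([int]$DiskNumber = 0)
    & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$DiskNumber /allowFullOS | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$state = Get-Win11Readiness
$state | Format-List
if ($state.SystemDiskStyle -eq 'MBR') {
    "mbr2gpt /validate passed for disk 0: $(Test-Mbr2GptValidation -DiskNumber 0)"
}
```

        Note that a machine can report `FirmwareType = UEFI` with `SecureBoot = False` (UEFI mode with Secure Boot switched off in firmware), and that converting the disk with mbr2gpt does nothing to the firmware setting; both have to be changed for the check above to pass.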
        
           | Dah00n wrote:
           | It is very clearly stated that TPM isn't the requirement but
           | "intel 8th gen and Ryzen 2nd gen" is the cut-off.
           | 
           | https://linustechtips.com/topic/1351028-microsoft-makes-
           | thin...
        
       | walterbell wrote:
       | For those considering a new machine for Windows 11, remember that
       | _upcoming_ Intel and AMD CPUs will include the built-in Microsoft
       | Pluton (inspired by XBox) hardware root of trust, which will play
       | a role similar to Apple T2 or Google Titan. This may offer new
       | functionality beyond TPMs.
       | 
       | Announcement:
       | https://www.microsoft.com/security/blog/2020/11/17/meet-the-...
       | 
       | Speculation:
       | https://www.reddit.com/r/Windows11/comments/o5r2qz/speculati...
       | 
       | Background on secure boot:
       | https://cacm.acm.org/magazines/2020/3/243026-securing-the-bo...
        
       | easton wrote:
       | Microsoft said that the secure boot and TPM requirements will not
       | be enforced by the OS now but will by time Windows 11 hits RTM
       | (which is why the Windows 11 installer enforces it even though
       | the OS runs fine).
       | 
       | https://blogs.windows.com/windows-insider/2021/06/24/prepari...
        
         | swiley wrote:
         | Personal computing is completely dead except for enthusiasts.
         | We've completed our regression to the late 70s.
        
           | nijave wrote:
           | What does this even mean? Secure boot has little impact on
           | anything except reducing the complexity of Windows (since it
           | doesn't need as many boot configurations)
        
             | selfhoster11 wrote:
             | It makes Linux more complicated to deploy, for one. And if
             | they ever change their mind and don't allow it on x86 any
             | more, Linux is basically exiled from the PC OEM market.
        
               | easton wrote:
               | It shouldn't, as Microsoft made sure that the major
               | distros (Ubuntu, RHEL, Fedora, CentOS, maybe Debian?)
               | have access to a signing key that is trusted by the major
               | OEMs. And you can trust your own keys, per the Microsoft
               | guidelines that require that x86 machines allow their
               | secure boot to be disabled.
               | 
               | https://docs.microsoft.com/en-us/windows-
               | hardware/drivers/br...
        
               | dataflow wrote:
               | > per the Microsoft guidelines that require that x86
               | machines allow their secure boot to be disabled.
               | 
               | Yeah but then you can't boot into Windows? Who is
               | actually going to go into the firmware settings to switch
               | settings on and off for _every single boot_ to the other
               | OS?
        
               | blibble wrote:
               | you can boot debian/redhat/... out of the box without
               | disabling it, as the shim used as part of the boot
               | process has been signed by MS
               | 
               | if you want to sign your own kernels: the shim will also
               | let you do that relatively easily ("machine owner keys")
               | 
               | if you want to own your entire boot process you can
               | replace the platform key and sub-keys with your own, and
               | then trust whoever you want (even adding MS' keys if you
               | wish, so Windows can boot in secure mode)
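        To see who currently owns the chain described in the comment above, the Secure Boot variables can be read and decoded directly. This is an added example, not code from any commenter; it parses the `EFI_SIGNATURE_LIST` structures that `Get-SecureBootUEFI` returns and lists every certificate and hash in PK, KEK and db. It assumes an elevated prompt on a UEFI machine, since the cmdlet throws on Legacy BIOS.

```powershell
# Added example, not from any commenter. Dumps the certificates and hashes
# enrolled in the Secure Boot PK, KEK and db variables. Needs an elevated
# prompt on a UEFI machine.
#
# Layout parsed (UEFI spec, EFI_SIGNATURE_LIST), integers little-endian:
#   EFI_GUID SignatureType        16 bytes
#   UINT32   SignatureListSize    total bytes of this list, header included
#   UINT32   SignatureHeaderSize  usually 0
#   UINT32   SignatureSize        bytes per entry, owner GUID included
#   then N entries: EFI_GUID SignatureOwner + SignatureData[SignatureSize-16]

$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function ConvertFrom-EfiSignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end        = $offset + $listSize
        # Refuse to walk off the end or to loop forever on a zero-length list.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $end -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $entry = $offset + 28 + $headerSize
        while ($entry + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$entry..($entry + 15)])
            $data  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $desc = "X509  $($cert.Subject)  (valid to $($cert.NotAfter.ToString('yyyy-MM-dd')))"
            } elseif ($type -eq $EfiCertSha256) {
                $desc = 'SHA256 ' + (($data | ForEach-Object { $_.ToString('x2') }) -join '')
            } else {
                $desc = "type $type, $($data.Length) bytes"
            }
            [pscustomobject]@{ Owner = $owner; Entry = $desc }
            $entry += $sigSize
        }
        $offset = $end
    }
}

foreach ($name in 'PK', 'KEK', 'db') {
    "== $name =="
    $var = Get-SecureBootUEFI -Name $name
    ConvertFrom-EfiSignatureList -Bytes $var.Bytes | Format-Table -AutoSize
}
```

        On a stock OEM machine the PK is typically the OEM's own certificate, and db typically carries "Microsoft Windows Production PCA 2011" (which signs the Windows boot manager) alongside "Microsoft Corporation UEFI CA 2011" (which signs the Linux shim and third-party option ROMs). If your own certificate is not in PK, the "own your entire boot process" option in the comment has not been taken; the same parser can be pointed at dbx to review the revocation list, which is mostly SHA256 entries and can be long.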
        
               | geofft wrote:
               | Ah, yes, the golden era of the '90s and '00s, when Linux
               | was easy to deploy and PC manufacturers supported you
               | running Linux.
               | 
               | We made it work and we'll make it work again.
        
               | brutal_chaos_ wrote:
               | I think for x86 you are (at least very close to) correct,
               | but I've been seeing a serious shift towards ARM chips
               | and (my pipe dream) soon RISCV. X86 may just need to fall
               | to the wayside at this point. Maybe PineBooks could be
               | released with ARM chips too! (RISCV as well, but
               | peripherals need to be a real thing(TM) first). Heck, the
               | Pi400 is a good start in that direction (though obviously
               | isn't enterprise ready yet).
        
               | userbinator wrote:
               | The openness situation for ARM is even worse.
               | 
               | Case in point: the countless Android devices out there.
        
             | zozbot234 wrote:
             | Reducing the complexity how? Their Legacy boot code is
             | already written, and legacy BIOSes aren't going to change
             | either. That code basically comes for free to MS.
        
             | swiley wrote:
             | I guess if the firmware allows users to install their own
             | CA it's ok. I wouldn't be surprised if that feature was
             | neglected by the OEMs or intentionally removed with windows
             | 12.
        
               | zozbot234 wrote:
               | To their credit, Microsoft has signed a secure boot
               | "shim" that allows the user to do that, with explicit
               | prompting. It's being used in the boot flow of many Linux
               | distributions.
        
               | userbinator wrote:
               | In other words, it was _Microsoft_ who effectively  "gave
               | permission" for Linux to run.
               | 
               | One OS company has control over whether they allow
               | competitor's OSs, on hardware that the company doesn't
               | even produce. That should be an absolutely horrifying
               | thing to anyone who believes in software freedom.
        
             | wildrhythms wrote:
             | I understand the risk and want to forego secure boot.
             | What's wrong with that?
        
               | philistine wrote:
               | I'm on the Mac side, and I wanted to reinstall macOS. I
               | messed up the hard drive wipe and ended up breaking the
               | chain of trust. That meant Apple could no longer
               | guarantee the correctness of my install, and no longer
               | allowed my laptop to decrypt my data to reach the login
               | screen directly. I had to input the password for my login
               | at an earlier step during boot, which comes with a litany
               | of small caveats.
               | 
               | I'm sure Microsoft hopes to achieve something similar
               | here at some point: secure boot would give them enough
               | trust to decrypt an install upon boot all the way to the
               | login screen.
        
               | Datagenerator wrote:
               | Nothing wrong with freedom. Not running the master of all
               | telemetry OS increases the possibility to read and study
               | what you want without feeding the data hungry sensors
               | Microsoft has set in stone for you. These datasets are
               | brought to market _with_ your consent (see the thousands
               | of EULA pages you accepted directly and indirectly).
        
             | swiley wrote:
             | Also, turning off secure boot doesn't change the boot
             | process on Microsoft's side, they have to _ask the
             | firmware_ after booting if it was disabled.
             | 
             | Sorry for replying twice but I'm almost always stuck on
             | noprocrast so I can't usually edit my comments.
        
         | zozbot234 wrote:
         | What's even the point of enforcing these requirements when the
         | OS seems to be running quite fine otherwise? Users who are
         | running without SB or a compliant TPM will simply stay on
         | Windows 10, and maybe stay on it past the official EOL date.
        
           | ocdtrekkie wrote:
           | Because they want to set a minimum configuration they have to
           | test and support for the next ten years. It might work fine
           | today, but will it work after five feature updates?
           | 
           | Yeah, you can run Windows 10 on some pretty ancient
           | unsupported hardware too, but when they break support for a
           | driver a couple years in, you end up with a nonworking
           | machine.
        
           | wubbert wrote:
           | They're doing this to force people to buy new hardware and a
           | new Windows licence. If they let you upgrade from Windows 10
           | for free, they don't make any money. They've already gotten
           | people used to free updates, so they can't charge money for
           | Windows 11 upgrades directly. Most people buy pre-built
           | computers, so a Windows 11 licence will be included by
           | default for most, so they will make more money.
        
             | staticassertion wrote:
             | This is silly. Microsoft doesn't even consider Windows to
             | be their major priority in terms of money - they're
             | investing much more heavily in Azure. They also have given
             | free updates repeatedly, so this is an especially weird
             | argument...
             | 
             | The reason they're doing this is because Microsoft doesn't
             | control OEMs directly. They can't _make_ Dell or whoever
              | put in good hardware unless it's a hard requirement to run
             | their OS. They obviously want to start leveraging TPM 2.0,
             | probably in order to properly compete with Chromebooks,
             | which all require that tech already.
             | 
             | Chromebooks and GSuite are a meaningful threat to Microsoft
             | - Google has a huge head start in that they've enforced
             | much stricter restrictions from day 1 on Chromebook
             | hardware. Microsoft is just getting aggressive about doing
             | the same. And it's going to take at least 4 years for them
              | to catch up, given that Windows 10 EOLs in 2025 at the
             | earliest.
             | 
              | This fits far more into their business model of O365,
             | Sentinel, and Azure than it does with their Windows
             | business model.
             | 
             | edit: Expanding on this, TPM technology is critical to Zero
             | Trust Networking, which I'm quite sure Microsoft is going
             | to want to push - especially since Active Directory is
             | getting ripped out of networks practically by government
             | order at this point. If they follow through on this, in 4
             | years Windows networks could be radically more secure than
             | they are today. This fits in well with where Microsoft is
             | taking its business (cloud, security, organization
             | support).
        
             | userbinator wrote:
             | They're essentially promoting the creation of e-waste.
             | 
             | Not to mention the rise of DRM and other user-hostile shit
             | that they are now forcing you to have.
             | 
             | I fucking _hate_ what this industry has become...
        
             | kawsper wrote:
             | > They're doing this to force people to buy new hardware
             | 
             | Forcing people to buy new hardware while there's a global
             | chip shortage is going to be interesting.
        
               | vetinari wrote:
               | First-gen Threadrippers are not supported by Windows 11.
               | Freaking Treadrippers. If they think their owners are
               | going to get new ones for Windows 11, they must be
               | deluded.
        
           | ospray wrote:
           | Best guess is that win 11 will require full disk encryption
           | at some point. With both secure boot and tpm Microsoft will
           | be able to lock down windows in ways they simply couldn't
           | before.
        
           | temac wrote:
           | That's an early build, maybe Windows 11 RTM will actually
           | always use a TPM (1.2 is advertised as minimally supported
           | though).
           | 
           | As for secure boot, I don't see how that could be anything
           | else than policy (that can have an impact on a security model
           | and so on associated security measures, granted, but not
           | having secure boot should technically not prevent booting /
           | installation unless it is enforced by an explicit artificial
           | limitation). But they could at least remove legacy boot
           | support, in which case it just won't work without UEFI.
        
           | omegalulw wrote:
           | I suppose they don't want to support legacy hardware. If they
           | let it install, people _will_ complain when something breaks.
        
             | opencl wrote:
             | If the other requirements they've posted are accurate then
             | the CPU list alone will eliminate anything more than about
             | 3 years old.
        
         | arsome wrote:
         | Is Windows 11 likely to perform some sort of attestation for
         | this? Or are we likely to see something like the way the old
         | Windows cracks used to work - a hacked up version of Grub or
         | another bootloader able to patch the necessary firmware and
         | BIOS information before chainloading Windows.
        
           | userbinator wrote:
           | Unless it's doing some sort of remote-code-download-and-
           | execute(!) based on the attestation results, it will always
           | be possible to crack everything locally. All the checks just
           | need to be patched out, and finding them all is the hard
           | part, but it is theoretically possible as long as you still
           | have full control over the hardware.
           | 
           | But such a setup will be very fragile to automatic updates
           | (which are already difficult enough to turn off completely as
           | it is), and with this whole "update mentality" I wouldn't be
           | surprised if they eventually leave in certain security holes
           | and use those as an additional force to coerce people to take
            | their updates --- along with everything else the users
            | _didn't_ want.
        
             | blibble wrote:
             | how would you patch them out?
             | 
             | the disk will be encrypted with a key stored in the TPM
             | that will only be supplied to a signed OS, so you can't
             | alter the contents on disk
             | 
             | if you've booted in secure mode you can't interfere with
             | the boot process and the OS won't let you patch it online
             | 
             | if they pull it off correctly there's not much you can do
             | 
             | they can even detect the effects of exploits using remote
             | attestation
             | 
             | if a machine has had its environment compromised it won't
             | be able to get updates/watch youtube/play games/...
             | 
             | (using old software/firmware with known exploits can be
             | similarly blocked, until you upgrade)
        
       | codetrotter wrote:
       | I thought they said that Windows 10 would be the only version of
       | Windows forever, and that everything would be updates of Windows
       | 10. Did they change their mind or did I misunderstand in the
       | first place?
        
         | mirthflat83 wrote:
         | Yes. They're copying macOS. Apple decided to change their
         | numbering with Big Sur
        
           | Dah00n wrote:
           | This has nothing to do with Apple. Big Sur, released in 2020,
           | cannot possibly have any impact on the naming of Windows that
           | started in 2009 with Windows 7.
        
             | Dylan16807 wrote:
             | Big Sur is when they went from "everything is 10" to 11.
             | The accusation is that moving off of TenVer is following
             | them, as was getting onto TenVer in the first place. And
             | Microsoft was definitely on TenVer. If they were merely
             | incrementing from 7 they wouldn't have skipped 9 and they
             | wouldn't have stuck on 10 nearly as long.
        
         | meowkit wrote:
          | It is a free update. That quote is out of context and has
          | become a meme. [0]
         | 
         | The continuous build integration system for windows makes it so
         | that new builds come out every week. Under the hood W10 and W11
         | are the same thing barring UI refresh and regular feature
         | updates.
         | 
          | It's Windows 11 because marketers know most people are
          | technically illiterate and want higher version numbers. It's
          | mainly about the UI refresh to pull more people away from Apple
          | and build out the MSFT store.
         | 
          | [0] https://www.theverge.com/2015/5/7/8568473/windows-10-last-ve...
        
           | Wowfunhappy wrote:
           | > Under the hood W10 and W11 are the same thing barring UI
           | refresh and regular feature updates.
           | 
           | Well, then why does it require TPM and EFI, and drop support
           | for all CPUs more than ~5 years old?
        
         | curiousmindz wrote:
          | It has been debunked: this was never an official statement
          | from Microsoft.
         | 
         | Instead, it was made by an employee making an off-the-cuff
         | comment without context.
        
         | billforsternz wrote:
         | They changed their mind. Annoying.
        
         | sixothree wrote:
         | Just imagine how upset people would be if MS updated someone's
         | Windows 10 install to "this".
        
       ___________________________________________________________________
       (page generated 2021-06-26 23:00 UTC)