[HN Gopher] Installing Windows 11 on Legacy BIOS Without Secure ...
___________________________________________________________________
Installing Windows 11 on Legacy BIOS Without Secure Boot
Author : methyl
Score  : 51 points
Date   : 2021-06-25 11:22 UTC (1 days ago)
(HTM) web link (allthings.how)
(TXT) w3m dump (allthings.how)
| tyingq wrote:
| Windows 10 does have mbr2gpt.exe now, so migrating from Legacy to
| UEFI isn't a terrible experience, provided you do it from the
| recovery/boot/troubleshoot Windows screen.
| gjsman-1000 wrote:
| In other bad news, Microsoft developers on Twitter stated that
| 8th Gen Intel or 2nd Gen Ryzen CPUs will, actually, be required
| to install Windows 11 at all by RTM. If you are on 7th gen Intel
| or 1st gen Ryzen, there is no mercy. A 2013 MacBook gets more
| support than a 2017 Windows laptop.
|
| https://linustechtips.com/topic/1351028-microsoft-makes-thin...
|
| A security director now says that a blog post "clarifying the
| floor" is coming. But frankly, if this turns out to be a
| miscommunication, if you read those tweets Microsoft would have
| to be unbelievably incompetent in their use of words.
| JohnTHaller wrote:
| If you meant an Early 2013 MacBook Pro, the current macOS Big
| Sur doesn't support that. If you meant a Late 2013 MacBook Pro,
| macOS Monterey releasing later this year drops support for it
| and all MacBook Air/Pro before 2015 as well as all MacBooks
| before 2016.
| gjsman-1000 wrote:
| Old versions of MacOS get about 2-3 years of additional
| security updates. So if you bought a 2017 laptop with a 7th
| gen processor, you got 8 years of support from 2017 to 2025.
| Unless you bought Surface Studio 2, which is $3499 from
| Microsoft and comes with a 7th gen chip so it only gets 4
| years of support. If you bought a 2013 MacBook which just got
| cut off at Big Sur, you'll probably get supported to 2024, or
| 11 years.
| Wowfunhappy wrote:
| Yes, Apple sucks at legacy support in many respects. Luckily,
| Macs are only ~10% of the PC market, so they can't create as
| much of an e-waste disaster.
|
| Two wrongs don't make a right and I expect better of
| Microsoft.
| advael wrote:
| It's amazing how no amount of altering the deal to be worse for
| consumers seems to get people to mass-exodus from these
| proprietary platforms, despite the existence of numerous
| alternatives
| staticassertion wrote:
| Windows support will continue to at least 2025, so it's hardly
| like users are being left behind - they have multiple years to
| upgrade, and Microsoft has typically extended its support
| window when the time comes.
|
| What MS is doing here is forcing OEMs to package TPM 2.0, which
| will be a massive win for security.
|
| The intel generation is seemingly a bit arbitrary, we'll see
| how that plays out. But again, it's not like people are being
| left behind - they have 4+ years of support left.
| userbinator wrote:
| "security" that is _against_ the user. Some people knew what
| was coming 12 years ago...
|
| http://techrights.org/2009/04/23/bill-gates-security-as-a-lo...
|
| http://techrights.org/2009/06/25/security-as-a-lock-in-gates...
| tehbeard wrote:
| If people are going to downvote the other child comment for
| either FUD or whatever, could they at least provide reading
| material/counterpoints as to the benefits for those of us
| without the MSc in cryptographic systems?
| staticassertion wrote:
| A TPM holds a secret. It's useful for establishing
| identity, performing signing, etc. Think about the fact
| that an attacker on your system can take a session cookie,
| move to another computer, and connect as you. A TPM can
| prevent this by establishing a cryptographic identity.
|
| This is a very significant win and critical to 'zero
| trust', which is now something the government is telling
| people to embrace.
|
| The whole thing with security is silly. They said it about
| UEFI - and yet I run Linux on UEFI systems all the time. I
| also have systems with TPMs that run Linux. Works fine.
| techrat wrote:
| That CPU list was missing CPUs that were still being sold in
| new builds even less than 3 years ago. That's quite the severe
| cut off point.
|
| My older box, an i7 4790k, is still quite the performer. It,
| however, has no secure boot capabilities. No TPM socket on the
| motherboard, even.
| R0b0t1 wrote:
| Is there any justification for the cutoff? It might be
| possible to just patch out the cpuid check and have the OS
| run.
|
| If it's boot attestation someone will do it. This is probably
| to force enterprise vendors to move to devices that better
| support enterprise management, but yes, it drags us kicking
| and screaming along with it, at nontrivial personal expense.
| SSLy wrote:
| There isn't any justification for the 6th to 7th to 8th gen
| of intel core, at all. They're the same CPUs, just
| faster/more cores.
| gjsman-1000 wrote:
| According to Microsoft's security director, it's
| ARBITRARY.
|
| https://twitter.com/dwizzzleMSFT/status/1408539533465985024
|
| "Seems like you are assuming there is a specific security
| feature that defines 8th gen as the CPU floor. The floor
| is set for a range of quality, performance, support, and
| reliability reasons to ensure a great experience."
| R0b0t1 wrote:
| Oof. I'm starting to think there's a bit of old Intel CPU
| stock they want to make unsaleable.
| Dylan16807 wrote:
| If there's going to be a cutoff based on performance,
| having it almost unconnected to actual performance is
| pretty exasperating.
| FridayoLeary wrote:
| That sounds quite unreasonable. "You don't deserve to
| "experience" Windows 11, unless you can afford the newest
| computers. And if you can't, we won't let you have it.
| Because maybe it won't work perfectly. Even though you
| got your computer 4 years ago."
| tyingq wrote:
| Especially considering that there are plenty of slower
| clocked Celerons on the list.
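Editorial example, not a comment from the thread: staticassertion's point above is that a session cookie copied to a second computer is useless if the session is bound to a key that a TPM never releases. The model below shows that with a simulated TPM (a Python object that exposes only sign()), a relying party that ties each cookie to the enrolling device's public key, and a cookie-only check for contrast. The key pair is textbook RSA over small fixed primes so it runs offline with the standard library; real TPM identity keys are 2048-bit RSA or ECC, and the server would learn the public key through attestation rather than the plain enroll() call assumed here.

```python
"""Device-bound session versus bearer cookie (added example; toy RSA keys)."""
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key


def _modinv(a: int, m: int) -> int:
    """Extended Euclid, so the script does not need pow(a, -1, m)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return s0 % m


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class SimulatedTPM:
    """Holds the private exponent; nothing outside the class can read it."""

    def __init__(self, p: int, q: int):
        self._n = p * q
        self._d = _modinv(E, (p - 1) * (q - 1))

    def public_key(self):
        return (self._n, E)

    def sign(self, data: bytes) -> int:
        # hash-then-RSA; the hash is reduced mod n because the toy modulus is ~60 bits
        return pow(_digest(data) % self._n, self._d, self._n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data) % n


class Server:
    """Relying party: a cookie is tied to the public key of the device that
    logged in, and every request must carry a freshly issued signed nonce."""

    def __init__(self):
        self._devices = {}   # device id -> public key (learned at enrollment)
        self._sessions = {}  # cookie -> device id
        self._nonces = set()

    def enroll(self, device_id: str, public_key):
        self._devices[device_id] = public_key  # attestation assumed to have happened

    def login(self, device_id: str) -> str:
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = device_id
        return cookie

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def bearer_accepts(self, cookie: str) -> bool:
        """What a cookie-only server does: holding the cookie is enough."""
        return cookie in self._sessions

    def handle(self, cookie: str, nonce: bytes, signature: int) -> bool:
        device_id = self._sessions.get(cookie)
        if device_id is None or nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)  # single use: a captured request cannot be replayed
        return verify(self._devices[device_id], cookie.encode() + nonce, signature)


def request(server: Server, tpm: SimulatedTPM, cookie: str) -> bool:
    nonce = server.challenge()
    return server.handle(cookie, nonce, tpm.sign(cookie.encode() + nonce))


def scenarios() -> dict:
    server = Server()
    laptop = SimulatedTPM(1_000_000_007, 998_244_353)  # constructed key for the real device
    server.enroll("laptop", laptop.public_key())
    cookie = server.login("laptop")
    out = {"legitimate request": request(server, laptop, cookie)}
    # Only the cookie reaches a second machine, which has its own, different TPM key.
    other = SimulatedTPM(1_000_000_009, 2_147_483_647)
    out["copied cookie, other machine"] = request(server, other, cookie)
    # A captured signed request is submitted a second time.
    nonce = server.challenge()
    sig = laptop.sign(cookie.encode() + nonce)
    server.handle(cookie, nonce, sig)
    out["replayed request"] = server.handle(cookie, nonce, sig)
    # For comparison: the same copied cookie against a cookie-only check.
    out["copied cookie, bearer-only server"] = server.bearer_accepts(cookie)
    return out


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'accepted' if ok else 'rejected'}")
```

The design point is that the cookie still identifies the session, but acceptance depends on a signature only the enrolled device's TPM can produce over a server-chosen nonce, so neither the copied cookie nor a captured request works elsewhere.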
| mattgreenrocks wrote:
| > i7 4790k
|
| This is what I run. It doesn't have firmware TPM according to
| Intel (https://ark.intel.com/content/www/us/en/ark/products/80807/i...),
| but the regular version does.
|
| TPM >=1.2 is a hard requirement for Win11, and if your mobo
| doesn't have a socket for it, you're out in the cold.
|
| So much for future-proofing.
| tibbydudeza wrote:
| Just "upgraded" to an i7-6700 last year since I buy my
| computers used because I am cheap.
| undfg wrote:
| I have that CPU and I have secure boot. Pretty sure that's a
| motherboard feature
| 2OEH8eoCRo0 wrote:
| The list of supported Windows 10 CPUs doesn't even list my
| current CPU (Xeon E5-1680v2). I'm excited for the release but
| they've really bungled their messaging and scared people.
| swiley wrote:
| Damn, they're really going full Andrew Lee.
| morsch wrote:
| What's the EOL for Windows 10? Apparently it's 13 Dec 2022 or
| 09 May 2023 (education/enterprise) for the currently released
| versions -- I guess that's it? https://endoflife.date/windows
| JohnTHaller wrote:
| October 14th, 2025:
| https://docs.microsoft.com/en-us/lifecycle/products/windows-...
| zozbot234 wrote:
| That's the official line, but my guess is that it _will_ be
| extended way past that. Windows 10 is going to be the new
| XP.
| snazz wrote:
| LTSC versions are officially supported for 10 years, so
| some version of Windows 10 will be supported for at least
| a decade. Windows Server 2019/client v1809 LTSC is
| supported until 2029, for example.
| Causality1 wrote:
| In one way it's funny: if I have to use an insecure OS I
| may as well go back to Windows 7.
| neilv wrote:
| Alternatively, you can avoid repeating the historical cycle of
| lobster-boiling, with the help of https://www.debian.org/ ,
| https://archlinux.org/ , or other distros.
| Wowfunhappy wrote:
| For the Legacy BIOS piece, has anyone tried using Clover? It's a
| bootloader designed for Hackintosh systems. macOS is and always
| has been EFI-only on Intel computers, and when Clover was
| released EFI was still uncommon on PCs. So, Clover has its own
| EFI implementation that can be started from a BIOS boot.
| Causality1 wrote:
| I wonder if an AME version of W11 will get released. Requiring me
| to have a Microsoft account to log into my own computer is a
| do-not-pass-Go unacceptable condition.
| FridayoLeary wrote:
| I wonder how long it will take MS to close this gap.
| teekert wrote:
| Psst, you can install Linux directly on the metal, no need for
| WSL!
| lazypenguin wrote:
| Linux as the main OS with windows as a guest VM feels like the
| right idea for me. Setting this up with gpu pass-through is on
| my todo list!
| djrogers wrote:
| Not unless your hypervisor can emulate a TPM chip.
| Sherl wrote:
| So my perfectly fine Thinkpad P51 can't run a win11 because of
| processor requirements? Are they selling CPU chips or Windows 11
| to the market??
| gruez wrote:
| Are you sure it doesn't have PTT? AFAIK recent-ish intel CPUs
| should have TPM support using the trusted computing
| capabilities of the CPU itself, without the need for a discrete
| TPM chip.
| gjsman-1000 wrote:
| Microsoft has clarified on Twitter of all places that TPM 2.0
| isn't the only requirement. It _must_ be 8th Gen Intel or 2nd
| Gen Ryzen or newer regardless of whether it has a TPM.
| homero wrote:
| What CPUs have TPMs?
| gruez wrote:
| >Firmware TPMs are firmware-based (e.g. UEFI) solutions
| that run in a CPU's trusted execution environment. Intel,
| AMD and Qualcomm have implemented firmware TPMs.
|
| https://en.wikipedia.org/wiki/Trusted_Platform_Module
| temac wrote:
| It's very probable that Windows 11 will run on your P51. You
| may have a warning advising you to stay on Windows 10, but it
| will fit the hard floor so you will be able to upgrade
| regardless.
|
| IIRC the hard minimal req different from Win 10 is a TPM, 64
| bits >= dual core, I think UEFI + secure boot, and WDDM >= 2.0.
| I just checked on a Kaby Lake and I have everything needed.
|
| The published list of processors is probably for the soft floor
| and/or for OEMs.
|
| Now, knowing MS and especially the situation in regard with
| some processors following the Win7 -> 10 migration, there is
| always the risk they fuck up the support even more for unlisted
| processor, voluntarily or not...
| Dah00n wrote:
| It is very clearly stated that TPM isn't the requirement but
| "intel 8th gen and Ryzen 2nd gen" is the cut-off.
|
| https://linustechtips.com/topic/1351028-microsoft-makes-thin...
| walterbell wrote:
| For those considering a new machine for Windows 11, remember that
| _upcoming_ Intel and AMD CPUs will include the built-in Microsoft
| Pluton (inspired by XBox) hardware root of trust, which will play
| a role similar to Apple T2 or Google Titan. This may offer new
| functionality beyond TPMs.
|
| Announcement:
| https://www.microsoft.com/security/blog/2020/11/17/meet-the-...
|
| Speculation:
| https://www.reddit.com/r/Windows11/comments/o5r2qz/speculati...
|
| Background on secure boot:
| https://cacm.acm.org/magazines/2020/3/243026-securing-the-bo...
| easton wrote:
| Microsoft said that the secure boot and TPM requirements will not
| be enforced by the OS now but will by the time Windows 11 hits RTM
| (which is why the Windows 11 installer enforces it even though
| the OS runs fine).
|
| https://blogs.windows.com/windows-insider/2021/06/24/prepari...
| swiley wrote:
| Personal computing is completely dead except for enthusiasts.
| We've completed our regression to the late 70s.
| nijave wrote:
| What does this even mean? Secure boot has little impact on
| anything except reducing the complexity of Windows (since it
| doesn't need as many boot configurations)
| selfhoster11 wrote:
| It makes Linux more complicated to deploy, for one. And if
| they ever change their mind and don't allow it on x86 any
| more, Linux is basically exiled from the PC OEM market.
| easton wrote:
| It shouldn't, as Microsoft made sure that the major
| distros (Ubuntu, RHEL, Fedora, CentOS, maybe Debian?)
| have access to a signing key that is trusted by the major
| OEMs. And you can trust your own keys, per the Microsoft
| guidelines that require that x86 machines allow their
| secure boot to be disabled.
|
| https://docs.microsoft.com/en-us/windows-hardware/drivers/br...
| dataflow wrote:
| > per the Microsoft guidelines that require that x86
| machines allow their secure boot to be disabled.
|
| Yeah but then you can't boot into Windows? Who is
| actually going to go into the firmware settings to switch
| settings on and off for _every single boot_ to the other
| OS?
| blibble wrote:
| you can boot debian/redhat/... out of the box without
| disabling it, as the shim used as part of the boot
| process has been signed by MS
|
| if you want to sign your own kernels: the shim will also
| let you do that relatively easily ("machine owner keys")
|
| if you want to own your entire boot process you can
| replace the platform key and sub-keys with your own, and
| then trust whoever you want (even adding MS' keys if you
| wish, so Windows can boot in secure mode)
| geofft wrote:
| Ah, yes, the golden era of the '90s and '00s, when Linux
| was easy to deploy and PC manufacturers supported you
| running Linux.
|
| We made it work and we'll make it work again.
| brutal_chaos_ wrote:
| I think for x86 you are (at least very close to) correct,
| but I've been seeing a serious shift towards ARM chips
| and (my pipe dream) soon RISCV. X86 may just need to fall
| to the wayside at this point. Maybe PineBooks could be
| released with ARM chips too! (RISCV as well, but
| peripherals need to be a real thing(TM) first). Heck, the
| Pi400 is a good start in that direction (though obviously
| isn't enterprise ready yet).
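Editorial example, not a comment from the thread: blibble's post above describes three places a Secure Boot decision can come from (the firmware's db, which Microsoft's signature on shim satisfies; shim's Machine Owner Key list for your own kernels; and dbx for revocations), and easton and dataflow discuss simply switching Secure Boot off. The model below walks the firmware -> shim -> kernel chain under each of those conditions. It assumes db, dbx and MOK hold SHA-256 image hashes (UEFI does allow hash entries, though the usual entries are X.509 certificates, which would need signature checks this model leaves out), and the images are byte strings constructed here. It does not model replacing the platform key, which changes who may edit these lists rather than how they are consulted.

```python
"""UEFI Secure Boot trust lists: firmware db/dbx, shim vendor list and MOK (added example)."""
import hashlib


def image_hash(image: bytes) -> str:
    """Stand-in for the Authenticode hash the firmware computes over a PE image."""
    return hashlib.sha256(image).hexdigest()


class Firmware:
    """UEFI firmware: for anything it loads itself, only db and dbx matter."""

    def __init__(self, db, dbx=(), secure_boot=True):
        self.db = {image_hash(i) for i in db}      # allowed
        self.dbx = {image_hash(i) for i in dbx}    # revoked; wins over db
        self.secure_boot = secure_boot

    def allows(self, image: bytes) -> bool:
        if not self.secure_boot:
            return True  # Secure Boot off: nothing is checked
        h = image_hash(image)
        return h in self.db and h not in self.dbx


class Shim:
    """shim: loaded because db trusts it (in reality, Microsoft's signature on it).
    It then accepts a next stage that db, its built-in vendor list or the
    MOK list trusts; dbx still applies."""

    def __init__(self, firmware: Firmware, vendor):
        self.firmware = firmware
        self.vendor = {image_hash(i) for i in vendor}  # distro key compiled into shim
        self.mok = set()                               # MokList, enrolled by the owner

    def enroll_mok(self, image: bytes):
        # mokutil --import stages this; real shim asks for the enrollment
        # password at the console on the next boot before adding it.
        self.mok.add(image_hash(image))

    def allows(self, image: bytes) -> bool:
        if not self.firmware.secure_boot:
            return True
        h = image_hash(image)
        if h in self.firmware.dbx:
            return False
        return h in self.firmware.db or h in self.vendor or h in self.mok


def boot_via_shim(fw: Firmware, shim_image: bytes, shim: Shim, kernel: bytes) -> str:
    """Walk firmware -> shim -> kernel and report where the chain stops."""
    if not fw.allows(shim_image):
        return "firmware refused shim"
    if not shim.allows(kernel):
        return "shim refused kernel"
    return "booted"


def boot_direct(fw: Firmware, kernel: bytes) -> str:
    """Kernel registered as the boot entry itself, no shim in between."""
    return "booted" if fw.allows(kernel) else "firmware refused kernel"


# Constructed images; the text stands in for the signed PE binaries.
SHIM = b"shimx64.efi, signed by the Microsoft UEFI CA"
DISTRO_KERNEL = b"vmlinuz, signed by the distro key that shim carries"
MY_KERNEL = b"vmlinuz built by the machine owner"
OLD_KERNEL = b"older distro kernel that was later revoked"


def scenarios() -> dict:
    fw = Firmware(db=[SHIM], dbx=[OLD_KERNEL])
    shim = Shim(fw, vendor=[DISTRO_KERNEL, OLD_KERNEL])
    out = {}
    out["distro kernel via shim"] = boot_via_shim(fw, SHIM, shim, DISTRO_KERNEL)
    out["own kernel via shim, no MOK"] = boot_via_shim(fw, SHIM, shim, MY_KERNEL)
    shim.enroll_mok(MY_KERNEL)
    out["own kernel via shim, MOK enrolled"] = boot_via_shim(fw, SHIM, shim, MY_KERNEL)
    # The firmware never consults MOK, so the same kernel as a direct boot entry fails.
    out["own kernel loaded directly by firmware"] = boot_direct(fw, MY_KERNEL)
    out["revoked kernel, still in vendor list"] = boot_via_shim(fw, SHIM, shim, OLD_KERNEL)
    fw.secure_boot = False
    out["own kernel, Secure Boot disabled"] = boot_direct(fw, MY_KERNEL)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42s} {result}")
```

Two things the run makes visible: MOK is a shim-level list, so a self-built kernel that shim accepts is still refused when the firmware loads it directly, and a dbx entry overrides every allow list, which is how a vendor-signed but later-revoked image is kept off the machine without touching db.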
| userbinator wrote:
| The openness situation for ARM is even worse.
|
| Case in point: the countless Android devices out there.
| zozbot234 wrote:
| Reducing the complexity how? Their Legacy boot code is
| already written, and legacy BIOSes aren't going to change
| either. That code basically comes for free to MS.
| swiley wrote:
| I guess if the firmware allows users to install their own
| CA it's ok. I wouldn't be surprised if that feature was
| neglected by the OEMs or intentionally removed with windows
| 12.
| zozbot234 wrote:
| To their credit, Microsoft has signed a secure boot
| "shim" that allows the user to do that, with explicit
| prompting. It's being used in the boot flow of many Linux
| distributions.
| userbinator wrote:
| In other words, it was _Microsoft_ who effectively "gave
| permission" for Linux to run.
|
| One OS company has control over whether they allow
| competitors' OSs, on hardware that the company doesn't
| even produce. That should be an absolutely horrifying
| thing to anyone who believes in software freedom.
| wildrhythms wrote:
| I understand the risk and want to forego secure boot.
| What's wrong with that?
| philistine wrote:
| I'm on the Mac side, and I wanted to reinstall macOS. I
| messed up the hard drive wipe and ended up breaking the
| chain of trust. That meant Apple could no longer
| guarantee the correctness of my install, and no longer
| allowed my laptop to decrypt my data to reach the login
| screen directly. I had to input the password for my login
| at an earlier step during boot, which comes with a litany
| of small caveats.
|
| I'm sure Microsoft hopes to achieve something similar
| here at some point: secure boot would give them enough
| trust to decrypt an install upon boot all the way to the
| login screen.
| Datagenerator wrote:
| Nothing wrong with freedom. Not running the master of all
| telemetry OS increases the possibility to read and study
| what you want without feeding the data hungry sensors
| Microsoft has set in stone for you. These datasets are
| brought to market _with_ your consent (see the thousands
| of EULA pages you accepted directly and indirectly).
| swiley wrote:
| Also, turning off secure boot doesn't change the boot
| process on Microsoft's side, they have to _ask the
| firmware_ after booting if it was disabled.
|
| Sorry for replying twice but I'm almost always stuck on
| noprocrast so I can't usually edit my comments.
| zozbot234 wrote:
| What's even the point of enforcing these requirements when the
| OS seems to be running quite fine otherwise? Users who are
| running without SB or a compliant TPM will simply stay on
| Windows 10, and maybe stay on it past the official EOL date.
| ocdtrekkie wrote:
| Because they want to set a minimum configuration they have to
| test and support for the next ten years. It might work fine
| today, but will it work after five feature updates?
|
| Yeah, you can run Windows 10 on some pretty ancient
| unsupported hardware too, but when they break support for a
| driver a couple years in, you end up with a nonworking
| machine.
| wubbert wrote:
| They're doing this to force people to buy new hardware and a
| new Windows licence. If they let you upgrade from Windows 10
| for free, they don't make any money. They've already gotten
| people used to free updates, so they can't charge money for
| Windows 11 upgrades directly. Most people buy pre-built
| computers, so a Windows 11 licence will be included by
| default for most, so they will make more money.
| staticassertion wrote:
| This is silly. Microsoft doesn't even consider Windows to
| be their major priority in terms of money - they're
| investing much more heavily in Azure. They also have given
| free updates repeatedly, so this is an especially weird
| argument...
|
| The reason they're doing this is because Microsoft doesn't
| control OEMs directly. They can't _make_ Dell or whoever
| put in good hardware unless it's a hard-requirement to run
| their OS. They obviously want to start leveraging TPM 2.0,
| probably in order to properly compete with Chromebooks,
| which all require that tech already.
|
| Chromebooks and GSuite are a meaningful threat to Microsoft
| - Google has a huge head start in that they've enforced
| much stricter restrictions from day 1 on Chromebook
| hardware. Microsoft is just getting aggressive about doing
| the same. And it's going to take at least 4 years for them
| to catch up, given that Windows 10 EOLs in 2015 at the
| earliest.
|
| This fits far more into their business model of O365,
| Sentinel, and Azure than it does with their Windows
| business model.
|
| edit: Expanding on this, TPM technology is critical to Zero
| Trust Networking, which I'm quite sure Microsoft is going
| to want to push - especially since Active Directory is
| getting ripped out of networks practically by government
| order at this point. If they follow through on this, in 4
| years Windows networks could be radically more secure than
| they are today. This fits in well with where Microsoft is
| taking its business (cloud, security, organization
| support).
| userbinator wrote:
| They're essentially promoting the creation of e-waste.
|
| Not to mention the rise of DRM and other user-hostile shit
| that they are now forcing you to have.
|
| I fucking _hate_ what this industry has become...
| kawsper wrote:
| > They're doing this to force people to buy new hardware
|
| Forcing people to buy new hardware while there's a global
| chip shortage is going to be interesting.
| vetinari wrote:
| First-gen Threadrippers are not supported by Windows 11.
| Freaking Threadrippers. If they think their owners are
| going to get new ones for Windows 11, they must be
| deluded.
| ospray wrote:
| Best guess is that win 11 will require full disk encryption
| at some point. With both secure boot and tpm Microsoft will
| be able to lock down windows in ways they simply couldn't
| before.
| temac wrote:
| That's an early build, maybe Windows 11 RTM will actually
| always use a TPM (1.2 is advertised as minimally supported
| though).
|
| As for secure boot, I don't see how that could be anything
| else than policy (that can have an impact on a security model
| and so on associated security measures, granted, but not
| having secure boot should technically not prevent booting /
| installation unless it is enforced by an explicit artificial
| limitation). But they could at least remove legacy boot
| support, in which case it just won't work without UEFI.
| omegalulw wrote:
| I suppose they don't want to support legacy hardware. If they
| let it install, people _will_ complain when something breaks.
| opencl wrote:
| If the other requirements they've posted are accurate then
| the CPU list alone will eliminate anything more than about
| 3 years old.
| arsome wrote:
| Is Windows 11 likely to perform some sort of attestation for
| this? Or are we likely to see something like the way the old
| Windows cracks used to work - a hacked up version of Grub or
| another bootloader able to patch the necessary firmware and
| BIOS information before chainloading Windows.
| userbinator wrote:
| Unless it's doing some sort of
| remote-code-download-and-execute(!) based on the attestation
| results, it will always be possible to crack everything locally.
| All the checks just need to be patched out, and finding them all
| is the hard part, but it is theoretically possible as long as you
| still have full control over the hardware.
|
| But such a setup will be very fragile to automatic updates
| (which are already difficult enough to turn off completely as
| it is), and with this whole "update mentality" I wouldn't be
| surprised if they eventually leave in certain security holes
| and use those as an additional force to coerce people to take
| their updates --- along with everything else the users _didn't_
| want.
| blibble wrote:
| how would you patch them out?
|
| the disk will be encrypted with a key stored in the TPM
| that will only be supplied to a signed OS, so you can't
| alter the contents on disk
|
| if you've booted in secure mode you can't interfere with
| the boot process and the OS won't let you patch it online
|
| if they pull it off correctly there's not much you can do
|
| they can even detect the effects of exploits using remote
| attestation
|
| if a machine has had its environment compromised it won't
| be able to get updates/watch youtube/play games/...
|
| (using old software/firmware with known exploits can be
| similarly blocked, until you upgrade)
| codetrotter wrote:
| I thought they said that Windows 10 would be the only version of
| Windows forever, and that everything would be updates of Windows
| 10. Did they change their mind or did I misunderstand in the
| first place?
| mirthflat83 wrote:
| Yes. They're copying macOS. Apple decided to change their
| numbering with Big Sur
| Dah00n wrote:
| This has nothing to do with Apple. Big Sur, released in 2020,
| cannot possibly have any impact on the naming of Windows that
| started in 2009 with Windows 7.
| Dylan16807 wrote:
| Big Sur is when they went from "everything is 10" to 11.
| The accusation is that moving off of TenVer is following
| them, as was getting onto TenVer in the first place. And
| Microsoft was definitely on TenVer. If they were merely
| incrementing from 7 they wouldn't have skipped 9 and they
| wouldn't have stuck on 10 nearly as long.
| meowkit wrote:
| It is a free update. That quote is out of context and has
| become a meme. 0
|
| The continuous build integration system for windows makes it so
| that new builds come out every week. Under the hood W10 and W11
| are the same thing barring UI refresh and regular feature
| updates.
|
| It's Windows 11 because marketers know most people are
| technically illiterate and want higher version numbers. It's
| mainly about the UI refresh to pull more people away from Apple
| and build out the MSFT store.
|
| https://www.theverge.com/2015/5/7/8568473/windows-10-last-ve...
| Wowfunhappy wrote:
| > Under the hood W10 and W11 are the same thing barring UI
| refresh and regular feature updates.
|
| Well, then why does it require TPM and EFI, and drop support
| for all CPUs more than ~5 years old?
| curiousmindz wrote:
| It has been debunked that this was never an official statement
| from Microsoft.
|
| Instead, it was made by an employee making an off-the-cuff
| comment without context.
| billforsternz wrote:
| They changed their mind. Annoying.
| sixothree wrote:
| Just imagine how upset people would be if MS updated someone's
| Windows 10 install to "this".
___________________________________________________________________
(page generated 2021-06-26 23:00 UTC)