This enables hardware owners to specify custom kernel driver signing requirements, enabling kernel mode code to run without having to submit it to Microsoft for signing.
The backside fingerprint reader could even be used as an input device on some models for scrolling, or pulling down/up the notification bar. Great for scrolling through content or swiping through screens without having to cover your display for gesture input: https://www.androidauthority.com/miss-rear-fingerprint-scann...
Even before the virtualization-based security feature was introduced this has been the Hyper-V architecture, on server and client SKUs. The management OS is referred to as the "parent partition" or "root partition," and it runs on top of the hypervisor: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-...
This is true for certification, which is mandatory for Server OS, distributing through Windows Update, or certain classes of drivers such as anti-malware or biometric authentication, but you can still submit drivers to Microsoft for "attestation signing" that will load without warnings on desktop OS without having to run them through the testing suite.
In any case, running the certification tests does not provide runtime protection for drivers running in kernel mode, as demonstrated by CrowdStrike. Only Windows 10 started introducing hardware virtualization-based isolation of kernel components (to provide isolation of security subsystems, not runtime checks to prevent crashes): https://learn.microsoft.com/en-us/windows-hardware/design/de...
> They actually advise OEMs not to install this second key by default ("Secured Core" PCs), and some vendors have followed the advice, such as Lenovo. Resulting in yet another hoop to install non-MS OSes.
True, 3rd party not trusted by default is a "Secured-Core PC" requirement, but so is the BIOS option for enabling that trust [0]. On my "Secured-Core" ARM ThinkPad T14s it's a simple toggle option.
> Even recently, a Windows updated added a number of Linux distributions to the Secure Boot blacklist, resulting in working dual boot systems being suddenly cripped. Of course, _ancient_ MS OSes are never going to be blacklisted.
Actually they are in the process of blacklisting their currently used 2011 Windows certificate, i.e. the Microsoft cert installed on every pre-~2024 machine, also invalidating all Windows boot media not explicitly created with the new cert. It's a manually initiated process for now, with an automatic rollout coming later [1].
It'll be very interesting to watch how well that's going to work on such a massive scale. :)
> I think drivers are going to be the biggest PITA for ARM-based PC users for the first couple years — for example, Google Drive doesn't work for that reason.
Google Drive does ship with Arm64 drivers, and patching the platform check out of the installer gets them installed just fine (40 84 f6 74 08 -> 40 84 f6 90 90).
It's so ridiculous. You ever wanted Explorer's "details" file list view to have horizontal blank space between rows so rather than selecting the nearest item you could just click through the list into a blank void and select nothing? Yeah, that's what the default setting is now. For a list view. It's like making up unusable space between cells in Excel for no reason.
In any case, you're free to remove Microsoft's certificates and enroll your own.