
Battlefield 6 Dev Apologizes For Requiring Secure Boot To Power Anti-Cheat Tools (arstechnica.com) 54
An anonymous reader quotes a report from Ars Technica: Earlier this month, EA announced that players in its Battlefield 6 open beta on PC would have to enable Secure Boot in their Windows OS and BIOS settings. That decision proved controversial among players who weren't able to get the finicky low-level security setting working on their machines and others who were unwilling to allow EA's anti-cheat tools to once again have kernel-level access to their systems. Now, Battlefield 6 technical director Christian Buhl is defending that requirement as something of a necessary evil to combat cheaters, even as he apologizes to any potential players that it has kept away.
"The fact is I wish we didn't have to do things like Secure Boot," Buhl said in an interview with Eurogamer. "It does prevent some players from playing the game. Some people's PCs can't handle it and they can't play: that really sucks. I wish everyone could play the game with low friction and not have to do these sorts of things." Throughout the interview, Buhl admits that even requiring Secure Boot won't completely eradicate cheating in Battlefield 6 long term. Even so, he offered that the Javelin anti-cheat tools enabled by Secure Boot's low-level system access were "some of the strongest tools in our toolbox to stop cheating. Again, nothing makes cheating impossible, but enabling Secure Boot and having kernel-level access makes it so much harder to cheat and so much easier for us to find and stop cheating." [...]
Despite all these justifications for the Secure Boot requirement on EA's part, it hasn't been hard to find people complaining about what they see as an onerous barrier to playing an online shooter. A quick Reddit search turns up dozens of posts complaining about the difficulty of getting Secure Boot on certain PC configurations or expressing discomfort about installing what they consider a "malware rootkit" on their machine. "I want to play this beta but A) I'm worried about bricking my PC. B) I'm worried about giving EA complete access to my machine," one representative Redditor wrote.
And it doesn't stop anything. (Score:3)
You can always make your own custom Secure Boot key database and sign whatever you want.
It's even easier on millions of Dell and Alienware computers that used the test key as their production Platform Key. You can just use the leaked private key to modify the keys without being easily detectable.
Re: And it doesn't stop anything. (Score:2)
What you're describing is verified boot, not secure boot, which often refers to OEM verified boot. The OS can be told which it is, but it can also be lied to, unless they're also asking for measured boot with hardware attestation. And even without that, you're relying on local (and thus, detectable) files to poke at kernel memory.
But why do that when you can just remotely poke the kernel memory via the PCI bus using a DMA card?
Re: (Score:2)
That's okay, there's TPM-fail as well as PKfail. Enough fail to go around to get every needed key to fake a proper boot, while having a cheating VM in place.
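A defensive check for the test Platform Key problem raised in the comments above (PKfail), added here as an example and not code from any commenter or vendor: it parses a PK variable as read from Linux efivarfs and reports the "DO NOT TRUST" / "DO NOT SHIP" markers reported for the affected test certificates. The sample variable is constructed, the substring match on raw certificate bytes is a simplification of full X.509 parsing, and the function names are hypothetical.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature lists of this type hold DER-encoded X.509 certs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject/issuer strings reported for the PKfail test keys.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, signature) from concatenated EFI_SIGNATURE_LISTs."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < 28 or offset + list_size > len(data) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = offset + 28 + header_size
        end = offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def find_test_keys(variable, efivarfs=True):
    """Return the test-key markers found in the X.509 entries of a PK variable."""
    # Linux efivarfs prepends a 4-byte attribute word to the variable data.
    payload = variable[4:] if efivarfs else variable
    hits = []
    for sig_type, _owner, blob in parse_signature_lists(payload):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        hits.extend(m.decode() for m in TEST_KEY_MARKERS if m in blob)
    return hits


def constructed_pk(subject):
    """Build a constructed PK variable; the 'certificate' is a stand-in blob, not real DER."""
    cert = b"\x30\x82" + b"CN=" + subject + b"\x00" * 8
    entry = uuid.UUID(int=0).bytes_le + cert
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry))
    return struct.pack("<I", 0x27) + header + entry


if __name__ == "__main__":
    # PK lives under the EFI global variable GUID on a UEFI-booted Linux system.
    path = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    with open(path, "rb") as f:
        print(find_test_keys(f.read()) or "no test-key marker in PK")
```

A hit means the Platform Key should be replaced through a firmware update or by enrolling your own key; a clean result only says the marker strings are absent, not that the key is otherwise trustworthy.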
Re: Buy a console for online games (Score:2)
Have two PCs, one for games and a cheap laptop for regular computing. Best of both worlds, plus you can watch porn on both, something that isn't practical on a console. (Especially Nintendo)
Re: Buy a console for online games (Score:2)
It's really about handing over ownership (Score:2)
This is going to be just like HP killing all its inkjets after sale.
SecureBoot (and TPM 2.0) has(have) been mandatory (Score:2, Informative)
As a matter of fact, SecureBoot was introduced with Win8, and many an OEM turned it on by default even back then... And has been mandatory on Win11 since day one.
So, how come in the year of our lord 2025 there are still gamers having trouble with Secure Boot?
If you want to play battlefield 6:
Update your firmware to the latest version available.
Turn on SecureBoot and TPM 2.0, disable CSM compatibility in Firmware.
Include the relevant keys in secureboot if you multiboot other OSs (like Linux Distros or *BSD)
Re: (Score:1)
Re: (Score:2)
Actually it is mandatory on Windows 11 by policy. The fact you found a workaround is notwithstanding.
Re: (Score:2)
Re: (Score:2)
False, Windows 11 refuses to install if you disable secure boot. In fact disabling Secure Boot was and is one of the Slashdot favourite ways of preventing Windows 10 updating to Windows 11 through nefarious tactics.
You found a workaround to a policy, that is disable it after install. Something that incidentally will cause a standing error to be present in your Windows Security settings.
Re: (Score:2)
> False, Windows 11 refuses to install if you disable secure boot.
It might now, but windows 11 used to allow disabling all of the checks. TPM 2, Secure Boot, the works. I know because I did this when I did my VM install. My Windows 11 VM now has an emulated TPM 2.0 which works fine, and I have enabled secure boot which also works fine, but I installed it without either of those things. In fact, there was no TPM in the VM when I installed at all. If you installed it without Secure Boot, it will continue to run without it.
Re: (Score:1)
Re: (Score:2)
There are machines sold as recently as 2020 that don't have the full TPM 2.0 feature set. (I'm thinking HP "Z" series workstations, but certainly others.)
Without knowing exactly what EA's DRM is looking for, it's hard to say if earlier versions of TPM would cut it. But being in the process of migrating hundreds of PCs to Windows 11, I can confirm there are definitely beefy machines in circulation without the full complement of TPM features.
Re: (Score:2)
> And has been mandatory on Win11 since day one.
Win11 has 51% market share, So at least 49% of people are Not running Windows 11.
And there is a crap ton of people on computers that are not TPM 2 capable. Otherwise Microsoft would likely have forced their systems to Win11 by now.
Also, people do install Win11 without secure boot.
Re: (Score:2)
> Win11 has 51% market share, So at least 49% of people are Not running Windows 11.
Lies, damn lies, and statistics. Yours falls in the latter. No Windows 11 does not have 51% market share *AMONG GAMERS*. Market share is not equally divided among segment. The overall market share for gamers is more like 65-70%. If you narrow gamers down to those who play FPS games with advanced graphics you end up with an even higher market share.
Remember to focus your statistics on the conversation.
Re: (Score:3)
What I find amusing is that I enabled TPM 2.0 in my BIOS and even though Windows 11 knows this, the beta still doesn't seem to recognize it.
It will be a cold day in hell before I reinstall Windows 11 just to play a game demo.
Re: (Score:2)
Secure Boot is not required for Windows 11 and, depending on your install media, you may have to disable it in the BIOS to perform a bare metal OS install. The OS runs without problems and doesn't complain about anything if you have Secure Boot disabled, though.
You do have to have TPM 2.0 or later enabled for Windows 11 to run, and there may even be a registry hack to bypass that requirement. I'm not sure, I have both TPM and Secure Boot enabled.
Re: (Score:2)
It's not unreasonable to expect a game to just work.
Re: SecureBoot (and TPM 2.0) has(have) been mandat (Score:2)
"not cool" is 'cool' (Score:2)
I imagine that Windows 11 with its increased spyware, I mean, 'trust platform', already uses Secure Boot, so this will not be a problem to most children.
Re: "not cool" is 'cool' (Score:3)
I remember simpler times when you could smoke or raid your parents liquor cabinet to be the cool kid. And you could make a lot of friends just by smoking weed while learning how to play a few hair band riffs on guitar.
Kids these days have it way harder. And it takes a huge financial investment to socialize with their peers.
Bullshit. (Score:3)
It's not a necessary requirement to prevent cheaters. Just have two groups of servers, one for people with Secure Boot, and one for people without. Tell the people who are on the second server that because the anti-cheat technology is unsupported on their machine, they are limited to Anything Goes servers, which means you can't guarantee that other players won't cheat against them. Problem solved.
Re: (Score:2)
Yeah, you can have a group of people playing on the anti-cheat servers and people whose PCs use lesser anti-cheats (ones that don't use secure boot) to have servers that work for them.
I mean, they already have it so cheaters get routed to an anything goes server anyways
Re: (Score:3)
> Just have two groups of servers, one for people with Secure Boot, and one for people without.
Yeah just build a whole lot of extra infrastructure for extra cost for the explicit purpose of segregating a player base. What a winning idea that sounds like. I take it you're the CEO of We've Gone Bankrupt Ltd?
Re: (Score:2)
>> Just have two groups of servers, one for people with Secure Boot, and one for people without.
> Yeah just build a whole lot of extra infrastructure for extra cost for the explicit purpose of segregating a player base. What a winning idea that sounds like. I take it you're the CEO of We've Gone Bankrupt Ltd?
No extra infrastructure needed. Just a separate VM. The number of users would be the same, so the total load would be the same. This is basically a no-op in terms of operating costs.
Well, that's not strictly true. There would probably be a decent number of users who would buy the game if they could play it, and wouldn't if they couldn't, so with that approach, you'd likely have more players, and thus more load, but you'd also have more revenue. :-)
Re: (Score:3)
> No extra infrastructure needed. Just a separate VM.
Yes because VMs are free infinite resources that you can spin up at will.
> The number of users would be the same, so the total load would be the same. This is basically a no-op in terms of operating costs.
That's not how servers work. The software (to say nothing of you saying you want to spin up a whole separate VM) requires significant resources. You clearly have no idea how software works.
And you've still segregated your player base, you've still appeased cheaters, you've flushed the reputation of those servers down the toilet, and you've spent a lot of money doing it.
Re: (Score:2)
>> No extra infrastructure needed. Just a separate VM.
> Yes because VMs are free infinite resources that you can spin up at will.
Infinite, no, but if the number of users is the same, the amount of load caused by having 1,000 users on one VM and 1,000 users on a second VM is not significantly different from having 2,000 users on one VM, assuming you architected your systems correctly and aren't wasting a huge amount of RAM on redundantly stored data. I'll elaborate more below.
>> The number of users would be the same, so the total load would be the same. This is basically a no-op in terms of operating costs.
> That's not how servers work. The software (to say nothing of you saying you want to spin up a whole separate VM) requires significant resources.
I literally deal with multibillion user software for a living every day. If you seriously think you know more about the subject, please provide details abou
Re: (Score:3, Interesting)
I'd rather that games have stronger and legally enforceable financial penalties for those that cheat, with penalty damages to the cheats based on the cost to developers to detect and enforce anti cheating. If a hotel can charge you extra for trashing a room after you checked out, a game company should be able to charge you for trashing a game.
When you buy a multiplayer game to play and compete against other players according to the game rules laid down by the developer, there's injury done to players who a
Re: (Score:2)
>I'd rather that games have stronger and legally enforceable financial penalties for those that cheat,
Classify cheating as 'unauthorized access to computer systems' and go after cheaters under cyber trespass laws. That can involve jail time.
The corporate argument for this (quite justifiably, for once) can be the financial harm they suffer from cheaters driving away customers who are frustrated and unable to use their purchased access as intended.
Re: Bullshit. (Score:2)
VM (Score:3)
QEMU/KVM, GPU passthrough, emulated TPM.
It's the year of the windows desktop on linux for cheaters.
Re: (Score:2)
Cool idea.. But 1. They will add virtual machine detection. Unless you have a way of making that KVM virtualization indistinguishable from a Windows host computer that looks like a Hyper-V VM due to having Hyper-V enabled or virtualization-based-security or WSL.
2 Passing through the GPU to a VM seems impractical.. Since you presumably cannot have your display controlled by two computers at the same time. How are you going to physically control that host after you start the VM then If you have "passed your
Re: (Score:2)
> Unless you have a way of making that KVM virtualization indistinguishable from a Windows host computer that looks like a Hyper-V VM due to having Hyper-V enabled or virtualization-based-security or WSL.
It will take some work no doubt, but it's probably possible. You'd have to twiddle it to evade fingerprinting.
> 2 Passing through the GPU to a VM seems impractical.. Since you presumably cannot have your display controlled by two computers at the same time. How are you going to physically control that host after you start the VM then If you have "passed your GPU over to the VM" ?
Either you use integrated graphics plus a discrete GPU, or just put in a second discrete GPU.
Re: (Score:1)
or webui into the host
Re: (Score:2)
It does seem like there must be some way to tell linux not to initialize a graphical console. I have no idea how to prevent it correctly (some searching around didn't turn up any easy answers) but I've been thinking about this subject for a while because there would be advantages to always using virtualized systems. You could use a USB display to control the underlying system, or some keyboards have little screens on them which you could potentially use to control switching between VMs.
Re: (Score:2)
Cheaters don't really care about whether it's open source, they can just use HyperV with their cheat software loaded in the hypervisor context next to VBS.
Re:VM (Score:4, Interesting)
It's worse than that. They use external hardware to cheat, and people have been doing this for years:
https://youtu.be/RwzIq04vd0M?t... [youtu.be]
(timestamp is for 33:12 if for some reason the link doesn't take you there automatically).
Once your aimbot is running on external hardware, the kernel-level anticheat can't detect it, at least not explicitly.
Re: (Score:2)
TIL... dang, I didn't think pi's or arduino's were powerful enough for real time image recognition.
There's ways to detect this behavior, it could be meta in such a way of looking to see who has installed development tools, visited certain sites, or met other behavioral markers that could flag you as a person of suspicion. Further, in game, randomly showing some test patterns that could trigger the behavior to know what is being automated or not. Otherwise some data analytics on mouse movements and response
Re: VM (Score:2)
Re: (Score:2)
Re: (Score:2)
How are you handling the licensing? I do have a Windows 11 Home license for the machine in question, but I'm assuming the regular license doesn't apply to virtual machines.
Re: (Score:2)
Well first of all, I'm not actually doing this. If games won't run on Linux I just don't play them.
But second, I don't care if the license covers a VM or not. I don't foresee Microsoft going after anyone for running the license they paid for in a VM. There's just no money in it, even if they win. Frankly, I don't see them going after any home users who activate without authorization for the same reason, either. The money is in business compliance shakedowns.
Cheaters gonna cheat (Score:2)
Re: (Score:2)
Choose not to buy (Score:2)
Both the most likely to be effective and the least likely to happen.
Perhaps I have less faith in people's ability to achieve long-term goals at the cost of a short-term inconvenience than I should.
No money (Score:2)
Did they remove it? (Score:2)
So they apologize for it. But did they roll it back?
As a heuristic for quality control (Score:2)
Their game ecosystem is a mess (Score:2)
Given the state of cheat tools.. (Score:2)
.. there is no chance of ever playing a FPS shooter in a fair scenario online, not without private servers we can self moderate. A capture card sent to a secondary PC can run all the cheat software you like, and send positional data back to a mouse.