23

Mobile phone makers always lock their device's bootloader - that is, they prevent you from getting root access to your device, or uninstalling the default operating system and installing something else. There are ways to unlock the bootloader, but you have to jump through hoops to get it done (difficulty varies by brand, up to being impossible).

Meanwhile, the bootloader of a PC always comes unlocked. You can insert a USB stick into a brand new device (no extra steps required) and install whatever you want. I do not own Mac devices so I may be wrong, but I heard that Mac bootloaders aren't locked either; that's why Asahi Linux is possible.

It makes every sense for PC makers (and Mac if I'm correct?) to lock the bootloader just as phone makers do, i.e., to control what software could be run on their devices and thus maintain market share. Why don't they? It makes even less sense when many PC brands also make phones, but their PC comes with the bootloader unlocked while the phone is locked. Why is there this disparity?

  1. Are there financial incentives for companies to keep their PC's bootloaders unlocked (e.g. corporate customers)?

  2. Are there legal requirements that PC bootloaders must not be locked (e.g. antitrust laws)?

2 Answers

4

When using devices which need to be accredited to security standards, due to the sensitivity of the data being processed, there are guidance documents about how to apply device security (aka locking down the device). As well as the Secure Boot in the other answer, you may need to also consider TPM and DMA protection. E.g. the UK NCSC Device Security Guidance - Choosing devices includes:

Devices that are Modern Standby certified must meet all the requirements for UEFI secure boot and ship with it enabled. They should not have ports that allow DMA access and will have TPM 2.0 or later.

A TPM is a separate cryptographic co-processor that provides hardware-backed security features. These significantly improve the physical security of the device, and are required for the use of data at rest encryption in its most secure configuration. Devices that include a TPM 2.0 should be preferred where possible.

Since some device lockdown is operating system dependent, e.g. to support data at rest encryption BitLocker is used for Windows vs. LUKS/dm-crypt disk encryption for Ubuntu, I can understand why the PC manufacturer supplies unlocked devices.
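A Linux-side check for the three controls this answer names (UEFI Secure Boot, TPM 2.0, DMA protection), as an added example that is not part of the original answer or the NCSC guidance. The sysfs paths are standard kernel interfaces; treating populated IOMMU groups as the DMA-protection indicator and the `make_sample_tree` helper are assumptions of this example.

```python
import os
import struct
import tempfile

# EFI global-variable GUID; efivarfs exposes SecureBoot under this file name.
SB_VAR = "sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def secure_boot_enabled(root="/"):
    """True/False from the SecureBoot variable; None if absent (legacy BIOS) or unreadable."""
    try:
        with open(os.path.join(root, SB_VAR), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    if len(raw) < 5:  # efivarfs layout: 4-byte attributes, then the 1-byte value
        return None
    return raw[4] == 1

def tpm_major_version(root="/"):
    """Major TPM version reported by the kernel (1 or 2), or None if no TPM is exposed."""
    try:
        with open(os.path.join(root, "sys/class/tpm/tpm0/tpm_version_major")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def iommu_active(root="/"):
    """Assumed proxy for DMA protection: the kernel has placed devices in IOMMU groups."""
    path = os.path.join(root, "sys/kernel/iommu_groups")
    return os.path.isdir(path) and bool(os.listdir(path))

def audit(root="/"):
    tpm = tpm_major_version(root)
    return {"secure_boot": secure_boot_enabled(root), "tpm2": tpm is not None and tpm >= 2,
            "iommu_active": iommu_active(root)}

def make_sample_tree(sb_value=1, tpm="2\n", groups=("0",)):
    """Constructed fake sysfs tree so the checks can be exercised offline."""
    root = tempfile.mkdtemp()
    for rel, data in ((SB_VAR, struct.pack("<IB", 0x6, sb_value)),
                      ("sys/class/tpm/tpm0/tpm_version_major", tpm.encode())):
        os.makedirs(os.path.dirname(os.path.join(root, rel)))
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    for g in groups:
        os.makedirs(os.path.join(root, "sys/kernel/iommu_groups", g))
    return root

if __name__ == "__main__":
    print(audit())  # reads the live /sys on a Linux host
```

A `secure_boot` value of `None` means the variable could not be read, which on a real host usually indicates a legacy BIOS boot or an unmounted efivarfs rather than Secure Boot being switched off.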

1

There are many different levels of "why". From a practical perspective, your phone is in your pocket or purse and is unlikely to acquire any peripherals. In other words, it has poor physical security and won't need to power anything new on boot. Since every decision about security is also a decision about user convenience, tight security on the phone's boot loader makes a lot of sense.

Conversely, your PC is likely behind a physical lock (at your home or business) and has many "upgradeable" parts which may need to be powered after you install a new video card, a new drive, more RAM, etc. The security tradeoffs here are different - there is value for the user to tinker and there is a higher expectation of physical security.

user121330