|
FF4me
Anon
2011-Sep-21 9:10 am
Windows 8 Secure Boot Would 'Exclude' LinuxFrom The Register: Computer scientists warn that proposed changes in firmware specifications may make it impossible to run unauthorised operating systems such as Linux and FreeBSD on PCs.
Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image derived from a keychain rooted in keys built into the PC. Microsoft is pushing to make this mandatory in a move that could not be overridden by users and would effectively exclude alternative operating systems, according to Professor Ross Anderson of Cambridge University and other observers.
UEFI is a successor to the BIOS ROM firmware designed to shorten boot times and improve security. The framework, a key part of Windows 8, is designed to work on a variety of CPU architectures.
If the draft for UEFI is adopted without modification, then any system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. A signed version of Linux would work, but this poses problems, as tech blogger Matthew Garrett explains.
The upshot of the changes is that considerable roadblocks might be placed in the way of running alternative operating systems on PCs. Anderson describes this as a return to the rejected Trusted Computing architecture which at that point involved force-feeding DRM copy-protection restrictions which may be far worse than its predecessor.
Anderson concludes that the technology might violate EU competition law in a rallying call on Cambridge University's Light Blue Touchpaper blog here. More: Next-gen boot spec could forever lock Linux off Windows 8 PCs Will Windows 8 succeed in locking out GNU/Linux? Windows 8 OEM Specs to Prevent Linux Dual Boot? |
|
JohnInSJ Premium Member join:2003-09-22 Aptos, CA
2 recommendations |
JohnInSJ
Premium Member
2011-Sep-21 10:13 am
Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it.
For IT people this would be a feature - they already attempt to lock down corporate PCs as much as possible, this would just be yet another tool in the toolbox.
For someone who wants to go to Frys and build a PC from parts to run linux, they would just select a motherboard that supported any OS.
Seems like the market will easily shake this out as either a great thing, or a bad idea. |
|
LiontaurLets Get Boincing Already
join:2001-11-03 Salmon Arm, BC
1 recommendation |
to FF4me
From my rather limited reading on the subject, it's only OEM computers that would have this limitation. So don't buy a dell or hp or other OEM and you'll be ok. i'm thinking that most (not all by any means) people who are running non-MS OSs are the kind of people who build their own rig anyways. But this is still going to hurt the cause until a workaround is discovered. People can run unsigned code on gaming consoles using various methods so i'm sure someone will figure out how to do it on an OEM computer too. |
|
1 recommendation |
to JohnInSJ
said by JohnInSJ: Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it.
For IT people this would be a feature - they already attempt to lock down corporate PCs as much as possible, this would just be yet another tool in the toolbox.
For someone who wants to go to Frys and build a PC from parts to run linux, they would just select a motherboard that supported any OS.
Seems like the market will easily shake this out as either a great thing, or a bad idea.
ms will FORCE/MANDATE that this be included in all MB's so who's MB will you purchase that doesn't have this feature? And if its not an option to disable via jumper or option in the BIOS? ? ? Which you can bet that it won't be! This is a clear attack at stopping the spread of Linux to the desktop. One of the reasons I prefer to purchase parts and build my own, I get what I want, not some limited selection, and I don't pay to support crud I don't use... but if the MB makers are the only ones with the ways to make signed images then, and you can be sure that a certain company will push that... This has huge implications down the roads for all kinds of hardware... and needs to be cut off now. |
|
TuxRaiderPen2 |
to Liontaur
said by Liontaur: From my rather limited reading on the subject, it's only OEM computers that would have this limitation. So don't buy a dell or hp
That would be a pretty big loophole, along with with issues in the supply chain. If it makes it in one place it will spread. Nothing good can come of this for Linux. |
|
|
FF4me to FF4me
Anon
2011-Sep-21 10:36 am
to FF4me
Here's a video which details Microsoft's plans. |
|
Cabal Premium Member join:2007-01-21
1 recommendation |
to Liontaur
said by Liontaur:So don't buy a dell or hp or other OEM and you'll be ok. i'm thinking that most (not all by any means) people who are running non-MS OSs are the kind of people who build their own rig anyways. And if you never plan on using a laptop, that will work great. |
|
MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL
1 recommendation |
to JohnInSJ
said by JohnInSJ:Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it. Sure, that's good if you know in advanced that the computer you are purchasing will always only run Windows. But that's impossible to know, and it creates a huge roadblock to competition. If a Windows user is curious about Linux, then they would have to purchase a completely brand new computer, probably one built from scratch with a MOBO that doesn't have this /feature/, just to see if Linux is a good alternative for them. This becomes a huge roadblock for any alternative OS, and any user who is interested in pursuing an alternative OS. I don't think there is any chance of the market shaking this one out. People just buy PCs, they happen to come with Windows on them, as the de facto default, and this move will make the hurdle of them thinking that anything else out there is viable so large that it simply would not be reasonable for them to pursue such an idea. So they won't and the market will keep artificially pushing forward with an unhealthy monoculture. |
|
DigitalXeronThere is a lack of sanity join:2003-12-17 Hamilton, ON
1 recommendation |
to TuxRaiderPen2
said by TuxRaiderPen2:[snip] ms will FORCE/MANDATE that this be included in all MB's so who's MB will you purchase that doesn't have this feature? And if its not an option to disable via jumper or option in the BIOS? ? ? Which you can bet that it won't be! [snip] Windows 8 would effectively be phasing out BIOS completely on "Certified" computers and replacing it with UEFI, a different kind of firmware that includes the "Secure Boot" feature, so there wouldn't be a jumper available considering EFI is software-based. This is largely a move to make computers more of a consumable rather than a system as it will force people who do not like Windows 8 to replace their computers or at least the mainboard to be able to get away from Windows 8 and likely will drive up the cost of non-Windows hardware. |
|
ExodusYour Daddy Premium Member join:2001-11-26 Earth |
to FF4me
I don't have much faith in this being "uncrackable". Apply third-party update, install Linux, receive cookie. |
|
|
SnakeoilIgnore Button. The coward's feature. Premium Member join:2000-08-05 united state |
to FF4me
So is this an attempt by MS to force a standard across that board? That the user experience with win 8 will be a happy one, VS the varied experiences that users had when they installed the older Win OSes on mixed hardware?
If so, then good for MS, for trying to improve user experience. At the same time, I would hope that MOBO makers would still build parts for linux boxes. |
|
|
to FF4me
Lawsuit City, Part 37? |
|
markofmayhemWhy not now? Premium Member join:2004-04-08 Pittsburgh, PA
1 recommendation |
Too much FUD and speculation to cause panic for a user. However, a call to action for development should be realized. A signed PK for Linux with user configured kernel KEK input and bootloaders are a good thing in the future.
Microsoft had it's "BUILD" conference and a keynote speech (video linked to above) was a marketing tool trumpeting higher security. The video is inline with the "fast enterprise adoption" push that Microsoft has placed on Windows 8. "Context" is missing in many articles.
- Windows 8 has an upgrade version. How does one upgrade if the "secure boot" is required for Windows 8 and NO HARDWARE exists today for it? It doesn't... so we know of versions that boot without "Secure Boot".
- The word "required" is used LOOSELY across the sites... "SUPPORTS" is the official term used by Microsoft outside of marketing blitzes. Windows 8 logo certification was the very specific topic of "Secure Boot" when combined with "required", not "will only boot on".
- Only AMI has a prototype working UEFI implementing Secure Boot in Aptio's developer release. Time to market is against Microsoft, not for. The "Secure Boot" version of UEFI, 2.3.1, has NOT been adopted yet and is "optional" in the specifications.
- Mobo manufacturers will sell consumer-retail pieces in "Setup" mode or they won't be able to sell their goods to the public at all: Add your own PK keys! Mobo manufacturers will not abandon their most profitable groups whom use "not Windows 8" OS's: hardware jumper, UEFI user setting, and/or "I'm secure I swear" spoofing in the name of "hybrid" will certainly be commonplace. You don't wake up one day and say "Microsoft is correct, we should stop selling products usable to the 2-3 billion PC users in India, Pakistan, Asia, and Western Europe not to count government, large corporations, and other high-profit consumers (like gamers and hobbyists)". Anti-trust, anti-competition, and general market pressure will be on the side of "options WILL exist".
- This is 100% technically feasible with Linux. Logistics of keys and possible "jail breaks" needed to force the UEFI into setup mode to add the PK will materialize when the need to do so arises.
Is it possible that one day an OEM PC could be purchased that is locked to one version (and COPY) of an OS? YES!
Is it probable? Sorta.... the details lean to no, but this is certainly not something to sit back and "hope". Getting a Linux kernel and bootloader up to speed to support "Secure Boot" should be happening. |
|
EUSKill cancer Premium Member join:2002-09-10 canada |
EUS to FF4me
Premium Member
2011-Sep-21 3:45 pm
to FF4me
Disguised anti-competitive tactics extolled as security features. But I'm no lawyer. |
|
JohnInSJ Premium Member join:2003-09-22 Aptos, CA |
to Maxo
said by Maxo:said by JohnInSJ:Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it. If a Windows user is curious about Linux, They can run it in a vm. If they're using a corporate crippled firmware machine, then they were stuck running windows already. |
|
MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL |
Maxo
Premium Member
2011-Sep-21 4:12 pm
Running an OS in a VM is not a good way to actually experience the OS. The experience is crippled, and does nothing to test hardware compatibility. |
|
|
FF4me to FF4me
Anon
2011-Sep-21 4:38 pm
to FF4me
Will Windows 8 block users from dual-booting Linux? Microsoft won't say - by Mary Jo Foley: I cant resist a rant here: The Windows teams decision not to comment on this report is an example of the new communication strategy that Microsoft seems to be instituting with Windows 8: Clarification on any Windows 8 topic not only features and policies that are still unannounced, but also those that already have been disclosed publicly apparently will not be provided by anyone from Microsoft in an official capacity. The result: An increasing amount of misinformation about Windows 8 is circulating, and Microsoft is doing little or nothing to correct it.
I understand Microsofts increased desire for secrecy around its Windows plans, something company officials began pushing post-Vista. (I havent always agreed with the goal, especially when it results in FUD for customers attempting to make rational buying decisions or OEM/ISV partners attempting to build products that work with Windows.) But allowing wrong information to go unchecked in the name of wanting to control the message and the way it is delivered seems like bad business to me
.
Ars Technicas take: "Ultimately, the Windows 8 changes arent likely to wipe out Linux dual-boot scenarios, but they could restrict the types of hardware that will allow them." |
|
|
to FF4me
said by FF4me :Here's a video which details Microsoft's plans. In this video a question was asked about dual booting. The Microsoft presenter mentioned that even Windows 7 will not boot with this secure boot functionality either. So you couldn't even dual boot older versions of Windows. He mentioned that secure boot would have to be disabled in the UEFI settings. But UEFI is still in development, so he couldn't fully explain how it will work. |
|
|
What I'm worried about is m$ doing a bit of nudge-nude wink-wink with the OEM's so they don't include the option to turn off UEFI. That't should be stupid-easy in comparison with including the winblows tax. |
|
LiontaurLets Get Boincing Already
join:2001-11-03 Salmon Arm, BC |
to Cabal
said by Cabal:said by Liontaur:So don't buy a dell or hp or other OEM and you'll be ok. i'm thinking that most (not all by any means) people who are running non-MS OSs are the kind of people who build their own rig anyways. And if you never plan on using a laptop, that will work great. Very good point and not one that I had thought of. |
|
El QuintronCancel Culture Ambassador Premium Member join:2008-04-28 Tronna
1 recommendation |
to FF4me
Like others have said here, I'm all fine and dandy with building my own Desktop machine but I doubt I'd want to spend the time and effort to "build" my own laptop, so something has to be done so that another OS can be installed on these new machines.
Assuming MS doesn't cooperate, I can predict a few scenarios:
-Win 7 pulls a Windows XP and ends up living 10 years beyond its planned expiry date.
-Hardware manufacturers start releasing "L" series boards where Windows isn't intended to be installed.
-A workaround is discovered within six months, and MS starts another patent litigation against a hardware manufacturer that won't close the loophole.
I don't think this is the end, but it would certainly be an annoying hurdle to deal with. |
|
|
Let's say the OEM uses a generic motherboard and flashes their own BIOS on it, wouldn't it be possible to flash it with the generic one which would allow you to disable secure boot? |
|
disturbed1 Premium Member join:2003-09-06 Columbus, OH |
to FF4me
Google's CR-48 has the same secure/verified boot feature. Easy to bypass by flashing a new ROM. |
|
El QuintronCancel Culture Ambassador Premium Member join:2008-04-28 Tronna |
to grunze510
Sure, but then you have to choose between Win 8 or Linux because this process as currently proposed would exclude Linux, or you couldn't have Win 8 if you disabled the "secure" boot.
It's not very cool if you do most of your stuff on Linux and boot into Windows for work or gaming. |
|
|
My biggest issue lies in laptops. It's not like we have a large affordable market for building our own or I would have been doing it for a while now. |
|
maartenaElmo Premium Member join:2002-05-10 Orange, CA |
to FF4me
Too much panic guys.
This "feature" is not going to prevent linux users from buying a laptop. I think we are overreacting here. |
|
|
to FF4me
I'm seeing more Macs in my future... at least they run Unix... |
|
MaxoYour tax dollars at work. Premium Member join:2002-11-04 Tallahassee, FL |
to disturbed1
The CR-48 was made to make it easy to turn this feature off with a hardware switch. |
|
disturbed1 Premium Member join:2003-09-06 Columbus, OH |
That gets you to dev mode. Then the CR-48 warns you that OS verification is turned off. But it still has the verified boot. You need to use flashrom to re-flash the CR-48 with a different rom image than that provided by Google. This gives it an Insyde UEFI bios and allows you to do what you want with the laptop. Should a person purchase a proclaimed locked UEFI Windows 8 PC, they would only need to re-flash the rom image -- if/when this rom image is developed. |
|
|
FF4me to FF4me
Anon
2011-Sep-22 10:44 am
to FF4me
From The H: Referring to a presentation (PowerPoint .pptx file) at the Build developer conference, Garrett said that all client systems desktop PCs, notebooks, tablets with a Windows 8 logo must support UEFI Secure Boot and have this feature enabled. However, the way it is described in this document, the second condition at least isn't necessarily mandatory: it could also be that the function must explicitly be enabled by the computer's owner or administrator. Also, as has so far been the case, most systems with UEFI will probably be able to load an optional Compatibility Support Module (CSM) that allows operating systems to be booted in BIOS mode. This is a prerequisite for installing 32-bit versions of Windows because only the x64 versions of Windows since Vista can be installed in UEFI mode. Microsoft refers to systems that can boot either in UEFI or in BIOS mode as "Class 2" systems; systems without CSM are referred to as "Class 3".
However, the situations that will allow multiple operating systems, where some start in UEFI mode while others start in BIOS mode, to be installed on the same hard disk remain unclear this will probably make it difficult to install dual-boot systems on notebooks, tablets and other devices that only have one mass storage device. There may be no choice in some circumstances; the Windows 8 mobile computers with ARM SoCs that have been announced will only ever be available as Class 3 devices. On these devices, however, Microsoft plans to increase platform security by allowing only apps from the app store that have been checked and signed to be installed on the Metro user interface.
Another problem when booting alternative operating systems could arise from hard disks that are fully encrypted with TCG Opal or BitLocker, if the boot loader is required to include functions that allow a key to be submitted to a Self-Encrypting Drive (SED). |
|