dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
14220

FF4me
@rr.com

FF4me

Anon

Windows 8 Secure Boot Would 'Exclude' Linux

From The Register:

Computer scientists warn that proposed changes in firmware specifications may make it impossible to run “unauthorised” operating systems such as Linux and FreeBSD on PCs.

Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image derived from a keychain rooted in keys built into the PC. Microsoft is pushing to make this mandatory in a move that could not be overridden by users and would effectively exclude alternative operating systems, according to Professor Ross Anderson of Cambridge University and other observers.

UEFI is a successor to the BIOS ROM firmware designed to shorten boot times and improve security. The framework, a key part of Windows 8, is designed to work on a variety of CPU architectures.

If the draft for UEFI is adopted without modification, then any system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. A signed version of Linux would work, but this poses problems, as tech blogger Matthew Garrett explains.

The upshot of the changes is that considerable roadblocks might be placed in the way of running alternative operating systems on PCs. Anderson describes this as a return to the rejected Trusted Computing architecture – which at that point involved force-feeding DRM copy-protection restrictions – which may be far worse than its predecessor.

Anderson concludes that the technology might violate EU competition law in a rallying call on Cambridge University's Light Blue Touchpaper blog here.

More:
Next-gen boot spec could forever lock Linux off Windows 8 PCs
Will Windows 8 succeed in locking out GNU/Linux?
Windows 8 OEM Specs to Prevent Linux Dual Boot?

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

2 recommendations

JohnInSJ

Premium Member

Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it.

For IT people this would be a feature - they already attempt to lock down corporate PCs as much as possible, this would just be yet another tool in the toolbox.

For someone who wants to go to Frys and build a PC from parts to run linux, they would just select a motherboard that supported any OS.

Seems like the market will easily shake this out as either a great thing, or a bad idea.

Liontaur
Lets Get Boincing Already

join:2001-11-03
Salmon Arm, BC

1 recommendation

Liontaur to FF4me

to FF4me
From my rather limited reading on the subject, it's only OEM computers that would have this limitation. So don't buy a dell or hp or other OEM and you'll be ok. i'm thinking that most (not all by any means) people who are running non-MS OSs are the kind of people who build their own rig anyways. But this is still going to hurt the cause until a workaround is discovered. People can run unsigned code on gaming consoles using various methods so i'm sure someone will figure out how to do it on an OEM computer too.

TuxRaiderPen2
Make America Great Again
join:2009-09-19

1 recommendation

TuxRaiderPen2 to JohnInSJ

Member

to JohnInSJ
said by JohnInSJ:
Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it.

For IT people this would be a feature - they already attempt to lock down corporate PCs as much as possible, this would just be yet another tool in the toolbox.

For someone who wants to go to Frys and build a PC from parts to run linux, they would just select a motherboard that supported any OS.

Seems like the market will easily shake this out as either a great thing, or a bad idea.

ms will FORCE/MANDATE that this be included in all MB's so who's MB will you purchase that doesn't have this feature? And if its not an option to disable via jumper or option in the BIOS? ? ? Which you can bet that it won't be!

This is a clear attack at stopping the spread of Linux to the desktop.

One of the reasons I prefer to purchase parts and build my own, I get what I want, not some limited selection, and I don't pay to support crud I don't use... but if the MB makers are the only ones with the ways to make signed images then, and you can be sure that a certain company will push that...

This has huge implications down the roads for all kinds of hardware... and needs to be cut off now.
TuxRaiderPen2

TuxRaiderPen2 to Liontaur

Member

to Liontaur
said by Liontaur:
From my rather limited reading on the subject, it's only OEM computers that would have this limitation. So don't buy a dell or hp
That would be a pretty big loophole, along with with issues in the supply chain. If it makes it in one place it will spread. Nothing good can come of this for Linux.

FF4me
@rr.com

FF4me to FF4me

Anon

to FF4me
Here's a video which details Microsoft's plans.

Cabal
Premium Member
join:2007-01-21

1 recommendation

Cabal to Liontaur

Premium Member

to Liontaur
said by Liontaur:

So don't buy a dell or hp or other OEM and you'll be ok. i'm thinking that most (not all by any means) people who are running non-MS OSs are the kind of people who build their own rig anyways.

And if you never plan on using a laptop, that will work great.

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

1 recommendation

Maxo to JohnInSJ

Premium Member

to JohnInSJ
said by JohnInSJ:

Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it.

Sure, that's good if you know in advanced that the computer you are purchasing will always only run Windows.
But that's impossible to know, and it creates a huge roadblock to competition. If a Windows user is curious about Linux, then they would have to purchase a completely brand new computer, probably one built from scratch with a MOBO that doesn't have this /feature/, just to see if Linux is a good alternative for them.
This becomes a huge roadblock for any alternative OS, and any user who is interested in pursuing an alternative OS.
I don't think there is any chance of the market shaking this one out. People just buy PCs, they happen to come with Windows on them, as the de facto default, and this move will make the hurdle of them thinking that anything else out there is viable so large that it simply would not be reasonable for them to pursue such an idea. So they won't and the market will keep artificially pushing forward with an unhealthy monoculture.

DigitalXeron
There is a lack of sanity
join:2003-12-17
Hamilton, ON

1 recommendation

DigitalXeron to TuxRaiderPen2

Member

to TuxRaiderPen2
said by TuxRaiderPen2:

[snip]
ms will FORCE/MANDATE that this be included in all MB's so who's MB will you purchase that doesn't have this feature? And if its not an option to disable via jumper or option in the BIOS? ? ? Which you can bet that it won't be!
[snip]

Windows 8 would effectively be phasing out BIOS completely on "Certified" computers and replacing it with UEFI, a different kind of firmware that includes the "Secure Boot" feature, so there wouldn't be a jumper available considering EFI is software-based.

This is largely a move to make computers more of a consumable rather than a system as it will force people who do not like Windows 8 to replace their computers or at least the mainboard to be able to get away from Windows 8 and likely will drive up the cost of non-Windows hardware.

Exodus
Your Daddy
Premium Member
join:2001-11-26
Earth

Exodus to FF4me

Premium Member

to FF4me
I don't have much faith in this being "uncrackable". Apply third-party update, install Linux, receive cookie.

Snakeoil
Ignore Button. The coward's feature.
Premium Member
join:2000-08-05
united state

Snakeoil to FF4me

Premium Member

to FF4me
So is this an attempt by MS to force a standard across that board? That the user experience with win 8 will be a happy one, VS the varied experiences that users had when they installed the older Win OSes on mixed hardware?

If so, then good for MS, for trying to improve user experience. At the same time, I would hope that MOBO makers would still build parts for linux boxes.

Derspankster
Premium Member
join:2003-02-12
Marion, OH

Derspankster to FF4me

Premium Member

to FF4me
Lawsuit City, Part 37?

markofmayhem
Why not now?
Premium Member
join:2004-04-08
Pittsburgh, PA

1 recommendation

markofmayhem

Premium Member

Too much FUD and speculation to cause panic for a user. However, a call to action for development should be realized. A signed PK for Linux with user configured kernel KEK input and bootloaders are a good thing in the future.

Microsoft had it's "BUILD" conference and a keynote speech (video linked to above) was a marketing tool trumpeting higher security. The video is inline with the "fast enterprise adoption" push that Microsoft has placed on Windows 8. "Context" is missing in many articles.

- Windows 8 has an upgrade version. How does one upgrade if the "secure boot" is required for Windows 8 and NO HARDWARE exists today for it? It doesn't... so we know of versions that boot without "Secure Boot".

- The word "required" is used LOOSELY across the sites... "SUPPORTS" is the official term used by Microsoft outside of marketing blitzes. Windows 8 logo certification was the very specific topic of "Secure Boot" when combined with "required", not "will only boot on".

- Only AMI has a prototype working UEFI implementing Secure Boot in Aptio's developer release. Time to market is against Microsoft, not for. The "Secure Boot" version of UEFI, 2.3.1, has NOT been adopted yet and is "optional" in the specifications.

- Mobo manufacturers will sell consumer-retail pieces in "Setup" mode or they won't be able to sell their goods to the public at all: Add your own PK keys! Mobo manufacturers will not abandon their most profitable groups whom use "not Windows 8" OS's: hardware jumper, UEFI user setting, and/or "I'm secure I swear" spoofing in the name of "hybrid" will certainly be commonplace. You don't wake up one day and say "Microsoft is correct, we should stop selling products usable to the 2-3 billion PC users in India, Pakistan, Asia, and Western Europe not to count government, large corporations, and other high-profit consumers (like gamers and hobbyists)". Anti-trust, anti-competition, and general market pressure will be on the side of "options WILL exist".

- This is 100% technically feasible with Linux. Logistics of keys and possible "jail breaks" needed to force the UEFI into setup mode to add the PK will materialize when the need to do so arises.

Is it possible that one day an OEM PC could be purchased that is locked to one version (and COPY) of an OS? YES!

Is it probable? Sorta.... the details lean to no, but this is certainly not something to sit back and "hope". Getting a Linux kernel and bootloader up to speed to support "Secure Boot" should be happening.

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

EUS to FF4me

Premium Member

to FF4me
Disguised anti-competitive tactics extolled as security features.
But I'm no lawyer.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

JohnInSJ to Maxo

Premium Member

to Maxo
said by Maxo:

said by JohnInSJ:

Seems simple enough - don't buy hardware that includes a win8 license you'll never use anyway, if you don't intend to use it.

If a Windows user is curious about Linux,

They can run it in a vm. If they're using a corporate crippled firmware machine, then they were stuck running windows already.

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo

Premium Member

Running an OS in a VM is not a good way to actually experience the OS. The experience is crippled, and does nothing to test hardware compatibility.

FF4me
@rr.com

FF4me to FF4me

Anon

to FF4me
Will Windows 8 block users from dual-booting Linux? Microsoft won't say - by Mary Jo Foley:

I can’t resist a rant here: The Windows team’s decision not to comment on this report is an example of the new communication strategy that Microsoft seems to be instituting with Windows 8: Clarification on any Windows 8 topic — not only features and policies that are still unannounced, but also those that already have been disclosed publicly — apparently will not be provided by anyone from Microsoft in an official capacity. The result: An increasing amount of misinformation about Windows 8 is circulating, and Microsoft is doing little or nothing to correct it.

I understand Microsoft’s increased desire for secrecy around its Windows plans, something company officials began pushing post-Vista. (I haven’t always agreed with the goal, especially when it results in FUD for customers attempting to make rational buying decisions or OEM/ISV partners attempting to build products that work with Windows.) But allowing wrong information to go unchecked in the name of wanting to control the message and the way it is delivered seems like bad business to me….

Ars Technica’s take: "Ultimately, the Windows 8 changes aren’t likely to wipe out Linux dual-boot scenarios, but they could restrict the types of hardware that will allow them."


Ctrl Alt Del
Premium Member
join:2002-02-18

Ctrl Alt Del to FF4me

Premium Member

to FF4me
said by FF4me :

Here's a video which details Microsoft's plans.

In this video a question was asked about dual booting. The Microsoft presenter mentioned that even Windows 7 will not boot with this secure boot functionality either. So you couldn't even dual boot older versions of Windows. He mentioned that secure boot would have to be disabled in the UEFI settings. But UEFI is still in development, so he couldn't fully explain how it will work.

FiReSTaRT
Premium Member
join:2010-02-26
Canada

FiReSTaRT

Premium Member

What I'm worried about is m$ doing a bit of nudge-nude wink-wink with the OEM's so they don't include the option to turn off UEFI. That't should be stupid-easy in comparison with including the winblows tax.

Liontaur
Lets Get Boincing Already

join:2001-11-03
Salmon Arm, BC

Liontaur to Cabal

to Cabal
said by Cabal:

said by Liontaur:

So don't buy a dell or hp or other OEM and you'll be ok. i'm thinking that most (not all by any means) people who are running non-MS OSs are the kind of people who build their own rig anyways.

And if you never plan on using a laptop, that will work great.

Very good point and not one that I had thought of.

El Quintron
Cancel Culture Ambassador
Premium Member
join:2008-04-28
Tronna

1 recommendation

El Quintron to FF4me

Premium Member

to FF4me
Like others have said here, I'm all fine and dandy with building my own Desktop machine but I doubt I'd want to spend the time and effort to "build" my own laptop, so something has to be done so that another OS can be installed on these new machines.

Assuming MS doesn't cooperate, I can predict a few scenarios:

-Win 7 pulls a Windows XP and ends up living 10 years beyond its planned expiry date.

-Hardware manufacturers start releasing "L" series boards where Windows isn't intended to be installed.

-A workaround is discovered within six months, and MS starts another patent litigation against a hardware manufacturer that won't close the loophole.

I don't think this is the end, but it would certainly be an annoying hurdle to deal with.
grunze510
join:2009-02-14
Cote Saint-Luc, QC

grunze510

Member

Let's say the OEM uses a generic motherboard and flashes their own BIOS on it, wouldn't it be possible to flash it with the generic one which would allow you to disable secure boot?

disturbed1
Premium Member
join:2003-09-06
Columbus, OH

disturbed1 to FF4me

Premium Member

to FF4me
Google's CR-48 has the same secure/verified boot feature. Easy to bypass by flashing a new ROM.

El Quintron
Cancel Culture Ambassador
Premium Member
join:2008-04-28
Tronna

El Quintron to grunze510

Premium Member

to grunze510
Sure, but then you have to choose between Win 8 or Linux because this process as currently proposed would exclude Linux, or you couldn't have Win 8 if you disabled the "secure" boot.

It's not very cool if you do most of your stuff on Linux and boot into Windows for work or gaming.

FiReSTaRT
Premium Member
join:2010-02-26
Canada

FiReSTaRT

Premium Member

My biggest issue lies in laptops. It's not like we have a large affordable market for building our own or I would have been doing it for a while now.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena to FF4me

Premium Member

to FF4me
Too much panic guys.

This "feature" is not going to prevent linux users from buying a laptop. I think we are overreacting here.

wmcbrine
join:2002-12-30
Laurel, MD

wmcbrine to FF4me

Member

to FF4me
I'm seeing more Macs in my future... at least they run Unix...

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

Maxo to disturbed1

Premium Member

to disturbed1
The CR-48 was made to make it easy to turn this feature off with a hardware switch.

disturbed1
Premium Member
join:2003-09-06
Columbus, OH

disturbed1

Premium Member

That gets you to dev mode. Then the CR-48 warns you that OS verification is turned off. But it still has the verified boot.

You need to use flashrom to re-flash the CR-48 with a different rom image than that provided by Google. This gives it an Insyde UEFI bios and allows you to do what you want with the laptop.

Should a person purchase a proclaimed locked UEFI Windows 8 PC, they would only need to re-flash the rom image -- if/when this rom image is developed.

FF4me
@rr.com

FF4me to FF4me

Anon

to FF4me
From The H:

Referring to a presentation (PowerPoint .pptx file) at the Build developer conference, Garrett said that all client systems – desktop PCs, notebooks, tablets – with a Windows 8 logo must support UEFI Secure Boot and have this feature enabled. However, the way it is described in this document, the second condition at least isn't necessarily mandatory: it could also be that the function must explicitly be enabled by the computer's owner or administrator. Also, as has so far been the case, most systems with UEFI will probably be able to load an optional Compatibility Support Module (CSM) that allows operating systems to be booted in BIOS mode. This is a prerequisite for installing 32-bit versions of Windows because only the x64 versions of Windows since Vista can be installed in UEFI mode. Microsoft refers to systems that can boot either in UEFI or in BIOS mode as "Class 2" systems; systems without CSM are referred to as "Class 3".

However, the situations that will allow multiple operating systems, where some start in UEFI mode while others start in BIOS mode, to be installed on the same hard disk remain unclear – this will probably make it difficult to install dual-boot systems on notebooks, tablets and other devices that only have one mass storage device. There may be no choice in some circumstances; the Windows 8 mobile computers with ARM SoCs that have been announced will only ever be available as Class 3 devices. On these devices, however, Microsoft plans to increase platform security by allowing only apps from the app store that have been checked and signed to be installed on the Metro user interface.

Another problem when booting alternative operating systems could arise from hard disks that are fully encrypted with TCG Opal or BitLocker, if the boot loader is required to include functions that allow a key to be submitted to a Self-Encrypting Drive (SED).