MS denies secure boot will exclude Linux

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs. Unified Extensible Firmware Interface (UEFI) specifications, designed to reduce start-up times and improve security, allow computers …

COMMENTS

This topic is closed for new posts.

Silver badge

Be careful now...

Maybe I'm over-analyzing, but technically speaking it's true what they say. Solely focusing on Linux now: Grub or Lilo can be made to boot from a partition instead of the MBR. The Windows boot manager is capable of activating such a partition.

As such it would always be possible to boot / use Linux while secure boot is in effect and give the owner "complete control".

So be very careful about what is being said here... Because although what they claim may be true, it doesn't take the initial problem away. IMO that is.

6
6
Anonymous Coward

So you'd need to own OS A in order to boot OS B?

17
1
Anonymous Coward

@ShelLuser

Could you please read again what you have written in your post ?

You mean I have to buy Windows 8 and fiddle with its boot manager in order to be able to boot Linux? That will be a price tag of 375 CAD for every copy of Linux and *BSD payable to ... why yes, to Microsoft of course.

You're not over analyzing at all. Au contraire mon ami!

15
3
Silver badge

Missing the point here?

@AC's

THAT is /exactly/ why I say "be careful wrt what is being said".

Yes; booting one OS to boot another; think about this before posting or voting please.

You pick up a new PC; /WHAT/ OS is pre-installed by default ?

So when they say "you have full control" do you really? From their point of view you do (see my comment above) but in reality...

As such my comment: be careful (or mindful) about what is being said. /technically/ they are right, but in the end it doesn't change sh*t for us.

2
3
Bronze badge

Generally when I pick up the parts for a new PC they are in separate boxes and nothing is installed on them other than maybe the firmware.

10
0
Silver badge

@Peter2: Sure, same here. Unfortunately the majority does otherwise, and ironically enough those are the people whom MS will have in mind when they claim that this boot mechanism will still give you "full control".

It's one big scam, they're merely twisting words.

0
0
Silver badge
WTF?

Here Mr OEM have this {brown envelope}

MS OEM Salesman to OEM Purchasing Mgr

"All you have to do is make it impossible to boot anything but Windows on every machine you ship."

OEM rolls over and accepts the incentive.

MS Guy smiles, puts away the loaded 45 and says,

"Now how hard was that?"

35
3
Silver badge

No envelope required

The only thing MS needs is the loaded .45 and that is what they will use - lock out Linux or we stop supplying you with OEM copies of Windows.

They've done it many times before and they'll continue doing it because it's how they run their business.

4
1
Paris Hilton

"can be disabled, if OEMs want"

OEMs probably wouldn't be able to make up their minds about the subject all by themselves / They "sit alone, waiting for suggestions" (RevCo)

0
0

As for those annoying anti-trust suits

MS will just smile and say that the OEMs are the ones who are stifling choice. Nice way to shift liability for your legal indiscretions onto your customers.

1
0
Holmes

Storm in a glass of water. Surely this will just be a setting in your boot-setup screen?

3
14

Comparing the BIOS options on my Abit mobo with those of my Dell work machines :-

If you buy your own mobo, then probably yes.

If you buy a pre-built machine, then possibly not.

11
1
Bronze badge
FAIL

@Dirk Vandenheuvel

Yes, it will. Until it isn't.

6
0

Setting in BIOS

Given that the ability to disable this 'feature' is not a requirement of the spec, then I would expect lots of muscle ($$) being applied to hardware vendors to not include it. Now you might think that having this ability as a requirement would solve any issues, but there is no requirement for accessory makers to ignore the setting, meaning that any fancy new graphics card you buy may require the setting be enabled, effectively shutting out all (*cough*LINUX*cough*) who do not have keys.. and because this CAN be done, and because such action would in effect slowly crush the competition, I'd bank on it being implemented.

3
0
Coffee/keyboard

BIOS option

There is no BIOS option to turn on Intel VT-x bit in Sony VAIO VGN-UX BIOS, and the same is true for many other contemporary VAIO notebooks: SZ, TZ, TX series just to name a few. I suspect the similar story will most probably happen with Windows 8 VAIO notebooks, with no BIOS option to turn off boot signature verification.

4
0

linux users want security too

Linux users also want security. I see TPM as being good for me.

I just want the ability to upload new signing keys, and for the ability to upload a key to be blocked with a physical key that turns a mechanical switch to make an electrical connection.

7
1
Silver badge
Devil

Be careful for what you wish

If you can easily upload your own keys so can any exploit code.

Want to find yourself in the interesting situation where you are not allowed to run a "clean" non-trojaned OS?

Dunno, we will have to go down that route sooner or later and it is a lose/lose in any case where you do not have a "personal" certificate which signifies your ownership of things solid or digital and it is your unalienable right to upload a cert signed by this "ownership" cert into anything you own.

How - that is for standardmongers to figure out.

On the negative side - bye-bye anonymity, it was nice knowing you. On the positive side, anyone trying to define what is essentially a monopoly license can be told to f*** off on two counts:

1. You have the right to upload

2. He has _NO_ technical reason whatsoever to deny this because he can now identify you and your equipment for purposes of commerce.

Every time I think of it, nothing short of this will stop attempts by people like MSFT, Sony and the like to push this through the backdoor. Let's face it - we are going in the direction which Neil Gibbson (Neuromancer) and Peter F. Hamilton (Commonwealth) have foreseen. We might as well bite the bullet and lead there as free people instead of being led on a slaver's chain.

3
2
Bronze badge
Stop

RE: Be careful for what you wish

"blocked with a physical key that turns a mechanical switch to make an electrical connection."

I think that makes it clear - I am yet to see any code able to operate a *mechanical* switch, without use of motors etc (which aren't normally present inside a PC).

6
0
Silver badge

Actually..

I think you mean William Gibson

0
0
Silver badge

"If OEMs want to"?

Really? Just like OEMs can ship with any OS they want, assuming they also want to swallow inflated license costs.

Just like OEMs don't have to "recommend" any particular OS, if they want to swallow inflated license costs.

I would not trust MS in this matter, they are far from impartial and have too long a history of attacking GNU/Linux and F/LOSS in general. If they need to solve this issue, then I suggest two courses of action:

1) Write an OS that does not leap on to the Interwebs and scream "I am open, have at me like a cheap tart! I'll take all comers in any port!"

2) Let OEMs sell a "bolt on" to people who need this kind of control (certain corporates, certified environments etc).

28
2
Silver badge
Thumb Up

re "courses of action"

Fortunately I had just finished my cup of tea when I read your action (1). Brilliant.

1
0
Silver badge
Stop

Yogi Berra was right

"It's like deja vu all over again."

It's not like we haven't already seen this activity on Micros~1's part. Do we really have that short of a memory span?

7
1
Silver badge

MS Partners

"Microsoft has effectively batted the question over to its hardware partners and firmware suppliers."

...who are controlled by Microsoft. MS has long been occupying a central position it does not deserve in the PC market. If it continues to behave in this way, the world might just stop bothering with Microsoft altogether. Which would be bad. Microsoft - please stop controlling and start competing.

18
2
Black Helicopters

Dream on, junior.

M$ has sabotaged every boot manager I have ever had -- from OS/2 on -- this will be no different.

They'll just use the old "you have nothing to hide, do you?" defense, blame it on the manufacturers, and there you go. Every PC will be in any OS you want as long as M$ gets their cut.

On a lighter note, now that world+dog sees this for what it is, they'll back off and look for another port to slip the ol' wazoo into, as people will be looking for the antitrust angle on this now.

Too bad they can't just compete on the merits of their product, rather than resort to dirty tricks -- oh, wait. There *are* no merits. I guess they *do* have to resort to underhanded tactics to move their shite.

1
0
Anonymous Coward

ACPI precedent

It's presumably not Microsoft's fault that motherboards often report incorrect information to non-windows operating systems via ACPI. That's down to the manufacturer too, but for the most part they don't care if it doesn't affect Windows.

6
0

Youngsters

Post talks about the famous and REAL halloween documents where MS was busted talking about using ACPI as a weapon against Linux.

Actually they succeeded for a while, especially bugging home users and portable users.

If you ever heard Linux is not working fine with plug and play, portable setups, that comes from that era.

3
0

Buyer

The buyer should be given the option to enable/disable this option NOT the OEM.

Problem sorted. Damn, I should be the next HP CEO.

18
0
Silver badge

um...am I missing something?

Isn't this just the moving of WGA into the BIOS?

9
1
Silver badge

@WGA

That might be part of the reason, as if you can verify the boot loader, it can then verify the rest of the system* and so stop hacks that check for invalid activation keys, etc.

I don't care about MS screwing its users for non-licensed software; if you want Windows then pay for it. What I do care about is such a system being abused to prevent alternative OSes from running.

Unfortunately if you can bypass the boot check, then you can also bypass all other DRM/license protection steps (given the time to hack the OS components). If MS are only doing this to stop root kits, fine, but I can't see it being very useful (in this context) and open at the same time.

* time-dependent of course, how long to check the signatures of a multi-GB OS installation?

2
0
FAIL

"What I do care about is such a system being abused to prevent alternative OS from running."

Yeah! Because the PC is a well-known "open source" standard that was invented by Richard Stallman!

Oh, wait, no it wasn't.

Why the f*ck aren't GNU / FOSS advocates *specifying their OWN platform* instead of demanding that *commercial entities* do all that stuff on their behalf for no adequately explored reason?

After all, GNU / Linux distros are usually "free as in beer" as well as "free as in speech", and there's Open/LibreOffice to replace MS Office! How hard can it be to compete with a *paid-for* commercial platform?

Twenty years of incessant, childish bickering has resulted in a string of wasted opportunities. Hands up all those who think "open source" is more important than open _standards_? (Hint: 99.99% of computer users cannot read your source code, not least because you can't even decide on a simple set of languages to write it in. Or even whether you should use tabs or spaces!)

The GNU / FOSS community is about to get the wake-up call it has so desperately needed for years. Time to grow up, children. A little less idealism and a little more pragmatism would go a long way.

1
6
Silver badge
Windows

Wrong conspiracy

This might not be MS trying to scupper the use of alternative OSes, although that could be a useful side-effect. More likely, MS want to ensure that Windows users upgrade when MS tells them to, so that Windows 8 doesn't suffer the fate of Vista, i.e. people buy a shiny new PC then install XP.

1
3
Silver badge

Key holder matters

The issue is not the 'secure' boot by verifying the OS, that on its own is good for everyone (Linux, MS, Apple, etc) as it allows protection against pre-boot root kits.

The issue is who decides what can boot.

If the UEFI loader just stops and tells me this has changed, and do I want to accept the new signature, that is fine for me and nothing is lost but I have gained control over unexpected changes to my boot loader. Maybe have a UEFI password so only admin can change it (like current BIOS offer for boot sequence, etc).

Of course, it then makes the whole "security" push rather pointless because, as we all know, asking the (l)user if they want something or not is a recipe for disaster when it comes to security.

Even so, if you can root the OS while running, then you could flash the UEFI firmware to disable this before loading the pre-boot root kit. Also how long until the keys are compromised, as for DVD/Blu-ray/HDCP? It helps of course, but short of a physical switch to disable motherboard updates, it is only a bit harder for the bad guys.

So maybe a mandatory configurable option in the UEFI menu to enable/ask on change/disable would be OK. But on MS' past behaviour I have serious worries about the openness of it all.

4
0
Bronze badge
Angel

hey OEMs, here is specification for you

"If the UEFI loader just stops and tells me this has changed"

Close, except that UEFI has no notion of "changed" - it has a notion of "known signature". And I want actual mechanical switch(es), with no programmatic override of any kind, to allow adding new signatures to UEFI.

So, let's say I'm starting a freshly installed Linux distribution (or freshly built kernel) which happens to use a signed boot image (distribution key or my own). The start screen presents me with a warning about the unrecognized signature of a boot image. My options are:

1. restart

2. *only if RED mechanical switch is enabled* - import signature of that image into UEFI so no further warnings will be displayed. BIOS password will be required (if set).

3. *only if BLUE mechanical switch is enabled* - ignore and boot anyway

4. open BIOS settings (password required as usual) and disable signature check if BLUE mechanical switch is enabled

Another scenario is loading a non-signed boot image (e.g. Windows 7); the start screen presents me with a warning about the absent signature of a boot image. My options are:

1. restart

2. *only if BLUE mechanical switch is enabled* - ignore and boot anyway

3. open BIOS settings (password required as usual) and disable signature check if BLUE mechanical switch is enabled

BIOS options required - just one:

1. skip signature check if BLUE mechanical switch is enabled.

No such BIOS option: "import new signatures" - enabled via RED mechanical switch only

Also no such BIOS option: "ignore check and boot anyway" - enable via BLUE mechanical switch only

Meaning no malware can manipulate these settings, but users with a clue can. Malware could manipulate one BIOS setting (above) but for it to be effective, BLUE mechanical switch must be enabled anyway so (l)user "cooperation" is required.

Clueless masses would only be able to boot from a valid signed image, but anyone versed will be able to install any signature into UEFI or disable the check completely. This should also work for corporations since skipping the check would involve opening the box or a BIOS password; there is support staff to install keys in UEFI initially if required (e.g. on a Linux server or desktop). There is a cost side to installing two mechanical switches, but I think motherboard vendors would love to sell two switches at the cost of $0.02 each for a premium of $10 (could be done with one, but it makes it ambiguous, which is bad for security, so a smaller premium for the vendor!).

Anyone welcome to use above specification, I claim no rights to it!

2
0
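The RED/BLUE switch policy laid out in the post above can be written down as a small state machine, which makes it easy to check that the two properties the poster cares about actually hold: no firmware setting alone lets an unrecognised image boot, and no setting alone lets a new signature be enrolled. The following is an added example written for this thread, not code from the post, from UEFI, or from any firmware vendor. It simplifies the signature database to a set of SHA-256 image hashes (one of the entry types a real UEFI `db` can hold, so no signature library is needed); the switch names, the BIOS password and the image bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set

# Decisions the start screen can reach for a candidate boot image.
BOOT = "BOOT"
REFUSE = "REFUSE"


@dataclass
class Firmware:
    """Constructed model of the firmware state in the post (not real UEFI code).

    db           - stands in for the UEFI signature database; here a set of
                   SHA-256 hashes of whole images instead of certificates.
    red_switch   - mechanical switch that must be closed to import signatures.
    blue_switch  - mechanical switch that must be closed to boot past a warning.
    skip_check   - the single BIOS option the post allows.
    bios_password - None means no password is set (hypothetical value).
    """
    db: Set[str] = field(default_factory=set)
    red_switch: bool = False
    blue_switch: bool = False
    skip_check: bool = False
    bios_password: Optional[str] = "constructed-bios-password"


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def is_known(fw: Firmware, image: bytes) -> bool:
    """'Known signature' check: the firmware only knows what was enrolled, nothing about 'changed'."""
    return image_hash(image) in fw.db


def password_ok(fw: Firmware, password: Optional[str]) -> bool:
    return fw.bios_password is None or password == fw.bios_password


def enroll(fw: Firmware, image: bytes, password: Optional[str]) -> bool:
    """Option 2 for an unrecognised image: import it into db.

    Requires the RED switch (a physical action) plus the BIOS password if set.
    There is deliberately no BIOS option that does this without the switch.
    """
    if not fw.red_switch or not password_ok(fw, password):
        return False
    fw.db.add(image_hash(image))
    return True


def set_skip_check(fw: Firmware, enable: bool, password: Optional[str]) -> bool:
    """The one BIOS option: 'skip signature check if BLUE switch is enabled'.

    Setting it only needs the password; its *effect* is gated by BLUE at boot
    time, so a setting flipped behind the user's back is inert on its own.
    """
    if not password_ok(fw, password):
        return False
    fw.skip_check = enable
    return True


def decide_boot(fw: Firmware, image: bytes, user_override: bool = False) -> str:
    """Start-screen decision for an image.

    user_override models the user choosing 'ignore and boot anyway' at the
    warning. Every path past the warning requires the BLUE switch; otherwise
    the only remaining option from the post is 'restart'.
    """
    if is_known(fw, image):
        return BOOT
    if fw.blue_switch and (fw.skip_check or user_override):
        return BOOT
    return REFUSE


if __name__ == "__main__":
    fw = Firmware()
    kernel = b"constructed: freshly built Linux kernel image"
    print("before enrolment:", decide_boot(fw, kernel))          # REFUSE
    fw.red_switch = True                                         # operator closes RED
    print("enrolled:", enroll(fw, kernel, "constructed-bios-password"))
    fw.red_switch = False                                        # and opens it again
    print("after enrolment:", decide_boot(fw, kernel))           # BOOT
```

The useful check is the negative one: with both switches open, flipping `skip_check` directly (as malware with enough privilege might) or answering "boot anyway" still yields `REFUSE`, which is the property the post is relying on when it says user cooperation is required.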
C 2
Stop

RE: hey OEMs, here is specification for you

All well and good, but consider that windows has always been and will very likely always have security holes like swiss cheese .. some big enough to sail a cruise ship through.

Oh and BTW has anyone else realized that it is probably a lot simpler to write malware that either steals, or scrambles the 'signature' from Micros~1's bootloader(s). Chaos would ensue.

Which makes this whole UEFI signed bootloader business a big hassle with pretty much zero benefit. In other words just so much fluff.

So why not just use a mechanical/electrical switch to prevent or enable flashing the BIOS? Then at least the motherboard would be secure against the nasties that now re-write the BIOS.

As for windows .. pffft .. just fix it as per usual, it is after all the premier malware distribution software.

2
0
Thumb Down

My 5 year old MoBo has a jumper to enable / disable BIOS updates, and also a "touch" jumper to reprogram the BIOS back to its factory original.

This is not new technology, it's suppressed technology because of cost "engineering" and very very lazy programmers .

If I compile my own Linux kernel, how the heck can I boot it unless a key generator is available, and if it's available and you are running Windows then I expect there will be a hack to alter your opsys and then surreptitiously re-key it.

2
0
IT Angle

"No, no, we're not saying that at all."

"But we're certainly thinking it loudly."

8
0
Devil

Follow the SSL route

The problem with an on/off switch is that you either lose the functionality signature verification offers, or can't dual boot between Windows and anything with an unsigned kernel. During the bootstrap process, the UEFI loader should simply display a message explaining to the user that the kernel is unsigned, with a warning that this may have been caused by malware, and prompt to temporarily accept or permanently store an exception in NVRAM. You could perhaps tie this to an on/off/prompt switch in the UEFI settings.

It's not as if one extra keystroke is going to inconvenience Linux/BSD users when they rebuild their kernels.

1
0
Thumb Up

Question: How often do you boot your own media on other computers? How often you give other people your own boot media?

As long as I can import CA keys (or key signing keys) to any hardware I'm sitting in front of, the system is OK.

It won't help for Windows malware but will make quite a nice duo with my encrypted, SELinux enabled installation.

1
1
Silver badge

How often?

Well, let's see, in the last several months I've booted various family computers from a USB drive several times, and from a CD numerous times as well, to either repair an existing installation or to install something new. I do it quite regularly. A lot of people do it quite regularly. More than enough to make something like this a huge problem.

As for importing keys, surely you can see this renders the entire concept pointless? If you can import keys, so can other people. In that case all you have is a needlessly complicated additional step to getting a working system. It's rather like government bureaucracy in that respect.

2
0
Pirate

Um...

has anyone asked the Firmware vendors if they are likely to include the disable ability in their firmwares? I can see Dell, HP, and Lenovo possibly specifying highly locked-down EFI stuff, but what about the white-box motherboard makers like Abit, Asus, Intel, etc? If the big OEMs like Dell and HP want to lock up their crap then fine, let them. So long as we can still get standard motherboards with this disabled or disable-able, we don't need the OEMs. At least for enthusiast desktops. Server use is another matter entirely.

1
1
Coat

@Pirate Dave

Yes, http://mjg59.dreamwidth.org/5850.html: "we've already been informed by hardware vendors that some hardware will not have this option."

Mine with the list of bastards in one pocket and sawed off shotgun in another

2
1
Anonymous Coward

Laptops are also another matter

Few people who use alternative OSs build their own laptops; they buy Dell, HP, Lenovo, whatever laptops and install their choice of OS. If laptops are locked down, there will be no practical alternative.

2
0
Silver badge

For those hardware vendors intending that some hardware will not have this option I look forward to the EU court cases brought against them on restraint of trade or whatever the appropriate law is that covers this. If the hardware has the ability to have the on/off option then I believe it is illegal to remove it through firmware especially when such a measure prevents the free use of a machine by its owner.

1
0

I'm wondering...

...how bootable recovery and diagnostic software environments will run in this case?

10
0
Bronze badge

Or the utility to load the disk image onto that shiny new drive...

It potentially kills a lot of legitimate system management tools used both by DIY enthusiasts and large commercial operations. Booting from a network image might be workable. Or does the software have to be signed by some central key authority? And is that Microsoft?

5
0
Anonymous Coward

I don't believe a word of it

"Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows." I take it as a backhanded compliment, that someone from Microsoft has implicitly acknowledged the existence of other operating systems that people wish to use, despite their many years of (continuing) efforts to deny us this choice by fair means or foul (mostly the latter).

We're just seeing the "embrace" part of MS' modus operandi here (talk nicely, act in a superficially reasonable manner, sound reassuring, etc.), but if this plan is ever implemented, rest assured that "extend" and "extinguish" will follow as night follows day. And as for "it's the OEMs' choice whether to go along with this or not"... exhibit A: the past twenty years in the PC business. When has a major PC builder (excepting Apple) gone against Redmond's bidding?

Frankly, if someone from Microsoft told me at 10am that it was light outside, I would still take the precaution of finding a window to check for myself. Thirty years of actions speak louder than a morning's words.

16
1
Anonymous Coward

You exaggerate a little bit here..

There will be no extend phase, they will go directly with extinguish.

12
0
Flame

Please read the specs,... !

Just because some OEMs "preload" some keys does not mean you cannot boot unsigned or self-signed code.

The EFI files need to be on an accessible disk (currently most PCs/servers reserve a small FAT partition on the primary drive); the problem lies there, this disc may not be easily encrypted because its contents are needed during boot.

The Windows boot manager is something like "bootmgr.efi".

So "secure" UEFI checks if bootmgr.efi has a valid signature, no more no less. bootmgr.efi is then responsible to check the rest it cares for.

Nobody hinders you to register grub or whatever loader you wish to invoke from within the Windows boot manager, but this step is probably not even necessary.

Loading Linux or another OS is just like installing "grub.efi" which is unsigned. But the UEFI stuff won't really care; it just reports to the OS "booted in insecure mode" if the OS cares to ask. The process is somehow secured with crypto handshaking bla bla so as to avoid fake "booted securely" messages.

If you have a signed grub.efi you go and switch a jumper, go into UEFI, register this new key, reseat the physical presence jumper and good to go. Like the TPM stuff we already know.

Maybe there will be a GUI method like booting your Windows rescue DVD and having control from there.

Remember there are still retail and volume license copies of Windows; how will those be able to install? Don't you think those installs will need some "preparation steps" to enable secure boot?

efishell# trust.efi -add -key -extract windows\bootmgr.efi

or whatever. Certainly nothing to be done by the techy illiterate people.

1
8
Anonymous Coward

@ClueShell - Two aspects to mention here

1. It all depends on what is the default policy for unsigned or incorrectly signed boot-loaders. If it's ALLOW then the whole security concept goes down the drain and if it's DENY then you're toast

2. Getting Grub boot-loader signed is impractical. What if there's a new version/release/patch coming out ? Who is going to take a tour to all OEMs to have it signed again ? What do you do with all motherboards already sold ?

9
0
Anonymous Coward

'currently most pc/servers reserve a small FAT partition on the primary drive'

Well that's screwed it!

When I install _MY_ operating system on _MY_ PC I wipe the hard drive of all partitions; after all it's _MY_ hard drive.

Why should the hard drive and motherboard be linked like this? It's WGA all over again; what if the disc dies or I replace it with a bigger one?

FAIL FAIL FAIL

1
0