A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems. Unified Extensible Firmware Interface (UEFI) specifications are designed to offer faster boot times and improved security over current …
Just a little application of common sense:
If MS force this, it will mean that you can't install any of their older OSes on new hardware.
MS aren't stupid, they realise that there is a massive market in running their older OSes on new hardware, therefore they're not going to make hardware manufacturers prevent the end user from disabling. More than likely they will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc.
they would just force you to upgrade. Not sure they really want anybody to still be running XP into the next decade.
@ 1st Post AC - You've missed the point
Wrote :- "More than likely [Microsoft] will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc."
Crikey, you've managed to miss the point of this. Why the heck would MS want to do that? They want to SELL Windows 8, not let users get away with using XP or Win 7 for longer.
And of course, MS want to lock out Linux and BSD from PCs.
They won't get away with this nasty trick in the professional and server market (where it will be the USERS who "force hardware manufacturers to include a switch [or the key, whatever]"). What it would stop though is the private user, having bought a PC from the high street, installing Linux - or just giving it a try. MS hate the private user doing that.
Basically, this is part of MS wanting to turn the PC into a media platform, like a TV or phone, all on MS software and out of the users' control.
Being a bit realistic
Microsoft's main customers are corporate desktop users and corporate server users. Most of these companies require to change hardware on an approximately 3 year depreciation cycle. They don't however replace their OS builds in anything like this period. Typically you'll see most corporate users skipping at least one major version of the OS, certainly in desktop. In the server market, there are still a huge amount of W2003 servers, some W2000 servers and still some companies with a bit of NT4, mainly on up-to-date hardware. If the majority of customers are on W2003 - a nearly decade old OS, how long before they upgrade to server 8? The upshot of this is that if no facility to disable secure boot is available, MS will seriously annoy all of their major customers.
I repeat myself: It's not going to happen.
"Most of these companies require to change hardware on an approximately 3 year depreciation cycle."
That must be why I have posted this comment using IE6
All this means is that CORPORATE MANUFACTURERS will include such a "disable secure boot" toggle - they'd be stupid not to. That says nothing about the rest of the market, especially the pre-assembled end of it (I suspect consumer retail motherboards to be likely to support disabling it; OEM ones, _maybe_ not)
'If MS force this, it will mean that you can't install any of their older OSes on new hardware.'
You can't use existing builds of those OSes no, but there's nothing stopping MS producing a signed version of XP and making it available to enterprise clients. It will screw consumers trying to run old OSes, but mostly MS doesn't believe you have a valid license to your old OS anyway - except running on the old hardware it came with.
Windows 8 will boot on old hardware, just not be certified.
This is a requirement of the certification program for Windows. It has nothing to do with which machines Windows 8 will or won't run on. It has to do with requirements being met before you can put a Windows 8 Certified sticker on your box...
Don't get carried away over nothing.
Read your post again, you make exactly my point:
*Hardware* is replaced on a fairly regular basis.
*Software* is replaced much less frequently.
Therefore new hardware without the ability to switch off safeboot would be MS shooting themselves in the foot by alienating their corporate customers.
This could all be fixed in a simple way; The Unified EFI Forum could mandate in the UEFI Specification that SecureBoot can be toggled on or off. Bonus points for mandating a way for end users to upload their own signing keys.
The first could be possible - I think there's enough different voices in the EFI Forum to power this through. I can see the second option being more of a problem, but at least then Power users will have the tradeoff option for potentially allowing rogue bootcode against installing any OS they wish to use.
To be honest, it's not Microsoft abusing this that I'm too worried about; Apple have a track record of playing the walled garden game, and their mac hardware already uses EFI to boot - I can see them jumping at using this to lock other Operating Systems off their hardware.
If this goes through as planned, good luck trying to install Linux on the 2013 Macbook models....
Apple are happy for you to run other OSs on their hardware. They even provide tools and drivers. What they object to is you running OSX/iOS on anything other than their hardware.
Again, go read the specs,... !
UEFI_2_3_1_Errata_A.pdf (September 2011) states clearly
27.5 Firmware/OS Key Exchange: creating trust relationships
There is 'Setup Mode' no keys loaded and 'User Mode' platform has been initialized.
The spec mandates that there must be a method to clear the platform and enter 'Setup Mode' again if the keys are lost. This most likely requires re-seating a jumper or something similar to assert "somebody is really physically at the hardware".
there is a distinction between platform (meaning uefi services) and other keys (operating systems, applications)
and the "windows key" is of the latter type. meaning if the platform key is known, and it should be known to the owner of the machine. any count of additional operating system keys can be added.
why Microsoft insists that their keys are included is simple. How many seconds are you clean with windows xp on an unsecured internet line? code red worms? they rightfully assume windows 8 is not secure and have the image "factory" secured with the key.
OEM will init UEFI / TPM with random "platform" keys and add the Microsoft Trust Root to this store, so anything signed with Microsoft keys loads up on your new machine. If you're paranoid and clear UEFI and the TPM you'll need to reinstall windows from DVD or follow some security reinstatement method.
since the UEFI specs upholds YOU ARE the platform owner you can change keys as you wish.
but you have the burden to reinstate all keys needed afterwards if you desire the protection of the secure boot method.
"This most likely requires re-seating a jumper or something similar to assert "somebody is really physically at the hardware"."
Why do you assume this will be a hardware reset, my suspicion of mickeysoft would say it is going to be more like connect to the interweb and then phone the premium line, have all your licence keys handy....
"so anything signed with Microsoft keys loads up on your new machine"
Including MS genuine (dis)advantage, mickeysoft DRM, etc.
There seems to be a simple solution to all this, don't buy MS.
pure greed plain and simple
From an engineering standpoint, this whole concept of a secure boot can be handled from a hardware change. If you have a switch either on the motherboard or a jumper on a hard drive that when set, the mbr cannot be written. In the early 90's, motherboards had a bios switch which (in the bios setup there was an option of not letting the Master Boot Record to be updated), when set would accomplish almost the same thing (like not letting malware update the mbr). I often was thwarted in installing an operating system when the words "an attempt to update the master boot record has been made" and I would either have to go to the bios setup screen or answer a question "do you wish to proceed?". Some might complain that malware might reflash the bios, but a switch on the MB or disk drive would eliminate that worry.
Considering how MS, Apple and others have attacked Linux, and Android, it should be painfully obvious that MS is using this approach to totally control the user. MS does not want a repeat of their mobile phone falling off the map. If you are a Windows user, you might just ignore this, but you also might have a few problems installing Windows 9 on a computer with Windows 8.
I like Bootcamp and i like Apple hardware...
but I haven't managed to get AROS running on one yet.....
I have read the spec you mentioned. These statements of yours are wrong:
"The spec mandates that there must be a method to clear the platform and enter 'Setup Mode' again if the keys are lost. This most likely requires re-seating a jumper or something similar to assert 'somebody is really physically at the hardware'."
What's said there is different from your version:
27.5.2 Clearing The Platform Key
The platform owner clears the public half of the Platform Key (PKpub) by calling the UEFI Boot Service SetVariable() with a variable size of 0 and resetting the platform. If the platform is in setup mode, then the empty variable does not need to be authenticated. If the platform is in user mode, then the empty variable must be signed with the current PKpriv; see Section 7.2 for details.
This means that once platform is in "user" mode with MS keys, you're screwed.
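The Setup Mode / User Mode distinction that the comments above argue over is visible on a running Linux machine through the firmware's `SecureBoot` and `SetupMode` variables. The following is an added example, not part of the original comments; it assumes the Linux efivarfs layout (a 4-byte attribute word followed by the payload) and the UEFI global-variable GUID, and its sample byte strings are constructed.

```python
import struct
from pathlib import Path

# Assumptions (not from the thread): Linux efivarfs layout and the UEFI
# global-variable GUID under which SecureBoot and SetupMode are published.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a 4-byte little-endian
    attribute word; the variable's payload follows.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected payload {data!r}")
    return data[0] == 1


def platform_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Summarise key-enrolment state from the two raw variables."""
    setup = flag(setup_mode_raw)
    return {
        "mode": "setup" if setup else "user",
        "secure_boot": flag(secure_boot_raw),
        # Per the 27.5.2 text quoted above: an empty PK write is accepted
        # unauthenticated in setup mode, but must be signed with the
        # current PKpriv in user mode.
        "pk_clear_needs_pkpriv_signature": not setup,
    }


def read_live_state():
    """Read the running machine's state; None on non-UEFI or non-Linux."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None
    return platform_state(sb, sm)


# Constructed samples: attributes 0x6 (boot-service + runtime access),
# ordered as (SecureBoot, SetupMode).
SAMPLE_USER_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    print("constructed user-mode sample:", platform_state(*SAMPLE_USER_ENFORCING))
    print("constructed setup-mode sample:", platform_state(*SAMPLE_SETUP_MODE))
    print("this machine:", read_live_state())
```

A machine reporting `mode: user` with `secure_boot: False` has keys enrolled but enforcement switched off in firmware setup, which is the toggle much of this thread is about.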
Surely people should be arguing with mobo manufacturers, not Microsoft. You can't really expect them to require a feature that isn't in their interests. Mobo manufacturers will want to give the option to turn it off as it requires no work from them and makes their boards more valuable.
@ Tom 15
That is a bit naive. MS will pressurise manufacturers NOT to allow the feature to be turned off.
MS have massive power over device makers. Their threat is to withdraw discounting the cost of Windows to OEM PC makers who need to buy copies in bulk. No mainstream PC maker can stand up to that threat. In turn, that threat goes back to component makers.
And it is no good the mobo maker building in a disable switch (hardware or code) because the PC maker would not pass it on to the end user if MS demand otherwise. The PC maker could disable any hardware switch by solder link; and a code could simply be binned after they have installed Windows.
From then on that PC will boot nothing except that copy of Windows.
MS isn't stupid
"MS will pressurise manufacturers NOT to allow the feature to be turned off"
That would leak in about half a second, and trigger a new round of EU _AND_ US antitrust penalties. They don't want that.
Loads of damning things have "leaked" out of Microsoft, from the Halloween documents years ago to their blatant stuffing of Standard Committees with their "partners" in the OOXML affair.
But they are still here and they still carry on.
Because most people (politicians especially) worship them as untouchable tin gods.
They are the second most evil company in the world (after Monsanto)
You are correct, things that would be fatally damning for most other companies are constantly made public about MS and they continue on unchecked.
On the exceedingly rare occasion that they get prosecuted for something they simply throw a few "free" Windows + Office licenses at education institutions in the complaining jurisdiction and their troubles magically disappear.
The US won't touch them because the US has only 2 industries of any worth left, Tech and pop culture media.
These are the only things that the US still has the ability to sell to the world, and it is no coincidence that these two industries are given complete freedom to screw everyone over in order to maintain their dominant positions in their respective markets.
Should MS, Oracle and Apple fall along with the MPAA and RIAA members then the USA would be truly irrelevant to 95% of the planet.
I'm sure politicians are aware of this and thus they allow them to get away with anti-consumer practices across the board in order to retain their relevance in world markets.
All is not lost however because it is a negative strategy and ultimately negative strategies fail.
Despite their best efforts to use hostile litigation and anti-competitive lock-in strategies to keep at the top of the heap, eventually others will come along who offer better products with less pent up antagonism directed at them.
People increasingly come to resent being harassed, dictated to and having their choices removed for the benefit of corporate profiteers in another country.
People no longer *like* Microsoft, or their products. They associate them with boring jobs, and having to wait for ages while the crappy slow corp PC they have on their desk reboots after a crash. Even longer for patch tuesday, not that they know what patch tuesday is.
Microsoft and Windows are not cool. There is no "wow, I must get the new Windows phone" factor and the few remaining OS fanboys out there are not enough to sustain the corporation that is the size of the Beast of Redmond. Most of the OS fanboys have the ability (and willingness) to pirate their copies of Windows Ultimate anyway.
If they do manage to achieve what they are trying to do with this latest lock-in gambit then they will just cause even greater dissent from their existing customer base and increase the rate of user defections to other forms of computing, such as tablets and such.
The thing that killed the netbook was MS and Intel trying to dictate to the OEMs what they could and couldn't build. In their arrogance they just assumed that everybody had no choice but to purchase PC's, and by creating a set of artificial limitations they could force people to purchase PC's with a more expensive processor and OS just so they could get what they actually wanted, which was a bigger screen.
Of course this strategy failed spectacularly and simply left a gaping hole in the market in which Apple promptly shoved the ipad to great success.
If MS succeed in their aims they will just push more people to purchase things other than PC's.
In fact, it is intel who should feel most scared by this. If MS succeed in tying Windows to x86 hardware then it will be the ARM vendors who come in to take up the slack.
I'm yet to be convinced that MS will be successful in their efforts to port their full Windows + Office stack to ARM so ARM makers would have no incentive to yield to MS threats and lock their hardware to Windows.
Even if MS do succeed in getting Windows on to ARM, I doubt very much that most of the ARM vendors would be silly enough to listen to such threats anyway as it would mean cutting off what is currently 100% of their market in order to sell in a new market (Windows) which is completely unproven to this point.
MS will fail. Every time they try one of the tricks that worked for them in the 90's they will find that those tricks no longer work in the more mature market of today.
They remind me of Bart Simpson on that episode where Lisa was using him as a psyche test subject and the electrified cupcake.
Hmmm, cupcake, OUCH!!!
Hmmm, cupcake, OUCH!!!
Hmmm, cupcake, OUCH!!!
rest assured there will be legal action in europe if this goes through.
-- with or without leaks and "pressure".
microsoft are treading very thin ice here.
true in the united states of america.
you do know that, er, most consumers don't buy motherboards, right? they buy computers. and it's a bit difficult to build your own laptop, never mind tablet.
You do know that
"mobo's" are where the BIOS is physically located?
Of course, being the genius that you so obviously are you are also aware that the ODM's (ie Dell, Packard Bell et al) of this world do not actually make their own motherboards.
How it works is that OEM's make the motherboards on the behalf of the ODM's (sometimes to their designs, sometimes not) so my use of "mobo manufacturers" is broadly intended to include all manufacturers of all motherboards.
But then I'm sure you knew that, seeing that you are a genius and all.
All that semantic crap aside, I have no idea what your point is here. You say "it's a bit difficult to build your own laptop, never mind tablet.".
This is in fact quite true. In fact I'm not sure how you came to the conclusion that I thought it was otherwise? Are you perchance responding to somebody else's post?
Goat Jam has gone on a large anti-Microsoft rant, full of factual inaccuracies and paranoid assertions, that's out of character.
Given that MS, Oracle, Apple, Intel and a host of other companies operate from non-'merkin tax havens, and that a significant portion of merkin businesses are owned by OPEC companies/countries, and those that aren't have outsourced most manufacturing to the far east it would seem that apart from supplying the world with petro-dollars, that the USA is truly irrelevant to 95% of the planet, apart from the bits that it's bombing, invading, subverting or propping up the puppet government.
And the prize for Most Egregiously OTT Comment goes to....
"Microsoft - They are the second most evil company in the world (after Monsanto)"
Paris, because she's hOTT.
Somebody has to be the most evil company in the world or the second most, because both evil and companies exist.
Microsoft have become Mafia like - they extract protection money from people selling other OS's, extort funds from Public Budgets for "licences", tell lies to Government Inquiries and so on.
Such behaviour is evil. You could also call it stupid, greedy, shallow, destructive, anti-social. Evil's just a convenient catchall term.
But Microsoft surely are up there with the worst of them.
Not sure about No2 myself. I think the makers of mines and depleted uranium weapons are a tad worse.
But they all cause a great deal of poverty of opportunity and shortness of funds.
shareholders are curious
with microsoft bleeding billions all over the place, will this attempt be worth the anti-trust fines, and the reversal/adjustment of policy that will be required of the company.
Users are always in control: if you don't like a locked down computer, just don't buy it! Simple!
"if you don't like a locked down computer, just don't buy it! Simple!"
It's your choice. Where would you like your Etch-a-sketch laptop delivered?
(It's the only non-locked-down laptop now available after nobody complained about the 2012 MS corruption of hardware manufacturers)
Do you know
How difficult it is to buy a PC without windows on it?
Now tell me which OEM is going to jeopardize their Microsoft discount by not installing this feature?
Do you know...
Now tell me which OEM is going to jeopardize their Microsoft bribe by not installing this feature?
There, fixed that for you.
@Field Commander A9
In the same way no one bought copies of "locked down" DVD's
Go to your local computer shop and let them make you one from standard parts. Or just DIY your own, since all you need to make a common PC is case+MB+CPU+RAM+graphic card+HDD+monitor+KB+mouse+speakers......I mean, just how hard can it be for an average El Reg reader!?
Much cheaper than any OEMs and no software pre-installed!
So DIY includes putting together your own PCB mother board now too eh? This might have been possible in mid 70s with soldering skills but not so much today. The issue is on the motherboard bios not all the other components.
You make your own laptops?
Simple for a desktop, not so much for a laptop...
Plus even home-made desktops generally start with a motherboard which already contains BIOS, etc.
Build your own laptop?
Let's see you build your own laptop...
Best of all would be to force (by law, of course) OEMs to ship BIOS/EFI source code _and_ build environment with every MB they sell.
And for a laptop????
Surely a simple solution would be inclusion of a jumper somewhere. If the jumper is not set (default) then only a digitally signed OS will boot.
Change the jumper & when booting the firmware pops up a message to state 'unsecure boot' or whatever then carries on.
Only people who have an idea what they are doing will open up the chassis & start meddling with jumpers. You need hardware access to the machine to change the jumper so no nasty virus can change the setting.
The warning screen lets anyone who has had their machine physically hacked know that something is up with it.
Seems like a simple solution, but I can't imagine it's in the best interests of M$ to do so.
On the other hand they could be staring down another anti-trust if they're not careful.
I agree that for the great unwashed, anything which stops them getting infected is a good move. Although convincing them to install something other than windows would probably do far more good than a locked down BIOS!
A physical link would be a little annoying, a BIOS switch would be enough. There are already ones for protecting the boot sector, so alongside that would seem to be a perfect place.
But this *must* be written into the spec from the beginning.
It is a little amusing that whilst M$ are going round trying to lock people into their OS, Android mobile phone manufacturers such as HTC are being forced to open theirs up due to the sheer pressure from handset owners.
@ Random Noise
Wrote :- "Only people who have an idea what they are doing will open up the chassis & start meddling with jumpers."
You don't know many people do you?
"Secure Boot" allows you to boot a signed but insecure Operating System.
"Insecure Boot" allows you to boot an unsigned but secure OS.
Most Linux people do. Also, corporations who use Linux have people who can read a motherboard manual and set a switch
That's the greatest irony.
They are fighting a problem that is at best rare in the wild (I never dealt with a boot-time malware and I've cleaned tens of viruses from computers of other people) while doing hardly anything to fight the real problem: insecurity and instability of their own OS.
"most linux people do"
that's an interesting misconception. Apart from those who actually work directly on hardware, I've found most software engineer types don't, as a general rule, know any more about hardware than many other people who use computers. I know plenty of people in the industry who buy all their systems from Dell. Or, hell, Apple.
How can it be a microsoft anti trust?
They only said secure boot was required for windows 8 certification. They didn't tell your favourite motherboard supplier Y to not allow you to disable it. So how can they be held liable?
MS just give discounts based upon the % of systems supplier makes to win8 logo specifications, (which includes the os preloaded, so you linux guys can go rot nyahhh!)
Microsoft is the good guy here (we've got the best/most lawyers and they say so), go take your complaints up with brand X, with not supplying you.