back to article Red Hat engineer renews attack on Windows 8-certified secure boot

A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems. Unified Extensible Firmware Interface (UEFI) specifications are designed to offer faster boot times and improved security over current …

COMMENTS

This topic is closed for new posts.

Page:

  1. Tom 15

    Eh?

    Surely people should be arguing with mobo manufacturers, not Microsoft. You can't really expect them to require a feature that isn't in their interests. Mobo manufacturers will want to give the option to turn it off as it requires no work from them and makes their boards more valuable.

    1. Nuke
      Meh

      @ Tom 15

      That is a bit naive. MS will pressurise manufacturers NOT to allow the feature to be turned off.

      MS have massive power over device makers. Their threat is to withdraw discounting the cost of Windows to OEM PC makers who need to buy copies in bulk. No mainstream PC maker can stand up to that threat. In turn, that threat goes back to component makers.

      And it is no good the mobo maker building in a disable switch (hardware or code) because the PC maker would not pass it on to the end user if MS demand otherwise. The PC maker could disable any hardware switch by solder link; and a code could simply be binned after they have installed Windows.

      From then on that PC will boot nothing except that copy of Windows.

      1. frymaster

        MS isn't stupid

        "MS will pressurise manufacturers NOT to allow the feature to be turned off"

        That would leak in about half a second, and trigger a new round of EU _AND_ US antitrust penalties. They don't want that.

        1. Nuke
          Meh

          @ Frymaster

          Loads of damning things have "leaked" out of Microsoft, from the Halloween documents years ago to their blatent stuffing of Standard Committees with their "partners" in the OOXML affair.

          But they are still here and they still carry on.

          Because most people (politicians especially) worship them as untouchable tin gods.

          1. Goat Jam
            Mushroom

            Microsoft

            They are the second most evil company in the world (after Monsanto)

            You are correct, things that would be fatally damning for most other companies are constantly made public about MS and they continue on unchecked.

            On the exceedingly rare occasion that they get prosecuted for something they simply throw a few "free" Windows + Office" licenses at education institutions in the complaining jurisdiction and their troubles magically disappear.

            The US won't touch them because the US has only 2 industries of any worth left, Tech and pop culture media.

            These are the only things that the US still has the ability to sell to the world, and it is no coincidence that these two industries are given complete freedom to screw everyone over in order to maintain their dominant positions in their respective markets.

            Should MS, Oracle and Apple fall along with the MPAA and RIAA members then the USA would be truly irrelevant to 95% of the planet.

            I'm sure politicians are aware of this and thus they allow them to get away with anti-consumer practices across the board in order to retain their relevance in world markets.

            All is not lost however because it is a negative strategy and ultimately negative strategies fail.

            Despite their best efforts to use hostile litigation and anti-competitive lock-in strategies to keep at the top of the heap, eventually others will come along who offer better products with less pent up antagonism directed at them.

            People increasingly come to resent being harassed, dictated to and having their choices removed for the benefit of corporate profiteers in another country.

            People no longer *like* Microsoft, or their products. They associate them with boring jobs, and having to wait for ages while the crappy slow corp PC they have on thier desk reboots after a crash . Even longer for patch tuesday, not that they know what patch tuesday is.

            Microsoft and Windows are not cool. There is no "wow, I must get the new Windows phone" factor and the few remaining OS fanboys out there are not enough to sustain the corporation that is the size of the Beast of Redmond. Most of the OS fanboys have the ability (and willingness) to pirate their copies of Windows Ultimate anyway.

            If they do manage to achieve what they are trying to do with this latest lock-in gambit then they will just cause even greater dissent from their existing customer base and increase the rate of user defections to other forms of computing, such as tablets and such.

            The thing that killed the netbook was MS and Intel trying to dictate to the OEMs what they could and couldn't build. In their arrogance they just assumed that everybody had no choice but to purchase PC's, and by creating a set of artificial limitations they could force people to purchase PC's with a more expensive processor and OS just so they could get what they actually wanted, which was a bigger screen.

            Of course this strategy failed spectacularly and simply left a gaping hole in the market in which Apple promptly shoved the ipad to great success.

            If MS succeed in their aims they will just push more people to purchase things other than PC's.

            In fact, it is intel who should feel most scared by this. If MS succeed in tying Windows to x86 hardware then it will be the ARM vendors who come in to take up the slack.

            I'm yet to be convinced that MS will be successful in their efforts to port their full Windows + Office stack to ARM so ARM makers would have no incentive to yield to MS threats and lock their hardware to Windows.

            Even if MS do succeed in getting Windows on to ARM, I doubt very much that most of the ARM vendors would be silly enough to listen to such threats anyway as it would mean cutting off what is currently 100% of their market in order to sell in a new market (Windows) which is completely unproven to this point.

            MS will fail. Every time they try one of the tricks that worked for them in the 90's they will find that those tricks no longer work in the more mature market of today.

            They remind me of Bart Simpson on that episode where Lisa was using him as a psyche test subject and the electrified cupcake.

            Hmmm, cupcake, OUCH!!!

            grrrr

            Hmmm, cupcake, OUCH!!!

            grrrr

            Hmmm, cupcake, OUCH!!!

            grrrr

            1. Field Marshal Von Krakenfart

              @Goat Jam

              Given that MS, Oracle, Apple, Intel and a host of other companies operate from non-'merkin tax havens, and that a significant portion of merkin businesses are owned by OPEC companies/countries, and those that arn't have outsourced most manafacturing to the far east it would seem that apart from supplying the world with petro-dollars, that the USA is truly irrelevant to 95% of the planet, aprt from the bits that it's bombing, invading, suberting or proping up the puppet goverment.

            2. Barracoder
              Paris Hilton

              And the prize for Most Egregiously OTT Comment goes to....

              "Microsoft - They are the second most evil company in the world (after Monsanto)"

              Really.

              Paris, because she's hOTT.

              1. goats in pajamas
                Alert

                Top 10

                Somebody has to be the most evil company in the world or the second most, because both evil and companies exist.

                Microsoft have become Mafia like - they extract protection money from people selling other OS's, extort funds from Public Budgets for "licences", tell lies to Government Inquiries and so on.

                Such behaviour is evil. You could also call it stupid, greedy, shallow, destructive, anti-social. Evil's just a convenient catchall term.

                But Microsoft surely are up there with the worst of them.

                Not sure about No2 my self. I think the makers of mines and depleted uranium weapons are a tad worse.

                But they all cause a great deal of poverty of opportunity and shortness of funds.

          2. llewton

            true in the united states of america.

        2. llewton

          rest assured there will be legal action in europe if this goes through.

          -- with or without leaks and "pressure".

          microsoft are threading very thin ice here.

    2. AdamWill
      Stop

      "mobo manufacturers"

      you do know that, er, most consumers don't buy motherboards, right? they buy computers. and it's a bit difficult to build your own laptop, never mind tablet.

      1. Goat Jam

        You do know that

        "mobo's" are where the BIOS is physically located?

        Of course, being the genius that you so obviously are you are also aware that the ODM's (ie Dell, Packard Bell et al) of this world do not actually make their own motherboards.

        How it works is that OEM's make the motherboards on the behalf of the ODM's (sometimes to their designs, sometimes not) so my use of "mobo manufacturers" is broadly intended to include all manufacturers of all motherboards.

        But then I'm sure you knew that, seeing that you are a genius and all.

        All that semantic crap aside, I have no idea what your point is here. You say "it's a bit difficult to build your own laptop, never mind tablet.".

        This is in fact quite true. In fact I'm not sure how you came to the conclusion that I thought it was otherwise? Are you perchance responding to somebody else's post?

        1. Anonymous Coward
          Anonymous Coward

          Oh look...

          Goat Jam has gone on a large anti-Microsoft rant, full of factual inaccuracies and paranoid assertions, that's out of character.

  2. Field Commander A9
    FAIL

    Bullshit

    Users are always in control: if you don't like a locked down computer, just don't buy it! Simple!

    1. BristolBachelor Gold badge
      Joke

      "if you don't like a locked down computer, just don't buy it! Simple!"

      It's your choice. Where would you like your Etch-a-sketch laptop delivered?

      (It's the only non-locked-down laptop now available after nobody complained about the 2012 MS corruption of hardware manufacturers)

    2. John G Imrie

      Do you know

      How difficult it is to buy a PC without windows on it?

      Now tell me which OEM is going to jeopardize their Microsoft discount by not installing this feature?

      1. Mike Pellatt
        Linux

        Do you know...

        Now tell me which OEM is going to jeopardize their Microsoft bribe by not installing this feature?

        There, fixed that for you.

      2. Field Commander A9
        Go

        Simple

        Go to your local computer shop and let them make you one from standard parts. Or just DIY your own, since all you need to make a common PC is case+MB+CPU+RAM+graphic card+HDD+monitor+KB+mouse+speakers......I mean, just how hard can it be for an average El Reg reader!?

        Much cheaper than any OEMs and no software pre-installed!

        1. asdf
          FAIL

          umm

          So DIY includes putting together your own PCB mother board now too eh? This might have been possible in mid 70s with soldering skills but not so much today. The issue is on the motherboard bios not all the other components.

          1. Ramazan
            Mushroom

            @asdf

            Best of all would be to force (by law, of cource) OEMs to ship BIOS/EFI source code _and_ build environment with every MB they sell.

        2. Hugh McIntyre

          Re: simple

          You make your own laptops?

          Simple for a desktop, not so much for a laptop...

          Plus even home-made desktops generally start with a motherboard which already contains BIOS, etc.

        3. Tom 35

          Build your own laptop?

          Lets see you build your own laptop...

        4. diazamet
          FAIL

          And for a laptop????

    3. h 2
      FAIL

      @Field Commander A9

      In the same way no one bought copies of "locked down" DVD's

  3. David Austin

    This could all be fixed in a simple way; The Unified EFI Forum could mandate in the UEFI Specification that SecureBoot can be toggled on or off. Bonus points for mandating a way for end users to upload their own signing keys.

    The first could be possible - I think there's enough different voices in the EFI Forum to power this through. I can see the second option being more of a problem, but at least then Power users will have the tradeoff option for potentially allowing rogue bootcode against installing any OS they wish to use.

    To be honest, it's not Microsoft abusing this that I'm too worried about; Apple have a track record of playing the walled garden game, and their mac hardware already use EFI to boot - I can see them jumping at using this to lock other Operating Systems off their hardware.

    If this goes through as planned, good luck trying to install Linux on the 2013 Macbook models....

    1. Red Bren
      Windows

      Bootcamp?

      Apple are happy for you to run other OSs on their hardware. They even provide tools and drivers. What they object to is you running OSX/iOS on anything other than their hardware.

      1. Anonymous Coward
        Anonymous Coward

        I like Bootcamp and i like Apple hardware...

        but I haven't managed to get AROS running on one yet.....

    2. This post has been deleted by its author

      1. Field Marshal Von Krakenfart
        Devil

        "This most likely requires re-seating a jumper or something similar to assert "somebody is really physically at the hardware"."

        Why do you assume this will be a hardware reset, my suspicion of mickeysoft would say it is going to me more like connect to the interweb and then phone the premium line, have all your licence keys handy....

        "so anything signed with Microsoft keys loads up on your new machine"

        Including MS genuine (dis)advantage, mickeysoft DRM, etc.

        There seems to be a simple solution to all this, don't but MS.

      2. Ramazan
        Megaphone

        @ClueShell

        I have read the spec you mentioned. These your statements are wrong:

        "The spec mandates that there must be a method to clear the platform and enter 'Setup Mode' again if the keys are lost. This most likely requires re-seating a jumper or something similar to assert 'somebody is really physically at the hardware'."

        What's said there is different from your version:

        27.5.2 Clearing The Platform Key

        The platform owner clears the public half of the Platform Key (PKpub) by calling the UEFI Boot Service SetVariable() with a variable size of 0 and resetting the platform. If the platform is in setup mode, then the empty variable does not need to be authenticated. If the platform is in user mode, then the empty variable must be signed with the current PKpriv; see Section 7.2 for details.

        This means that once platform is in "user" mode with MS keys, you're screwed.

    3. henrydddd
      Linux

      pure greed plain and simple

      From an engineering standpoint, this who concept of a secure boot can be handled from a hardware change. If you have a switch ether on the motherboard or a jumper on a hard drive that when set, the mbr cannot be written. In the early 90's, motherboards had a bios switch which (in the bios setup there was on option of lot letting the Master Boot Record to be updated), when set would accomplish almost the same thing (like not letting malware update the mbr). I often was thwarted in installing an operating system when the words "an attempt to update the master boot record has been made" and I would ether have to go to the bios setup screen or answer a question "do you wish to proceed?". Some might complain that malware might reflash the bios, but a switch on the MB or disk drive would eliminate that worry.

      Considering how MS, Apple and others have attacked Linux, and Andriod, it should be painfully obvious that MS is using this approach to totally control the user. MS does not want a repeat of their mobile phone falling off the map. If you are a Windows user, you might just ignore this, but you also might have a few problems installing Windows 9 on a computer with Windows 8.

  4. ez2x
    Linux

    Checkmate, freetards!

    Says billg

    1. llewton

      shareholders are curious

      with microsoft bleeding billions all over the place, will this attempt be worth the anti-trust fines, and the reversal/adjustment of policy that will be required of the company.

  5. Anonymous Coward
    Anonymous Coward

    Common sense...

    Just a little application of common sense:

    If MS force this, it will mean that you can't install any of their older OSes on new hardware.

    MS aren't stupid, they realise that there is a massive market in running their older OSes on new hardware, therefore they're not going to make hardware manufacturers prevent the end user from diabling. More than likely they will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc.

    1. Anonymous Coward
      Anonymous Coward

      or

      they would just force you to upgrade. Not sure they really want anybody to still be running XP into the next decade.

    2. Nuke
      Unhappy

      @ 1st Post AC - You've missed the point

      Wrote :- "More than likely [Microsoft] will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc."

      Crickey, you've managed to miss the point of this. Why the heck would MS want to do that? They want to SELL Windows 8, not let users get away with using XP or Win 7 for longer.

      And of course, MS want to lock out Linux and BSD from PCs.

      They wont get away with this nasty trick in the professional and server market (where it will be the USERS who "force hardware manufactures to include a switch [or the key, whatever]"). What it would stop though is the private user, having bought a PC from the high street, installing Linux - or just giving it a try. MS hate the private user doing that.

      Basically, this is part of MS wanting to turn the PC into a media platform, like a TV or phone, all on MS software and out of the users' control.

      1. Anonymous Coward
        Anonymous Coward

        Being a bit realistic

        Microsoft's main customers are corporate desktop users and corporate server users. Most of these companies require to change hardware on an approximately 3 year depreciation cycle. They don't however replace their OS builds in anything like this period. Typically you'll see most corporate users skiping at least one major version of the OS, certainly in desktop. In the server market, there are still a huge amount of W2003 servers, some W2000 servers and still some companies with a bit of NT4, mainly on up-to-date hardware. If the majority of customers are on W2003 - a nearly decade old OS, how long before they upgrade to server 8? The upshot of this is that if no facillity to disable secure boot is available, MS will seriously annoy all of their major customers.

        I repeat myself: It's not going to happen.

        1. Anonymous Coward
          Anonymous Coward

          Oh really

          "Most of these companies require to change hardware on an approximately 3 year depreciation cycle."

          That must be why I have posted this comment using IE6

          1. Anonymous Coward
            Anonymous Coward

            @AC 1602

            Read you post again, you make exactly my point:

            *Hardware* is replaced on a fairly regular basis.

            *Software* is replaced much less frequently.

            Therefore new hardware without the ability to switch off safeboot would be MS shooting themselves in the foot by alienating their corporate customers.

        2. frymaster

          Disagree

          All this means is that CORPORATE MANUFACTURERS will include such the "disable secure boot" toggle - they'd be stupid not to. That says nothing about the rest of the market, especially the pre-assembled end of it (I suspect consumer retail motherboards to be likely to support disabling it; OEM ones, _maybe_ not)

    3. cloudgazer

      'If MS force this, it will mean that you can't install any of their older OSes on new hardware.'

      You can't use existing builds of those OSes no, but there's nothing stopping MS producing a signed version of XP and making it available to enterprise clients. It will screw consumers trying to run old OSes, but mostly MS doesn't believe you have a valid license to your old OS anyway - except running on the old hardware it came with.

    4. CheesyTheClown
      FAIL

      Windows 8 will boot on old hardware, just not be certified.

      This is a requirement of the certification program for Windows. It has nothing to do with which machines Windows 8 will or won't run on. It has to do with requirements being met before you can put a Windows 8 Certified sticker on your box...

      Don't get carried away over nothing.

  6. DrXym

    So anticompetitive

    MS would love to pretend this is all about stopping malware. It might stop malware as a side effect but the real intent is stop consumers removing / rooting / jailbreaking their computers, especially tablet PCs.

    I think the issue is going to be difficult to resolve though. The traditional PC world is colliding head on with tablets which are more consumer devices. Should users be able to flash their devices in all circumstances? If I buy a Microsoft branded tablet, or one "designed for Windows 8", why should I even expect to be able to run any another OS?

    My own feeling is that Microsoft should do the right thing here and change their specs so desktop form factors must NOT use boot loader encryption by default, and tablet form factors submit all keys and device serials nrs, hardware ids to an independent key escrow service and provide a simple tool where consumers can feed their serial nr into their computer and receive an unlock code.

    At the end of the day it would avoid a lawsuit and I doubt they have much to worry about a significant percentage of people doing it anyway.

    1. Ken Hagan Gold badge

      "If I buy a Microsoft branded tablet, or one "designed for Windows 8", why should I even expect to be able to run any another OS?"

      Because it's your tablet.

      Obviously the vendor doesn't have to make it easy, but we're not talking about that here. We're talking about the vendor taking additional steps in order to make it difficult.

      1. DrXym

        That isn't the point

        Yeah its your / my "Windows" tablet. It was designed for Windows and it does what is says. Microsoft is under no obligation to make it easy for you to remove the OS it was designed to run. I'm sure it would be hackable, but MS isn't going to make it easy.

  7. Anonymous Coward
    Anonymous Coward

    Err...

    "...he end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC..."

    What a load of paranoid nonsense. Does Garrett really think that MS are going to try to prevent people from upgrading their PCs? It's just not going to happen, if anything there is the issue that they'd end up with another anti-trust case on their books and they really don't want to end up there again.

    1. DrXym

      The problem

      Is people aren't thinking this through here. People look at Windows and think traditional PCs. Except Windows 8 isn't just for traditional devices any more. It's going to appear on tablets and other devices which are ostensibly "closed". What do you think the chances are that you can uninstall Windows from a tablet? Or from some hybrid device? Or even an ultrabook?

      Basically Microsoft will push it as far as they can go and manufacturers will facilitate them. Maybe your existin PC will never use the feature but that is no guarantee going forward for new hardware. The likes of Dell et al might decide stupid users don't need the choice in consumer models or they might sell you the key to unlock your own machine.

      There are so many worrying possibilities for this that people should be seeking action now, or Microsoft should be doing something in good faith to fix things before it reaches boiling point.

    2. Tomato42
      Unhappy

      First they come and made preinstalled OSs. I did not oppose for I did not use the MICROS~1 OS.

      Then they come for signed bootloaders. I did not oppose for I was given ability to disable enforcement (with sirens and flashing screen).

      Later they came for hardware replacements...

      It's conditioning, testing how much we can take, little by little.

      1. Anonymous Coward
        Anonymous Coward

        @Tomato42

        Don't liken Microsoft to the Nazis, just don't ok? If you don't know why not, you may want to speak to a few jews or homosexuals and gypsies from the time. They are very hard to comeby for some reason.

    3. AdamWill
      WTF?

      welcome to 2004

      "What a load of paranoid nonsense. Does Garrett really think that MS are going to try to prevent people from upgrading their PCs?"

      They, er, already do? You know that WGA is tied to hardware, right? And if you change too many components in your system Windows decides it's a whole new system and requires you to call up Microsoft and plead with a phone droid to give you an exception?

Page:

This topic is closed for new posts.

Other stories you might like