PC makers are being lobbied to install Windows 8 on machines in a way that will afford users the freedom to boot Linux or any other operating system. The Free Software Foundation (FSF) is urging PC users to sign a statement demanding that OEMs which implement Windows 8's UEFI Secure Boot do so in a way that allows individuals to …
Just step back and think for a second:
If MS prevent the installation of OSes other than Windows 8 on OEMed hardware they will
a) Prevent older versions of Windows booting on those machines
b) End up in massive Anti-trust cases in many different areas
c) Piss off corporate users who want the ability to install what they want on their hardware
They will no allow any of these things to happen, if they did the share-holders would require heads to roll at the very top of the company.
"Prevent older versions of Windows booting on those machines"
I think this, more than anything else is Microsoft's plan. The last thing they want is a repeat of the Vista debacle where users buy shiny new machines and then install XP.
And just when did common sense, lawsuits and customer opinions become a guiding force at Micro$oft?
@Red Bren - Corporate users will not tolerate being told the have to upgrade their OS builds and MS know this. Even Vista using corporates will probably be using it for a long time before upgrading. Also, most major corporates on XP will have arrangements to have support from MS for much longer than joe public. MS only stopped supporting NT4 server for rich customers a couple of years ago.
@DL Smith - Common sense or not, having worked for a few major corporates (ranging from 10k to 140k workstations) I know that MS will bend over backwards to accommodate what their major customers want and they do not want to be forced to upgrade their software except on their own terms. Major corporates do, expect to be able to buy new hardware and put whatever version of whatever OS on it they want.
@AC (1st post) you are being naive.
a) Why on earth would MS be interested in older versions of Windows being installed? They want to sell new ones.
b) MS have never been afraid of anti-trust cases because they usually get away with it. They are so blatent I wonder how, but they do. That is what is so "clever" about this - MS can seem to shift the blame onto the PC maker or retailer, certainly enough to convince a non-technical judge or anyone else who wants to believe them.
c) The vast majority of corporate machines just use Word, Outlook, IE and maybe Excel. Many also use apps such as Photoshop, SAP and Sage, which are recognised as mainstream even by MS. No problem there. If you are talking about corporate servers meant to run Apache on Linux or BSD, then this is a niche professional market in which the secure boot password *will* be passed to the buyer.
But it is the "casual" Linux user who will find the barrier raised. Try running a live Linux DVD on a home PC from the high street, just to try it out, and it will probably be blocked. MS hate that sort of thing - it might result in another Linux convert.
@AC ["Err...] Direct contracts between MS and large corporate users will always accommodate particular requirements. As you say they are too valuable to MS. However that is not what this move is aimed at, it is aimed to stop home and small business users using Linux and any other software that MS frowns on, whether malware or simply minority.
I'm not being naive, you can dig all you want for a conspiracy on the part of MS, but the points stand that:
They are not going to annoy their corporate users
They are not going to prevent previous versions of their OS being installed on new hardware
They really aren't up for anti-trust cases, they are enormously expensive, they certainly wouldn't be thanked by their shareholders and when Bill Gates was interviewed about his regrets the first thing he said was "getting sued by your government was a low point" (or words to the effect of).
It's up to OEMs whether to include UEFI or not. It's also up to the OEMs whether to allow users to disable UEFI or not.
• UEFI allows firmware to implement a security policy
• Secure boot is a UEFI protocol not a Windows 8 feature
• UEFI secure boot is part of Windows 8 secured boot architecture
• Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
• Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
• OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
• Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
If you're part of the (proportionate) uber-infinitsiminutiscule portion of the market that uses Linux then it's up to you to chose an OEM that suits your purposes. Linux fanbois are starting to sound like the people blaming McDonalds because they're fat.
Upside after all?
Re: “heads to roll at the very top of the company”
So there would be an upside after all? Ballmer could go balls out finally?
"At the end of the day, the customer is in control of their PC"
So this implies ... a couple of hours of hacking to remove the mark of the beast?
Syren Baran "At the end of the day, the customer is in control of their PC" → #
we will probably have a web site for PC's at http://www.jailbreakme.com
(Disclaimer - I haven't read up on this subject).... but surely if you are technically competent at re-installing a brand new OS (like Linux) onto a machine, then you are technically competent to go into the BIOS/UEFI options screen and disable secure boot? (Assuming the board vendors provide such option).
I'm also curious - are the FSF fundementally opposed to secure boot? What alternative solution are they proposing to thwart this type of attack vector?
Missed the point
Live USBs are intended to make Linux installs as easy as possible. Distributions such as Ubuntu aim to make everyday usage of Linux possible for non-techies.
Having to go into BIOS and 'Disable Secure Boot' would scare off most potential newbies to Linux I'm sure.
I think the concern is that some (a lot?) of PC makers won't bother to include a "disable" option, thus tying the machine to the OS (indeed, one version of one particular OS).
I'm a bit ambivalent about this - MS are correct in saying that they are not mandating that such a "disable" option is not allowed, and that it is up to the hardware manufacturer to provide such an option, should they so wish. I can see their point - all MS are asking for is a facility to be included into the BIOS for their OS (a facility that is and always has been in the UEFI spec by the way - this is nothing new). They are coming under fire because they have NOT mandated the disable option. I think it is a bit unfair to blast MS for this; do we have a go at Ford because they mandate the use of round wheels, but not square ones? There's nothing stopping you from fitting square wheels to their cars, but Ford don't make such a requirement part of the spec and they don't support it, but if that's what you want to do then go ahead; Ford don't care one way or the other (just don't try and claim on the warranty for any damage to the suspension!). It's the same with MS - all they want is for this facility to be made available for their OS (which is not unreasonable). What happens after that they don't care about, and why should they?
Disclaimer - I loath MS as much as the next geek, and I think their software is a joke, but in this case, I think MS are being lambasted for something that they genuinely have no interest in, nor should they have to. Oh yes, I am well aware that MS would be more than happy if no manufacturer included the "disable" option, but that's not the point; the point is, they are not stopping anyone from adding it as far as we know :o)
I don't think they are opposed...
...to Secure Boot (or similar) per se, I think they are opposed to the danger of the ability to update UEFI or disable Secure Boot being missing and the fact that OEMs will ship with only the Windows 8 key pre-loaded.
Not only does this add to the problems caused by the MS Tax, but it also means MS/vendors can force users to have to upgrade their machines by simply changing the keys needed.
(Assuming the board vendors provide such option).
And that of curse is the problem. Why provide something that adds cost with very little benefit, that your competitors won't.
Only if you have that option-- which you may or may not be given. From what I've seen, you won't have that option. FSF opposes this form of secure boot because it's not GPL-compatible... I doubt they'd care if it was, since then they could incorporate it into their software.
"(Disclaimer - I haven't read up on this subject)...."
In this case it might be useful.
"but surely if you are technically competent at re-installing a brand new OS (like Linux) onto a machine, then you are technically competent to go into the BIOS/UEFI options screen and disable secure boot? (Assuming the board vendors provide such option)."
That last part is one of the main points of issue. There is no incentive for the OEM/vendors to include such an option, and there may be some to exclude it (I think even the most paranoia averse readers might concede that there has been pressure applied by certain software vendors to systems manufacturers in the past for other issues).
Also, although it is not necessarily difficult or particularly time consuming, plenty of seemingly obvious/sensible/desirable BIOS options - depending on your interests - took a very long time to appear (if at all) from some BIOS producers. Any extra work which doesn't really *need* to be done will probably not be done.
If, as has been suggested, the requirement to disable secure boot - or to allow some suitably secure way of allowing signature updates to occur - is enshrined in the UEFI specs then most, if not all, of the objections go away.
"I'm also curious - are the FSF fundementally opposed to secure boot?"
No - far from it.
And if your requirement is to have a boot menu so that the user can choose between Windows and Linux?
As I'm reading it, secure boot enabled - LInux cannot boot. Secure boot disabled - Windows 8 cannot boot. Utility of such a system in my environment: zero.
And of course, the last thing one wants to do is to leave the BIOS itself unprotected, for the user to poke at all the other setttings, boot unapproved media, etc. etc.
If it's going to be straightforward for a Linux sysadmin to generate the appropriate certificates from his Linux system (including a custom-patched, modified kernel) and install these certificates into the system BIOS so that Linux can secure-boot, then that's (just about) OK.
I'm also thinking there's a danger that even if this is do-able, it'll take ten minutes per PC, which it won't be possible to automate like the rest of the deployment process because the only way to interact with a BIOS is by prodding its keyboard. Ten minutes times 200 PCs equals most of a man-week.
yes but, but...
Having heard a number of cases of manufacturers trying to refuse warrantee or other things if a PC does not have the original version of windows on it that shipped on it, I think that some manufacturers may actually like a bios that stops purchasers doing it.
If you look at HP; their idea of support is telling you to boot from the restore partition. Getting them to even look at a hardware failure will take hours on the phone, with them insisting that you restore the machine to as new S/W and delete every single item off it.
I think that MS should actually ask the manufacturers to include the "any other OS" option. Just think, if you have to hack it to run Linux on it, a lot of people will do it. If the easiest way is to be able to cut MS keys, then maybe that will happen, and then all MS installs will be just as vulnerable as before.
"... all MS are asking for is a facility to be included into the BIOS for their OS..."
Not quite -- they are asking for the facility to be included AND TURNED ON BY DEFAULT. They are also specifically NOT asking vendors to provide the ability to turn it off. They are very adamant that they will not require that latter feature, even though they could allay everyone's concerns simply by doing so. THAT is what bothers me -- it follows classic MS FUD strategy: don't actually do anything directly wrong, but use market position to imply that as a side-effect of your "completely innocuous" actions, some partners might "inadvertently" do something that restricts your competition -- and make sure not to do anything to prevent those partners from making that "innocent mistake."
More to the point, this facility isn't a feature that the OS can take advantage of. It's a feature that restricts what an OS or other software can do based on its signature (or lack thereof). So MS is NOT asking for something their software can actually use; they're asking for something that they can use to market their software (i.e, touting security). Since the certification program is supposed* to be about verifying ability to run the software and not about marketing, this feature should not really be required for certification.
* Yeah, I know...
"As I'm reading it, secure boot enabled - LInux cannot boot. Secure boot disabled - Windows 8 cannot boot. Utility of such a system in my environment: zero."
Windows 8 can boot with secure boot disabled (but obviously loses the added security of knowing the boot path hasn't been tampered with). If you want to dual boot with an OS that doesn't support secure boot, that's obviously the option you have to go with. If, for example, Red Hat produced a secure boot Linux and the keys were also installed in the BIOS (either manually added or installed by default by the OEM) then you could happily secure dual boot between the two as freely as you want.
This whole thing is a bit of a storm in a teacup. The driving force behind this is businesses who don't want their networks easily compromised by systems being rebooted into an OS they don't have control over, potentially introducing malware into their infrastructure.
VMs are far easier to use for newbies than dualbooting
Seriously - why would you want to force a newbie user through the pain and hassle of a dual boot configuration, when you can give them the freedom and flexibility of Linux in a VM?
Unless it's not really about getting them to use Linux, and it's really about getting them to stop using Windows?
The way that this type of attack can be thwarted is to put a physical switch on the motherboard or hard drive that will not allow the boot record to be modified unless that switch was set.
SB is the least of a Linux noob's worries
If someone was considering installing and operating Linux, rebooting their PC, hitting F12 (or similar) and disabling secure boot will be the easiest part of the process.
They'll have FARRRR more technical things to deal with just to get the OS installed and running than something as simple as changing a BIOS setting.
Then you should learn to read.
Win8 WILL boot if SB is disabled, but it will be unable to validate that its core system binaries haven't been tampered with.
How else will Win8 be able to install and run on a non-UEFI PC (like the Sony Vaio laptop I am sitting in front of running Win8 dev preview today)?
The end user can/should be able to make a choice as to whether or not they want to disable Secure Boot.
This is an OEM issue and has nothing at all to do with Microsoft.
You forget that Windows' boot manager can also easily boot Linux these days. So you'd simply use that to present the user with a menu which he can use to chose from. You'd probably need Grub or Lilo installed onto the partition itself, but even that can be setup so that remains mostly invisible.
May be not...
>MS are correct in saying that they are not mandating that such a "disable" option is not allowed
From the article <snip>However, it seems OEMs are not free to choose how to enable Secure Boot.</snip> <snip>Microsoft said support for UEFI Secure Boot is a Windows 8 certification requirement</snip>
This may control how the "disable" option is implemented, as part of the certification M$ may require that it is enabled by default and require a hardware jumper change or similar to disable and once disabled means the windose 8 will not run.
It doesn't take that much skill to stick a CD in a drive and reboot the computer. It might take a bit more to press Ctrl+Delete at boot up and then type in something like "set EFI_SEC_BOOT 0" and then "nvram update" (or however EFI does things.) Many people who would otherwise be more than capable of installing an alternative operating system will probably avoid an EFI shell or menu for fear of breaking something.
Of course it's a security feature
It secures Microsoft's revenue stream.
Do not buy this Microsoft bullshit...
"OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers."
This is Microsoft's favourite game: claim that they aren't making others do their dirty work for them and that it's really about vendor enthusiasm, while at the same time either offering vendors no choice or even pressuring them to "voluntarily" support such initiatives. There's a long paper trail documenting Microsoft's unethical - even illegal - coercion on vendors.
Meanwhile, everybody still has to buy Windows on the vast majority of computers sold via retail channels because Microsoft points the finger of blame at the vendors when challenged, and points a sharp instrument at them behind the scenes. And, of course, this even affects their existing customers who have to buy the same product over and over again, not to mention people who want a choice of software.
It is high time that Microsoft were actively prevented from using anticompetitive measures, technical or economic, to corrupt the market. Regulators should get off their behinds and unbundle Windows now!
Agreed. I used to work at a local retail/repair shop where we also built new PCs. In theory, we could put whatever OS we wanted on the system, but if we put anything other that Windows on our new-build machines, we would lose our "discount" and any hope of being able to sell the machines at a competitive price (already difficult since we used quality hardware with solid manufacturer's warranties as opposed to the flimsy crap in the big boys' systems).
So... of course you can disobey MS, but you'll go out of business if you do. Unfortunately, they can say they weren't "forcing" us since, in theory, we could do whatever we wanted. In practice, you obey Redmond or go bankrupt....
You should remove your tin-foil hat - I think you're overheating
"It is high time that Microsoft were actively prevented from using anticompetitive measures, technical or economic, to corrupt the market. Regulators should get off their behinds and unbundle Windows now!"
Microsoft operated from 2002 -> March 2011 under DOJ oversight and in compliance with the 2002 DOJ consent decree. The DOJ has kept a close eye on all of Microsoft's business dealings to make sure that it completely changed the way it did business.
OEM's are entirely free to ship machines running Linux if they want and some do. Dell offers Linux as an option on all its servers for example. They used to offer a range of PC's running Linux too but quit that business because NOBODY BOUGHT THEM.
With the razor-thin margins that the OEM's operate under it costs them too much to sell and support PC's preinstalled with free OS'.
El Cid Campeador
Im sorry but thats utter rubbish. The more licences you buy from the distrabution channel the cheaper it is, its bulk ordering, unless your a teir 1/2 distrabution partner you will have very little to do with MS, joe blogs on the corner repair shop will be getting those at standard cost, which has a relitively small margin depending on your supplier, the supplier couldnt care less what you do with it, when you build a PC you just dont give it a windows licence, if the customer wants a windows licence then you sell them an OEM version, the licence states that Windows is now tied to that hardware
if your a large national outlet then your going to be buying in much larger bulk, and its unlikely you will be building those PCs yourself. you need to remember the power of advertising, a simple sticker saying approved to you an I means getting sticker fingers when you pull it off, but to Jo public its a sign of confidance, retailers love this. If mr PC world was willing, there is nothing to stop them punting out Linux boxes, but to the vast majority of jo public, it will mean nothing at all other than confusion over things being "different"
There is no doubt that MS has and probably will do some dodgy things, but there isnt a single company out there that hasnt done something a bit dodgy and this whole thing, as others have said, is just a big storm in a tea cup.
I mean, christ, if MS dumped its $50 Billion in to charities they would be flamed for tax evasion and trying to influence the markets, they are just a big Magnet for hate an flaming an could never do right in the eyes of many
Yes, that would be the same DoJ who suddenly decided after years of litigation that MS were not so bad after all and could be let off with a slap on the wrist.
aka "a few years of DoJ oversight"
This happened about a week after George W Bush moved in to the Oval Office, although that was entirely coincidental I'm sure.
OEMs and BIOS people
Has anyone asked the OEMs and BIOS manufacturers for comment on this issue? Surely UEFI has a configuration system like the old BIOS settings system, and surely there'll be an off setting in there.
A vendor can sell the same hardware twice. Kerr-ching!
A "consumer" board with the ability to update/disable UEFI missing and a "pro" version with them present.
Beyond that the two boards are identical (bar one jumper or something) and they can charge a massive premium for the "pro".
Also, if not providing the feature saves 0.01p, then that feature will no be provided as the monopoly player doesn't need it and will be rather happy to know that the feature is missing.
"Has anyone asked the OEMs and BIOS manufacturers for comment on this issue?"
My understanding is that some have been asked, but none are currently offering any comment (fair enough).
"Surely UEFI has a configuration system like the old BIOS settings system "
One can be constructed, yes...
", and surely there'll be an off setting in there."
..but there-in lies the rub - there is no requirement, or immediately obvious incentive, to add one. The more code you add, and the more options you expose, the more chance you or the user will screw things up and a time-strapped BIOS producer trying to beat all the others to market with a product may not decide it's worth doing. No-one would be to blame in such a situation, some would say, but suddenly you have a machine on which you can't "downgrade" (e.g. Vista->XP) or update the version of Windows installed or, indeed, install anything else.
"suddenly you have a machine on which you can't "downgrade" (e.g. Vista->XP) or update the version of Windows installed or, indeed, install anything else."
In other words the PC becomes a consumer appliance.
Does Europe still give tax breaks on compuers? Would removing such breaks on appliance-ised equipment be a good incentive to keep the platforms open?
In the debate
over M$ control of the OEMs to configure windows 8/uefi keys , I've noticed a rather funny thing
Its not the linux vs m$ fanboy rantings or the obscure technical details, its this scenario
Customer boots windows 8 pc
Customer surfs/ downloads malware designed to root said PC
Customer shuts down PC
Customer starts pc the next day only for it to go 'Bleergh' I've been root kitted
Customer cant start pc at all, loses a days work taking pc to the repair shop.....
Rinse and repeat
How long until said customer takes a hammer to said pc and gets a white box that has linux installed on it/ a Mac ?
let me fix that
Customer starts pc the next day and it ignores the unsigned code.
An since the unsigned code is the boot code...
As OP said. Rinse and repeat.
Very few rootkits are kernel mode
And if you do have one of those this system would actually do you a favour by treating a kernel mode rootkit as a corrupted MBR and forcing you to replace it before you could run the OS.
I am fairly confident that the implementations will be able to fail properly after a corrupted MBR is detected - after all - corrupted or missing MBR isn't exactly new.
"The FSF has also hinted at a boycott on buying Windows 8 PCs"
Don't most of them boycott MS on principle already?
The enamy within
Microsoft's core mission is to KILL Free Software.
Always was and always will be.
They are the enamy of computer users, free software and a free society.
They can NEVER be trusted. This is a wake up call to cumputer users everyware.
Don't sleep walk into slavery. Don't use Micosoft.
Oh and please continue using the MS FUD term Freetard. I would rather be a Freetard than a slave.
I would rather be a Freetard than a slaveTARD.
There is such a thing as equality!
Don't care which computer I use!
Just as long as it has a spell checker! (Is that one or two words?)
Were you raised by the internet?
Or by a Daily Star journalist? You seem to write a different kind of English from the rest of us.
Whilst I agree with all your points...
even a 'Freetard' can and should use a fucking spelling checker and no, I'm not a shill for MS, I've been running only Linux boxes since the late 90's. Your enthusiasm/zealotry is duly noted but please don't make an arse of yourself by misspelling a word as simple as 'enemy'.
To the spelling/grammer fascists
Have you considered the possibility that that OP's first language is *not* English?
Their English is a damned sight better than my Mandarin, Spanish, Portuguese, Urdu or anything else for that matter.
Or ever considered that they suffer from Dyslexia? Not all browsers have spell-checkers to help (not that they may be much help to someone with severe dyslexia).
Or any one of umpteen other possibilities that could be impairing them.
No, guess you didn't. If you feel you must correct someone, then at least be polite about it.
In short: grow up.
A leopard can never change it's spots
Just when you thought it was ok to like Microsoft again, they cannot help but remind us what absolute douche-bags they can be when the mood takes them.
- Updated Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
- Elon Musk's LEAKY THRUSTER gas stalls Space Station supply run
- Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Android engineer: We DIDN'T copy Apple OR follow Samsung's orders