Microsoft dragging its feet on Linux Secure Boot fix

The Linux Foundation's promised workaround that will allow Linux to boot on Windows 8 PCs has yet to clear Microsoft's code certification process, although the exact reason for the hold-up remains unclear. As The Reg reported previously, the Secure Boot feature of the Unified Extensible Firmware Interface (UEFI) found on modern …

COMMENTS

This topic is closed for new posts.


"Microsoft has previously denied that Secure Boot is designed to lock Linux out from Windows 8 PCs, but the open source community's ongoing difficulties with UEFI have led many to doubt that claim. The Linux Foundation's latest woes are only likely to add fuel to the speculation."

Much as I detest much of what Microsoft has done, I am reminded of the old adage

Never ascribe to malice that which can adequately be explained by incompetence

30
12

This post has been deleted by its author

Silver badge

Except that a large enough corporation will employ someone incompetent to do a job that they don't want to be done competently.

41
3
Anonymous Coward

Well I'd be tempted to agree with you (hence the upvote). But really, this stinks too much of dominant position abuse for it to be mere incompetence. Maybe I'm too paranoid?

29
1
Silver badge

I've always hated that adage, but I'm sure both incompetent and malicious people love it.

8
0
Anonymous Coward

A couple more old adages...

Fool me once, shame on you; fool me twice, shame on me.

Once is happenstance. Twice is coincidence. Three times, it's enemy action.

The fun part about having all these old adages around is that it's often not until you have the benefit of hindsight that you know which one really fits a given situation.

Between this and the browser ballot screw up I can see how someone could read conspiracy into it. I'm no fan of Microsoft (and not excusing the browser situation either), but it seems to me that it might be a little early to cry foul here. Could be wrong of course...

5
0

Re: A couple more old adages...

I think that a better example of Microsoft's malicious intent would be their old OEM contracts. Many companies were locked into 'agreements' where they were charged a fee for Windows on every machine produced... regardless of whether Windows was installed or not. Other companies were given significant price breaks if they refused to supply any systems without Windows pre-installed.

If the above isn't deliberate abuse of position, I don't know what is. This current issue just smells like a continuation of that policy.

23
0
Silver badge
Mushroom

Not early to cry foul

but it seems to me that it might be a little early to cry foul here.

Given the Microsoft history of dirty tricks going back decades (remember the AARD code? Google it if not), I would say it is not too early.

20
0
Bronze badge

But, it STILL is valid to ascribe fiendishness, I dare say...

"Then there was the problem that the entire process of uploading code to be signed assumes developers are running Windows and using Windows-based tools. Even the file upload window required Silverlight, which ultimately meant there was no way for Bottomley to submit the Linux Foundation's pre-bootloader without loading up Windows 7 in a virtual machine.

Only after Bottomley had completed all of these steps was he able to find out that the code-signing process didn't seem to be working. As of Tuesday, he was still at an impasse."

Ahhh, "Security through obscurity" is alive and well.

This sounds too cunning and devious to be mere incompetence. How can anyone expect ms to go out of its way to ensure that non-ms operating systems, browsers, and applications can smoothly and legitimately obtain, sign, deploy, and maintain working, valid UEFS code?

No, this definitely is fiendishness in play. Otherwise, from ms' perspective, why not just cede the hardware market to anyone refusing to stanch ms' hemorrhaging?

7
0
Anonymous Coward

They know exactly what they are doing

Time for a good kicking and another very large fine by the EU competition commission.

17
0
Silver badge

Re: They know exactly what they are doing

Time for a good kicking and another very large fine by the EU competition commission.

Maybe the fine could pay for the cut in the EU budget that David Cameron is trying to get.

3
0
Gold badge

Never ascribe to malice..

FFS, it's Microsoft. That is BOTH malice AND incompetence - no need to exclude one or the other.

23
0

This post has been deleted by a moderator

Anonymous Coward

Re: They know exactly what they are doing @ alain williams

"Maybe the fine could pay for the cut in the EU budget that David Cameron is trying to get."

Or buy the French Farmers some nice new shiny tractors

0
0
Silver badge

The signed pre-bootloader allows unsigned code to be run. MS don't want to allow OEMs to use the same hardware design for Windows and Linux/Android slabs, it'd cut hardware costs for OEMs and customers would also start to ask questions about why same spec hardware is more expensive if it comes with Windows 8. MS want OEMs all-in or all-out, betting on that they'll decide all-in and lock out the competition.

6
0
Anonymous Coward

Re: Not early to cry foul

Given the Microsoft history of dirty tricks going back decades (remember the AARD code? Google it if not), I would say it is not too early.

I had a variation on that. Windows NT4 refused to do an image copy of a DR-DOS floppy which came with a disk drive.

The Win98 installation would give you no choice but to reformat all disks if it found Linux already on the system too; the solution was to physically disconnect the disk with Linux on it while doing the installation.

1
0

Re: They know exactly what they are doing @ alain williams

Or even better stop forcing tax payers to fund Microsoft in the first place.

All tax payers fund Microsoft whether they like it or not.

And it's things like this that prove they do not allow fair competition - that's the reason we're forced to fund Microsoft through taxes in the first place.

They got their monopoly when there was no viable competition - now Microsoft do their utmost to prevent fair competition - the tactics are fully outlined in the Halloween Documents - UEFI is yet another example of those tactics.

Slowly but surely they are losing their grip though...

3
0

Re: @Tim Parker

"Never ascribe to malice that which can adequately be explained by incompetence"

Microsoft never act in bad faith. Oh no. That never happens.

Let me add a cliche of my own, "those that ignore history...."

I'm not ignoring it - and I'm not saying it's not a deliberate act - however having dealt with them from a development point of view, I know there is sufficient incompetence to act as a very good barrier without them having to actively do anything. They will, without doubt, "take their time" with this signing - but having read the blog post, I'd have a small wager that most of what's happened so far is down to them not knowing their arse from their elbow... only a small one mind.

0
0
Silver badge
Boffin

Never ascribe to malice that which can adequately be explained by incompetence

In the long view, malice is simply a subcategory of incompetence anyway.

1
0

Re: @Tim Parker

I'd have to say then that you're ascribing to Microsoft both malice and incompetence. The best of all worlds.

0
0
Silver badge
Thumb Down

Re: Never ascribe to malice that which can adequately be explained by incompetence

In the long view, malice is simply a subcategory of incompetence anyway.

Only if there's an afterlife. Otherwise if you can make off with a large amount of someone else's money or other valuables, and get away with it until you draw your last breath, then in the long view malice has paid handsomely.

0
0
Bronze badge

RE: Never ascribe to malice that which can adequately be explained by incompetence

Sorry, but I disagree.

This is another one of Microsoft's crude attempts at inflicting DRM on the computing public.

The proof of this will be in 3 to 5 years down the road, as corporate PC's get retired, and hit the resale market. How difficult will it be for a second owner to put whatever O/S on it remains to be seen. I have supposed that, in order to "assist" its hardware "partners", Microsoft went down this shitty road. After all, if an OEM can turn a PC into the equivalent of a throwaway toy, like cell phones have become, then why not profit from planned obsolescence.

It's more like fuck the user.

2
0
Silver badge

Re: RE: Never ascribe to malice that which can adequately be explained by incompetence

"The proof of this will be in 3 to 5 years down the road, as corporate PC's get retired, and hit the resale market. How difficult will it be for a second owner to put whatever O/S on it remains to be seen"

Not sure what you think the difficulty would be. You don't need Microsoft's assistance or any of the original install keys or discs to replace the OS that is on there. You just go ahead and install what you want, turning off Secure Boot if need be. Secure Boot prevents malware from changing what can boot on a PC, not what a physically present user can install.

1
1
Anonymous Coward

Re: RE: Never ascribe to malice that which can adequately be explained by incompetence

Not sure what you think the difficulty would be. You don't need Microsoft's assistance or any of the original install keys or discs to replace the OS that is on there. You just go ahead and install what you want, turning off Secure Boot if need be. Secure Boot prevents malware from changing what can boot on a PC, not what a physically present user can install.

The difficulty is that in the current scheme the root certificate is issued by an untrusted entity. And this cert cannot be substituted for one of choice.

0
0
Silver badge

Re: RE: Never ascribe to malice that which can adequately be explained by incompetence

"The difficulty is that in the current scheme the root certificate is issued by an untrusted entity. And this cert cannot be substituted for one of choice."

Firstly, inability to install your own certificates does not stop anyone from installing a different OS which is what Fatman was concerned about. It merely means that you won't be using Secure Boot. Which is the same as with any PCs today. This is the main point as it fully answers the scenario that Fatman raises in thinking you wouldn't be able to re-sell a PC and put something else on it (you can).

Secondly, you're calling Verisign or the manufacturer such as Lenovo an "untrusted entity", at which point you've taken your security concerns way beyond what the vast majority of users do, to the extent that you're making an equivalent argument to saying you don't trust antivirus software sellers because maybe you can't trust them not to approve something they shouldn't.

But that doesn't

1
1
Silver badge
Facepalm

Re: Never ascribe to malice that which can adequately be explained by incompetence

@Nigel 11.

No, what you've described is a very short view. In classical terms, it's what ethicists call selfish.

0
0

This post has been deleted by its author

Silver badge
Linux

Paranoid?

Just what is in it for Microsoft to not drag their feet on this?

It's exactly what I would have expected from them.

A half-arsed effort to enable a "solution" then ignore any requests for assistance when it all falls apart.

I'm not surprised in the slightest.

28
0
Bronze badge

Re: Paranoid?

You make sense to me, but pull back the tele a little and step into the wide angle. What exactly is the problem for a multi-billion dollar corporation to have people with no alternative to their product? Paranoid, maybe a little. If someone just bought a windows 8 PC today, and today was the first day they tried ANY alternate OS (in this case Linux), they would feel frustrated and probably never try an alternative today. You have to love options, unless you just bought a Windows 8 PC. This whole thing looks like good ol' fashion business to me. Yee Haaaa Cowboy!!!!

By the way, paranoid is just a state of preparation! :-).

1
0
Anonymous Coward

Shocked

I'm shocked, I really am.

Until now I thought MS was perfect.

8
0

It's the season

As easy as it is to ascribe this to malice or incompetence there are two good reasons why the company may be dragging its heels. 1) a major release has shipped so a lot of people denied holidays for a long time are taking them now, and 2) it's US Thanksgiving so not much gets done at a lot of US companies. It's basically silly season from Thanksgiving till New Year. Don't count on max efficiency from a lot of companies who aren't in retail.

1
5
Anonymous Coward

Re: It's the season

No need to blame Thanksgiving or the Win8 release: Microsoft's season is all year round.

11
0
Anonymous Coward

I don't understand, why do the keys come from microsoft and not a universally supported third party that doesn't make operating systems?

How is it remotely legal for this to be allowed to happen?

28
0
Anonymous Coward

Technically the keys don't have to come from Microsoft: you are supposed to be able to install your own keys if you want to (at least on x86).

However, thanks to OEM deals the only keys that come pre-installed when the hardware is shipped are Microsoft's keys. If you want to run Linux "out of the box" without the user meddling with the BIOS settings (sorry, UEFI settings) then the only solution is to use a Microsoft (sub-)key.

14
0
WTF?

"Technically the keys don't have to come from Microsoft: you are supposed to be able to install your own keys if you want to (at least on x86).

However, thanks to OEM deals the only keys that come pre-installed when the hardware is shipped are Microsoft's keys. If you want to run Linux "out of the box" without the user meddling with the BIOS settings (sorry, UEFI settings) then the only solution is to use a Microsoft (sub-)key."

Quoted for truth.

So what's to stop the various linux "manufacturers" (for want of a better word) negotiating with the OEMs to include their keys in the UEFI firmware out of the box? IE, Why does RedHat not engage with the OEMs and provide its key so that Red Hat variants are supported out-of-the-box on certain equipment? Seems a nice way to differentiate your product from the sea of alternatives for your customers.

To me, it looks like this:

* UEFI Secure Boot is an industry option, not a MS technology

* Microsoft want to increase security by leveraging it to prevent rootkits (which all non-MS-fanbois cry about Windows being susceptible to)

* Microsoft spend time and money engaging with the OEM partners to get their keys loaded in by the OEM, and to have Secure Boot enabled by default. This probably takes years and a lot of experimentation

* Linux people cry about this, and expect Microsoft to come up with a solution for them, for free

* ???

Am I missing something?

5
21
Silver badge

"Microsoft want to increase security by leveraging it to prevent rootkits (which all non-MS-fanbois cry about Windows being susceptible to)"

I'm sorry, but have you even looked into the concept of "Secure Boot"? It only signs the bootloader. It won't make your kernel magically secure, it won't make your userspace magically secure. Your Flash-Player and Acrobat Reader will still be as insecure as before. If you previously got drivers into the kernel, it will still work.

Nobody exploits the boot-process. Why? Simply because in order to even get close to it, you already have full access to the file system. You can read out or change the full system.

Again Secure Boot is a misnomer. It's not designed to provide security, it's designed to turn PCs into games consoles. If Secure Boot would be a security advantage, Microsoft would have provided a special "secure" version of Windows for the X-Box where integrators can, for a price, get their software signed and on a disk so they can use the "secure" hardware of that console.

17
6
FAIL

Do what? 'Nobody exploits the boot-process.' - what a load of garbage.

The boot process is exploited by bootkits and some rootkits (TDL4 amongst others) to ensure their malicious code is run before the Windows loader, making removal difficult because often even a format and reinstall will *not* get rid of the malware.

The initial infection happens in userspace, but after that, the malware is triggered on each boot.

Secure boot stops that.

4
0
Bronze badge
Holmes

How about the possibility of some less than scrupulous open-source developer, fed up with the apparent obstruction from Microsoft, discovering the loophole in the system?

History shows us that cryptosystems, and there has to be a cryptosystem at the heart of this, can have flaws that are not apparent to the users, and the people attacking the system don't need to know how it works. There can be a different route from B back to A.

Having said that, it's not easy, but this is going to be seriously attacked by the virus gangs. They want to have rootkits. So might those awfully nice people at Sony. So it would be a bit foolish to get linked to breaking this security, in a head above the parapet sort of way.

0
0
Silver badge

"Why does RedHat not engage with the OEMs and provide its key so that Red Hat variants are supported out-of-the-box on certain equipment?"

Nothing in principle. According to RedHat's statement, they investigated doing this and found that setting up the infrastructure to do all this themselves was too costly and it was cheaper for them to simply licence MS's signing capability.

Incidentally, Secure Boot can be turned off. It's not complicated.

3
0
Silver badge

"I'm sorry, but have you even looked into the concept of "Secure Boot"? It only signs the bootloader"

Not you again, lecturing people on not understanding things when you actually have it wrong yourself. It only signs the bootloader for GNU/Linux because no Linux distribution has fully engaged with Secure Boot, yet. They are using a signed boot loader as a work around to make Linux run on a system that has Secure Boot on it without actually taking advantage of its intended purpose. On Windows, Secure Boot is capable of checking that all sorts of things (i.e. drivers and other modules) are signed before loading.

"If you previously got drivers into the kernel, it will still work."

Only on Linux. On Windows it offers an extra layer of protection.

"Nobody exploits the boot-process"

Lots of malware exploits the boot process. There are whole families of malware that infect the boot process. You plainly have never bothered to actually read up much on this, instead just deciding to talk confidently without actual fact checking.

2
0
Silver badge

"How about the possibility of some less than scrupulous open-source developer, fed up with the apparent obstruction from Microsoft, discovering the loophole in the system?"

Then they would be highly unethical because they would be reducing the security of millions of people.

1
2
Bronze badge
WTF?

"

"How about the possibility of some less than scrupulous open-source developer, fed up with the apparent obstruction from Microsoft, discovering the loophole in the system?"

Then they would be highly unethical because they would be reducing the security of millions of people.

"

No - publicly releasing it without first having spoken to the vendor and given them time to get their house in order would reduce user security. In fact looking for such flaws is going to be done - I'd rather they were looked for by white hats than black.

Things didn't start falling just because gravity had been discovered.

2
0
Paris Hilton

Really?

... thanks to OEM deals the only keys that come pre-installed when the hardware is shipped are Microsoft's keys ...

Is that really so? I had the impression (largely from previous articles on El Reg) that the preinstalled key (certificate) would belong to Verisign, and that this would be a root certificate. Microsoft's certificate would then be a subsidiary certificate to be verified using that built-in root certificate. This is how PKIs are meant to work.

All that any vendor (including Microsoft) would have to do to create a signed image would be to generate their own signing keyset and use that to sign the image. They'd also pay Verisign for a certificate for the public part of that keyset and ship the certificate with the image. The UEFI firmware would then verify the signing certificate using the built-in one, then verify the signed image using the signing certificate, then run the image. It should probably also (at least as an option) flash up a message saying "loading image 'vmlinuz-3.2-generic' signed by 'debian.org'" (or some such, as the case may be) so that the user could see that the image was genuine.

I don't really like the idea of giving Verisign (or any other commercial CA) this much power ... but it's better than allowing any single OS vendor to own the keys.

In a corporate environment I'd expect the BofH to want to be able to change the installed root certificate so that users could only boot images that had been approved and re-signed for use within the organization.

Paris, because she has no clue about any of this, either.

2
0
Anonymous Coward

"So what's to stop the various linux "manufacturers" (for want of a better word) negotiating with the OEMs to include their keys in the UEFI firmware out of the box?"

The fact that MS will tell them that they will lose their status and their MS keys if they try it. That's been their MO for decades now, so unless someone has evidence that they've changed I'd assume that's what they're doing now too.

"Am I missing something?"

Lots. The whole point of this is to lock out competition. That's what MS has been about from the days of Windows 1. Apparently you've missed not just an episode but the whole of seasons 1-7 and consequently are unable to follow even the basics of what's going on. Perhaps some boxed sets for Xmas?

6
2
Anonymous Coward

"Then they would be highly unethical because they would be reducing the security of millions of people."

Not if it means they move off Windows. Everyone's a winner in that case.

1
1

> * UEFI Secure Boot is an industry option, not a MS technology

Yes that is always what they do - they keep their monopoly not by playing fair and competing fairly, they hijack existing standards (hey might as well let some other bugger do the hard work) then use their monopoly position to prevent fair competition.

0
0
Silver badge

"Not if it means they move off Windows. Everyone's a winner in that case."

So your ethics says it's okay to jeopardize people's security because you should be able to punish people for not choosing the OS you think they should?

1
2
Facepalm

Secure Boot can be turned off ... BUT ...

Once you do, if you boot up a Live CD, say, Linux Mint 13, and try to install a dual boot, Linux does not recognize Windows 8 (nor any of the numerous partitions on the hard drive) as a valid operating system. How then to set up a dual-boot system?

0
0
Silver badge

> So what's to stop the various linux "manufacturers" ... negotiating with the OEMs

Contracts with Microsoft.

If OEMs want to keep their discounts then they do exactly what MS tells them.

1
0

Call me a cynic, but I rather think that secure boot *might* stop that is likely a more accurate view of what happens.

0
0
