A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems. Unified Extensible Firmware Interface (UEFI) specifications are designed to offer faster boot times and improved security over current …
ability to install extra signing keys
Surely the compromise with all of this is to give the end user the ability to either switch it on/off, or install additional keys? This is no different to the way some operating systems come with a firewall installed, which the end user can either disable or customise - e.g. set up their own port rules - based on their needs. It's just a layer of security that can be customised.
We have to remember that for the vast majority of people (not Reg readers, but everyone else!) whether this can be switched on or off will probably never be an issue.
Or would people still have a problem for this if it was switched on by default with the ability to turn it off or amend it somehow?
@ Andy 103
Wrote :- "Surely the compromise with all of this is to give the end user the ability to either switch it on/off, or install additional keys?"
That would be fine; but the fuss is that, as things stand, that is unlikely to happen.
The issue is that Microsoft, which has immense power over PC makers, would be in a position to "encourage" them NOT to provide such a switch, and to throw away the UEFI software keys as soon as Windows 8 has been installed. Then that PC will never be able to run any other OS, ever.
Microsoft are perfectly capable of such skullduggery. It is not in their interest ever to allow any other OS (such as Linux) onto that PC.
Please read about this issue. Any requirement for OEM PC makers to include the function you suggest is conspicuously absent from MS's own proposed requirements for Windows 8 certification (ie to allow a "Designed for Windows 8" sticker).
Linux at purchase
In the past, I've brought PC's with Windows and just resigned myself to paying the windows tax because I know that I can get Linux running later once Windows has succumbed to registry bloat etc and needs to be wiped clean.
In future, I'm going to insist on Linux being installed at the time of purchase because it will be the only to be sure the hardware is usable in the long term and not have any Windows OS on the hardware at the time of purchase, thus saving me the tax - thanks MS.
Upvoted because I agree.
However, the use of the phrase "I've brought PC's" is really annoying. It should be bought, not brought and I don't think you mean PC as possesive either.
They must be joking
So, Linux vendors including Google will have to instruct end user to "disable secure boot" to install their legimate operating systems?
it sounds like "you will have to disable security so you can install our insecure operating system which may even "burn" your brand new equipment"
Ask anyone who did end user/general public support, I am not exaggerating things.
the'll need a "SecureBoot Wizard"
c'mon install brain please.
Microsoft took the highway and used their OEM arm to get their signing root key into every f*king UEFI which is able to load up windows 8, whats wrong with that?
what hinders ubuntu, google, redhat, opensuse to submit their keys? if the OEMs load up 1 key or 6 who cares?
yep problem : all those that recompile their kernel.
It is against GPL
You can't enforce a unmodified Linux to user with a key.
Free software may seem like some kid garage thing to you but it isn't, licenses are very strict. "key" is against the entire idea of open source to begin with.
Seen any DRM containing open source software? You can't since it is impossible.
Wrote : "what hinders ubuntu, google, redhat, opensuse to submit their keys? if the OEMs load up 1 key or 6 who cares?"
The mainstream OEMs would not be bothered to load keys for anything but Windows. All they want is to stick on that "Designed for Windows 8" label.
As someone else here said, their attitude when they build a PC is "Runs Windows, job done".
That is even without the fact that Microsoft is likely to use its power to deter them from allowing keys for other OS's. Just as now, if an OEM sells any PCs without Windows pre-installed they risk losing their bulk puchase deal with MS.
Don't see the issue
If someone buys a Windows 8 PC, they'll do it to run Windows 8. Just like if someone buys an Apple Mac, chances are they'll want to run OSX.
But if you want to run Linux, BSD, AmigaOS, OS2 or whatever on your computer, you'll buy appropriate hardware instead.
This is better as it means you'll not be paying for a Windows License if you're likely to be using something else.
Maybe MS want to copy Apple and sell the hardware as well, maybe they'll sell their OS for £25 too if you buy an MS branded box. I'd welcome this, not sure Dell would though.
But to be able to buy a 'Designed for Linux' branded PC and not have to pay an MS tax would be rather nice.
How many times...
... do people have to repeat this?
Many users install Linux on computers they bought with Windows installed. Sometimes because they like the hardware, sometimes because they happened to get it from eBay cheap, sometimes because they rescued it from a garbage bin.
Those computers are still perfectly usable and they can be recycled by installing Linux. If Microsoft prevents us from doing so, it will harm all users, including my brother who currently has a refurbished laptop that runs Ubuntu and originally came with Windows.
Well, I want a Linux laptop. Find one (that isn't incredibly expensive). Your choice just got massively reduced.
I have a house full of recycled PCs that originally were sold with Windows. They all now run Ubuntu. None run Windows.
Lenovo's business models come with IBM DOS, aka (if you aren't insane) nothing preinstalled.
Funny thing is, I suspect they use the saved money for more than average RAM.
@Matthew and all the other clueless idiots
You don't seem to get it Matthew.
Even if you are one of those fools who actually *like* Windows then this still damages your interests.
The more ability that Microsoft obtains to *force* everyone to use Windows the less pressure there is on them to keep prices at sane levels.
If you have zero choice whether you purchase Windows with every new PC then you can bet your bottom dollar that MS will squeeze you for every cent possible.
This is all about removing choice. Nothing else.
Having less choice means having less freedom. That is always a bad thing, regardless of whether you personally would choose to use Windows anyway.
Microsoft is irrelevant in this argument
It's the OEMs that are going to have to allow disabling of this feature. Many organisations rely on older OS models and the arguments for keeping XP as an option are already pushing OEMs towards backward compatibility.
This requirement for legacy support from medium and large business is why I'm not worried about this. Any decent OEM is going to include an option to disable this just to keep the business.
Why, to obtain Windows 8 certification, would they require additional keys for other operating systems? It is up to the hardware manufacturer, whether they want to add additional keys. Microsoft wants to ensure that shipped PCs are safe and will be delivered without malware installed.
That is a good thing, for 95% of potential private customers.
As to not being able to switch it off, I don't really see many manufacturers not giving that option, given the number of corporate machines and enthusiast machines that are currently downgraded to Windows XP (or Linux).
Thirdly, don't Android smartphone manufacturers already incorporate a similar mechanism in their handsets, to stop them being rooted?
Essentially, this is just a bunch of hot air at the moment, and has nothing specifically to do with Microsoft, they are just taking advantage of an additional security feature, to help ensure that rootkits etc. can't (easily) get onto machines.
Red Hat should be naming the hardware vendors that are taking the lazy route and not planning on having a disable option built in to their hardware. They are the ones at fault, but I guess shouting about Dell, HP or Acer won't get them any sympathy or further co-operation in getting hardware to work well, and Microsoft is always seen as the bogey man.
Buy machine, wipe disk, start to install ubuntu - return PC to store as faulty
Repeat with every machine there...
..... by some of the responses. All the ranting about not being able to do what you want and you still buy from the big box vendors.
If you want control build your own, like I do. It's not hard and the slight cost increase (sometimes it can be cheaper) pays for itself in 2 ways, you get the components you want and you have the lovely 3-5 year warranties on them you don't get from box pushers.
Some crap analogies to help it along, Like buying a Ford then complaining you can't run Nissan's sat nav, buying a washing machine then complaining it breaks your dishes, buying a Yale lock and complaining a Chubb barrel won't fit in it ........
...laptops! How are you going to build your own laptop? If I happen to love Vaios and Linux, because I think the casing is great but hate Windows, what do I do now?
Why should anyone who buys from a big box vendor get shafted? Should old people start building their own machines? Why shouldn't they benefit from Linux? Should I be unable to fix a relative's machine using a rescue disk/thumbdrive? Should all these PCs get dumped after 2-3 years as they're too slow to run the next incarnation and cannot be loaded with Linux?
Please think a little outside your own use-case before posting.
.... bug Sony about it. Bug Lenovo, Acer, Asus, Samsung and all the rest. The requisite is that if you want to ship boxes with W8 on this needs to be enabled. Nothing in there saying there can be an option to turn it off is there.
And before you even think about stating 'normal users won't be able to do that/know that' normal users don't usually have dual boot systems. Despite using Open OS's you boys sure are closed when it comes to thinking about alternatives.
Yes I am a windows fan, it lets me play all the games :P
...is Futile. Prepare to be Billywindowsed.
Getting my jacket, want to get out of this mess of IT.
Couldn't agree more
With all the control-freakery around, IT is starting to suck.
I remember back in the 70s and 80s you could repair your own car with a screwdriver, socket set and pair of multigrips if something went wrong with it. I've ridden in cars where the steering column was held on by a bent coat hanger and had a pair of pantyhose for a fan belt. Cars were simple enough that in a pinch you could cobble something together to at least get it to the nearest garage if things went pear-shaped while you were on the road. In the Australian outback, being able to do that often meant the difference between living and dying.
You can't do that any more. With all the computers, control chips and crap on cars these days, if anything is wrong with it the car simply won't start. Forget bent coat hangers and pantyhose, if a single wire in the convoluted mess that passes for an engine these days is even slightly misaligned, the car will bitch and moan about not being roadworthy. Too bloody bad if you're stuck out in the middle of bumfuck nowhere with no mobile coverage 300 k's from the next nearest human being. You can just roast to fucking death out there for all the car manufacturers care.
Now I see the same thing happening to computers now that happened to cars after the 80s. No user serviceable parts inside. Device must be used only as directed. So what if it's your fucking money? Give it to us and maybe we'll let you have temporary use of OUR device. Not YOUR device. OURS, even if you pay for it. We want to control everything you do with it.
Fuck this. IT is going in a direction I'm beginning to find unpalatable. Maybe I'll go in for carpentry. At least you can still use a hammer and nails the same way I could as a kid.
If Microsoft thought they could get away with it, Torvalds, Stallman et al would be in prison and Linux delcared a "terrorist threat".
If Microsoft were Russian, Torvalds would already be dead.
How many acts of bribery, deceit, bullying, lying and outright thuggery do Microsoft have to be shown to have committed before you stop givnig them the benefit of the doubt?
What benefit of the doubt? There are about three people saying that MS should get the benefit of the doubt, everyone else is ranting their mouth off.
Take off the tinfoil hat, go out, do something less boring instead. The world is not a giant conspiracy and you enjoy life a lot more when you realise it.
maybe i missed the point...
But didnt they say NoeXecute would save the world from rootkits and virii not long ago?
No, no, it was the completely rewritten kernel and security model of Vista.
Isn't this a responsibility of EU and DOJ due to monopoly positions
Microsoft can not require a feature which would block other OS vendors from access to the systems. I would not think that anti-trust laws would allow them to do this and simply saying the OEM can decide is not a solution. If they require something which blocks over OS vendors then they must REQUIRE that feature have the ability to be disabled.
Addressing this after the fact would be too late. Also, are they serious? Using a prototype tablet they had direct hand in and are using for their promos as proof that it's no big deal. Beta hardware and software is not what anyone should trust will be the norm and if you know Microsoft, their betas often look very different from what ships.
>Microsoft can not require a feature which would block other OS vendors from access to the systems.
No but M$ could say look some industrial standards body we bought did it not us.
Has any one here seen a UEFI mother board for an AMD cpu ? So if this goes through like most of you folks think it will it would kill AMD. That would trigger and ant trust action against intel, MS and the MB manufactures/ I know you folks want to believe the worst about MS . That MS has to be evil or it shatters your world view. But stop and think about a few things first. If it goes down like that you will have series of anti trust actions like you have never seen before .
Sorry, Microsoft has been multiply convicted of antitrust behavior. It's not a world view, it's simple empirical evidence.
Or do you keep stepping on a rake because "maybe *this* time it wont hit me in the head!"?
Here's a thought...
"Windows 8 certification does not require that the system ship with any keys other than Microsoft's"
That. is. because. it. is. for. Windows 8.
If OEMs think that compatability with Linux is a valuable for sales, and the Linux community gets off its arse and produces a certifiable OS, then the OEMs will provide keys. I'm sure that they will providing keys for Chrome...
C'mon Linux Community, get off your arses and produce an OS that Microsoft will want to certify!
except that the thing that gets signed is the *bootloader*, not the OS. but thanks for playing.
The bootloader is signed?
How would that work? If your bootloader is signed then you can go ahead and boot any OS?
Including a malicious one?
If it were that easy it would not be a problem.
All that would be required is that the Grub folks get their key out to the motherboard manufacturers and then *anybody* or *anything* could boot whatever they damn well please via grub, including a Grub loaded malware infestation.
Good lord, if you don't have a clue what you are on about then please try and refrain from commenting. All it does is spread confusion.
Lock-in that must be what makes Apple good right?
I can see the rows of MS management desperately trying to find that thing that makes the Apple experience work for so many people (I'm not one BTW) -
"they lock people in, maybe we should do that!", "Yeah lets lock them in -with their wallets OF COURSE (chuckles all round)" , "Hey how about blocking Flash!!! Apple do that!!!!" so it goes on -
Good job you guys! you have identified some of the things other companies do, just not the things that are so innovative, well engineered and efficient that they can get away with that other shit.
Let us know how that works out for you.
Oh stop using Apple example
Apple has been using open firmware for years and they have picked EFI for Intel since they can't be bothered with 80s archaic technology backward compatibility. However, they do some cool tricks to enable end users run competing operating system, windows even including a hassle free live disk partition built into disk utilities framework itself. That is a $50+ tool on Windows.
They even include a freaking Penguin icon inside OS data for end users to pick the right OS when booted with alt key.
In fact, I have seen many Apple engineers help Linux and BSD software authors (especially xorg) to enable their software on Macs.
So, please , using Apple example doesn't work. You guys really don't know the history of Apple and how strict they think when it comes to boot etc. process.
Microsoft are the Cargo Cultists of the IT industry.
Prying the bogged-down UEFI IC off the motherboard is optional.
"Garrett said that Windows 8 certification requires that hardware ship with UEFI secure boot enabled. A feature allowing secure boot to be disabled – necessary to run Linux and FreeBSD on certified systems - – is not required for certification."
Expect new Dell machines with this feature. And the only way to disable it will be with a crowbar or blowtorch applied to the right IC in the motherboard. Maybe not even then.
How is this different from Apple? Isn't it running on windows capable intel chips now? And it only runs windows with boot camp beneath it? What is the catch to run Windows in the bare metal Apple hardware ( not that you would want to do it) ? What about the reverse, why can't they sell Apple OS to x86 PC machines, like all those hackintoshes we hear so much about? If it is really good, then prove it, outselling Windows in x86 PCs. I would try it, at least once.
It seems to me that MS is just copying Apple's strategy of walled garden.
Apply evil icon, pirate icon, fail icon, penguin icon, fanboi icon, windows user icon, eat this icon, wtf icon, the flame icon (because I'm so pissed at the prospect of this feature), all at once. Apply FAIL twice.
Different to Apple Bootcamp?
"How is this different from Apple? Isn't it running on windows capable intel chips now? And it only runs windows with boot camp beneath it? What is the catch to run Windows in the bare metal Apple hardware ( not that you would want to do it) "
Actually all boot camp is is a way of supporting an MBR in a partition on a disk that isn't in DOS partition format combined with a partitioning tool. This is because the Apple boot manager can only boot off of Mac partitioned disks. Windows *will* run on a mac without any apple software installed within Windows itself. Apple just provides a set of drivers to support the Apple hardware better than the standard Windows drivers.
"What about the reverse, why can't they sell Apple OS to x86 PC machines, like all those hackintoshes we hear so much about"
Because then they would have to support many many more devices and motherboards than they support now. Apple's success is because they have a defined sub-set of hardware within their products. This means they can develop device drivers which work well and with one another and test nearly all the combinations. Windows often relies on the hardware supplier for theirs and that supplier can't ever test all the combinations. Hackintoshes only work on a sub-set of hardware.
One of the reasons Apple was an early adopter of bus standards like USB and Firewire is because of the defined protocols they use. Support one HID device and you support them all. PCI-E cases are coming for thunderbolt. It will be interesting to see how many cards actually work with OS-X.
Apple can sell software cheaply because the development cost is covered by the margin on selling hardware.
Basically you fail at business and technical know-how. However I do agree the MS thing looks bad.
UEFI is only required for Windows 8 certification, what does that mean?
If the hardware manufacturer doesn't implement UEFI secure boot does that mean they can't ship there PCs with Windows 8 or that it just won't have one of those stickers on the outside that says 'Window 8 certified' but will actually happily boot Windows 8 without UEFI?
Surely MS must allow Windows 8 to be installed on none UEFI hardware or else they will miss out on being able to sell an upgrade to those that bought windows 7 pcs that aren't UEFI compliant, like the laptop im currently typing on.
I wouldn't be surprised that to receive MS bribe^H^H^H^H^H rebate in volume licensing you have to have the sticker. And without the bribe^H^H^H^H^H rebate you just won't be competitive on the market.
I wonder how this will affect PXE netbooting. I guess it will need to have keys in place before hand.
Re: older versions of Windows
Older versions of Windows aren't really a concern, because they won't work without a BIOS. I haven't heard anything about UEFI providing a "compatibility mode" or any other accommodation for older software. Recent Windows software will probably work because MS abstracted all that away in the HAL, but I seriously doubt they'll ship a HAL for XP that speaks UEFI. And no more booting up with that old copy of DOS 6.22, either.
Vista and 7 run with EFI or BIOS as does 2008 and IIRC 2003 as well, so yes, it is an issue for previous versions of Windows.
It would only be a matter of time before malware with appropriate signatures turns up. Its the old force/ equal and opposite force thing. The only way you're secure a PC is by burying it in concrete.
I don't see Read Hat as the company attacking here.
DVD Jon, where are you?
DVD Jon, where are you? I hope you are working diligently on the important task of obtaining and publishing Microsoft's signing key.
- Geek's Guide to Britain INSIDE GCHQ: Welcome to Cheltenham's cottage industry
- 'Catastrophic failure' of 3D-printed gun in Oz Police test
- Game Theory Is the next-gen console war already One?
- BBC suspends CTO after it wastes £100m on doomed IT system
- Peak Facebook: British users lose their Liking for Zuck's ad empire