FSF takes Win 8 Secure Boot fight to OEMs

PC makers are being lobbied to install Windows 8 on machines in a way that will afford users the freedom to boot Linux or any other operating system. The Free Software Foundation (FSF) is urging PC users to sign a statement demanding that OEMs which implement Windows 8's UEFI Secure Boot do so in a way that allows individuals …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    Pah...

    Just step back and think for a second:

    If MS prevent the installation of OSes other than Windows 8 on OEMed hardware they will

    a) Prevent older versions of Windows booting on those machines

    b) End up in massive Anti-trust cases in many different areas

    c) Piss off corporate users who want the ability to install what they want on their hardware

    They will not allow any of these things to happen, if they did the share-holders would require heads to roll at the very top of the company.

    1. Red Bren

      Point A

      "Prevent older versions of Windows booting on those machines"

      I think this, more than anything else is Microsoft's plan. The last thing they want is a repeat of the Vista debacle where users buy shiny new machines and then install XP.

    2. DLSmith
      Mushroom

      Re: Pah...

      And just when did common sense, lawsuits and customer opinions become a guiding force at Micro$oft?

      1. Anonymous Coward
        Anonymous Coward

        Err...

        @Red Bren - Corporate users will not tolerate being told they have to upgrade their OS builds and MS know this. Even Vista using corporates will probably be using it for a long time before upgrading. Also, most major corporates on XP will have arrangements to have support from MS for much longer than joe public. MS only stopped supporting NT4 server for rich customers a couple of years ago.

        @DL Smith - Common sense or not, having worked for a few major corporates (ranging from 10k to 140k workstations) I know that MS will bend over backwards to accommodate what their major customers want and they do not want to be forced to upgrade their software except on their own terms. Major corporates do expect to be able to buy new hardware and put whatever version of whatever OS on it they want.

    3. Nuke
      Thumb Down

      Naive

      @AC (1st post) you are being naive.

      a) Why on earth would MS be interested in older versions of Windows being installed? They want to sell new ones.

      b) MS have never been afraid of anti-trust cases because they usually get away with it. They are so blatant I wonder how, but they do. That is what is so "clever" about this - MS can seem to shift the blame onto the PC maker or retailer, certainly enough to convince a non-technical judge or anyone else who wants to believe them.

      c) The vast majority of corporate machines just use Word, Outlook, IE and maybe Excel. Many also use apps such as Photoshop, SAP and Sage, which are recognised as mainstream even by MS. No problem there. If you are talking about corporate servers meant to run Apache on Linux or BSD, then this is a niche professional market in which the secure boot password *will* be passed to the buyer.

      But it is the "casual" Linux user who will find the barrier raised. Try running a live Linux DVD on a home PC from the high street, just to try it out, and it will probably be blocked. MS hate that sort of thing - it might result in another Linux convert.

      @AC ["Err..."] Direct contracts between MS and large corporate users will always accommodate particular requirements. As you say they are too valuable to MS. However that is not what this move is aimed at, it is aimed to stop home and small business users using Linux and any other software that MS frowns on, whether malware or simply minority.

      1. Anonymous Coward
        Anonymous Coward

        @Nuke

        I'm not being naive, you can dig all you want for a conspiracy on the part of MS, but the points stand that:

        They are not going to annoy their corporate users

        They are not going to prevent previous versions of their OS being installed on new hardware

        They really aren't up for anti-trust cases, they are enormously expensive, they certainly wouldn't be thanked by their shareholders and when Bill Gates was interviewed about his regrets the first thing he said was "getting sued by your government was a low point" (or words to the effect of).

    4. Spearchucker Jones

      The low-down:

      It's up to OEMs whether to include UEFI or not. It's also up to the OEMs whether to allow users to disable UEFI or not.

      • UEFI allows firmware to implement a security policy

      • Secure boot is a UEFI protocol not a Windows 8 feature

      • UEFI secure boot is part of Windows 8 secured boot architecture

      • Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure

      • Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

      • OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform

      • Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

      http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

      If you're part of the (proportionate) uber-infinitsiminutiscule portion of the market that uses Linux then it's up to you to choose an OEM that suits your purposes. Linux fanbois are starting to sound like the people blaming McDonalds because they're fat.

    5. Anonymous Coward
      Anonymous Coward

      Upside after all?

      Re: “heads to roll at the very top of the company”

      So there would be an upside after all? Ballmer could go balls out finally?

  2. Syren Baran
    Coat

    "At the end of the day, the customer is in control of their PC"

    So this implies ... a couple of hours of hacking to remove the mark of the beast?

    1. henrydddd
      Linux

      Syren Baran: "At the end of the day, the customer is in control of their PC"

      we will probably have a web site for PC's at http://www.jailbreakme.com

  3. iGoto

    (Disclaimer - I haven't read up on this subject).... but surely if you are technically competent at re-installing a brand new OS (like Linux) onto a machine, then you are technically competent to go into the BIOS/UEFI options screen and disable secure boot? (Assuming the board vendors provide such option).

    I'm also curious - are the FSF fundamentally opposed to secure boot? What alternative solution are they proposing to thwart this type of attack vector?

    1. Richard Wharram

      Missed the point

      Live USBs are intended to make Linux installs as easy as possible. Distributions such as Ubuntu aim to make everyday usage of Linux possible for non-techies.

      Having to go into BIOS and 'Disable Secure Boot' would scare off most potential newbies to Linux I'm sure.

      1. Anonymous Coward
        Anonymous Coward

        VMs are far easier to use for newbies than dualbooting

        Seriously - why would you want to force a newbie user through the pain and hassle of a dual boot configuration, when you can give them the freedom and flexibility of Linux in a VM?

        Unless it's not really about getting them to use Linux, and it's really about getting them to stop using Windows?

      2. Rich Turner
        FAIL

        SB is the least of a Linux noob's worries

        If someone was considering installing and operating Linux, rebooting their PC, hitting F12 (or similar) and disabling secure boot will be the easiest part of the process.

        They'll have FARRRR more technical things to deal with just to get the OS installed and running than something as simple as changing a BIOS setting.

    2. Rich 2 Silver badge
      Happy

      yes, but...

      I think the concern is that some (a lot?) of PC makers won't bother to include a "disable" option, thus tying the machine to the OS (indeed, one version of one particular OS).

      I'm a bit ambivalent about this - MS are correct in saying that they are not mandating that such a "disable" option is not allowed, and that it is up to the hardware manufacturer to provide such an option, should they so wish. I can see their point - all MS are asking for is a facility to be included into the BIOS for their OS (a facility that is and always has been in the UEFI spec by the way - this is nothing new). They are coming under fire because they have NOT mandated the disable option. I think it is a bit unfair to blast MS for this; do we have a go at Ford because they mandate the use of round wheels, but not square ones? There's nothing stopping you from fitting square wheels to their cars, but Ford don't make such a requirement part of the spec and they don't support it, but if that's what you want to do then go ahead; Ford don't care one way or the other (just don't try and claim on the warranty for any damage to the suspension!). It's the same with MS - all they want is for this facility to be made available for their OS (which is not unreasonable). What happens after that they don't care about, and why should they?

      Disclaimer - I loathe MS as much as the next geek, and I think their software is a joke, but in this case, I think MS are being lambasted for something that they genuinely have no interest in, nor should they have to. Oh yes, I am well aware that MS would be more than happy if no manufacturer included the "disable" option, but that's not the point; the point is, they are not stopping anyone from adding it as far as we know :o)

      1. BristolBachelor Gold badge

        yes but, but...

        Having heard a number of cases of manufacturers trying to refuse warranty or other things if a PC does not have the original version of windows on it that shipped on it, I think that some manufacturers may actually like a bios that stops purchasers doing it.

        If you look at HP; their idea of support is telling you to boot from the restore partition. Getting them to even look at a hardware failure will take hours on the phone, with them insisting that you restore the machine to as new S/W and delete every single item off it.

        I think that MS should actually ask the manufacturers to include the "any other OS" option. Just think, if you have to hack it to run Linux on it, a lot of people will do it. If the easiest way is to be able to cut MS keys, then maybe that will happen, and then all MS installs will be just as vulnerable as before.

      2. Steve Knox

        @Rich 2

        "... all MS are asking for is a facility to be included into the BIOS for their OS..."

        Not quite -- they are asking for the facility to be included AND TURNED ON BY DEFAULT. They are also specifically NOT asking vendors to provide the ability to turn it off. They are very adamant that they will not require that latter feature, even though they could allay everyone's concerns simply by doing so. THAT is what bothers me -- it follows classic MS FUD strategy: don't actually do anything directly wrong, but use market position to imply that as a side-effect of your "completely innocuous" actions, some partners might "inadvertently" do something that restricts your competition -- and make sure not to do anything to prevent those partners from making that "innocent mistake."

        More to the point, this facility isn't a feature that the OS can take advantage of. It's a feature that restricts what an OS or other software can do based on its signature (or lack thereof). So MS is NOT asking for something their software can actually use; they're asking for something that they can use to market their software (i.e., touting security). Since the certification program is supposed* to be about verifying ability to run the software and not about marketing, this feature should not really be required for certification.

        * Yeah, I know...

      3. Dagg Silver badge
        Black Helicopters

        May be not...

        >MS are correct in saying that they are not mandating that such a "disable" option is not allowed

        From the article <snip>However, it seems OEMs are not free to choose how to enable Secure Boot.</snip> <snip>Microsoft said support for UEFI Secure Boot is a Windows 8 certification requirement</snip>

        This may control how the "disable" option is implemented, as part of the certification M$ may require that it is enabled by default and require a hardware jumper change or similar to disable and once disabled means the windose 8 will not run.

    3. The BigYin

      I don't think they are opposed...

      ...to Secure Boot (or similar) per se, I think they are opposed to the danger of the ability to update UEFI or disable Secure Boot being missing and the fact that OEMs will ship with only the Windows 8 key pre-loaded.

      Not only does this add to the problems caused by the MS Tax, but it also means MS/vendors can force users to have to upgrade their machines by simply changing the keys needed.

    4. John G Imrie

      (Assuming the board vendors provide such option).

      And that of course is the problem. Why provide something that adds cost with very little benefit, that your competitors won't.

    5. El Cid Campeador
      Devil

      Only if you have that option-- which you may or may not be given. From what I've seen, you won't have that option. FSF opposes this form of secure boot because it's not GPL-compatible... I doubt they'd care if it was, since then they could incorporate it into their software.

    6. Tim Parker

      @iGoto

      "(Disclaimer - I haven't read up on this subject)...."

      In this case it might be useful.

      "but surely if you are technically competent at re-installing a brand new OS (like Linux) onto a machine, then you are technically competent to go into the BIOS/UEFI options screen and disable secure boot? (Assuming the board vendors provide such option)."

      That last part is one of the main points of issue. There is no incentive for the OEM/vendors to include such an option, and there may be some to exclude it (I think even the most paranoia averse readers might concede that there has been pressure applied by certain software vendors to systems manufacturers in the past for other issues).

      Also, although it is not necessarily difficult or particularly time consuming, plenty of seemingly obvious/sensible/desirable BIOS options - depending on your interests - took a very long time to appear (if at all) from some BIOS producers. Any extra work which doesn't really *need* to be done will probably not be done.

      If, as has been suggested, the requirement to disable secure boot - or to allow some suitably secure way of allowing signature updates to occur - is enshrined in the UEFI specs then most, if not all, of the objections go away.

      "I'm also curious - are the FSF fundamentally opposed to secure boot?"

      No - far from it.

    7. Nigel 11
      Unhappy

      Dual boot?

      And if your requirement is to have a boot menu so that the user can choose between Windows and Linux?

      As I'm reading it, secure boot enabled - Linux cannot boot. Secure boot disabled - Windows 8 cannot boot. Utility of such a system in my environment: zero.

      And of course, the last thing one wants to do is to leave the BIOS itself unprotected, for the user to poke at all the other settings, boot unapproved media, etc. etc.

      If it's going to be straightforward for a Linux sysadmin to generate the appropriate certificates from his Linux system (including a custom-patched, modified kernel) and install these certificates into the system BIOS so that Linux can secure-boot, then that's (just about) OK.

      I'm also thinking there's a danger that even if this is do-able, it'll take ten minutes per PC, which it won't be possible to automate like the rest of the deployment process because the only way to interact with a BIOS is by prodding its keyboard. Ten minutes times 200 PCs equals most of a man-week.

      Yuk.

      Yuk.

      Yuk.

      Bleugh.

      1. El Andy
        WTF?

        @Nigel11

        "As I'm reading it, secure boot enabled - Linux cannot boot. Secure boot disabled - Windows 8 cannot boot. Utility of such a system in my environment: zero."

        Wrong.

        Windows 8 can boot with secure boot disabled (but obviously loses the added security of knowing the boot path hasn't been tampered with). If you want to dual boot with an OS that doesn't support secure boot, that's obviously the option you have to go with. If, for example, Red Hat produced a secure boot Linux and the keys were also installed in the BIOS (either manually added or installed by default by the OEM) then you could happily secure dual boot between the two as freely as you want.

        This whole thing is a bit of a storm in a teacup. The driving force behind this is businesses who don't want their networks easily compromised by systems being rebooted into an OS they don't have control over, potentially introducing malware into their infrastructure.

      2. Rich Turner
        Facepalm

        Then you should learn to read.

        Win8 WILL boot if SB is disabled, but it will be unable to validate that its core system binaries haven't been tampered with.

        How else will Win8 be able to install and run on a non-UEFI PC (like the Sony Vaio laptop I am sitting in front of running Win8 dev preview today)?

        The end user can/should be able to make a choice as to whether or not they want to disable Secure Boot.

        This is an OEM issue and has nothing at all to do with Microsoft.

      3. Anonymous Coward
        Anonymous Coward

        @Nigel11

        You forget that Windows' boot manager can also easily boot Linux these days. So you'd simply use that to present the user with a menu which he can use to choose from. You'd probably need Grub or Lilo installed onto the partition itself, but even that can be set up so that remains mostly invisible.

    8. henrydddd
      Linux

      options

      The way that this type of attack can be thwarted is to put a physical switch on the motherboard or hard drive that will not allow the boot record to be modified unless that switch was set.

    9. Jordan 1

      It doesn't take that much skill to stick a CD in a drive and reboot the computer. It might take a bit more to press Ctrl+Delete at boot up and then type in something like "set EFI_SEC_BOOT 0" and then "nvram update" (or however EFI does things.) Many people who would otherwise be more than capable of installing an alternative operating system will probably avoid an EFI shell or menu for fear of breaking something.
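An added example, not part of any comment in this thread: on Linux the firmware publishes its Secure Boot state as the UEFI global variables `SecureBoot` and `SetupMode`, readable through efivarfs, so the three cases argued over above (enforcing, switched off, no keys enrolled yet) can be told apart without entering a firmware menu. The state labels, function names and sample bytes are this example's own; it assumes efivarfs is mounted at `/sys/firmware/efi/efivars`.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE vendor GUID, as defined by the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: the usual Linux mount point for efivarfs.
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Constructed sample contents of an efivarfs file: a 4-byte little-endian
# attribute word (0x6 = boot-service + runtime access) followed by the data.
SAMPLE_ONE = b"\x06\x00\x00\x00\x01"   # variable value 1
SAMPLE_ZERO = b"\x06\x00\x00\x00\x00"  # variable value 0


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def flag_from_raw(raw):
    """Decode a one-byte boolean variable; None means the variable is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError("expected a single byte holding 0 or 1")
    return data[0] == 1


def classify(secure_boot_raw, setup_mode_raw):
    """Map the two variables onto one of this example's state labels."""
    secure_boot = flag_from_raw(secure_boot_raw)
    setup_mode = flag_from_raw(setup_mode_raw)
    if secure_boot is None:
        # UEFI firmware that does not expose Secure Boot at all.
        return "unsupported"
    if setup_mode:
        # No Platform Key enrolled: nothing is enforced and the owner
        # can still install their own keys.
        return "setup-mode"
    # Keys are enrolled; SecureBoot says whether they are being enforced.
    return "enforcing" if secure_boot else "disabled"


def read_raw(name, efivars_dir):
    """Read one global variable from efivarfs, or None if it does not exist."""
    path = Path(efivars_dir) / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        return path.read_bytes()
    except FileNotFoundError:
        return None


def secure_boot_state(efivars_dir=EFIVARS_DIR):
    """Report the Secure Boot state of the running machine."""
    directory = Path(efivars_dir)
    if not directory.is_dir():
        # Legacy BIOS boot, or efivarfs is not mounted.
        return "no-efivars"
    return classify(read_raw("SecureBoot", directory),
                    read_raw("SetupMode", directory))


if __name__ == "__main__":
    print(secure_boot_state())
```

A fleet inventory script can collect this value per machine to see which hardware ships enforcing, which allows enforcement to be turned off, and which arrives with no keys enrolled.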

  4. Ian Stephenson
    Facepalm

    Of course it's a security feature

    It secures Microsoft's revenue stream.

  5. Anonymous Coward
    Anonymous Coward

    Do not buy this Microsoft bullshit...

    "OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers."

    This is Microsoft's favourite game: claim that they aren't making others do their dirty work for them and that it's really about vendor enthusiasm, while at the same time either offering vendors no choice or even pressuring them to "voluntarily" support such initiatives. There's a long paper trail documenting Microsoft's unethical - even illegal - coercion on vendors.

    Meanwhile, everybody still has to buy Windows on the vast majority of computers sold via retail channels because Microsoft points the finger of blame at the vendors when challenged, and points a sharp instrument at them behind the scenes. And, of course, this even affects their existing customers who have to buy the same product over and over again, not to mention people who want a choice of software.

    It is high time that Microsoft were actively prevented from using anticompetitive measures, technical or economic, to corrupt the market. Regulators should get off their behinds and unbundle Windows now!

    1. El Cid Campeador
      Devil

      Agreed. I used to work at a local retail/repair shop where we also built new PCs. In theory, we could put whatever OS we wanted on the system, but if we put anything other that Windows on our new-build machines, we would lose our "discount" and any hope of being able to sell the machines at a competitive price (already difficult since we used quality hardware with solid manufacturer's warranties as opposed to the flimsy crap in the big boys' systems).

      So... of course you can disobey MS, but you'll go out of business if you do. Unfortunately, they can say they weren't "forcing" us since, in theory, we could do whatever we wanted. In practice, you obey Redmond or go bankrupt....

      1. Anonymous Coward
        Anonymous Coward

        El Cid Campeador

        I'm sorry but that's utter rubbish. The more licences you buy from the distribution channel the cheaper it is, it's bulk ordering, unless you're a tier 1/2 distribution partner you will have very little to do with MS, joe blogs on the corner repair shop will be getting those at standard cost, which has a relatively small margin depending on your supplier, the supplier couldn't care less what you do with it, when you build a PC you just don't give it a windows licence, if the customer wants a windows licence then you sell them an OEM version, the licence states that Windows is now tied to that hardware

        If you're a large national outlet then you're going to be buying in much larger bulk, and it's unlikely you will be building those PCs yourself. You need to remember the power of advertising, a simple sticker saying approved to you and I means getting sticker fingers when you pull it off, but to Jo public it's a sign of confidence, retailers love this. If mr PC world was willing, there is nothing to stop them punting out Linux boxes, but to the vast majority of jo public, it will mean nothing at all other than confusion over things being "different"

        There is no doubt that MS has and probably will do some dodgy things, but there isn't a single company out there that hasn't done something a bit dodgy and this whole thing, as others have said, is just a big storm in a tea cup.

        I mean, christ, if MS dumped its $50 Billion in to charities they would be flamed for tax evasion and trying to influence the markets, they are just a big Magnet for hate and flaming and could never do right in the eyes of many

    2. Rich Turner
      Stop

      You should remove your tin-foil hat - I think you're overheating

      "It is high time that Microsoft were actively prevented from using anticompetitive measures, technical or economic, to corrupt the market. Regulators should get off their behinds and unbundle Windows now!"

      Microsoft operated from 2002 -> March 2011 under DOJ oversight and in compliance with the 2002 DOJ consent decree. The DOJ has kept a close eye on all of Microsoft's business dealings to make sure that it completely changed the way it did business.

      OEM's are entirely free to ship machines running Linux if they want and some do. Dell offers Linux as an option on all its servers for example. They used to offer a range of PC's running Linux too but quit that business because NOBODY BOUGHT THEM.

      With the razor-thin margins that the OEM's operate under it costs them too much to sell and support PC's preinstalled with free OS'.

      1. Goat Jam
        FAIL

        DoJ Oversight

        Yes, that would be the same DoJ who suddenly decided after years of litigation that MS were not so bad after all and could be let off with a slap on the wrist.

        aka "a few years of DoJ oversight"

        This happened about a week after George W Bush moved in to the Oval Office, although that was entirely coincidental I'm sure.

  6. Geoff Johnson

    OEMs and BIOS people

    Has anyone asked the OEMs and BIOS manufacturers for comment on this issue? Surely UEFI has a configuration system like the old BIOS settings system, and surely there'll be an off setting in there.

    1. The BigYin

      Think...

      A vendor can sell the same hardware twice. Kerr-ching!

      A "consumer" board with the ability to update/disable UEFI missing and a "pro" version with them present.

      Beyond that the two boards are identical (bar one jumper or something) and they can charge a massive premium for the "pro".

      Also, if not providing the feature saves 0.01p, then that feature will not be provided as the monopoly player doesn't need it and will be rather happy to know that the feature is missing.

    2. Tim Parker

      @Geoff Johnson

      "Has anyone asked the OEMs and BIOS manufacturers for comment on this issue?"

      My understanding is that some have been asked, but none are currently offering any comment (fair enough).

      "Surely UEFI has a configuration system like the old BIOS settings system "

      One can be constructed, yes...

      ", and surely there'll be an off setting in there."

      ..but there-in lies the rub - there is no requirement, or immediately obvious incentive, to add one. The more code you add, and the more options you expose, the more chance you or the user will screw things up and a time-strapped BIOS producer trying to beat all the others to market with a product may not decide it's worth doing. No-one would be to blame in such a situation, some would say, but suddenly you have a machine on which you can't "downgrade" (e.g. Vista->XP) or update the version of Windows installed or, indeed, install anything else.

      1. LaeMing
        Linux

        "suddenly you have a machine on which you can't "downgrade" (e.g. Vista->XP) or update the version of Windows installed or, indeed, install anything else."

        In other words the PC becomes a consumer appliance.

        Does Europe still give tax breaks on computers? Would removing such breaks on appliance-ised equipment be a good incentive to keep the platforms open?

  7. Boris the Cockroach Silver badge
    FAIL

    In the debate

    over M$ control of the OEMs to configure windows 8/uefi keys, I've noticed a rather funny thing

    It's not the linux vs m$ fanboy rantings or the obscure technical details, it's this scenario

    Customer boots windows 8 pc

    Customer surfs/ downloads malware designed to root said PC

    Customer shuts down PC

    Customer starts pc the next day only for it to go 'Bleergh' I've been root kitted

    Customer can't start pc at all, loses a day's work taking pc to the repair shop.....

    Rinse and repeat

    How long until said customer takes a hammer to said pc and gets a white box that has linux installed on it/ a Mac ?

    1. Colin Millar
      Boffin

      let me fix that

      Customer starts pc the next day and it ignores the unsigned code.

      1. LaeMing
        Boffin

        And since the unsigned code is the boot code...

        As OP said. Rinse and repeat.

        1. Colin Millar
          Boffin

          Try again

          Very few rootkits are kernel mode

          And if you do have one of those this system would actually do you a favour by treating a kernel mode rootkit as a corrupted MBR and forcing you to replace it before you could run the OS.

          I am fairly confident that the implementations will be able to fail properly after a corrupted MBR is detected - after all - corrupted or missing MBR isn't exactly new.

  8. JDX Gold badge

    "The FSF has also hinted at a boycott on buying Windows 8 PCs"

    Don't most of them boycott MS on principle already?

  9. Smudge@mcr

    The enamy within

    Microsoft's core mission is to KILL Free Software.

    Always was and always will be.

    They are the enamy of computer users, free software and a free society.

    They can NEVER be trusted. This is a wake up call to cumputer users everyware.

    Don't sleep walk into slavery. Don't use Micosoft.

    Oh and please continue using the MS FUD term Freetard. I would rather be a Freetard than a slave.

    1. Sam Liddicott

      slavetard

      I would rather be a Freetard than a slaveTARD.

      There is such a thing as equality!

    2. Paul Johnston
      Happy

      Don't care which computer I use!

      Just as long as it has a spell checker! (Is that one or two words?)

    3. auburnman
      Headmaster

      Were you raised by the internet?

      Or by a Daily Star journalist? You seem to write a different kind of English from the rest of us.

    4. NB

      Whilst I agree with all your points...

      even a 'Freetard' can and should use a fucking spelling checker and no, I'm not a shill for MS, I've been running only Linux boxes since the late 90's. Your enthusiasm/zealotry is duly noted but please don't make an arse of yourself by misspelling a word as simple as 'enemy'.

      1. The BigYin
        FAIL

        To the spelling/grammar fascists

        Have you considered the possibility that that OP's first language is *not* English?

        Their English is a damned sight better than my Mandarin, Spanish, Portuguese, Urdu or anything else for that matter.

        Or ever considered that they suffer from Dyslexia? Not all browsers have spell-checkers to help (not that they may be much help to someone with severe dyslexia).

        Or any one of umpteen other possibilities that could be impairing them.

        No, guess you didn't. If you feel you must correct someone, then at least be polite about it.

        In short: grow up.

  10. ColonelClaw
    Thumb Down

    A leopard can never change its spots

    Just when you thought it was ok to like Microsoft again, they cannot help but remind us what absolute douche-bags they can be when the mood takes them.

    1. Anonymous Coward
      Anonymous Coward

      Technically

      They are just behaving as our societies' corporate laws require them to, ie: the shareholder comes well above the customer.

  11. Jim 59

    True to form

    Having failed to compete technically, MS is once again falling back on its core skill, an area in which it genuinely excels: bullying others by market domination. This is a dangerous game for them. If somebody stands up to the bully, his bullying days are over. Microsoft has been doing it for 20 years though, and they are the experts.

    Hats off to MS, they really are the best at this, no question. Their customers had the power of choice confiscated decades ago, and have long been "users" rather than true "customers". Heck, I cannot even buy a memory stick without some OEM paying tribute to MS for the ancient FAT file system onboard, even though superior free alternatives abound. That's genius.

    I don't hate MS and don't wish to offend MS fans. But I do hate this aspect of MS behaviour. If they focussed on their business rather than manipulating the market and harming competitors, they could be better than Apple, and their products even more glorious.

    1. Anonymous Coward
      Anonymous Coward

      @Jim

      Where have MS failed to compete technically, wrt OSes?

      1. Goat Jam
        FAIL

        Well

        The registry is an abomination and the way they handle user permissions is straight out of the "Idiots Guide to OS Design", then there is the absolutely astounding way that the application of even the most seemingly insignificant patch suddenly requires a full system reboot, not to mention their propensity to virus attack (see aforementioned user permissions idiocy) and last but not least is their insane insistence of welding an internet browser into the core OS but other than that they are way up there with the best for sure.

        Or not, as the case may be.

        1. Anonymous Coward
          Anonymous Coward

          @Goat Jam

          If you'd ever said anything positive about MS in any way, I may take more notice of you.

          You may not like the registry, that doesn't make it bad.

          To suggest that the permissions/ACLs are designed by idiots is to slag off VMS.

          You blame the mis-configuration of ACLs on the OS itself, rather than users

          Very few patches require a reboot on modern Windows.

          1. Goat Jam

            @AC

            At least I put my name (so to speak) to my opinions Mr AC.

            The fact that I clearly dislike Microsoft does not negate my points in any way.

            Dave Cutler's VMS concept was utterly destroyed by Bill Gates' insistence that NT be compatible with MS-DOS. Dave Cutler is known to have been upset by this.

            The fact that there is little to no separation between user space and system space in Windows is the problem, not the simple misconfiguration of ACLs.

            This post;

            http://forums.theregister.co.uk/post/1184513

            is not anti Microsoft per se.

      2. Jim 59

        Microsoft OSes

        On the desktop, MS OSes are technically inferior to Apple OSX and Linux. In the datacentre, Windows is still years behind Linux, Solaris, AIX. On the smartphone, Windows is inferior to Android and Apple. Windows 8 is good but that's only compared to Windows Vista. Microsoft's tactic is not to improve their products, but to use their market dominance to put better products out of our reach.

        1. Anonymous Coward
          Anonymous Coward

          @Jim

          Just saying something doesn't make it true. You make no specific citations of any particular area, which leads me to believe you don't know much about MS OSes. Sure they aren't going to be Big Iron UNIX on reliability, but they will on user friendliness. They aren't going to beat Linux on cost, but they will on directory services or ease of use etc. As for MacOS being technically superior, in what area? Apple say this, but I've never heard anyone else say it.

      3. Goat Jam

        Oh drat

        I forgot to mention their inability to move on from the quaint concept of "drive letters" which were out of vogue by the late seventies.

        But other than that, yeah, they are high tech baby, all the way!

  12. Anonymous Coward
    Mushroom

    listen, Mr Mingefester

    this means more expensive PCs: Linux bods will have to buy motherboards with unlocked UEFI, these will be more expensive because there will be no economy of scale. But there will be no Windows tax; even so the total cost will be higher.

    FSF have more chance of success if they used commercial tactics, i.e. if they organised a supply of unlocked MBs (cheaper through bulk buying).

    1. Anonymous Coward
      Anonymous Coward

      Err?

      Mingefester? Delightful. Have you ever heard that calling people names is really rather childish?

      1. Anonymous Coward
        Anonymous Coward

        I'm very grateful to you

        for taking offence on behalf of Mr Mangeteste (I believe it's actually pronounced "Mangytesticles"). I cannot commend you more highly on your mature and responsible attitude and can only hope that one day I too can reach such high standards - well one can dream, perhaps.

  13. Sam Liddicott

    I want TPM for my linux

    I want my linux boxes to use TPM, that way I know my system is secure as Richard Stallman and Linus Torvalds intended it to be.

    So I want the ability to insert my own root keys without first needing to boot windows.

    1. Rich Turner
      WTF?

      So secure that even the Linux.org site got hacked and taken offline?

      If even the core gurus can't get it right, methinks you've swallowed an untruth.

      1. Anonymous Coward
        Anonymous Coward

        re: even the core gurus can't get it right

        You think Torvalds and Stallman run the interwebtp servers?

  14. Anonymous Coward
    Anonymous Coward

    No, to pre-installed Windows.

    Personally, I have not purchased a "Windows Pre-installed" PC for years.

    I buy the bare metal and then decide which OSes I will install on it, mostly in a dual boot configuration.

    Check out Novatech for an example of a decent OEM.

    1. Nigel 11
      Thumb Up

      And even if it is preinstalled ...

      Even if it's pre-installed, the first thing any corporate customer will do is boot into his corporate image install environment, and blow away whatever crap came pre-installed to the disk. That's the only way of being sure that the system doesn't have random malware, backdoors, and extra unknown security weaknesses pre-installed. (It also frequently makes the system boot five minutes faster. Time is money!)

  15. The BigYin
    Mushroom

    Time to alert the EU?

    If PCs start shipping with no way to update the keys or disable Secure Boot (I'm thinking physical jumper or something would be the way to go, harder to attack) then it is time to call in the EU and have MS hammered once again for abusing its market position.

    That MS are using OEMs as puppets to further entrench their OS as the only player in the market is pretty disgusting. But then they have form for sock-puppeting to get what they want: ISO - I am looking at you.

    It already pisses me off that I have to pay £30 over the odds for a PC because of the way MS force manufacturers to include Windows and allows OEMs to no longer honour refund requests.

    Oh and before someone brings up Apple (and no, I don't own one) let me just point out one thing - Apple are not a monopoly in the PC market.

  16. Anonymous Coward
    Anonymous Coward

    If it's such a good OS...

    Why don't MS copy Apple and produce their own locked down computer/laptop? Then everyone can buy those if that's what they want, or not if they prefer to choose. Seems to be working for Apple.

    The MS PC would come pre-configured with Secure Boot and locked to IE and with Security Essentials, Office Live etc. It could refuse to install non-signed drivers and generally just. All updates to all software could come from MS (or their app store).

    Anyone who wants to tweak their systems, or swap operating systems can buy a generic PC as they do now.

    1. dogged

      "Seems to be working for Apple."

      12% of the market is "working", is it? This is what you suggest to the holder of 87% of the market? Where did you go to business school, a kibbutz?

      Here's the skinny.

      Secure Boot is a nice feature but not an essential one. Win8 (the pre-beta Dev edition release at least and I see no reason why Gold releases should differ) runs perfectly well without it.

      IF IT DIDN'T, THERE WOULD BE NO UPGRADE PATH AND MS WANT YOU TO UPGRADE.

      New PCs that come "Certified" must be capable of implementing Secure Boot but they don't have to enable it by default and they don't have to make it mandatory (ie, no off-switch).

      Basically, this whole argument is bullshit.

    2. Anonymous Coward
      Anonymous Coward

      re: If it's such a good OS...

      "Why don't MS copy Apple and produce their own locked down computer/laptop?"

      Because Apple would sue them. They thought of it first. And copyrighted it. Only they (them? this one eludes me) can build walled gardens.

      Besides, where would MS build their hardware? Foxconn? They are already building for Apple and Dell. Unless MS buys Dell.

      </snark>

      Downvote barrage in 3, 2, 1....

  17. Christian Berger

    A bit of senseless ranting can be beneficial

    I mean it doesn't matter what Microsoft or the OEMs say, what matters is what the public opinion is. Once there is a general "Secure Boot is dangerous" idea, manufacturers will have to make sure they implement it properly or risk sales.

    It's like giving a child a slap on the fingers. It may not be the best thing to do and it's certainly not a very intelligent way of acting, but it may get the job done.

    1. The BigYin

      The problem is...

      ...people who don't know any better will swallow the marketing that "Secure Boot" is great and not realise there is a problem. These are the very same people who buy a whole new PC just to get a new OS, rather than trying a different OS or a few key upgrades.

      These people are the vast majority and for that reason, it's up to us who (in this one case) happen to know better to defend their freedoms for them.

      1. Anonymous Coward
        Anonymous Coward

        "These are the very same people who buy a whole new PC just to get a new OS, rather than trying a different OS or a few key upgrades."

        In that case, whether or not SB is enabled will make no difference to them anyway, and so defending their freedoms becomes a rather fruitless endeavour.

  18. JaseP

    MS tactics...

    For those who are being MS apologists, keep in mind that MS has repeatedly bullied both small and large corporations into doing their bidding. If you doubt this, ask yourself the following questions; a) Why did Foxconn (a leading system manufacturer for name brand systems) intentionally corrupt the device table in the Bios of motherboards, a few years back (yes,... it was intentional, as a second, erroneous table was created, when Linux would have done fine with the original one intended for MS OSes)???, b) Why couldn't you buy a Compal-spec MID or decent touch-screen netbook in the US for years after they were available in Europe or Asia???, c) Why did the small device vendor, Yukyung (a/k/a Viliv) suddenly change the OS and tweak the specs for the Viliv S5 MID, just a few months before release, and why are they OOB (Out of Business) now, just before they were to release an economical Android tablet, and/or d) Why has the price point on Tablets (including the iPad, and Android tablets) been kept in the $400 price range, when they are available in China for around $100-$200 at retail???

  19. Russ Pitcher
    Stop

    How is Microsoft restricting OSs exactly??

    As far as I can tell Microsoft are only insisting that a PC has the ability to enable UEFI secure boot (note: not Microsoft secure boot!) in order for it to obtain a Windows 8 certification. It is not insisting that users be prevented from disabling secure boot. It is not preventing other vendor keys being present in addition to the Microsoft keys.

    I don't see how they can be painted in such a bad light for trying to get a useful security feature implemented! Whilst it's true that if lazy OEMs fail to allow secure boot to be disabled or fail to allow the addition of new keys then unknown or unsigned OSs will be prevented from being installed, but surely that is a problem with the OEMs, not Microsoft. Once again this is not a Microsoft feature, but a UEFI feature.

    Yes, I'm a PC guy in general, but I use Apple and *nix devices as well and I'm by no means blind to Microsoft's failings, but all I can see here is uninformed fanboi/MS-hater ranting.

    1. JaseP

      Because MS bullies the OEMs to restrict what can be done on devices, and also to coerce them into using parts that are less compliant with standards that Linux follows, in order to restrict availability under that platform. I could write you a book about their under-handed back-room deals and threats,... Just look at the events surrounding the Barnes & Noble patent suit. They won't even disclose which patents they are accusing the competition of being in violation of unless they sign an NDA... That's not MS hating. That's actual fact.

    2. Anonymous Coward
      Anonymous Coward

      "Whilst it's true that if lazy OEMs fail to allow secure boot to be disabled or fail to allow the addition of new keys then unknown or unsigned OSs will be prevented from being installed, but surely that is a problem with the OEMs, not Microsoft."

      Oh dear, you must be new to this planet. When Microsoft insists on some new gadgetry and gets vendors to implement it, and then the kit in question tips up without the ability to boot anything else, and then the usual game of finger-pointing takes place where everyone else is to blame and yet no-one is to blame, it's mission accomplished as far as Microsoft is concerned. All they have to do is to wink (or stare threateningly) at the vendor and it's business as usual.

      "I can see here is uninformed fanboi/MS-hater ranting."

      The "uninformed" input to this debate is from those who think that Microsoft play fair, when you just have to read trial evidence to know that this is very rarely the case.

  20. Gordon Fecyk
    Go

    The FSF is an unsolvable problem now

    "The FSF has also hinted at a boycott on buying Windows 8 PCs."

    This represents a sales drop of 0.0000000000......0001% :-)

    I'd suggest running Linux on VMware Workstation on a Windows 8 PC as a workaround, but last I checked the FSF was against VMware, too.

    http://linux.slashdot.org/story/07/08/14/1618241/VMware-May-Violate-Linux-Copyrights

  21. Peter 26
    Pirate

    Pirating Windows

    I have noticed in all these posts regarding the locked BIOS that nobody has mentioned another huge benefit to MS, and probably the reason they started looking at protecting the BIOS.

    The standard way to pirate Windows 7 is to update your BIOS with a SLIC which makes it look like your computer was an OEM PC with Windows 7 preinstalled. There is very little MS can do to stop this. You can sell on PCs like this with Windows 7 installed without paying MS a thing and it passes all the genuine checks etc.

    The solution for MS to this is to sign the BIOS to stop people doing this.

    1. Anonymous Coward
      Anonymous Coward

      Yes, that's right...

      That, or the fact that EFI/UEFI is an industry standard that has been on the cards for something like a decade now. It was supported by MS from Vista onwards, on all Itanium servers and has been used by Apple since they went to Intel hardware. It's also almost certain that Win8 will support BIOS hardware as well as UEFI.

      But, no, you think that it's so that MS can prevent people copying their software. Paranoid? Much?

      This is typical FUD, exactly the same sort of thing that MS are accused of all the time.

  22. JDX Gold badge

    @JaseP & bullying...

    The FSF seems pretty happy using bullying tactics to get what it wants.

  23. bazza Silver badge

    Difficult for OSS

    Secure boot would be a sensible safeguard for most people. Can't blame MS for looking out for the majority vote. OSS could do the same thing and negotiate with the hardware vendors to have OSS keys in the hardware too.

    Ok, so who holds the OSS keys then? The whole point is that they can't be public knowledge, isn't it? But the whole ethos of OSS is that nothing is private. Seems like a situation that's impossible to resolve.

    I think the best that can be hoped for is that the hardware vendors include an option in UEFI to allow non-signed boots. Or maybe the vendors tell MS where to poke it (an unlikely outcome I suspect). Otherwise what am I going to run OS/2 on?

    1. Tim Parker

      "Secure boot would be a sensible safeguard for most people. Can't blame MS for looking out for the majority vote. "

      Indeed. I don't think anyone is against secure boot per se.

      "OSS could do the same thing and negotiate with the hardware vendors to have OSS keys in the hardware too."

      I believe some of the players are discussing this - but they hardly have the clout that Microsoft has - nor the same ability to award incentives (or dis-incentives) to OEMs etc

      "Ok, so who holds the OSS keys then? The whole point is that they can't be public knowledge, isn't it?"

      Nope.

      "But the whole ethos of OSS is that nothing is private. Seems like a situation that's impossible to resolve."

      Nope - the idea is that signing keys match the key generated from the software you're installing, i.e. the software you're installing is the same as the one that generated the master key.

      "I think the best that can be hoped for is that the hardware vendors include an option in UEFI to allow non-signed boots. Or maybe the vendors tell MS where to poke it (an unlikely outcome I suspect). Otherwise what am I going to run OS/2 on?"

      Ahhhh OS/2 - I actually miss that sometimes... Warp ran Windows apps better than Windows :)

  24. Ken Hagan Gold badge

    "a Windows 8 certification requirement"

    "Microsoft said support for UEFI Secure Boot is a Windows 8 certification requirement."

    Does the average Joe check for the Windows Logo? Or does he just buy a PC with Windows on it?

    And if a major OEM decides not to bother getting their hardware certified, Microsoft are going to do what, exactly? Windows 8 will obviously work on non-certified hardware, since otherwise MS just killed the whole of their own upgrade market. Therefore, MS can't withhold Windows from such hardware, or make their OEM pricing dependent on it, unless they want to end up in court again.

    We had all this with Vista's protected video path. MS stuck to their guns right up to the final release and the rest of the world just yawned.

    1. defiler

      The average Joe...

      The average Joe does what the advert tells them to. If the Microsoft ad, the Dell ad, the Packard Bell ad, the HP ad, the Acer ad all say to look for the "Certified for Windows 8" logo on their new PC, they'll look for the "Certified for Windows 8" logo.

      What else would they do? Trust the spotty youth in PC World when he says "nah - this one will also work just fine", or put their faith in multi-billion-dollar companies?

      1. Ken Hagan Gold badge

        Re: what the advert tells them to

        Intel would dearly love that to be true, but AMD still sell everything they can make.

        It's not even about trusting anyone in PC world. That uncertified PC will be powered up and running Windows for the average Joe to see with his own eyes.

  25. Anonymous Coward
    Anonymous Coward

    Storm in a tea cup

    I still don't get why this is Microsoft's fault.

    These are the facts

    For OEMs to be able to sell a Windows 8 branded PC they must use secure boot

    If said customer wants to install something else then the OEM must allow a function to turn off secure boot.

    Where is that Microsoft's fault? Because they want the ability to secure the systems to the vast majority of users? Given that in all likelihood people buying OEM PCs are less likely (I didn't say not!) to want to change their OS anyway, end result is that less PCs can be compromised because of more security which is good for everyone.

    If the user can't install Linux because of a function missing in the BIOS then it's the OEM's fault! Windows 8 does not need secure boot it will boot quite happily without it, it's just that for an OEM to be able to say it's Win 8 Approved they need to use it.

    MS have every right to secure their OS in whatever way they see fit and if it's an OEM system then they have the right to demand OEMs to follow guidelines, nowhere do those guidelines say the OEMs can't add a switch to turn off the security, the only ones that can bugger this up is OEMs for not wanting to add a BIOS feature to disable that security but again, is that the OEMs being lazy or Microsoft's fault?

    Now I know I'm going to get downvoted for this but if you do feel the need then please tell me exactly how it's Microsoft's fault that OEMs didn't give the user access to a BIOS function without using the argument that MS stopping users from changing (which they're not) or the argument that "historically OEMs put the least effort in to the BIOS as possible"

    1. Goat Jam

      You are assuming

      that Microsoft are not putting pressure on manufacturers to disallow so-called "non secure" booting behind the scenes.

      Given Microsoft's history on doing exactly that in other areas this would make that a pretty big assumption on your part.

  26. Anonymous Coward
    Anonymous Coward

    OEMs

    Lots of people seem to be saying that MS are pressuring the OEMs to not include a disable switch for the secure boot functionality of UEFI. I've not seen anything to suggest that this is the case, does anyone have any evidence that it is the case, or is it just blustering?

    The reason I ask is - if anyone can show that MS are putting pressure on OEMs to prevent their rival OSes being run on their PCs, there will be an anti-trust case so large that it will probably result in the whole board of MS being fired (by the shareholders) and there will be a pretty high chance of the company being broken up a la Bell.

    The thing is that I've seen no evidence other than people on internet forums saying that this is the case, with nothing to back it up.

  27. Whitespace

    Give Microsoft a break!

    All you bearded sandal-wearing Linux lovers are living in some paranoid world where the best arguments you can give against Microsoft are nothing more than ad-hominem attacking rants.

    Anyone who lives in the real world would be able to tell you that Microsoft's only aim is to promote innovation by giving the user the best software and the quality and usability of their software is all they need to wipe out their under-achieving rivals.

    Microsoft would never stoop to pressurising computer manufacturers to deliberately lock out their competition and anyone who thinks otherwise deserves to be forced to read Groklaw for the rest of their lives.

    (Now, how do I submit this - control-V isn't it?)

    APPENDIX A

    Preclusive effect should be given to the following statement of liability rulings made by the D.C. Circuit. The introductory sentence is taken verbatim from the Fourth Circuit opinion In re Microsoft Corp Antitrust Litigation, 355 F 3d 322 328 (4th Cir 2004). The descriptions of individual types of illegal conduct are taken verbatim (except for citations and quotation marks) from Microsoft's Memorandum in Opposition to Burst's Motion to Apply Collateral Estoppel to 311 Findings of Fact and 15 Excerpts from the D.C. Circuit's Opinion in the Government Case, at 5-6 (July 1 2004)

    Microsoft illegally maintained a monopoly in the market of licensing of all Intel compatible PC operating systems worldwide through 12 specified acts of anticompetitive conduct

    1. Microsoft's Windows license agreements improperly prohibited computer manufacturers ("OEMs") from removing visible means of user access to Internet Explorer (i.e. desktop icons, folders and "Start" menu entries);

    2. Microsoft's Windows license agreements improperly prohibited OEMs from modifying the initial Windows boot sequence to promote the services of Internet Access Providers ("IAPS")

    3. Microsoft's Windows license agreements improperly prohibited OEMs from promoting rival Web browsing software by adding to the Windows desktop icons or folders different in size or shape from those supplied by Microsoft;

    4. Microsoft's Windows license agreements improperly prohibited OEMs from using the Active Desktop feature of Windows 98 to promote rival Web browsing software;

    5. Microsoft improperly excluded Internet Explorer from the Add/Remove Programs utility in Windows 98;

    6. Microsoft improperly commingled browsing and non browsing code in the same files in Windows 98;

    7. Microsoft improperly agreed to provide easy access to IAPS services from the Windows desktop in return for the IAPS’ agreement to promote Internet Explorer exclusively and to keep shipments of internet access software using Navigator under a specific percentage;

    8. Microsoft improperly agreed to provide preferential support to certain software developers in return for their agreement to use (i) [Internet Explorer] as the default Web browsing software for any software they developed with a hypertext based user interface and (ii) Microsoft's HTML Help to implement their applications' help system;

    9. Microsoft improperly agreed to release new versions of Office for the Apple Macintosh in return for Apple's agreement to preinstall Internet Explorer and make it the default Web browsing software on new Macintosh computers;

    10. Microsoft improperly agreed to give certain software developers preferential access to Windows technical information in return for their agreement to use Microsoft's Java Virtual Machine (JVM) as the default JVM for their software;

    11. Microsoft improperly deceived software developers regarding the Windows specific nature of Microsoft's Java developer tools; and

    12. Microsoft improperly pressured Intel to not support cross platform Java by threatening to support technology developed by one of Intel's competitors

  28. Grumpy Fellow
    Coat

    As long as it is open, like Apple products.

    My MacBook is running Windows XP, my Dell Mini 9 is running OS X Snow Leopard, my "designed for Windows Vista" Gateway PC is running Ubuntu Lucid Lynx, and my Nook Color is running Android. If PC makers lock me out, I will just have to switch to Apple hardware to retain the ability to run whatever I want on whatever hardware I purchase.

  29. Anonymous Coward
    Anonymous Coward

    @AC OEMs

    I completely agree, I'm still waiting on my challenge of anyone that down votes me to explain why it's MS's fault

    I would actually love to hear it, the same for evidence for their pressuring of the OEMs

    Come on people, enlighten me, I don't want FUD I want hard facts why it's Microsoft's fault if an OEM doesn't give the user the option.

  30. Nuke
    Headmaster

    The "She" in OSF's Petition

    I went to sign it, but decided not to because of its fatuous use of "she" to mean a typical end user. It completely distracts from the point and it is making the fundamental error of trying to carry two issues in one vehicle. This is the hand of RMS, I've seen it before in his stuff. Grow up man

    I am aware that some people don't accept that "he" can be used generically according to context, but in that case why not use "they"?

    Ironically, anything less like a "she" than RMS himself is hard to imagine.

    As well as that point, it is unclear what the statement is. There is a first statement that introduces a second statement. It is a statement within a statement - which are we signing?

  31. mikebartnz

    @Dazza

    You are being very disingenuous by ignoring the behemoth that MS is.

    All they have to do to convince everyone of their good intent is add that there has to be a mechanism to turn off secure boot so that other OS's can be booted to get certification but they seem very reluctant to do so.

    I often use a Linux live CD or USB drive to sort out a PC Windows has screwed up.

  32. Anonymous Coward
    FAIL

    I know this won't get read....

    ...but I'm going to write it anyway...

    This won't work. Viruses are targeting the BIOS so it is likely that anything which could have got past existing defences will be able to re-write the BIOS before the next boot ... because the system will already be live when the virus hits it.

    This is, of course, assuming that the majority of people have not thought to write-protect their BIOS ... I mean, how many of us do that in a daily work environment? BIOS updates are the first thing that manufacturers ask us to do when the hard drive crashes ... "Yes, I know you've got a script to read from, but honestly, the hard drive is going, clunk, clunk, clunk. Listen to it..."

    So any security cause is out the window as nonsense.

    To make any sense, they will only do it to the consumer units. Manufacturers seem to have subtly different "channels" for business as opposed to the consumer stream; so I believe it is a possible goal to have that degree of separation.

    This could not only affect finished systems, but any motherboard manufacturer who wants to be able to ship their wares to the Windows 8 Certified market.

    If you took this thing to its logical conclusion, then any system, bought anywhere, would have to have this in order to be "Windows 8 certified" ... any manufacturer with anything resembling a sane head on their shoulders, would have to offer a BIOS update that would strip out the lockdown rubbish.

    End result, a load of useless nonsense that they will have to issue an official strip-out for, thus wrecking the whole point of having it in the first place.

    I reckon they're just trying another way to ultimately enforce the windows licence key in the hardware; it would be the holy grail for stopping the casual software pirate.

    If they are willing to do this, then perhaps what next ... processors that will only run Windows with certain serial numbers?

    Microsoft are grasping at technical straws. They're out of enforcement options, other than turning off all the machines with hookey serial numbers, and they won't do that because it will hack off the next generation of techies who can't afford the licences to run a server at home to learn their MCE on ... and the last thing MS wants is for those people to go over to a different platform.

    Sounds to me like they are backed in to a corner of their own making, with the headlights coming straight at them.

  33. Anonymous Coward
    Anonymous Coward

    OEMs will have a BIOS disable feature...

    OEMs will always have a disable option in the BIOS. OEMs want to sell systems. These systems may go out with Win 8 COA labels but many will actually be shipped with Win 7 in the corporate marketspace. Customers will want the flexibility to use them for Win 7, or even linux Thin Clients at a later date. What OEM or mainboard manufacturer would opt for limiting their market by producing a BIOS which only allows Win8?

  34. 2cent

    Doing Apple one better

    How to make you pay more.

    Create a hardware/software lock-in just like Apple.

    Money, Money, Money....

    This is an effort to put up a castle, a defense used time and again.

    As always, the castle is surrounded. Wonder how much money (food and water) is stored up to ride out the siege.

    Unless an opposing force shows up, they are sure to run the fiefdom.

    Can any of these guys actually say "better product"?

    Remember when Microsoft tried to close its kernel? Bet you wished they had secured it that way now.

  35. 2cent

    Is the OS making the BIOS secure?

    This is just bad design.

    If BIOS is the problem, then BIOS should handle the security itself.

    This is a physical condition requiring several physical operations before the BIOS hands over to the Boot Loader. That is to say that you, your hardware and its keys must all be in the same physical location for it to work.

    BIOS comes up with new hardware, OS or BIOS update file. Screen and keyboard have question.

    "Would you like to add Hardware, Operating System or Update BIOS?".

    You respond appropriately.

    Hardware is the simplest. The manufacturer supplies you with the Key. After all, you did buy the car, you should get the keys with it. Else, how could you use it?

    For loading OS, the OS loader says, would you please copy this key into your BIOS. You restart and add OS key. Loader will now allow OS to boot from BIOS.

    BIOS updates are stored with a specific name, when BIOS loader sees it, it asks if you want to load it, you say yes and add key from current BIOS for new BIOS, and it does.

    The point is that it is not the OS making the BIOS secure.

    This means you must be proactive in any change to the BIOS.

    No matter what OS you load or boot manager you use to "hand off", the BIOS should not accept anything unless you authorize it via a BIOS key.

  36. Matt 24
    Facepalm

    Personally, I like Windows 7 (a bit) although no fan of M$, and a big Linux fan since the early/mid 90's (came in on SuSE 5, Solaris on SPARCs before that) I really don't like the look of Windies 8 or their mobile platform. And having been in IT for a long time, I don't trust MS despite the DOJ and EU rulings. They do have a history of abusing their market position. I'd forgotten the whole XP registration thing, but last week having to replace the motherboard I had to re-register my install. Will I have to do a complete re-install on the 'secure' systems? I don't have to register anything with Ubuntu - although I'm really not a fan of Unity either - I prefer KDE.

    I do think - could be wrong - that they have their sticky mitts well and truly in there somewhere. So - will the new systems be able to boot ESXi, for example? Can I run 'nix on VMWare on Windows 8 as I do on 7 now? What happened to the OS-on-a-chip and will that be compromised now? Booting from a secure ROM image with configuration files and applications on HD could stop malware - and be pretty speedy as well. There are Linux firewalls and systems that boot from CDs or read-only USB keys and have the configs on r/o floppies (remember them?) It's not hard, surely?

    Ramblings and drivel from an old IT hack. I'll go back in the corner and dribble now...

  37. Anonymous Coward
    Anonymous Coward

    sad

    The sad thing is that no matter how secure boot is implemented, dual boot between Windows and Linux might be part of history only
