Microsoft dragging its feet on Linux Secure Boot fix

Except that a large enough corporation will employ someone incompetent to do a job that they don't want to be done competently.

Well I'd be tempted to agree with you (hence the upvote). But really, this stinks too much of dominant position abuse for it to be mere incompetence. Maybe I'm too paranoid?

I've always hated that adage, but I'm sure both incompetent and malicious people love it.

A couple more old adages...

Fool me once, shame on you; fool me twice, shame on me.

Once is happenstance. Twice is coincidence. Three times, it's enemy action.

The fun part about having all these old adages around is that it's often not until you have the benefit of hindsight that you know which one really fits a given situation.

Between this and the browser ballot screw up I can see how someone could read conspiracy into it. I'm no fan of Microsoft (and not excusing the browser situation either), but it seems to me that it might be a little early to cry foul here. Could be wrong of course...

But, it STILL is valid to ascribe fiendishness, I dare say...

"Then there was the problem that the entire process of uploading code to be signed assumes developers are running Windows and using Windows-based tools. Even the file upload window required Sliverlight, which ultimately meant there was no way for Bottomley to submit the Linux Foundation's pre-bootloader without loading up Windows 7 in a virtual machine.

Only after Bottomley had completed all of these steps was he able to find out that the code-signing process didn't seem to be working. As of Tuesday, he was still at an impasse."

Ahhh, "Security through obscurity" is alive and well.

This sounds too cunning and devious to be mere incompetence. How can anyone expect ms to go out of its way to ensure that non-ms operating systems, browsers, and applications can smoothly and legitimately obtain, sign, deploy, and maintain working, valid UEFS code?

No, this definitely is fiendishness in play. Otherwise, from ms' perspective, why not just cede the hardware market to anyone refusing to stanch ms' hemhorraging?

They know exactly what they are doing

Time for a good kicking and another very large fine by the EU competition commission.

Never ascribe to malice..

FFS, it's Microsoft. That is BOTH malice AND incompetence - no need to exclude one or the other.

The signed pre-bootloader allows unsigned code to be run. MS don't want to allow OEMs to use the same hardware design for Windows and Linux/Android slabs, it'd cut hardware costs for OEMs and customers would also start to ask questions about why same spec hardware is more expensive if it comes with Windows 8. MS want OEMs all-in or all-out, betting on that they'll decide all-in and lock out the competition.

RE: Never ascribe to malice that which can adequately be explained by incompetence

Sorry, but I disagree.

This is another one of Microsoft's crude attempts at inflicting DRM on the computing public.

The proof of this will be in 3 to 5 years down the road, as corporate PC's get retired, and hit the resale market. How difficult will it be for a second owner to put whatever O/S on it remains to be seen. I have supposed that, in order to "assist" its hardware "partners", Microsoft went down this shitty road. After all, if an OEM can turn a PC into the equivalent of a throwaway toy, like cell phones have become, then why not profit from planned obsolescence.

Its more like fuck the user.

Re: Paranoid?

You make sense to me, but pull back the tele a little and step into the wide angle. What exactly is the problem for a multi-billion dollar corporation to have people with no alternative to their product? Paranoid, maybe a little. If someone just bought a windows 8 PC today, and today was the first day they tried ANY alternate OS (in this case Linux), they would feel frustrated and probably never try an alternative today. You have to love options, unless you just bought a Windows 8 PC. This whole thing looks like good ol' fashion business to me. Yee Haaaa Cowboy!!!!

By the way, paranoid is just a state of preparation! :-).

Re: It's the season

No need to blame Thanksgiving or the Win8 release: Microsoft's season is all year round.

Technically the keys don't have to come from Microsoft: you are supposed to be able to install your own keys if you want to (at least on x86).

However, thanks to OEM deals the only keys that come pre-installed when the hardware is shipped are Microsoft's keys. If you want to run Linux "out of the box" without the user meddling with the BIOS settings (sorry, UEFI settings) then the only solution is to use a Microsoft (sub-)key.

Re: Hubris?

I know someone who uses Windows (XP though I think) and I just asked him if the Linux foundation can use his computer to upload the code. He's very willing (can't do it today though because he's reinstalling Windows).

Re: Hubris? WTF?

"In which case it's important enough to drop the bloody attitude, swallow your pride and just do it the way MS want it done, principals be damned."

Wow! Who agrees with that in regards to anything you buy, not just software? You've been married too long :-). There is 12 steps programs for this friend (just jump to step 6 and smile).

Re: Hubris?

The thing is surely it's not just going to affect rival operating systems such as Linux. What about other open source software such as Truecrypt, who aren't a competing operating system, but are going to have problems with full disc encryption.

Re: Hubris? "Hubris"? Excuse me...

But, considering that ms is one to bandy TCO and all the gold-plating buzz words, it stands to reason that ms should not be playing toll-taker or road blocker to helping secure the world's computers.

In the name of TCO and related, ms cannot logically or sensibly get away with this. And, what is to deter corrupt or criminal elements from using ms-ordained components from getting and tainting the keys? It may very well be that ms are taking a hellishly painful road to saintly altruism, but it does not look convincing given that so far it makes the toll much higer to be safe if one is not using ms wares nor has no desire to be funding ms' bottom line.

Am I missing soething fundamentally vital?

Maybe it is more about hemming in South Korean ms-based Internet users. Over 60,000,000 potential business and consumer systems stuck on old securit infrastructure facing a craftily-calculated thread, inducing massive hardware upgrades would produce a tidy sum for ms.

One in Five Online Shops Won't Let Customers Go

http://english.chosun.com/site/data/html_dir/2008/07/31/2008073161018.html

Korea's Internet Is Mired in a Microsoft Monoculture

http://english.chosun.com/site/data/html_dir/2009/10/27/2009102700899.html

Online Shopping Remains an Ordeal in Korea

http://english.chosun.com/site/data/html_dir/2010/01/19/2010011900379.html

Given the stakes involved, it is not difficult to see many Korean hardware resellers and ms exploiting the installed win base. Yes, the articles are dated, but still generally are in play.

Re: Different UEFI firmware

Microsoft forbids you from having those open bootloaders on ARM-devices. Thus Windows 8 capable ARM devices are essentially useless.

Re: Interesting approaches to monopoly

> End result: You can only run Apple software on Apple hardware, and you can only run MS software on MS-approved hardware.

Not quite. You can only run MS-approved software on any (non-Apple) hardware.

I find it difficult to believe that MS will get away with this.

I sense a "bios" setting for "MS-ONLY" which provide defaults to UEFI.

Re: Interesting approaches to monopoly

As far as I'm aware Vista SP2 or later will install on a mac, as will many linux distros. Earlier versions of Windows will on a Mac with the help of Bootcamp.

Android is available for some iDevices. Apple won't help you install it, but it doesn't look like they go out of their way to stop you.

Re: Interesting approaches to monopoly

"Microsoft: We get the OEM to tweak their hardware so that the only OS that'll run is the one we make."

Not quite. Windows 8-RT the above statement is true, for Windows 8 it should read something along the lines of.....

Microsoft: If you want to have your hardware certified to run Windows 8, and get the little sticker to say it is certified, you must ship it with Secure-Boot enabled, but you must give the option for the user to turn it off.

Re: Interesting approaches to monopoly

Err, no. The end result is that you can only run MS software on MS-Approved hardware if you can't deal with the frankly pathetically simple process of:

At boot time:

Press the button to enter the UEFI

Go to "Security"

Select "Secure boot"

Switch "Secure Boot" to "Disabled"

Save settings and exit

I just did it because I was helping one of our devs install Linux onto his laptop (Lenovo Thinkpad W530). He had been bitching about secure boot and how it was all a conspiracy, until I showed him just how easy it was to switch off. This prompted a "is that all you have to do?", followed by a "Yes, now shut up about it."

Re: Boot on the other foot

They are more than welcome too, it is standard rather than a microsoft product. However if they did it would be anti-competative and rightly be blocked. All the Linux community have do to is to work with the OEMs to get their certs. added to the approved list on new hardware and there is no issue. The subject of the article is getting their code signed by Microsoft so they can use the certs that Microsoft have already worked with the OEMs to add.

Re: Boot on the other foot

It wouldn't be a problem, because the Linux community doesn't have a massive monopoly position with OEMs, and therefore wouldn't be able to twist sufficient arms to get them to install the stuff on their kit.

The problem isn't UEFI or Secure Boot in itself, it's Microsoft's abuse of its monopoly position in order to make it very difficult (if not impossible) to install any other operating system.

Re: Boot on the other foot

Yeah, because there would be millions of people anxiously looking to install Windows on machines sold for running Linux.

It's pathetic, really. After twenty years, Linux is still dependent on the Windows hardware market to provide machines to install upon outside of specific markets where the OS has no identity for end users to consider, such as DVRs and other appliances. If there were really a viable market for, say, an Ubuntu tablet, it would be trivial for an OEM like Acer or Asus to make a generic model with no boot loader security active by default. But is there enough market to make it worth their trouble? It is a very different investment from a generic PC line that a fairly small company can produce and support.

Re: Once the pre-bootloader is released

"Why won't the virus writers simply bundle the pre-bootloader with their "products"?"

A couple of reasons. Firstly, they can't bundle the bootloader (it's not a "pre-", btw), because only a signed bootloader will be executed, so any malware has to start further up the chain. Secondly, the bootloader is for GNU/Linux so their malware actually has to target this platform rather than Windows. Well it doesn't have to, but you'd essentially be writing malware that infected Linux and then unloaded Linux and booted up Windows. Possible but very cumbersome. The install base of GNU/Linux is far smaller than Windows and most of the roots to infect the boot process would be opportunistic and thus target Windows.

Re: how to disable this secure boot

"how to disable this secure boot that's all I would like to know"

When you power up the computer, press the key to enter set up. Typically <F1>. Then mouse or cursor to the option saying: "Secure Boot: Enabled" and toggle it to "Disabled" or "Off". Exit and let the computer start up. It's much like changing the boot device in BIOS.

@Blue Philly Maraj - Re: how to disable this secure boot

It's not how you do it that matters, it's IF you will be allowed to do it.

Re: And I have this habit of assembling my own computer

"How is UEFI going to affect that?"

It wont. Also, by UEFI, I presume you mean Secure Boot which is actually only a smallish part of UEFI. You can just turn Secure Boot off. Unless you are building your own ARM devices.

Re: Summary of the "problems"

Quite. E.g. "there was no way for Bottomley to submit the Linux Foundation's pre-bootloader without loading up Windows 7 in a virtual machine". Or using one of over a billion machines in the world that have Windows installed.

Re: Summary of the "problems"

I completely agree.

From the article "As near as Bottomley can tell, there's a problem with the key he has been trying to use to sign the software, but the most he's heard from Microsoft has been, "Don't use that file that is incorrectly signed. I will get back to you.""

So either there is a problem with the key that he has been issued with, or that he is using it incorrectly. Either way it does not feel that this is evil at work.

Re: Don't like windows 8? Tough, you can't run anything else.

All the user has to do is to disable secure boot in the UEFI, and they can install whatever they want. I feel that if someone gets to the point that they are happy to replace their existing OS with completely different one, asking them to change 1 setting when the machine boots is not the end of the world.

Re: This UEFI thing...

"This UEFI thing... why do I get the feeling it'll be a complete flop?"

Possibly because you don't understand the difference between UEFI and Secure Boot and aren't aware that pretty much all modern x86 motherboards are shipping with UEFI instead of BIOS and that this has already been the case for some time. I have a motherboard here I bought about a year ago. And it has UEFI. Quite possibly you are using it now as well.

Re: Get an Apple Mac?

Apple Macs have been UEFI, not BIOS for a long time, not sure how long, but my G4 PPC (ancient in Mac terms) is UEFI.

Re: Microsoft reason of doing this

"they also take the chance to earn money from Linux."

Do you really think Microsoft are motivated by a $US99 fee they get from RedHat or SuSE asking them to sign a bootloader? Because that's how much has been charged.