back to article Red Hat engineer renews attack on Windows 8-certified secure boot

A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems. Unified Extensible Firmware Interface (UEFI) specifications are designed to offer faster boot times and improved security over current …


This topic is closed for new posts.


  1. Tom 15


    Surely people should be arguing with mobo manufacturers, not Microsoft. You can't really expect them to require a feature that isn't in their interests. Mobo manufacturers will want to give the option to turn it off as it requires no work from them and makes their boards more valuable.

  2. Field Commander A9


    Users are always in control: if you don't like a locked down computer, just don't buy it! Simple!

  3. David Austin

    This could all be fixed in a simple way; The Unified EFI Forum could mandate in the UEFI Specification that SecureBoot can be toggled on or off. Bonus points for mandating a way for end users to upload their own signing keys.

    The first could be possible - I think there's enough different voices in the EFI Forum to power this through. I can see the second option being more of a problem, but at least then Power users will have the tradeoff option for potentially allowing rogue bootcode against installing any OS they wish to use.

    To be honest, it's not Microsoft abusing this that I'm too worried about; Apple have a track record of playing the walled garden game, and their mac hardware already use EFI to boot - I can see them jumping at using this to lock other Operating Systems off their hardware.

    If this goes through as planned, good luck trying to install Linux on the 2013 Macbook models....

  4. ez2x

    Checkmate, freetards!

    Says billg

  5. Anonymous Coward
    Anonymous Coward

    Common sense...

    Just a little application of common sense:

    If MS force this, it will mean that you can't install any of their older OSes on new hardware.

    MS aren't stupid, they realise that there is a massive market in running their older OSes on new hardware, therefore they're not going to make hardware manufacturers prevent the end user from diabling. More than likely they will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc.

    1. Anonymous Coward
      Anonymous Coward


      they would just force you to upgrade. Not sure they really want anybody to still be running XP into the next decade.

    2. BristolBachelor Gold badge

      "if you don't like a locked down computer, just don't buy it! Simple!"

      It's your choice. Where would you like your Etch-a-sketch laptop delivered?

      (It's the only non-locked-down laptop now available after nobody complained about the 2012 MS corruption of hardware manufacturers)

    3. Red Bren


      Apple are happy for you to run other OSs on their hardware. They even provide tools and drivers. What they object to is you running OSX/iOS on anything other than their hardware.

      1. Anonymous Coward
        Anonymous Coward

        I like Bootcamp and i like Apple hardware...

        but I haven't managed to get AROS running on one yet.....

    4. John G Imrie Silver badge

      Do you know

      How difficult it is to buy a PC without windows on it?

      Now tell me which OEM is going to jeopardize their Microsoft discount by not installing this feature?

      1. Mike Pellatt

        Do you know...

        Now tell me which OEM is going to jeopardize their Microsoft bribe by not installing this feature?

        There, fixed that for you.

      2. Field Commander A9


        Go to your local computer shop and let them make you one from standard parts. Or just DIY your own, since all you need to make a common PC is case+MB+CPU+RAM+graphic card+HDD+monitor+KB+mouse+speakers......I mean, just how hard can it be for an average El Reg reader!?

        Much cheaper than any OEMs and no software pre-installed!

        1. asdf Silver badge


          So DIY includes putting together your own PCB mother board now too eh? This might have been possible in mid 70s with soldering skills but not so much today. The issue is on the motherboard bios not all the other components.

          1. Ramazan


            Best of all would be to force (by law, of cource) OEMs to ship BIOS/EFI source code _and_ build environment with every MB they sell.

        2. Hugh McIntyre

          Re: simple

          You make your own laptops?

          Simple for a desktop, not so much for a laptop...

          Plus even home-made desktops generally start with a motherboard which already contains BIOS, etc.

        3. Tom 35 Silver badge

          Build your own laptop?

          Lets see you build your own laptop...

        4. diazamet

          And for a laptop????

    5. Nuke

      @ 1st Post AC - You've missed the point

      Wrote :- "More than likely [Microsoft] will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc."

      Crickey, you've managed to miss the point of this. Why the heck would MS want to do that? They want to SELL Windows 8, not let users get away with using XP or Win 7 for longer.

      And of course, MS want to lock out Linux and BSD from PCs.

      They wont get away with this nasty trick in the professional and server market (where it will be the USERS who "force hardware manufactures to include a switch [or the key, whatever]"). What it would stop though is the private user, having bought a PC from the high street, installing Linux - or just giving it a try. MS hate the private user doing that.

      Basically, this is part of MS wanting to turn the PC into a media platform, like a TV or phone, all on MS software and out of the users' control.

      1. Anonymous Coward
        Anonymous Coward

        Being a bit realistic

        Microsoft's main customers are corporate desktop users and corporate server users. Most of these companies require to change hardware on an approximately 3 year depreciation cycle. They don't however replace their OS builds in anything like this period. Typically you'll see most corporate users skiping at least one major version of the OS, certainly in desktop. In the server market, there are still a huge amount of W2003 servers, some W2000 servers and still some companies with a bit of NT4, mainly on up-to-date hardware. If the majority of customers are on W2003 - a nearly decade old OS, how long before they upgrade to server 8? The upshot of this is that if no facillity to disable secure boot is available, MS will seriously annoy all of their major customers.

        I repeat myself: It's not going to happen.

        1. Anonymous Coward
          Anonymous Coward

          Oh really

          "Most of these companies require to change hardware on an approximately 3 year depreciation cycle."

          That must be why I have posted this comment using IE6

          1. Anonymous Coward
            Anonymous Coward

            @AC 1602

            Read you post again, you make exactly my point:

            *Hardware* is replaced on a fairly regular basis.

            *Software* is replaced much less frequently.

            Therefore new hardware without the ability to switch off safeboot would be MS shooting themselves in the foot by alienating their corporate customers.

        2. frymaster


          All this means is that CORPORATE MANUFACTURERS will include such the "disable secure boot" toggle - they'd be stupid not to. That says nothing about the rest of the market, especially the pre-assembled end of it (I suspect consumer retail motherboards to be likely to support disabling it; OEM ones, _maybe_ not)

    6. Nuke

      @ Tom 15

      That is a bit naive. MS will pressurise manufacturers NOT to allow the feature to be turned off.

      MS have massive power over device makers. Their threat is to withdraw discounting the cost of Windows to OEM PC makers who need to buy copies in bulk. No mainstream PC maker can stand up to that threat. In turn, that threat goes back to component makers.

      And it is no good the mobo maker building in a disable switch (hardware or code) because the PC maker would not pass it on to the end user if MS demand otherwise. The PC maker could disable any hardware switch by solder link; and a code could simply be binned after they have installed Windows.

      From then on that PC will boot nothing except that copy of Windows.

      1. frymaster

        MS isn't stupid

        "MS will pressurise manufacturers NOT to allow the feature to be turned off"

        That would leak in about half a second, and trigger a new round of EU _AND_ US antitrust penalties. They don't want that.

        1. Nuke

          @ Frymaster

          Loads of damning things have "leaked" out of Microsoft, from the Halloween documents years ago to their blatent stuffing of Standard Committees with their "partners" in the OOXML affair.

          But they are still here and they still carry on.

          Because most people (politicians especially) worship them as untouchable tin gods.

          1. Goat Jam


            They are the second most evil company in the world (after Monsanto)

            You are correct, things that would be fatally damning for most other companies are constantly made public about MS and they continue on unchecked.

            On the exceedingly rare occasion that they get prosecuted for something they simply throw a few "free" Windows + Office" licenses at education institutions in the complaining jurisdiction and their troubles magically disappear.

            The US won't touch them because the US has only 2 industries of any worth left, Tech and pop culture media.

            These are the only things that the US still has the ability to sell to the world, and it is no coincidence that these two industries are given complete freedom to screw everyone over in order to maintain their dominant positions in their respective markets.

            Should MS, Oracle and Apple fall along with the MPAA and RIAA members then the USA would be truly irrelevant to 95% of the planet.

            I'm sure politicians are aware of this and thus they allow them to get away with anti-consumer practices across the board in order to retain their relevance in world markets.

            All is not lost however because it is a negative strategy and ultimately negative strategies fail.

            Despite their best efforts to use hostile litigation and anti-competitive lock-in strategies to keep at the top of the heap, eventually others will come along who offer better products with less pent up antagonism directed at them.

            People increasingly come to resent being harassed, dictated to and having their choices removed for the benefit of corporate profiteers in another country.

            People no longer *like* Microsoft, or their products. They associate them with boring jobs, and having to wait for ages while the crappy slow corp PC they have on thier desk reboots after a crash . Even longer for patch tuesday, not that they know what patch tuesday is.

            Microsoft and Windows are not cool. There is no "wow, I must get the new Windows phone" factor and the few remaining OS fanboys out there are not enough to sustain the corporation that is the size of the Beast of Redmond. Most of the OS fanboys have the ability (and willingness) to pirate their copies of Windows Ultimate anyway.

            If they do manage to achieve what they are trying to do with this latest lock-in gambit then they will just cause even greater dissent from their existing customer base and increase the rate of user defections to other forms of computing, such as tablets and such.

            The thing that killed the netbook was MS and Intel trying to dictate to the OEMs what they could and couldn't build. In their arrogance they just assumed that everybody had no choice but to purchase PC's, and by creating a set of artificial limitations they could force people to purchase PC's with a more expensive processor and OS just so they could get what they actually wanted, which was a bigger screen.

            Of course this strategy failed spectacularly and simply left a gaping hole in the market in which Apple promptly shoved the ipad to great success.

            If MS succeed in their aims they will just push more people to purchase things other than PC's.

            In fact, it is intel who should feel most scared by this. If MS succeed in tying Windows to x86 hardware then it will be the ARM vendors who come in to take up the slack.

            I'm yet to be convinced that MS will be successful in their efforts to port their full Windows + Office stack to ARM so ARM makers would have no incentive to yield to MS threats and lock their hardware to Windows.

            Even if MS do succeed in getting Windows on to ARM, I doubt very much that most of the ARM vendors would be silly enough to listen to such threats anyway as it would mean cutting off what is currently 100% of their market in order to sell in a new market (Windows) which is completely unproven to this point.

            MS will fail. Every time they try one of the tricks that worked for them in the 90's they will find that those tricks no longer work in the more mature market of today.

            They remind me of Bart Simpson on that episode where Lisa was using him as a psyche test subject and the electrified cupcake.

            Hmmm, cupcake, OUCH!!!


            Hmmm, cupcake, OUCH!!!


            Hmmm, cupcake, OUCH!!!


            1. Field Marshal Von Krakenfart

              @Goat Jam

              Given that MS, Oracle, Apple, Intel and a host of other companies operate from non-'merkin tax havens, and that a significant portion of merkin businesses are owned by OPEC companies/countries, and those that arn't have outsourced most manafacturing to the far east it would seem that apart from supplying the world with petro-dollars, that the USA is truly irrelevant to 95% of the planet, aprt from the bits that it's bombing, invading, suberting or proping up the puppet goverment.

            2. Barracoder
              Paris Hilton

              And the prize for Most Egregiously OTT Comment goes to....

              "Microsoft - They are the second most evil company in the world (after Monsanto)"


              Paris, because she's hOTT.

              1. goats in pajamas

                Top 10

                Somebody has to be the most evil company in the world or the second most, because both evil and companies exist.

                Microsoft have become Mafia like - they extract protection money from people selling other OS's, extort funds from Public Budgets for "licences", tell lies to Government Inquiries and so on.

                Such behaviour is evil. You could also call it stupid, greedy, shallow, destructive, anti-social. Evil's just a convenient catchall term.

                But Microsoft surely are up there with the worst of them.

                Not sure about No2 my self. I think the makers of mines and depleted uranium weapons are a tad worse.

                But they all cause a great deal of poverty of opportunity and shortness of funds.

          2. llewton

            true in the united states of america.

        2. llewton

          rest assured there will be legal action in europe if this goes through.

          -- with or without leaks and "pressure".

          microsoft are threading very thin ice here.

    7. This post has been deleted by its author

      1. Field Marshal Von Krakenfart

        "This most likely requires re-seating a jumper or something similar to assert "somebody is really physically at the hardware"."

        Why do you assume this will be a hardware reset, my suspicion of mickeysoft would say it is going to me more like connect to the interweb and then phone the premium line, have all your licence keys handy....

        "so anything signed with Microsoft keys loads up on your new machine"

        Including MS genuine (dis)advantage, mickeysoft DRM, etc.

        There seems to be a simple solution to all this, don't but MS.

      2. Ramazan


        I have read the spec you mentioned. These your statements are wrong:

        "The spec mandates that there must be a method to clear the platform and enter 'Setup Mode' again if the keys are lost. This most likely requires re-seating a jumper or something similar to assert 'somebody is really physically at the hardware'."

        What's said there is different from your version:

        27.5.2 Clearing The Platform Key

        The platform owner clears the public half of the Platform Key (PKpub) by calling the UEFI Boot Service SetVariable() with a variable size of 0 and resetting the platform. If the platform is in setup mode, then the empty variable does not need to be authenticated. If the platform is in user mode, then the empty variable must be signed with the current PKpriv; see Section 7.2 for details.

        This means that once platform is in "user" mode with MS keys, you're screwed.

    8. h 2

      @Field Commander A9

      In the same way no one bought copies of "locked down" DVD's

    9. henrydddd

      pure greed plain and simple

      From an engineering standpoint, this who concept of a secure boot can be handled from a hardware change. If you have a switch ether on the motherboard or a jumper on a hard drive that when set, the mbr cannot be written. In the early 90's, motherboards had a bios switch which (in the bios setup there was on option of lot letting the Master Boot Record to be updated), when set would accomplish almost the same thing (like not letting malware update the mbr). I often was thwarted in installing an operating system when the words "an attempt to update the master boot record has been made" and I would ether have to go to the bios setup screen or answer a question "do you wish to proceed?". Some might complain that malware might reflash the bios, but a switch on the MB or disk drive would eliminate that worry.

      Considering how MS, Apple and others have attacked Linux, and Andriod, it should be painfully obvious that MS is using this approach to totally control the user. MS does not want a repeat of their mobile phone falling off the map. If you are a Windows user, you might just ignore this, but you also might have a few problems installing Windows 9 on a computer with Windows 8.

    10. cloudgazer

      'If MS force this, it will mean that you can't install any of their older OSes on new hardware.'

      You can't use existing builds of those OSes no, but there's nothing stopping MS producing a signed version of XP and making it available to enterprise clients. It will screw consumers trying to run old OSes, but mostly MS doesn't believe you have a valid license to your old OS anyway - except running on the old hardware it came with.

    11. llewton

      shareholders are curious

      with microsoft bleeding billions all over the place, will this attempt be worth the anti-trust fines, and the reversal/adjustment of policy that will be required of the company.

    12. AdamWill

      "mobo manufacturers"

      you do know that, er, most consumers don't buy motherboards, right? they buy computers. and it's a bit difficult to build your own laptop, never mind tablet.

      1. Goat Jam

        You do know that

        "mobo's" are where the BIOS is physically located?

        Of course, being the genius that you so obviously are you are also aware that the ODM's (ie Dell, Packard Bell et al) of this world do not actually make their own motherboards.

        How it works is that OEM's make the motherboards on the behalf of the ODM's (sometimes to their designs, sometimes not) so my use of "mobo manufacturers" is broadly intended to include all manufacturers of all motherboards.

        But then I'm sure you knew that, seeing that you are a genius and all.

        All that semantic crap aside, I have no idea what your point is here. You say "it's a bit difficult to build your own laptop, never mind tablet.".

        This is in fact quite true. In fact I'm not sure how you came to the conclusion that I thought it was otherwise? Are you perchance responding to somebody else's post?

        1. Anonymous Coward
          Anonymous Coward

          Oh look...

          Goat Jam has gone on a large anti-Microsoft rant, full of factual inaccuracies and paranoid assertions, that's out of character.

    13. CheesyTheClown

      Windows 8 will boot on old hardware, just not be certified.

      This is a requirement of the certification program for Windows. It has nothing to do with which machines Windows 8 will or won't run on. It has to do with requirements being met before you can put a Windows 8 Certified sticker on your box...

      Don't get carried away over nothing.

  6. DrXym Silver badge

    So anticompetitive

    MS would love to pretend this is all about stopping malware. It might stop malware as a side effect but the real intent is stop consumers removing / rooting / jailbreaking their computers, especially tablet PCs.

    I think the issue is going to be difficult to resolve though. The traditional PC world is colliding head on with tablets which are more consumer devices. Should users be able to flash their devices in all circumstances? If I buy a Microsoft branded tablet, or one "designed for Windows 8", why should I even expect to be able to run any another OS?

    My own feeling is that Microsoft should do the right thing here and change their specs so desktop form factors must NOT use boot loader encryption by default, and tablet form factors submit all keys and device serials nrs, hardware ids to an independent key escrow service and provide a simple tool where consumers can feed their serial nr into their computer and receive an unlock code.

    At the end of the day it would avoid a lawsuit and I doubt they have much to worry about a significant percentage of people doing it anyway.

  7. Anonymous Coward
    Anonymous Coward


    "...he end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC..."

    What a load of paranoid nonsense. Does Garrett really think that MS are going to try to prevent people from upgrading their PCs? It's just not going to happen, if anything there is the issue that they'd end up with another anti-trust case on their books and they really don't want to end up there again.

  8. Random Noise

    Simple solution

    Surely a simple solution would be inlcusion of a jumper somewhere. If the jumper is not set (default) then only a digitally signed OS will boot.

    Change the jumper & when booting the firmware pops up a message to state 'unsecure boot' or whatever then carries on.

    Only people who have an idea what they are doing will open up the chassis & start meddling with jumpers. You need hardware access to the machine to change the jumper so no nasty virus can change the setting.

    The warning screen lets anyone who has had their machine physically hacked know that something is up with it.

    Seems like a simple solution, but I can't imagine its in the best interests of M$ to do so.

    On the other hand they could be staring down another anti-trust if they're not careful.

  9. Steve Davies 3 Silver badge

    Open your PC Case, go to jail, do not collect £200

    What Microsoft and the mainstream (eg large) PC Manufacturers want is the the PC of the future is locked down and that even opening the case would constitute a violation of the DMCA (or local equivalent).

    Gone would be the days when you could add RAM, a second HDD or swap the DVD drive for a BluRay one. Disabling the Secure boot could be regarded as copyright circumvention by some courts. Jail time anyone?

    The EU would like to make even changing the spark plugs of a car outside a recognised service centre illegal. It does not take much to extend that concept to PC's.

    Tux. could become extinct. Better add it to the 'Red List' pronto.

  10. Anonymous Coward
    Anonymous Coward

    You can disable it

    Not a lot of bloody good then! Some nasty person will convince the marks to disable it ( if they haven't already disabled it! ) and back to square one!

    I appreciate it has some benefit and despite being a committed Linux/OSX fanboi I will give MS the benefit of the doubt, they seem to be being painted in a bad light over this lock-down BIOS business.

    1. Steve Evans

      @Random noise

      I agree that for the great unwashed, anything which stops them getting infected is a good move. Although convincing them to install something other than windows would probably do far more good than a locked down BIOS!

      A physical link would be a little annoying, a BIOS switch would be enough. There are already ones for protecting the boot sector, so along side that would seem to be a perfect place.

      But this *must* be written into the spec from the beginning.

      It is a little amusing that whilst M$ are going round trying to lock people into their OS, Android mobile phone manufacturers such at HTC are being forced to open theirs up due to the sheer pressure from handset owners.

    2. Nuke

      @ Random Noise

      Wrote :- "Only people who have an idea what they are doing will open up the chassis & start meddling with jumpers."

      You don't know many people do you?

      1. henrydddd

        Most Linux people do. Also, corporations who use Linux have people who can read a motherboard manual and set a switch


This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019