back to article Windows 8 secure boot would 'exclude' Linux

Computer scientists warn that proposed changes in firmware specifications may make it impossible to run “unauthorised” operating systems such as Linux and FreeBSD on PCs. Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image …

COMMENTS

This topic is closed for new posts.

Page:

      1. Adam Nealis
        Stop

        Not the same thing.

        There is nothing to stop you (in principle) from installing a different OS than intended on these systems.

        The difference in this is case one's kernel must be signed, and the signing key recognised by the BIOS.

  1. Anonymous Coward
    Trollface

    Security

    Surely if security is the goal then having it recognise the Windows keys and refusing to boot would be a better idea.

    1. dssf

      If security is the goal...

      Then, it should be a NATIONAL/GLOBAL mandate, not one from mshaft.

      If it is about letting governments have backdoor, escrowed keys, then it should NOT BE ms that is the gatekeeper of those keys.

      Stallman et al need to REALLY quit wasting time ranting about Android and kick it into full gear on this EFI/TC chip. Government COULD demand that all mass-maket or commercial/retail consumer computers capable of loading an OS must have a TC-type of BIOS regime, but then, it MUST be an OS agnostic system, not one that helps a piss-ant, ape-jumping company get rid of competitors.

      Goddamn microsoft. JUST when I was gradually letting down my hair and easing up on anti-ms ranting, you STIR UP THIS SHIT AGAIN! I hate feeling filled with venom and vitriol, but goddammit, if i had the magic red nuke button, I'd kneecap that company, maybe up to the sternum.

      All this benevolent kernel involvement was probably to get on working committees to get legit, timely, deep insight and constant data stream on how the Linux kernel development and deployment works JUST so ms and its root-sucking, jack-ass consortium of fools can support ms in coopting the boot/bios industry to the exclusion of all others, save for Apple.

      Now, more than ever, foreign governments need to put a morningstar into ms' ass. In the name of national security, no government should let ms get away with this shit because it means likely only ONE country will have preview or full access to the global escrow.

      This IS SCARY, and inFURIATING.

      I still have a suspicion that ms has found ways to infiltrate and fuck up the distros distribution for the most popular distros such as Mandriva, PCLOS, Ubuntu and others. I for the past year have had increasing failure rates of installing PCLOS from magazine pressed/distributed discs than ever. It is maddening to have no clue, and no matter how thin or how fat an install, no matter which kernels, I have very little stability. I have no idea why ioslaves are rampantly failing for me. On FRESH installs, i'm talking about. It's so painful it drives paranoia a lot easier than questionable hardware. Each release of the kernels and update of KDE just brings me more and more frustration. I'm at the point where I feel I'd rather PAY $100 or $200 for someone to install it for me and provide me recovery disks and USB devices. But, i sure as hell will have them do it in a near-cleanroom setting, not from their own media and facility and have an opportunity to jack in some backdoor kit. I may inadvertently install a roge rpm, but it'll be MY error.

      OTOH, I sometimes wonder whether the distros themselves may be making things randomly painful by over-providing, or on behalf of hardware dealers who wish they could be part of the build process. In either case, I want LINUX as the host OS, and any windows as a virtualized, sequestered, QUARANTINED GUEST! Not the other way around. It's my CHOICE and my RIGHT, and ms should be fracking happy they at LEAST get a legit sales via a legit consumer purchase out of me since my desired apps don't run well in wine or not at all in Linux.

      1. MCG
        WTF?

        The simplest explanation would be that your PC and/or its optical drive is FUBAR'ed. But don't let me kill your paranoiac buzz!

  2. graeme leggett Silver badge

    Swings and roundabouts

    If this was offered as an option at point of sale. I can see some benefit in corporate security terms in preventing a PC from booting from an "alien" OS eg off CD.

    On the other hand if implemented across the board (no pun intended) it could well make homemade tools and recovery discs useless as well as dual boot systems.

    1. BristolBachelor Gold badge

      But it would still boot off a signed CD (e.g. Windows).

      If you don't want anything unauthorised booting it, turn off the boot from CD (floppy, usb, etc. etc.) options.

      Even better, don't have a CD drive; lots of attack vectors suddenly disappear, and you don't want admin people walking around with CDs anyway; store them all on an admin only share.

    2. Anonymous Coward
      Anonymous Coward

      Corporate IT would hate this

      It would *force* a company into a piecemeal upgrade of their systems.

      No mid-to-large company wants to do that - they want to keep everybody on the previous version until they can shift everybody onto the new one.

      This future is one where a company buying a new computer can *only* run the new OS on it. Your PC died and you need a new one, and it needs to run your legacy apps? Sorry, but MS says you can't do that.

      You need those legacy apps to do your job? Oh, what a shame.

      This would kill the Microsoft Windows PC, as no corporate could afford to accept it.

  3. Zebo-the-Fat
    Linux

    Simple Solution

    If the MOBO won't run linux or whatever I decide to use, then I will just refuse to buy it. If others do the same, then maybe when the manufacturers see their sales drop things may change.

    1. phlashbios
      Stop

      Sales drop?

      Businesses buy Windows PC's for end users. Consumers buy Windows PC's (and sometimes Apple's products)

      Where exactly do you think the huge drop in sales is going to come from that would alter what manufacturers do? Do you honestly think that the tiny minority that run something other than Windows or Apple's OS, are going to influence manufacturers in any way whatsoever?

      There are a variety of reasons why this initiative may fail dismally, and thankfully not make it to market, but a drop in sales isn't one of them.

      1. PyLETS
        Linux

        Sales drop: because closed hardware is crap hardware

        "Where exactly do you think the huge drop in sales is going to come from that would alter what manufacturers do? Do you honestly think that the tiny minority that run something other than Windows or Apple's OS, are going to influence manufacturers in any way whatsoever?"

        Um, do you have any idea how often the typical Linux user is asked for hardware purchase recommendations by non Linux users ? As far as I'm concerned, if hardware doesn't run Linux, by being closed, this means it's probably undocumented and barely tested, and we have no way of knowing how crap it really is. So it's likely to have problems being upgraded to the next version of ProprietaryNClosed OS, for which even the next forced patch level may very well break it.

        Anyone who had to tell people to throw away cheap Winmodem crap once the software which worked on Windows N didn't work with Win N+1, and the manufacturer had lost interest in maintaining the drivers will know all about this.

        1. Anonymous Coward
          Anonymous Coward

          Or trying to get Linux to talk to a WinModem in the late 90s.

        2. Tomato42
          Big Brother

          Don't need to look at the '90s, just look at Creative and their drivers.

          They sued the guy that un-broke their drivers to work with Windows Vista.

    2. Aaron Em

      You and three other neckbeards

      aren't going to make a hell of a lot of difference to anyone's profit margins.

      1. Anonymous Coward
        Anonymous Coward

        Other than to...

        RedHat. And Samsung. And Netgear. And Cisco. And Shiva. And...well, you get the idea.

    3. dssf

      Drop in sales... only part of the pain they need

      Is only PART of the after-effect. For even daring to take part in such heinous acts they need to suffer severe legal retribution, plain, swift, simple, and enduring so they learn to not cozy up so much to a company that behaves like a tyrant yet donates to charitable causes to soften its rough edges.

      Would ms and its chairpeople donate if the company's public image were not so under siege?

  4. Boris the Cockroach Silver badge
    FAIL

    I'd give it 3 weeks

    after first coming to market that the clever linux bods find a way round it.

    and 3 days before the malware scum find a way past it

    1. Anonymous Coward
      Anonymous Coward

      :)

      "Those malware guys will NEVAR get a hold of an improperly signed certificate!"

      /sarcasm off

  5. Anonymous Coward
    Anonymous Coward

    They are finally pulling the trigger on TPM?

    So, they finally feel bold enough to pull the trigger on Trusted Platform Computing? With the proliferation of tablets, cheap computers (Raspberry Pi), and phones?

    Microsoft really thinks they are big enough to tell the PC makers "Hey, we want you to jump on this grenade to save us. Don't worry about the inevitable anti-trust suits, don't worry about having to keep your servers and your personal computer lines separate because servers need to run Linux, don't worry about anything but protecting Microsoft. GO!"

    1. Anonymous Coward
      Anonymous Coward

      "because servers need to run Linux"

      You Linux fanbois are almost as bad as apple fanbois

      Hint: There are many many many open source unix alternatives to linux

      1. DavCrav

        "You Linux fanbois are almost as bad as apple fanbois

        Hint: There are many many many open source unix alternatives to linux"

        All of which are not Microsoft, so would be banned also. So what's the difference?

      2. Ramazan
        WTF?

        @AC 18:54

        What do you mean by server then? Secondhand SPARC running plan9? Don't be silly, there is no open source UNIX other than some kind of RHEL on enterprise servers

        1. Adam Nealis
          WTF?

          RHEL != Unix

          Linux is not Unix.

          If you had said FreeBSD you would have been closer.

          1. Ramazan
            Facepalm

            @Adam Nealis

            Wrong, GNU's Not Unix, but this is just blah blah and has nothing to do with what I'm saying here. Oracle (and Java probably too) aren't supported on FreeBSD, OpenBSD, NetBSD, fooBSD and barBSD while they are on RHEL, SLES, HP-UX, Solaris, AIX and even on Tru64 and this is what matters for server. If you are OK with limited box, then you may go with SheevaPlug and happily live together ever after. Most customers aren't and they want Linux

        2. Anonymous Coward
          Anonymous Coward

          Ramazan, you are typical of the sort of fanboi I was referring to.

          Have you looked at the top netcraft servers? Generally at least 4 out of 10 run FreeBSD. In the latest survey, there were more Freebsd than linux! http://news.netcraft.com/archives/2011/09/05/most-reliable-hosting-company-sites-in-august-2011.html

          I also know MANY MANY enterprise servers that run FreeBSD, NetBSD, OpenBSD, etc.

          netcraft themselves, yahoo, ISC, etc

          Unfortunately, many of my customers are gradually switching to Linux, because a lor of the so called "unix" experts are only used to the many non-standard linuxisms with respect to unix (or unix like) implementations.

      3. Tomato42
        Paris Hilton

        I would need to use the definition of "many" equal to 1 to count OSS UNIX alternatives to Linux.

        Paris, for even she doesn't count to three using "many".

        1. Anonymous Coward
          Anonymous Coward

          I see your '1' and raise you to '5':

          opensolaris

          netbsd

          freebsd

          openbsd

          dragonflybsd

  6. Anonymous Coward
    Anonymous Coward

    Planned obsolescence by crypto key

    Why, isn't that smart? You buy a second-hand computer (not now, but say a tech generation or three after this gets put in practice) but no new copies of windows will run on it because the keys are "too old". And any alternative won't run at all. I can see why they like this idea. And now is a pretty good time to go for it, now that everybody knows that good handling of keys is essential and my aren't they proactive and Stuff. Only they're screwing you big time, like your computer is a game console. Only you didn't get the discount on the hardware. Way to productize your customers, micros~1.

    1. scarshapedstar
      Coffee/keyboard

      Wow, I forgot about that. hilari~1

    2. Paul 129
      Devil

      Thin edge of the wedge

      I can't believe people didn't see this one. Even if they lose money on this now what it offers, in the future, is the ability to charge the hardware makers more in return for more sales.

      Oooh IT downturn you say, we've got a new shiny shiny, but to use it you need to pay $X for each motherboard for your license to the key, so make them nice n pricey the sheep wont notice they'll just have to pay for a whole new system if they want it. They're used to that now...

      Oh n dont forget as part of they key license, your only allowed to manufacture Y number of boards for those other OS's (erm non conforming boards)

      Our only hope against this IS government intervention against the M$ monopoly. That has always worked in the past.... Ohhh.

  7. Wize

    Well...

    1) Pirates will circumvent the keys

    2) People in the know wont buy the hardware so they can run other operating systems

    3) IT support wont touch them as they will want to boot from CD (sometimes Linux) to fix problems on a machines.

    Can't see any benifits

    1. henrydddd
      Unhappy

      hmmm

      I wonder if MS will try to get the law changed so that, like Sony, it will be illegal to put Linux on your pc?

  8. The Alpha Klutz

    It's a crying shame, but somehow I'm sure there will always be a market in motherboards that aren't crippled in this way.

    Such a move would also create a new market in high quality firmware cracking tools just as there are already high quality Microsoft cracking tools. 'High Quality' means that they work and are not malicious, which is ironic because the copy protection mechanisms that they remove often do not work (self evidently) and are malicious (you're basically being spied on).

    Inevitably though such firmware lockout schemes will make it into the millions of low quality computers that Dell and Acer must be selling at cost price these days. All Microsoft has to do is offer them another couple of dollars off Windows and the temptation to screw their customers would be overpowering as usual.

    There is probably a market for this kind of thing in set top boxes and the like, when manufacturer's want to sell their hardware as a loss leader, and don't want some "scum" "bag" installing a proper OS on it and using it as a cheap PC. The Xbox will probably have this new firmware in it. But then the Xbox also breaks 5 times a day so there you have it.

  9. Mike 29
    Mushroom

    Every windows 8 story

    ..makes me more certain that it's going to replicate the visionary success of Vista.

    </sarcasm>

  10. Jemma
    FAIL

    And people still think St Jobs is harmless?

    The Great Jobs and his closed system goodness started all this and I hope the ifundies are proud of themselves for perpetuating it until it reached this epitome of ridiculousness.

    If this isnt stopped then Microsoft have everyone by the curlies.

    1. Assuming the ARM incompatibility re current windows apps is true - whole new app & systems will have to be upgraded, at once. Costs of which will kill small companies stone dead. Not to mention the lost business all such fundamental upgrades always bring.

    2. Even if there *is* a way of bypassing it companies wont use it because of fear of being sued for using jailbroke software stacks. Think im a pessimist? Just look at the legal battles over curly corners happening right now.

    3. Every single update will most likely break the jailbreaks that worked before. Another reason non MS will be killed in the commercial appspace. Companies just cant stop for 36 hours every time MS brings out an update.

    This is the point the various monopoly commissions need to step in and kill this stone dead - if they dont its going to make the credit crunch look like a fender bender. Companies will fall left right and centre, destroyed by the very IT they rely on.

    There is something even worse to contemplate. Lets assume, for example, Nokia drops WinPhone and keeps with Symbian and MeeGo. How hard would it be to introduce a bios level incompatibility? Ditto Android & even iOS. Syncing therefore impossible - or maybe modify Exchange to not talk to anything Linux based... And call it a bug, that we just cannot seem to fix...

    If that happens there are two possibilities. Firstly, we all bend over and take it up the tuchus. Secondly - Microsoft single handedly make the desktop/laptop extinct. Whichever happens people and companies will suffer during the intermediate period and ultimately we all will as a result.

    This is an extremely dangerous possibility and an entirely plausible one. And people wonder why I hate iFundies and the Steve they rode in on...

    1. Anonymous Coward
      Anonymous Coward

      Fall

      "Companies will fall left right and centre, destroyed by the very IT they rely on."

      [classic English understatement]

      I don't think they will.

      [/classic English understatement]

  11. Captain Scarlet Silver badge

    Signed version of Linux/Unix

    So the same could be said for Linux and Unix being preinstalled, except for I know Grub does support booting to windows quite well.

  12. Anonymous Coward
    Anonymous Coward

    This has all the hallmarks of not just Microsoft but

    This has all the hallmarks of not just Microsoft but the whole "content" industry, whose efforts to ensure a secure copy-protected delivery chain at every stage from disc (or network) to screen have been so helpful to PC and TV users and content consumers in recent years. Not.

  13. Wile E. Veteran
    FAIL

    Sounds like ..

    One hell of an anti-trust suit to me. Trial lawyers, sharpen your knives, there's a big fat hog just waiting to be butchered.

    BTW How is this any different (in concept) than IBM making their OS's only run on IBM hardware?

    1. DutchP

      it's the exact opposite

      make all hardware not run anything other than your software

  14. Ryan Kendall
    FAIL

    Sounds Like an Apple

    Bundled OS with hardware ?

    1. Anonymous Coward
      Facepalm

      The difference being ...

      Apple make what are essentially unencumbered PCs -- which can be loaded with any OS you like. For the time being at least.

      A Mac is just a perfectly standard Intel PC with the addition of a hardware EFI bootloader interface ... that's not a problem. You can run Linux, Windows or BSD Unix without a hitch either as a primary or secondary OS, as several comments have already mentioned.

      What is being proposed here is that your hardware would be unable to run anything but the copy of Windows it came supplied with and NOTHING ELSE.

      That's simply not the same thing, nor is it even remotely legal.

      The whole thing smells of desperation on the part of MS.

  15. Chad H.

    Forgive me if this sounds ignorant

    But what is the benefit of running only signed code during boot time? Are there better ways of getting the same result?

    Seems to me from the sounds of this article to be a blatant attempt to missue market power...

    1. diodesign Silver badge
      Facepalm

      Anti-malware

      The only benefit is to stop malware infecting your boot-up. As soon as the boot executables are nobbled, their signatures will change and the UEFI firmware will reject them. If the machine will only start securely signed bootloaders, it's therefore game over for the trojan trying to gain control of your PC during initialisation.

      Unfortunately, there's no way (as it stands) to tell the difference between an unsigned malware-infected bootloader and an unsigned bootloader for Linux.

      1. Charles 9
        Mushroom

        But...

        ...there have already been cited instances of signed malware (indeed, malware signed with keys too ubiquitous to revoke--Realtek makes most of the mobo sound chips on the market; bye-bye sound?). What's to say some malware group enlists or worms a mole into Microsoft such that they can get at Microsoft's private keys? Or employ GPU-augmented botnets to find weaknesses in the signing algorithms? Either way, the end result would be a SIGNED malware bootloader. THEN what?

      2. CyberCod
        FAIL

        Wouldn't this mean that once infected, your computer never boots again until its proper bootloader is restored?

        It sounds like a downtime nightmare.

      3. BristolBachelor Gold badge

        Re: Anti-malware

        Won't work. Ever.

        Just like the DVD scrambling didn't work, and ditto for Blu-ray, PS3, HDCP, printer-ink cartridges, iOS, etc... People will break / leak / work around the keys.

        There are already virii that tamper with the BIOS. There are already Virii that get around only signed software installs / drivers, etc.

        What it will (possibly) do is make it harder for people to install any OS they want. Apple might be happy because machines won't run Mac OS X (without even more effort).

        Windows / OEMs may change the keys from one generation of Windows to the next or between OEMs, etc. No putting new windows on old H/W; you have to buy new H/W. No putting that HP OEM Windows on a home-build or Dell box.

        Maybe even stop people putting old Windows on new HW. Enforced upgrade cycles are good for everyone (except the customers).

      4. henrydddd
        Linux

        why

        Instead of assuring only windows will be allowed to boot, why not lock up the boot sector with a switch that has to set. For the consumer who in smart enough to install a new operating system, setting that switch will be no real big deal. Unless this switch is set, it will be impossible to modify the boot record. Just a thought

        1. Anonymous Coward
          Anonymous Coward

          Isn't that what the "Boot Sector Virus Protection" option is for in most current BIOSes? Admittedly it's just an "alert if the boot sector changes" rather than a lockdown.

    2. Aitor 1

      I almost like the idea

      As long as you have the OPTION to boot from non valid keys, it is ok for me.. as it will be way more difficult to make rootkits.

      If it is mandatory, then it will not only be a disaster, but also illegal and their ulterior motives quite different.

  16. The BigYin

    Given the dross...

    ...spouted over RMS's comments about Android, do people *NOW* get why we need free software?

    Free as in speech, not as in beer.

Page:

This topic is closed for new posts.

Other stories you might like