MS denies secure boot will exclude Linux

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs. Unified Extensible Firmware Interface (UEFI) specifications, designed to reduce start-up times and improve security, allow computers …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

"Why we would never! Honest!"

Yes of course, you're perfectly trustable, and so on, and so forth.

So pray tell, how do I put my own keys in the bios then? And no, I'm not going to shell out to some CA or other for the privilege of signedly running whatever I like on my own hardware. A self-signed key will have to do. How do I put that in, hm?

And that's not just me as a home user, but that too. I'd also want, nay *need* it if I were a large enterprise running a homebrew slipstreamed imaged what-have-you mix of whatever OS and software and drivers and such we care to put in our automated deployment process.

10
0
Silver badge
Linux

Won't fly

I've said it before, I'll say it again. If this hits the market (and make no mistake: it'll do so in such a way that it's not easy to disable if it does) it'll be cracked open within a couple months. Within a year the crack will be integrated into the installers for every major distro so that they don't become as hard to use as MS fanboys say they are. And then, of course, the rootkit authors will sleaze in behind them, pick up their work, and use it to make rootkits immune to the restrictions as well.

In the end, nothing will be accomplished other than Microsoft further alienating a group of people who collectively never liked them to begin with.

17
1
Anonymous Coward

@sisk - If you live in US or Australia it will be a no go

FOSS community will not go against DMCA and/or copyright law that will be used to protect the mechanism. They might be freetards but not outlaws. Yes, people will come up with ways to crack this like they are doing with encrypted DVDs but it will never be accepted into any reputable distro.

1
0
Devil

Yes and NO

AC you are probably correct because microsoft will have some shell company raise the DMCA issue, and there is 0% chance it will get an exception like cell phone unlocking.

However, you didn't really address part 2. Someone, probably lots of someones simultaneously will break this security. There is no real time limit here like an SSL session. So given all the data necessary, full access to the hardware, and elapsed time only impacting on your patience - OF COURSE it will be broken. To think otherwise you would have to be truly retarded.

So while Red Hat may never use this facility, it is certain that criminals will. Therefore, if we follow the money trail and ask the simple questions:

1 who benefits

2 why

3 when

4 by how much

We find the only real beneficiary here is microsoft and the only real possible loser here is Linux in the developed world.

Sorted.

5
0
Linux

There are exemptions to DMCA...

I'd imagine this would go under the same exemptions present in the smartphone market with regards to jailbreaking. The reason this was granted exemption under DMCA was because jailbreaking allowed the user to run other apps that were otherwise unavailable, and may not necessarily have anything to do with copyright infringement. This will be the same (more so in fact) with these computers.

0
0
Linux

just as bad

The contrapositive is also true. If a motherboard does not use Microsoft's secure boot, that motherboard will not support Windows. Something that a motherboard manufacturer does not want to happen. Folks wake it, look at who is behind this standard (Apple, Microsoft, etc). It is an open war against Linux and the bad guys just might win if this standard is approved.

4
1

@Sisk

Except in the Land Of The Free, where such a crack might fall under circumventing a security device.

0
0
Flame

What is it with Linux fanboi's frothing at the mouth....

"In the end, nothing will be accomplished other than Microsoft further alienating a group of people who collectively never liked them to begin with."

THIS IS THE UEFI STANDARDS BOARD! Microsoft have said to OEMs (so people that pre-load the OS onto their own hardware) "please enable Secure Boot on your systems when pre-loading Windows 8". That's it.

Want to install Linux / BSD / Recovery environment - Disable it

Can't disable it? Speak to your OEM

Can't add a new key? Speak to your OEM

The FACTS are quite simply the above. Microsoft have sod all to do with it. There's no reason when buying Dell boxes pre-loaded with Ubuntu that you won't have secure boot enabled then either.

Back the fuck off - this is not Microsoft's standard, and Microsoft are not mandating that it cannot be disabled or updated. Think otherwise? Some proof would be nice.

2
6

@The Original Steve

Have you been at the KoolAid?

The ISO body is meant to be independent, yet MS managed to stuff the ballot box and have a patent encumbered format approved. Do you understand the implications of that? There is an ISO *standard* that you cannot fully implement without infringing on MS patents (I am quite aware of the MS "gratis" license and its limitations).

If we could be 100% sure that the UEFI body was totally independent and was really just there to ensure that all the i's and t's were dotted and crossed, you'd be correct. But we cannot be because, as I have pointed out, MS has form for skewing these bodies.

0
0
Silver badge
Linux

Frothing and whatnot

Your OEM is Microsoft's house boy and has been for decades.

They will do whatever Microsoft tells them to do and say please and thank you during.

They simply cannot afford to get on Microsoft's bad side. Their Windows discounts might get revoked. So they will go along with whatever Microsoft wants.

Perhaps you missed the big trial where this all came to light?

0
0
Silver badge

@ AC

If Apple couldn't pay off enough people to prevent a DMCA exemption for the iPhone I sincerely doubt MS will be able to. It won't be a DMCA or a copyright issue to the FOSS community. It'll be an 'It's my machine, I'll do what I want with it' issue, just like jailbreaking a phone.

As for it not being accepted into any reputable distro, how many distros lack libdvdcss2 or aacskeys? It'll be the same thing.

0
1
Anonymous Coward

I said this...

I said this was rubbish at the time, what with there being no quotes from anyone at MS and Ross Anderson's blog post actually saying "I've heard that..." rather than a much more definite "It is the case that".

I can't believe that people are still looking for a conspiracy, but it's always the same with an MS story.

Still, the more F5s being pressed by angry commentators, the more cash that The Reg get...

4
13
Anonymous Coward

@AC 14:37 - Please stand still, close your eyes and try to relax !

said the snake to its victim

5
1

If the worst happens...

"...sorry, I can't recover the files on your hosed installation. You have a Microsoft BIOS that won't let me run this Backtrack disk. If you had (insert brand of not-shit PC here), I could have helped."

Or words to that effect. Perhaps UEFI will allow you to add your own keys and self sign, but if not, then there are many ways of showing why this is a bad thing to technically illiterate users. Especially after their installation gets hosed and they can't find the Windows disk.

1
0
Mushroom

boot.ini and how MS protects you when installing another OS

Look, Microsoft already does not play well with other operating systems by disabling the other OS in their boot process when you install Windows. They put up a screen telling you that you can re-enable the other OS by changing boot.ini when it's a 1-2 line addition to the file they could do if they wanted to play well with others.

read my lips:

THEY ARE NOT IN THIS GAME TO MAKE ANY OTHER OS EASY TO USE WITH WINDOWS.

So they say it is up to the OEM to allow other OSes to boot with UEFI and you should know what pressure and control Microsoft exerts on OEMs to do what Microsoft wants. Unless OEMs are legally forced to provide those unlocking keys when the product ships, we will not get them easily or at all.

Fix your crappy OS Microsoft and leave the hardware open.

13
1
Anonymous Coward

Err...

That's right... That Services for UNIX they made and their support of Linux on their virtual machines makes it particularly hard to interoperate Windows with Linux and UNIX.

In fact the SNA services proxy they used to make totally prevented the interoperability with pre-IP IBM frames.

Oh, err...

0
0
Silver badge
Thumb Up

don't know what you're all worried about

with the massive consumer spending power of the linux community there's no way hardware manufacturers would lock you out!

2
6
Thumb Down

I think you'll find

The hardware consumer spend in Linux is far, far higher than you imagine it is.

8
0
Pint

What's more...

Much of my linux hardware spend over the last 10 years has actually included a windows license.

But if machines that ship with windows 8 won't run linux then anyone buying a machine for linux will have to choose one without the firmware restrictions. It may not be a huge market, but if an oem can service it with a simple variant, then maybe this will inadvertently boost the availability of os-free hardware.

Well, here's hoping at least...

0
0
Bronze badge
Coat

@sabroni

So, servers will be sold with unlocked UEFI, right, but this won't help you to find small portable computer (I mean notebook) able to run Your Unix of Choice, won't it? Or will you go to work with 1U server in your bag?

Mine with low power SFF 72 core MIPS64 PDS cluster in the pocket

0
0
Anonymous Coward

Nothing new...

Every time I build a PC I pirate $40 of MS software to offset the MS Tax. From now on it'll have to be $150 for a full copy.

3
3
Anonymous Coward

Hmm...

You mean the MS Windows tax where Windows pre-installed machines cost less than the ones without Windows pre-installed?

Shouldn't you be giving money to MS for every machine you remove Windows from, following your logic that is.

Oh, also, if you build a machine - I presume you mean make from discrete components, rather than put an OS build on it - there wouldn't be Windows installed anyway so no MS tax.

1
6
Unhappy

This is ...

... a feature that most people do not need. All it will do is form another point of failure that can potentially deny me from booting my PC, but also deny direct access to the HD. In case of issues neither of those is a good thing.

If you insist on doing this, make it an option that can be turned off in BIOS settings.

0
0
Anonymous Coward

Notice Tony's careful use of words...

Tony didn't say that M$ wasn't going to PRESSURE the OEMs to not include an uefi "safe" boot disabling option,... he merely said that it was the OEMs' option to include it... M$ is notorious for their back-room deals, totally off the record... They did the same thing when "negotiating" with Barnes & Noble over Android patent extortion "licensing."

Nope,... the only way to make the OEMs play ball will be to buy machines and if they are not able to be booted with alternative OSes, return them (and avoid those with restocking fees, or bring unfair trade practices against them if they try charge them). Few OEM vendors will disclose the lock-out up front, giving most consumers a valid objection to restocking fees with their credit card vendors. The more machines are returned, and have to be unloaded as "refurbs" at a loss, the less likely they will be to "play ball" with M$ extortion tactics.

5
1
Anonymous Coward

I wonder if they'll wake up ...

When people (i.e. the consumers) start up the lawsuits?

Many people use software that is available only for Linux and require it, even if it's just a secondary OS. How is this supposed to fly? It's none of MS/OEM's business what I choose to run as my OS. MS isn't a hardware company! Hardware isn't like software, so fuck off, MS.

This form of crass Mafia business practice -- I'm literally speechless. This sort of nonsense can only get worse if legally unchallenged. What astounds me, though, are the number of people who seem to think that there's nothing wrong with any of this.

9
1
Silver badge
Thumb Up

Maybe I'm a clueless optimist, but as long as users are free to disable the feature or, even better, manage signature keys in UEFI store, I see no problem with it. I'm also pretty certain that doing it otherwise would be fiercely opposed and is not going to happen.

Also, Microsoft is a hardware company - they make pretty good better webcams, mouses and few other bits.

1
5
Silver badge
FAIL

I predict...

If this is implemented, it'll be scrapped within two years for one or more of the following reasons;

A. Within weeks of its release, it'll be hacked into a new attack vector. (Of course, it'll be many months before they admit the problem exists.)

B. Consumer complaints (and returns) from a host of unforeseen problems it will generate. (Murphy's Law always trumps engineering skill and marketing plans.)

C. The flood of new "Run what you want" boxes that will hit the market from various minor vendors without Windows installed, depriving MS of a surprising amount of "MS Tax" on computer sales.

What, me worried? I'm stocking up on snacks and sodas to enjoy the show caused by the inevitable cluster-fuck if this goes through!

7
0
Silver badge
Happy

Dear OEM

We love you very much, and as you know, we have no power nor no wish to affect your decisions,

but you do know what a great responsibility we have towards providing our customers with the superb user experience and safety they expect and are used to, using our products.

In order to fulfil these goals there are a few things regarding the hardware that is demanded for running Windows.

The choice is yours alone and we will accept any decision you make regarding this minor question.

Regards, Microsoft

1
0
Angel

PS. we will provide a "Certified for Windows 8: Platinum" for all the machines that implement it and sell Windows 8 Home OEM copies for $5 and Windows 8 Professional OEM copies for $10 for the same hardware.

1
0

Security is always a hassle.

So you are saying you want to run a 'maybe' rootkitted OS on your machine?

Signing a kernel is a hassle? Sure, yeah any security measure is a hassle. I think Linux wants to be a safe OS too right? Or are we going to play the Apple game and state that there is no reason for that because the OS is so secure it can't be rootkitted?

For development purposes I agree. There should be an option to disable, but normal customers would surely want an OS that they can be reasonably sure that it isn't easy to be rootkitted.

1
14
Anonymous Coward

@Majid - Trolls are finally starting to catch up by now.

If you decided to use an easily root-able OS, that's your problem. However, I do not accept a solution to your problem that will force me to quit running an OS (it's not Linux but since all you've ever known is Windows I will not bother you with details) which isn't so easily compromised. Oh, and you are not in the position to decide what normal customers and Linux users want, let them decide it for themselves.

Signing the Linux boot-loader and/or kernel is a major hassle when your #1 enemy with a serial killer history has a word to say on it. In case you missed it, this is the subject of all these posts here.

5
1

So you have a time machine do you Majid?

If so, please could I borrow it?

I can't see how else you expect anyone to include a signature for the new Bootloader, Kernel or OS that comes out in mid-2013 to BIOS made in 2012.

Also, do you think manufacturers will let people who build their own kernels send them keys to import before they buy the PC?

The problem being envisaged here is that only bootloaders signed by keys included in the BIOS will be booted from. If that isn't the case, and importing your own key is possible, then this isn't a problem. That's kind of the point of the discussion...

1
1
Silver badge
Facepalm

PKI

"I can't see how else you expect anyone to include a signature for the new Bootloader, Kernel or OS that comes out in mid-2013 to BIOS made in 2012."

Why would they? It's enough to store root certificate for CA which will sign these new boot images. And the root certificate can be just as well your own public key. I see no reason why any vendor would want to prevent you from storing it in UEFI of your own computer, so please STOP PANICKING!

1
3

@Bronek Kozicki

Once again, this is what is being discussed here and what is currently unclear.

Worst case being the only key included is the one MS used to sign Windows 8, and even they will use another for Windows 9 (highly unlikely).

Best case is you can add your own key, preferably by setting a jumper or pressing a hardware button -- this is thought to be how it would be done in the real world. The problem here being that MS has a long history of giving discount licenses to OEMs who do things to make it harder for users to choose their OS (they've been convicted, this isn't speculation).

A middle ground would be, say, that a key is present for a CA who will sign Linux bootloaders -- problem there is that it will cost everyone who wants their kernel signed, since I doubt they'll provide a free service.

The developers working on the kernel, GRUB, or whatever could sign them, perhaps, the only problem there being that the GPL would have to be re-written or they'd have to give out the key used to sign them, thus defeating the object.

Of course, the manufacturers could just allow non signed bootloaders to run instead but, as stated above, MS will give them no incentive to do this and past performances point to the possibility of them actively discouraging it.

1
0
Silver badge

I understand and I also admit I don't have access to reports to back the following up.

According to Gartner, Linux was fastest growing segment on servers in 2010. http://ostatic.com/blog/linux-is-growing-fast-on-servers-and-red-hat-benefits

Do you seriously think that any vendor would voluntarily remove himself from this market? I don't.

Although I do agree that it is quite possible that the desktop sector could be partially bastardized - not by locking Linux out, but rather by making it more difficult to install.

0
1
Anonymous Coward

Linux has made such massive inroads into the server market, it seems clear to me that all reputable motherboard manufacturers will have options for a Linux boot.

There's enough 'movement' in the Linux market and big enough numbers for this to be a certainty.

So, calm down everyone, it'll be alright.

2
5
Devil

The only way I can see things getting worse

Would be a merger of Microsoft and Monsanto.

5
1
Linux

Microsoft does not know how to be "good"

It is the dream of Microsoft to slow down, incapacitate, hobble, cripple, disallow and prevent anything that makes it seem as though there is a choice - to not use their Operating System.

Especially if the competing Linux is somehow better.

Microsoft is not competitive in mobile so it latches on to piggybacking the cost to produce mobile devices by suing the hardware manufacturers that use android, thus raising the cost to consumers and slowing down the demise of the PC by cost offset and generate a profit on the existence of android like the parasites they are.

Even as the gradual death of the PC is soon to be here... if they can somehow prevent or make less easy for a newbie to install Linux they win.

No doubt experienced Linux users will find a work around in time... but slowing down the inevitable, Microsoft wrongly believes that they gain time to make more profit. Perhaps long enough to become the complete parasite upon Linux by whatever means available.

Microsoft was never a good neighbor, not to their partners or to their users. Restrictions, restrictions, restrictions... pay me, pay me more, we want it all.

9
1
Linux

Supporting UEFI secure boot on Linux: the details

"An obvious question is why Linux doesn't support UEFI secure booting. Let's ignore the issues of key distribution and the GPL and all of those things, and instead just focus on what would be required. There's two components - the signed binary and the authenticated variables...."

http://mjg59.dreamwidth.org/6054.html

2
0

OEM decides?

You mean the same OEMs putting "best viewed under IE 5.5 or above" on all pages including routers/modems running freaking linux themselves?

They sure know the idiotic OEM will disable linux booting just to look nice to MS.

I know only couple of brands who has balls to ship their laptops with freedos (aka nothing) pre installed. Nothing else comes to mind.

Ignorance is what they trust as usual business.

2
0

Any American into politics around?

Did these guys hire a private army and overthrew US government and judicial system together?

I mean, they have to put a lot of extra to Internet Explorer, they couldn't enforce Windows Live ID to use Windows, they even had to put a "choose your defaults" to OS interface and now, they are in freaking BIOS.

Half of the reason TPM failed was the DOJ and other officials whispering "don't even dream about it" to Intel and Microsoft. The rest was the media like The Register and couple of others like Slashdot.

This is something even Apple doesn't do on the machines they design themselves. Wake up really or we will talk about pc jailbreaks. No joke here.

Did these guys just bribe DOJ or White House? What does military elite think about this? These guys have sure thought about the security aspect and monopoly aspect, not?

5
1
Thumb Down

Purely artificial marketing BS, as usual

We all know that getting one program to look like another isn't a big issue. We don't need a signed 'grub', for example, provided we had a signed something or another that knows how to load grub. That signed something or another can also load Windows, except it won't because Microsoft appears to be trying to set up a scenario where the loader will only load their code and only their code. This won't be at all difficult to bypass for a sophisticated user (or criminal -- same thing) but it will deter the average user, someone who would otherwise like to load a Google/Linux/whatever supplied instant on OS that just accessed the 'net.

From what I've seen Windows 8's UI sucks, BTW.

5
1

i don't see what all the fuss is about

the bios adds a check before boot: give me your signature, and checks this against a stored list of 'known good' signatures. if the key does not match it refuses to boot.

Good! this prevents malware.

Linux? shouldn't be a problem. just get a signed version and hand the key to the bios. done.

oh wait... ehm yes I think I see the problem... with so many strains, forks and custom builds of linux there is going to be a massive amount of keys .... and someone will have to fork over some dough to get all these trusted keys ... wow. and ubuntu cranks out a new version almost every day... that's gonna be a problem.

1
3
Anonymous Coward

@Vincent - It is not even about money here.

Let's say a certain version of the Linux boot-loader gets signed and works with UEFI. You download it and the GPL grants you the right to modify it AND to run the modified version. Unfortunately, because of the signing keys, UEFI will not allow you to run the modified version so this will be a copyright violation for the distributor. It will be no longer possible to distribute Linux. This is exactly what TiVo was doing and it is exactly one of the reasons GPL was upgraded to v3.

All this in the name of security so who could possibly be against it ? Now you see why Microsoft is so delighted ?

1
0
Silver badge
Happy

simple - just build Linux with your own private key, install public one to UEFI and presto! Boot, verify signature match, start Linux.

This of course assuming PC vendor gives you an option to install keys to UEFI. Second best option - do like these guys here http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-29-43-metablogapi/0624.Figure_2D00_5_2D002D002D00_Samsung_2D00_PC_2D00_secured_2D00_boot_2D00_setting_5F00_thumb_5F00_02016A69.jpg (thx AC for the link) and disable secure signature verification. No protection against rootkits, but there are none under Linux, right? "that was a joke, haha fat chance".

1
1
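
The point argued in the "PKI" comment and in the "build Linux with your own private key" comment above, as an added example that is not part of the thread: a Go model (not UEFI firmware code) of a trust store that holds only a root certificate, yet accepts an image signed by a key certified later and rejects a modified image or an unenrolled key. All names, keys and image bytes are constructed, and Ed25519 is an assumption chosen for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer is a key pair plus the certificate vouching for it (constructed identities only).
type Signer struct {
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// NewSigner issues a certificate for a fresh key; a nil parent yields a self-signed root.
func NewSigner(name string, parent *Signer) *Signer {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
	}
	issuerCert, issuerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		issuerCert, issuerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Signer{key, cert}
}

// Sign returns a detached signature over the boot image bytes.
func (s *Signer) Sign(image []byte) []byte {
	return ed25519.Sign(s.Key, image)
}

// Boot models the check: signer must chain to an enrolled root and sig must cover these bytes.
func Boot(db *x509.CertPool, image, sig []byte, signer *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: db, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, image, sig) {
		return errors.New("signature does not match image")
	}
	return nil
}

func main() {
	root := NewSigner("constructed root enrolled at manufacture", nil)
	db := x509.NewCertPool()
	db.AddCert(root.Cert)
	later := NewSigner("signing key certified after shipping", root)
	owner := NewSigner("owner's self-signed key", nil)
	image := []byte("constructed bootloader image")
	fmt.Println("later release:", Boot(db, image, later.Sign(image), later.Cert))
	fmt.Println("modified image:", Boot(db, append(image, 'x'), later.Sign(image), later.Cert))
	fmt.Println("owner key, not enrolled:", Boot(db, image, owner.Sign(image), owner.Cert))
}
```
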

eh

The UEFI simply wants a signed loader.

if MS changes the loader they have to sign it and provide the key.

So, if you mod your loader you need to sign it. Why should linux user be treated differently than MS. The rules are clear: You want to boot? give me the key .... The UEFI is neutral in this respect.

0
0
Anonymous Coward

Yeah right

Yeah right, like UEFI won't be cracked in a week or so...

1
1

iphone gets cracked in an hour

You know Apple iphone "jail" gets cracked in an hour too. How many people have you seen jailbreaking around doesn't matter, the rate of general public cracking their phone is less than 1%.

Good luck convincing general public to "crack" (they will call hack) their BIOS. These guys call support line in case their finger slips to del key while booting as they see BIOS screen.

0
0

consumer power

Does not make commercial sense to cut out customers, Linux has a huge following, and Microsoft know full well a large proportion of those using Linux also buy their high end distributions of Windows, so ultimately it won't be an OS vendor dictating what a PC can run, it will be consumers.

Remember it's consumers who forced Windows 7 when Vista wouldn't do what many wanted, and why major vendors like Dell offered us what we wanted because it affected sales, this will in my view because of customer numbers be similar, they will sort it.

Also in today's economic climate, vendors might get a frightening shock, won't take much for a major switch from home users and business to Linux. It will be reputable companies then who see the potential, that's why I don't think there's anything for us to worry about, at this stage at least.

1
1
Anonymous Coward

@Damien Thorn - You're being naive on this one.

It's Microsoft who decided to collect a fresh round of voluntary donations from its customer base with Windows 7. Don't like Vista, then pay for 7. That was the MS mantra on their way to the bank.

Customers were definitely not those who forced Microsoft to replace Vista. Microsoft could have simply waited and all of us would have migrated to that OS maybe after a Service Pack. Where else could you move with all your MS-Office documents after support for XP being terminated?

Admit it, you are so tied to Microsoft that you will swallow whatever they shove down your throat.

0
1