back to article MS denies secure boot will exclude Linux

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs. Unified Extensible Firmware Interface (UEFI) specifications, designed to reduce start-up times and improve security, allow computers …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Be careful now...

    Maybe I'm over analyzing but technically speaking its true what they say. Solely focusing on Linux now; Grub or Lilo can be made to boot from a partition instead of the MBR. The Windows boot manager is capable of activating such a partition.

    As such it would always be possible to boot / use Linux while secure boot is in effect and give the owner "complete control".

    So be very careful about what is being said here... Because although what they claim maybe true, it doesn't take the initial problem away. IMO that is.

    1. Anonymous Coward
      Anonymous Coward

      So you'd need to own OS A in order to boot OS B?

    2. Anonymous Coward
      Anonymous Coward

      @ShelLuser

      Could you please read again what you have written in your post ?

      You mean I have to buy Windows8 and fiddle with its boot manager in order to be able to boot Linux ? That will be a price tag of 375CAD for every copy of Linux and *BSD payable to ... why yes, to Microsoft of course.

      You're not over analyzing at all. Au contraire mon ami!

      1. Anonymous Coward
        Anonymous Coward

        Missing the point here?

        @AC's

        THAT is /exactly/ why I say "be careful wrt what is being said".

        Yes; booting one OS to boot another; think about this before posting or voting please.

        You pick up a new PC; /WHAT/ OS is pre-installed by default ?

        SO when they say "you have full control" do you really? From their point of view you do (see my comment above) but in reality...

        As such my comment: be careful (or mindful) about what is being said. /technically/ they are right, but in the end it doesn't change sh*t for us.

        1. Peter2 Silver badge

          Generally when I pick up the parts for a new PC they are in separate boxes and nothing is installed on them other than maybe the firmware.

          1. Anonymous Coward
            Anonymous Coward

            @Peter2: Sure, same here. Unfortunately the majority does otherwise, and ironically enough those are the people who MS will have in mind when they claim that this boot mechanism will still give you "full control".

            Its one big scam, they're merely twisting words.

  2. Steve Davies 3 Silver badge
    WTF?

    Here Mr OEM have this {brown envelope}

    MS OEM Salesman to OEM Purchasing Mgr

    "All you have to do is make it impossible to boot anything but Windows on every machine you ship."

    OEM rolls over and accepts the incentive.

    MS Guy smiles, puts away the loaded 45 and says,

    "Now how hard was that?"

    1. Anonymous Coward
      Anonymous Coward

      No envelope required

      The only thing MS needs is the loaded .45 and that is what they will use - lock out Linux or we stop supplying you with OEM copies of Windows.

      They've done it many times before and they'll continue doing it because it's how they run their business.

      1. Ramazan
        Paris Hilton

        "can be disabled, if OEMs want"

        OEMs wouldn't probably able to make up their minds about the subject all by themselves / They "sit alone, waiting for suggestions" (RevCo)

    2. P Saunders

      As for those annoying anti-trust suits

      MS will just smile and say that the OEMs are the ones who are stifling choice. Nice way to shift liability for your legal indiscretions onto your customers.

  3. Dirk Vandenheuvel
    Holmes

    Storm in a glass of water. Surely this will just be a setting in your boot-setup screen?

    1. Bean0

      Comparing the BIOS options on my Abit mobo with those of my Dell work machines :-

      If you buy your own mobo, then probably yes.

      If you buy a pre-built machine, then possibly not.

    2. WonkoTheSane
      FAIL

      @Dirk Vandenheuvel

      Yes, it will. Until it isn't.

    3. BitDr

      Setting in BIOS

      Given that the ability to disable this 'feature' is not a requirement of the spec, then I would expect lots of muscle ($$) being applied to hardware vendors to not include it. Now you might think that having this ability as a requirement would solve any issues, but there is no requirement for accessory makers to ignore the setting, meaning that any fancy new graphics card you buy may require the setting be enabled, effectively shutting out all (*cough*LINUX*cough*) who do not have keys.. and because this CAN be done, and because such action would in effect slowly crush the competition, i'd bank on it being implemented.

    4. Ramazan
      Coffee/keyboard

      BIOS option

      There is no BIOS option to turn on Intel VT-x bit in Sony VAIO VGN-UX BIOS, and the same is true for many other contemporary VAIO notebooks: SZ, TZ, TX series just to name a few. I suspect the similar story will most probably happen with Windows 8 VAIO notebooks, with no BIOS option to turn off boot signature verification.

  4. Sam Liddicott

    linux users want security too

    Linux users also want security. I see TPM as being good for me.

    I just want the ability to upload new signing keys, and for the ability to upload a key to be blocked with a physical key that turns a mechanical switch to make an electrical connection.

    1. Voland's right hand Silver badge
      Devil

      Be careful for what you wish

      If you can easily upload your own keys so can any exploit code.

      Want to find yourself in the interesting situation where you are not allowed to run a "clean" non-troianed OS?

      Dunno, we will have to go down that route sooner or later and it is a lose/lose in any case where you do not have a "personal" certificate which signifies your ownership of things solid or digital and it is your unalienable right to upload a cert signed by this "ownership" cert into anything you own.

      How - that is for standardmongers to figure out.

      On the negative side - bye-bye anonymity, it was nice knowing you. On the positive side, anyone trying to define what is essentially a monopoly license can be told to f*** off on two counts:

      1. You have the right to upload

      2. He has _NO_ technical reason whatsoever to deny this because he can now identify you and your equipment for purposes of commerce.

      Every time I think of it, nothing short of this will stop attempts by people like MSFT, Sony and the like to push this through the backdoor. Let's face it - we are going into the direction which Neil Gibbson (Neuromancer) and Peter F. Hamilton (Commonwealth) have foreseen. We might as well bite the bullet and lead there as free people instead of being lead on a slaver's chain.

      1. Bronek Kozicki Silver badge
        Stop

        RE: Be careful for what you wish

        "blocked with a physical key that turns a mechanical switch to make an electrical connection."

        I think that makes it clear - I am yet to see any code able to operate *mechanical* switch, without use of motors etc (which aren't normally present inside a PC).

      2. nematoad Silver badge

        Actually..

        I think you mean William Gibson

  5. The BigYin

    "If OEMs want to"?

    Really? Just like OEMs can ship with any OS thy want, assuming they also want to swallow inflated license costs.

    Just like OEMs don't have to "recommend" any particular OS, if they want to swallow inflated license costs.

    I would not trust MS in this matter, they are far from impartial and have too long a history of attacking GNU/Linux and F/LOSS in general. If they need to solve this issue, then I suggest two courses of action:

    1) Write an OS that does not leap on to the Interwebs and scream "I am open, have at me like a cheap tart! I'll take all comers in any port!"

    2) Let OEMs sell a "bolt on" to people who need this kind of control (certain corporates, certified environments etc).

  6. Jim 59

    MS Partners

    "Microsoft has effectively batted the question over to its hardware partners and firmware suppliers."

    ...who are controlled my Microsoft. MS has long been occupying a central position it does not deserve in the PC market. If it continues to behave in this way, the world might just stop bothering with Microsoft alltogether. Which would be bad. Microsoft - please stop controlling and start competing.

    1. Anonymous Coward
      Thumb Up

      re "courses of action"

      Fortunately I had just finished my cup of tea when I read your action (1). Brilliant.

    2. Someone Else Silver badge
      Stop

      Yogi Berra was right

      "It's like deja vu all over again."

      It's not like we haven't already seen this activity on Micros~1's part. Do we really have that short of a memory span?

    3. perlcat
      Black Helicopters

      Dream on, junior.

      M$ has sabotaged every boot manager I have ever had -- from OS/2 on -- this will be no different.

      They'll just use the old "you have nothing to hide, do you' defense, blame it on the manufacturers, and there you go. Every PC will be in any OS you want as long as M$ gets their cut.

      On a lighter note, now that world+dog sees this for what it is, they'll back off and look for another port to slip the ol' wazoo into, as people will be looking for the antitrust angle on this now.

      Too bad they can't just compete on the merits of their product, rather than resort to dirty tricks -- oh, wait. There *are* no merits. I guess they *do* have to resort to underhanded tactics to move their shite.

  7. Wang N Staines

    Buyer

    The buyer should be given the option to enable/disable this option NOT the OEM.

    Problem sorted. Damn, I should be the next HP CEO.

  8. Anonymous Coward
    Anonymous Coward

    ACPI precedent

    It's presumably not Microsoft's fault that motherboards often report incorrect information to non-windows operating systems via ACPI. That's down to the manufacturer too, but for the most part they don't care if it doesn't affect Windows.

  9. Anonymous Coward
    Anonymous Coward

    um...am I missing something?

    Isn't this just the moving of WGA into the BIOS?

    1. Paul Crawford Silver badge

      @WGA

      That might be part of the reason, as if you can verify the boot loader, it can then verify the rest of the system* and so stop hacks that check for invalid activation keys, etc.

      I don't care about MS screwing it users for non-licensed software, if you want Windows then pay for it. What I do care about is such a system being abused to prevent alternative OS from running.

      Unfortunately if you can bypass the boot check, then you can also bypass all other DRM/license protection steps (given the time to hack the OS components). If MS are only doing this to stop root kits, fine, but I can't see it being very useful (in this context) and open at the same time.

      * time-dependent of course, how long to check the signatures of a multi-GB OS installation?

      1. Sean Baggaley 1
        FAIL

        "What I do care about is such a system being abused to prevent alternative OS from running."

        Yeah! Because the PC is a a well-known "open source" standard that was invented by Richard Stallman!

        Oh, wait, no it wasn't.

        Why the f*ck aren't GNU / FOSS advocates *specifying their OWN platform* instead of demanding that *commercial entities* do all that stuff on their behalf for no adequately explored reason?

        After all, GNU / Linux distros are usually "free as in beer" as well as "free as in speech", and there's Open/LibreOffice to replace MS Office! How hard can it be to compete with a *paid-for* commercial platform?

        Twenty years of incessant, childish bickering has resulted in a string of wasted opportunities. Hands up all those who think "open source" is more important than open _standards_? (Hint: 99.99% of computer users cannot read your source code—not least because you can't even decided on a simple set of languages to write it in. Or even whether you should use tabs or spaces!)

        The GNU / FOSS community is about to get the wake-up call it has so desperately needed for years. Time to grow up, children. A little less idealism and a little more pragmatism would go a long way.

    2. Ilgaz

      Youngsters

      Post talks about the famous and REAL halloween documents where MS was busted talking about using ACPI as a weapon against Linux.

      Actually they succeeded for a while, especially bugging home users and portable users.

      If you ever heard Linux is not working fine with plug and play, portable setups, that comes from that era.

  10. Red Bren
    Windows

    Wrong conspiracy

    This might not be MS trying to scupper the use of alternative OSs, although that could be a usefull side-effect. More likely, MS want to ensure that Windows users upgrade when MS tells them to, so that Windows 8 doesn't suffer the fate of Vista, i.e. people buy a shiny new PC then install XP.

  11. Paul Crawford Silver badge

    Key holder matters

    The issue is not the 'secure' boot by verifying the OS, that on its own is good for everyone (Linux, MS, Apple, etc) as it allows protection against pre-boot root kits.

    The issue is who decides what can boot.

    If the UEFI loader just stops and tells me this has changed, and do I want to accept the new signature, that is fine for me and nothing is lost but I have gained control over unexpected changes to my boot loader. Maybe have a UEFI password so only admin can change it (like current BIOS offer for boot sequence, etc).

    Of course, it then makes the whole "security" push rather pointless because, as we all know, asking the (l)user if they want something or not is a recipe for disaster when it comes to security.

    Even so, if you can root the OS while running, then you could flash the UEFI firmware to disable this before loading the pre-boot root kit. Also how long until the keys are compromised as for DVD/BlueRay/HDCP? It helps of course, but short of a physical switch to disable motherboard updates, it is only a bit harder for the bad guys.

    So maybe a mandatory configurable option in the UEFI menu to enable/ask on change/disable would OK. But on MS' past behaviour I have serious worries about the openness of it all.

    1. Bronek Kozicki Silver badge
      Angel

      hey OEMs, here is specification for you

      "If the UEFI loader just stops and tells me this has changed"

      Close, except that UEFI has no notion of "changed" - it has a notion of "known signature". And I want actual mechanical switch(es), with no programmatic override of any kind, to allow adding new signatures to UEFI.

      So, let's say I'm starting freshly installed Linux distribution (of freshly built kernel) which happens to use signed boot image (distribution key or my own). Start screen presents me with a warning about unrecognized signature of a boot image. My options are:

      1. restart

      2. *only if RED mechanical switch is enabled* - import signature of that image into UEFI so no further warnings will be displayed. BIOS password will be required (if set).

      3. *only if BLUE mechanical switch is enabled* - ignore and boot anyway

      4. open BIOS settings (password required as usual) and disable signature check if BLUE mechanical switch is enabled

      Another scenario is loading non-signed boot image (e.g. Windows 7) , start screen presents me with a warning about absent signature of a boot image. My options are:

      1. restart

      2. *only if BLUE mechanical switch is enabled* - ignore and boot anyway

      3. open BIOS settings (password required as usual) and disable signature check if BLUE mechanical switch is enabled

      BIOS options required - just one:

      1. skip signature check if BLUE mechanical switch is enabled.

      No such BIOS option: "import new signatures" - enabled via RED mechanical switch only

      Also no such BIOS option: "ignore check and boot anyway" - enable via BLUE mechanical switch only

      Meaning no malware can manipulate these settings, but users with a clue can. Malware could manipulate one BIOS setting (above) but for it to be effective, BLUE mechanical switch must be enabled anyway so (l)user "cooperation" is required.

      Clueless masses would only be able to boot from valid signed image, but anyone versed will be able to install any signature to UEFI or disable check completely. This should also work for corporations since skipping the check would involve opening the box or BIOS password; there is support staff to install keys in UEFI initially if required (e.g. on a Linux server or desktop). There is cost side of installing two mechanical switches, but I think motherboard vendors would love to sell two switches at the cost of $0.02 each for premium of $10 (could be done with one, but it makes it ambiguous, which is bad for security so smaller premium for vendor!).

      Anyone welcome to use above specification, I claim no rights to it!

      1. C 2
        Stop

        RE: hey OEMs, here is specification for you

        All well and good, but consider that windows has always been and will very likely always have security holes like swiss cheese .. some big enough to sail a cruise ship through.

        Oh and BTW has anyone else realized that it is probably a lot simpler to write malware that either steals, or scrambles the 'signature' from Micros~1's bootloader(s). Chaos would ensue.

        Which makes this whole UEFI signed bootloader business a big hassle with pretty much zero benefit. In other words just so much fluff.

        So why not just use a mechanical/electrical switch to prevent or enable flashing the BIOS? Then at least the motherboard would be secure against the nasties that now re-write the BIOS.

        As for windows .. pffft .. just fix it as per usual, it is after all the premier malware distribution software.

        1. Shanghai Tom
          Thumb Down

          My 5 year old MoBo has a jumper to enable / disable bios updates, and also a "touch" jumper to reprogram the bios back to it's factory original.

          This is not new technology, it's suppressed technology because of cost "engineering" and very very lazy programmers .

          If I compile my own Linux kernel, how the heck can I boot it unless a key generator is available, and if it's available and you are running Windows then I expect there will be a hack to alter your opsys and then surreptitiously re-key it.

  12. Thomas 4
    IT Angle

    "No, no, we're not saying that at all."

    "But we're certainly thinking it loudly."

  13. Jeff 11
    Devil

    Follow the SSL route

    The problem with an on/off switch is that you either lose the functionality signature verification offers, or can't dual boot between Windows and anything with an unsigned kernel. During the bootstrap process, the UEFI loader should simply display a message explaining to the user that the kernel is unsigned, with a warning that this may have been caused by malware, and prompt to temporarily accept or permanently store an exception in NVRAM. You could perhaps tie this to an on/off/prompt switch in the UEFI settings.

    It's not as if one extra keystroke is going to inconvenience Linux/BSD users when they rebuild their kernels.

    1. Tomato42 Silver badge
      Thumb Up

      Question: How often do you boot your own media on other computers? How often you give other people your own boot media?

      As long as I can import CA keys (or key signing keys) to any hardware I'm sitting in front of, the system is OK.

      It won't help for Windows malware but will make quite a nice duo with my encrypted, SELinux enabled installation.

      1. Graham Dawson

        How often?

        Well, lets see, in the last several months I've booted various family computes from a USB drive several times, and from a CD numerous times as well, to either repair an existing installation or to install something new. I do it quite regularly. A lot of people do it quite regularly. More than enough to make something like this a huge problem.

        As for importing keys, surely you can see this renders the entire concept pointless? If you can import keys, so can other people. In that case all you have is a needlessly complicated additional step to getting a working system. It's rather like government bureaucracy in that respect.

  14. Pirate Dave
    Pirate

    Um...

    has anyone asked the Firmware vendors if they are likely to include the disable ability in their firmwares? I can see Dell, HP, and Lenovo possibly specifying highly locked-down EFI stuff, but what about the white-box motherboard makers like Abit, Asus, Intel, etc? If the big OEMs like Dell and HP want to lock up their crap then fine, let them. So long as we can still get standard motherboards with this disabled or disable-able, we don't need the OEMs. At least for enthusiast desktops. Server use is another matter entirely.

    1. Ramazan
      Coat

      @Pirate Dave

      Yes, http://mjg59.dreamwidth.org/5850.html: "we've already been informed by hardware vendors that some hardware will not have this option."

      Mine with the list of bastards in one pocket and sawed off shotgun in another

      1. Mark 65

        For those hardware vendors intending that some hardware will not have this option I look forward to the EU court cases brought against them on restraint of trade or whatever the appropriate law is that covers this. If the hardware has the ability to have the on/off option then I believe it is illegal to remove it through firmware especially when such a measure prevents the free use of a machine by its owner.

    2. Anonymous Coward
      Anonymous Coward

      Laptops are also another matter

      Few people who use alternative OSs build their own laptops; they buy Dell, HP, Lenovo, whatever laptops and install their choice of OS. If laptops are locked down, there will be no practical alternative.

  15. Reality Dysfunction

    I'm wondering...

    ...how bootable recovery and diagnostic software environments will run in this case?

    1. Dave Bell

      Or the utility to load the disk image onto that shiny new drive...

      It potentially kills a lot of legitimate system management tools used both by DIY enthusiasts and large commercial operations. Booting from a network image might be workable. Or does the software have to be signed by some central key authority? And is that Microsoft?

  16. Anonymous Coward
    Anonymous Coward

    I don't believe a word of it

    "Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows." I take it as a backhanded compliment, that someone from Microsoft has implicitly acknowledged the existence of other operating systems that people wish to use, despite their many years of (continuing) efforts to deny us this choice by fair means or foul (mostly the latter).

    We're just seeing the "embrace" part of MS' modus operandii here (talk nicely, act in a superficially reasonable manner, sound reassuring, etc.), but if this plan is ever implemented, rest assured that "extend" and "extinguish" will follow as night follows day. And as for "it's the OEMs' choice whether to go along with this or not"... exhibit A: the past twenty years in the PC business. When has a major PC builder (excepting Apple) gone against Redmond's bidding?

    Frankly, if someone from Microsoft told me at 10am that it was light outside, I would still take the precaution of finding a window to check for myself. Thirty years of actions speak louder than a morning's words.

    1. Anonymous Coward
      Anonymous Coward

      You exagerate a little bit here..

      There will be no extend phase, they will go directly with extinguish.

  17. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      @ClueShell - Two aspects to mention here

      1. It all depends on what is the default policy for unsigned or incorrectly signed boot-loaders. If it's ALLOW then the whole security concept goes down the drain and if it's DENY then you're toast

      2. Getting Grub boot-loader signed is impractical. What if there's a new version/release/patch coming out ? Who is going to take a tour to all OEMs to have it signed again ? What do you do with all motherboards already sold ?

    2. Anonymous Coward
      Anonymous Coward

      'currently most pc/servers reserve a small FAT partition on the primary drive'

      Well that's screwed it!

      When I install _MY_ operating system on _MY_ PC I wipe the hard drive of all partitions, after all its _MY_ hard drive

      Why should the hard drive and motherboard be linked like this, its WGA all over again, what if the disc dies or I replace it with a bigger one?

      FAIL FAIL FAIL

  18. Anonymous Coward
    Anonymous Coward

    "Why we would never! Honest!"

    Yes of course, you're perfectly trustable, and so on, and so forth.

    So pray tell, how do I put my own keys in the bios then? And no, I'm not going to shell out to some CA or other for the privilege of signedly running whatever I like on my own hardware. A self-signed key will have to do. How do I put that in, hm?

    And that's not just me as a home user, but that too. I'd also want, nay *need* it if I were a large enterprise running a homebrew slipstreamed imaged what-have-you mix of whatever OS and software and drivers and such we care to put in our automated deployment process.

  19. sisk Silver badge
    Linux

    Won't fly

    I've sad it before, I'll say it again. If this hits the market (and make no mistake: it'll do so in such a way that it's not easy to disable if it does) it'll be cracked open within a couple months. Within a year the crack will be integrated into the installers for every major distro so that they don't become as hard to use as MS fanboys say they are. And then, of course, the rootkit authors will sleaze in behind them, pick up their work, and use it to make rootkits immune to the restrictions as well.

    In the end, nothing will be accomplished other than Microsoft further alienating a group of people who collectively never liked them to begin with.

  20. Anonymous Coward
    Anonymous Coward

    I said this...

    I said this was rubbish at the time, what with there being no quotes from anyone at MS and Ross Anderson's blog post actually saying "I've heard that..." rather than a much more definite "It is the case that".

    I can't believe that people are still looking for a conspiracy, but it's always the same with an MS story.

    Still more the f5s being pressed by angry commentators, the more cash that The Reg get...

    1. Anonymous Coward
      Anonymous Coward

      @sisk - If you live in US or Australia it will be a no go

      FOSS community will not go against DMCA and/or copyright law that will be used to protect the mechanism. They might be freetards but not outlaws. Yes, people will come up with ways to crack this like they are doing with encrypted DVDs but it will never be accepted into any reputable distro.

      1. Terry H
        Devil

        Yes and NO

        AC you are probably correct because microsoft will have some shell company raise the DMCA issue, and there is 0% chance it will get an exception like cell phone unlocking.

        However, you didn't really address part 2. Someone, probably lots of someones simultaneously will break this security. There is no real time limit here like an SSL session. So given all the data necessary, full access to the hardware, and elapsed time only impacting on your patience - OF COURSE it will be broken. To think otherwise you would have to be truly retarded.

        So while Red Hat may never use this facility, it is certain that criminals will. Therefore, if we follow the money trail and ask the simple questions:

        1 who benefits

        2 why

        3 when

        4 by how much

        We find the only real beneficiary here is microsoft and the only real possible loser here is Linux in the developed world.

        Sorted.

        1. henrydddd
          Linux

          just as bad

          The contrapositive is also true. If a motherboard does not use Microsofts secure boot, that mother board will not support windows. Something that a motherboard manufacturer does not want to happen. Folks wske it, look at who is behind this standard (apple, Microsoft, etc). It is an open war against Linux and the bad guys just might win if this standard is approved.

      2. bean520
        Linux

        There are exemptions to DMCA...

        I'd imagine this would go under the same exemptions present in the smartphone market with regards to jailbreaking. The reason this was granted excemption under DMCA was because jailbreaking allowed the user to run other apps that were otherwise unavailable, and may not neccessarily have anything to do with copyright infringement. This will be the same (more so infact) with these computers

      3. sisk Silver badge

        @ AC

        If Apple couldn't pay off enough people to prevent a DMCA exemption for the iPhone I sincerely doubt MS will be able to. It won't be a DMCA or a copyright issue to the FOSS community. It'll be an 'It's my machine, I'll do what I want with it' issue, just like jail breaking phone.

        As for it not being accepted into any reputable distro, how many distros lack libdvdcss2 or aacskeys? It'll be the same thing.

    2. Anonymous Coward
      Anonymous Coward

      @AC 14:37 - Please stand still, close your eyes and try to relax !

      said the snake to its victim

    3. BitDr

      @Sisk

      Except in the Land Of The Free, where such a crack might fall under circumventing a security device.

    4. The Original Steve
      Flame

      What is it with Linux fanboi's frothing at the mouth....

      "In the end, nothing will be accomplished other than Microsoft further alienating a group of people who collectively never liked them to begin with."

      THIS IS THE UEFI STANDARDS BOARD! Microsoft have said to OEM's (so people that pre-load the OS onto their own hardware) "please enable Secure Boot on your systems when pre-loading WIndows 8". That's it.

      Want to install Linux / BSD / Recovery environment - Disable it

      Can't disable it? Speak to your OEM

      Can't add a new key? Speak to your OEM

      The FACTS are quite simply the above. Microsoft have sod all to do with it. There's no reason when buying Dell boxes pre-loaded with Ubuntu that you won't have secure boot enabled then eitehr.

      Back the fuck off - this is not Microsoft' standard, and Microsoft are not mandating that it cannot be disabled to updated. Think otherwise? Some proof would be nice.

      1. The BigYin

        @The Original Steve

        Have you been at the KoolAid?

        The ISO body is meant be independent, yet MS managed to stuff the ballot box and have a patent encumbered format approve. Do you understand the implications of that? There is an ISO *standard* that you cannot fully implement without infringing on MS patents (I am quite aware of the MS "gratis" license and it's limitations).

        If we could be 100% sure that the UEFI body was totally independent and was really just there to ensure that all the i's and t's were dotted and crossed, you'd be correct. But we cannot be because, as I have pointed out, MS has form for skewing these bodies.

      2. JEDIDIAH
        Linux

        Frothing and whatnot

        Your OEM is Microsoft's house boy and has been for decades.

        They will do whatever Microsoft tells them to do and say please and thank you during.

        They simply cannot afford to get on Microsoft's bad side. Their Windows discounts might get revoked. So they will go along with whatever Microsoft wants.

        Perhaps you missed the big trial where this all came to light?

  21. M Gale

    If the worst happens...

    "...sorry, I can't recover the files on your hosed installation. You have a Microsoft BIOS that won't let me run this Backtrack disk. If you had (insert brand of not-shit PC here), I could have helped."

    Or words to that effect. Perhaps UEFI will allow you to add your own keys and self sign, but if not, then there are many ways of showing why this is a bad thing to technically illiterate users. Especially after their installation gets hosed and they can't find the Windows disk.

  22. sabroni Silver badge
    Thumb Up

    don't know what you're all worried about

    with the massive consumer spending power of the linux community there's no way hardware manufacturers would lock you out!

  23. Doug 3
    Mushroom

    boot.ini and how MS protects you when installing another OS

    Look, Microsoft already does not play well with other operating systems by disabling the other OS in their boot process when you install Windows. They put up a screen telling you that you can re-enable the other OS by changing boot.ini when it's a 1-2 line addition to the file they could do if they wanted to play well with others.

    read my lips:

    THEY ARE NOT IN THIS GAME TO MAKE ANY OTHER OS EASY TO USE WITH WINDOWS.

    So they say it is up to the OEM to allow other OSes to boot with UEFI and you should know what pressure and control Microsoft exerts on OEMs to do what Microsoft wants. Unless OEM's are legally forced to provide those unlocking keys when the product ships, we will not get them easily or at all.

    Fix your crappy OS Microsoft and leave the hardware open.

    1. Anonymous Coward
      Thumb Down

      I'll think you'll find

      The hardware consumer spend in Linux is far, far higher than you imagine it is.

      1. loopy lou
        Pint

        What's more...

        Much of my linux hardware spend over the last 10 years has actually included a windows license.

        But if machines that ship with windows 8 won't run linux then anyone buying a machine for linux will have to choose one without the firmware restrictions. It may not be a huge market, but if an oem can service it with a simple variant, then maybe this will inadvertently boost the availability of os-free hardware.

        Well, here's hoping at least...

    2. Anonymous Coward
      Anonymous Coward

      Err...

      That's right... That servies for UNIX they made and their support of Linux on their virtual machines makes it particularly hard to interoperate Windows with Linux and UNIX.

      In fact the SNA services proxy they used to make totally prevented the interoperabillity with pre-IP IBM frames.

      Oh, err...

    3. Ramazan
      Coat

      @sabroni

      So, servers will be sold with unlocked UEFI, right, but this won't help you to find small portable computer (I mean notebook) able to run Your Unix of Choice, won't it? Or will you go to work with 1U server in your bag?

      Mine with low power SFF 72 core MIPS64 PDS cluster in the pocket

  24. Anonymous Coward
    Anonymous Coward

    Nothing new...

    Every time I build a PC i pirate $40 of MS software to offset the MS Tax. From now on it'll have to be $150 for a full copy.

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      You mean the MS Windows tax where Windows pre-installed machines cost less than the ones without Windows pre-installed?

      Shouldn't you be giving money to MS for every machine you remove Windows from, following your logic that is.

      Oh, also, if you build a machine - I presume you mean make from discreet components, rather than put an OS build on it - there wouldn't be Windows installed anyway so no MS tax.

  25. NoneSuch
    Unhappy

    This is ...

    ... a feature that most people do not need. All it will do is form another point of failure that can potentially deny me from booting my PC, but also deny direct access to the HD. In case of issues neither of those is a good thing.

    If you insist on doing this, make it an option that can be turned off in BIOS settings.

  26. Anonymous Coward
    Anonymous Coward

    Notice Tony's careful use of words...

    Tony didn't say that M$ wasn't going to PRESSURE the OEMs to not include an uefi "safe" boot disabling option,... he merely said that it was the OEMs' option to include it... M$ is notorious for their back-room deals, totally off the record... They did the same thing when "negotiating" with Barnes & Noble over Android patent extortion "licensing."

    Nope,... the only way to make the OEMs play ball will be to buy machines and if they are not able to be booted with alternative OSes, return them (and avoid those with restocking fees, or bring unfair trade practices against them if they try charge them). Few OEM vendors will disclose the lock-out up front, giving most consumers a valid objection to restocking fees with their credit card vendors. The more machines are returned, and have to be unloaded as "refurbs" at a loss, the less likely they will be to "play ball" with M$ extortion tactics.

  27. Anonymous Coward
    Anonymous Coward

    I wonder if they'll wake up ...

    When people (i.e. the consumers) start up the lawsuits?

    Many people use software that is available only for Linux and require it, even if its just a secondary OS. How is this supposed to fly? Its none of MS/OEM's business what I choose to run as my OS. MS isn't a hardware company! Hardware isn't like software, so fuck off, MS.

    This form of crass Mafia business practice -- I'm literally speechless. This sort of nonsense can only get worse if legally unchallenged. What astounds me, though, are the number of people who seem to think that there's nothing wrong with any of this.

    1. Bronek Kozicki Silver badge
      Thumb Up

      Maybe I'm clueless optimist, but as long as users are free to disable the feature or, even better, manage signature keys in UEFI store, I see no problem with it. I'm also pretty certain that doing it otherwise would be fiercely opposed and is not going to happen.

      Also, Microsoft is a hardware company - they make pretty good better webcams , mouses and few other bits.

  28. Captain DaFt
    FAIL

    I predict...

    If this is implemented, it'll scrapped within two years for one or more of the following reasons;

    A. Within weeks of its release, it'll be hacked into a new attack vector. (Of course,it'll be many months before they admit the problem exists.)

    B. Consumer complaints (and returns) from a host of unforseen problems it will generate. (Murphy's Law always trumps engineering skill and marketing plans.)

    C. The flood of new "Run what you want" boxes that will hit the market from various minor vendors without Windows installed, depriving MS of a surprising amount of "MS Tax" on computer sales.

    What, me worried? I'm stocking up on snacks and sodas to enjoy the show caused by the inevitable cluster-fuck if this goes through!

  29. Lars Silver badge
    Happy

    Dear OEM

    We love you where much, and as you know, we have no power nor no wish to affect your decisions,

    but you do know what a great responsibility we have towards providing our customers with the superb user experience and safety they expect and are used to, using our products.

    In order to fulfil these goals there are a few things regarding the hardware that is demanded for running Windows.

    The choice is yours alone and we will accept any decision you make regarding this minor question.

    Regards, Microsoft

    1. Tomato42 Silver badge
      Angel

      PS. we will provide a "Certified for Windows 8: Platinum" for all the machines that implement it and sell WIndows 8 Home OEM copies for $5 and Windows 8 Professional OEM copies for $10 for the same hardware.

  30. Majid

    Security is always a hassle.

    So you are saying you want to run a 'maybe' rootkitted OS on your machine?

    Signing a kernel is a hassle? Sure, yeah any security measure is a hassle. I think Linux wants to be a safe OS too right? Or are we going to play the Apple game and state that there is no reason for that because the OS is so secure it can't be rootkitted?

    For development purposes I agree. There should be an option to disable, but normal customers would surely want an OS that they can be reasonably sure that it isn't easy to be rootkitted.

    1. Anonymous Coward
      Anonymous Coward

      @Majid - Trolls are finally starting to catch up by now.

      If you decided to use an easily root-able OS, that's your problem. However, I do not accept a solution to your problem that will force me to quit running an OS (it's not Linux but since all you've ever known is Windows I will not bother you with details) which isn't so easily compromised. Oh, and you are not in the position to decide what normal customers and Linux users want, let them decide it for themselves.

      Signing the Linux boot-loader and/or kernel is a major hassle when your #1 enemy with a serial killer history has a word to say on it. In case you missed it, this is the subject of all these posts here.

    2. Cameron Colley

      So you have a time machine do you Majid?

      If so, please could I borrow it?

      I can't see how else you expect anyone to include a signature for the new Bootloader, Kernel or OS that comes out in mid-2013 to BIOS made in 2012.

      Also, do you think manufacturers will let people who build their own kernels send them keys to import before they buy the PC?

      The problem being envisaged here is that only bootloaders signed by keys included in the BIOS will be booted from. If that isn't the case, and importing your own key is possible, then this isn't a problem. That's kind of the point of the discussion...

      1. Bronek Kozicki Silver badge
        Facepalm

        PKI

        "I can't see how else you expect anyone to include a signature for the new Bootloader, Kernel or OS that comes out in mid-2013 to BIOS made in 2012."

        why would they? It's enough to store root certificate for CA which will sign these new boot images. And the root certificate can be just as well your own public key. I see no reason why any vendor would want prevent you from storing it in UEFI of your own computer, so please STOP PANICKING!

        1. Cameron Colley

          @Bronek Kozicki

          Once again, this is what is being discussed here and what is currently unclear.

          Worst case being the only key included is the one MS used to sign Windows 8, and even they will use another for Windows 9 (highly unlikely).

          Best case is you can add your own key, preferably by setting a jumper or pressing a hardware button -- this is thought to be how it would be done in the real world. The problem here being that MS has as long history of giving discount licenses to OEMs who do things to make it harder for users to choose their OS (they've been convicted, this isn't speculation).

          A middle ground would be, say, that a key is present for a CA who will sign Linux bootloaders -- problem there is that it will cost everyone who wants their kernel signed, since I doubt they'll provide a free service.

          The developers working on the kernel, GRUB, or whatever could sign them, perhaps, the only problem there being that the GPL would have to be re-written or they'd have to give out the key used to sign them, thus defeating the object.

          Of course, the manufacturers could just allow non signed bootloaders to run instead but, as stated above, MS will give them no incentive to do this and past performances point to the possibility of them actively discouraging it.

          1. Bronek Kozicki Silver badge

            I understand and I also admit I don't have access to reports to back the following up.

            According to Gartner, Linux was fastest growing segment on servers in 2010. http://ostatic.com/blog/linux-is-growing-fast-on-servers-and-red-hat-benefits

            Do you seriously think that any vendor would voluntarily remove himself from this market? I don't.

            Although I do agree that it is quite possible that the desktop sector could be partially bastardized - not by locking Linux out, but rather by making it more difficult to install.

  31. Anonymous Coward
    Anonymous Coward

    Linux has made such massive inroads into the server market, it seems clear to me that all reputible motherboard manufactures will have options for a Linux boot.

    There's enough 'movement' in the Linux market and big enough numbers for this to be a certainty.

    So, calm down everyone, it'll be alright.

  32. Anonymous Coward
    Devil

    The only way I can see things getting worse

    Would be a merger of Microsoft and Monsanto.

  33. Cyfaill
    Linux

    Microsoft does not know how to be "good"

    It is the dream of Microsoft to slow down, incapacitate, hobble, cripple, disallow and prevent anything that makes it seem as though there is a choice - to not use their Operating System.

    Especially if the competing Linux is somehow better.

    Microsoft is not competitive in mobile so it latches on to piggybacking the cost to produce mobile devices by suing the hardware manufacturers that use android, thus raising the cost to consumers and slowing down the demise of the PC by cost offset and generate a profit on the existence of android like the parasites they are.

    Even as the gradual death of the PC is soon to be here... if they can somehow prevent or make less easy for a newbie to install Linux they win.

    No doubt experienced Linux users will find a work around in time... but slowing down the inevitable, Microsoft wrongly believes that they gain time to make more profit. Perhaps long enough to become the complete parasite upon Linux by whatever means available.

    Microsoft was never a good neighbor, not to their partners or to their users. Restrictions, restrictions, restrictions... pay me, pay me more, we want it all.

  34. Anonymous Coward
    Linux

    Supporting UEFI secure boot on Linux: the details

    "An obvious question is why Linux doesn't support UEFI secure booting. Let's ignore the issues of key distribution and the GPL and all of those things, and instead just focus on what would be required. There's two components - the signed binary and the authenticated variables...."

    http://mjg59.dreamwidth.org/6054.html

  35. Ilgaz

    OEM decides?

    You mean the same OEMs putting "best viewed under IE 5.5 or above" on all pages including routers/modems running freaking linux themselves?

    They sure know the idiotic OEM will disable linux booting just to look nice to MS.

    I know only couple of brands who has balls to ship their laptops with freedos (aka nothing) pre installed. Nothing else comes to mind.

    Ignorance is what they trust as usual business.

  36. Ilgaz

    Any American into politics around?

    Did these guys hire a private army and overthrew US government and judicial system together?

    I mean, they have to put a lot of extra to Internet Explorer, they couldn't enforce Windows Live ID to use Windows, they even had to put a "choose your defaults" to OS interface and now, they are in freaking BIOS.

    Half of the reason TPM failed was the DOJ and other officials whispering "don't even dream about it" to Intel and Microsoft. The rest was the media like The Register and couple of others like Slashdot.

    This is something even Apple doesn't do on the machines they design themselves. Wake up really or we will talk about pc jailbreaks. No joke here.

    Did these guys just bribe DOJ or White House? What does military elite think about this? These guys have sure thought about the security aspect and monopoly aspect, not?

  37. Martin Usher
    Thumb Down

    Purely artificial marketing BS, as usual

    We all know that getting one program to look like another isn't a big issue. We don't need a signed 'grub', for example, provided we had a signed something or another that knows how to load grub. That signed something or another can also load Windows, except it won't because Microsoft appears to be trying to set up a scenario where the loader will only load their code and only their code. This won't be at all difficult to bypass for a sophisticated user (or criminal -- same thing) but it will deter the average user, someone who would otherwise like to load a Google/Linux/whatever supplied instant on OS that just accessed the 'net.

    From what I've seen Windows 8's UI sucks, BTW.

  38. Anonymous Coward
    Anonymous Coward

    Yeah right

    Yeah right, like UEFI won't be cracked in a week or so...

  39. vincent himpe

    i don't see what all the fuss is about

    the bios adds a check before boot : give me your signature , and checks this against a stored list of 'known good' signatures. if the key does not match it refuses to boot.

    Good ! this prevents malware.

    Linux ? should'nt be a problem. just get a signed version and hand the key to the bios. done.

    oh wait... ehm yes is think is see the problem... with so main strains, forks and custom builds of linux there is going to be a massive amount of keys .... and someone will have to fork over some dough to get all these trusted key ... wow. and ubuntu crancks out a new version almost every day... thats gonna be a problem.

    1. Anonymous Coward
      Anonymous Coward

      @Vincent - It is not even about money here.

      Let's say a certain version of the Linux boot-loader gets signed and works with UEFI. You download it and the GPL grants you the right to modify it AND to run the modified version. Unfortunately, because of the signing keys, UEFI will not allow you to run the modified version so this will be a copyright violation for the distributor. It will be no longer possible to distribute Linux. This is exactly what TiVo was doing and it is exactly one of the reasons GPL was upgraded to v3.

      All this in the name of security so who could possibly be against it ? Now you see why Microsoft is so delighted ?

      1. Bronek Kozicki Silver badge
        Happy

        simple - just build Linux with your own private key, install public one to UEFI and presto! Boot, verify signature match, start Linux.

        This of course assuming PC vendor gives you an option to install keys to UEFI. Second best option - do like these guys here http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-29-43-metablogapi/0624.Figure_2D00_5_2D002D002D00_Samsung_2D00_PC_2D00_secured_2D00_boot_2D00_setting_5F00_thumb_5F00_02016A69.jpg (thx AC for the link) and disable secure signature verification. No protection agains rootkits, but there are none under Linux, right? "that was a joke, haha fat chance".

      2. vincent himpe

        eh

        The uefi simply want a signed loader.

        if MS changes the loader they have to sign it and provide the key.

        So, if you mod your loader you need to sign it. Why should linux user be treated differently than MS. The rules are clear : You want to boot ? give me the key .... The UEFI is neutral in this respect.

    2. Ilgaz

      iphone gets cracked in an hour

      You know Apple iphone "jail" gets cracked in an hour too. How many people have you seen jailbreaking around doesn't matter, the rate of general public cracking their phone is less than 1%.

      Good luck convincing general public to "crack" (they will call hack) their BIOS. These guys call support line in case their finger slips to del key while booting as they see BIOS screen.

  40. Damien Thorn

    consumer power

    Does not make commercial sense to cut out customers, linux has a huge following, and microsoft know full well a large porportion of those using linux also buy there high end distributions of windows, so ultimately it wont be an os vendor dictating what a pc can run, it will be consumers.

    Remember its consumers who forced windows 7 when vista wouldnt do what many wanted, and why major vendors like dell offered us what we wanted because it affected sales, this will in my view because of customer numbers be similar, they will sort it.

    Also in todays economic climate, vendors might get a frightening shock, wont take much for a major switch from home users and business to linux. It will be reputable companies then who see the potential, thats why i dont think theres anything for us to worry about, at this stage at least.

    1. Anonymous Coward
      Anonymous Coward

      @Damien Thorn - You're being naive on this one.

      It's Microsoft who decided to collect a fresh round of voluntary donations from its customer base with Windows 7. Don't like Vista, then pay for 7. That was the MS mantra on their way to the bank.

      Customers were definitely not those who forced Microsoft to replace Vista. Microsoft could have simply wait and all of us would have migrated to that OS maybe after a Service Pack, Where else could you move with all your MS-Office documents after support for XP being terminated ?

      Admit it, you are so tied to Microsoft that you will swallow whatever they shove down your throat.

  41. Anonymous Coward
    Anonymous Coward

    Mangefeste

    Is this the travellers' version of Crufts?

  42. Anonymous Coward
    Anonymous Coward

    Stop crying like babies.

    Just turn this off.

    http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-29-43-metablogapi/0624.Figure_2D00_5_2D002D002D00_Samsung_2D00_PC_2D00_secured_2D00_boot_2D00_setting_5F00_thumb_5F00_02016A69.jpg

    If that's too hard then you shouldn't be dual booting.

  43. Ohb1knewbie
    Linux

    Upgardes?

    Surely MS is not planning on foregoing upgrades from earlier versions of Windows on existing hardware, so there's going to have to be some mechanism (assumed to be on the install media/via the install process) to add the required keys to existing machines which do not have them currently.

    If the UEFI is an open standard, BIG assumption – I realize, would not said method be available to Linux, BSD, etc...? If not, the best solution would seem to not be an ON/OFF switch which would make dual booting Windows 8 and an unsigned Linux a major PITA, but instead an IMPLEMENT/IGNORE switch that would tell Windows 8 - “Yes, I'm here and functioning just like you insist” and otherwise just piss off for anything other than Windows 8?

  44. goats in pajamas

    Microsoft...

    ...are the scum of the earth.

    Imagine if a car maker came up with a new device that meant that other cars would only be able to drive on the same roads if they adopted a new device to counter it.

    They'd be in Court so fast their feet wouldn't touch the floor.

  45. Number6

    Hardware Key

    So the way to do it is to add an extra connector to the board so that a dongle can be attached that contains a small EEPROM with the custom key in it. That way the HW manufacturers get to sell the little boards as well, so more $$$ and it requires more than just software to add an extra key (or more than one) to a system. The dongle board would have a write-protect link on it so that it could be plugged in, have a key written to it by a small program (using a freely-available API) and then the write-protect would be enabled. As a one-off step this could be done for a Linux distro, after which the distro maintainer could distribute kernels signed with the key. By having more than one key possible, individuals could add their own keys as well, so that they could sign and boot their own kernels.

    1. Ramazan
      Paris Hilton

      @Number6

      So one has to pay for freedom twice: first for unnecessary windows 8 that came bundled with a computer, then for the right to use another OS on the said computer, correct?

  46. Anonymous Coward
    Trollface

    seems like...

    ... everyone is *wanting* this to happen so they can say "See, look how bad microsoft are!"

    So no amount of logic being applied, in that motherboard manufactures are really not going to lock out other vendors, will fall on deaf ears.

    Yes, it's likely that pre-installed PC's from the like of PC World, that ship windows OEM, will fall under these restrictions - but 99% of people who buy those PC's won't know, won't care and won't be installing Linux.

    But what respectable Linux user would buy a windows OEM rig anyway?

    And if they did, they'll be able to modify that PC to run Linux.

    Sorry, but this is much ado about really nothing at all - it's a numbers game, no matter which way you paint it, Linux has a minuscule share of the desktop market.

    But hey, some people just love to blow things out of proportion when it comes to microsoft.

  47. stuff and nonesense

    Microsoft makes a component for the PC.

    Linux distributors produce variations of a component for the PC.

    AMD / Nvidia make components for the PC.

    UEFI is a boot loader for those components.

    NO component manufacturer should be able to block access to the platform at the expense of another.

    The attempts to block should be seen as protectionist, any applicable laws should be used to stop the platform being tied exclusively to any individual component manufacturer.

  48. heyrick Silver badge

    F*cktards

    This "secure" nonsense is a big misnomer, for it might be nice to get a verified kernel running, but given Windows history, the fault is rarely with the boot code, but with everything else. Will this secure boot stop rootkits?

    Secondly (DVDs, BR, Sony consoles, SSL, etc), systems that work with the concept of a fixed signed key are inherently flawed, for when the key is known the security evaporates. Do they not realise that the moment this hits the high street, it'll be poked and prodded and ripped apart? No DMCA is going to put the genie back into the bottle.

    Simple activism, identify what boards/machines have this unwanted feature and don't purchase. Make enough noise that your friends will reconsider likewise...

  49. shawnfromnh
    Big Brother

    Privacy and Monopolies

    Isn't this against the EU privacy laws if someone in the US can ID a machine from just being turned on anywhere in the world. There's also the fact that the EU was pissed that MS had IE preinstalled a few years back and this is so much more a monopoly move than just browser choice, this is forced product. I wonder how many stores will be stocking PC's with Linux preinstalled or Linux ready? Not many I bet.

    So if they push this I hopefully expect the EU to possible rule collusion between the hardware makers and Microsoft since it would make it more of a monopoly than before they even shipped the first motherboard with this locked in bios. Especially if you had to special order unlocked motherboards.

    Does anyone think this would be better than DRM for tracking users? Since they don't need an I.P. address and are basically given a computer ID without asking?

  50. Anonymous Coward
    Anonymous Coward

    So whats the bad news???

    "What both Microsoft and critics of UEFI seemingly agree on is that unless secure boot can be disabled then Linux can't be run on Windows 8 PCs."

    Oh...

    Shame that.....snigger

    1. hplasm Silver badge
      Mushroom

      Hush.

      Grownups are talking.

      1. Anonymous Coward
        Anonymous Coward

        @Hplasm

        Judging by the paranoid "The Man will get you and tell you what you can and can't do on your own PC" type of nonsense being written in this thread, I seriously doubt that is the case.

      2. Anonymous Coward
        Anonymous Coward

        Thanks for that. Could i just add that, if, had wanted to listen to an arsehole, i'd have farted.

        Go Bill.....

  51. Robert E A Harvey
    FAIL

    Another snag

    Assuming you want to stay with windows, how will the motherboard code learn the key for windows 9? or 10? Not only will this daft idea stop you running linux or qubes or whatever, but there is a good chance you will need a new mobo for each new version of windows.

    Who benefits from that?

    M$ ? yes

    Mobo makers ? yes

    users ? -err - umm - no.

  52. HooHah!
    Unhappy

    Run out of space?

    OK, suppose the UEFI folks let us add new keys to the system. How many keys will it let us store? Three? Five? 20? And what happens when that number is exhausted? Can we delete obsolete keys? How will the system let us identify which keys are obsolete?

    The people likely to hit this problem are kernel developers and boot loader developers. Including Microsoft's kernel developers and boot loader developers. It will also affect some driver developers, and PC maintainers such as IT support people.

    Messy, messy.

  53. sam 16

    This looks like a dumb move...

    The best way, historically, to identify the inherant faults in your security system, has been to ensure it blocks linux users. CSS, Bluray, graphics card manufacturers, not to mention mobile phone manufacturers, have all had thier systems verse engineered and cracked by the open source community.

    That's sad because a pre-boot integrity checker like this sounds like quite a good idea. I presume that rather than a cryptographic approach, this will fall to reflashing the bios to disable the software, or overwriting the keys by which ever patching mechanism MS use. Or some kind soul leaking the keys, as seems to happen often.

  54. Henry Wertz 1 Gold badge

    @The Original Steve

    Nope I won't "back the fuck off". Microsoft has no reason to request this to be enabled to begin with. Well, no *legitimate* reason. Older BIOSes already had the option to detect a modified boot sector. Did this do anything useful with regards to virus protection? Nope. Niether would this. For Microsoft's purposes, it is just to add a hurdle to installing your own OS on the hardware you own.

    (Where this would be useful is for ATM and for slot machines. But from the one I've seen booting, they already had multiple layers of authentication -- including I think a custom BIOS that verified both itself and the grub bootloader. Obviously, a slot machine would not run Windows.)

    1. Magnus_Pym

      "For Microsoft's purposes, it is just to add a hurdle to installing your own OS on the hardware you own."

      Including other Microsoft OS's. This essentially ties the mobo to the windows version purchased with it. No more 'upgrade' licences available as is not technically possible any more. The old mobo won't recognise the new keys as they didn't exist when it was made. There is no guarantee that a new Mobo will recognise old keys. Who says it should?

      No. If you want an upgrade on any part of your system you have to upgrade everything all at the same time.

  55. Cyfaill
    Linux

    A rolling release is my reality (problem is real)

    A point that affects some of us, is that reality.

    I use aptosid Linux based on Debian sid (unstable due to advanced and experimental state)

    I go through many perpetual upgrades continually as that is the nature of an experimental development model - We are the future of your next Linux

    that includes the boot loader and the kernel and all of the thousands of applications. If this thing (UEFI) becomes some form of reality what of that.

    I smell the scent of a plan here... killing the development of future software by those whose interest lies in the status of what is. A blockade of development. Linux is mobile and changes to fill the needs of society by responding to new hardware with functionality... that is why it is a fast cycle and that explains the hundreds of distro's. Needs vary.... UEFI is a poison pill to that, so it seems to me.

  56. P. Lee Silver badge
    Linux

    No need to read this far

    The server manufacturers won't include this - too much linux and no-one wants to go to the data centre to turn a key to install a new kernel (windows or linux).

    The OEMs are happy to pay the MS tax because, well, pretty much everyone will buy windows anyway, so the tax turns out to be cheaper (due to "marketing support") for customers than paying "properly" for the OS.

    Now, hands up who wants to be the first OEM to introduce a feature that will stop customers from pirating W7 Enterprise to replace the OEM version installed. Hmm, I see no hands.

    Do you think Gigabyte are going to kill their hackintosh community? Do you think the other manufacturers are going to bother to implementing EFI and forgo that option? If it get's implemented, they'll certainly be a "turn off secure boot" option available.

    I see two reasons for this "feature":

    1) FUD. MS have no expectation of implementation, they just want it to shout that linux can't boot "securely."

    2) Driver signing bonanza. Unless your drivers are signed by MS they aren't going to load. Charge a small fee and you have a recurring revenue stream. The problem is, that makes MS responsible for all the drivers. I'm not sure they'd actually want that. If they don't sign all the drivers, you don't known kernel. That seems to point back to (1).

    An easier security option is to mount your OS partition read-only. Have a separate "update OS" boot option which loads the OS partition r/w but only runs update software. The OS comes up, installs the updates. Once the installation is complete, you reboot and loading the OS in "run" mode which switches the partition back to read-only.

    MS could also help themselves by having different users to update the OS from those which can install applications. If you disallow the OS-update user access to non-OS-update apps, you stop people just running as admin all the time. In fact, you could hobble the system-wide app-install-admin account to only run a couple of processes, so that can't be used to run everything too.

    Oops, I've missed the point haven't I? This isn't about security, its about licensing. My interest appears to be vanishing...

  57. Jean-Luc Silver badge
    Thumb Down

    Odd behavior from MS, you'd figure they'd learned their lessons.

    If the technical gist is true, i.e. that Windows will get preferential treatment at boot time and competitors will be potentially excluded, then I would expect the various anti-trust/anti-monopoly agencies to take action.

    If not the US, at the least Europe has in the past forced Microsoft to provide choice, for things far more trivial than this.

    I don't believe hiding behind the fig-leaf of the firmware capabilities being provided by the mobo companies will cut it.

    Memo to MS: you've spent the 90s exposing your dirty laundry in anti-trust cases. The 00's brought us Vista. Do you really need to squander goodwill again this decade?

    1. Anonymous Coward
      Anonymous Coward

      @Jean Luc

      I think you've hit the nail on the head: It's not going to happen, because MS know that they'd end up with a court case that makes Media Player or IE bundling look like chicken feed. It's just that a lot of people really, really want MS to be as evil as possible to justify their choice of Linux (and it always is Linux, never Free BSD, etc) being somehow against the system.

    2. Ilgaz

      It was easy for them in nineties

      It was just Sun, IBM who doesn't really care that much about desktop with Apple who had their own serious problems to deal with.

      Netscape was only a browser maker who wasn't liked too much by such enterprise (DOJ and Congress were also paying huge money).

      Today, it is FSF who is very organised and experienced, Google giant who basically owns the information and who has very serious plans for desktop and Apple with very long term plans which everyone can predict.

      I can also bet large OEMs have their long term agenda, nobody would want to tie their future to another company that much. They are already being extremely pissed just looking at startup/ shutdown speeds of os x and windows on same hardware.

  58. Anonymous Coward
    Anonymous Coward

    Back in your cages people

    OK, so when it's suggested that Microsoft *might* use something, why is this suddenly *more* sinister than the fact that Apple are *already* using it on all their Intel Macs?

    As you can see from the complete lack of a single flavour of Linux running on any UEFI Mac this really is a major problem... Oh wait, no, the other thing.

    *sigh*

    Nothing to see here folks, move along please.

    1. Ilgaz

      Apple doesn't block anything

      You can install linux or any *bsd to a Mac, including apple powermac.

      They didn't abuse their design to prevent people from installing other operating systems. They even added special functions to disk frameworks to make easier to online resize/ divide partitions.

      Either you have been misinformed or misinforming people yourself.

  59. Reg T.
    Big Brother

    The option

    to "unlock" will not be yours to make. It will depend entirely upon the whims of the OEM vendor.

    I think it safe to say that the US government will seize this as an opportunity to implement their WEB ID government issued digital ID/biometric unique identifier mark which will be required for all internet activity.

    They already fondle your stones at the airport or give you "free" cancer, so you won't protest being chipped and permanently identified by your government.

  60. Svein Skogen
    Mushroom

    It's WORSE than just locking out Linux

    All of us know that most of the not-so-serious pc manufacturers, preload a lot of crapware (and track-the-user-for-advertisement-ware!) software onto their products. Even a lot of blackmail-ware (such as symantec's CoinOpped virii).

    With this "enforce signature" setup, the MFG can protect against users removing all this crapware with a "real windows" installation-disc. They can FORCE you to remain the recipient of targeted spamvertizement.

    Now, what would be their motivation for allowing users to reinstall a non-infected OS again?

  61. 2cent

    Microsoft Linux Money Engine - Phase II

    This will be great, M$ will push the technology through and allow it to be open by UEFI firmware manufacturers, then via a backdoor contract, gently remind them to pay because of using unknown patents that supposedly linux breaches if loading linux is aloud.

    All signers of contracts will be non-disclosure types to keep it from the prying eyes of the light of day.

  62. Filippo

    I don't think this is going to be a problem. Adding the ability to disable secure boot is very easy for firmware makers, so I expect that most mobos will be able to have the secure boot disabled and run whatever you want. Even if some manufacturers decide not to allow the user to disable secure boot, surely Linux users are savvy enough to check before buying the mobo.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019