back to article Windows 8 secure boot would 'exclude' Linux

Computer scientists warn that proposed changes in firmware specifications may make it impossible to run “unauthorised” operating systems such as Linux and FreeBSD on PCs. Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Geoff Campbell Silver badge
    FAIL

    Good grief....

    They never learn, do they? Ho hum.

    GJC

    1. Anonymous Coward
      Anonymous Coward

      @GJC

      Nope, gawd bless'em.

      The whole trusted computing architecture thing died a death before and the world is a different place now - you know, with some real competition for MS, the fading monopolist. So I don't rate their chances this time around as well. TCA required the connivance of Intel and I get the feeling that's not as likely these days either.

      But you can't keep a good tyrant down so it's probably a good thing to publicise what they are up to so they don't get away with it just because no-one was looking.

      1. henrydddd
        Linux

        hell

        If Microsoft succeeds in this (I wonder how many millions or billions will change hands), I hope that the hackers in this world make life a living hell for windows products on the internet.

        1. Anonymous Coward
          Anonymous Coward

          Make?

          "I hope that the hackers in this world make life a living hell for windows products on the internet."

          From what I see, day and daily, it already is!

  3. pip25
    Thumb Down

    Thankfully the UEFI board is not only made up of Microsoft

    I doubt this will be realized... or at least I hope so. I really don't want to see an age when you have to install custom firmware to your bloody PC to make it function free of artificial restrictions.

    1. The BigYin

      The ISO...

      ...board is not made up of MS, but they still managed to force through their patent-encumbered 'standard'.

  4. Anonymous Coward
    Anonymous Coward

    Where did I see that before???

    Bundled OS with hardware, does that sound familiar to you?

    This proposal is the ultimate blasphemy. Here we go, re-flashing our motherboards with unlocked UEFI/BIOS/whatever.

    Good, now we will have motherboards that behave like a PS3. </sarcasm>

    Shotgun shell, meet foot.

  5. Jolyon

    Won't happen like that

    Which may be a shame as it sounds like the sort of push that might finally lead to broad mainstream acceptance of Linux desktops.

    Nothing people dislike more than being told they are having choices removed even if they had no intention of taking up the alternative options.

    1. The BigYin

      Umm...

      ...explain Apple. Anyone who likes freedom and choice should eschew Apple, but people flock in their droves.

      Make is shiny enough and people will pay you to enslave them.

      1. Jolyon

        Apple has boot camp

        Which is one of the reasons I would consider one of their PCs even though it's quite possible that after buying one I would use it infrequently if ever.

      2. Greg J Preece

        Apple who created Boot Camp?

        There may be many reasons why they did, some more cynical than others, but at the end of the day, Apple made Boot Camp so you don't have to use Mac OS X on their machines. And failing that, there's rEFIt, which if you ask me is the superior solution.

      3. BristolBachelor Gold badge
        Trollface

        Except that my MBP will happily run OS X, or Windows, or Linux, or BSD, or....

        In fact more choice than a Windows machine :)

        1. Andrew Barratt

          it could all backfire on MS then

          If MS start to try to lock people to their tin supplier when you buy a PC, maybe even more people will flock to Macbooks.

          Another shot in the proverbial foot MS.

        2. Anonymous Coward
          Anonymous Coward

          uh huh ...

          So does my Netbook. And it cost peanuts.

      4. Anon the mouse

        Baaaaaaaaaaa.

        People are sheep. They like the illusion of choice, but not really having any... that way any problems are someone elses fault.

        Present company accepted of course as us el reg readers are more likely to want real choice and not just the pretend choice.

      5. Anonymous Coward
        Anonymous Coward

        Difficult as it maybe...

        Apple don't stop you installing other operating systems on their hardware though. They are more concerned about you installing their software on hardware that wasn't sold by them. And only a very small minority of people who buy Apple hardware and the software that comes with it actually bother installing another OS. In either case though, you have bought Apple hardware and/or software and to some extent agree to the terms you've bought them on.

        It seems that what Microsoft is attempting to do, is ensure that even though you'll inevitably buying your hardware from a third party manufacturer, you can only run Windows on it. Perhaps if I was buying Microsoft hardware such as an XBox it wouldn't be quite so unpalatable.

        But I'm not even sure it's quite that bad either. So long as you have a suitably signed boot loader that the BIOS is prepared to execute, you're good to go. Perhaps Google will step in and get GRUB signed appropriately? Once the BIOS has passed control to the OS, you're trusting the OS anyway.

        What it means for Microsoft, is that if your BIOS only allows bootloaders signed by a few authorities, and you run Microsoft's signed bootloader which is the only thing that can authenticate and launch a copy of Windows 8, then it's going to be hard for hackers to develop rootkits. It's one more backdoor that's been closed and not such a terrible thing from that perspective (i.e. would be useful for anyone wanting that chain of trust starting at the BIOS level).

        1. The BigYin

          These comments prove a very valid point

          People don't get the problem. Just because the MBP you have today will allow you to do this, does not mean a MBP tomorrow will.

          But the newer MBP will be shiny, and you like shiny dontcha.

          Here, this ball and chain is shiny to. Shiny. Likey-likey?

          1. Dana W
            FAIL

            Apples and Oranges

            Apple is a HARDWARE vendor, not a software vendor, they have less interest in Locking out other OS's. They are naturally concerned with what HARDWARE you are running, not what sofware.

            Mac 3 is running Mint, so much for my ball and chain......

          2. Anonymous Coward
            Anonymous Coward

            It might be a problem to some...

            But like I said the majority of people who buys Macs or PCs won't be installing other operating systems anyhow. I have 3 Macs and 3 PCs at home and only occasionally in the past have installed various versions of Linux, but never kept any of them in the long term.

            So even if I can't install other operating systems in the future, it really wouldn't be a problem for me nor a lot of other people.

            That's not to say I necessarily approve of it though. There is scope for it to harm competition and consumers but I have a reasonable amount of faith in the open source community, EFF and companies like Google, Redhat, etc. to prevent that kind of thing.

            Seemed to me a lot of people were starting to panic.

          3. Anonymous Coward
            Anonymous Coward

            This is an article about Microsoft not Apple.

        2. cloudgazer

          As the article explains there are problems trying to release a signed copy of GRUB, it may violate the GPL v2, it definitely would violate the GPL v3.

          On the other hand I don't expect this to go anywhere because it's Intel that has the most control over the BIOS/EFI layer and Intel don't want to make their kit less useful. Particularly with MS flirting with ARM, Intel have no reason to bend over here.

          1. 2cent

            Rally round the profit wagons

            I don't think Intel will care as long as they are the major player in the technology.

            A technology lock like this is just another method for other technologies, good or bad, to be excluded.

            All the PR will be how they saved the world.

            The reality is that there is no WMD out there, but it won't be played that way.

            I will assume politicians taking money will pass laws, but manufacturers will have the ability to opt-out.

            Sort of like when Xfinitity does not tell you about the free HD channels they must supply by law in the States. You'll never see them advertise that service.

        3. stuff and nonesense

          Hmmm... A Google sourced grub? A boot loader that logs all your activities and reports them to its master so that they can better serve you adverts...

          Sounds like a bad virus to me.

      6. Jim 59

        Apple vs MS

        Actually, most punters flock to Apple's main competitor, Android, mainly because it is more open and bit cheaper.

      7. Dana W
        Stop

        No

        I've run Linux on all my Macs. No Problems. Macs run all Major OSes.

        So much for no freedom of choice on my Mac. So looks like Mac IS where to go for freedom of OS choice if this bit of fun goes through.

        1. zanto
          Gimp

          @dana

          don't kid yourself. all apple need to do is pull another sony and pfft.. no more other os.

          however, knowing your typical apple fanboi, they'd probably go orgasmic every time, apple decided to bugger them.

          1. Anonymous Coward
            Anonymous Coward

            @zanto

            Can you give a reason why Apple would care which OS you run on their HW? No didn't think so.

      8. Anonymous Coward
        Anonymous Coward

        @The Big Yin

        Yeah, Apple allow you install any x86/x64 compliant O/S you want via boot camp and this new doo-dad from MS will allow you to run ONLY a signed and verified O/S and that would be...oh yes fricking Windows 8!

        So Brain of Britain, which is worse? Apple allowing you to install any O/S you want on their hardware or Microsoft who want hardware locked down so tight that it only allows Windows to run on all non Apple hardware?!?!

        1. The BigYin

          @AC 17:39

          Do you think for one second that Apple will not start to use this as well? They'll dress it up a bit better than MS and make it all shiny for you, but they will use it. Then where will you be?

          Apple run the most locked-down and controlling hardware/software when they can get away with it. This will be just another way of doing that for them.

          And do leave off the ad hominems, they really are pathetic.

          1. Anonymous Coward
            Anonymous Coward

            Tinfoil for The BigYin

            Apple has been using EFI/UEFI on all Intel based Macs since 2006 which just shows how paranoid you are. As for "ad hominems", thats all of your argumeants.

      9. itzman

        About Apple..

        You can boot linux on Apple hardware.

        Not tan many bother as its overpriced.

        When you buy apple, you buy a total solutions.

        I have no objection to people buying total solutions BUT if people want to buy hardware, that hardware should not be crippled.

        Will windows 8 load on a virtual machine without some pseudo signed BIOS? Not sure. Apple wont. (not without serious hackery anyway).

        The answer of course is to write BIOSes for all boards that don't have this issue. Are most bioses not in FLASH these days anyway?

    2. Anonymous Coward
      Anonymous Coward

      Yes it will

      Because most people don't care. At all.

      Your average (common?) PC buyer buys a PC and is even happy (relieved?) that it comes with an OS pre-installed because otherwise he or she wouldn't have the foggiest idea what to do. And those will be the same kind of people who may even support this movement because well (marketing crap here:) "It keeps my computer safe from booting unwanted or corrupted software such as virusses!".

      I see a parallel here, though very vague... The European vote on encryption; the issue which would make it illegal for an household to own an encryption method /without/ handing a copy of the secret key to the government. Of course all in order to prevent "terrorism".

      "It will never happen" people said, also because "We would lose our freedom". In the end hardly any political party cared (the attendance of said vote was very low) and it was IIRC Finland who eventually blocked the whole thing all together. Barely. It didn't even make it to the news.

      While this thing may seem huge to us don't lose perspective; your average PC buyer or owner will probably have a hard time understanding what this fuss is all about.

    3. Anonymous Coward
      Anonymous Coward

      Damn IBM took my cassette port away...

  6. Anonymous Coward
    WTF?

    "Garrett concluded that there is no need to panic just yet."

    Oh.Yes.There.IS.

    This is clearly illegal -- the concept alone is enough to have it declared as an assault. Yes, it would be a physical assault. This really *is* the thin end of the wedge!

    There's nothing bad about EFI itself and UNIX/Linux has no problem being made to boot from EFI (Apple already has it) but this "trusted computing" bullshit? This from MICROSOFT?!?!

    ALL computing already IS a dozen times more secure and trusted than anything MS has to foist on the world.

    1. Alex Rose

      "ALL computing already IS a dozen times more secure and trusted than anything MS has to foist on the world."

      In "ALL computing" do you include Windows computing?

      1. Tomato42
        Trollface

        Microsoft is playing and gaming, it's not computing.

    2. Doug Glass
      Go

      Kindly provide references, legal precedences, judgments and final resolutions that support your "illegal" claim.

      1. Anonymous Coward
        Coat

        Oh, really ...

        Don't be ridiculous. Its called Tying and its is illegal under European law. It would be an interesting test case under the same. It also probably falls under the Sherman Act in the US.

        1. Turtle

          "Physical Assault".

          "This is clearly illegal -- the concept alone is enough to have it declared as an assault. Yes, it would be a physical assault. This really *is* the thin end of the wedge!"

          So "tying" is treated as "physical assault" in Europe? Somehow I doubt that. It is *certainly not* treated as "physical assault" under the Sherman Act, so it would interesting to know why you have even brought it up, unless, of course, you did so out of sheer ignorance and stupidity.

  7. Anonymous Coward
    Anonymous Coward

    So who owns the hardware then?

    Seems like a wonderful opportunity to force through legislation that says that if you own the thing you must be provided with all the relevant keys to it, too.

    1. bean520
      FAIL

      will never happen - that would basically kill all game consoles security and therefore the business model

  8. Dazed and Confused

    M$ could end up in seriously big trouble here

    Having spent years trying to convince the powers that be world wide that they are not a monopoly if they then end up pushing a technology that guarantees that they are in fact a monopoly they could end up well stuffed.

    1. Arctic fox
      Windows

      RE: "M$ could end up in seriously big trouble here"

      Indeed they most certainly would. It is impossible to believe that the competition authorities in Europe or in the US would sit still for this - the row would be unbelievable. However that is perhaps the point? The article does not quote MS on this subject or indicate whether any attempt to contact them has been made. I for one would be *very* interested in how Redmond would react to this accusation. If MS actually *wanted* to give Win8 the worst possible start they could scarcely have chosen a better way to do it - and it is precisely that point that causes me to have some reservations about this story. Not because I am under any illusions as to what MS might *like* to do if they could get away with it, I just have some difficulty believing that they would think that they *could* get away with this.

      1. nematoad

        Well, maybe

        I agree that the EU might well look on this as a form of monopoly manipulation by MS, but the US?

        I am not so certain that they would, look at the way the DOJ handled the last monopoly case against MS. That didn't do much harm to MS did it? After all they do invoke the magic words "security"in their specifications for Windows 8 and you know how keen the authorities are on that. It would not surprise me if MS spun this as a tool in the "fight against terror" or something.

  9. Piloti
    Thumb Down

    Your computer or theirs ?

    So, if I am reading this correctly, MS will be saying that, although you own your hardware, the computer you have purchased, you can not run your OS of choice ?

    So what, I wonder, if you decided to reject the EULA at boot up ? Rejecting the T/C's from MS but still having them control your machine or rejecting them and essentially then having a vanilla machine with NO MS junk at all ?

    This is one occasion when I hope the EU does throw some weight around and say " get stuffed boys……..".

    1. Anonymous Coward
      Anonymous Coward

      Re: Your computer or theirs ?

      Whilst I agree with your sentiments, I'm surprised at your surprise.

      Haven't you heard of xbox / playstations / iphones / ipads ?

      Companies have been pulling this ruse for years

      1. Piloti
        Thumb Down

        Indeed I have.....

        ... the difference here is this :

        A device written for a single job [playing games p'raps] only has one job in life. Play the damn games. And yes, it would be great to have one piece of hardware that would play all games, regardless of vendor. Maybe this will be the next step in games evolution.

        That is where PC hardware is now. Standards to allow multiple O/S's. This MS proposal is, in my humble opinion a retrograde step and limits choice. At least in the games world, or mobile phone world, there is some choice, not much I grant you, but some.

        And right now, I can buy [if I want] any laptop and then shove, say, Mandriva or Ubuntu on it. And then use FOSS and not have to keep coughing up more and more money to a company that I really don't want to. This is about choice. I choose to use Linux, I will decide on what I consider to be a good experience, not MS.

        That, my Anonymous friend, is the difference.

        1. Anonymous Coward
          Anonymous Coward

          Re: Indeed I have.....

          Woooah there cowboy. Don't be so angry! I agree with your reply - I agree with your view about this being a horrible thing. As I said, I'm just surprised that you are SURPRISED that Microsoft want to do this.

          I use Unix exclusively too. No MS or Apple lock-in.

          Love, your anonymous friend.

          1. Piloti
            Thumb Up

            In that case....

            Thumbs up to FOSS and freedom to choose.

            Cheerio.

      2. Adam Nealis
        Stop

        Not the same thing.

        There is nothing to stop you (in principle) from installing a different OS than intended on these systems.

        The difference in this is case one's kernel must be signed, and the signing key recognised by the BIOS.

  10. Anonymous Coward
    Trollface

    Security

    Surely if security is the goal then having it recognise the Windows keys and refusing to boot would be a better idea.

    1. dssf

      If security is the goal...

      Then, it should be a NATIONAL/GLOBAL mandate, not one from mshaft.

      If it is about letting governments have backdoor, escrowed keys, then it should NOT BE ms that is the gatekeeper of those keys.

      Stallman et al need to REALLY quit wasting time ranting about Android and kick it into full gear on this EFI/TC chip. Government COULD demand that all mass-maket or commercial/retail consumer computers capable of loading an OS must have a TC-type of BIOS regime, but then, it MUST be an OS agnostic system, not one that helps a piss-ant, ape-jumping company get rid of competitors.

      Goddamn microsoft. JUST when I was gradually letting down my hair and easing up on anti-ms ranting, you STIR UP THIS SHIT AGAIN! I hate feeling filled with venom and vitriol, but goddammit, if i had the magic red nuke button, I'd kneecap that company, maybe up to the sternum.

      All this benevolent kernel involvement was probably to get on working committees to get legit, timely, deep insight and constant data stream on how the Linux kernel development and deployment works JUST so ms and its root-sucking, jack-ass consortium of fools can support ms in coopting the boot/bios industry to the exclusion of all others, save for Apple.

      Now, more than ever, foreign governments need to put a morningstar into ms' ass. In the name of national security, no government should let ms get away with this shit because it means likely only ONE country will have preview or full access to the global escrow.

      This IS SCARY, and inFURIATING.

      I still have a suspicion that ms has found ways to infiltrate and fuck up the distros distribution for the most popular distros such as Mandriva, PCLOS, Ubuntu and others. I for the past year have had increasing failure rates of installing PCLOS from magazine pressed/distributed discs than ever. It is maddening to have no clue, and no matter how thin or how fat an install, no matter which kernels, I have very little stability. I have no idea why ioslaves are rampantly failing for me. On FRESH installs, i'm talking about. It's so painful it drives paranoia a lot easier than questionable hardware. Each release of the kernels and update of KDE just brings me more and more frustration. I'm at the point where I feel I'd rather PAY $100 or $200 for someone to install it for me and provide me recovery disks and USB devices. But, i sure as hell will have them do it in a near-cleanroom setting, not from their own media and facility and have an opportunity to jack in some backdoor kit. I may inadvertently install a roge rpm, but it'll be MY error.

      OTOH, I sometimes wonder whether the distros themselves may be making things randomly painful by over-providing, or on behalf of hardware dealers who wish they could be part of the build process. In either case, I want LINUX as the host OS, and any windows as a virtualized, sequestered, QUARANTINED GUEST! Not the other way around. It's my CHOICE and my RIGHT, and ms should be fracking happy they at LEAST get a legit sales via a legit consumer purchase out of me since my desired apps don't run well in wine or not at all in Linux.

      1. MCG
        WTF?

        The simplest explanation would be that your PC and/or its optical drive is FUBAR'ed. But don't let me kill your paranoiac buzz!

  11. graeme leggett Silver badge

    Swings and roundabouts

    If this was offered as an option at point of sale. I can see some benefit in corporate security terms in preventing a PC from booting from an "alien" OS eg off CD.

    On the other hand if implemented across the board (no pun intended) it could well make homemade tools and recovery discs useless as well as dual boot systems.

    1. BristolBachelor Gold badge

      But it would still boot off a signed CD (e.g. Windows).

      If you don't want anything unauthorised booting it, turn off the boot from CD (floppy, usb, etc. etc.) options.

      Even better, don't have a CD drive; lots of attack vectors suddenly disappear, and you don't want admin people walking around with CDs anyway; store them all on an admin only share.

    2. Anonymous Coward
      Anonymous Coward

      Corporate IT would hate this

      It would *force* a company into a piecemeal upgrade of their systems.

      No mid-to-large company wants to do that - they want to keep everybody on the previous version until they can shift everybody onto the new one.

      This future is one where a company buying a new computer can *only* run the new OS on it. Your PC died and you need a new one, and it needs to run your legacy apps? Sorry, but MS says you can't do that.

      You need those legacy apps to do your job? Oh, what a shame.

      This would kill the Microsoft Windows PC, as no corporate could afford to accept it.

  12. Zebo-the-Fat
    Linux

    Simple Solution

    If the MOBO won't run linux or whatever I decide to use, then I will just refuse to buy it. If others do the same, then maybe when the manufacturers see their sales drop things may change.

    1. phlashbios
      Stop

      Sales drop?

      Businesses buy Windows PC's for end users. Consumers buy Windows PC's (and sometimes Apple's products)

      Where exactly do you think the huge drop in sales is going to come from that would alter what manufacturers do? Do you honestly think that the tiny minority that run something other than Windows or Apple's OS, are going to influence manufacturers in any way whatsoever?

      There are a variety of reasons why this initiative may fail dismally, and thankfully not make it to market, but a drop in sales isn't one of them.

      1. PyLETS
        Linux

        Sales drop: because closed hardware is crap hardware

        "Where exactly do you think the huge drop in sales is going to come from that would alter what manufacturers do? Do you honestly think that the tiny minority that run something other than Windows or Apple's OS, are going to influence manufacturers in any way whatsoever?"

        Um, do you have any idea how often the typical Linux user is asked for hardware purchase recommendations by non Linux users ? As far as I'm concerned, if hardware doesn't run Linux, by being closed, this means it's probably undocumented and barely tested, and we have no way of knowing how crap it really is. So it's likely to have problems being upgraded to the next version of ProprietaryNClosed OS, for which even the next forced patch level may very well break it.

        Anyone who had to tell people to throw away cheap Winmodem crap once the software which worked on Windows N didn't work with Win N+1, and the manufacturer had lost interest in maintaining the drivers will know all about this.

        1. Anonymous Coward
          Anonymous Coward

          Or trying to get Linux to talk to a WinModem in the late 90s.

        2. Tomato42
          Big Brother

          Don't need to look at the '90s, just look at Creative and their drivers.

          They sued the guy that un-broke their drivers to work with Windows Vista.

    2. Aaron Em

      You and three other neckbeards

      aren't going to make a hell of a lot of difference to anyone's profit margins.

      1. Anonymous Coward
        Anonymous Coward

        Other than to...

        RedHat. And Samsung. And Netgear. And Cisco. And Shiva. And...well, you get the idea.

    3. dssf

      Drop in sales... only part of the pain they need

      Is only PART of the after-effect. For even daring to take part in such heinous acts they need to suffer severe legal retribution, plain, swift, simple, and enduring so they learn to not cozy up so much to a company that behaves like a tyrant yet donates to charitable causes to soften its rough edges.

      Would ms and its chairpeople donate if the company's public image were not so under siege?

  13. Boris the Cockroach Silver badge
    FAIL

    I'd give it 3 weeks

    after first coming to market that the clever linux bods find a way round it.

    and 3 days before the malware scum find a way past it

    1. Anonymous Coward
      Anonymous Coward

      :)

      "Those malware guys will NEVAR get a hold of an improperly signed certificate!"

      /sarcasm off

  14. Anonymous Coward
    Anonymous Coward

    They are finally pulling the trigger on TPM?

    So, they finally feel bold enough to pull the trigger on Trusted Platform Computing? With the proliferation of tablets, cheap computers (Raspberry Pi), and phones?

    Microsoft really thinks they are big enough to tell the PC makers "Hey, we want you to jump on this grenade to save us. Don't worry about the inevitable anti-trust suits, don't worry about having to keep your servers and your personal computer lines separate because servers need to run Linux, don't worry about anything but protecting Microsoft. GO!"

    1. Anonymous Coward
      Anonymous Coward

      "because servers need to run Linux"

      You Linux fanbois are almost as bad as apple fanbois

      Hint: There are many many many open source unix alternatives to linux

      1. DavCrav

        "You Linux fanbois are almost as bad as apple fanbois

        Hint: There are many many many open source unix alternatives to linux"

        All of which are not Microsoft, so would be banned also. So what's the difference?

      2. Ramazan
        WTF?

        @AC 18:54

        What do you mean by server then? Secondhand SPARC running plan9? Don't be silly, there is no open source UNIX other than some kind of RHEL on enterprise servers

        1. Adam Nealis
          WTF?

          RHEL != Unix

          Linux is not Unix.

          If you had said FreeBSD you would have been closer.

          1. Ramazan
            Facepalm

            @Adam Nealis

            Wrong, GNU's Not Unix, but this is just blah blah and has nothing to do with what I'm saying here. Oracle (and Java probably too) aren't supported on FreeBSD, OpenBSD, NetBSD, fooBSD and barBSD while they are on RHEL, SLES, HP-UX, Solaris, AIX and even on Tru64 and this is what matters for server. If you are OK with limited box, then you may go with SheevaPlug and happily live together ever after. Most customers aren't and they want Linux

        2. Anonymous Coward
          Anonymous Coward

          Ramazan, you are typical of the sort of fanboi I was referring to.

          Have you looked at the top netcraft servers? Generally at least 4 out of 10 run FreeBSD. In the latest survey, there were more Freebsd than linux! http://news.netcraft.com/archives/2011/09/05/most-reliable-hosting-company-sites-in-august-2011.html

          I also know MANY MANY enterprise servers that run FreeBSD, NetBSD, OpenBSD, etc.

          netcraft themselves, yahoo, ISC, etc

          Unfortunately, many of my customers are gradually switching to Linux, because a lor of the so called "unix" experts are only used to the many non-standard linuxisms with respect to unix (or unix like) implementations.

      3. Tomato42
        Paris Hilton

        I would need to use the definition of "many" equal to 1 to count OSS UNIX alternatives to Linux.

        Paris, for even she doesn't count to three using "many".

        1. Anonymous Coward
          Anonymous Coward

          I see your '1' and raise you to '5':

          opensolaris

          netbsd

          freebsd

          openbsd

          dragonflybsd

  15. Anonymous Coward
    Anonymous Coward

    Planned obsolescence by crypto key

    Why, isn't that smart? You buy a second-hand computer (not now, but say a tech generation or three after this gets put in practice) but no new copies of windows will run on it because the keys are "too old". And any alternative won't run at all. I can see why they like this idea. And now is a pretty good time to go for it, now that everybody knows that good handling of keys is essential and my aren't they proactive and Stuff. Only they're screwing you big time, like your computer is a game console. Only you didn't get the discount on the hardware. Way to productize your customers, micros~1.

    1. scarshapedstar
      Coffee/keyboard

      Wow, I forgot about that. hilari~1

    2. Paul 129
      Devil

      Thin edge of the wedge

      I can't believe people didn't see this one. Even if they lose money on this now what it offers, in the future, is the ability to charge the hardware makers more in return for more sales.

      Oooh IT downturn you say, we've got a new shiny shiny, but to use it you need to pay $X for each motherboard for your license to the key, so make them nice n pricey the sheep wont notice they'll just have to pay for a whole new system if they want it. They're used to that now...

      Oh n dont forget as part of they key license, your only allowed to manufacture Y number of boards for those other OS's (erm non conforming boards)

      Our only hope against this IS government intervention against the M$ monopoly. That has always worked in the past.... Ohhh.

  16. Wize

    Well...

    1) Pirates will circumvent the keys

    2) People in the know wont buy the hardware so they can run other operating systems

    3) IT support wont touch them as they will want to boot from CD (sometimes Linux) to fix problems on a machines.

    Can't see any benifits

    1. henrydddd
      Unhappy

      hmmm

      I wonder if MS will try to get the law changed so that, like Sony, it will be illegal to put Linux on your pc?

  17. The Alpha Klutz

    It's a crying shame, but somehow I'm sure there will always be a market in motherboards that aren't crippled in this way.

    Such a move would also create a new market in high quality firmware cracking tools just as there are already high quality Microsoft cracking tools. 'High Quality' means that they work and are not malicious, which is ironic because the copy protection mechanisms that they remove often do not work (self evidently) and are malicious (you're basically being spied on).

    Inevitably though such firmware lockout schemes will make it into the millions of low quality computers that Dell and Acer must be selling at cost price these days. All Microsoft has to do is offer them another couple of dollars off Windows and the temptation to screw their customers would be overpowering as usual.

    There is probably a market for this kind of thing in set top boxes and the like, when manufacturer's want to sell their hardware as a loss leader, and don't want some "scum" "bag" installing a proper OS on it and using it as a cheap PC. The Xbox will probably have this new firmware in it. But then the Xbox also breaks 5 times a day so there you have it.

  18. Mike 29
    Mushroom

    Every windows 8 story

    ..makes me more certain that it's going to replicate the visionary success of Vista.

    </sarcasm>

  19. Jemma
    FAIL

    And people still think St Jobs is harmless?

    The Great Jobs and his closed system goodness started all this and I hope the ifundies are proud of themselves for perpetuating it until it reached this epitome of ridiculousness.

    If this isnt stopped then Microsoft have everyone by the curlies.

    1. Assuming the ARM incompatibility re current windows apps is true - whole new app & systems will have to be upgraded, at once. Costs of which will kill small companies stone dead. Not to mention the lost business all such fundamental upgrades always bring.

    2. Even if there *is* a way of bypassing it companies wont use it because of fear of being sued for using jailbroke software stacks. Think im a pessimist? Just look at the legal battles over curly corners happening right now.

    3. Every single update will most likely break the jailbreaks that worked before. Another reason non MS will be killed in the commercial appspace. Companies just cant stop for 36 hours every time MS brings out an update.

    This is the point the various monopoly commissions need to step in and kill this stone dead - if they dont its going to make the credit crunch look like a fender bender. Companies will fall left right and centre, destroyed by the very IT they rely on.

    There is something even worse to contemplate. Lets assume, for example, Nokia drops WinPhone and keeps with Symbian and MeeGo. How hard would it be to introduce a bios level incompatibility? Ditto Android & even iOS. Syncing therefore impossible - or maybe modify Exchange to not talk to anything Linux based... And call it a bug, that we just cannot seem to fix...

    If that happens there are two possibilities. Firstly, we all bend over and take it up the tuchus. Secondly - Microsoft single handedly make the desktop/laptop extinct. Whichever happens people and companies will suffer during the intermediate period and ultimately we all will as a result.

    This is an extremely dangerous possibility and an entirely plausible one. And people wonder why I hate iFundies and the Steve they rode in on...

    1. Anonymous Coward
      Anonymous Coward

      Fall

      "Companies will fall left right and centre, destroyed by the very IT they rely on."

      [classic English understatement]

      I don't think they will.

      [/classic English understatement]

  20. Captain Scarlet Silver badge

    Signed version of Linux/Unix

    So the same could be said for Linux and Unix being preinstalled, except for I know Grub does support booting to windows quite well.

  21. Anonymous Coward
    Anonymous Coward

    This has all the hallmarks of not just Microsoft but

    This has all the hallmarks of not just Microsoft but the whole "content" industry, whose efforts to ensure a secure copy-protected delivery chain at every stage from disc (or network) to screen have been so helpful to PC and TV users and content consumers in recent years. Not.

  22. Wile E. Veteran
    FAIL

    Sounds like ..

    One hell of an anti-trust suit to me. Trial lawyers, sharpen your knives, there's a big fat hog just waiting to be butchered.

    BTW How is this any different (in concept) than IBM making their OS's only run on IBM hardware?

    1. DutchP

      it's the exact opposite

      make all hardware not run anything other than your software

  23. Ryan Kendall
    FAIL

    Sounds Like an Apple

    Bundled OS with hardware ?

    1. Anonymous Coward
      Facepalm

      The difference being ...

      Apple make what are essentially unencumbered PCs -- which can be loaded with any OS you like. For the time being at least.

      A Mac is just a perfectly standard Intel PC with the addition of a hardware EFI bootloader interface ... that's not a problem. You can run Linux, Windows or BSD Unix without a hitch either as a primary or secondary OS, as several comments have already mentioned.

      What is being proposed here is that your hardware would be unable to run anything but the copy of Windows it came supplied with and NOTHING ELSE.

      That's simply not the same thing, nor is it even remotely legal.

      The whole thing smells of desperation on the part of MS.

  24. Chad H.

    Forgive me if this sounds ignorant

    But what is the benefit of running only signed code during boot time? Are there better ways of getting the same result?

    Seems to me from the sounds of this article to be a blatant attempt to missue market power...

    1. diodesign Silver badge
      Facepalm

      Anti-malware

      The only benefit is to stop malware infecting your boot-up. As soon as the boot executables are nobbled, their signatures will change and the UEFI firmware will reject them. If the machine will only start securely signed bootloaders, it's therefore game over for the trojan trying to gain control of your PC during initialisation.

      Unfortunately, there's no way (as it stands) to tell the difference between an unsigned malware-infected bootloader and an unsigned bootloader for Linux.

      1. Charles 9
        Mushroom

        But...

        ...there have already been cited instances of signed malware (indeed, malware signed with keys too ubiquitous to revoke--Realtek makes most of the mobo sound chips on the market; bye-bye sound?). What's to say some malware group enlists or worms a mole into Microsoft such that they can get at Microsoft's private keys? Or employ GPU-augmented botnets to find weaknesses in the signing algorithms? Either way, the end result would be a SIGNED malware bootloader. THEN what?

      2. CyberCod
        FAIL

        Wouldn't this mean that once infected, your computer never boots again until its proper bootloader is restored?

        It sounds like a downtime nightmare.

      3. BristolBachelor Gold badge

        Re: Anti-malware

        Won't work. Ever.

        Just like the DVD scrambling didn't work, and ditto for Blu-ray, PS3, HDCP, printer-ink cartridges, iOS, etc... People will break / leak / work around the keys.

        There are already virii that tamper with the BIOS. There are already Virii that get around only signed software installs / drivers, etc.

        What it will (possibly) do is make it harder for people to install any OS they want. Apple might be happy because machines won't run Mac OS X (without even more effort).

        Windows / OEMs may change the keys from one generation of Windows to the next or between OEMs, etc. No putting new windows on old H/W; you have to buy new H/W. No putting that HP OEM Windows on a home-build or Dell box.

        Maybe even stop people putting old Windows on new HW. Enforced upgrade cycles are good for everyone (except the customers).

      4. henrydddd
        Linux

        why

        Instead of assuring only windows will be allowed to boot, why not lock up the boot sector with a switch that has to set. For the consumer who in smart enough to install a new operating system, setting that switch will be no real big deal. Unless this switch is set, it will be impossible to modify the boot record. Just a thought

        1. Anonymous Coward
          Anonymous Coward

          Isn't that what the "Boot Sector Virus Protection" option is for in most current BIOSes? Admittedly it's just an "alert if the boot sector changes" rather than a lockdown.

    2. Aitor 1

      I almost like the idea

      As long as you have the OPTION to boot from non valid keys, it is ok for me.. as it will be way more difficult to make rootkits.

      If it is mandatory, then it will not only be a disaster, but also illegal and their ulterior motives quite different.

  25. The BigYin

    Given the dross...

    ...spouted over RMS's comments about Android, do people *NOW* get why we need free software?

    Free as in speech, not as in beer.

  26. Anonymous Coward
    Anonymous Coward

    Ah, Professor Anderson, I presume...

    It's been a while since we had a Professor Anderson story...

    I will just observe that his blog post says: "I hear that Microsoft (and others) are pushing for this to be mandatory"

    ie: He doesn't know that they are, but someone has said to him that they may be. It's the sort of thing that I'd take with a pinch of salt if I heard down the pub.

    MS aren't going to support something that stops people running what they want on their own machines, the anti-trust guys would be down on them like a ton of bricks and the know it. However the combination of Prof "Against the banks" Anderson and an anti MS story chimes so strongly with Reg Commentators that he must be 100% correct and MS must be 100% evil and it doesn't even need to be checked out for basic facts or plausibility.

    1. CyberCod

      but Microsoft IS 100% evil.

      Just because crazy people can see it too doesn't make it false.

      1. Anonymous Coward
        Anonymous Coward

        Err...

        I was just trying to inject a little sanity into this "debate".

        The story is obviously rubbish, no quotes from anyone in MS to back it up and even the person "quoted" said that "he has heard" rather than he actually knows. Besides this no-one has bothered to pause for a second and think that this will prevent all other MS OSes from working if adopted.

        1. Arbuthnot Darjeeling

          MS

          only care about their latest version of windows.

          For a new editionof windows, you buy a new machine, right?

  27. sisk

    So it'll be impossible to run Linux on new Pcs? Like it's impossible to run Linux on PS3s, Xbox360s, and Wiis? Oh, wait a minute....

    Yeah, nothing to worry about. We always have Linux bootloaders for consoles within a year of them being released and that's with just a small subsection of the Linux community working on it. When you start talking about PCs and give all of the Linux community a vested interest in making it work, I'm guessing you'll see this cracked wide open within a month or two of it hitting the market.

  28. Anonymous Coward
    Anonymous Coward

    ACPI again?

    In Bill G's own words:

    From: Bill Gates

    Sent: Sunday, January 24, 1999 8:41 AM

    To: Jeff Westorinon; Ben Fathi

    Cc: Carl Stork; Nathan Myhrvold; Eric Rudder

    Subject: ACPI extensions

    One thing I find myself wondering about is whether we shouldn't try and make the "ACPI" extensions somehow Windows specific.

    It seems unfortunate if we do this work and get our partners to do the work and the result is that Linux works great without having to do the work.

    Maybe there is no way to avoid this problem but it does bother me.

    Maybe we could define the APIs so that they work well with NT and not the others even if they are open.

    Or maybe we could patent something related to this.

    Source - http://groklaw.net/staticpages/index.php?page=ComesExhN05#E3020

  29. Britt Johnston
    Windows

    different understanding

    I read this twice, but could find no reason against making linux the standard for PCs, and then loading a VM-windows OS only when windows is needed.

    Wouldn't this reduce the Microsoft hold on PCs?

  30. yossarianuk

    re : So who owns the hardware then?

    Well once you install windows certainly 'Not you'.

    Its in the EULA - you give up all human rights and allow Redmond and every script kiddie in the galaxy to do anything they want to your computer.

    All the kids' won't care as it will have Windows 8 init

    1. John G Imrie
      Linux

      Windows 8 init

      I thought Linux had init. Windows has autoexec.bat

  31. Bronek Kozicki
    Angel

    won't fly

    vendors will have to provide option for installing keys in UEFI by the clients, by "clients" I mostly mean "corporations". These use Linux on servers in thousands, and won't give up only because some vendor thought not to make their ware fit for user requirements; they just change the vendor That's what competition is for.

    Once vendors have to go through the work necessary to make UEFI keys installable, there is absolutely no reason not to make similar functionality available on "normal user" desktops. Doing otherwise would give them plenty of bad press, just (some) vendors started supplying drivers for Linux and generally pretending that they care.

    Even if competition does not force that, consumer protection laws (at least in EU) will.

    So nothing really to see here, move along.

  32. Anonymous Coward
    Anonymous Coward

    on the flip side.....

    I think it should be an option....

    If when you go to PC world, you get a brand spanking new PC, with microsoft all over the box, and a MS operating system pre-installed. and that you can ONLY install the same version of windows on that PC with no other choice, then so long as the price tag reflects that your choices for future expantion are limited then thats fine by me....

    Lets face it... most people who go into high street shops to buy a pc, run the OS on it, and by the time they have finished paying the finance they go buy another box... this will not make the slightest difrence to them.

    So long as I can still go to my favorate PC hardware supplier and select what componants I want and put together my own machine, install whatever OS I want, then thats where choice comes in...

    so long as corp buyers can buy whatever systems they want, maybe even self sign a os install so their own particular build of OS is the only one to work on the hardware they bought is a good thing... The IT department can still have signed boot disks to boot live versions of os's..

    There is no way motherboard suppliers will only start to produce boards that will only allow one type of OS... they are not stupid enough to shoot themselves in the foot, not since the notorious meeting bill had with IBM anyway....

  33. Robin Bradshaw
    Facepalm

    Global mischief :)

    From Matthew Garrett's blog:

    "Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load."

    So assuming windows8 will have these Pkek keys the first exploit of windows 8 would then allow the malware to add the windows signing key to the blacklist and render the machine unbootable.

    Or at least thats my cursory take on it.

    Foot meet high velocity projectile :)

    1. Vic

      Re: Global mischief

      > the first exploit of windows 8 would then allow the malware to add the windows

      > signing key to the blacklist and render the machine unbootable.

      More likely, the FOSS guys would spend significant effort getting their keys into the whitelist. And, of course, those keys would be publicly available, so as to ensure users could install the bootloader of their choice...

      Vic.

  34. Anonymous Coward
    Anonymous Coward

    @Umm... explain Apple

    Er... you can run Linux on Apple hardware. They don't lock the bootloader. I've run Ubuntu as the primary OS on a MacBook Air (2010) for several months i.e. erasing and replacing Mac OS entirely.

    Hardware-wise it's the best laptop I ever bought. Software-wise I think Apple need to up their game, OS X is infuriating in some respects. Mainly in multi-monitor setups. Sorry but the idea of a global menu and dock which appears only on one monitor is ridiculous. Also they should be embarrassed to advertise "full screen apps" and "cut and paste files" as new features in Lion.

    1. The BigYin

      Another one who misses the point

      Apple do not lock the hardware *yet*

      Not even MS demands that OEMs lock the hardware *yet*

      Do you get the point? It's NOT about what you have now it's about what you WILL BE FORCED to have. It's just like you cannot use HDMI due the various vested interests deciding that you freedoms and you rights mean jack-shit.

    2. Anonymous Coward
      Anonymous Coward

      Oh yeah?

      I don't seem to be able to install Linux on an ipad.

  35. 1Rafayal
    Pint

    But surely there will be hardware for developers

    I mean, for the people/groups who like to create their own operating systems? Wont there be something out there that will cater for them? And would it be as simple as just deactivating this security?

    This reminds me of the time when DVD players became popular - everyone wanted to know how to remove the region lockout on their drives in order to watch films from other regions. I could see something like this happening.

    I dont honestly see a problem with the hardware on your machine verifying you have the right to boot a certain OS, but if this is just Microsoft trying to freeze out the open source community then they will need to go and sit on the naughty step for a while..

  36. mark phoenix

    Whatver they've been smoking I don't want any of it

    Currently I run Mac with a Windows botocamp and 2 Linux VMs.

    Why would any power user buy hardware that locked to a single OS?

    1. Paul_Murphy

      Power users wouldn't

      However all the technologically illiterate who 'just want it to work' wouldn't even think to question the salesman saying 'and it's safe to use since it will only run windows'.

      I can't see anything like this succeeding, but then maybe they are just trying to sneak in another nasty and are using this as a distraction.

      ttfn

  37. Nigel 11
    Boffin

    Hypervisors?

    No-one has mentioned hypervisors yet.

    If you can boot a hypervisor, then you can run LInux, Windows, whatever under it. If you can't, then you are cut off from a lot of technologies that I expect will break out of the datacentre onto the desktop, as network bandwidth and hard disk sizes increase.

    To take just one example: if you want to secure your data in a corporate environment, you want the hard disk behind locked doors in the datacentre or a data-safe-closet. Given a Gbit or faster network, that's easy. Boot a hypervisor on the desktop, then boot the disk in the datacentre across the network.

    Perhaps the BIOS of the future ought to BE a hypervisor? Just as long as it's open to all client O/Ses, of course.

    1. Bronek Kozicki

      It all comes down to question : is this bootloader recognized as correctly signed by UEFI? This is valid question as long as the hypervisor is loaded from bootloader; but probably not so if it's all in BIOS .

      Whilst I can imagine some machines will come with keys locked down in UEFI (still there would be hacker tools to change/add keys, pretty sure of that) it is going to be low segment of the market, if it happens at all. Perhaps tablets/laptops, too.

      Anything that might be used with a hypervisor (or open source OS): servers, barebone systems, motherboards alone etc. would provide an option for user to install keys. Either competition or customer protection laws will force that. In other words, I don't believe vendors will be allowed (by either of these two forces) to ship systems which, by design, are unable to run an open source OS.

  38. Will 28

    Something not right there

    The prof says:

    "I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user"

    He then links to a blog post which says:

    "There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code."

    Perhaps they should talk to each other and compare notes?

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      It's almost like Prof Anderson is a massive self-publicist and people so want to believe ill of MS that they don't even do basic "does this make sense" type analysis of the article.

      But that couldn't be the case, could it?

    2. pip25

      This link suggests that the "feature" can be disabled:

      http://www.prnewswire.com/news-releases/american-megatrends-announces-aptio-uefi-bios-support-for-windows-8-uefi-development-pc-at-build-conference-129744348.html

      Unless AMI wants to offer a BIOS right now that runs none of the OSs available today, they have to provide a way to turn that damn thing off. But if Windows 8 won't boot without it, that still means that I will have to keep switching that thing on every reboot when I want to run another operating system.

  39. dave 46

    Looking squarely at security for the common home or small business user this is a good idea - just make it so you can turn it off in the bios.

    If you know how to install Linux, you'll know how to turn it off.

    Making it impossible to turn off is overkill and I don't think it would happen unless there was a commercial imperative (i.e. subsidised hardware or software purchased as a bundle).

  40. JimmyPage Silver badge
    Stop

    Usual FUD

    I would expect something like a BIOS option ... "Allow unsigned boot code ?", which would be set to "YES" by default. This would protect the average Joe, could be locked down by big corps IT departments, and allow the tech-savvy punter to disable it to do what they like.

    1. Bronek Kozicki
      FAIL

      "insecure" by default?

      power users would know how to change it (so they can install Linux on it), my parents would have no idea there is such an option and thus their computer would be no safer for it.

      I'd rather have signature check turned on by default, thank you very much. Even if I don't benefit from it directly, thousands of average Joes would. And that would, among other things, make the Internet slightly better place.

      1. JimmyPage Silver badge
        Facepalm

        oops

        I meant "Load unsigned code ?" should be "NO" by default ....

  41. heyrick Silver badge
    FAIL

    Secure computing?

    What a load of bollocks. Controlling what can *boot* on the machine [*] is a fairly trivial thing, and can be easily circumvented by: 1, lack of physical access to the machine; 2, not leaving it running with admin privs; and 3, a hardened IT policy that disables access to booting from specific devices (USB/SD, etc). Once the machine has booted, will this supposed security continue, or will Windows be a pwnable as before?

    * - on XP machines where people have shut down badly and the thing boots to UNMOUNTABLE_BOOT_VOLUME messages, it is hell to get Windows to recover itself from a simple disc map corruption (because the recovery console is an add-on, not a standard issue). It is, however, a breeze to drop in a copy of Hirren's BootCD, fire up the NTFS version of DOS, then run a pass with chkdsk. Losing that sort of functionality will be annoying unless Microsoft fix their recovery tools, but given the (XP) version of ScanDisk couldn't detect a FAT disc on fire, never mind mildly corrupted, and that - believe it or not - command line chkdsk (actually vfat) has a habit of crashing when anything goes wrong, I don't trust Microsoft one bit in this respect. Their disc recovery tools are mediocre at best. Not something you want to discover when your supposedly secure computer got owned and now the damn heap is throwing up messages telling you that your recovery stuff isn't going to be booted...

    1. Tony-A
      Thumb Up

      The ability to RECOVER from a disaster is maybe even more important than avoiding problems.

      Ensuring that your lost data is irrecoverable -- well that seems to be Microsoft's idea of security.

      Some kind of Linux boot disk, most any kind of Linux boot disk, is often essential to recovering Windows machines.

  42. Jim 59
    Happy

    Not likely

    This has no chance of happening, because nobody will want it except for some MS executives. Good of the Cambridge lads to raise it early though, to save MS further dissapointment.

  43. Anonymous Coward
    Anonymous Coward

    Am I missing the point?

    UEFI in its purest form is there increase security on the end Pc. Rather than bitching and whining about how signed OS's (not Windows specifcially you note) are the only ones that will work with this tech, why doesnt the open source community modify lunix and other distros to be compliant / compatible? so far as I can see people are all hankering to cater for the lowest common denominator.

    1. Vic

      You certainly are

      > why doesnt the open source community modify lunix and other distros

      > to be compliant / compatible?

      Because FOSS is about Freedom. The Freedom to roll your own version of the OS, for example.

      In order to do that, you'd need to be able to sign it yourself with a key that is accepted by any putative lock-down UEFI. That means having a signing key readily available to all.

      And if you can do that, then locking down the UEFI serves no purpose whatsoever, as anything that wants to circumvent it can do so trivially. The key would be readily available, y'see...

      Vic.

      1. Bronek Kozicki

        RE: You certainly are

        You are perfectly correct but missed one thing : as long as the user is able to add own public key to UEFI , he will be also able to use own private key to build Linux, and such kernel would be validated by UEFI. So assuming this comes with option to add user-defined keys, there is nothing preventing Linux from running on such a machine. Installation might be slightly more complex, that's it.

        I don't believe we are going to see PCs without ability to add own keys and without ability to disable this protection, so the whole article is just alarmist nonsense to me (feel free to vote me down). If this were to happen, I'm certain there are laws in place (consumer protection and x64 server market, among other things) to make vendors think twice.

        1. Charles 9

          What man can use for good...

          ...man can use for ill. Picture your scenario. Guaranteed, a malware will come along, able to hijack the keyboard and USB bus on low-level, and make out like it's you monkeying with the key registry. Purpose? To add a malware's signing key to the registry. Now it can safely take over the boot sector. Next time the machine boots, it sees the malware boot sector...but it signed and the key's known. KABOOM! Remember, SIGNED malware already exists. It can happen again.

        2. Vic

          Re: You certainly are

          > You are perfectly correct but missed one thing

          No, I didn't.

          > as long as the user is able to add own public key to UEFI , he will be also

          > able to use own private key to build Linux

          And if keys are readily available to sign Linux / alternative OSes, they're also available to sign the malware.

          IOW, this whole plan would be a total waste of everyone's time and money. Except Microsoft's, of course; they'd make out ilke bandits. Again.

          Vic.

  44. TeeCee Gold badge
    WTF?

    So, PC hardware it's physically impossible to boot MacOS on?

    You're not MS, you're Apple in disguise aren't you?

  45. steward
    FAIL

    ?

    As news trickles out about Windows 8, I have to wonder:

    Other than Microsoft programmers, who is the intended market for this? I'd think even Gates would stay on 7 and not upgrade!

  46. NOOOOOOO
    FAIL

    Here we go again...

    "Anderson describes this as a return to the rejected Trusted Computing architecture"

    Yeah, I remember how that actually useful technology was rejected because a bunch of overreactionary nerds couldn't keep their M-dollar signs in their pants long enough to actually figure out how it worked (it doesn't do anything unless you use something that calls on it, just like the DRM that's been in Windows for about a decade), that it was COMPLETELY FUCKING OPTIONAL (in most cases you can pull that eeeeeeeevil TPM chip right off the board!), or that there were NUMEROUS attempts to bring TC functionality to Linux as well as Windows. It's still around of course, but now it's actually quite difficult to find a good board with a TPM. Yet when Pimp Daddy Steve actually DID start telling the world what programs they could and couldn't run on the hardware they bought, many of the same nerds were conspicuously silent, just like they are today about Win8 ARM. Funny, that.

    I don't know about you all, but to me, the thought of a BIOS or Option ROM rootkit (http://www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf) completely controlling my computer without me ever realizing it is a bit scarier than the thought of eeeeeeeeeevil M$ maybe potentially sorta possibly doing it in a way that everyone on earth will know about, in which case I'd STOP BUYING THEIR SHIT. It would be nice if you idiots would stop ruining things for everyone who actually cares whether their computer's lowest-level firmware has been tampered with.

  47. Paul Landon
    Coat

    Make Linux Secure

    To make Linux secure we could exclude Windoze -no?

    1. Anonymous Coward
      Anonymous Coward

      Re: Make Linux Secure

      To make Linux secure, replace it with FreeBSD

  48. StefanoRighi

    BIOS setup save the day!

    What about going to BIOS setup and disable Secure Boot feature and install whatever you like?

    Market will decide if PC sold without this BIOS feature will be well accepted by customers...

    Stefano

  49. Manu T

    RE: Microsoft at it's core business

    Dejavu! This is Microsoft going all eighties over again.

    Amazing. We're going back in time!

  50. b166er

    There is plenty of knowledge out there when it comes to modifying BIOS ROMs.

    Perhaps this is why Microsoft are suggesting this as some cack-handed way of protecting their IP.

    However, I expect any system such as this implemented in UEFI would be undone or worked around in about 5 minutes.

    Essentially, these large corporations would spend a fortune trying to implement this only to have it undone by a group of enthusiasts.

    We've seen this happen sooooo many times.

    Christ, even master keys get leaked ffs.

    1. Bronek Kozicki
      Boffin

      ... whilst in other large corporations

      ... there are plenty of servers and not all of them run Windows. Actually, significant part run on open source, since it makes support options cheaper.

      So if there are server vendors wishing to lose a business, they are welcome to do so - there will be plenty left to buy hardware from.

      So no, this isn't goint to happen (and I very much doubt Microsoft would even seriously consider pushing vendors in this direction - they paid enough fines already).

  51. DJ Particle
    Holmes

    Here's why MS'plan would never work....

    First let me kill one particular misconception: MacOS X is *not* a walled garden. If you think it is, you're thinking of iOS, and even that is pushing it, because people have jailbroken that. UNIX-based OS's (like MacOS X and iOS) cannot be a walled garden.

    Now the reasons why the "forced Windows" will never come to pass:

    1) Windows 8 will tank, harder than either Vista or ME, and it will be for the same reasons Office 2010 is still being eschewed in favor of Office 2007. Their 'ribbon' menu system is so vastly different than what people are currently used to. This is NOT what you want to force on less-computer-literate users who are used to the current "File Edit View" hierarchy. As for the "tiles" interface, it's not working for Apple (how many do you know actually use the "Launcher" as the main interface), so what makes MS think it will work for them on a desktop OS?

    2) MS would have to make this LAW to succeed at it, and they would have to do it WORLDWIDE. Good luck with that, and good luck with the lawsuits from Apple and Google (both of whom have far better legal resources than MS) that would result from even TRYING to push this through law. Why would they sue? Because such a law would also illegalize MacOS X (UNIX), iOS (UNIX), Chrome (Linux), and Android (Linux)...not just the smaller UNIXes and Linuxes.

    3) Because they would never be able to pass this worldwide, there would result in a grey-market for computers that can run other OS's, yet identify to internet routers as Windows to allow them online, completely killing the effectiveness of their plan.

    There are simply way too many ways to keep MS from doing this. Their plan to lock everyone into Windows is a cry for desperation from a company that is hemorrhaging money. At this current rate, I don't see MS as being a viable company past the end of the decade. Look in comparison: MS tanked HARD yesterday in the stock market (about $1/share, but that's still about 4-5% - probably over the news that Bing lost them $5.5 billion over the last year), while Apple is posting its highest numbers EVER... *without* Steve as CEO! Wall Street knows where the companies are heading already.

    1. Anonymous Coward
      Anonymous Coward

      Apple won't sue.

      Apple will welcome this. They sell a hardware+software stack (to stay in el reg terminology) and *do not want* anybody selling hardware for the purpose of running their software on it. So they'll take this, put their own keys in the BIOS*, and lock down their bootloader to their own hardware. No more hackingtosh.

      And the ribbon? Remember how lose '95 was oh so different from lose 3.*? People wanted it so bad, just like how they felt they needed 3 "for the multitasking" a few short years earlier. Despite better OSes that actually did multitasking being available. With enough marketing push this'll go through. Just convince "everybody" it's the shiny micros~1y future and you don't want to stay behind in backwardistan, do you? It's quite amazing what influence a little marketeering can have on the great unwashed masses.

      As to having to succeed world-wide, no they don't have to. Their primary market is the fortune 500, so shove that chock-full of this and the herd will follow. They already can enforce this through the DMCA and the USoA's stance on copyright and big corporate trading interests (in a nutshell: everybody else must bow to that, period). That there's a couple linux fanbois out there crying bloody murder, oh well, "they had it coming and good riddance", micros~1 will think.

      I'm tempted by your analysis, but I don't think micros~1 sees it that way, and they have enough monies to make DC not only buy into their view, but then make it make the rest of the world bow to it too, see ACTA. Then again, micros~1 has been wrong before, and we might yet make them wrong this time.

      * Or whatever you're supposed to call it with that newfangled thing.

  52. Lars Silver badge

    Do not underestimate

    Do not underestimate Microsoft, they will always attack any competition using any possible measures lawful or unlawful, and their power over OEMs is still stronger than anybody else's like before.

    On the other hand, I have a feeling that the number of "friends" is decreasing.

  53. choice

    Choice

    Trying to take away choice again... when will they learn?

  54. Anonymous Coward
    Anonymous Coward

    Wrong

    "Windows 8 secure boot would 'exclude' Linux"

    Wrong, Windows 8 secure boot would exclude Windows 8 from my PC if it comes down to choosing between Linux and Windows.

    So, will I be forced into that choice?

  55. jason 7
    FAIL

    I think some folks have an inflated opinion of themselves....

    ...and their amount of importance/impact on the PC market...mainly Linux users.

    Up in arms over possibly being shut out of modern hardware. How they will storm the barricades of computer tyranny (if there werent busy waiting for a torrent to finish or had to buy more crisps) etc. etc.

    The other 99.8% of the computer using world doesnt either notice or care and carries on using Facebook etc.

    The world keeps on turning.

    1. Anonymous Coward
      Anonymous Coward

      Servers

      As has been pointed out - but you seem to have missed - is that there are LOT of servers running Linux in the enterprise. If this lock down was implemented then MOBO manufacturers would face losing a lot of market unless they then create a locked down "client" PC MOBO and an open "server" MOBO.

      1. The BigYin

        Simple

        Migrate the servers to Windows. Job done.

        And, according to El Reg, GNU/Linux is already in second place on servers [Apols, search-fu has failed me at this late hour].

        Perhaps securing this position is MS's plan?

        1. Anonymous Coward
          Mushroom

          I take it you've never tried "migrating" software that was designed to run on Unix systems, over to Windows?

          Never seen the funny quirks that result, due to the software assuming a POSIX system?

          Ohh, and of course, Microsoft Windows can do everything that Linux can do, and is every bit as flexible … not!

  56. Anonymous Coward
    Anonymous Coward

    bootloader bloatware

    grub / bootcamp etc.

    why?

    The boot manager that comes in FreeBSD is less that 446 bytes, and loads up quickly and cleanly from the MBR itself.

    Do you Linux fanbois really need a gui boot manager to satisfy your secret windows fetish?

    http://www.freebsd.org/doc/handbook/boot-blocks.html

    1. Anonymous Coward
      Anonymous Coward

      Eh?

      We don't.

  57. airbrush
    Thumb Down

    Positives and Overwhelming Negatives?

    Well there are some positives such as quicker boot times and the end of root kits, if they make it optional fine. Surely we're at the stage where we need some kind of global body to ensure that companies don't employ anticompetitive measures to dominate a market and os have to be certified or something. Its in our own interest to have competition after all even if your not a fan of linux.

    1. Anonymous Coward
      Anonymous Coward

      Surely [...] we need some kind of global body

      We already have that and it is called the World Trade Organisation. And it's so wonderful that it causes mass leftist riots whenever it convenes. Not to mention that it's the vehicle for ACTA and such. How do you propose we fix them dividing the world in corporations and consumers?

  58. DEAD4EVER
    WTF?

    windows 8 secure boot

    so really what there meaning is making it impossible for linux users to use linux next to windows in dual boot or single boot. heh this wouldnt suprise me microsoft will try anything to get people forced on windows only i mean there making ie 10 with no addon support so you would be stuck with it without flash. think il stick with 7 least its stable fast and im able to use my own browser with flash.

  59. Sean Baggaley 1
    FAIL

    The stupid is flowing freely today.

    @PyLETS:

    "Um, do you have any idea how often the typical Linux user is asked for hardware purchase recommendations by non Linux users ?"

    Yes: once. After that, they've learned their lesson never bother to ask someone with such obvious sadomasochistic tendencies for advice on anything ever again.

    *

    - Consoles have been locked down since time began.

    - Virtual Machines run just fine on Windows.

    Furthermore, GNU / Linux and BSD are *niche* operating systems. GNU/Linux has had *twenty f*cking years* to "make it" on the desktop, and has failed dismally. And not just once, either. But this doesn't mean they're not popular in vertical markets like internet-facing servers, clustering, embedded devices, and so on.

    For those markets, it *will* be possible to continue to buy parts for building suitable hardware. But it won't be cheap.

    If GNU/Linux and similar platforms were any bloody use as consumer operating systems, the issue of finding computers capable of running them wouldn't exist even if MS did manage to lock down the UEFI: the market for GNU/Linux PCs would continue as, apparently, there's a massive demand for all this "openness" and "freedom" if posts to this website are representative of the general consumer market.

    But it turns out readers of El Reg are *not* representative of the general consumer market, so you'll only be able to buy "unlocked" computers from a few dedicated suppliers.

    Yes, they'll cost more than a cheapo Windows 8 PC, but guess what? That's what's *supposed* to happen in niche markets!

    Cheap *GNU / Linux* PCs are, and always were, a market anomaly. Sucks to be GNU, I guess.

    1. Richard Plinston

      cheapo ??

      > Yes, they'll cost more than a cheapo Windows 8 PC

      Why do you think that a W8 PC will be cheaper than an otherwise identical one with an unlocked MB and no cost of Windows ?

      Do you think that Windows is 'free' because it is not a separate item on the invoice ?

      If this does go ahead and W8 will only run on locked PCs then there will be no upgrades from XP or W7 PCs, they would have to buy a complete new machine.

      Similarly there will be no downgrades with a new machine where the user wants to or must run XP or Win7.

      There will be no upgrade vouchers for people buying W7 machines now.

      Consequently the OEMs will not put up with this. Buyers will not put up with this. Just like Symbian, Windows 7 would be a dead-end product that will not be available on new hardware and W8 will not run on existing hardware.

      It is also possible that W9 would repeat this so that new hardware is again required and W8 dead-ends.

      Linux is still running on an 8 year machine here. That is considerably cheaper than having to buy new computers every couple of years or so.

      Perhaps Linux users will just buy cheaply all the 'useless' Win7 computers when those who want W8 have to buy new PCs.

  60. Anonymous Coward
    Anonymous Coward

    UEFI signed boot only

    Hrrrm - lessee :

    HPUX - 453

    AIX - 324

    Solaris - 213

    Windows - 2845

    Linux - 1483

    about 85 of those Slowlaris hosts are on x86 UEFI boot.

    about 1300 of the windows boxes are on UEFI boot

    about 1100 of the linux boxes are on UEFI boot.

    I work for a global corporation that both sells and supports UEFI boot hardware.

    I really doubt the desktop space is going to drive this decision -

    x86_(32/64) systems running something OTHER than windows are far more common these days. UEFI is UEFI - one of the advantages of UEFI is that it can be written once for an entire family of systems. From Desktop to Server.

    if MS is applying to lock out any OS without an appropriate key, either the vendors will be making that an option that can be turned off or will be creating a method to update, add, modify the UEFI managed keys. And that action will NOT be complex, difficult or unmanageable. At least around here we're up over 250 servers/head on support levels. Automation is the ONLY way this works.

    Long and short of it, I STRONGLY suspect that IBM, HP, Fujitsu and Oracle will beat MS to a bloody pulp on this one, not to mention Cisco playing (warning WoW reference) the rogue in stealth mode, even if HP makes their hardware.

  61. Anonymous Coward
    Anonymous Coward

    Worship however you like, but keep it to yourself.......

    "It's a grey area, and exploiting it would be a pretty good show of bad faith."

    Err.... who cares.... but not bad faith, just an unbeliever

  62. Eduard Coli
    Linux

    Palladium dreams

    M$ and the entertainment monopoly have been beating this drum for sometime now, we can only pray they never get their way.

    They have somethings they want in video and in storage and now it is firmwares turn.

    Maybe M$ needs to be sued again?

  63. Jeff 11
    Windows

    Microsoft had better get their chequebook out if they want motherboard manufacturers to sign on to this, because it offers nothing but downsides to them. Secure boot covers up an extremely minor and difficult to exploit vulnerability, while at the same time increasing development costs and reducing end-user appeal. There might be a niche for extremely sensitive systems to use this technology, but extremely sensitive systems generally don't run Windows to begin with.

    So in other words, this is going to die for exactly the same reasons the TCA did.

    1. Ramazan
      Holmes

      @Jeff 11

      MS can try to offer discounts on bundled windows 8 or 9 to those and only those of OEMs who build "locked" systems...

  64. Will Godfrey Silver badge

    I suspect the main motivation is actually from Microsoft's 'friends' in Hollywood, however it is indeed disturbing.

    If this was purely about making your computer secure, then I would suggest the bios should contain a key generator, that was activated by a hardware switch or link.

    In key generation mode it would scrutinise whatever boot program was on the hard drive, store the key internally and do absolutely nothing else. To then run the system the switch would have to be reset.

    If that area of the bios was also not flashable when in ‘run’ mode this should protect against any malware attempts.

    Too easy?

  65. Vetcom
    Trollface

    Soooo

    What is in place to stop us flashing the UEFI to run unsigned code "Jailbreaking" our pc's.

  66. Anonymous Coward
    Mushroom

    Errm… Microsoft…

    I bought it… It is my computer… You did not pay one cent towards the hardware in *my* computer.

    Therefore, *I* will decide what *I* run on *my* computer.

    If you want to give me a computer, fine, you choose what it runs and how. Otherwise, get off my lawn.

  67. JohnG

    This idea will be about as popular as the Clipper Chip.

    1. Anonymous Coward
      Anonymous Coward

      Hmmmmm

      An interesting blast from the past. That totally vanished up its own fundament too.

  68. Stephen W Harris
    Black Helicopters

    Chain loading? Or Hypervisor?

    Could we have a minimal signed boot loader that'll then chain-load unsigned code? Or maybe a signed hypervisor that'll then run the OS as a full-machine VM.

    In fact I can see MS doing this; hyper-v being the loader and then allowing other OS's to run underneath it. Of course you'll need a Windows VM to manage hyper-v, and it'll let MS claim they have the worlds most popular hypervisor, but...

  69. Paul Hovnanian Silver badge
    Mushroom

    XP

    Will it exclude Windows XP as well? If so, this will not sit well in the corporate world (where XP is king).

    Try telling your corporate customers that they've got to rebuild their legacy apps for Windows 8 and there will be dark muttering. Mention Metro and they'll be marching on the castle in Redmond with pitchforks and torches.

  70. John Savard

    The Legitimate Intent

    Of course, though, this wouldn't stop people from running Linux software with the help of applications such as andLinux. But you would still have to buy a copy of Windows.

    What it would do is lock out boot sector viruses - which, of course, would be a good thing, because it would also lock out low-level anti-virus products.

    Basically, this is indeed a disaster. But something like it would be a good idea. The right way to achieve this would be for the user to have to go into the BIOS screen, and digitally sign his Windows CD, or his Linux CD, or his antivirus product CD, from there to allow it to be installed - so that viruses, not being explicitly authorized by the user for booting from, would have no chance of invading.

    Eliminate viruses not by locking the user out of the machine, but by giving the user more control over the machine!

    Another way to do this: let the user go into the BIOS screen and add new keys - so that it would come with Microsoft's public key, but you could add one from your Linux supplier. (Or you could make a public/private key pair yourself and encrypt the kernel you compiled...)

    So there is a way to make this work and avoid it ending OS competition.

    1. Tom 7

      And it would also lock out

      recovery disks.

      Now that is funny...

    2. Anonymous Coward
      Anonymous Coward

      Locking out boot sector viruses...

      ... doesn't require crypto. All it requires is not giving them access to the boot sector, like, oh, by not running them with admin rights. It's a trick that systems like unix have known for half a century or more. But oh dear that'd require *the user* not to be running with admin rights all the time. And that is something micros~1 cannot bring themselves to make happen. So they "flee forward" and lock the user out of his own computer entirely instead. Why, isn't that bleeding edge technological advancement and industry standard innovation at the same time, I do say.

      1. Charles 9

        Privilege Escalation

        Don't those two words kinda make the whole point moot? Given a Privilege Escalation exploit, all they have to do is run at any level and you're pwned. Just one more hurdle for the malware writer to clear. It's the big hurdle with Windows Vista/Windows 7 now--getting past their version of the Admin guard: the Universal Access Control. AFAIK, no one's been able to get past UAC directly from userland on 64-bit Win7 yet.

  71. Paul Stimpson

    Apple have messed with their firmware for a long time to prevent stuff they don't like running. With them, however, it's old versions of their own OS that are the enemy. Every time a new version of OS-X comes out a few months later boxes leaving the factory come with new firmware that won't let you install any OS-X older than the current version.The first Macs that will only run Lion and higher have just been spotted in the wild.

    I'm a certified engineer for the Avid professional video editing platform. Avid is engineered and tested to provide guaranteed performance and due to the level of testing, Lion isn't a certified platform to run it on yet. Not-certified = no support from Avid if it doesn't work. This is a royal pain in the arse for the Avid channel as there's at least a month every time a new OS-X appears when it's not possible to buy hardware that can be used for a certified install until Avid's testing program and any bug fixes catch up.

    So far, I've not found a competent Windows PE environment that MS roll (all our PE discs are from 3rd parties [thanks BART] so won't be signed). We use PE and Linux discs extensively in preparation, imaging and fault finding/disaster recovery of machines. To lose those would be a real blow to us. I assume this would also mean it wouldn't be possible to slipstream drivers into older Windows CDs any more (like I've done to help my friends upgrade from Vista to XP) when the XP CD suffered some fatal exception, like not being able to see the HDD controller or drives.

    I don't think MS are that worried about people like me running Linux on premium hardware. What I think they would like is to make it difficult for the Linux community to install it on ordinary people's budget machines and thus slow down its spread. We've already seen this kind of behaviour with Windows Vista and 7 putting the immovable MFT right at the end of the boot drive so Windows can't shrink the boot partition to create a dual boot and if a 3rd party tool is used Windows becomes unbootable and needs repair

    Another possibility is that this is politics in the mould of Britain's New Labour: They suggest something so bad that everybody is up in arms then they offer a "compromise" (read "what they really wanted to do in the first place but would have been unpopular.") People are so relieved the first proposal has gone they swallow the new one without a big fight and the proposer gets what they really wanted. If this is the case, what are they really up to?

  72. Richard Dudley

    Smart as he undoubtedly is, The Professor is failing to see the bigger picture. The future is not PCs and x86, its ARM and Linux/Android. So let M$ get on with hastening their own demise by further restricting the PC platform. Encourage them to do so even. The ecosystem will always come up with the goods eventually, the sooner people kick the Windoze/x86 habit and go cold turkey the sooner we can all embrace the more egalitarian digital future.

  73. Peter Mc Aulay
    FAIL

    Even if this flies...

    It's not a problem, I'll just wait for someone to either leak the keys or crack the firmware. Or my next mainboard will be made in China. (Again.)

  74. spicysomtam

    Users are getting tired of Microsoft 'controls'

    I have heard umteen people say to me they are fed up with all the controls in MS Windows and prefer Linux now. Even unexperienced users who know little about computers prefer Linux. Why? Simple: no constant nags and prompts.

    Do I dare say now, its easier to use Linux than Windows?

  75. Anonymous Coward
    Paris Hilton

    Motherboards...

    I thought they were all made in China anyway. My current one is 3 1/2 years old and I have no intention of changing it yet. And yes I run Linux on it., plus XP on another disk in the same machine.

    There will be plenty of people in other countries who would not want this to happen, they would not be able to use their 'unofficial' copies of Windows on new hardware. And would not want to upgrade either.

    I am interested to see where this will go, if anywhere. It certainly does look like an attempt to stop other OS's running on X86_(32/64) hardware in a bid to kill competition. That is how it looks but maybe that is not their intention. Come on M$ let's hear from you.

    Paris - because.

  76. ziggyfish

    Question I have to ask is what about Desktop virtualisation

    I mean, considering that a lot of companies are going to desktop virtualization. How is this going to work when the operating system isn't even guaranteed to be on the system when it first boots?

  77. Anonymous Coward
    Anonymous Coward

    Hmmm

    I may have missed this, but if the myriad Linux and FreeBSD kernel developers can't boot experimental kernels without creating signed kernels then either creating signed kernels will be so easy that there will be no point or all those millions of Linux servers will be looking around for a different architecture.

    There might be some mileage in having a machine that can be configured to boot only a trusted kernel, but any machine that lands on my desk had better be able to boot my kernel or its going straight back to be fixed.

This topic is closed for new posts.

Other stories you might like