Slashdot Mirror
Dual Boot Not Trusted, Rejected By Vista SP1
Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system.
The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."
What happens on systems without a TPM?
If I read TFA correctly, you need to have been using your TPM to experience this problem?
It's possible to use the Vista bootloader to chainload GRUB rather than the other way around (which is the default for most Linux installs.)
Yes, it's a pain to set up, but so is any dual-boot setup.
I've upped my standards, so up yours.
Does one of the more popular Vista cracks not rely on booting Grub4Dos to load a bit of code to patch the kernel after boot?
I am thinking this will be affect the crack.
Before anyone says it, no, I am not running a pirate version of Vista, so I cannot check. In fact... not running any version of Vista, joy!
Has anyone tried this with Boot Camp? I had no problems with Mac OS X and FileVault dual-booting with either XP SP2 or Vista base.
In which case you can no longer trust linux.
Good thing I'm running Mojave and not Vista.
MABASPLOOM!
So... yeah. Anyone technical enough to change their bootloader should know how to put it back temporarily so it can get updated.
If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L.
I thought that was the entire point of BitLocker - don't unlock things unless you know that you're not running on top of some evil VM.
And no TPM in the laptop.
That's the whole point of the problem, TPM has begun causing issues. You don't have TPM, so you are not affected.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
If you are using BitLocker then you want your data to be secure. There are probably ways that a compromised boot loader can allow an attacker access to your data. Vista closes this security hole by requiring the boot loader to be a cryptographically signed binary that it trusts. If it didn't, this story would instead be "Vista BitLocker encryption not secure on dual boot systems".
That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.
Are so few people dual booting Vista and Linux that this story hasn't hit Slashdot until now? Is it even still applicable?
Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
Comment removed based on user account deletion
Is there really any need to choose between operating systems at boot time on a single box any more?
Let me rephrase that question:
If there wasn't a need for multi-boot systems, why do so many of us have that arrangement? My answer might be special hardware not supported by virtualization, like TV capture cards... In addition, there IS a performance hit using virtualization; loading each OS on their lonesome allows for maximum resource availability.
That, of course, is my humble opinion.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
pick one:
http://acronyms.tfd.com/sol
Math is beautiful... e^(pi*i)+1=0
do you have Vista Enterprise or Ultimate on you laptop? if not, then your fine. it only affects BL capable systems.
It also says:
if you are not running the Microsoft-approved Microsoft-trusted boot loader
Unless you're some oddball that decided to install another boot loader over Vista's, I think it's a fair bet you're not running a non-trusted boot loader.
I'll admit, the summary isn't exactly unambiguous. But the first line of TFA being Are you currently running Windows and Linux in a dual-boot setup? is a pretty strong hint.
This *may* be a corner case as most TPM's were shipped in the disabled state back when XP was still shipping.
Instead, how about testing the open source BIOS stack? Most of you have an unused box of recent vintage and I'm sure the projects can use the feedback.
FYI: An open sourced bios is an Achilles heel for Microsoft. Mobo OEM's will **jump** on a Free bios because it saves them money and elminating TPM saves them much more money.
Get involved!!
http://www.coreboot.org/Welcome_to_coreboot
http://openbios.info/Welcome_to_OpenBIOS
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
c:\> FDISK /MBR /dev/hda1
Out of Memory
c:\> format c:
Out of Disk Space
c:\> edlin config.sys
File not found
c:\> set PROMPT=$
$ mke2fs
Vista's security chain works as designed and intended, preventing from you to inject an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isnt' a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.
If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.
The ONLY flaw I see in the entire Vista/TPM system is that users don't seem to have a way of manually trusting things they genuinely want to trust. If it hasn't been blessed by MS its not trusted -- that's a fine policy for general users, but if I, as the hardware want to trust a specific bit of code (e.g. the linux boot loader) then I should be able to manually sign it somehow, and add my personal key to my personal install of Vista. And then the grub bootloader I signed will be trusted on my (and only my) PC.
All the 'chatter on the internets' is currently centered around how to disable UAC, how to disable driver signing, how to go back to running windows as insecurely as possible. i would prefer to see the discussion take a more intelligent direction -- how to obtain keys/certificates, how to add them to Vista's chain of trust on a per PC or per domain basis, and how how sign code with them.
Signed drivers are a FANTASTIC idea. not being able to sign drivers myself for my own hardware is EVIL. But MS --does-- have programs in place to let you sign code with 'development drivers' which are designed to only be valid on your PC... its just that most of the discussion surround the issue is how to disable it, and how evil MS for deciding what is blessed and what is not.
I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and excercise all the freedoms intended by the gpl.
Does anyone else remember when Quicken a few years ago would overwrite the MBR or something like that, and break dual-boot systems?
What would that do in this case? Brick windows until reinstall?
I thought it was bad of Microsoft to intentionally not read Mac floppy disks. I feel the dual-boot issues (minus BitLocker security issues in this specific case) with windows and linux (or any other OS) are just another example of that same mentality: Make it difficult to work with other systems, to try and keep people locked into the MS trash can for as long as possible.
Don't steal. The government hates competition.
Native hardware support. You can't use specialized hardware (like tuner cards, but there are others). In particular, you can't use 3D acceleration at all unless you fork over for VMWare, and at that it's nowhere near perfect.
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
I won't use it. I just bought a laptop on Ebay, brand new, out of box, that came with the Home edition, great bargain at $421. First thing I did with it was actually start it up and say "No" on the AUP acceptance page. I immediately powered it off, put in my trust Ubuntu Hardy 64-bit install cd, wiped the disk, and installed a real operating system that will stay the fuck out of my way.
Sorry, Microsoft, but I'd call this Epic Fail. Trusted computing causes me to lose control of *my* computer. Problem is, Microsoft don't understand the definition of computer ownership.
Linux with ntfs-3g has been supporting full read/write on ntfs for some time, and works out of the box on my ubuntu hardy machine anyways.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
come a long, long way from the dos, WFW, and 95 days, when you had control of your own computer.
which is why I'm not depending on them any more.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Actually most linux distros can read/write ntfs now
"if you are not running the Microsoft-approved Microsoft-trusted boot loader .. The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive"
It's not as if this was designed behavour. But what does the Microsoft Linux Lab have to say on the subject, do they have a workround?
davecb5620@gmail.com
Two words: filesystem support.
Boot up Linux and all the stuff on your NTFS partition is read-only.
What? You know, Linux has had full NTFS Read/Write support for a while now, see :
http://www.linux-ntfs.org/
Also, ever heard about WUBI ?
jdb2
Just wipe out my Windows partition! Like I'm going to put up with this crap.
...if Microsoft Vista SP1 deems my dual booting system not bootable anymore, then I finally have a reason to boot Microsoft off this dual booting machine. Here's the other boot Linux...wear it proudly.
Your solution to dual-booting is..."get 2 computers"?
Not to mention it's fairly easy to get Windows to read ext2/3 partitions with the extfs driver.
Beware : the new Intel ICH10R has an integrated TPM.
Hardware is cheap, so build more than one box for specialized tasks.
For a lot of people, it's not. My computer was both my computer and my TV for about 4 years as an undergrad. (And guess what: when I replaced the TV tuner about halfway through, I got one that still doesn't have Linux drivers!) Even if I had the money, the reason I didn't have a TV was space.
Maybe a better question is "why not?" You could very easily not have need for separate boxes, and if you don't, why spend more money than you have to just so you can create additional waste when you get rid of them?
I mean, this is the shift from the paradigm that the OS would mind its own business. Now the OS is snooping into the MBR for some "security consideration". In a near future it will snoop into your facial expression, your wallet and ultimately into your mind. Gaaaahh!! *flees in terror*
I hope this will encourage people to stop using Windows for good and use manyfold-boot systems running Cedega, Fedora, Ubuntu, Slackware and so on. ;-)
Send your spendthrift head of state this
Unless you're some oddball that decided to install another boot loader over Vista's
That depends on which part of the boot loader you're talking about. There are a great many of us who have overwritten the Microsoft MBR in a dual boot fashion. since all it really does is pass control to the partition boot sector, overwriting it is not strange in the least. Now if you were talking about people using an alternate style system volume to boot Windows, that would be oddball indeed.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
loading each OS on their lonesome allows for maximum resource availability
Especially important on a resource starved system. I've got maybe 512MB of RAM, pretty much the bare minimum for VirtualBox and Vmware player. The VM will probably crash before I can do anything useful with it.
open source modern art: laser taggi
This is by design. If you are into the secure boot stuff you'll know why.
This is not about DRM and such (but may be) but about *your* data encrypted by BitLocker (the DRM is about protecting *somebody else's* data from you - that is why it is flawed concept).
Right now there are some kinds of attacks that let you compromise the entire system right from boot (using other than approved bootloader and unsecure boot proces) puting it into hypervisor and thus being able to retrive keys and such directly from memory.
In fact I don't see any other option as to control entire boot proces. And if you wish to control it you need to use tools that support it.
So in fact it is not a Bad Thing. It could be a bad thing if you are casual-security user - but this 'casual security' is not so secure isn't it?
I bet BitLocker documentation covers that. But why bother checking? It is better to set the "secure" option to "on" and dumbly belive it.
I dual-boot between Vista and GNU/Linux.
Just use EasyBCD to configure Vista's bootloader to add an entry.
I personally just use Virtual PC. That way, when I need to make the occasional use of Linux, I just fire up the VPC and do my thing in a window on the desktop. I'm sure there's something similar that can run Windows on an X desktop, or on a Mac.
Microsoft cheerleader, blue flag waving, you got a problem with that?
...dual boot Vista Ultimate 32-bit/OpenSUSE dev box at the office, I've got SP1 installed and haven't had to touch my bootloader (which works just fine by the way) and Vista works fine as well (in other words it works the same as before ;)...) I thought I was missing something so I read the actual article and it claims (unless I did miss something) that the problem occurs whether you use Bitlocker or not.
Loading...
My Intel Core Duo Mac Mini has no problem dual booting.
Why would I want to wait half a minute for it to boot to Windows Vista and then run twice as slow anyway?
-- Tigger warning: This post may contain tiggers! --
I'm running Vista Ultimate 64bit with GRUB for Ubuntu, but BitLocker is turned off. No problems here thankfully.
It seems that the best option to triple boot Vista/XP and Ubuntu was, in fact, Vista's own boot loader. Xp's couldn't do it and Grub simply passed it over to windows boot loader.
I have Vista Ultimate and SPI with FreeBSD 7.0 release as a dual boot and I have no problems. It a relatively new laptop. I use FreeBSD's bootloader which indicates Vista as "?."
Hardware is cheap, so build more than one box for specialized tasks.
"Cheap" is very relative. If we go by what I consider cheap, I'll say that people would rather dual-boot than build a second box using garbage hardware. For myself, building the second box just never happens because there's always more upgrades that need to be done to my primary box that take up the extra funds available for system upgrades. If your secondary box for "specialized tasks" can do with hardware that's 2-3 years old, sure then you just use old hardware from the main box after you upgrade. I think it's pretty safe to assume though that for those people dual-booting, this is not the case.
Then there's also the issues of where to put the second box, getting all the peripherals for the second box (or shelling out still more money for a not-cheap KVM switch that reliably works every time), etc. etc.
In the end it's pretty easy to see why people just dual-boot.
There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
You have Vista. You don't need any other operating system. We are helping you.
You never expect irony, do you?
Want to be a professional wrestler? Visit www.iyfwrestling.com
@iyfwrestling
Is that the whole security premise of "trusted bootchain" is wrong.
Granted, that's one way of infecting a machine. But we haven't seen BIOS bootsector-type viruses since the 80's. Why would you write a bootsector virus when you can just crack the host OS?
Vista is huge, and having a secure bootchain won't change the fact that it's probably riddled with security holes anyway. Someone able to reverse engineer the checksumming code can simply modify the checksummer so that the bootchain always passes validation. What is to stop virus running with administrative user priveledges from modifying this key system binary (probably a DLL, at that!) under the auspices of a "system update"?
So what you get is an OS which can be modified to report that it is secure, when in fact it is not. This is the whole problem with the "trusted computing" initiative - others - presumably media companies - are trusting your machine to tell them that it is secure. It's a broken security model from the outset - who's to say you aren't running Windows in a virtual machine? - and only inconveniences the users.
The society for a thought-free internet welcomes you.
I think you left something out of that sentence. Microsoft can resume implementing Trusted Computing and you can still not be S.O.L. It's really easy. Just don't run Windows.
"Believe me!" -- Donald Trump
right now, im running windows vista sp1 ultimate and gentoo 2008.0, booting via grub (chainloader for vista) and it works perfectly well...
why hasnt the information in this article been checked for that thing called... the truth?
portfolio
You can access linux partitions fairly easily. If the partition is ext3 or ext2 you can use it by downloading "Ext2 Installable File System for Windows". http://www.fs-driver.org/
Never Smoke A Banana.
oddball? This affects chain bootloading, which is used in practically every dual-boot windows/linux system I've seen.
upon the advice of my lawyer, i have no sig at this time
Sometimes, just sometimes, I wish I didn't have to elaborate every time I leave out something obvious.
The article specifically talks about dual booting Linux and Windows as the issue at hand. The poster stated he's running XP + Vista.
I was pretty much telling him to RTFA or at the very least the summary before throwing himself at the keyboard. I *know* there are tons of reasons to have a different MBR, but that wasn't the point.
Linux Can read an write NTFS.
And there is an open source ext2 driver for Windows, used it long ago probably supports journaling now (ext3).
Oh come now, Trusted Computing is as good as Play for Sure. *scratches his head* Oh that's right, Microsoft was getting rid of that because it was crap, but didn't because they didn't want to completely screw their customers.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
can the TPM chip be "managed" with say, a wirecutters or an xacto knife?
I work for the Department of Redundancy Department.
Read. Think. *Then* reply.
Which two operating systems did the one I replied to state he was running?
Sorry if I'm coming across as acerbic. This just happens all the freakin time. People don't *read*, they just reply. It's like sending a detailed mail to some support department, and getting back a reply based on the single first sentence of that mail. It can be infuriating.
Early versions/prototypes probably, but for a while now, they have been included directly in the CPU die.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Most machines allow you to disable the TPM chip in the BIOS. In fact, the better ones have it disabled by default.
Apples intel macs have always had a TPM chip installed on them to prevent people from redistributing the OS X operating system (we all know how well that worked).
However, other than Macs, there aren't very many computers out there (to my knowledge) that have the TPM chip, so to me this appears to be a way that M$ can keep people from installing Windows on a Mac.
If you are running BitLocker, [...], then you are S.O.L.
You (presumably) can't run BitLocker with a third-party boot loader in the first place, so that situation simply doesn't apply.
As for needing to restore the Vista boot-loader before installing the service pack, I'm not sure what else the service pack could do without introducing unpleasant complications. For example, if it just ignored the third-party boot loader, what would happen if the user later restored the now out-of-date Vista Gold boot-loader? (I don't know, but I'd prefer not to have to find out!)
Boot up Linux and all the stuff on your NTFS partition is read-only. The situation gets even worse when you boot Windows because that can't even see the stuff on your Linux partition. It's like having two seperate computers and no easy way to share data between them.
Not true; there are plenty of ways to read your Linux files from within Windows. For example: http://ext2fsd.sourceforge.net/.
Our lab technicians were upgrading vISTA PC's to use the department's standard linux build. For whatever reason, the BIOS wouldn't allow the LINUX install DVD to BOOT. So they had to remove the hard disk drives out of the PC's with built-in TRUSTED SECURITY BIOS'S, pop them into an older untrusted XP system, and then install the linux build and put the hard disk drive pack in again. IT's a pain, but if OS vendors are going to install security measures without consulting their users, this is what is going to happen. Everyone is going to think of ways of getting around these "security measures".
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Some people might take 2 or three days to go all Linux but games. Assuming it can convert everyone overnight is a bit overoptimitic :)
Incidentally, it seems to me the real underlying issue here is in the existence of a MBR in the first place. The PC BIOS should understand hard disk partitions and boot directly from the appropriate partition.
Looked at this way, this issue is just one of many resulting from the world hanging on so desperately to a hardware platform standard nearly 27 years old!
(Of course, enabling TPM-controlled booting could and arguably should have changed this behaviour, so in that respect you can legitimately blame TPM.)
countless things can go wrong, most modern bioses let you swap boot devices with a single keypress, and dual booting to 2 hard drives lets you avoid bootloader headaches, as well as allows you to completely format either drive, with a HD eraser like darik's boot and nuke, without affecting the other drive, simply by pulling the cable to that drive...
i've never liked trying to get multiple oses to play nice with multi-boot, single drive configurations... and so i never install it that way.
https://www.gnu.org/philosophy/free-sw.html
Never name a piece of spacegoing hardware anything that rhymes with "trouble".
Also, never trust any technology that rhymes with "busted".
The higher the technology, the sharper that two-edged sword.
At last a software design from Microsoft with what i can fully agree. If you have something already installed and running from any other company, the unsafe action would be to install Vista, And if whatever you have installed is from Microsoft, better that it dont run even, or you would be even unsafer than with vista. In either case, refusing to install is the right and more security-minded choice.
Software like Vista Ultimate with BitLocker is aimed at the corporate environment. If I'm a network admin, I don't want some jack hole dual-booting anything on my network. He doesn't need a Linux partition on his workstation. I might want laptops with TPM and BitLocker for the sales staff so that when they get drunk and lose their laptops with the customer list on it, I can rest relatively soundly knowing that the data is secure.
It is obvious that Microsoft does not care about the individual end user who wants complete control over their computer. That is okay with me. Maybe I've been drinking too much of the Kool Aid but I'm happy with HP hardware running a Microsoft OS. I like the fact that they make it a complete PITA for the end user to do anything to their workstation. It makes my job easier. 95% of the corporate computing world can get by with an office suite, a web browser and access to a couple of custom apps (financial, inventory, manufacturing, and what not). They don't need to be playing stolen mp3s that they got from Pirate Bay, watching DVDs on their lunch breaks, or dual-booting their damn desktops.
Where are all the gripes about how Server 2003 sucks? How about the gripes about IIS6 getting owned all over the place? They aren't there because Microsoft is focusing their attention where they need to focus it... on the administrators responsible for hundreds and thousands of workstations and servers. Does anyone really think that the folks at Microsoft stay up late at night wringing their hands over corporation versions of their workstation software not dual-booting a third party OS? Seriously guys... what portion of the Vista Ultimate/Enterprise user base do you think is negatively impacted by the change? 1%? 3%? I'm not talking about the developers who need ten thousand OSes on their machines "for development purposes." I'm talking about the cubicle drones who work 8-5 running a couple of applications.
I got tired of dealing with the MBR issues with dual booting. Ever since I went to two separate hard drives I've been much happier.
laptop owners.
Is there an option for "start working?"
Help stamp out iliturcy.
I have a laptop with a TPM that has never been used. It dual-boots WinXP and Linux, thank you very much.
I keep hearing about this TPM thing, and how it isn't necessarily evil, depending on who owns the keys to the kingdom. Accordingly, I have built the Linux TPM kernel support and installed Trousers, though I've never gotten around to using any of it. I keep thinking that some time when I have spare time, I'm going to be the first to own TPM chip, so that I will be the owner, and nobody else can grab it from me. Therefore, if it stays under MY control, I can keep it from being used for evil.
Has anyone else done much with TPM/Trousers under Linux?
Has anyone else done this, then tried to install Vista? (Bitlocker, in particular.)
The living have better things to do than to continue hating the dead.
One more reason not to use Vista...
*It's not what you can do for the Dark Side but what the Dark Side can do for you!*
I can find no way to get my application X added to a trust chain and thereby be trusted and usable. If Microsoft has a trust chain, then since they are a monopoly they should be required to accept trust requests and add them if they meet valid requirements for trust.
In other words the GRUB developers should be able to get a trust certificate so that windows boot loader accepts it as trusted, but I can't find out how to even get one.
the following other items that will not, or currently have not been supported by Vista:
fair and secure computing
HD video and audio without 100% cpu usage
copying files without a cryptic workaround
negative market reception
fair pricing
interoperability with usb flash drives
ballmer and others desperately trying to pedal this company away from a
yawning abyss of failure through obscenely subversive
products that users secretly do not own, but rent for a limited and undisclosed amount of time.
vista will, however,still support:
visa, mastercard, discover, cash, and forced acceptance through automatic bundling
with your new PC through a glorified scheme of backscratching and price-fixing.
hope you like clippy.
Good people go to bed earlier.
So sayeth the tao of slashdot.
How many Vista Enterprise or Ultimate users really dual boot? Since this article is dated four months ago and this is the first we're hearing about it, I'm guessing not many.
Everyone detoured. Underrated Gives Karma: True or False?
Vista: The OS that you can't trust to run outside a VM.
The good news is, at least ReactOS has finally gotten up to the same level as the last released MS OS.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Vista wouldn't reinstall from OEM discs on my Dell notebook, because I was running GRUB?? That just about gold-plates my hunch. Now, Vista won't run on ANY computer I own because Ubuntu 8.04 is my operating system of choice. It simply does not pay to trust an OS whose future operation is subject to policy whims and random paranoid vagaries by a third party, in this case, Microsoft. I would be happy to join any class action lawsuit that result from this disclosure, but no inducement is sufficient to make me trust Vista again.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
I have a dual-boot setup with Ubuntu 8.04 and Vista Ultimate. Linux was loaded first then Vista with the bootloader replaced with EasyBCD v1.72 from NeoSmart. Service Pack 1 installed w/o any problems at all.
What the hell? I'm typing this on Ubuntu which dual-boots quite happily with Vista SP1.
"It doesn't cost enough, and it makes too much sense."
They play blissfully ignorant right up to enraged when they realize that their datas inaccessible and their isn't a damn good reason for it. Just because the lunatic fringe happens to be more versed in the issue doesn't mean the average person doesn't know right from wrong.
Quack, quack.
Don't use Vista.
Oh Crap, I'm an optimist.....
Why work around them, when you just can stop using it ?
New things are always on the horizon
I once soldered together a system using a (keyed) switch with enough contacts to allow me to effectively swap the master and slave jumpers on two hard drives. (The key part helps because you'd only want to do it when the system was powered off!) But the end result is dual booting between two dedicated hard disks, that aught to stump vista!
If you don't risk failure you don't risk success.
I multi-boot with several 64-bit Linux distros and 64-bit Ultimate Vista on a Dell Vostro 400 I bought back in February (does this have the TPM stuff?). Grub is installed on the MBR and I don't have BitLocker enabled in Vista (why would I - can't read the disks in Linux if I did!). I installed Vista SP1 when it came out and had absolutely no problems (I may have had to re-install GRUB on the MBR, but I do that so often that I consider it no big deal). So am I the odd one out?
It is time to take note that Red Hat, SuSe and Ubuntu are still using legacy GRUB since the new GRUB 2 does not seem to be ready for prime time.
Legacy GRUB is not being developed any longer, even patches are not accepted. The project had no developers working on it for the past 3-4 years. The major distros have just forked it without saying so. And it is a company fork, each distro has its own conconction.
QUOTE: GRUB Legacy has become unmaintainable, due to messy code and design failures. :UNQUOTE
Who said that? Not Microsoft, check here: http://www.gnu.org/software/grub/grub-2-faq.en.html
There is nothing more secure then a Vista computer which will not boot, so I'm all for it!
I've tried to install SP1 on my dual-boot system twice (FreeBSD/amd64). It did not work and the stupid thing even does not tell me WHY. Worse is, the windows update mechanism will try to install the SP1 again and again, so the only plausible solution is to switch the automatic updates off.
(Well, whatever. Vista is just for gaming.)
I'm running a dual boot of Ubuntu 8.04 and Vista Home Premium, and have zero problems running the GRUB boot loader. I'm not sure as to exactly what problem I'm supposed to have, but my Vista side is fully updated, including SP1, and there are no conflicts. Just my two cents worth...
Stone
...that "good enough for government work" used to mean that the work was really good. Kinda funny if it's true.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
This is one desktop? Motherboard has TPM or not? My guess is TPM is alive regardless of the BIOS enable/disable option.
I guess a few more former Microsoft customers will switch, but most will put up with their abuse and this won't end up on anyone's anti-trust radar.
The good news is Vista still requires a great deal of hand-holding. I don't have to worry about running out of desktop support work. **Far** less interesting than high-availability support though.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Funny, Overrated(grr!) and Underrated(useless) do not affect karma. Insightful, Informative and Interesting increase karma. Flamebait and Troll decrease karma.
Now since we're having a karma circle-jerk, mod me Informative so I can have a karmagasm before I lose my karmarection!
"When information is power, privacy is freedom" - Jah-Wren Ryel
Boot only to (any OS provided by an organization or company that DOESNT try to illegally leverage its near-monopoly position to prevent anything else from existing), and leave Microshit Shista out.
I'm failing to see why this is a big deal. Software is in place to check for a piece of third party code intercepting your encryption key... It successfully detects GRUB as such software, and stops. So what?
This is a flaw of the trusted computing architecture. If the partition of the trusted OS (Vista) is encrypted, Multiboot does not break trust, because the other OS cannot decrypt the partition. But in trusted computing, if an untrusted bootloader loads a trusted OS the chain of trust is broken.
If trusted computing were designed with the user's interest in mind, the user would be able to decide that the bootloader he is using (grub) is trusted, sign it with a key which enables that bootloader only on his computer, and get on with his life. But now we have to wait for Microsoft to implement and sign a real bootloader... good luck with that.
However exciting this issue is, my problem is the bigger - that it will simply be the tip of the iceberg. The reality is that within a few years it will be very difficult indeed to buy a computer, and control what, why and for whom it acts without being an uber-nerd. Call it trusted computing, DRM, but big business wants to know, and control everything you can do: the games, music & video industries are all onto this, quite apart from the facebook + partners link-up reported on this site a few weeks ago. Only LinuxBios can save us! :p
It seems that the problem occurs only on systems with TPM chips. Yours is probably without one. My desktop also runs Vista Ultimate SP1, and it's multiple-boot (XP/Vista/Debian/FreeBSD) without any trouble.
Some people might want to dual boot on a laptop with a single internal hard drive. Another possibility is that someone only uses one hard drive for different reasons. Either he/she only owns one drive for the computer or has a case that is too small to accomodate for more than one drive comfortably.
Add KeyboardSpy to chain of trust ?
[ Yes ] [ No ]
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
No, it's not. It shouldn't prevent me from doing anything on my machine.
Correct. It shouldn't prevent you from doing anything on your machine. But it should take steps to ensure that you actually are doing things.
It should prevent other people from doing it behind my back.
And how is the OS supposed to know the difference? How does it know that you installed grub, and that it wasn't installed behind your back? How does it know that the grub installed hasn't been modified or tampered with? How does it know grub isn't a rootkit?
Taking the control of the computer's private key away from the user is not the only solution to this technical problem. Another one would be to have an option in the bios (which requires physical access and a password) to have the TPM sign a bootloader if I want to. I'm not saying this is the optimal solution, I'm sure there are better ones that could have been designed if the goal were really the user's security.
Vista's digital signatures requirements and checks -does- protect you from that sort of tampering. Its a good thing.
The only flaw, as I said in my post, is that vista doesn't give us a well defined method of trusting code that it doesn't trust by default.
I agree 100%. Except in my opinion this flaw is fundamental enough to make the entire feature harmful rather than useful.
The problem with Vista is that the process of 'signing' a copy of grub and getting Vista to trust it is not an established and well documented procedure, if it is even possible.
However, given that you can develop windows device drivers and test driver signing etc, and you can create 'developer signatures' that will apply to just your machine(s), there apparently **IS** a process for doing it.
So rather than disable Vista's driver signing and so forth, we should be signing GRUB so Vista knows that we trust it.
That would be nice, but Vista does not allow it. From some quick googling, this site came up:
http://msdn.microsoft.com/en-us/library/aa906239.aspx
Where it says:
For development and testing purposes only, kernel-mode code signing enforcement can be temporarily disabled. For more information, see Installing an Unsigned Driver During Development and Test (Windows Server 2008 and Windows Vista).
For general information about how to sign a Windows Server 2008 or Windows Vista driver for public release, see Signing Drivers For Public Release (Windows Server 2008 and Windows Vista).
Which means you can disable signing for development purposes. You cannot sign something for your local machine only. So we can either disable the signing feature, or let microsoft decide for us what we trust. The better option is to disable it, which adds exactly 0 to our security... and this option doesn't even seem to be available for bootloaders, which is what this thread is about.