Slashdot Mirror
How Microsoft Can Lock Linux Off Windows 8 PCs
Julie188 writes "Windows 8 PCs will use the next-generation booting specification known as Unified Extensible Firmware Interface (UEFI). In fact, Windows 8 logo devices will be required to use the secure boot portion of the new spec. Secure UEFI is intended to thwart rootkit infections by using PKI authentication before allowing executables or drivers to be loaded onto the device. Problem is, unless the device manufacturer gives a key to the device owner, it can also be used to keep the PC's owner from wiping out the current OS and installing another option, such as Linux."
So it isn't really Microsoft that can lock you out, it's device manufacturer. Likewise they could lock you out of Windows if Linux was the OS that came with computer. Why don't we see a headline like "How Linux Can Lock Windows Off PCs"? Oh right, this is slashdot. We're here to bash Microsoft.
Boot rootkits are a real problem. Microsoft is improving security here. In fact, Linux has had the capability to use (U)EFI for years. Now Microsoft is just making it default in their system, because quite frankly most people aren't that intelligent with computers and the OS needs to decide some security for them. It's funny how in other news Microsoft gets bashed for bad security, and then in other news they get bashed for implementing those security features.
If you don't get the key when buying your computer, complain to your manufacturer. It's their fault. I don't know why you're buying a computer with Windows to begin with if you're going to install Linux anyway, you're just throwing away money. And nowadays there's lots of computers available without Windows, or you can just build it yourself.
As long as the upgrade is signed, why would that be a problem? This is like tivoization for PCs, they can upgrade but nobody else can modify it.
Live today, because you never know what tomorrow brings
In my opinion neither the title nor the article are overly sensational as claimed by you. While it is technically true that the device vendor does the lock out, this is nothing more than a smoke grenade tampering with the truth.
The fact is that Microsoft will require the manufacturers to support this technology if they want to sell devices on which windows will run. Even more the fact is, that this means that they will have to include keys by Microsoft which will prevent the device from running unsigned code like Linux.
And while it is still a rumor it can probably be taken as a fact that disabling this feature (if made possible by the manufacturers) will likely cause Windows to not start because this is what malicious software would do as well and allowing this would circumvent the security improvement.
So cut the crap. Yes, it will be the device manufacturers who will effectively bring this restriction into life. But it will be Microsoft who forces them to do so.
SUEFI can be set to lock out everything but a given set of trusted hashes(which would indeed preclude any updates of the existing OS) or it can verify the signature of something against a set of trusted keys before loading it.
Outside of a few embedded applications, I'd assume that the latter would be the one that sees more general-purpose-computer use. OSes get patched and updated all the time; but so long as the vendor signs the update the way they signed version n-1, everything will just work...
Trusted Boot prevents the use of alternative boot disks. It is controlled from chips soldered onto the motherboard and PKI keys.
No key, no boot. Replacing drives or using external drives does not help. There is no "BIOS Reset" option and you can't short jumpers to clear it.
Google uses it on the CR-48 Chromebooks, but also includes a little switch under the battery to turn it off. With it turned on, the system boots only Google-signed images and nothing else. Period.
Learning HOW to think is more important than learning WHAT to think.
Because it is anti-competitive. Unless the device manufacturers want their PCs and mainboards to be barred from being sold in the EU, they better find a way to make Linux installation possible.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
From one of TFAs
This reminds me of the way keys are used to protect DVDs and we all remember what happened.
Ten years ago, "Trusted Computing", or whatever it was, was sort of news. And it was not unexpected back then either.
But PKI isn't going to be enough, really. They're going to have to find some people to make examples of and sic the lawyers on 'em.
Of course, real security, in the form of a physical switch, is too simple, and too easy for the owner to, well, switch.
Wow the masses, cow the masses.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
...to enable or disable this. If you buy a name brand machine, then yes, you might expect it to be locked down, so if that is the case, then the Linux crowd will simply stick to machines they build themselves, or have built for them that are not locked down. Simple solution really.
Microsoft said they're trying to figure out how to allow users to dual-boot. In the //build/ video discussing the new Windows 8 boot process, the presenter said they were trying to figure out how to keep boot secure but still allow users to boot into Windows 7, since Windows 7 doesn't support this.
And if it works for Windows 7, it'll probably work for Linux.
Windows 8 logo devices will be required to use the secure boot portion of the new spec.
Totally not Microsoft's fault!
I'm sure Microsoft will encourage handing out these keys. No way they'd try to hinder distribution of these keys. After all, Microsoft are the good guys and would never do anything bad to hinder competition and increase their market share. Nossir, not Microsoft. They are saints!
MS wants to take advantage of UEFI, which has obvious benefits. Chromebooks work the same way, but we don't read any heated /. articles about it because Google is charmed and MS is "evil".
It is up to the device manufacturers to figure out a way to let the end-user ultimately take control of their own PCs. They could do that Chromebooks style -- a hardware switch -- or by distributing the key in a secure manner, such as mailing it to the owner's registered home address. Consumers who care about this issue should look for this feature in whatever device they purchase. What's all the fuss?
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
Windows will be very hard to pirate properly now.
Why is this great news?
Because now people who can't pirate will switch to Linux instead! :D
systemd is not an init system. It's a GNU replacement.
I'm aware. Does that mean I will have a choice then?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
If trusted boot is used to deny people's right to hardware they lawfully purchased I expect to see attacks of both technical and legal natures succeeding against trusted boot.
it's not a bad idea in general as long as the owner of the device holds the key.
Snowden and Manning are heroes.
I fail to see how this new tech will become a problem. The hardware makers want to sell hardware. Given their already thin margins, it would be stupid of them to agree to limit their boards to any one particular OS.
That said, maybe Dell might try that in the name of security, but that is an end-product seller decision. There will always OTHER makers. You can buy new motherboards from the likes of Intel and Asus, build your own systems.
IF this conspiracy theory did come true, the number of lawsuits and investigations into unfair business practices would drown a the targeted company into oblivion. I guess that is one benefit to be such a litigious country now.
Bearded Dragon
Exactly. We aren't supposed to boot other software on the Wii, XBox360, or Playstation. That doesn't stop us from doing it. In fact, they go through great lengths to ensure it doesn't happen, and it still does. Also, who cares if you can't boot Linux on a "Windows PC" with $25 ARM machines like Raspberry Pi coming out, I don't think we'll have much of a need to using the blessed Windows Logo machines for too long. Something majorly unexpected would have to happen for somebody to not be able to build their own machine and run whichever OS they please on it.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Then they get a device that doesn't require it. It's an OPTIONAL security addition
The article I read claimed that Microsoft might require this lockdown on all machines preloaded with Windows 8. The Network World article cites a Microsoft presentation with a slide stating that UEFI Secure Boot will be "Required for Windows 8 client".
What they want to achieve isn't to prevent you from running another OS (although making this operation painful or impossible is of course a nice side effect to them). They want to inject the end of a chain of trust inside your own machine, so they can control what software you run, what media files you play and so on. An OS installed inside a VM would be outside the chain of trust, and thus would be unable to run the software they want to protect (most likely "apps" from the forthcoming windows market) and to decode the media they want to protect.
The iPad is not Turing complete. A machine that is Turing complete can run programs that calculate things that Apple prohibits programs submitted to the App Store to calculate.
Pardon me as I ramble.
As a guy in the phone support trenches for a certain OEM, I just have trouble seeing this work well for everyone.
I see often enough that businesses will buy a brand new machine with Windows 7 pre-installed, then blow away the OS load to immediately try to install Windows XP.
I have a hard enough time trying to teach these people that they NEED to include the Intel RST driver bundle in their image so that they stop getting STOP: 0x7B on their attempt to install or boot.
I have a hard enough time trying to teach these people that they need to make sure their image is aligned on the new Advanced Format hard drives that are going in some of the smaller form factor machines (usually it's a 2.5" drive), since they want to install XP on the damn thing, then complain a week later that the machine is very slow and almost unusable.
I don't speak to customers too often that aren't running some flavor of Windows, but the few I do run into seem happy when they get someone who understands the issue they've got, and will help them despite this OEM's general policy of not assisting with an OS that the OEM did not ship. These calls are usually large corporations that run Red Hat or SUSE or something else in their corporate environment, and prefer to pay for hardware support from the OEM I work for, just so they can have coverage for all of their users in nearly any country they visit.
Keeping that last bit in mind: An OEM that implements a lockout 'feature' that prevents an operating system other than Windows 8 from being installed had better have a backup plan that keeps businesses happy, or else they've just committed suicide. It's business sales, more so than consumer sales that keep OEMs going, because businesses buy big damn contracts. Piss off the big damn contracts, and you piss off your paycheck.
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
Help me understand... all this does is provide keys and such... does it actually prevent anything from happening? My understanding of the tech is that it simply provides keys that allow the OS to know that it was booted cleanly and from the secure environment and also allows it to tell if the devices it's connecting to are really the devices they say they are and not rogue DLLs. Even if this system is in place, what's to stop Linux (or any other OS) from booting on the device and just ignoring the keys? Does the system itself actually prevent startup?
Can you give a precise definition of "boot time rootkit" that does not include a competing operating system, along with a way for a computer to distinguish between the two? If I boot Linux and then run Windows in VirtualBox, is that a "boot time rootkit"?
MS is thinking of REQUERING any device maker that wants to use the windows logo on their product to secure the boot process so no other system can interfere with it, it is MS making these demands, not the device makers. No device maker cares about what you do with their product but MS cares about people installing another OS on hardware.
And if you think everyone who runs their own software can afford to buy a key from a registar, you are just a dumb fuck Windows user trading security for freedom.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
This is getting ridiculous. First the game consoles are locked down, then the phones, then the tablets and not they are ready to lock down the PCs too. How long did it take open source (Linux) to make headway? It never would have happened if this was in place.
I say, if this goes down, then a big "open sit-in" at Redmond is in order. It would be great, like a OSS conference/protest all wrapped into one. And it would send a a nice message to the rest of industry too!
:T:R:A:N:S:
Oh, for FUCK's sake, will you give it a FUCKING rest with the anti-swearing BULLSHIT. Don't like it? Leave. And spare us the FUCKING WHINING.
"make a good business plan or come up with an idea" right ..... i guess all the 85% of american people, including the ones who graduated from colleges, are morons to not be able to come up with such ideas ... its you, the first person to be ever able to think about that.
....
and the already established players in whatever field are just going to let you come up with your business or idea and topple them, because they are morons too
not.
reality doesnt work like it is told in make-believe econ 101 and econ 102 books.
Read radical news here
in essence, your life is rented to you at birth. Fail a payment and your body is repoed and used for medical spare parts...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Why would you need to find a job? Make a good business plan or come up with an innovative idea, get some financial backing behind it and there's your success. That's what I meant with working hard, not some dead-end McDonalds job.
Oh, I'm sorry, I thought we were talking about reality here. You're right, everyone should just be an entrepreneur, what was I thinking?
There's nothing, absolutely nothing stopping you from trying so.
Well, except for that whole "lack of money" thing. Oh yeah, and a lack of time since you already work 2 full-time jobs just to continue living at a first world level. And the kids, yeah, we'll have our nanny take our kids off our hands for a few weeks while we hammer out a business plan and shop it around to investors (I mean, we all know venture capitalists, amirite?). If we blow off our annual trip to the Caribbean we should have enough to cover the mortgage and car payments for a month while we get our new business off the ground, and once the money from our business starts rolling in (it'll have to, there's no way a business could crash and burn!), we'll be on easy street!
You've been reading too much pro-Capitalism propaganda. It's a game, and the game is rigged...it has been for at least a hundred years.
And that could be a problem. More info:
http://www.itworld.com/it-managementstrategy/205255/windows-8-oem-specs-may-block-linux-booting?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+blogspot%2Fitworldvoices+%28Voices%29
That is true for anything the person has valuable including banking codes. It doesn't mean they should not have access to their bank account.
When Sony did the same thing, they were the one who sued the person who finally cracked it to be able to run whatever he liked, rather than what Sony allowed.
I also dual boot Win7 and Fedora on this Thinkpad and Grub is the one in the MBR. However, I haven't succeeded in getting SP1 to download and install. Until now I just figured, "That's just Windows" and didn't care since I only boot it when I'm doing the 'well does this damned site even work on Win+IE?" test and that doesn't happen often anymore.
But I have been saying for a couple of years that while before Microsoft's future vision was to make the PC into an XBox that it changed recently. Now they are clearly back to chasing Apple's taillights and thus intend to make the PC into an iPhone/iPad. Windows 8 clearly has that goal, from the look, the walled garden, App Store, no Flash and now the chains. And these won't be cool designer chains that the elite can jailbreak anyway, these willl be nasty rusty and you will need shots after handling em. Just wait until the malware gets to take over and Norton won't have the keys to even run. No boot a Linux rescue disk to fix things or even try to save the data. Microsoft Hell(tm). If they could have pulled off this stunt with Vista they would have succeeded, but the OEMs just couldn't ensure delivery of TPMs and the corporate world rebelled at the.idea since Microsoft pushed it as a sop to the content industry to protect 'the precious' so they backed off. That was a mistake on their part, because their moment is past and I don't think they can get away with it now. There are things an 800 pound gorilla can get away with that a 700 pound one can't quite manage and Microsoft is now down just a smidge in monopoly power.
Democrat delenda est
The sad fact is, that microsoft was the great innovator in this space. IBM, who came before them, didn't allow any os but their own to use any hardware they produced, nor did they allow any competition on the hardware side of things. They were like apple's iphone business.
Microsoft is the reason that you can install alternative operating systems in the first place. Everyone else managed to blow themselves up, despite having a really strong opportunity. DR-DOS, Concurrent PC-DOS, CP/M, FreeDOS, PTS-DOS, ROM-DOS, Novell DOS, OpenDOS and I'm not even providing a full list here. Geos, PC/Geos, GeoWorks, MAC/OS, OS/2, Amiga/OS, BeOS, Iris, NextStep, RISC OS, Visi On... Microsoft openly competed with all of them and won, mostly on technical merit. Apple was one of the companies that used the courts to prevent alternative operating systems from becoming possible, and has always been openly hostile to competition. Along with that, Microsoft created the market for hardware innovations (my apologies to any lisp/c64/... machine addicts, but ... even you know what I man). You should give them credit for that, even if that credit mostly belongs to Bill Gates, and little claim can be laid to it by the current microsoft crew.
Microsoft is the canonical example of a company that faced lots and lots of competition and won mostly on technical merits.
Besides, I'm kinda starting to hate this anti-microsoft bashing. It's been years since I've used any form of windows on my own machines, or at work. There is no anti-competition behavior microsoft might be doing of that apple isn't doing 10x worse. Compatibility with iWork ? Just try it. Yet apple is not just forgiven for being anti-freedom, but actually revered for it. "A curated experience is better" and so on. And on apple machines, you really can't install the software you want, because there are actual, technical control measures in place that actually try to prevent it.
In this case, people are afraid of what microsoft *might* at some point, try to do. Great. Microsoft, today, isn't the problem. Apple is the big enemy of software freedom today. Microsoft is mostly becoming less free by imitating apple.
So please, let's shelve this discussion until apple has been broken up into a hardware business entirely separate from the software business. Including on the iPhone front.
Yes, cheap hardware will be locked down and your only options will be $5K-$10K workstations and servers.
That's exactly what they want: to push open computing outside the affordable range and outside the reach of most people. Thus they can keep people trapped in the Windows monopoly.
Stopping dual boot or changing the OS by users would stop the market penetration by Linux. Maybe the knowledgeable Linux crowd might build their own computers but this is beyond the capacity of probably 99% of computer users. Market penetration by a competing OS would be stopped cold which is what MS wants. They want to stop the downward slide of Windows. Yes, Linux has a very small share of the OS market, but what about some new and different OS that is developed in the future. This would stop them from even starting. It's not just about Linux.
But is it a case of explicitly locking you out, or a case of linux simply not having support for the hardware yet?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Yes, you'll have the choice to stay in the technological stone age.
Actually, the way I see it, if you build your own, you will certainly have a choice; how can someone selling you a motherboard not give you the "key" to install whatever OS you want?
It's companies like DELL I would be worried about - I'm sure they'd be happy as clams to lock you into the OS they put on the computer when they sold it to you.
In the words of the Farnsworths:
Prof. Farnsworth: Oh God! I clicked without reading!
Cubert: And I slightly modified something I own!
Prof. Farnsworth: We're monsters!
Stupid sexy Flanders.
I must say you are not getting the way of the future here. There won't be any machines you can build yourself. The best and newest mobos will not support anything but Windows. You've been outmaneuvered - they've been working on this for over ten years.
Just as you can't shut off GPS tracking on your phone, or the mic for that matter, you will not be able to bypass the switch on the mobo. Try to deactivate it, and the encrypted embedded software will prevent the board from booting, period.
And remember this: any encryption on that subsystem will enable Microsoft to invoke the Digital Millenium Copyright Act against anyone who "breaks" the encryption. You might have rights to mod the hardware, but you have *no* right to break the DMCA and decrypt the bootup blocking software. This is a trap sixteen years in the making. Welcome to the future we warned you about.
Dont buy any computer with a Windows 8 logo.
Its not just linux that is blocked its also unsigned versions of windows.
Who makes all the generic motherboards we use?...China.
Who pirates software more than anyone else?...China
Do you honestly think the Chinese mobo makers are gonna make motherboards that wont run windows 7 (or pirated Windows 8)
No microsoft cant block their import... "No sir, these motherboards are made for running linux...not pirated windows!!!"
remember this term "Substantial non-infringing uses"
Ah, the "I know a person that can do it, so that means everyone can" argument. I know it well, I hear it a lot when talking to people about the cyclical nature of poverty and wage slavery. "[Insert name here] made it out of the ghetto and became a multimillionaire, that means that everyone in the ghetto is there by their own choice!" "[Insert name here] started in the mail room and worked his way up to CEO, therefore everyone can do it if they really want it bad enough!"
The reason why that is notable is because of the extremely long odds they beat to get where they ended up. For every person that made that climb from entry level to CEO, there are 99,999 that never made it beyond entry level, not because they were necessarily any less qualified or driven, but because they just weren't in the right place at the right time. You think the best man for the job gets promoted in today's business world? LOL
For every person that is able to make it out of the ghetto and become successful, there are thousands more that try just as hard and don't make it. Once social services get severely curtailed, if not axed entirely, due to this carefully engineered economic crisis, even fewer people will be able to make it. Are they all lazy? I mean, it certainly sounds like that's what you're saying, 85% of people are lazy. Couldn't it be that they're trapped in a dead end job because they lack the resources required to go out and get a better one? That's even ignoring the health care aspect, you know, the people that are stuck in a shitty job because they need health insurance for their sick spouse or child, insurance they will lose when they change employers. What should they do? Throw caution to the wind and bet on "making it?" Those with money can afford to take risks, hell, we just got done handing trillions of dollars to banks to cover the losses of their speculation. Those working at Walmart can not, and even if they could, you think a bailout is waiting for them?
If you're unable to see how much of this game relies on luck then you're either blind or willfully ignorant.
Excuses are like butt holes. Everybody has them. "Oh my... I can't do X because of rich/capitalism/white man" BS. My next door neighbor is a single mother working two jobs and going to school to become a RN. She doesn't think working as a waitress it a good long term career option, so she is making the required changes in her life. Capitalism is all about how much you are willing to put into life. Period. Stop blaming society on your problems and do something about it. The USA is the great country it is, because of the entrepreneur spirit.
That's a delightful story up to the point where something outside her control goes wrong. Let her get sick and see how well that dream plays out. What sort of medical benefits package does a waitress going to nursing school have? All it takes is one such event and the "American Dream" can easily fall to pieces because the societal safety nets aren't sufficient to cover the sorts of problems that the majority of Americans run into. I truly wish that capitalism was all about how hard one is willing to work, but I'm not naive enough to think that's the case in reality.
Oh, and I wish your neighbor all the best, but considering that I know several nurses who have no trouble getting jobs but couldn't get a nursing job sufficient to pay for their student loans, I suspect her American Dream just might not have a happy ending, unless you count working two jobs (one of them as a nurse) to be success.
Virg
Issue 1:
The OS can be subverted by a rootkit:
The system is designed such that it is not possible to change the core of the OS, except by patches from the OS vendor. This could be used to pull off other dirty tricks, for example to install DRM that makes it impossible to output music in decent quality, unless the music player identifies itself with a key. One could imagine that this could also interfere with your ability to record your own music, e.g. a birthday song.
Issue 2:
Assume the OS core somehow IS subverted by a rootkit:
This could for example happen by someone getting at the master keys for signing OS updates. Or by a hardware vendor submitting a bad driver.
When it happens, you are completely fucked, a bit like you would be with already existing trojans that encrypt your data and ask you to send money for the decryption key. The reason that you are fucked is that most of your data will also be encrypted, so that it is impossible to recover by just placing the HD into a different PC. And in addition, it is harder to remove the rootkit, since it is now part of the protected OS core.
Finally, to sum it up, what is wrong with DRM is that it places control over the device you just bought with the OS vendor, not with you. So you just bought a device that doesn't really belong to you, but to the state and the music industry.
Hey don't blame me, IANAB
Yes, IBM's enterprise machines, up until recently, let you run no alternative OS. But the IBM PC has been open from day one. You've always been allowed to run alternate OS'es on your PC. You thought Microsoft "let" you run alternate OS'es? They did not then, and do not now, own the PC HW architecture. It was IBM's openness that let you do this, not Microsoft's.
(IBM did try to keep some of the particulars of the BIOS secret to prevent PC clones, but it was swiftly reverse-engineered and IBM did not stop it, despite the long-demonstrated ability to have their lawyers crush the opposition.)
How about requiring physical interaction? This would resolve the security issues without harming our right to modify our own hardware.
At first, I thought about some kind of "while rebooting, press and hold Scroll Lock to allow the install", but the keyboard is driven by low-level I/O firmware, so that's out.
Then I thought that a physical button would be good, but the scammers could fool Grandma into pushing it "to protect your PC!"
How about a jumper that, while open, does a one-time skip of the UEFI enforcement, and prompts you to sign the new UEFI yourself?
This solution fits the problem -- without unduly interfering with our ownership rights. It's a pain for a newbie to crack the case, but maybe that would be educational, too.
Now I'll have to virtualize Windows inside of Linux when I feel like running it....Oh wait, I all ready do that.
Seriously, every time he opens his mouth he sounds like a conspiracy nut but he is so fucking on the ball that almost everything he says eventually comes true. His 1997 article The Right to Read may have seemed ridiculous fourteen years ago, but reading it now it seems masterfully prophetic: