Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot
CSHARP123 writes "A few days ago, Red Hat employee Matthew Garrett speculated that OEM machines shipping with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft's new Secure Build OEM requirements for Windows 8 systems. Microsoft chose to directly respond to confusion surrounding Windows 8's use of the UEFI Secure Boot feature on Thursday. Tony Mangefeste of Microsoft's Ecosystem team said, 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"
"Consumers should run Windows, and they should not have any ability to boot up anything else. 'Enterprise' users who can afford to pay more should have more choice."
That is the only way I can see this playing out. What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?
Palm trees and 8
Summary:
If the vendors don't provide a way to boot other systems it's not our fault!
MS
They aren't being as ruthless as we thought. How thoughtful of the evil geniuses.
Microsoft killed the Hackintosh for Apple! How nice of them.
"Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Let's hope that this isn't an empty promise. Also, Microsoft should learn from the Sony disaster. Let the geeks use their Linux and they won't try to attack your servers.
if the computer's locked down, blame the OEM, not us.
Hail Eris, full of mischief...
E pluribus sanguinem
Are Microsoft's customers the OEMs, or consumers? If the former, what incentives would OEMs have to pass the decision on to consumers?
Leela: "Is all the work done by children?" Alien: "No, not the whipping."
...by confirming them. Microsoft's customers, the OEMs, will be free to decide who imports keys and how. That's what everybody has been worrying about, isn't it?
Nutshell summary after actually reading the TFA:
"You can launch any operating system you like, but if you want to benefit from UEFI secure boot protection, you can only launch Windows 8."
From their screenshots and commentary, there doesn't appear to be any opportunity to add new "trusted" O/S images to their database. So even signing your secure Red Hat Enterprise Linux won't help you. If you want to use it, you need to turn the bootloader security checks off. The obvious implication, if you want MBR protection you must run Windows 8. Anything else opens the door.
Yup, Red Hat's take on the situation seems the most accurate.
warn us about this years ago?
Just take a look at this image.
That's all you need to know.
In Summation: There is a genuinely good reason for enabling secure boot (malware prevention - genuine malware prevention, not just some underhand tactic that's masquerading as malware protection) and as long as your OEM isn't a dick, you should be able to disable it much like how you can disable features in your BIOS today. The decision to remove that ability is down to the OEM, not Microsoft.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
As long as I can build my own box, UEFI won't be a problem. But I bet most notebook manufacturers will lock their products down, for easier support.
And even if they put a Linux on their notebook, they may want to lock that down.
If they wanted to address the concern, they would have made user control a requirement of the Windows Certificate program. The worry from the Linux crowd is that manufacturers have historically only done the minimum required in order to get Windows working.
"For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."
- Is there some sort of policy on these blogs that prevents them from mentioning their competition?
Guys, remember the Internet Explorer anti-trust controversy?
*long awkward pause*
They. Are. Not. Going. To.
And even if they did, so what? Seriously, this is frickin' Slashdot. All of you either build your own machines or own Macs.
Yes, because all "Joe Average" people are going to then panic and power off their computers. Most "normal" users that I know would look at that, shrug their shoulders and hit "continue", wanting to get on with watching their DVD, writing their letter, browsing the web, etc etc.
Dancing bunnies.
Linux has been able to use EFI at boot time since early 2000, using the elilo EFI boot loader or, more recently, EFI versions of GRUB.[21]
Which is from the UEFI wiki page and Linux documentation. The issue is that the boot might be locked, not that Windows 8 will find and delete Linux partitions, so really this has nothing to do with Microsoft, it has to do with OEM systems. If you're concerned about this affecting you then build your own computer and it won't matter.
That's what it does right now, in the demo hardware. If you want to run anything other than Windows 8, you just have to go untick an option in the setup screen. The big fear of slashdotters is that once this is supported in hardware, it would be so, so easy for an OEM to remove that option, and they may well do so under pressure either from Microsoft or possibly as part of a data-collection/adware/network-locking subsidy deal similar to that already frequently seen in the mobile phone sector, where firmware-locking is the norm. Think Windows tablets more than desktops.
Of course a Linux or other OS user might be able to disable this "feature" but that would *SERIOUSLY* tarnish the reputation of said OS. If it can not use "Secure boot" -for whatever reason- that implies it boots insecurely.. oh the horror!! It will put the adoption of any kind of grassroots OS at a major disadvantage. For us tinkerers here it's an absolute outrage that the freedom to tinker will come at a premium in the near future, but we've always been the minority.
Learn from the mistakes of others. There isn't enough time to make them all yourself.
"Microsoft wrote an article about how they weren't making it harder to install Linux which described, in detail, how they're making it harder to install Linux. Here's my response" - https://plus.google.com/109386511629819124958/posts/GXc9y7E5uZX
You're assuming there is such an option, and that the user won't be required to reboot, enter the menu and disable secure booting.
Dilbert RSS feed
Yeah, I only need a certificate to boot, but who issues that certificate and for how much? Let me guess: it will be the same gang of suits that signs websites.
The free money game just doesn't get any harder for these guys.
I'll just wait till the antitrust lawsuits start happening; as soon as MS sign their bootloader is the time to strike,
locking out the competition 1x$500 boot certificate at a time.
Meanwhile under the table: Psst...Hitachi... want to sell another Windows box ever again? No BEOS in our BIOS, please.
Oh, I guess I can't pay her enough to do that.
Alright, how about a version of Diablo 3 that doesn't require Steam? Dang, not even that?
This might raise awareness of the windows tax. The main problem with it is that most buyers intending to use some other operating system will accept the extra cost, install whatever they like over windows and never look back. Microsoft got a good deal going, locking in a machine to use windows and nothing else is unnecessary.
However, if there is no way to run anything else than windows on a machine, it will make a small but noticeable decrease in sales. Perhaps this will increase the market for desktop machines with a free os installed, with the possibility of tweaking or disabling secure boot, since "locked in" desktops is not a preferable option for some users.
The problem with the secure boot system is that it won't work. It will fail for the same reason that DRM encryption on DVD's and BD disks failed. They were eventually 'cracked'. As soon as a third party OS (Linux, BSD, Mac, etc) is available for installation on systems with secure boot the 'secret' will be out to the malware writers and they will find ways to get in via subterfuge.
You can still buy a Mac to run Linux on consumer hardware. Pretty solid and idiotproof hardware at that too (my circa 2006 C2D MacBook running Debian has been dropped to the floor a few times and it still holds together, try that on an Acer or even on a modern soft floppy plastic Lenovo).
"We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems."
I couldn't give a f**k about Microsoft's customers or OEMs. I'm solely interested in my ability to manage my system.
CSHARP123 is another Microsoft shill. But he's not a front-line guy, rather more of a support guy, submitting pro-MS / anti-competition stories and doing "reputation management" in the firehose.
http://slashdot.org/~CSHARP123
"When information is power, privacy is freedom" - Jah-Wren Ryel
How is this any different than phones running Android or Symbian? The OS is developed, then phone manufacturers acquire the OS, adapt it to their hardware and then lock it down. If you want to boot something else, you have to hack it. I don't see you up in arms about it, you just deal with it. It was only a matter of time before this started happening with computers too.
There is still cause for concern and the concern is misdirected at Microsoft. The bigger cause for concern should be the Motherboard manufacturers. Look at the issue from their perspective. They pre-install a certain number of certificates at the factory (Windows 8...).
They then have the choice on whether or not they want you to be able to install additional certificates beyond what it came with from the factory. In order to do this they have to enable the feature to allow the certificate store to be updated or the feature to be turned off. They also have to manage additional new certificates and or supporting the user installing their own. That means that they have to provide tech support to allow you to do this. That means additional testing beyond what it comes from the factory, additional support costs for users having trouble and so on.
Their financial interest is arguably in making sure that the certificates they expect you to need are included and that you have no way to modify this as that costs them money for what they will perceive as a market that isn't worth catering to. There is also the added fact that a motherboard that is locked to a certain Operating System can't run a new Operating System when it comes out. That translates into planned obsolescence where the user /has/ to replace their motherboard when a shiny new OS comes out that they want.
There is only one thing I can think of that would prevent this issue from being widespread on most motherboards. Enterprise environments need to use tools like Altiris to deploy OS's with PXE boot. If an enterprise can't image their computer they can't use it in fleet deployments and they won't buy it. Of course this does nothing to protect home users that don't have this requirement.
Bottom line, UEFI is an issue, but not for the reasons that everyone thinks it is.
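The comment above turns on which certificates sit in the firmware's store and whether the owner can change it. As an added example (not part of the thread or any poster's code), this Python sketch parses the UEFI signature database format (`EFI_SIGNATURE_LIST`) together with the `SecureBoot` and `SetupMode` flags as Linux exposes them through efivarfs; the sample bytes and owner GUIDs are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca2-41f936934328"): "sha256",
}
ATTR_LEN = 4       # efivarfs prefixes every variable with a 32-bit attribute word
LIST_HDR_LEN = 28  # type GUID (16) + list size, header size, signature size (3 x u32)

# On a real Linux system the inputs would be read from files such as
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f


def parse_flag(raw):
    """Decode a one-byte variable such as SecureBoot or SetupMode (1 = on)."""
    if len(raw) != ATTR_LEN + 1:
        raise ValueError("expected 4 attribute bytes followed by 1 data byte")
    return raw[ATTR_LEN] == 1


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return one dict per entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < LIST_HDR_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize does not fit the variable")
        body = data[off + LIST_HDR_LEN + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("SignatureSize inconsistent with list body")
        kind = SIG_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            payload = body[i + 16:i + sig_size]
            # Hash entries identify themselves; certificates get a SHA-256 fingerprint.
            ident = payload.hex() if kind == "sha256" else hashlib.sha256(payload).hexdigest()
            entries.append({
                "type": kind,
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                "id": ident,
            })
        off += list_size
    return entries


def assess(secure_boot_raw, setup_mode_raw, db_raw):
    """Summarise who is trusted and whether keys can still be enrolled freely."""
    entries = parse_signature_lists(db_raw[ATTR_LEN:])
    return {
        "secure_boot_enforced": parse_flag(secure_boot_raw),
        "setup_mode": parse_flag(setup_mode_raw),  # True = no platform key enrolled yet
        "db_entries": len(entries),
        "owners": sorted({e["owner"] for e in entries}),
        "types": sorted({e["type"] for e in entries}),
    }


def _build_list(sig_type, owner, payloads):
    """Helper that builds one EFI_SIGNATURE_LIST for the constructed sample."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", LIST_HDR_LEN + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body


# Constructed sample data: placeholder owners, a dummy 64-byte "certificate"
# (not valid DER) and two hashes of made-up loader images.
OEM_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
USER_OWNER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
X509_GUID, SHA256_GUID = list(SIG_TYPES)
LOADER_HASHES = [hashlib.sha256(b"constructed loader A").digest(),
                 hashlib.sha256(b"constructed loader B").digest()]
SAMPLE_DB = (struct.pack("<I", 0x27)
             + _build_list(X509_GUID, OEM_OWNER, [b"\x30\x82" + bytes(62)])
             + _build_list(SHA256_GUID, USER_OWNER, LOADER_HASHES))
SAMPLE_SECURE_BOOT = struct.pack("<I", 0x06) + b"\x01"
SAMPLE_SETUP_MODE = struct.pack("<I", 0x06) + b"\x00"

if __name__ == "__main__":
    for key, value in assess(SAMPLE_SECURE_BOOT, SAMPLE_SETUP_MODE, SAMPLE_DB).items():
        print(f"{key}: {value}")
```

A `db` whose entries all carry a single vendor owner GUID, combined with `setup_mode` false and no firmware option to clear the platform key, is the locked-down configuration the thread is arguing about.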
If the majority of OEMs do not allow for a disabling of secure boot we will do two things:
1) Launch a class action lawsuit against the OEMs and Microsoft.
2) Ask the EU and the US Justice Department to reopen the antitrust lawsuits.
The only way for Microsoft to avoid these is to require OEM's to allow users to disable secure boot.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Been saying it for a while now. People laugh.
Just keep laughing.
SJW: Someone who has run out of real oppression, and has to fake it.
> If they modified the standard so that the system would give a confirmation popup saying
> This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
That's great, but how is that Microsoft's problem? Seriously, if people want Linux to boot on this new generation of motherboard/firmware, then people need to do the work to make it happen. It's not Microsoft's job. Find an OEM to help and get to work.
"Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows"
What they mean, here, is that OEMs are welcome to refuse to sign the Microsoft contracts for discounted Windows licenses, and just add that extra cost to their computers, which can then boot other operating systems. Good luck selling any when everybody else is undercutting your prices by $100 or so.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
I love the "translation" posts because I hate them all individually -- none of them stress my way of looking at the problem. Here's my translation:
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
> > If they modified the standard so that the system would give a confirmation popup saying
> > This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
> That's great, but how is that Microsoft's problem? Seriously, if people want Linux to boot on this new generation of motherboard/firmware, then people need to do the work to make it happen. It's not Microsoft's job. Find an OEM to help and get to work.
That's a bit like saying that if someone campaigns for a system that would only allow you to use one bank's credit card in all shops the lock in would be nothing to do with them but the shops problem.
Just make the option a jumper on the motherboard, and you're virtually guaranteed that only people with at least some clue will change it.
The Tao of math: The numbers you can count are not the real numbers.
Why can't you make adding and removing certificates (or disabling the whole system altogether) part of the UEFI standard? That way, any hardware which claims to be UEFI compliant must implement adding and removing certificates. Failure to comply would result in either: high fines, or a free refund for a customer.
This would solve the issue. Isn't this how HDMI (or was it DP) does it?
And of course the ones that secure the monopoly of Microsoft will be best treated ...
How many non-technical home users install a new OS on their hardware? How many of them even bother with an upgrade to a later version of Windows? The percentage has to be so small as to be nonexistent. I'm not trolling here, I think it's a legitimate question.
To expand on it. Computers have become commodity devices. People buy one, use it up, buy a new one in the same way they do TVs etc. As long as it lets them do the things they want they don't really care if it's got the latest software on. They certainly don't care enough to install a new operating system. Most of them wouldn't even know that this was an option. This is the general population, not the tech elite that read slashdot. So, does this stop people who want to install a different OS from installing it? Yes and no. They might find that it's not worth buying systems made by X, but they could always build their own, or buy from a different OEM that provides the access they need.
TL;DR it's not a problem that will affect the vast majority of users. Those that it will affect will have an understandable way around it.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
This resembles locked vs unlocked cell phone policies. Here in the USA, the gov't kow-towed to network operators' desires and allowed the distribution of locked cell phones. Meanwhile, in many European countries, governments upheld their citizens' rights to take their hardware to any network they wanted.
I think the PC market will work in much the same way. The EU will protect customers and mandate handing the boot keys over to them. The USA will let Microsoft muscle OEMs around and withhold boot options to get the affordable Windows 8 licenses. So Linux users will ship PCs in from the EU.
US retailers will scream about the loss of business. US Customs will respond by training dogs that can detect unlocked PCs and go through incoming freight.
Have gnu, will travel.
My pretty new Samsung RV520 comes with an option in the BIOS to turn it off. I didn't know about this wonderful "feature" so I was baffled why no single Linux based 'Live CD' or install DVD would boot. Until I found that option. Then it was goodbye to all existing partitions and hello freedom to install what I want.
Here's the secret to immortality:
Secure boot is a UEFI protocol not a Windows 8 feature
UEFI secure boot is part of Windows 8 secured boot architecture
Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
Solution: If you don't want it up to your particular big name vendor, build your own system. You can bet the full UEFI spec will be implemented on Gigabyte, Asus, MSI, and other boards, where you have the choice of disabling the secured boot environment.
Also, the pre-boot environment in Windows 8 clearly allows the booting of "Other OS."
Much ado about nothing.
Look, what Microsoft is saying here is they support an OEM's right to decide if they will secure an installation of OS on their hardware products. This is what Apple has been doing for years.
Microsoft is NOT a hardware vendor, so they do not have the right to decide which OS you run on your PC, and nothing about this suggests Microsoft is going to force you to run Windows for-ever more if you install it on a new PC. The PC industry is made up of many many OEM's and some of them are going to want to lock down their computers to run only Windows.
So, what does this mean for you? Well, if you buy a Dell computer and Dell decides to lock out installation of Linux, then don't buy Dell, period, end of story. Move along.
This is not Microsoft saying that if you install Windows 8 on a PC then you can never install any other OS ever again on that box.
I am tired of the idiot mass Slashaters yelping about stuff they either do not understand or can't see clearly enough to realize this is an incredible NON-ISSUE! These discussions become filled with MS hater *sshats that are so enraged about past experiences with MS that they don't realize how stupid they sound continuing their hatred of MS. A bunch of cavegeeks yelling "Linux good, MS bad" without any context or thought behind the statement.
Any self respecting Linux fanboy does not buy a Dell computer, they piece together their machine from scratch meaning they are in full control of which OS they run. If they happen to install Windows 8, they can freely install Linux at some other time.
And yes, Microsoft's customers are the OEM's, they are the ones that ship Windows with their computers. Microsoft's market for DIY PC builders is incredibly small, but they are not interested in trying to force that small market to use Windows only.
So, in translation, 90% of people that buy an OEM PC do not care to use Linux and Microsoft and the OEM's are catering to the desires of this LARGE market, the 10% that do want to use it build their own computers and can install whatever they like on them. This is not an issue!
A lot of the people commenting here are not really getting the issue, as far as I can tell. The point of worry is control creep, much like the creep that is worried about when they start censoring the "bad things" off the Internet, I'd be all for it if it wasn't so easy to abuse. The problem is in fact, it is easy for the powers that be/status quo to abuse these systems and they have done so before. I've had laptops where I couldn't even switch the SATA mode, there's nothing to stop them making this into the worst possible situation for those who use OSes besides Windows.
It's gonna take less than a week for this to get cracked, so why is everyone so worried? For the 80% of the population who browse facebook and read emails, it's probably quite good to have a secure bios that can't (well, I won't say can't, I'll say *less easily*) get rootkitted, if that's a word... for the rest of us, we can just download the latest crack, apply it, and boot whatever we want.
I suspect (I don't know) that the scenario that's trying to be "fixed" is the opening scene of Ghost in the Wires. What happens is Kevin Mitnick gets himself into a building, finds the Domain Admin's computer, shuts it down, boots the computer off of a USB key, and installs a key logger onto the system. The computer boots back up, with a key logger now installed, OS security completely bypassed. Is there another solution to this scenario?
Consumers have many OS choices on all shapes and sizes of devices. If microsoft's goal is to gain lock in on the consumer market, and then own the smartphone and tablet market, they are 2 days late, and a Euro short.
They tried to lock down the very first PC's and failed. The PC only became popular because it was an open platform.
As for the Canard that the BIOS needs to be updated, I have been hearing this for years. C'mon. All the boot loaders are already written.
You need secure boot, trusted boot? Install a card, or pay extra for a special motherboard to fix *your* problem. If the problem was that big, somebody would have made such a motherboard and be selling it to you.
Security Keys in the BIOS? That's a clusterfuck and a brick event waiting to happen. Not in my server room.
No, I am not flashing or otherwise updating BIOS's. Copy that? Received Transmission? Confirm.
There are 6 updates for your BIOS. Please install and then reboot your critical server and pray that it comes back up. NO. NO. NO!
GOT THAT? I AM NOT UPDATING MY BIOS. EVER.
Microsoft is promising not to come in your mouth.
Well, if you really wanted to run whatever OS you want, you could always buy a Mac.
Oh, the irony.
...run on top of PC BIOS.
If anything, they add more crap to the giant stinking pile of crap that is PC BIOS.
Contrary to the popular belief, there indeed is no God.
The comment by Microsoft basically says nothing.. it doesn't clear up anything. As usual, Microsoft doesn't play well with others, and essentially users will be left scrambling to find a way to do something because Microsoft doesn't bother. Thanks Microsoft. Thankfully, I stopped using Microsoft software years ago and use Fedora Linux now, so I've got nothing to worry about.
I mean, if you write over the BIOS then you can effectively wipe out any protection UEFI can provide. Please don't tell me that it's protected from flashing unauthorized firmware because we both know those verification systems can be cracked.
With that much storage capacity, you can make some serious malware.
Anons need not reply. Questions end with a question mark.
My favorite quote:
For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.
(emphasis mine)
Way to put a spin on it.
D@mn. Even their choice of terminology pisses me off.
"OEMs having the flexibility to decide who manages security certificates and how to allow customers"
To OEM's and Microsoft, How about once I've paid for the computer you F-off unless the HARDWARE breaks. The OWNER makes the decisions. Period.
Digital is, by definition, imperfect. Analog is the way to go.
> 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"
Yeah, that really clarifies. And Microsoft has never leaned on OEMs to get them to enter into business deals that benefit Microsoft at the expense of competitors. Oh, wait...
But seriously, Microsoft has never required a customer to pay that portion which is a Windows license when buying a PC even if the customer never intends to run Windows... on... said... machine... oh, wait.
Yep, that's really clear now.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
> If they modified the standard so that the system would give a confirmation popup saying
> This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
Unfortunately, the average Joe would just confirm without reading or understanding the warning. Why do you think malware is so widespread today? As long as there's an option to disable secure UEFI in the firmware setup, that's good enough to support other OSes while keeping the average Joe from rendering any benefit from it useless.
I can probably hear some people yell "boycott". Well... those people are wrong. What you need to do is go buy the UEFI machine, try to install Linux or boot a Live CD (you do have to do this, you can't just look at the box), then return the product for a full refund. Buy another machine with the same problem, repeat. Multiply this by all the Linux users out there (assuming they can be bothered to do this). Watch vendors go ballistic, as the number of open box machines in their stocks grows insanely fast.
The OEM should provide a way that allows the purchaser to program keys into EFI and the OS should allow the installer to notify the OS install process of their key. Personally I prefer there to be no way of making changes to the EFI without physical access. It should be a process of 1) jump pins 2) boot CD 3) program or update. This would place the control in the hands of the owner not an OEM or OS vendor.
Having to work for a living is the root of all evil.
In short this sounds like a proxy war tactic. MSFT has the "OEMs" lock down future BIOS to boot just Windows OS.
//FWIW, I and my org will not be buying hardware locked down to a MSFT OS. Get a clue, if you want my $$.
"Oh you wanna run Linux on your machine..? Too bad your OEM does not allow that...! Instead please keep staring at that shiny Windows sticker on your machine...!"
Profit!
Remember all the uproar from years back about TPM/Palladium? Remember how it was going to eat our (Linux/BSD) babies? And how it didn't show up, and everyone assumed it more or less "went away"... Guess what. It was just hibernating. It's awake now, it's hungry, and your first-born (non-Windows-install) is looking rather pleasantly plump with some BBQ sauce.
We've grown oh-so-fucking-complacent. And now we reap the harvest we've sown for years.
I plan on running my out-of-date 890FX-based motherboard for as many years as I can. Grandfathered hardware will become the tinkerer's/hobbyist's/hacker's chosen platform, because of bullshit like this. Microsoft keeps squeezing the loopholes that allow "foreign" installations tighter, making it harder and harder to get off of Windows; give it about 10 more years, and the memory of "you can install what you want" will finally be "you install what we tell you to, peon."
Before people say "but no it's always been this way", let's look at a little history:
- Windows XP, introduces Windows Genuine Advantage, which immediately fails software installs on Wine (because it's not Windows).
- Windows Vista, introduces "secure audio path" and other core DRM elements, but isn't heavily pushed (yet) because of driver grief. The community buys some valuable time.
- Windows 7 aka Vista Second Edition (remember 98/98SE?) retains all the DRM elements, and starts to finally push things forward. We pretty much pissed the time away that we got with Vista, with Ubuntu being the only viable contender to emerge from 5 years of stagnation.
- Windows 8, introduces "secure boot", which really means "securely booting our revenue stream until your computer is dead".
What comes next? I can only guess:
- Windows 9, we will tie the license to facial recognition software so that you can never transfer it to another user when you sell the computer. The facial recognition is part of the new "secure logon".
- Windows 10, you will rent the software "by the year" as part of Azure 2. Failure to pay = failure to access your data. If you don't pay up soon...your data gets deleted after just 1 year. Goodbye family photos, home finances, and other important home use items...
- Windows 10, we start our original goal that Bill G. wanted, namely, to be the middleman in your transactions. We get a cut.
It's OEM's commercial interest, not MS's.
For now, the ability of installing Ubuntu on laptop seems to be "free as air". But sorry, this can change. In mobile world, for instance, it is not free, and requires excessive hacking.
There is no freedom to run Linux on iPhone, unless you will hack it (and they become more and more resistant to hacks, for instance, iPhone 4's baseband _cannot be operator-unlocked for a year_ without this ugly Gevey SIM hardware hack which bastardizes the whole GSM protocol and can cause blacklisting of your account by the network operator).
So, why do you think OEMs will not go Apple's way and, for instance, sell the Windows-only restricted laptop for cheap, and _the same laptop_ but not restricted to Windows - for more money? For me, this is logical. Same as with cellphones - operator-unlocked phone is more expensive than the locked one.
The OEMs will even market the unrestricted version as "Pro", and "Geek's Friend", as "Install the True Real OS of Linux for this small additional money" and such.
The thing is that 99% of laptop users do not care about Linux, so saving money on this non-Pro version can be important for them.
As for MS, they a) do not ship the assembled systems, laptops, motherboards and BIOSes b) do not write EFI firmware c) have only partial control over it, since EFI is Intel's thing d) they do not care. The percentage of desktop/laptop Linux users is insignificant and has no serious growth since around 2004.
I'm betting it's because Microsoft's WGA or WAT or whatever they're calling their activation process is currently bypassed for OEMs by way of a BIOS certificate, and the stuff necessary to bypass it by the warez scene is typically a bootloader. I'm betting that the only way companies get to use the OEM way of activating Windows with a single key is if secure boot is enabled. The impact to malware and Linux are both probably incidental benefits to Microsoft. How to tell if I'm right? See if it asks you to activate your copy of Windows when you disable secure boot on your Windows 8 Dell.
i'm gonna have to start building my own PCs again...
The home user that buys motherboards is precisely the kind of user who cares about the ability to upgrade or replace operating systems.
If I buy a motherboard from newegg that won't let me install Linux, it's useless to me and will be returned for refund immediately.
The person who buys complete "name brand" computer systems is probably screwed, though.
Nobody should trust MS unless they have an option not to trust them. I will manage my own keys, thank you.
If they do lock it down so you can't change the system and crackers find a way to virus that anyway (which they will, no doubt on that one, it's just a matter of time), will that prevent someone from reinstalling Windows if they don't have the original OEM recovery disks made? If they lock it down, forcing people to use a specific system, will it stop them from repairing the current system when it finally buckles over?
Actually, I think this new UEFI Secure Boot could backfire on everyone: the user who cannot install a different Operating System; Microsoft could have the same problem when the user wants to switch to another version of Windows; mainboard manufacturers if they have to provide a *simple* way of updating / managing certificates: and by *simple* I mean a very foolproof user interface, not the usual 80-chars-navigate-using-strange-keys BIOS interface they still produce.
I don't think that UEFI is a feature worth the cost.
How interesting. Like a mobster trying to convince the cops that the other guy just happened to run into his bullets... "None of my doings, Sir! I'd never do anything like that!"
The CAPTCHA for this post was fittingly 'silliest'.
None of this is new. The clear desire to control the ability to access hardware, storage media, to boot an OS, and to authorize applications to run or access data, was built into the "Palladium" project and was renamed "Trusted Computing". While much of its glamour has been lost, and the difficulty of enforcing its controls has been shown to be hackable with virtualization, it remains a technology designed to prevent access to hardware and data based on commercial licenses, rather than any security or defense of user data.
This is another attempt at the same goals, to foster and enforce Microsoft monopolies by controlling the ability to use the hardware, itself.
I can't believe how little protest the remote attestation aspect has generated. From TFA: "To prove a client is healthy, the anti-malware software can quote TPM measurements to a remote verifier."
How long before that becomes "The XYZ software can attest that only trusted software components are running." Big content are going to love this capability.
UNIX: 'cuz you can tattoo it on your knuckles!
Or for half the price, build your own computer that supports secure booting Linux.
I think the worry is that the motherboard manufacturers will get onboard the Microsoft train. If the paranoia pans out then you might have a little difficulty doing that.
Unless you enjoy etching PCBs, that is.
if you want a linux box, build one from basic parts and don't be lazy (building is cheaper if you know where to buy the parts)
if you want a linux box but don't know how to build one, now's a good time to learn
if you want a laptop for linux, there's ebay
if you're lazy, don't know what linux is, or just like playing freecell and obsessing over comments on facebook, then you're probably not even aware of any of this and won't be affected anyway
No mention of dual booting, if only 1 of the OS's has a signed key. What will you do when you have to go into the BIOS and disable key checking to run one OS and then go back in to enable key checking to run the other bios?
How many dual booters--if they had to choose, if it were difficult to choose otherwise--would just choose to give up Windows entirely?
Probably not many... some of us still keep a Windows box around to run a certain application that is vital to what we do.
The underlying reason for an OS before the OS is not user protection, it is digital content protection, with Microsoft (or the OEMs, moot point) loading keys for digital rights protection from software vendors to keep you from:
installing other OS's
Installing software like competitors to MS Office, who didn't pay for a key.
playing music that is not "keyed"
playing movies that are not "keyed" to you (or to your region).
stage 1 involves building a wall/hurdle that other os's must bear the cost of.
stage 2 involves having software companies apply for and pay for a key for their software to run under Windows 8.
stage 3 involves the music and movie industries applying for and paying for keys to let their products be protected by keys.