Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot

← Back to Stories (view on slashdot.org)

Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot

Posted by Soulskill on Friday September 23, 2011 @12:50AM from the putting-out-fires dept.

CSHARP123 writes "A few days ago, Red Hat employee Matthew Garrett speculated that OEM machines shipping with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft's new Secure Build OEM requirements for Windows 8 systems. Microsoft chose to directly respond to confusion surrounding Windows 8's use of the UEFI Secure Boot feature on Thursday. Tony Mangefeste of Microsoft's Ecosystem team said, 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"

25 of 389 comments (clear)

Min score:

Reason:

Sort:

Translation by betterunixthanunix · 2011-09-23 00:53 · Score: 4, Insightful

"Consumers should run Windows, and they should not have any ability to boot up anything else. 'Enterprise' users who can afford to pay more should have more choice."

That is the only way I can see this playing out. What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?

--
Palm trees and 8
1. Re:Translation by GordonBX · 2011-09-23 01:02 · Score: 5, Insightful
  
  Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.
  Of course you're right.
  That's exactly what has happened with mobile phones. (cough).
2. Re:Translation by JamesP · 2011-09-23 01:03 · Score: 5, Insightful
  
  No, the problem is:
  BIOS vendors are complete idiots
  "EFI" vendors are the same guys
  It's a crapfest of proprietary extensions, NIH syndrome and a million ways to change monitor brightness. And of course it's only tested on the latest Windows version, well, because...
  Of course, Intel is to blame with the whole ACPI mess and looseness. Typical engineer mentality a standard that standardizes nothing.
  Really, Intel and AMD should join forces in this: Make 'to change monitor brightness write a value from 0 (darker) to 0xff (brighter) to register 0xABC PERIOD'. "but but but", "I SAID PERIOD".
  
  --
  how long until /. fixes commenting on Chrome?
3. Re:Translation by Anonymous Coward · 2011-09-23 01:08 · Score: 0, Insightful
  
  It would be the creators of boot loaders who would pay to get their boot loaders signed, not end-users, and the idea would be that it would only be the cost of validation.
  There'd be no reason not to allow people to disable it, if they didn't mind running unsigned boot loaders (just like the TPM module can be disabled if you don't want it), but for the many people who will never have any need to run an unofficial/unsigned boot-loader this will prevent one of the more difficult classes of malware.
  Basically you can think of this as letting companies use signatures for their websites; you need to pay a bit but people can be more confident as a result. Seems pretty reasonable to me (and why are we so eager to hang on to 80's BIOS tech anyway? This is one small part of the UEFI standard which will help keep things flexible, future-compatible, standardized and secure).
4. Re:Translation by LWATCDR · 2011-09-23 01:52 · Score: 3, Insightful
  
  The OEMs for the most part will make it a user option for a simple reason.
  A lot of people when Windows 8 comes out will want to keep Windows 7. If they have an install disk and it doesn't work their will be hell to pay.
  Right now the UEFI folks are all going to be putting in an option to turn it off. Intel will without a doubt have that option in all of their reference motherboards which is what a lot of the OEMs use.
  ASUS will put in that option as well.
  The problem will be when at some point in the future someone has an old crappy Ultra book made by Ikkkiianu and wants to put Linux on it because Windows 9 doesn't work well on it and Windows 8 is too insecure.
  
  --
  See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
5. Re:Translation by MrHanky · 2011-09-23 01:54 · Score: 4, Insightful
  
  I'm well aware of how to buy computers, thank you very much. I'm just pointing out that forcing people to pay for Windows isn't new, and has fuck all to do with control. betterunixthanunix's "translation" is just a bunch of hyperbolic nonsense based on the theory that Microsoft will always be more evil than Satan himself, despite whatever the people at Microsoft claim themselves.
  Of course, since this is Slashdot, facts are flamebait and paranoid fantasies are insightful.
6. Re:Translation by Hatta · 2011-09-23 02:02 · Score: 3, Insightful
  
  But only some. Today you can throw Linux on any old hardware, and do something useful with it. 5-10 years from now, you'll have to specifically hunt down unlocked hardware. This has a rather drastic effect on the utility of Linux, which is Microsoft's intention.
  
  --
  Give me Classic Slashdot or give me death!
7. Re:Translation by Hatta · 2011-09-23 02:06 · Score: 1, Insightful
  
  The technology is clearly intended to block adoption of Linux (and other operating systems), or they'd provide a way for the owner of a device to whitelist new operating systems. BIOS rootkits are a convenient excuse.
  
  --
  Give me Classic Slashdot or give me death!
8. Re:Translation by houstonbofh · 2011-09-23 02:39 · Score: 3, Insightful
  
  No, just representative of the techs who support and choose company PCs. I got to change the corporate laptop standard from HP to Asus for problems like this. And the suits liked the new laptops.
9. Re:Translation by scamper_22 · 2011-09-23 02:45 · Score: 1, Insightful
  
  And good on MS.
  They're doing the work, they want to make sure they get paid.
  Maybe one day you will realize that every field protects itself. Doctors and lawyers restrict their trade. Regulators and government employees have direct access to government cash.
  What do tech companies have? They have their own community fighting to destroy any sense of long term cash flow.
  It was easier back in the day when this cash-flow came from a telecom monopoly which was then funded to R&D labs. But with the breakup of the telcos and vendors forced to fight on their own, they have to deal with the realities of funding a long term business.
  You want nice open standards... then do it but then have a license fee or tax that goes back to the creators of said standard.
  I have a feeling as the economy implodes... more and more people are going to realize that making a living is a pretty important part of life.
10. Re:Translation by Anonymous Coward · 2011-09-23 02:50 · Score: 3, Insightful
  
  ACPI was not designed by Intel alone, Microsoft was also there. And let's remember what Microsoft tried to do [slated.org]:
  Translation: "We're doing all the work, how do we prevent the freeloaders from benefitting ?"
  Ah, the battlecry of the American People(see healthcare, welfare, etc).
11. Re:Translation by betterunixthanunix · 2011-09-23 02:51 · Score: 4, Insightful
  
  As if I have never heard of a rootkit?
  
  In all seriousness, here is another method of solving the problem, which would be just as effective at preventing rootkits from hiding in the bootloader: make the boot medium a flash device on the motherboard, and have a jumper that enables writes to that device. This would not rob users of control over their system (although it may force people to get over their fear of opening their computer's case and changing a jumper), and would be just as effective at stopping the overwhelming majority of rootkits.
  
  The real motive here is the same as it ever was with the TPM: they want to market Windows as a "media platform" and their "media partners" do not like the idea of users being able to control their own computers -- they want to enforce restriction technologies. GNU/Linux is an operating system that its users control, and so these "media partners" do not want to see it installed on anyone's computer. Likewise, they do not want to see people modifying Windows in a way that circumvents DRM. They want computers to be like cell phones and cable TV boxes, herding the users in ways that are convenient for various copyright-based corporations.
  
  That this will block certain classes of rootkits is entirely incidental, despite the heavy marketing.
  
  --
  Palm trees and 8
12. Re:Translation by Anthony+Mouse · 2011-09-23 03:09 · Score: 5, Insightful
  
  Maybe one day you will realize that every field protects itself. Doctors and lawyers restrict their trade. Regulators and government employees have direct access to government cash.
  Economists call this behavior "rent seeking" and it is considered inefficient and undesirable. The idea that Microsoft should not be criticized for engaging in it is highly misguided.
13. Re:Translation by jedidiah · 2011-09-23 04:04 · Score: 2, Insightful
  
  You're an idiot to base any argument on what Microsoft SAYS they will do.
  They only thing that is remotely relevant is what they have actually done.
  Do they have that well established history of not being totally evil yet? Can you point to it as a counterexample to everyone else's paranoid?
  If not then you really have nothing to add to this conversation.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
14. Re:Translation by erroneus · 2011-09-23 04:31 · Score: 4, Insightful
  
  ...you mean the same way Microsoft benefited from the work of IBM and other software vendors? Gates and Microsoft understand the ecosystem which requires sharing. They were and still are interested in embracing that ecosystem and then locking everyone into their twist on what they take from it. This can be seen everywhere and in everything they do. The Java law suit against Microsoft is probably the best example of this behavior by Microsoft but there are hundreds of other great examples out there.
  Saying "we did the work..." is bullshit. They give away LOTS of things and waste LOTS of money. Their little bit associated with ACPI is a speck of dust in a drop in the barrel. This isn't about their trying to keep their work to themselves, it's about keeping the rest of the world from being compatible.
15. Re:Translation by Anthony+Mouse · 2011-09-23 04:45 · Score: 1, Insightful
  
  Gates felt that Linux devs gained some sort of undue enrichment. It's a bogus and douchbag position, but it's not "rent seeking".
  You're reading his bogus defense of his conduct and ignoring the conduct. Copyright and patent holders do this on a regular basis. They say that they created something and demand remuneration, but what they demand is far in excess of what they contributed. The patent holder patents the parts to his copy machine, but then tries to leverage the "legitimate" patent monopoly over replacement parts into a monopoly over copier service. The motion picture industry takes their oligopoly position in copyrighted motion pictures and tries to leverage it into control over the distribution channels, and then over all consumer electronics.
  If Microsoft breaks ACPI for Linux, they break more than they built. They are (to use the Microsoft camp's philosophy and terminology) "stealing" the benefit to the hardware makers who developed ACPI of selling ACPI-functional hardware to users of non-Microsoft operating systems. They are also ignoring the legitimate work done by the Linux camp to make ACPI work on Linux, as though somehow only Microsoft's efforts to make ACPI work for Windows are legitimate and require compensation and consideration but any efforts by a third party to make it work for another operating system can be ignored in the calculations.
16. Re:Translation by makomk · 2011-09-23 06:38 · Score: 2, Insightful
  
  Entirely coincidentally, most of the really buggy ACPI implementations out there - the ones that cause the most headaches for Linux and other OSes - are generated by a Microsoft tool that's carefully crafted to generate code that breaks under other OSes. It's probably also a coincidence that Microsoft encourages vendors to use WMI, a way of extending ACPI which means that every single laptop in existence needs its own drivers for stuff like hotkeys, backlight control etc, and these drivers are for some odd reason Windows only.
Useless response by Chrisq · 2011-09-23 00:53 · Score: 3, Insightful

Summary:
If the vendors don't provide a way to boot other systems its not our fault!
translation by drinkypoo · 2011-09-23 00:55 · Score: 5, Insightful

"Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Microsoft addresses concerns... by Anonymous Coward · 2011-09-23 01:00 · Score: 4, Insightful

...by confirming them. Microsoft's customers, the OEMs, will be free to decide who imports keys and how. That's what everybody has been worrying about, isn't it?
I see what you did there... by DontBlameCanada · 2011-09-23 01:01 · Score: 5, Insightful

Nutshell summary after actually reading the TFA:
"You can launch any operating system you like, but if you want to benefit from UEFI secure boot protection, you can only launch Windows 8."
From their screenshots and commentary, there doesn't appear to be any opportunity to add a new "trusted" O/S images to their database. So even signing your secure Red Hat Enterprise Linux won't help you. If you want to use it, you need to turn the bootloader security checks off. The obvious implication, if you want MBR protection you must run Windows 8. Anything else opens the door.
Yup, Red Hat's take on the situation seems the most accurate.
The concern is valid, if misplaced by onyxruby · 2011-09-23 02:21 · Score: 3, Insightful

There is still cause for concern and the concern is misdirected at Microsoft. The bigger cause for concern should be the Motherboard manufacturers. Look at the issue from their perspective. They pre-install a certain number of certificates at the factory (Windows 8...).
They then have the choice on whether or not they want you to be able to install additional certificates beyond what it came with from the factory. In order to do this they have to enable the feature to allow the certificate store to be updated or the feature to be turned off. They also have to manage additional new certificates and or supporting the user installing their own. That means that they have to provide tech support to allow you to do this. That means additional testing beyond what it comes from the factory, additional support costs for users having trouble and so on.
Their financial interest is arguably in making sure that the certificates they expect you to need are included and that you have no way to modify this as that costs them money for what they will perceive as a market that isn't worth catering to. There is also the added fact that a motherboard that is locked to a certain Operating System can't run a new Operating System when it comes out. That translates into planned obsolescence where the user /has/ to replace their motherboard when a shiny new OS comes out that they want.
There is only one thing I can think of that would prevent this issue from being widespread on most motherboards. Enterprise environments need to use tools like Altiris to deploy OS's with PXE boot. If an enterprise can't image their computer they can't use it in fleet deployments and they won't buy it. Of course this does nothing to protect home users that don't have this requirement.
Bottom line, UEFI is an issue, but not for the reasons that everyone thinks it is.
Re:If you can't be bothered to RTF... by neokushan · 2011-09-23 02:25 · Score: 3, Insightful

If you disable it then it is not genuine prevention any longer? If you disable it then win8 no longer boots.
Incorrect.
This seems to be a common misunderstanding with the whole thing. Windows will boot no matter what, be it secure or unsecure. It's not Windows' decision, it's the UEFI system's decision if it should boot windows, Linux or whatever.
The whole point of the secure boot is to prevent malware that fucks with the bootloader, allowing rootkits to be inserted into the Kernel before any anti-malware gets a chance to run.
This is how a chain of trust works.
A -> B -> C -> D
A, ideally, is some hardcoded software that cannot be modified. In games consoles, it's usually a part of a ROM or in the Xbox-360's case, it's on the CPU itself. It checks that B hasn't been modified in any way, shape or form and if it passes, boots it. B then does the same for C and so on and so forth.
The principal is exactly the same here. If you disable UEFI secure, all you're doing is saying "Dear A, don't bother checking B, just boot the fucking thing". B will then happily continue on as normal, booting C which then boots D. At some point, D can look back and check that A, B and C haven't been modified but it's almost pointless because if they've already been compromised, they'll feed the next in the chain whatever the fuck the compromiser wants it to.
A = UEFI bootloader
B = Windows Bootloader
C = Windows
D = Anti-malware

--
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Yet Another Translation by Sloppy · 2011-09-23 02:39 · Score: 3, Insightful

I love the "translation" posts because I hate them all individually -- none of them stress my way of looking at the problem. Here's my translation:

Microsoft supports OEMs having the flexibility to decide who manages security certificates, because they are our customers, not the users. Fuck the users, why should they have any decision making power in what their computers are allowed to do? We didn't get to be the marketshare leader by leaving decisions to users. Those aren't the people who sign per-processor licensing deals in the millions.

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:If you can't be bothered to RTF... by 0123456 · 2011-09-23 03:52 · Score: 3, Insightful

If you are buying a PC because it has a little sticker on the device that says Windows 8, then you are almost guaranteed to be in the group that could care less whether it's enabled or not as you aren't going to be putting Linux, OpenBSD, etc on it.
How many motherboard and hardware manufacturers do you think there are who don't want to be able to put a 'Designed for Windows 8' sticker on the box?
When Microsoft says your hardware must lock out Linux to get that magic sticker, manufacturers will lock out Linux.