Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot
CSHARP123 writes "A few days ago, Red Hat employee Matthew Garrett speculated that OEM machines shipping with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft's new Secure Build OEM requirements for Windows 8 systems. Microsoft chose to directly respond to confusion surrounding Windows 8's use of the UEFI Secure Boot feature on Thursday. Tony Mangefeste of Microsoft's Ecosystem team said, 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"
"Consumers should run Windows, and they should not have any ability to boot up anything else. 'Enterprise' users who can afford to pay more should have more choice."
That is the only way I can see this playing out. What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?
Palm trees and 8
Summary:
If the vendors don't provide a way to boot other systems it's not our fault!
Microsoft killed the Hackintosh for Apple! How nice of them.
"Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
if the computer's locked down, blame the OEM, not us.
Hail Eris, full of mischief...
E pluribus sanguinem
Let's hope that this isn't an empty promise
We're talking Microsoft here, you might as well hope that a leprechaun will bring you a pot of gold so that you can retire in never-never land and live happily ever after.
Are Microsoft's customers the OEMs, or consumers? If the former, what incentives would OEMs have to pass the decision on to consumers?
Leela: "Is all the work done by children?" Alien: "No, not the whipping."
...by confirming them. Microsoft's customers, the OEMs, will be free to decide who imports keys and how. That's what everybody has been worrying about, isn't it?
Nutshell summary after actually reading the TFA:
"You can launch any operating system you like, but if you want to benefit from UEFI secure boot protection, you can only launch Windows 8."
From their screenshots and commentary, there doesn't appear to be any opportunity to add new "trusted" O/S images to their database. So even signing your secure Red Hat Enterprise Linux won't help you. If you want to use it, you need to turn the bootloader security checks off. The obvious implication, if you want MBR protection you must run Windows 8. Anything else opens the door.
Yup, Red Hat's take on the situation seems the most accurate.
warn us about this years ago?
Just take a look at this image.
That's all you need to know.
In Summation: There is a genuinely good reason for enabling secure boot (malware prevention - genuine malware prevention, not just some underhand tactic that's masquerading as malware protection) and as long as your OEM isn't a dick, you should be able to disable it much like how you can disable features in your BIOS today. The decision to remove that ability is down to the OEM, not Microsoft.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
If they wanted to address the concern, they would have made user control a requirement of the Windows Certificate program. The worry from the Linux crowd is that manufacturers have historically only done the minimum required in order to get Windows working.
"For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."
- Is there some sort of policy on these blogs that prevents them from mentioning their competition?
Guys, remember the Internet Explorer anti-trust controversy?
*long awkward pause*
They. Are. Not. Going. To.
And even if they did, so what? Seriously, this is frickin' Slashdot. All of you either build your own machines or own Macs.
Yes, because all "Joe Average" people are going to then panic and power off their computers. Most "normal" users that I know would look at that, shrug their shoulders and hit "continue", wanting to get on with watching their DVD, writing their letter, browsing the web, etc etc.
Dancing bunnies.
Linux has been able to use EFI at boot time since early 2000, using the elilo EFI boot loader or, more recently, EFI versions of GRUB.[21]
Which is from the UEFI wiki page and Linux documentation. The issue is that the boot might be locked, not that Windows 8 will find and delete Linux partitions, so really this has nothing to do with Microsoft, it has to do with OEM systems. If you're concerned about this affecting you, then build your own computer and it won't matter.
That's what it does right now, in the demo hardware. If you want to run anything other than Windows 8, you just have to go untick an option in the setup screen. The big fear of slashdotters is that once this is supported in hardware, it would be so, so easy for an OEM to remove that option, and they may well do so under pressure either from Microsoft or possibly as part of a data-collection/adware/network-locking subsidy deal similar to that already frequently seen in the mobile phone sector, where firmware-locking is the norm. Think Windows tablets more than desktops.
Probably not so much notebooks as tablets. Similar reasons as with mobile phones. Lockdown OS means lower support costs and the options of disabling features at the behest of the networks or bundling spyware or adware that the user can't remove.
Of course a Linux or other OS user might be able to disable this "feature" but that would *SERIOUSLY* tarnish the reputation of said OS. If it can not use "Secure boot" -for whatever reason- that implies it boots insecurely.. oh the horror!! It will put the adoption of any kind of grassroots OS at a major disadvantage. For us tinkerers here it's an absolute outrage that the freedom to tinker will come at a premium in the near future, but we've always been the minority.
Learn from the mistakes of others. There isn't enough time to make them all yourself.
"Microsoft wrote an article about how they weren't making it harder to install Linux which described, in detail, how they're making it harder to install Linux. Here's my response" - https://plus.google.com/109386511629819124958/posts/GXc9y7E5uZX
You're assuming there is such an option, and that the user won't be required to reboot, enter the menu and disable secure booting.
Dilbert RSS feed
Meanwhile under the table: Psst...Hitachi... want to sell another Windows box ever again? No BEOS in our BIOS, please.
This might raise awareness of the Windows tax. The main problem with it is that most buyers intending to use some other operating system will accept the extra cost, install whatever they like over Windows and never look back. Microsoft got a good deal going; locking in a machine to use Windows and nothing else is unnecessary.
However, if there is no way to run anything else than Windows on a machine, it will make a small but noticeable decrease in sales. Perhaps this will increase the market for desktop machines with a free OS installed, with the possibility of tweaking or disabling secure boot, since "locked in" desktops are not a preferable option for some users.
Ask and ye shall receive! Diablo 3 doesn't require Steam!
From hell's heart I fstab at /dev/hdc
The problem with the secure boot system is that it won't work. It will fail for the same reason that DRM encryption on DVDs and BD disks failed. They were eventually 'cracked'. As soon as a third party OS (Linux, BSD, Mac, etc) is available for installation on systems with secure boot the 'secret' will be out to the malware writers and they will find ways to get in via subterfuge.
There is still cause for concern and the concern is misdirected at Microsoft. The bigger cause for concern should be the Motherboard manufacturers. Look at the issue from their perspective. They pre-install a certain number of certificates at the factory (Windows 8...).
They then have the choice on whether or not they want you to be able to install additional certificates beyond what it came with from the factory. In order to do this they have to enable the feature to allow the certificate store to be updated or the feature to be turned off. They also have to manage additional new certificates and or supporting the user installing their own. That means that they have to provide tech support to allow you to do this. That means additional testing beyond what it comes from the factory, additional support costs for users having trouble and so on.
Their financial interest is arguably in making sure that the certificates they expect you to need are included and that you have no way to modify this as that costs them money for what they will perceive as a market that isn't worth catering to. There is also the added fact that a motherboard that is locked to a certain Operating System can't run a new Operating System when it comes out. That translates into planned obsolescence where the user /has/ to replace their motherboard when a shiny new OS comes out that they want.
There is only one thing I can think of that would prevent this issue from being widespread on most motherboards. Enterprise environments need to use tools like Altiris to deploy OS's with PXE boot. If an enterprise can't image their computer they can't use it in fleet deployments and they won't buy it. Of course this does nothing to protect home users that don't have this requirement.
Bottom line, UEFI is an issue, but not for the reasons that everyone thinks it is.
Been saying it for a while now. People laugh.
Just keep laughing.
SJW: Someone who has run out of real oppression, and has to fake it.
If they modified the standard so that the system would give a confirmation popup saying
This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
That's great, but how is that Microsoft's problem? Seriously, if people want Linux to boot on this new generation of motherboard/firmware, then people need to do the work to make it happen. It's not Microsoft's job. Find an OEM to help and get to work.
I love the "translation" posts because I hate them all individually -- none of them stress my way of looking at the problem. Here's my translation:
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If they modified the standard so that the system would give a confirmation popup saying
This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
That's great, but how is that Microsoft's problem? Seriously, if people want Linux to boot on this new generation of motherboard/firmware, then people need to do the work to make it happen. It's not Microsoft's job. Find an OEM to help and get to work.
That's a bit like saying that if someone campaigns for a system that would only allow you to use one bank's credit card in all shops the lock in would be nothing to do with them but the shops problem.
Just make the option a jumper on the motherboard, and you're virtually guaranteed that only people with at least some clue will change it.
The Tao of math: The numbers you can count are not the real numbers.
Why can't you make adding and removing certificates (or disabling the whole system altogether) part of the UEFI standard? That way, any hardware which claims to be UEFI compliant must implement adding and removing certificates. Failure to comply would result in either: high fines, or a free refund for a customer.
This would solve the issue. Isn't this how HDMI (or was it DP) does it?
How many non-technical home users install a new OS on their hardware? How many of them even bother with an upgrade to a later version of Windows? The percentage has to be so small as to be nonexistent. I'm not trolling here, I think it's a legitimate question.
To expand on it. Computers have become commodity devices. People buy one, use it up, buy a new one in the same way they do TVs etc. As long as it lets them do the things they want they don't really care if it's got the latest software on. They certainly don't care enough to install a new operating system. Most of them wouldn't even know that this was an option. This is the general population, not the tech elite that read Slashdot. So, does this stop people who want to install a different OS from installing it? Yes and no. They might find that it's not worth buying systems made by X, but they could always build their own, or buy from a different OEM that provides the access they need.
TL;DR it's not a problem that will affect the vast majority of users. Those that it will affect will have an understandable way around it.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
This resembles locked vs unlocked cell phone policies. Here in the USA, the gov't kow-towed to network operators' desires and allowed the distribution of locked cell phones. Meanwhile, in many European countries, governments upheld their citizens' rights to take their hardware to any network they wanted.
I think the PC market will work in much the same way. The EU will protect customers and mandate handing the boot keys over to them. The USA will let Microsoft muscle OEMs around and withhold boot options to get the affordable Windows 8 licenses. So Linux users will ship PCs in from the EU.
US retailers will scream about the loss of business. US Customs will respond by training dogs that can detect unlocked PCs and go through incoming freight.
Have gnu, will travel.
My pretty new Samsung RV520 comes with an option in the BIOS to turn it off. I didn't know about this wonderful "feature" so I was baffled why no single Linux based 'Live CD' or install DVD would boot. Until I found that option. Then it was goodbye to all existing partitions and hello freedom to install what I want.
Here's the secret to immortality:
You think Microsoft forcing OEMs to do or not do something is a SOLUTION to their abuse of monopoly? Why don't you take it up with DELL directly? They seem to have listened with preinstalled Linux support.
Unless you have some sort of proof that Microsoft forced the OEMs to not allow it to be disabled and did not allow for other OS's to be installed, any such cases would be immediately thrown in the trash where they belong. And no, a bunch of whining and 'what ifs' and 'it could happen' and even 'it happened before' do not count as proof.
I am sure Apple will be front and center in this effort, probably up to requiring all user-level applications to be signed with their developer keys. I am even sort of sympathetic. My freedom to save $100/year before hacking my own computers is not as compelling as freedom of normal folks not to be p0wned.
Secure boot is a UEFI protocol not a Windows 8 feature
UEFI secure boot is part of Windows 8 secured boot architecture
Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
Secure boot doesn’t “lock out” operating system loaders, but it is a policy that allows firmware to validate authenticity of components
OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
Solution: If you don't want it up to your particular big name vendor, build your own system. You can bet the full UEFI spec will be implemented on Gigabyte, Asus, MSI, and other boards, where you have the choice of disabling the secured boot environment.
Also, the pre-boot environment in Windows 8 clearly allows the booting of "Other OS."
It'll be the OEMs, or more likely the BIOS vendors. They are obviously going to sign Windows, but may or may not think linux worth the effort - and even if they do, they couldn't possibly sign every kernel for every distro, or even every version of GRUB. Not that they will sign GRUB at all, because it could then go on to load untrusted malware.
A lot of the people commenting here are not really getting the issue, as far as I can tell. The point of worry is control creep, much like the creep that is worried about when they start censoring the "bad things" off the Internet, I'd be all for it if it wasn't so easy to abuse. The problem is in fact, it is easy for the powers that be/status quo to abuse these systems and they have done so before. I've had laptops where I couldn't even switch the SATA mode, there's nothing to stop them making this into the worst possible situation for those who use OSes besides Windows.
It's gonna take less than a week for this to get cracked, so why is everyone so worried? For the 80% of the population who browse Facebook and read emails, it's probably quite good to have a secure BIOS that can't (well, I won't say can't, I'll say *less easily*) get rootkitted, if that's a word... For the rest of us, we can just download the latest crack, apply it, and boot whatever we want.
I suspect (I don't know) that the scenario that's trying to be "fixed" is the opening scene of Ghost in the Wires. What happens is Kevin Mitnick gets himself into a building, finds the Domain Admin's computer, shuts it down, boots the computer off of a USB key, and installs a key logger onto the system. The computer boots back up, with a key logger now installed, OS security completely bypassed. Is there another solution to this scenario?
Why do you have to pay $100 per year to "hack your own computer"?
The dev tools on OS X are free, and you can write as much software as you like with them, for free.
If you want to publish on iOS in the store, *then* you need to pay the $99 fee, but anything other than publishing software to iOS devices (ie, all OS X development) is free if you have OS X.
Who says I'm not up in arms about it? Lack of software freedom is one of the reasons I don't have a cell phone. Locked down cell phones are just as bad, and bad for the same reasons, as locked down PCs.
Give me Classic Slashdot or give me death!
Well, if you really wanted to run whatever OS you want, you could always buy a Mac.
Oh, the irony.
You mean that's not going to happen?
:*(
Motorcycles, Robots, Space Gossip and More!
...run on top of PC BIOS.
If anything, they add more crap to the giant stinking pile of crap that is PC BIOS.
Contrary to the popular belief, there indeed is no God.
The comment by Microsoft basically says nothing.. it doesn't clear up anything. As usual, Microsoft doesn't play well with others, and essentially users will be left scrambling to find a way to do something because Microsoft doesn't bother. Thanks Microsoft. Thankfully, I stopped using Microsoft software years ago and use Fedora Linux now, so I've got nothing to worry about.
I mean, if you write over the BIOS then you can effectively wipe out any protection UEFI can provide. Please don't tell me that it's protected from flashing unauthorized firmware because we both know those verification systems can be cracked.
With that much storage capacity, you can make some serious malware.
Anons need not reply. Questions end with a question mark.
D@mn. Even their choice of terminology pisses me off.
"OEMs having the flexibility to decide who manages security certificates and how to allow customers"
To OEMs and Microsoft, How about once I've paid for the computer you F-off unless the HARDWARE breaks. The OWNER makes the decisions. Period.
Digital is, by definition, imperfect. Analog is the way to go.
> 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"
Yeah, that really clarifies. And Microsoft has never leaned on OEMs to get them to enter into a business deal that benefits Microsoft at the expense of competitors. Oh, wait...
But seriously, Microsoft has never required a customer to pay that portion which is a Windows license when buying a PC even if the customer never intends to run Windows... on... said... machine... oh, wait.
Yep, that's really clear now.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
They didn't "force" it to be enabled. They merely require it if you want to put the "Designed for Windows 8" sticker on your PC.
And let's face it, what manufacturer isn't going to want that sticker? They're all controlled by risk-averse corporate drones who know the value of marketing. They know that people will probably choose the one with the sticker, so they MUST have the sticker themselves.
Currently you can boot your PC from, for example, a LiveCD, by default in many cases.
What this will require is that you enter your BIOS, turn off an option that may not be there to turn off [1], and is probably marked with a warning that says "Don't turn this off for security reasons!!!!". Which will put many people off. Linux adoption is a small fraction; what this will do is whittle down that small fraction a bit more, as people who can't figure it out will just give up and possibly even badmouth Linux as being difficult [2] because they couldn't get it to work.
[1] Why leave it out? Fewer support calls when someone turns it off by accident. Or maybe someone suggested you might... I wonder who.
[2] Yes, installing Linux is probably beyond many users. But then, so is installing Windows - the only difference is Windows comes pre-installed for the most part. Having installed both, I can honestly say that installing Linux is now easier and faster than installing Windows ever has been (although it was once atrociously difficult).
If they modified the standard so that the system would give a confirmation popup saying
This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.
Unfortunately, the average Joe would just confirm without reading or understanding the warning. Why do you think malware is so widespread today? As long as there's an option to disable secure UEFI in the firmware setup, that's good enough to support other OSes while keeping the average Joe from rendering any benefit from it useless.
what sony disaster?? the one where ps3s are now the best selling consoles?
Let's face it, 99.999999% of people don't care about booting anything. Booting is just something between them and Facebook, or Modern Warfare.
Wealth is the gift that keeps on giving.
The OEM should provide a way that allows the purchaser to program keys into EFI and the OS should allow the installer to notify the OS install process of their key. Personally I prefer there to be no way of making changes to the EFI without physical access. It should be a process of 1) jump pins 2) boot CD 3) program or update. This would place the control in the hands of the owner not an OEM or OS vendor.
Having to work for a living is the root of all evil.
Microsoft should learn from the Sony disaster. Let the geeks use their Linux and they won't try to attack your servers.
Linux on the PlayStation is still dead.
Attack the console servers and it is the console fans who will be reaching for their pitchforks, the tar and feathers. There are more of them than there are of you.
Tens of millions more of them than you.
In short this sounds like a proxy war tactic. MSFT has the "OEMs" lock down future BIOS to boot just Windows OS.
//FWIW, I and my org will not be buying hardware locked down to a MSFT OS. Get a clue, if you want my $$.
"Oh you wanna run Linux on your machine..? Too bad your OEM does not allow that...! Instead please keep staring at that shiny Windows sticker on your machine...!
Profit!
I'm betting it's because Microsoft's WGA or WAT or whatever they're calling their activation process is currently bypassed for OEMs by way of a BIOS certificate, and the stuff necessary to bypass it by the warez scene is typically a bootloader. I'm betting that the only way companies get to use the OEM way of activating Windows with a single key is if secure boot is enabled. The impact to malware and Linux are both probably incidental benefits to Microsoft. How to tell if I'm right? See if it asks you to activate your copy of Windows when you disable secure boot on your Windows 8 Dell.
Locking out all future competition by default is not an acceptable solution to anti trust issues.
Well.. maybe. Or Maybe not. But Definitely not sort of.
It's Microsoft, of course they have had internal discussions about this. A simple discovery phase would turn up loads of info. They always have in the past. The point I was raising was that all of this could be avoided with a modicum of foresight by Microsoft.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Actually, I think this new UEFI Secure Boot could backfire on everyone: the user who cannot install a different Operating System; Microsoft could have the same problem when the user wants to switch to another version of Windows; mainboard manufacturers if they have to provide a *simple* way of updating / managing certificates: and by *simple* I mean a very fool proof user interface, not the usual 80-chars-navigate-using-strange-keys BIOS interface they still produce.
I don't think that UEFI is a feature worth the cost.
None of this is new. The clear desire to control the ability to access hardware, storage media, to boot an OS, and to authorize applications to run or access data, was built into the "Palladium" project and was renamed "Trusted Computing". While much of its glamour has been lost, and the difficulty of enforcing its controls has been shown to be hackable with virtualization, it remains a technology designed to prevent access to hardware and data based on commercial licenses, rather than any security or defense of user data.
This is another attempt at the same goals, to foster and enforce Microsoft monopolies by controlling the ability to use the hardware, itself.
I can't believe how little protest the remote attestation aspect has generated. From TFA: "To prove a client is healthy, the anti-malware software can quote TPM measurements to a remote verifier."
How long before that becomes "The XYZ software can attest that only trusted software components are running." Big content are going to love this capability.
UNIX: 'cuz you can tattoo it on your knuckles!
Or for half the price, build your own computer that supports secure booting Linux.
I think the worry is that the motherboard manufacturers will get onboard the Microsoft train. If the paranoia pans out then you might have a little difficulty doing that.
Unless you enjoy etching PCBs, that is.
if you want a linux box, build one from basic parts and don't be lazy (building is cheaper if you know where to buy the parts)
if you want a linux box but don't know how to build one, now's a good time to learn
if you want a laptop for linux, there's ebay
if you're lazy, don't know what linux is, or just like playing freecell and obsessing over comments on facebook, then you're probably not even aware of any of this and won't be affected anyway
I am just saying I should pay that $99 so that if a regular user gets p0wned, there is at least address/SSN/bank info on file to round up the offender. Certainly there is a potential for abuse by Apple, or by repressive governments, but currently millions of people get abused and placed in financial, personal and sometimes legal jeopardy. We should look for a balanced solution rather than just insisting on outdated status quo.