Slashdot Mirror


Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot

CSHARP123 writes "A few days ago, Red Hat employee Matthew Garrett speculated that OEM machines shipping with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft's new Secure Build OEM requirements for Windows 8 systems. Microsoft chose to directly respond to confusion surrounding Windows 8's use of the UEFI Secure Boot feature on Thursday. Tony Mangefeste of Microsoft's Ecosystem team said, 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"

15 of 389 comments

  1. Translation by betterunixthanunix · · Score: 4, Insightful

    "Consumers should run Windows, and they should not have any ability to boot up anything else. 'Enterprise' users who can afford to pay more should have more choice."

    That is the only way I can see this playing out. What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?

    --
    Palm trees and 8
    1. Re:Translation by GordonBX · · Score: 5, Insightful

      Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.

      Of course you're right.

      That's exactly what has happened with mobile phones. (cough).

    2. Re:Translation by JamesP · · Score: 5, Insightful

      No, the problem is:

      BIOS vendors are complete idiots

      "EFI" vendors are the same guys

      It's a crapfest of proprietary extensions, NIH syndrome and a million ways to change monitor brightness. And of course it's only tested on the latest Windows version, well, because...

      Of course, Intel is to blame with the whole ACPI mess and looseness. Typical engineer mentality: a standard that standardizes nothing.

      Really, Intel and AMD should join forces in this: Make 'to change monitor brightness write a value from 0 (darker) to 0xff (brighter) to register 0xABC PERIOD'. "but but but", "I SAID PERIOD".

      --
      how long until /. fixes commenting on Chrome?
    3. Re:Translation by TheRaven64 · · Score: 5, Interesting

      NIH syndrome

      NIH is the reason why UEFI exists at all. OpenFirmware already existed, had several independent implementations (including some open source ones), and was a free standard that anyone could implement. So Intel made a new 'standard' that is a crappy copy of OpenFirmware.

      --
      I am TheRaven on Soylent News
    4. Re:Translation by diegocg · · Score: 5, Informative

      ACPI was not designed by Intel alone, Microsoft was also there. And let's remember what Microsoft tried to do:

      From: Bill Gates
      Sent: Sunday, January 24, 1999 8:41 AM
      To: Jeff Westorinon; Ben Fathi
      Cc: Carl Stork; Nathan Myhrvold; Eric Rudder
      Subject: ACPI extensions

      One thing I find myself wondering about is whether we shouldn't try and make the "ACPI" extensions somehow Windows specific.

      It seems unfortunate if we do this work and get our partners to do the work and the result is that Linux works great without having to do the work.

      Maybe there is no way to avoid this problem but it does bother me.

      Maybe we could define the APIs so that they work well with NT and not the others even if they are open.

      Or maybe we could patent something related to this.

    5. Re:Translation by MrHanky · · Score: 4, Insightful

      I'm well aware of how to buy computers, thank you very much. I'm just pointing out that forcing people to pay for Windows isn't new, and has fuck all to do with control. betterunixthanunix's "translation" is just a bunch of hyperbolic nonsense based on the theory that Microsoft will always be more evil than Satan himself, despite whatever the people at Microsoft claim themselves.

      Of course, since this is Slashdot, facts are flamebait and paranoid fantasies are insightful.

    6. Re:Translation by betterunixthanunix · · Score: 4, Insightful

      As if I have never heard of a rootkit?

      In all seriousness, here is another method of solving the problem, which would be just as effective at preventing rootkits from hiding in the bootloader: make the boot medium a flash device on the motherboard, and have a jumper that enables writes to that device. This would not rob users of control over their system (although it may force people to get over their fear of opening their computer's case and changing a jumper), and would be just as effective at stopping the overwhelming majority of rootkits.

      The real motive here is the same as it ever was with the TPM: they want to market Windows as a "media platform" and their "media partners" do not like the idea of users being able to control their own computers -- they want to enforce restriction technologies. GNU/Linux is an operating system that its users control, and so these "media partners" do not want to see it installed on anyone's computer. Likewise, they do not want to see people modifying Windows in a way that circumvents DRM. They want computers to be like cell phones and cable TV boxes, herding the users in ways that are convenient for various copyright-based corporations.

      That this will block certain classes of rootkits is entirely incidental, despite the heavy marketing.

      --
      Palm trees and 8
    7. Re:Translation by Anthony+Mouse · · Score: 5, Insightful

      Maybe one day you will realize that every field protects itself. Doctors and lawyers restrict their trade. Regulators and government employees have direct access to government cash.

      Economists call this behavior "rent seeking" and it is considered inefficient and undesirable. The idea that Microsoft should not be criticized for engaging in it is highly misguided.

    8. Re:Translation by erroneus · · Score: 4, Insightful

      ...you mean the same way Microsoft benefited from the work of IBM and other software vendors? Gates and Microsoft understand the ecosystem which requires sharing. They were and still are interested in embracing that ecosystem and then locking everyone into their twist on what they take from it. This can be seen everywhere and in everything they do. The Java lawsuit against Microsoft is probably the best example of this behavior by Microsoft but there are hundreds of other great examples out there.

      Saying "we did the work..." is bullshit. They give away LOTS of things and waste LOTS of money. Their little bit associated with ACPI is a speck of dust in a drop in the barrel. This isn't about their trying to keep their work to themselves, it's about keeping the rest of the world from being compatible.

  2. translation by drinkypoo · · Score: 5, Insightful

    "Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Microsoft addresses concerns... by Anonymous Coward · · Score: 4, Insightful

    ...by confirming them. Microsoft's customers, the OEMs, will be free to decide who imports keys and how. That's what everybody has been worrying about, isn't it?

  4. I see what you did there... by DontBlameCanada · · Score: 5, Insightful

    Nutshell summary after actually reading the TFA:
            "You can launch any operating system you like, but if you want to benefit from UEFI secure boot protection, you can only launch Windows 8."

    From their screenshots and commentary, there doesn't appear to be any opportunity to add new "trusted" O/S images to their database. So even signing your secure Red Hat Enterprise Linux won't help you. If you want to use it, you need to turn the bootloader security checks off. The obvious implication: if you want MBR protection, you must run Windows 8. Anything else opens the door.

    Yup, Red Hat's take on the situation seems the most accurate.

  5. If you can't be bothered to RTF... by neokushan · · Score: 5, Informative

    Just take a look at this image.

    That's all you need to know.

    In Summation: There is a genuinely good reason for enabling secure boot (malware prevention - genuine malware prevention, not just some underhand tactic that's masquerading as malware protection) and as long as your OEM isn't a dick, you should be able to disable it much like how you can disable features in your BIOS today. The decision to remove that ability is down to the OEM, not Microsoft.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    1. Re:If you can't be bothered to RTF... by samjam · · Score: 4, Interesting

      yes. Well put.

      And I want secure TPM booting for my linux/GNU machines too.

      I want a way to install my key, enabled by a physical key & mechanical switch to electrically enable the update operation to write my signing key.

  6. Re:didn't Stallman... by GameboyRMH · · Score: 4, Interesting

    Stallman is possibly the most prescient (not best by a long shot, but most prescient) sci-fi writer ever. Everyone calls him a nut and then a couple decades later...he was totally, 100% right. Yeah it's not rocket science and he only writes near-future stuff, but still, he has a nearly flawless record.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel