Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Users Petitioning Against Windows 8 Secure Boot

Posted by Unknown on from the treacherous-computing-lives-again dept.

In his first accepted submission, lukemartinez sends in an excerpt from a ZDNet article on continuing developments about Microsoft's UEFI secure boot requirements: "The Linux Australia community began petitioning the ACCC this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's secure boot feature for devices bearing the 'Designed for Windows 8' logo. This means that any software or hardware that is to run on the firmware will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute. This would make it impossible to install alternative operating systems like Linux..." Delimeter has further information on the petititions, and Matthew Garret recently posted a follow-up to Microsoft's response to the concerns about secure boot, calling them out on their misinformation.

19 of 386 comments (clear)

  1. Re:Hunting... by Zaldarr · · Score: 5, Informative

    Found it buried beneath several links. http://www.accc.gov.au/content/maintain/create/index.phtml?contentTypeItemId=9133&informationSpaceItemId=268347&inPop=1&returnUrl=.&type=Other

    --
    I write professional videogame reviews! http://www.digitallydownloaded.net/
  2. Re:Only affects OEM stuff? by Chrisq · · Score: 3, Informative

    Doesn't this only affect OEM stuff, in which case, who cares.

    WTF are you talking about? It will affect any PC that you want to load another OS on.

  3. Europeans by sg_oneill · · Score: 3, Insightful

    I'd strongly implore europeans to look at similar moves. The EU courts have proven time again to have backbone when it comes to anti-competitive behaviour in the IT industry, and right now this is Microsoft playing the checkmate card its been threatening for a long long time.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  4. Re:Only affects OEM stuff? by Hatta · · Score: 4, Informative

    Anyone who wants to repurpose an OEM computer. Anyone who doesn't want to pay extra for jailbroken motherboards. Anyone who thinks people should own their property, instead of being beholden to the manufacturer.

    That's who.

    --
    Give me Classic Slashdot or give me death!
  5. Re:honestly...so what? by Chrisq · · Score: 4, Insightful

    Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..

    I did just that with my laptop

  6. Re:Petition to ignorance by gstoddart · · Score: 3, Interesting

    But truth is this is a manufactured story that really has yet to cause anyone any problems.

    Because they haven't shipped any yet, that's why.

    Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.

    And, who has seen a UEFI system which says it's been designed for Windows 8 they could test this against? Answer: Nobody.

    In the hands of Microsoft, I believe entirely they would insist their vendors build a machine which is really only capable of booting Windows without basically violating ACTA or something. They've never demonstrated any compunction about forcing lock-in if they get a chance. In fact, they have a strong preference for it.

    Hell, it took literally years and a bunch of lawsuits to buy a whitebox PC without Microsoft getting paid for the OS even if you didn't want it and weren't going to use it ... you think they'd hesitate to insist vendors ship something locked down to them?

    The reality is, almost any tech company would lock you into their product so fast it's not funny.

    --
    Lost at C:>. Found at C.
  7. Re:Only affects OEM stuff? by erroneus · · Score: 3, Informative

    Uh... "OEM" is pretty much every PC maker. And that's thing isn't it? In the case of Dell, you can be sure that consumer models will have their UEFI locked to Windows and the business models will still be allowed to run Windows XP - Windows 7 by disabling this feature. But as for being able to install new keys for other OSes? I'm going to simply doubt it because once that code is made available, you can expect malware to make use of it as well.

    And here's the thing. In order to get better security, you pretty much HAVE to stop people from being able to do stupid things. It is precisely the user doing stupid things which is the most significant source and cause of security problems on PCs today. You can disable and limit things all day long, but in order for users/consumers to be able to make use of their stuff, they frequently need to disable security features as applications publishers and others are not always on board with security strategies. And let's be frank -- Microsoft hasn't been strongly security focused in the past. And the result of this past means a lot of old applications expect to live in a less secure environment. (And it's not like we haven't seen this in countless other ways such as a persisting need for MSIE6 because their browser was broken by design and applications written for it will not work with other browsers... lock-in worked for a while but was not considerate of the future.)

    Is there an alternative approach? Can you allow users to do stupid things and maintain security? If there is a way, it has escaped my imagination.

  8. Impossible? by maxume · · Score: 3, Interesting

    Only if there is no way to disable secure boot.

    The problem here is that a majority of users are Windows users that will actually benefit from running a computer with a secure boot loader. So Microsoft is serving the interests of their users by pushing for secure boot.

    The good reason to oppose secure boot is the fear that computers will ship locked to Microsoft's keys. Before petitioning the government to specify the terms under which Microsoft can offer a logo program, people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).

    The reason for Microsoft to do this would be to put the whole damn issue behind them, and it only really matters for random consumer hardware that might end up with Linux on it, not a space they face much competition in.

    (Server and business vendors will continue to sell their customers what they want, running arbitrary software on such systems will not be problematic)

    --
    Nerd rage is the funniest rage.
  9. Re:Petition to ignorance by karolbe · · Score: 3, Insightful

    It is just a matter of time when such systems will start appearing. I bought a laptop some time ago, and to my big surprise it had VT-x (Hardware Virtualization) flag disabled, enabling it by the vendor was just a matter of setting one bit in some processor registry, but still they decided to release BIOS without such option. You could buy similar laptop with VT-x enabled but it cost more. I expect that in 3 years time we will have to pay extra just to have Secure Boot option configurable. After all that feature will be purely for "experts" (that is Linux users) and they can afford paying more...

  10. Re:secure boot?? by maxume · · Score: 3, Informative

    Secure boot prevents those other malwares from subverting the boot process.

    --
    Nerd rage is the funniest rage.
  11. Re:secure boot?? by Anonymous Coward · · Score: 4, Interesting

    This isn't designed to stop viruses (though theoretically it could help a little), this is part of Microsoft's anti-piracy push. Current methods of pirating Windows involve loading up something before the kernel to trick Windows into thinking it is installed on a machine with an OEM license. Obviously if the BIOS won't hand off to unsigned code then this becomes impossible and this method of piracy (which has been in use since Vista's time) is no longer viable.

    Hence why the don't want OEMs to give you the option to disable this feature or to load up your own keys. If they did then it would solely be a security feature and do nothing for piracy. Given that, it explains why Linux people are so worried, because Microsoft is pushing for exactly this and Linux is about to get caught in the crossfire.

  12. Re:Only affects OEM stuff? by jamesh · · Score: 3, Interesting

    You won't be paying extra for jailbroken motherboards

    You might be paying a fine for jailbreaking your motherboard though...

  13. This issue isn't Microsoft's... by neokushan · · Score: 3, Insightful

    ..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.
    For someone that's supposedly calling Microsoft out for misinformation, Matthew Garret does a great job of it himself. Here's a few points I noticed:

    Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.

    Which hardware vendors? Who? What hardware? Why? And what has that got to do with Microsoft?

    Windows 8 certification does not require that the system ship with any keys other than Microsoft's.

    And why shouldn't it? It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

    A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

    Exactly, however a system that ships with UEFI secure boot and only includes a linux distribution's signing keys will only securely boot that linux distribution. Why is the latter ok, but the former not? Oh wait, because Microsoft is the big, bad buy? Once again - Microsoft doesn't mandate that UEFI secure boot be forced, its the OEM's decision to remove the option to disable it.

    Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

    Of course, this fails to mention (again) that OEMs are in no way forced to remove UEFI secure boot and by doing so, they'll be at a disadvantage in the marketplace and lose sales from people like this very writer....

    Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

    In short: Because Nobody else can have secure boot, why should Microsoft get to have it? Apparently that's bad for even the likes of AMD and Intel.
    Nevermind that 99.99% of malware targets windows, that most "zombies" on the internet are Windows machines, that most spam is sent from windows machines, which affects everyone. In that instance, giving Windows machines that extra blip of security by default hardly seems like a bad thing.

    What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware.

    Woah woah woah! Didn't you just say that Microsoft were the only ones capable of forcing Manufacturers to include their signing keys? That the likes of AMD,

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    1. Re:This issue isn't Microsoft's... by Microlith · · Score: 4, Insightful

      ..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.

      Which is a great dodge. Then they can apply quiet, behind the scenes pressure to remove the option. Some vendors omit options regardless (like disabling VT-x.)

      It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

      Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.

      This whole thing stinks of misinformation and FUD. The OEMs are the ones you want to pressure, not Microsoft.

      Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.

      People are fighting so aggressively to defend MS, but in a few years we may wish for the day when we didn't have to violate the DMCA and ACTA to run whatever OS we choose on our systems.

    2. Re:This issue isn't Microsoft's... by neokushan · · Score: 4, Insightful

      Some vendors omit options regardless (like disabling VT-x.)

      Which is why I say we should pressure OEMs. This decision has nothing to do with Microsoft so people are ignoring it, despite the fact that it is still an issue that people should be concerned with.

      Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.

      No, we're not. The thing to keep in mind is that there's a distinction between simply booting and secure booting. Right now, no operating system can secure boot (as far as I'm aware, anyway - if there is hardware+software out there that can utilise this, please let me know) and Microsoft wants to push it for Windows 8. It would be nice if we can also utilise this for other operating systems as well (or rather, other boot loaders, like GRUB), however that task lies with the OEMs and their willingness to let us add our own keys. Like I said before - this is the OEM decision, not Microsoft's.

      Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.

      And there it is again! The assumption that you won't be able to disable secure boot. This assumption lies squarely with OEMs and not Microsoft.
      Consumers don't need to pressure OEMs more than Microsoft, they just need to pressure them. Microsoft is pushing to enable secure boot by default, while us users should be pressuring OEMs to give us control over secure boot. They are two entirely different things.
      Even if Microsoft changed their mind on the secure boot by default thing, we should still pressure OEMs to give us this control as it's a very useful security feature to have.

      Now, of course there's that idea that Microsoft might be in the background pressuring OEMs to remove the option to disable it, but so far this is based entirely on conjecture and speculation. If Microsoft does try it, they'll be liable for a massive class-action lawsuit, something that would cost them a lot more than the 1-2% of the marketshare they could possibly gain by blocking Linux. Until that happens, it's a non-issue. Rather than moaning at Microsoft, we should be moaning at the OEMs because they're the ones that will be taking these options from us.

      In the technology world, we shouldn't let the "maybes" get in the way of innovation. Secure boot would outrightly kill a lot of malware attacks, something that plagues windows a lot more than it does Linux.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  14. Re:Only affects OEM stuff? by JosKarith · · Score: 4, Interesting

    Circumventing a protection system? I'm glad nobody passed a law boneheaded enough to make that illegal even if you're not breaching any copyright .
    http://news.slashdot.org/story/11/09/27/2130245/canadian-government-says-drm-circumvention-not-related-to-copyright
    Slowly the pieces are coming together...

    --
    'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
  15. Re:Hunting... by Bengie · · Score: 3, Insightful

    In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.

    When interviewing these users they had these things to say: "I love malware, someone has to" and "Pressing F12 at boot and disabling secure boot is too much work, I would rather troll every forum on the internet to sign petitions"

    If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"

    Signing off, Bengie

    1) Certs can be managed if your OEM doesn't suck. eg. Sign your own custom Linux kernel if you want
    2) Win8 doesn't require secure boot to work, it just requires secure boot to put the logo on the PC
    3) Secure boot can be disabled, again assuming your OEM doesn't suck
    4) IT would have a shit storm if they couldn't manage this
    5) Server admins would have a shit storm if they couldn't manage this
    6) Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this
    7) This effectively makes it impossible, with current malware, to ever take over a PC

    I have yet to hear a logical argument against secure boot, just lots of emo and fud.

  16. Re:Petition to ignorance by gstoddart · · Score: 3, Insightful

    If you don't like the product. Do not buy the product. That is what Free Enterprise is all about. Let the market, not the courts decide.

    Blah blah blah.

    The free market never reaches optimal conditions. The free market allows the big players to change the rules and fuck us all over. The free market is an abstraction that doesn't exist.

    If we let the markets decide, we'd all be running Microsoft operating systems on closed hardware, and it would spy on us. And we'd probably be driving cars which explode on contact.

    Oh, and most of us wouldn't have survived to adulthood because companies would have replaces melamine for protein powder or other toxic shortcuts.

    Your market does nothing more than look out for its own interests. It's incapable of doing the things you ascribe to it ... mostly it's just the rich eating the poor.

    --
    Lost at C:>. Found at C.
  17. Re:Hunting... by segedunum · · Score: 4, Insightful

    In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.

    These things can be controlled for obvious reasons. What's being discussed here is what you can actually run on your computer from the start. An entirely different ball game.

    When interviewing these users they had these things to say: "I love malware, someone has to"

    Right.............

    "Pressing F12 at boot and disabling secure boot is too much work

    If you'd done some reading then you'd know that this F12 option will not always be there, nor is there any guarantee that it won't be removed.

    If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"

    This will not help prevent malware or rootkits in any way over and above what is already done. Stop hiding behind the security reasoning, because it's crap. It still won't prevent vulnerabilities in the OS once it is running, which is where it is all happening anyway.

    Certs can be managed if your OEM doesn't suck.

    They will all suck. The EFI spec does not currently allow you to add your own keys. It's Microsoft or the OEM.

    Win8 doesn't require secure boot to work

    Future versions will once the hardware is widespread. This argument always makes me chuckle.

    Secure boot can be disabled, again assuming your OEM doesn't suck

    They will suck. See above.

    IT would have a shit storm if they couldn't manage this

    They will accept what they've been given, as always.

    Server admins would have a shit storm if they couldn't manage this

    See above.

    Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this

    Utter crap.

    This effectively makes it impossible, with current malware, to ever take over a PC

    No, that is not the case because there will still be vulnerabilities in the OS. However, in order to do that we want it to make sure you cannot install anything but Windows? Interesting. We haven't even got into the ramifications for virtualisation, or how this might work in terms of individual hardware working on a motherboard in the future.......... It's a right mess.

    This got modded insightful? Jesus.............