Linux Foundation Releases Document On UEFI Secure Boot
mvar writes "The Linux Foundation today released technical guidance to PC makers on how to implement secure UEFI without locking Linux or other free software off of new Windows 8 machines. The guidance included a subtle tisk-tisk at Microsoft's Steven Sinofsky for suggesting that PC owners won't want to mess with control of their hardware and would happily concede it to operating system makers and hardware manufacturers."
Canonical and Red Hat have also published a white paper (PDF) suggesting that all OEMs "allow secure boot to be easily disabled and enabled through a firmware configuration interface," among other things.
As I look into my crystal skull through the mists of time I see Microsoft release a white paper saying that OEMs will get $10 off the cost of Windows if they don't allow users to turn off 'Windows boot'?
"...PC owners won't want to mess with control of their hardware and would happily concede that to operating system makers and hardware manufacturers."
Put the word "most" in front of that and I'm on board. The PC as appliance that just works really is what "most" PC owners want.
I see Microsoft release a white paper saying that OEMs will get $10 off the cost of Windows if they don't allow users to turn off 'Windows boot'
Then I see US v. Microsoft II.
Intel: We've invented a new technology that can be used to prevent low-level malware from being loaded during the pre-kernel boot process, when conventional antimalware techniques are ineffective. It could also be used by a manufacturer to prevent the user from installing any unapproved OS, as from a technological standpoint this functionality is identical to blocking malware, but that isn't what we designed it for.
Microsoft: Oh, that sounds fun. Ok, all OEMs: If you want to ship with the 'windows 8' logo which everyone is going to want soon, you need to include support for this and it must be enabled by default. You will have to include Windows 8 on the trust list, but anything else you need to block as it may be malware. You can give the user the ability to turn this feature off and install non-Windows OSs if you want, but we don't really care.
Linux supporters: But that means that unless an OEM has explicitly taken the trouble to install a feature that few users will even know of, it'll be impossible for us to use any OS except Windows - most seriously on laptops, where we can't build our own.
Microsoft: Not our problem! Take it up with the OEMs. We're only mandating that they install linux-blocking capability, we're not asking them to actually use it.
Throughout this, the OEMs have remained silent on the issue.
If we don't implement secure boot, the viruses will getcha (like the terrorists and the pedophiles)! We must try to save stupid users from their own stupidity at the cost of freedom.
OEM can use this to lock in to their video cards that can cost $100+ the price of other on line stores, hdd that cost the full price of a 1TB disk to just upgrade from 500gb to 1TB. Maybe even ram lock in so you can pay $60 to go from 2gb to 4gb. But for about $50 you can get good 8GB ram kits.
Note that I didn't say anything about Linux in my post.
Every non-tech user I know who wants a PC that 'just works' bought a Mac.
Given the ratio of "professional users" to "toy users" of any technology (from cars to hammers), I'd say that the 7.6% figure is about right. The professional users don't want a toy OS like Windows.
mainstream vendors will completely ignore this. guys like Dell and HP have been testing the technology extensively to make sure it works on their products. it will be proprietary, guarded, and hard to manage, and probably bloated just like every other standard they've championed.
small players will either choose to ignore the technology entirely, or develop their own convoluted undocumented implementation that manages to lock out anything except what was imaged on the device to begin with. Expect the usual BSD and Linux hackers to rise from the shadows to fix another broken mess of industry detritus.
i expect this to be one more thing i either loathe or disable as a sysadmin. UEFI, welcome to the hallowed esteems of DRAC, BMC, IPMI, ACPI, and APMI.
Good people go to bed earlier.
I don't want to disable the functionality to use Linux or any other operating system. I want it to be customizable so I can use it with any other operating system. Having it locked down for existing OEMs is what makes it evil.
Having to work for a living is the root of all evil.
They could... or, more realistically, they might just not *bother* to include an option to disable the windows-eight-only lock. After all, somewhere around 1% of their customers are going to want to run non-Microsoft OSs, hardly a thriving market. Scarcely worth the cost of having someone program, test and document another option in the setup program.
Or maybe when Windows Ten comes out, Microsoft will demand that the windows-only-lock will be fixed on... as a security feature, of course, to prevent future supermalware from disabling it.
The game / app you want and secure boot can't be turned off on your dell?
Say you want to play Leisure Suit Larry 2012 but sorry windows app store does not have adult games.
So you try to install a steam game and a box comes saying that Steam Client Service does not work with Secure boot.
Could we start a white list of compatible hardware manufacturers or a black list of offending hardware (which ever is easier to maintain) so it would help us users that are planning for our next PC build?
The game / app you want and secure boot can't be turned off on your dell?
You bend over and pay $1000 for a motherboard with a switch that lets you turn it off. This whole thing is about destroying the open PC architecture and replacing it with vendor lock-in so they can rake in the cash.
Only because it allows its users to dual boot, but Apple could just as easily lock down the product.
Don't know something? Look it up. Still don't know? Then ask.
Enterprise use will drive booting older Windows + Linux, but I see systems / software needing Windows XP being a point that forces this to be off on at least some systems.
Windows 7 that most enterprise is now moving to will HAVE TO WORK WITH Secure boot as I don't see Windows 8 fitting into enterprise use the way that is now being planned.
OEMs don't need this to lock in hardware, they can do this just fine with regular BIOS.
That is the site that says iDevices overpower Android devices 4 to 1, right?
Well then all their other statistics must be right as well!
-- no sig today
I think lots of people may not like that new UI and other stuff in windows 7 that is being taken out in windows 8.
I don't want to dual boot my machine, or run Linux in a virtualised environment. I want a system where I can run the Linux distribution of my choosing on it without having a Windows install sitting there (including at the boot sequence). I want to tinker with, customise, upgrade, fix, modify and install custom software of my choosing on it.
UEFI systems without any sort of BIOS compatibility module won't be able to boot 32-bit versions of Windows XP. Of course that doesn't stop anyone from developing one (see efforts to boot Windows on x86 Macs pre-Boot Camp).
I think this'll only affect the desktop market. (why I run my desktop OSes - Linux, Windows, OSX - on a Mac instead of a PC). In the server space, though, that's big freaking money, and I think the manufacturers will be extremely reluctant to cause this trouble in that space. One of two things could happen here, I think... this will be enough of a political black eye that MS will give in and suggest allowances for other OSes or there will be pressure coming back from the server side toward desktops that can effect change. In any event, this will be interesting to watch.
#!/Jerald
APK unpatched psychological disturbances: over 9000!
The soylentnews experiment has been a dismal failure.
Like, "Unleaded Gas Only" just to make it visible to the idiot consumer what he or she is buying. "Runs Anything!" or "Runs Linux!" are optional, of course.
I know, silly idea, but sometimes I feel that this world is rather silly as well. Forcing a machine in hardware to only run Windows, for example.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
It does still have the potential to pretty substantially change the game, though:
Goofy hacks like custom SPD fields and PCI-ID checks are effective enough to spoil the day of Joe User; but most of the implementations in the wild are pitifully weak: SPD data, for instance, are stored on a totally normal little SMBUS eeprom chip. Cloning a vendor-lockout SPD field onto a generic chip of similar capability is not terribly demanding. The proposed cryptographic mechanisms, designed from the ground up for the purpose and given considerably more resources to work with, should be a great deal tougher.
Also, since the objective of this "secure boot" is to establish a 'trusted' chain of execution from power-on to porn browsing, properly rigorous applications will likely require verification by default, rather than having verification be a hacky special case for wifi or RAM. After all, most modern peripherals contain pretty substantial onboard processing power, some amount of onboard flash and firmware, and quite possibly DMA, kernel drivers, or other potentially threatening abilities to make a nuisance of themselves elsewhere in the system...
The 1% of Linux desktop users make the purchase decision for the 91% of supercomputers and 60% of servers on the Internet.
Do not fuck with us.
PS how many people watch netflix? It's not even available in the EU
First: The United States is relevant because the Linux Foundation, mentioned in the article, is headquartered in the United States. Second: Yet. Third: By "Netflix" I meant "Netflix and foreign counterparts", and LoveFilm operates in several countries where Netflix does not.
How many users need 16 bit CMYK press print in their camera snaps (especially since most camera users will use the 8bit RGB Jpeg format)? None.
Professionals do.
Who HAS to create flash apps? Nobody.
What's the alternative to Flash for creating a vector animation?
TurboTax doesn't do the tax returns for 99% of the world's taxpayers.
First: The United States is relevant because the Linux Foundation, mentioned in the article, is headquartered in the United States. Second: By "TurboTax" I meant "software like TurboTax, such as its closest competitor H&R Block At Home, or foreign counterparts".
I've NEVER heard of Stone Edge.
Neither did I until I ended up at my last job. Just because you don't know anybody who runs a particular package doesn't mean nobody runs it.
Sonic 3 is run by, oh, nobody.
Then what well-known platform game is played by a lot of people? I bet a lot more people play Sonic 3 than SuperTux.
Diablo II is niche.
All individual video games are niche, just as all individual books are niche. But again, this is a sample, not an exhaustive list. The odds are greater that you'll find a game you like if you start with Windows than if you start with desktop Linux, especially when online multiplayer requires all players to have the same title.
Netflix: DVD
DVD watching software does not come with Linux because of U.S. patents and U.S. anticircumvention restrictions. VLC is technically illegal in the United States. The United States is relevant because the Linux Foundation, mentioned in the article, is headquartered in the United States.
Photoshop: GIMP
GIMP does not have 100 percent of the features of Photoshop. Professionals who rely on those features cannot rely on GIMP.
TurboTax: Online banking, GNUCash, etc
Those are counterparts to Quicken, not TurboTax. TurboTax has specific programming for a country's most recent income tax laws and for those of its political subdivisions.
StoneEdge: SCO's POS suite
Don't you remember the SCO $699 scam? That was a P.O.S.
All your Games: Games on Linux
Which popular video games, other than first-person shooters rated M for Mature (or foreign counterparts), are ported to Linux?
You really think it is that hard to program? There are many features in the bios that less than 1% of the population uses.
Enterprise customers are going to provide enough demand to support that feature. There are also a significant portion of the population who will want to run Linux or another version of Windows to justify the costs. It would be stupid if manufacturers don't support it.
And yet Website developers will bend over backwards to make their websites work with users still using IE6 (if it's at 1.5% or so).
Why on earth wouldn't Steam work with secure boot? Secure boot has to do with the boot up process. Steam is an application that runs AFTER the boot process is complete. Unless you're saying that Microsoft would modify Windows so that no unapproved software could run.
All the world's a CPU, and all the men and women merely AI agents
Yeah, the consumer will want to buy the one labeled "runs microsoft only" and the other one "runs everything"
Democracy Now! - uncensored, anti-establishment news
Exactly. Users don't want a 'PC that just works' or most of them wouldn't be running Windows.
You have a PHD in being a complete and utter moronic caricature of yourself.
The soylentnews experiment has been a dismal failure.
I just hope they sent a copy to the EU Competition Committee, as jack-shit will be done by USFedGov.
what the hell are you on about?
Seriously, how far away is the thread you were trying to reply to?
LoL
-- no sig today
Yea he makes the decisions, from a list of products I've selected.......
It is my job to evaluate and write-up reports on what technology we should be using. I guess my ego is overinflated to think that my boss reads them. I guess he just really likes me and pays me for a service he finds useless.
You're wasting your talent trolling slashdot.
The soylentnews experiment has been a dismal failure.
The bottom line is simple: a motherboard will not boot unless a third party permits. You will have no control over this. The computer is not yours.
Just buy one where the vendor didn't implement any restriction.
Yeah, but "support" will be restricted to two major product line categories: "enterprise" hardware (i.e., "servers" and "workstations"); and "enthusiast" hardware.
Do you see another common factor in those two market segments? Let me give a hint: it's spelled with currency marks, not alphanumerics.
So, the beige-boxes sold to Mom, Pop, and the average kid going to school will be locked into Windows in ways that would make the ghost of Steve Jobs return from the Beyond seething with envy. Motherboards with "turn off the secure boot" capability will be the stuff of hackers, gamerz, and corporate big-hardware types. Period. At least, until some government decides it needs to regulate those devices and restrict them to properly licensed "tame" hackers and approved corporates. At which point, owning an unlicensed unlockable system will rank right up there with combat firearms and explosives.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Secure boot will be enabled by the likes of Dell, IBM, and HP, *but* their respective service processors would allow install of new platform keys given authentication. It's the only way they could get Windows 8 logo (which *will* continue to matter greatly) and the *only* way they can sell into half the market (large-scale, auto-deployed non-Windows systems). They would have to be careful not to do something like allow keys to be manipulated via in-band IPMI.
XML is like violence. If it doesn't solve the problem, use more.
Apple allow you to boot other OSes. They do the opposite of what Microsoft are attempting to do here.
OEM can use this to lock in to their video cards that can cost $100+ the price of other on line stores, hdd that cost the full price of a 1TB disk to just upgrade from 500gb to 1TB. Maybe even ram lock in so you can pay $60 to go from 2gb to 4gb. But for about $50 you can get good 8GB ram kits.
Yes, UEFI Secure Boot can be used for such anti-competitive tactics. I hope somebody tries something like that, since it will demonstrate to those who don't care about alternative operating systems how evil it is to lock users out of decisions about what to use with their own computers.
Given the ratio of "professional users" to "toy users" of any technology (from cars to hammers), I'd say that the 7.6% figure is about right. The professional users don't want a toy OS like Windows.
Yeah, that's why no business whose livelihood depends on people getting work done would ever use Windows on the desktop, right? Because that's pretty much the definition of "professional user" from cars to hammers, using it in a profession. Until then you're just an enthusiast or prosumer, no matter how many hours you spend tinkering with your car. I'll leave it up to you to choose who of the people at car shows and taxi drivers are the toy users and who are the professionals...
Live today, because you never know what tomorrow brings
How about:
1) look for a driver on the manufacturer's site (works great for intel adapters, they're all on sourceforge)
2) google for a prebuilt package made available by another user
3) build the driver as an external module
4) try a newer distro version
Of course, if you have a crappy wifi card with no linux support whatsoever then you're screwed...but I haven't run into that in a long time, at least for retail network adapters.
Remove your tinfoil. There are enough market forces to ensure that most computer systems will have the option to unlock.
The worst case is that manufacturers are going to try to charge extra for an unlockable dual boot computer. The greed will be with the manufacturers and not Microsoft. It will likely backfire because the PC industry is a commodity business and there will be plenty of competitors who will sell an unlockable computer of the same specs without the extra charge.
It's really sad when people don't recognize one of the best movies of all time.
http://www.youtube.com/watch?v=_4e8iAofnrw
--
BMO
It's like pissing up a rope, except in reverse and with a gravity assist.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
All UEFI based equipment that does not provide the user an ability to maintain the PK must have a URF'D fluorescent orange sticker 110% of the size of any MS sticker.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
At what markup?
Give me Classic Slashdot or give me death!
You don't have any credibility here, 'APK'. Post your real name, your occupation, and your employer, and perhaps people will be willing to discuss your issue.
The alerts I get from US-CERT paint a different picture than you're trying to portray, so you have a long uphill struggle ahead of you. Many won't get past your confrontational style, though. If you aim to convince people, you had better brush up on your persuasion tactics.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Probably none. There's no more reason for a vendor to make these boards more expensive than boards they're selling right now.
Adding a BIOS option to disable the secure boot feature doesn't cost anything, and it only increases the number of potential customers, so any sane vendor would include something like that.
I have a hard time believing someone like Dell would offer locked down machines.
I worked at a uni for a spell with Linux labs on our standard Dell build. If they suddenly start saying "Windows only." they will be buying their 500-1,000 machines a year from whoever is selling unlocked boxes.
I mean look at places like Google, they have a "Zero Windows unless you have permission from the CIO." policy. I would think vendors would not be dumb enough to lock themselves out of that potential revenue.
Not saying I agree and that this doesn't need attention, but I get the feeling vendors are not that stupid. And MS themselves would draw the ire of the EU if not the US.
No sig for you!!
There's no reason for an OEM to refuse to sell PCs without Windows either. Still, they do it all the time. Whether it's a deal with microsoft, or just the hassle of tracking an extra SKU, it's hard to buy a PC without Windows on it. It will probably be even harder to buy a PC that's not locked to Windows.
Give me Classic Slashdot or give me death!
Well TG Steam runs on a Mac.... Oh wait nm mac might do this too.... Dammit why won't they come out with a *nix platform?
All the world's a CPU, and all the men and women merely AI agents
Wow, I've had enough of the internet for today.
Just bear in mind this: I'm one of those 1% of Linux users. But I'm also the guy the other 99% come to when they want a recommendation on what to buy. And I'm the guy they come to when their system's having a problem and they need it fixed. They've experienced the migraines having the manufacturer service it (all their precious files gone, all their software wiped and of course the product keys (if there were any) were in their e-mail which went with their data so they have to buy the software all over again), that's why they come to me.
Now, what do you think's going to happen when all those "normal" people come to me and I point them at vendors who don't lock down the BIOS? And when they ask me about a major vendor who does lock it down so it'll only run windows and I say "Sorry, their machines won't let any of my tools run so if you buy one I won't be able to help you with it."? They're going to go with my recommendation if only because they want their friendly neighborhood geek to be willing to fix their systems when they break.
It's like the large corporate world. The CEO's only one person in a company of tens of thousands. He probably doesn't even have any contact with any of the departments that actually buy and use the equipment. But get him mad at you and you're going to lose a lot more than just one person's purchases.
Anonymous coward, please don't refer to the Bible as your "tech manual for life", it only discredits you. http://wiki.ironchariots.org/index.php?title=Main_Page
That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
DON'T BUY IT IF IT'S NOT WHAT YOU WANT.
The problem comes when the large corporations A. do not provide what I want and B. have manipulated the market and the law such that nobody else can provide what I want.
Can you imagine someone buying a windows 8 secure-boot-locked pc to use as a router/firewall?
No, one is supposed to buy a secure-boot-locked ARM device to use as a home router/firewall, and one is supposed to buy business-priced computer to use as a business firewall. It commands a business price solely because it isn't secure-boot-locked, much as game console devkits are one to two orders of magnitude more expensive than retail consoles.
Or for driving a SAN
I'm not terribly familiar with how a SAN works; every environment I've seen uses NAS instead. NAS is available on dedicated appliances.
Moving all your business away from your usual vendor and towards a 'friendly' one sure as hell will
The lockdown proponents use market and law manipulation to make sure the 'friendly' ones can't do business.
Suppose one writes a BIOS that is compatible with UEFI. Can we use that virtual bios to load any operating system compatible with it?
Who says that the operating system must talk directly to the hardware bios?
Leslie Satenstein Montreal Quebec Canada
Bucky24 wrote: Unless you're saying that Microsoft would modify Windows so that no unapproved software could run.
Wow, we are getting the message through at last!!!
See iPad sales.
I know tobacco is bad for you, so I smoke weed with crack.
That's probably in the works. In the end it's all about DRM. They tried to drop it straight at the top of the software stack (media players) and it didn't work out so well, so now they're going from the bottom up.
Here's how it will work:
1) Control the boot-up procedure and make sure no other OS can run on the machine.
2) Tie-in with Windows Update and driver signatures, after all, nobody can argue that having hardware-authenticated updates and drivers is a good thing, right?
3) Next come the security apps -- 'cause nobody wants malware messing with or disabling their firewall and antivirus.
4) Then it's a very short step to application whitelists, which follows naturally from the security step before.
5) Finally, you can really control the app content, since the entire stack is locked tight.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer