Slashdot Mirror


Linux Foundation Releases Document On UEFI Secure Boot

mvar writes "The Linux Foundation today released technical guidance to PC makers on how to implement secure UEFI without locking Linux or other free software off of new Windows 8 machines. The guidance included a subtle tisk-tisk at Microsoft's Steven Sinofsky for suggesting that PC owners won't want to mess with control of their hardware and would happily concede it to operating system makers and hardware manufacturers." Canonical and Red Hat have also published a white paper (PDF) suggesting that all OEMs "allow secure boot to be easily disabled and enabled through a firmware configuration interface," among other things.

  1. Let me guess by 0123456 · · Score: 4, Interesting

    As I look into my crystal skull through the mists of time I see Microsoft release a white paper saying that OEMs will get $10 off the cost of Windows if they don't allow users to turn off 'Windows boot'?

  2. Re:I'd say that's "mostly" true. by tepples · · Score: 2

    Because people want certain must-have applications more than they want an appliance. "Secure boot" is advertised as capable of giving them both.

  3. So as I follow it... by SuricouRaven · · Score: 4, Insightful

    Intel: We've invented a new technology that can be used to prevent low-level malware from being loaded during the pre-kernel boot process, when conventional antimalware techniques are ineffective. It could also be used by a manufacturer to prevent the user from installing any unapproved OS, as from a technological standpoint this functionality is identical to blocking malware, but that isn't what we designed it for.
    Microsoft: Oh, that sounds fun. Ok, all OEMs: If you want to ship with the 'windows 8' logo which everyone is going to want soon, you need to include support for this and it must be enabled by default. You will have to include Windows 8 on the trust list, but anything else you need to block as it may be malware. You can give the user the ability to turn this feature off and install non-Windows OSs if you want, but we don't really care.
    Linux supporters: But that means that unless an OEM has explicitly taken the trouble to install a feature that few users will even know of, it'll be impossible for us to use any OS except Windows - most seriously on laptops, where we can't build our own.
    Microsoft: Not our problem! Take it up with the OEMs. We're only mandating that they install linux-blocking capability, we're not asking them to actually use it.

    Throughout this, the OEMs have remained silent on the issue.

    1. Re:So as I follow it... by 0123456 · · Score: 2

      "You must not have been paying much attention, but UEFI capable motherboards have been shipping for some time now. I don't hear anyone whining about not being able to run linux on them."

      Duh. That's because they don't currently require 'Windows boot' to get a Windows 8 logo on the box.

    2. Re:So as I follow it... by Todd Knarr · · Score: 3, Insightful

      I think the big driver for OEMs telling Microsoft to rethink this will be Windows 7 and XP. A lot of major companies won't be ready to deploy Windows 8, especially with money tight. And they'll need to deploy, not stock Windows 7, but the specific image with the specific patches that they've certified compatible with all the other software they need to run. Fail to do that and IT's going to come back with a big requirement to re-certify everything that'll cost a lot of money and take a lot of time, and management'll buy off on it because it'll be phrased as "If we don't verify everything, we're risking another company-wide outage for some unknown number of weeks until the vendors get us a fix. Remember how much pain that caused last time it happened?".

      The big vendors like HP and Dell aren't going to go for something that'll cost them their biggest corporate customers. And the motherboard OEMs won't go for something that'll cost them both their big vendor contracts and their boutique component sales to gamers and the like.

    3. Re:So as I follow it... by jimicus · · Score: 2

      You're not thinking longterm. Microsoft can be patient, and Linux on the desktop is not growing at a rate that merits rapid, drastic measures.

      I can see two paths:

      1. Microsoft provide a mechanism to sign deployment images which is extended backwards to Win7. This makes sense anyway; it's common for larger businesses to deploy standardised images. Will be interesting to see how third-party deployment product vendors deal with this.
      2. OEMs will indeed make sure it's switchable for Windows 8 PCs. But Windows 9 or 10......

    4. Re:So as I follow it... by Dr_Barnowl · · Score: 2

      "render rich graphical experiences in native resolution via the Graphic Output Protocol (GOP) driver"

      No HD content without Secure Boot. Your Blu-Ray will be Blur-Ray because it will be downscaled without Secure Boot enabled.

  4. Re:I'd say that's "mostly" true. by Anonymous Coward · · Score: 2, Insightful

    Because for most people, Windows does just work. (Hate to burst your bubble.) I know where you're coming from, but for a lot of people, Linux just doesn't work. It's a lot better than it used to be, but if that Wifi adapter isn't recognized, they have no idea where to go from there.

  5. Re:Antitrust but verify by TheGratefulNet · · Score: 3, Interesting

    the US does not bite the hand that feeds it.

    corporations feed the US. people don't matter anymore.

    there are only going to be lawsuits in your dreams, my friend. big business is 'too big to fail' - no matter how large they actually are.

    the OWS guys are complaining about this very kind of thing, in fact. but it won't change. the system is already in the hands of the 1% and that's that until the next bloody revolution comes.

    --
    "It is now safe to switch off your computer."
  6. OEM can use this to lock in to there video, hdd an by Joe_Dragon · · Score: 2

    OEM can use this to lock in to their video cards that can cost $100+ the price of other online stores, hdd that cost the full price of a 1TB disk to just upgrade from 500gb to 1TB. Maybe even ram lock in so you can pay $60 to go from 2gb to 4gb. But for about $50 you can get good 8GB ram kits.

  7. Re:Users don't want a "toy OS" like Linux by faedle · · Score: 2

    Given the ratio of "professional users" to "toy users" of any technology (from cars to hammers), I'd say that the 7.6% figure is about right. The professional users don't want a toy OS like Windows.

  8. Re:I'd say that's "mostly" true. by Bert64 · · Score: 5, Insightful

    Most users would be just as stuck if faced with a windows install which failed to recognise their wifi adapter...
    Stock out of the box windows often fails to recognise hardware, xp was especially bad because it got so dated but 7 is going that way too now...

    Users don't install their computers, they buy them preinstalled... There's no reason why a machine preinstalled with linux wouldn't have everything already configured and working, and come with a recovery disc to return it to the factory state... Same as currently happens with windows.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  9. Someone missed the point. by sgt scrub · · Score: 2

    I don't want to disable the functionality to use Linux or any other operating system. I want it to be customizable so I can use it with any other operating system. Having it locked down for existing OEM's is what makes it evil.

    --
    Having to work for a living is the root of all evil.
  10. enterprise use will drive booting older windows + by Joe_Dragon · · Score: 2

    enterprise use will drive booting older windows + linux but I see systems / software needing windows XP being a point that forces this to be off on at least some systems.

    Windows 7 that most enterprise is now moving to will HAVE TO WORK WITH Secure boot as I don't see windows 8 fitting into enterprise use the way that is now being planned.

  11. Re:OEM can use this to lock in to there video, hdd by adonoman · · Score: 4, Interesting

    OEMs don't need this to lock in hardware, they can do this just fine with regular BIOS.

  12. Re:spoiler by Microlith · · Score: 2

    "Expect the usual BSD and Linux hackers to rise from the shadows to fix another broken mess of industry detritus."

    Just like how they fixed Motorola's secure boot process, right? Oh, wait. Those are still locked and the kernel can't be replaced.

  13. Re:Antitrust but verify by Hatta · · Score: 3, Insightful

    Not going to happen. Microsoft lobbies heavily now.

    Microsoft didn't always seek support in Washington. For years, the software giant prided itself on steering clear of national politics and lobbying. But when their legal troubles started, that attitude quickly changed.

    "Microsoft, before their anti-trust case, had almost no presence in Washington," Arizona Sen. John McCain told The Chronicle editorial board earlier this year. "Now, I almost don't know a lobbyist who's not on their payroll."

    That was in 2001. After a decade of increasing corporate influence in Washington I doubt we'll ever see antitrust action against Microsoft again.

    --
    Give me Classic Slashdot or give me death!
  14. Re:I'd say that's "mostly" true. by Code Yanker · · Score: 2

    If that were true, these multinational tech giants wouldn't have such valuable brands. As it stands now slapping the MSFT logo on something adds perceived value and credibility to it. Like it or not, people think locked-down platforms are great! http://www.forbes.com/2010/07/28/apple-google-microsoft-ibm-nike-disney-bmw-forbes-cmo-network-most-valuable-brands.html

  15. Re:I'd say that's "mostly" true. by justforgetme · · Score: 2

    unfortunately geeks like the avg /. visitor are a dying breed vastly outnumbered by the hordes of the - now hip - undead, media mass consumers.

    --
    -- no sig today
  16. Re:I'd say that's "mostly" true. by neokushan · · Score: 2, Insightful

    I've installed windows countless times, I'm a software developer, I build computers, I have made custom (legal) windows installation disks that have drivers and updates slip streamed on them. I've hex edited DVD ROM firmware updates, rooted plenty of Android devices. I'm also pretty good with regular expressions and can use vim in a pinch. Suffice to say, I'm pretty technically inclined and when Linux doesn't recognise my wireless adapter out of the box, I haven't a fucking clue what to do, either.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  17. Re:Antitrust but verify by sjames · · Score: 2

    Because Microsoft like totally couldn't have suggested a more acceptable approach like requiring that the root key be given to the owner of the PC.

  18. Re:I'd say that's "mostly" true. by oakgrove · · Score: 3, Insightful

    "As it stands now slapping the MSFT logo on something adds perceived value and credibility"

    I find that hard to believe. A Dell is going to sell whether it has a Windows logo on it or not. Same with Lenovo, HP, Acer, etc. I don't think that sticker is really that valuable as people expect windows on it and would be shocked if it didn't come with it. What do they need to see a sticker for?

    --
    The soylentnews experiment has been a dismal failure.
  19. Re:enterprise use will drive booting older windows by NJRoadfan · · Score: 2

    UEFI systems without any sort of BIOS compatibility module won't be able to boot 32-bit versions of Windows XP. Of course that doesn't stop anyone from developing one (see efforts to boot Windows on x86 Macs pre-Boot Camp).

  20. Re:Incentive? by Bobakitoo · · Score: 2

    The 1% of Linux desktop users make the purchase decision for the 91% of supercomputers and 60% of servers on the Internet.

    Do not fuck with us.

  21. Re:Antitrust but verify by Bucky24 · · Score: 2

    Well in a way this makes sense. Imagine the people who respond to spam emails and get viruses anyway despite all the protection. If they had the master key, any rootkit could just ask "Please enter your BIOS root key. This is required in order to run this software for some made up reason". And a lot of people would do it. You and I certainly wouldn't, we'd know what it meant. But grandma down the street who already ignores the UAC when installing something she got off the internet wouldn't know the difference. Personally I think that we should be able to GET the root key if we really want it, but it shouldn't come with the machine. That way you have to know what it is in order to get ahold of it. But that assumes customer service at the manufacturers (or Microsoft) is actually up to par.

    --
    All the world's a CPU, and all the men and women merely AI agents
  22. Re:I'd say that's "mostly" true. by therealslartybardfas · · Score: 3, Insightful

    I created an account just to say this. You weren't born with the ability to create windows installation disks that have been slip streamed and other drivers on it. You took the time to learn how to do this. The fact that you didn't take the time to learn how linux wireless adapters work isn't a fault of Linux.

  23. Re:so what happens when the app store does not hav by Bucky24 · · Score: 2

    Why on earth wouldn't Steam work with secure boot? Secure boot has to do with the boot up process. Steam is an application that runs AFTER the boot process is complete. Unless you're saying that Microsoft would modify Windows so that no unapproved software could run.

    --
    All the world's a CPU, and all the men and women merely AI agents
  24. Re:Antitrust but verify by 0123456 · · Score: 2

    "Ah yes, let's ignore the fact that rootkits have become a problem and Microsoft wants to secure computers running Windows. No, it is obviously a plan to destroy competing operating systems like Linux."

    You're right. Microsoft would never set out to lock down the PC platform so it could only run Windows. Why the very idea!

  25. EU by ThatsNotPudding · · Score: 3, Insightful

    I just hope they sent a copy to the EU Competition Committee, as jack-shit will be done by USFedGov.

  26. Re:Antitrust but verify by dpilot · · Score: 3, Insightful

    Other responses to this have replied that RedHat and Google don't spend the campaign contribution $$$ that Microsoft does, and therefore Microsoft can buy Ju$tice here.

    The other side of reality is that the server space is heavily Linux, much of that on workstation-class machines, but also many farms are based on commodity-class machines, too. So in this case, it's not just RedHat and Google complaining, it's also IBM, Oracle, Disney/Pixar, Dreamworks, atmospheric modeling people, the petrochemical industry, etc.

    My prediction is that the workstation-class market will have the switch from the get-go. Almost all of the commodity-class market will not have the switch, per Microsoft's wishes. But not all - because a few of those commodity-class manufacturers will have special boxes, probably at a slight, but tolerable premium, for the above-mentioned companies. Those few manufacturers will pick up the Linux business, lock, stock, and barrel. After a few quarters of that, some other commodity-class manufacturers will introduce their "Linux-capable" boxes in order to grab that same premium. It'll "race to the bottom" after that.

    The real question will then be how do the rest of us get our fingers on those "special Linux machines." At that point, we may not, but some motherboard vendor will realize that he can sell the "Linux-capable motherboard" at a slight premium to those who know that they will get crappy non-Windows support, and also let them shave the Windows support cost into their profit margin, too.

    Plus I need to write my Congress-critters. This Microsoft move is curiously soon after they've been released from Antitrust oversight. Maybe it's innocent and in the name of security and all of that, but the timing really stinks. Of course my Congress-critters don't give a hoot that I can't build and boot my own kernel. But I'd hope that they understand that we're shoving yet another piece of science and technology overseas, away from the US, reducing our competitiveness. The tinkerers who become future scientists and engineers will be on foreign shores, as well as those new ideas, products and business opportunities that may not fit into Microsoft's business plans. THAT's what I'll emphasize in my letters.

    --
    The living have better things to do than to continue hating the dead.
  27. Re:I'd say that's "mostly" true. by shibashaba · · Score: 2

    Easy.

    Buy one that has drivers for linux.

    --
    ---------- Open Source is capitalism applied to IP.
  28. Re:Antitrust but verify by cavreader · · Score: 2

    One additional item. Corporations are vulnerable to citizen protests but the protests would be a lot more effective if the protesters targeted all their energy on individual corporations one at a time instead of going after an entire industry. CEOs and Board members really don't like being constantly hounded by protesters, cameras, and ambush interviews. Public corporations are required by law to publish a great deal of their business information and finding disgruntled employees or ex-employees can provide even more ammunition to use in the protests. Forensic accountants can review P/L and overall earning documents to identify misleading information. Most citizens have a hard enough time balancing their checking account let alone deciphering complex corporate finance reports. Most Corporate lobbying groups are also required by law to publish documents related to their operations and with a little investigating you can even uncover the politicians who interact with the lobby groups affiliated with the corporation and in today's political environment politicians stand to lose a substantial amount of support if they are identified as being in the pocket of a lobbying group and the proof needed to make these connections is readily available. President Obama made a promise to refuse lobbyist money in his re-election campaign but he has used non-registered lobbying groups and 3rd parties to evade the spirit of his promise.

  29. Re:Antitrust but verify by dpilot · · Score: 3, Interesting

    Being able to shut off "secure boot" doesn't do a thing to make Windows 8 less secure. In order to boot Windows 8, secure boot has to be turned on. If being able to run the computer with secure boot turned off somehow compromises the integrity of the Windows 8 installation, then the entire concept is broken before it started. (Hint... You can always remove the hard drive and put it in a non-UEFI computer as a secondary drive. That's essentially equivalent to booting another OS on the same machine.)

    At this point, I'd have to say that the first screwup is that from what I've heard, Microsoft messed up the kernel signing process and hasn't signed their kernels the "correct" way supported by general tools. One piece of correct solution is to allow RedHat and others to sign their kernels and LiveCDs. For this reason, Microsoft should NOT be the signing authority - they should just be another company submitting their software for signing.

    I suspect that the real/better solution to this problem would be a little more smarts in the UEFI itself. I get a signed Gentoo LiveCD image which, because it's properly signed, will boot. I then install my Gentoo onto the hard drive and tell the UEFI-aware GRUB about the kernel I just compiled.

    Then I restart the machine back to BIOS and tell it to talk to GRUB, find my new kernel, and "approve" it - I guess a local signing. After that, I can boot my kernel. It's more pain than it is today, but probably less pain than the old days of lilo and forgetting to run lilo after building a new kernel. When that happened I had to boot a LiveCD to fix it. With this the fix involves at most booting my old kernel and using UEFI BIOS.

    --
    The living have better things to do than to continue hating the dead.
  30. Re:Here's the bottom line: it's not your PC anymor by Arlet · · Score: 2

    Just buy one where the vendor didn't implement any restriction.

  31. Re:Antitrust but verify by w_dragon · · Score: 2

    So you think the richest 3.5 million or so people in the country control everything? That's not so bad, it only takes something like $380k annual income to make the top 1%, specialist doctors and lawyers can make that much. I have a hard time believing that the pediatric neurosurgeon I know, who certainly makes in the top 1%, would screw up the country.

  32. Re:I'd say that's "mostly" true. by BuildMonkey · · Score: 2

    My first programming on a 286 was using DEBUG to create .COM files. I've written AIX device drivers and have used Linux since 1992 and compiled plenty of kernels as well as kernel modules. I work heavily with embedded software.

    Despite this I find setting up WIFI under Linux a huge PITA. I normally end up using NDISwrapper. The whole thing reminds me of Winmodems, only I could readily purchase a hardware modem that I knew would do the job. With WIFI vendors continually changing chipsets and firmware versions without changing the model number, buying a "known good" WIFI card is a crapshoot.

  33. Re:Antitrust but verify by Jiro · · Score: 3, Interesting

    Microsoft faced those lawsuits because they were not yet politically savvy enough to buy off politicians. Now that they are, it's not happening again.

  34. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  35. Re:I merely posted facts by bill_mcgonigle · · Score: 2

    You don't have any credibility here, 'APK'. Post your real name, your occupation, and your employer, and perhaps people will be willing to discuss your issue.

    The alerts I get from US-CERT paint a different picture than you're trying to portray, so you have a long uphill struggle ahead of you. Many won't get past your confrontational style, though. If you aim to convince people, you had better brush up on your persuasion tactics.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)