Slashdot Mirror
Linux Foundation Releases Document On UEFI Secure Boot
mvar writes "The Linux Foundation today released technical guidance to PC makers on how to implement secure UEFI without locking Linux or other free software off of new Windows 8 machines. The guidance included a subtle tisk-tisk at Microsoft's Steven Sinofsky for suggesting that PC owners won't want to mess with control of their hardware and would happily concede it to operating system makers and hardware manufacturers."
Canonical and Red Hat have also published a white paper (PDF) suggesting that all OEMs "allow secure boot to be easily disabled and enabled through a
firmware configuration interface," among other things.
As I look into my crystal skull through the mists of time I see Microsoft release a white paper saying that OEMs will get $10 off the cost of Windows if they don't allow users to turn off 'Windows boot'?
Intel: We've invented a new technology that can be used to prevent low-level malware from being loaded during the pre-kernel boot process, when conventional antimalware techniques are ineffective. It could also be used by a manufacturer to prevent the user from installing any unapproved OS, as from a technological standpoint this functionality is identical to blocking malware, but that isn't what we designed it for.
Microsoft: Oh, that sounds fun. Ok, all OEMs: If you want to ship with the 'windows 8' logo which everyone is going to want soon, you need to include support for this and it must be enabled by default. You will have to include Windows 8 on the trust list, but anything else you need to block as it may be malware. You can give the user the ability to turn this feature off and install non-Windows OSs if you want, but we don't really care.
Linux supporters: But that means that unless an OEM has explicitly taken the trouble to install a feature that few users will even know of, it'll be impossible for us to use any OS except Windows - most seriously on laptops, where we can't build our own.
Microsoft: Not our problem! Take it up with the OEMs. We're only mandating that they install linux-blocking capability, we're not asking them to actually use it.
Throughout this, the OEMs have remained silent on the issue.
the US does not bite the hand that feeds it.
corporations feed the US. people don't matter anymore.
there are only going to be lawsuits in your dreams, my friend. big business is 'too big to fail' - no matter how large they actually are.
the OWS guys are complaining about this very kind of thing, in fact. but it won't change. the system is already in the hands of the 1% and that's that until the next bloody revolution comes.
--
"It is now safe to switch off your computer."
Most users would be just as stuck if faced with a windows install which failed to recognise their wifi adapter...
Stock out of the box windows often fails to recognise hardware, xp was especially bad because it got so dated but 7 is going that way too now...
Users don't install their computers, they buy them preinstalled... There's no reason why a machine preinstalled with linux wouldn't have everything already configured and working, and come with a recovery disc to return it to the factory state... Same as currently happens with windows.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
OEMs don't need this to lock in hardware, they can do this just fine with regular BIOS.
Not going to happen. Microsoft lobbies heavily now.
That was in 2001. After a decade of increasing corporate influence in Washington I doubt we'll ever see antitrust action against Microsoft again.
Give me Classic Slashdot or give me death!
As it stands now slapping the MSFT logo on something adds perceived value and credibility
I find that hard to believe. A Dell is going to sell whether it has a Windows logo on it or not. Same with Lenovo, HP, Acer, etc. I don't think that sticker is really that valuable as people expect windows on it and would be shocked if it didn't come with it. What do they need to see a sticker for?
The soylentnews experiment has been a dismal failure.
I created an account just to say this. You weren't born with the ability to create windows installation disks that have been slip streamed and other drivers on it. You took the time to learn how to do this. The fact that you didn't take the time to learn how linux wireless adapters work isn't a fault of Linux.
I just hope they sent a copy to the EU Competition Committee, as jack-shit will be done by USFedGov.
Other responses to this have replied that RedHat and Google don't spend the campaign contribution $$$ that Microsoft does, and therefore Microsoft can buy Ju$tice here.
The other side of reality is that the server space is heavily Linux, much of that on workstation-class machines, but also many farms are based on commodity-class machines, too. So in this case, it's not just RedHat and Google complaining, it's also IBM, Oracle, Disney/Pixar, Dreamworks, atmospheric modeling people, the petrochemical industry, etc.
My prediction is that the workstation-class market will have the switch from the get-go. Almost all of the commodity-class market will not have the switch, per Microsoft's wishes. But not all - because a few of those commodity-class manufacturers will have special boxes, probably at a slight, but tolerable premium, for the above-mentioned companies. Those few manufacturers will pick up the Linux business, lock, stock, and barrel. After a few quarters of that, some other commodity-class manufacturers will introduce their "Linux-capable" boxes in order to grab that same premium. It'll "race to the bottom" after that.
The real question will then be how do the rest of us get our fingers on those "special Linux machines." At that point, we may not, but some motherboard vendor will realize that he can sell the "Linux-capable motherboard" at a slight premium to those who know that they will get crappy non-Windows support, and also let them shave the Windows support cost into their profit margin, too.
Plus I need to write my Congress-critters. This Microsoft move is curiously soon after they've been released from Antitrust oversight. Maybe it's innocent and in the name of security and all of that, but the timing really stinks. Of course my Congress-critters don't give a hoot that I can't build and boot my own kernel. But I'd hope that they understand that we're shoving yet another piece of science and technology overseas, away from the US, reducing our competitiveness. The tinkerers who become future scientists and engineers will be on foreign shores, as well as those new ideas, products and business opportunities that my not fit into Microsoft's business plans. THAT's what I'll emphasize in my letters.
The living have better things to do than to continue hating the dead.
Being able to shut off "secure boot" doesn't do a thing to make Windows 8 less secure. In order to boot Windows 8, secure boot has to be turned on. If being able to run the computer with secure boot turned off somehow compromises the integrity of the Windows 8 installation, then the entire concept is broken before it started. (Hint... You can always remove the hard drive and put it in a non-UEFI computer as a secondary drive. That's essentially equivalent to booting another OS on the same machine.)
At this point, I'd have to say that the first screwup is that from what I've heard, Microsoft messed up the kernel signing process and hasn't signed their kernels the "correct" way supported by general tools. One piece of correct solution is to allow RedHat and others to sign their kernels and LiveCDs. For this reason, Microsoft should NOT be the signing authority - they should just be another company submitting their software for signing.
I suspect that the real/better solution to this problem would be a little more smarts in the UEFI itself. I get a signed Gentoo LiveCD image which, because it's properly signed, will boot. I then install my Gentoo onto the hard drive and tell the UEFI-aware GRUB about the kernel I just compiled.
Then I restart the machine back to BIOS and tell it to talk to GRUB, find my new kernel, and "approve" it - I guess a local signing. After that, I can boot my kernel. It's more pain than it is today, but probably less pain than the old days of lilo and forgetting to run lilo after building a new kernel. When that happened I had to boot a LiveCD to fix it. With this the fix involves at most booting my old kernel and using UEFI BIOS.
The living have better things to do than to continue hating the dead.
Microsoft faced those lawsuits because they were not yet politically savvy enough to buy off politicians. Now that they are, it's not happening again.