Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
ToriaUru writes "Fedora is going to pay Microsoft to let them distribute a PC operating system. Microsoft is about to move from effectively owning the PC hardware platform to literally owning it. Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux. Technically Fedora didn't have to go down this path. But, as this article explains, they are between a rock and a hard place: if they didn't pay Microsoft to let them onto the PC platform, they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?" Note that the author says this is likely, but that the entire plan is not yet "set in stone."
I don't understand how Microsoft is at fault here. Isn't it the hardware manufacturers that are locking out everyone but Microsoft? Shouldn't the hw people be the ones to make the platform open?
Need I say more?
Well your honor, I bought this Item from company X and their Partner company Y won't let me do XX to My property, and XX is perfectly legal.
Wow M$ thought that one through...
Lawsuit in 3...2....1..
-------
1. Enjoy your job
2. Make lots of money
3. Work within the law
Choose any two.
How can this be legal and not an abuse of their monopoly power?
Aside from the fact you can turn it off ( for now ) it still sounds like a clear case of abuse to me and someone should be talking to an attorney about this.
---- Booth was a patriot ----
...is about the only thing that might turn me into an Apple user.
RTFA. Then comment.
... how the FUCK this passes the slightest hint of anti-trust scrutiny?
Didn't Microsoft already lose an antitrust case before? What makes this allowed now? Because Apple has done it before?
How does this make you mad at RHEL/Fedora and not Microsoft? Admittedly, Red Hat is negotiating with terrorists here, and that may not be the best option for the ecosystem, but I can see how they would choose that path given that their business--one that helps the linux ecosystem tremendously--is at risk.
I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems that quite a number of large institutions like Universities will refuse to buy from them. I am not 100% sure because there are a lot of unis with microsoft-centric IT departments. Institutions with hard sciences depend quite heavily on different flavors of Unix and Linux to get work done.
Anyway... this is a disgrace and it's bound to blow up in quite a number of people's faces.
...they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?"
The only real option here is to ignore the law, as many of us here do now. The United States, and much of the western world, has become so enamored with short-term profit gain, that they're sacrificing the technological progress of all of humanity. The only rational course of action is to ignore them until another group or organization either through economic, political, or military means, remediates the problem.
Yes, I am suggesting that copyright law could eventually become an issue which countries go to war over. No, I don't think it's that crazy: Governments are already engaging in mass electronic attacks of their enemies. It's only a matter of time before things get physical. UEFI could be perceived as a threat to national security: It's giving one corporation carte blanche access to hardware owned by other governments. Redmond, WA may soon be ringed with missiles and armed guards to keep out other governments when they find out their hardware has been taken over by a foreign power. This is just how the world seems to be evolving... there's too much at stake now.
#fuckbeta #iamslashdot #dicemustdie
Red Hat is willing to pay to be licensed to be able to run on the new hardware. They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
http://www.computerweekly.com/news/2240052523/BeOS-will-live-on-as-Microsoft-settles-legal-action
Any lawyer looking for prior history..this settlement, and the suit claimed might be useful.
This has nothing to do with PCs. Nothing. Not one thing.
This is all in reference to UEFI on ARM tablets that Microsoft has partnered up with OEMs to produce to their specs SPECIFICALLY FOR: Windows 8.
Nothing has changed here, nearly all ARM systems are locked down today by OEMs.
Do any of you expect Microsoft to produce one that isn't (zune: locked down xbox: locked down)?
The point of the whole article is that the next generation of UEFI-compliant hardware will not be able to boot unsigned code. So-called "trusted" computing has made it to mainstream consumer devices. Distros that do not get their bootloader signed will not be able to run on unmodified hardware since the firmware will be configured to refuse-by-default.
Microsoft would get a HUGE Ginormous smackdown over this in the EU.
Wait - Is this article saying they paid a whole $99 bucks to get their bootloader signed?
Microsoft doesn't have the right to "license" hardware. It's not their hardware, it's not even their design.
This is Microsoft forcing vendors in the corner with their O.S. once again. This is non-competitive behavior once again.
If they have such a great O.S. there is no need for locking out others. It's weak and it's sick.
I was at 2 major industry tech conferences last month.
In every keynote and all-hands session, Apple hardware was center and present. Nothing special was made of this - just every damn computer used to demo solutions or held by a GM, VP or C-Level was a MacBook. Desktops were nonexistent. Every time an iPad could be used, it was. There were a couple of minor Android appearances - demonstrating multi-platform support, or what not.
There were a few odds: The HP guys had their own gear, and the IBMers had Lenovos. Some brilliant man from SAP was sadly dragging a 'book of non-descript, perhaps Dell sourced, black plastic...
Overwhelmingly, if you wanted to look like you knew why-the-fuck you ought to be on stage, in front of 8,000 people, you went Mac.
"Flyin' in just a sweet place,
Never been known to fail..."
Got to pay the man to cross the bridge !! And you know how that turned out !!
What the sensationalist headline and summary forgot to mention is that RedHat is paying a whopping $99 to Microsoft.
What is more worrisome and more headline worthy is that Microsoft has now become the de facto gatekeeper of your computer BIOS. Without their signature your operating system will not run.
/greger
You are correct, but MS is using its dominance to control hardware vendors. A 'licensed' secure boot certificate - licensed from MS - is what will allow Fedora to boot using the secure UEFI boot mechanism.
Red Hat Linux started on x86; it was never "only available for the DEC Alpha" (it didn't get ported to Alpha for several years).
They are doing this so that Fedora can be installed without end users having to disable Secure Boot in their UEFI firmware settings. If you want to disable Secure Boot, Fedora will run equally well. Fedora is also going to have signing tools, so you put your own key in the firmware and then sign your own loader and kernel (giving you more control, not less). If you switch to another distribution or OS that doesn't have a signed boot-loader, you'll also have to disable Secure Boot.
This "feature" exists because malware that affects the boot loader and kernel is a real and growing problem, and there isn't really any other technical means to block it. Setting up an independent CA to sign keys for loaders and then trying to get vendors to include the CA key would be highly expensive and would still result in Fedora having a key that you don't have. As long as Microsoft will sign things cheap, it is much better to go that route (if they were to stop signing, then this would obviously change).
The alternative is to tell users that want to run Fedora to not buy hardware that has the Secure Boot functionality, but that is going to become scarce once Windows 8 ships. Here in the real world, I'd like to continue running Fedora on new hardware.
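A way to check which of the situations described above a given Linux machine is in, as an added example that is not part of the original comment or of Fedora's tooling: it reads the standard UEFI `SecureBoot` and `SetupMode` variables through efivarfs. The function names, state labels and sample bytes are assumptions constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID, under which the UEFI spec defines SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
DEFAULT_EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def parse_flag(raw: bytes) -> int:
    """Decode a one-byte UEFI variable as exposed by efivarfs.

    efivarfs prefixes the variable data with a 4-byte little-endian
    attribute word, so a one-byte variable is exactly 5 bytes long.
    """
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (attrs + 1 data byte), got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return value


def read_flag(efivars: Path, name: str):
    """Return the flag value, or None when the variable does not exist."""
    path = efivars / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        return parse_flag(path.read_bytes())
    except FileNotFoundError:
        return None


def secure_boot_state(efivars: Path = DEFAULT_EFIVARS) -> str:
    """Classify the machine into one of four (hypothetical) state labels."""
    secure_boot = read_flag(efivars, "SecureBoot")
    setup_mode = read_flag(efivars, "SetupMode")
    if secure_boot is None:
        # Legacy BIOS boot, or firmware that does not implement Secure Boot.
        return "unavailable"
    if setup_mode == 1:
        # No Platform Key enrolled: the owner can install their own keys.
        return "setup-mode"
    return "enforcing" if secure_boot == 1 else "disabled"


def demo() -> dict:
    """Run the classifier over constructed efivarfs contents (not real captures)."""
    attrs = struct.pack("<I", 0x06)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    samples = {
        "shipped with Secure Boot on": {"SecureBoot": 1, "SetupMode": 0},
        "Secure Boot switched off": {"SecureBoot": 0, "SetupMode": 0},
        "Platform Key removed": {"SecureBoot": 0, "SetupMode": 1},
        "legacy BIOS boot": {},
    }
    results = {}
    for label, variables in samples.items():
        with tempfile.TemporaryDirectory() as tmp:
            for name, value in variables.items():
                target = Path(tmp) / f"{name}-{EFI_GLOBAL_GUID}"
                target.write_bytes(attrs + bytes([value]))
            results[label] = secure_boot_state(Path(tmp))
    return results


if __name__ == "__main__":
    print("this machine:", secure_boot_state())
    for label, state in demo().items():
        print(f"{label}: {state}")
```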
Just ignore PC hardware. As android devices become as powerful as PCs were just a few years ago just get a tablet, install your favorite distro. Add HDMI monitor + kb + mouse. It will just be another nail in the PC coffin.
Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
I would much rather see them taking the money spent on Microsoft's extortion and instead applying it to an anti-trust lawsuit. Complacency here starts us down a very nasty rabbit hole.
Could somebody, who is hopefully familiar with corporate law, explain how this could possibly hold up in court against an antitrust complaint?
Either give it away or get top dollar, but never sell yourself cheap.
Looks like Microsoft is starting to take plays from Apple's playbook. Steve Jobs helped us race to the bottom. Steve Wozniak weeps.
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
Entry no. 3, in between all the banks, content owners, universities and trial lawyers.
Maw! Fire up the karma burner!
No, it's not antitrust. You can get a phone or an apple device. Of course, those devices will also only let you run things the company wants you to run (with the exception of Android). Microsoft isn't doing anything evil here. They're simply moving from the high ground to the low ground, because that's what Apple already did.
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
That's entirely off-topic. Did you even TFA?
My Heart Is A Flower
When you want to run Windows, turn the thing on. When you want to run a different OS, turn it off.
Not that I think that this is remotely a good thing, but really... we've seen this coming for something on the order of a decade or more now. Is anybody surprised?
File under 'M' for 'Manic ranting'
>>>I think it's time to consider a new distro, if this is how Red Hat/Fedora want to work
But the other distros won't work.
Did you not RTFS?
Also I don't recall Red Hat ever saying they were "free as in liberty" software. It's always been a non-free system.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Well, time to check Red Hat off my list of distros. Any company willing to pay essentially blackmail money does not deserve my business.
For those mystified by the comment subject
The PC industry turning into a closed platform environment would make me turn to building my computer from the ground up. From the COMPONENT LEVEL!
There is a need. It's a security request from many sources. Given that Microsoft will have to be involved in the process regardless, getting worked up over their implementation is silly.
If you really wanted freedom, you'd implement a solution yourself.
I'd blame the drama over this just on the article, but the summary's definitely got some FUD to it as well. For x86 systems, all you need to do is turn off the feature. And that's if you insist on running unsigned software - it's not like there isn't an open and inexpensive process to get signed.
And this is different from Apple _____?
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
So, just as the subject asks, is this going to affect pc builders in any way? For instance, I haven't purchased a pre-built computer in almost a decade, aside from laptops. I assume this means that if companies want to sell items that want to be able to run windows 8, they'll have to support this policy.
Might be time to purchase a stockpile of parts just to weather the storm.
I don't think Microsoft will actually be able to do what the article is worried about - and it probably requires a history lesson on how the PC (and PC "clones") came about in the first place to fully explain "why" - but I'll just point everyone at Triumph of the Nerds
and does anyone remember IBM's "microchannel"?
the lesson from Microchannel was that people don't HAVE to pay you royalties just because you are the industry leader and come up with something new - they can form a gang of nine and do it another way...
this sounds a lot like Microsoft saying "pay us and get in the box" - I don't think they have that kind of power (and if you were working on PC's in the mid-late 90's you probably saw IBM PS/2's getting sold by the skid to be melted down for the gold in the connectors MCA used)
Shelley's "Ozymandias" is probably relevant ("My name is Microsoft, king of software/Look on my operating systems, ye competitors, and despair") :-)
It ain't what they call you. It's what you answer to. http://mylyceum.us/
what about loading windows 7 on new systems MS trying to lock that out will be very bad for enterprise.
Most places have just / still are rolling out windows 7 so no way they will go to windows 8 this year. Also windows 8 needs to have the old start menu come back as well as app side loading; at least let enterprise have their own IN HOUSE apps that don't need to go through a store to be loaded.
Red Hat != Fedora . Close, but they have been growing apart since Fedora 12/RHEL 5
sudo make me a sandwich
Am I the only one who remembers the days when you had to go mucking about in the bios to figure out the hardware geometry and all of that? Turning off some setting in bios is no big deal.
The big question is, will Fedora's 1st stage bootloader then allow you to install *any* linux distro? Like, are they going to have a signed version of GRUB, for example.
A system in custom mode should allow you to delete all existing keys and replace them with your own. After that it's just a matter of re-signing the Fedora bootloader (like I said, we'll be providing tools and documentation for that) and you'll have a computer that will boot Fedora but which will refuse to boot any Microsoft code.
Believe that I will use this to render any Linux computers I set up in the future to be "unbootable" via any MS operating system. Seriously, there is nothing worse than going through a ton of trouble setting up a great Linux computer for someone who loves it and then their punk nephew blasts all of your work away with a pirated windows copy.
Replying to cancel out an incorrect moderation. I did not want to set this as troll.
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement
Pointless? No more pointless than bitching on Slashdot, I guess.
Do what thou wilt shall be the whole of the Law
They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
They went out of their way to avoid exploiting Red Hat's privileged position with OEMS to gain an advantage over other Linux distros:
We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.
Implementing UEFI Secure Boot in Fedora
How is this move by Redhat in concept any different from what Novell did? I still think that Microsoft is the aggressor/enemy, not either RH nor Novell (nor SUSE)...
What about dual booting? Will users have to change UEFI settings back and forth to boot different operating systems?
What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
Microsoft is clearly forcing a conspiracy to harm other OS makers. This must be actionable if not felonious. It's time for a really, huge law suit that would teach Microsoft once and for all about fair play. Frankly I would give a judgement far greater than all the assets of the company.
Where does this leave people who want Ubuntu? Or Debian? Or even Slackware?
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
This is nonsense, the editorial on this article is gibberish.
First, secure boot is a legitimate concern. If you can guarantee a specific boot loader, you have a trust base to build a more secure system.
Second, you can install any OS you want. Just turn off secure boot, it's perfectly valid to do so. Just understand that now your boot foundations are untrusted, just like they are now on almost all PCs.
And what kind of person is going to install Fedora but can't be bothered how to boot into their BIOS and click "Yes, allow me to install other operating systems [X]"? Generally you can even install your keys, just like you can with SSL certs that you might trust.
Finally, Microsoft is doing Fedora a _favor_ here. Fedora is, as actual author indicated, totally free to get their own keys added. Microsoft isn't the problem here, but as usual the breathless, bloviating editorial text tries to make them out to be.
Complacency here starts us down a very nasty rabbit hole.
TFA states as much, since the author admits there is no plan as to how Fedora will be bootable on Win8 certified ARM hardware except to "pray somebody makes non-Win8 certified ARM hardware".
Do what thou wilt shall be the whole of the Law
they must be smoking the same waky-tabaky that Comrade Obama is smoking, that has him asserting that he's spent less than any president in modern history, or somesuch bat-s**t insane claim like that..
Off-topic, but that's a matter of easily-verified fact. Government spending is lower than it has been in the last five administrations. If you disagree with policy or actions, go right ahead, that's the point of democracy, but waving that off as "bat-s**t insane" is simply denial.
The day I go to buy a machine and find that I'm locked out of putting MY CHOICE of OS on it, is the day I get PISSED!!!
Too pissed to go into "BIOS" and turn off the secure boot feature? Because that's all you need to do.
(n/t)
With a MASSIVE anti-trust Lawsuit...
I think your troll detector needs new batteries. :)
Do what thou wilt shall be the whole of the Law
It's one-off fee for a commercial company. Get over it.
The real story here, though, is that they're actually taking a real stab at doing signing right and requiring a chain of trust. They're also doing it in a very cooperative open source way.
This is an excellent step for the assurances of trusted computing for their users!
will we be seeing things like "you aren't running a secure OS, you can't do {x,y,z}" even if your copy of Windows is legit?
You don't know what you're talking about, but thanks for broadcasting such so I know to ignore your bloviating in the future. Neither MS nor Redhat/Fedora is doing anything even remotely wrong here.
Clueless neckbeard dweeb:
OMG Fedora is paying MS $99 to have a nicer user experience to save their users 30 seconds of going in and disabling secure boot or manually installing Fedora keys!?!! OMG, I IZ BREATHLESS AND ENRAGED!!!
Fucking neckbeards. Ironically they have a reputation for being good in IT/software but at least 50% of them are semi computer-illiterate dim bulbs.
Ditch them? No.
Convince Redhat to instead sue the shit out of Microsoft over its obviously monopolistic practices. Yes. (Lots of yes!)
Perhaps even threatening a boycott to prevent the deal, if for no other reason than to push this issue into the public consciousness.
What does the keeping of Hebrew slaves (which is what the first few verses of Exodus 21 are with regards to, and what you have quoted here) have to do with a lottery?
That's entirely off-topic. Did you even TFA?
Maybe his DNS server is from North Carolina or similar and it's resolving Slashdot.org to RandomBibleVerseToday.com.
Faster! Faster! Faster would be better!
Why is it then that Mint works with everything on my 2011 Mac Mini. Wifi, everything OOTB.
My MBP (2008 17in) Runs CentOS. The only thing I had to fiddle with was the Wifi but that is normal as there are no proprietary blobs shipped with the OS.
I have to say that in my experience Apple H/W is a lot more Linux friendly than some of the H/W sold by the likes of Dell and HP. The only other H/W I would recommend for running Linux on OOTB is Lenovo.
This is nonsense, the editorial on this article is gibberish.
First, secure boot is a legitimate concern. If you can guarantee a specific boot loader, you have a trust base to build a more secure system.
Second, you can install any OS you want. Just turn off secure boot, it's perfectly valid to do so. Just understand that now your boot foundations are untrusted, just like they are now on almost all PCs.
And what kind of person is going to install Fedora but can't be bothered how to boot into their BIOS and click "Yes, allow me to install other operating systems [X]"? Generally you can even install your keys, just like you can with SSL certs that you might trust.
Finally, Microsoft is doing Fedora a _favor_ here. Fedora is, as actual author indicated, totally free to get their own keys added. Microsoft isn't the problem here, but as usual the breathless, bloviating editorial text tries to make them out to be.
After all we must admit: they are good on doing bad.
Hey hey hey - easy there with the linux-slaggin buddy. You're on slashdot now.
If you have to alert people that you're doing it; you probably aren't doing it right.
For me, UEFI is not a problem, because I'll just continue to do what I've been doing for almost two decades: building my own servers and workstations from individual components.
On the other hand, if at some point in the future a client asks me to migrate all of their existing workstations and servers from Windows to Linux, then UEFI may make that difficult. For that matter, it may also become difficult to install Linux on the average laptop.
Will the EU stand idly by (as I'm sure Uncle Sam will), or will it stand up for consumers everywhere before it's too late?
It seems logical from one point of view.
RH should have at least tried some lawsuits first.
Buddying up to MS never ends well.
They should have used that position to advocate for a neutral key issuer.
If Fedora yields on this, I'd go to another distribution. Paying $99 to Microsoft for the "right" to install the OS of my choice on my own hardware is making Microsoft $99 richer off the efforts of the volunteers who brought Linux and Fedora to us, and it makes my Free-gratis OS effectively cost $99, no longer free.
I'd rather go back to the time of compatibility lists and give my money to those companies that support my needs than give it to those Microsoft-bought hardware manufacturers.
Say NO to Microsoft Danegeld
You think they won't stop signing at some point or delay signing?
You really think MS will do this out of the goodness of their hearts?
Here in the real world we should let the SSL CAs run this. Since they already are running a similar program.
You must be new here... Welcome to Slashdot!
I suspect that Microsoft doesn't care much about linux one way or the other; if users want to tweak a BIOS option and run linux it won't bother them.
However, I wonder if Microsoft is looking at the far more lucrative fact that those with Windows 7 and Vista licenses will be forced to buy a new Windows 8 license or else run an "insecure" setup. It gets rid of a problem that they've had for years where users upgrade their hardware and keep their old OS around.
Seems like a massive money spinner in the medium term for them.
Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux.
Really? Even hardware manufacturers like, say, Apple? Even for hardware that doesn't use UEFI? Or does that sentence really mean that consumers will have the option to purchase machines that are locked down to the OS bundled on them?
This train of thought seems to make a whole bunch of leaps of faith to come to dire conclusions. I can't really see people running racks of servers with OSes on the hypervisor binding all EFI loaders to Windows 8.
I think the real story here is that "Common discount consumer-grade desktop PCs will be locked to the bundled OEM OS, unless third party access is granted a la MS/Red Hat."
In other words, it's not really that big of a story, and will be excellent news for potential bootkit victims everywhere (at home and in an office deployment).
... was the only thing important in the minds of their respective owners.
Snobism abounds.
Have a nice day yourself.
Does this mean that if I want to dual boot my machine with Windows and another OS, I need to re-enable Secure Boot in the UEFI options every time I boot into Windows and disable Secure Boot every time I boot into the other OS? What a pain in the ass that would be if that's the case.
Actually (if you read the article) M$ does not get any of that $99. The fee goes to Verisoft. Microsoft is acting as the gatekeeper for the signup process.
Now I will be VERY pissed if I buy a new motherboard to build my own computer and it won't boot Linux unless I have to buy a key for $99. In such a case I would return the MB as being defective. I hope Asus and other MB makers will give me a choice of bios options when I buy a new MB.
I'm just analytical and hyper-observant.
It's a bias, I admit.
"Flyin' in just a sweet place,
Never been known to fail..."
What are we waiting for? They should have been broken up when they were found guilty of monopolistic practices the first time.
Let's get this done. No fucking around the edges.
Microsoft probably told the OEMs that either they played ball Microsoft's way and locked down the motherboard, or they didn't get to preinstall Windows at all.
If you've sold the laptop, or given it away as a gift or a donation, by what right do you have to limit what the recipient can do with it?
It always takes longer than you expect, even when you take into account Hofstadter's Law. --Hofstadter's Law
I still say this has never been about making Windows safer, but it's been about killing its biggest threat once and for all... That biggest threat being Linux. I've said for years there would eventually be 3 OS's running on 3 different sets of hardware... As of Windows 8, that will come true. I've used Linux for eight years and Microsoft can kiss my ass.
It's different in several ways. Apple designs and makes their hardware, Microsoft does not. Some could perceive this as Microsoft locking out the use of other operating systems, while Apple doesn't care if you load another OS on their machines. (They even provide a utility that makes it very simple)
I'd find this story more believable, as in, not horrible overreacting, if mjg hadn't posted that feminist screed in the same blog about a week ago. It's like a great example of how a reasonable (if angry) dude can turn to a "i'm a horrible person, and so are you" level male feminist, and it only took three years.
Be careful out there.
The same right that MS, Apple, and the various Android vendors have to lock the hardware that they rent^H^H^H^H sell/give away/barter or what have you. Oh, that's right, I forgot, they're multi-national mega-corps thereby they have intrinsic rights that me as a mere citizen don't have. Have you considered fucking off and dying perchance?
Off-topic, but that's a matter of easily-verified fact. Government spending is lower than it has been in the last five administrations.
Boldfaced lie.
"Verifying" by pointing to numbers that are deliberately counted & calculated in such a way as to give a desired result is meaningless.
Everybody knows and understands that the government is lying.
Why even post such drivel? It just makes you look like a blindly partisan, Kool-Aid-drinking fool.
wow, RedHat pays $99 to Verisign for a code-signing cert and gets Microsoft to give it to their OEM logo hardware partners?
it's the end of the freaking planet people.
run for the molehills.
I came to the same conclusion as you at "Comrade Obama".
Jesus H. Christ.
I don't really see the problem here because market forces will open an opportunity for a hardware manufacturer to specialize in creating solutions for operating systems other than Windows. Besides, I'll bet you might still be able to turn UEFI Secureboot off and just use the regular BIOS. It means you won't be able to run Windows, but who cares.
To buy Microsoft stock for my retirement plan...
Website Just Down For Me? Find out
That's easy for you to say. Did you even read the article? Where it was mentioned that no one else is willing to manage the keys? It costs a lot of money, that's why. But hey, it's always easier to tell others what they "should have" done.
Secure booting -- provides no added benefit and is therefore totally useless (except as a tool of extortion). All we need is partition write locking on OS install. When was the last time you actually heard of malware that touched the bootloading process, anyway?
Which name will predominate?
I think we just go with KINdows, for now.
"Flyin' in just a sweet place,
Never been known to fail..."
I meant even MS should have to go get their software signed by a neutral party. I read the article, it did not mention Red Hat even suggesting this, nor did it seem as though they even considered legal action to make that happen.
Not only did you not RTFS, you can't even read, period. Go back under your rock, troll.
Does the signing use a public key for UEFI to verify the signature? Does anyone know the key so people can get crackin? Sure it's probably a large key beyond current methods to crack, but it makes research in such areas feel more relevant with a specific target you can talk about. Theoretically with algorithm X it would take 169 years to break the MS UEFI key using 50000 CPUs. Using Y it only takes 165 years...
...that's what the article said. Fedora is paying Verisign, not Microsoft, $99, one time, to have all of their code signed. The summary is some Linux FUD, ironically FUD accusing Microsoft of FUD.
Also, this is only on "PCs that come preinstalled with Windows 8", which is probably not your machine. Plus you can turn Secure Boot OFF in the BIOS quite easily. Also, you can turn it back ON, import your key, and use it for the same purpose - to prevent malicious bootloaders.
Nothing to see here, move along.
How is this not an abuse of a monopoly to thwart competition?
Says user "0123456" who couldn't slide all the way to seven. Not even "0123456etc". From the later username it would be right and proper to dish this kind of abuse.
I was about nine years old when I saw my first picture of Beautiful Asian Rice Terraces. I went "wow, it's amazing how anyone ever thought of that". And now those clever slopes rule the world.
This reminds me of when everyone fumed that Dick Cheney was running the world. Dick Cheney couldn't do anything that George Bush didn't sign off on.
Microsoft can't do anything the hardware manufacturers don't sign off on. Microsoft doesn't run the world. If they have some hair-brained idea that gets enshrined in hardware, don't blame Microsoft... blame the hardware people. Don't buy their crap! There are many different processors and platforms that run modern operating systems. Tell Blizzard to port Diablo and Wow over, then wave farewell to Microsoft.
On another site I read that, according to section 27.7.3.3 of the UEFI Specification Version 2.3.1 (http://www.uefi.org/specs/download), it may be possible to add an image signature if an UEFI image is not authorized:
UEFI Image Not Approved. If the UEFI image was not approved the platform firmware may use
other methods to discover if the UEFI image is authorized, such as consult a disk-based catalog
or ask an authorized user. The result can be one of three responses: Yes, No or Defer.
So it may be possible to start an image by simply asking the user? However, if I read this correctly, this process will be necessary on every kernel update for kernels which are not signed by a key (from Microsoft) on the hardware?
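Added example, not part of the thread and not firmware code: a simplified Python model of the decision the quoted spec text describes (image not approved, so the platform asks an authorized user, who answers Yes, No or Defer). The `Firmware` class, the signer labels, the result strings and the handling of Defer (nothing is enrolled, so the prompt recurs) are assumptions made for illustration; real firmware verifies Authenticode signatures rather than comparing a label.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Answer(Enum):
    YES = "yes"
    NO = "no"
    DEFER = "defer"


@dataclass
class Image:
    name: str
    data: bytes
    # Label standing in for "carries a valid signature chaining to this
    # certificate". Assumption: no real signature check is performed here.
    signer: Optional[str] = None

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


@dataclass
class Firmware:
    db_certs: set = field(default_factory=set)    # authorized signers
    db_hashes: set = field(default_factory=set)   # authorized image hashes
    dbx_hashes: set = field(default_factory=set)  # forbidden image hashes

    def boot(self, img: Image, ask) -> str:
        # The forbidden list wins over everything, including the user prompt
        # (modeling choice for this sketch).
        if img.digest in self.dbx_hashes:
            return "refused: forbidden"
        if img.signer in self.db_certs or img.digest in self.db_hashes:
            return "started"
        # "UEFI Image Not Approved": fall back to asking an authorized user.
        answer = ask(img)
        if answer is Answer.YES:
            # Enrolling the hash authorizes exactly these bytes and nothing
            # else, so a rebuilt or updated image is a new, unknown image.
            self.db_hashes.add(img.digest)
            return "started: enrolled by user"
        if answer is Answer.NO:
            return "refused: next boot option"
        return "deferred"  # assumption: not run now, nothing recorded


def demo():
    """Boot constructed sample images and record which ones caused a prompt."""
    fw = Firmware(db_certs={"enrolled-ca"})
    prompts = []

    def user_says(answer):
        def ask(img):
            prompts.append(img.name)
            return answer
        return ask

    # Constructed sample images: two builds signed by an enrolled signer,
    # two unsigned locally built images.
    signed_v1 = Image("signed-v1", b"signed build 1", signer="enrolled-ca")
    signed_v2 = Image("signed-v2", b"signed build 2", signer="enrolled-ca")
    local_v1 = Image("local-v1", b"self-built image 1")
    local_v2 = Image("local-v2", b"self-built image 2")

    results = [
        fw.boot(signed_v1, user_says(Answer.NO)),    # signer enrolled: no prompt
        fw.boot(signed_v2, user_says(Answer.NO)),    # update, same signer: no prompt
        fw.boot(local_v1, user_says(Answer.DEFER)),  # asked, deferred
        fw.boot(local_v1, user_says(Answer.YES)),    # asked again, hash enrolled
        fw.boot(local_v1, user_says(Answer.NO)),     # hash now in db: no prompt
        fw.boot(local_v2, user_says(Answer.NO)),     # new bytes: asked again
    ]
    return results, prompts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In this model an image approved by hash has to be approved again after every rebuild, while an update signed by an enrolled signer starts without a prompt.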
As long as the purchaser or recipient understands the limitation before buying or accepting the gift, there's nothing wrong with selling or giving the modified device.
If he misrepresented the device as being in "like new" condition, that would be different.
While I use a PC at work, since I joined the smart-phone and tablet era my PC at home has been virtually untouched. That doesn't help the many distributions of Linux...but nor does it help Microsoft (in my case Google/Android is getting my eyeballs).
The analogy in my subject RE Fox is simply that Fox News is the #1 watched (cable) news channel and with several shows constantly ranking highest viewership.
However... Cable usage in general is going down. So while Fox continues to grow and dominate, it is with an aging population and on a (slowly) dying platform. Eventually Fox may be able to claim 90% viewership, but if there are only a couple thousand viewers to begin with it really won't matter.
MS has dominated the PC world for 25+ years, and this new "protection" will all but solidify that. But again... having 90% of the market won't matter if there are only few consumers remaining.
-CF
The same right that MS, Apple, and the various Android vendors have to lock the hardware that they rent^H^H^H^H sell/give away/barter or what have you. Oh, that's right, I forgot, they're multi-national mega-corps thereby they have intrinsic rights that me as a mere citizen don't have.
So, because they are evil fucks who don't care about their customers, you think it's justified for you to do the same?
Yea, that's logical... if you're a sociopath.
Have you considered fucking off and dying perchance?
Oh, you are a sociopath...
Figures.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Apple sell their own hardware, even if it is only a crippled x86 PC (iToys not included). MS don't sell any PCs, and they're abusing their Windows OS position to force box builders to adhere to their latest illegal scam (DOJ will catch them 10 years too late), to extort money from other companies that have nothing to do with MS's OS, or prevent box sellers from using their MS "discounts" that allow them to remain at the same price point as the companies that aren't interested in shifting boxen sans Windows OSes. Apple are shysters, but MS own the roost with this shit.
What is the incentive for Motherboard/Firmware suppliers to do this? It was the outsourcing of the original IBM PC R&D that allowed clones to flourish.
Sure, Microsoft wants to remove a security flaw in Windows. But they've never had any clout over hardware, that's why they've had to steal device driver code through technology 'swaps'. Motherboard manufacturers can include an unsecured boot process and tell Microsoft where to go. In fact, it is in Microsoft's interest for this to happen. Then Microsoft can claim they are not creating a monopoly.
Good question. Why is Microsoft doing just that?
So much FUD so little time.
No, I really don't think they'll stop for PCs. It makes it easier for them to get vendors to agree to the Secure Boot requirement to begin with. I don't believe they could really get HP and Dell to ship computers that were unable to run anything other than Windows 8.
Even if they do, we're no worse off than we would be if Fedora didn't get a key signed (telling users how to disable Secure Boot or trying to get vendors to include a Red Hat key in the UEFI firmware).
Yea, that's logical... if you're a sociopath.
Oh, you are a sociopath...
Hahahahaha. Yeah, that's why I come here. To read the armchair psychologists. Fucking moron.
How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?
The answer to that is never. Using the installed configuration tools to turn off a security feature is in no way "circumventing" anything. By that logic, turning off the windows firewall so one can use another firewall would also be "circumventing". To fall under "circumventing" external software or unconventional editing (such as using a third party bit editor to change non-volatile RAM) would need to happen.
Stop with the sensationalism. The issue is that Red Hat has two choices: pay for certification or describe how to turn off the security feature. From a sales point of view it is better if the user does not have to do anything to their BIOS settings to install an OS. On the other hand it is a good idea to make it difficult to unknowingly install a hacked version of an operating system.
We have discussed this issue before and it is not a "big bad Microsoft blocking Linux" issue. Microsoft is trying to make their installs safer.
Please, for the love of CowBoy Neal, MOD PARENT UP
One voice of reason in a sea of insanity that is "discussion"...
"UNIX is very simple, it just needs a genius to understand its simplicity." -Dennis Ritchie
Maybe they did advocate, and maybe no neutral key issuer was present? The article says this would be expensive (like running a certified CA, with audit, stuff like that), and they surely advocated. Doesn't mean they managed to do it however.
And so far, that's a proposal, nothing more. If accepted, this would be done quite fast, but the best way is to find a better idea.
Gee, I wonder why you are posting this anonymously.
We did. No-one wanted to be one. It would be a thankless task which involved a large degree of legal liability and no profit. There are not exactly organizations lining up to do the job.
Redhat forking over cash is yet another path stone along the way.
Whenever a trust anchor grows so large its value approaches priceless or becomes ubiquitous to the world then you might as well just toss it overboard. Do yourself a favor and just assume it is no longer worth trusting 'cause it ain't.
Someone blesses an exploitable kernel loader just once and all the effort wasted on security gets flushed down the toilet. Clever key management is not going to be able to save you.
What they should have done is what no committee is capable of doing -- provide a good enough but not perfect solution requiring a leap of faith during initial install or some kind of configuration (RS6000 configuration key) button the user must press when installing a new operating system to establish an initial trust relationship.
In a way I'm glad Microsoft is choosing UEFI to protect boot phase of their proprietary (ARM) hardware as platform documentation is available and common boot environment will make it easier to both exploit and reap the benefits post exploit.
http://mjg59.dreamwidth.org/12368.html
"The $99 goes to Verisign, not Microsoft"
Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux.
FUD FUD FUD. Also: Bullshit. You will **ALWAYS** be able to install another OS onto your system. Just toggle off the hardware certification in the BIOS. Don't you just love it when people hate FUD when it's against something they like, but go ahead and use it themselves when it's against the "enemy". Microsoft requiring its hardware manufacturers to use the verified boot feature that has been baked into the UEFI standard for **YEARS** now is not the same as banning OSes. It's designed to block malware from affecting the boot path. You are correct; Microsoft completely blocking other OSes would be essentially illegal. That's why it **isn't** happening.
Also, I think it's freaking hilarious that the article says that Fedora feels it's forced to pay because "they would have to explain to their potential users how to mess with firmware settings just to install the OS". Let me get that straight: You're worried that your LINUX customer won't know how to change a setting in the BIOS? To install an OS that nearly requires a near expert level computer knowledge to use?
Okay, let's pretend that these computer neophyte Linux users exist. Hardware manufacturers could always just install a physical switch that Google uses on **ALL** Chromebooks. Flip the switch, and the verified boot is disabled. Then these neophyte Linux users can continue on to install the OS they won't know how to use.
Fedora can boot using secure UEFI boot with their own certificate out of the box, if they can get all the OEMs to add it. They've tried to do that, and found out that it's too much headache for them, simply because there are so many companies to go to. Hence why they went and bought, effectively, the right to sign their own bootloader with MS key, which is obviously going to be supported by most OEMs out there. They didn't have to do that, though, and they didn't have to go to MS at all, though it would have probably cost them more money due to sheer time spent arranging everything in the end.
"Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft"
Well, a job well done, the lawyers have won yet again and in the process forced up the cost of Open Source through the cost of legalistic nonsense such as 'compliance'.
AccountKiller
MS will do this because no-one wants to be responsible for a decision that will lead to another 2.5 billion dollar fine in EU.
If I'd been 10 years younger I'd have been all indignant and worried, but these things have a habit of sorting themselves out.
What, the summary doesn't scare you? You don't think installing linux will become a felony? You don't believe this is a slippery slope into 1984? You don't think that MS keeps the CEOs of major OEMs in its dungeon? You can't find a way to blame the government, your parents, or baby boomers? It's not part of the scary NWO we've been hearing about since the 1930's? You can see why people might actually want this trivial change to their office furniture?
Congratulations, you are now a 'grown up'.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Maybe not, but the last two systems I bought have graphical UEFI setups. Even after formatting and successfully installing Linux Mint on both PCs (in UEFI mode as well as normal mode on both systems), neither machine detected the OS. :/
This is bull.
"Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access .. In fact, chances are that everything will carry the Microsoft key."
It's always what Microsoft wanted, complete control over the Desktop PC. The lawyers have won yet again and in the process forced up the cost of Open Source through the cost of legalistic nonsense such as 'compliance'.
AccountKiller
Finally someone who gets it.
Seriously.
Why isn't the FTC or ICC busting them over business obstruction/trade issues, or just the plain DoJ for antitrust/business obstruction?
MS doesn't own the ecosystem end to end like Apple, so any argument for what is effectively UEFI lockdown is poor at best. Just because MS says their lockdown requires an explicit bypass be available to consumers, there being a whole lot of wink-wink-nudge-nudge-make-it-as-obnoxious-as-possible-for-the-end-user is functionally equivalent to a full lockdown in the eyes of the end user. Note end user is not just some dude at a walmart, but IT departments with fleet rollouts of PC's for business users. If the requirements effectively force major manufacturers to not offer scriptable UEFI unlocking, no sane small/medium business IT sysadmin is going to be able to make a business case for using Linux, simply because of the effort to prep the damn things for the OS install. Note this is for any other Linux that hasn't sold out like RedHat has.
Has Redhat becoming a for-profit corporation finally led them down the path of evil?
Not Microsoft. It was even highlighted in the article. Sheesh!
(Alternate title giving some more details; "Microsoft" abbreviated as "Msft" to make the title fit given /.'s apparent title-length restrictions.)
Read TFA before commenting.
A key signed by Symantec/Verisign works too. They just didn't want to do that.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
So, it is OK for Apple to do it, because it's a 'better' system, but when Microsoft does it, it should be illegal? Apple fanatics lack any sense.
To exactly match what Apple are currently doing, Microsoft would have to refuse to give out signatures for Windows 8 ARM tablets (as, without jailbreaking, I don't think you can run your choice of OS on iOS machines) and not do any secure-boot stuff on Windows 8 x86 machines (as Macs don't do secure boot by default).
This "feature" exists because malware that affects the boot loader and kernel is a real and growing problem, and there isn't really any other technical means to block it.
You just lack imagination.
An operating system, once booted, should be able to protect the UEFI boot partition from unauthorized modifications just fine. Let Microsoft implement whatever signing mechanisms they wish.
Booting from removable media on the other hand, can be secured simply by requiring an explicit action to boot them. BIOS systems already can optionally do this.
Simply mandate explicit boot into removable media, and the malware will have no attack vectors aside from the installed OS or infected installation media, neither of which should present a problem for Microsoft.
I'll take a wild guess that that punk nephew is actually doing what he is asked- "Please get this shit that anon put on my computer off. I can't figure it out, and I want to check my damn email!".
You're asking a lot of these people, vux. They'd have to pull their head OUT, read, then put it back IN again. Much easier to just go with preconceived notions.
There will be an EFI/BIOS option to turn this off. If you think Microsoft would EVER get away with this in the post-antitrust over IE days, you're kidding yourself.
It might be turned on BY DEFAULT, but this is "secure by default" behaviour and should be the way it is.
If you want to run unsigned code, so be it. If redhat or another vendor want to get their code signed so be it. This is a lot of hot air over nothing.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
IANAL: But I am quite sure this would be considered an anti-competitive practise here in Australia.
What happens when you get this on your screen ................. it's not a matter of if, it's a matter of when. Stallman doesn't look so crazy anymore!
I can't believe that we all have to stoop down to Microsoft's levels, especially Red Hat which is a highly respected open source company. I was hoping there would be some workaround for this ridiculous deal with Microshaft and hardware vendors. I can say one thing, this will aid me in scratching off vendors from my list when I go to purchase PCs for myself and others. If they put this ridiculous crap on their hardware, I'll buy from somebody else.
Where did I say that the vendors had the right to do it either?
It always takes longer than you expect, even when you take into account Hofstadter's Law. --Hofstadter's Law
That all that needs be done is have a BIOS backdoor allowing remote setting of a mode that disables the ability to disable secure boot.
Coreboot.org
How long until someone hacks the key blacklist distribution servers?
Add the M$ key to the blacklist as served up to a particular region and Presto! most of their PCs stop booting.
Uh, define ``hard to find''. Will vendors now make the means of accessing the firmware become something akin to playing Myst? Will the UEFI options be hidden to all who do not press F8 during some narrow and undocumented window? Will the options be worded so cryptically that end-users won't be able to decipher the settings?
I'm having trouble envisioning where all this difficulty is going to be encountered. I only see dual-booters as the ones having this trouble and, yeah, it would sucketh mightily to have to tweak firmware settings every time you wanted to boot to the other OS. Perhaps I don't see the problem since none of the systems I use are dual-booting. Most have ever even had Windows installed on them and, if they did, the Windows disks were reformatted long ago (i.e., 5+ years ago). Dual-booting is a kludge that I don't find necessary any more. Maybe I'm just lucky.
What's the Vegas line on when there will be a call by the more fanatical Linux proponents to shun Fedora like there has been for SuSE?
CUR ALLOC 20195.....5804M
Microsoft looks, acts, and thinks like a monopoly. Having dealt with fairly senior Microsoft execs and techies personally, I can testify that as far as I could tell, they just "don't get" the idea of open platforms. Open means you cooked up something with a few preselected other vendors, in secrecy, and then released it, probably with onerous conditions and encumbrances.
It isn't... yet. It'll be a race to the bottom with these two companies... and they're taking the x86 platform with them for the bumpy ride.
Apple does it on their own hardware (Apple is going to turn their Mac platform into an iPad sooner rather than later), Microsoft wants to do it on all hardware. Apple has an App Store... Microsoft wants an App Store. (Metro Apps only available through their App store... go figure.) Apple is closing their open OS. Microsoft is plugging leaks in their old OS and attempting to sidestep the openness of x86 to get a boatload of otherwise nice people (but clueless) to buy into their schtick. Letting their colossal foot in the door is a huge mistake. People harping about the "but you can turn it off" forget the tenacity and vast cash reserves of Apple AND Microsoft. They don't have to win on merits.. they'll starve competition out. Why? Because they can....
It's the Stay-Puft Marshmallow Man.
now put that in a quote and give credit where credit is due, you DRUNK!
"That's right...I said it."
So glad to see that Microsoft has no monopoly at all on the PC world, I was afraid they had lost their touch. Government I guess useless or impotent as always.
You appear to live in some fantasy world where there is this thing called 'government regulation of big business'. In case you haven't been paying attention, every politician higher than dog catcher has made a career of doing this over the past 30 years.
You realise anti-trust is a competition issue and that in this situation they aren't doing anything anti-competitive at all?
They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
In AU, at least, ACCC legislation is said to BAN deals that force purchase of a particular component (from a particular maker) when customer buys a product.
So, Fedora should NOT pay M$ a cent, as doing so brings into existence a 2nd-product & -source that breaks the anti-competitive claim.
IF -only- M$'s op sys works (or is permitted, by the hardware, to work) on a "Win 8 era" computer, the market is effectively -forced- to buy & use a particular maker's product in order to use the computer.
I'd suggest that -that's- exactly what we WANT to happen, ie, so that M$ can be sued (preferably, by gov't, eg, ACCC) for anticompetitive behavior.
OF course, IANAL. :-)
So, this is my 2.2 cents only...
When a user buys a blank PC and tries to load linux and it fails and they return the hardware.. who pays?
Microsoft because they locked other operating systems out?
Say I have a red-hat key installed, then I re-compile my kernel? Do userland programs need to be signed?
Captcha: Re insert ---> I want to reinsert the code I had before!
...That's UEFI, short for
User comma End: Fucked comma Intentionally?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I'm pretty sure that MS forcing HW-makers to block other OSes is illegal, so I do hope the EU Commission, which also forced MS to 'remove' IE and Mediaplayer, will step in to make sure this isn't going to happen. Also I just hope one other big Linux company will go to court because of this.
and there isn't really any other technical means to block it.
Nonsense. Make the BIOS hardware switch readonly, boot off known good media (e.g. CDROM) and do a checksum check of the system files. Easy, and it could've been done decades ago.
M$ explicitly chose not to do this because it's more profitable for them to have millions of people's PC's infected by viruses or in botnets, or have people wasting many millions of hours debugging or paying for "upgrades". M$ employees, and the bulk "anti-virus" industry, are criminally abusive whatever their astroturfers might claim.
Secure boot is simply readonly storage not directly accessible by the owner. Not some magic security device but a means for the vendor to control the in-name-only owner.
I'm too lazy to get a Slashdot account.
Shame on you, RedHat!
In all honesty, give us any UEFI-signed Linux kernel, and yes, Linux will be infected by rootkits (or rather "kernelspacekits"). It will be done on purpose, by the people who own the machines upon which Linux is installed, so that they can maintain their systems.
A UEFI-signed Linux kernel, like any other Linux kernel, will start to become obsolete within a week or two, because Linux is without a doubt the fastest-improving and best-maintained OS in the history of computing, whether you think it's a good OS or not. (That's a fact, Jack. Sorry FreeBSD fans. I'm not dissing your OS, just saying you're not the mainstreamiest of the Free OSes and you don't have a Red Hat or Canonical or IBM paying its employees to work on your project full time.) Part of why you use Linux, is that you want to take advantage of the awesome maintenance that popular Free Software projects get, and Linux happens to be one of the most popular and well-funded ones. So you probably are going to sometimes want to install kernel updates.
Your UEFI-signed-for-$99 kernel will be that kernel's bootloader, and the loading will be accomplished via some exploit, possibly a deliberately-created one for that very purpose.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
My solution is better. My solution will allow you to load Linux via secure boot, and effortlessly update grub or the kernel from your distribution, no matter which distribution that is (it doesn't have to be Red Hat) -- or you can compile the kernel or grub yourself, if you like, and it'll still get signed. My solution works for everyone. Just make me responsible for the root signing key and I will solve all the problems to almost everyone's satisfaction.
For maximum security, though, I do still need offsite backup volunteers. Wanna be one?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
So, this is the end of multi boot menus that include Windows 8, I guess?
I envision a box with two separate physical boot devices: one with a Windows 8 signed bootloader, and one with a bootloader that lets me choose another OS to boot. The second one may or may not be signed with the Windows 8 key. In any case, Red Hat's won't be able to chainload Windows 8, because only the first stage will be signed with the Windows 8 key.
Did I miss anything?
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
For those who are considering this, DON'T. MyCleanPC will just load up more malware on your machine. These guys are just scam artists looking to get your money!
Red Hat is willing to pay to be licensed to be able to run on the new hardware. They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
I think it sets a really bad precedent, to be perfectly honest, and I don't like it a bit.
As for the beer, don't lose sleep over it: I don't drink.
When politicians are involved, everyone loses.
How does this make you mad at RHEL/Fedora and not Microsoft?
I've been planning to avoid MS Win8 from the beginning. If I wanted a tablet, I'd have one by now. If I have new hardware, I'll put the OS I want on it, and if I can't then I won't buy it. It's that simple.
This whole thing makes me pissed at RH/Fedora because they're effectively letting MS think they can turn this into a "win/win" situation: MS either makes money selling half-assed operating systems that hardware is locked into using or MS makes money by licensing access to that hardware.
Screw them, screw the hardware.
When politicians are involved, everyone loses.
How is this move by Redhat in concept any different from what Novell did? I still think that Microsoft is the aggressor/enemy, not either RH nor Novell (nor SUSE)...
I don't use SuSE, either. I wasn't happy with the way that Novell bought DR-DOS and basically laid there like a dead fish.
When politicians are involved, everyone loses.
Looks like it's a $99 fee that goes to getting a signature to prove that it's legit software. This should keep people like those at Adobe from writing to the boot sector and crapping up enterprise Windows computers, something we cannot get away from until something else like ReactOS or Linux steps its game up and becomes serious enough to live under a budget of time and money for a 1 man IT shop...
No, you hope that M$ will give Asus and other MB makers permission to give you a choice of BIOS options when you buy a new MB. Not if it's for an ARM CPU!
....with Microsoft locking things down, if Apple wants superiority. Now is the time to allow installation on non-Apple hardware (without having to Hack'in'tosh things together).
Windows8 is a kind of terrible of Vista proportions.
Windows is the last of the OS's not to use a Unix'esque kernel
8 will be the last nail in the coffin, Microsoft has truly lost their way.
There are 2 groups of people you can make fun of on the Internet without fear of attack. The illiterate, and the Amish.
It looks like I am not the only one who sees a giant red flag here: Microsoft is knowingly and deliberately squeezing or freezing out all OS competition with the pressure it is putting on software companies. This is probably a monopoly violation. The first economic region to deal with this will be Europe and the EU, but even the completely corrupt US governmental system will be forced to recognize what is going on and deal with it. Nice try, Ballmer and Gates!