Slashdot Mirror


SUSE Slowly Shows UEFI Secure Boot Plan

itwbennett writes "One blog post at a time, SUSE is revealing its plan for getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot. The short version: 'For now, it seems, SLES will implement an approach similar to that used by Fedora,' writes Brian Proffitt. '[Director of the SUSE Linux Enterprise Olaf] Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader.' Just dying to know what's next? Tune in to the SUSE blog."

190 comments

  1. Its a trap!!! by FriendlyLurker · · Score: 1, Offtopic

    Run!

    1. Re:Its a trap!!! by Anonymous Coward · · Score: 1

      I am sure those who wish to break the popularity and open nature of commodity hardware and the OSs that run on it have long studied how best to break what we have achieved so far. UEFI Secure Boot is not so offensive that the Linux distributions "Run!" in fear, but it is pretty obvious that UEFI is just the thin edge of the wedge. It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.

  2. what is the point again? by OrangeTide · · Score: 1

    does UEFI secure boot bring any value to users or only to our corporate masters?

    --
    “Common sense is not so common.” — Voltaire
    1. Re:what is the point again? by Anonymous Coward · · Score: 0

      Riiiiight. It also also absolute control over YOUR computer by third parties. Pleeeaaase.

    2. Re:what is the point again? by Anonymous Coward · · Score: 1

      does UEFI secure boot bring any value to users or only to our corporate masters?

      Pretty soon you won't be allowed to run any DRM-ed software on a machine which doesn't have it, because it will eliminate most opportunities for hacking the DRM.

      Ah, I think I get your point.

    3. Re:what is the point again? by countach · · Score: 1

      I think in theory it plugs a malware hole, that the whole OS is secure from the bootloader on up.

    4. Re:what is the point again? by Anonymous Coward · · Score: 0

      Yeah, so much control that the Microsoft certification specifically requires that the OEMs let you disable the option.

    5. Re:what is the point again? by Anonymous Coward · · Score: 1

      Because Microsoft would never think of pulling an ARM for future releases of Windows. Not in a million years. Can't happen.

    6. Re:what is the point again? by Anonymous Coward · · Score: 0

      It can't. If they actually want to keep selling it.

    7. Re:what is the point again? by Anonymous Coward · · Score: 1

      It can't. If they actually want to keep selling it.

      Really? Who's going to stop them selling Windows because they require Windows-logoed motherboards to force 'Secure Boot'?

    8. Re:what is the point again? by morcego · · Score: 1

      Yes. Like the "malware" that allows people to use a pirated copy of Windows 7.
      Somehow, I think that is one of the main reasons they went after this "secure boot" thing.

      --
      morcego
    9. Re:what is the point again? by gomiam · · Score: 5, Interesting

      Theory is closer to practice in theory than in practice. The facts are clear: UEFI lets someone else decide what you can or can not run in your computer.

      Think you can disable it? Think again: who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?

    10. Re:what is the point again? by Billly+Gates · · Score: 1

      Yes. It keeps my computer secure from rootkits and with Office 2013 and win 7 I can put restrictions on files in groups and have documents timebomb which is nice too.

      I do not like the implementation of this as an OEM or MS can decide for me which OS to sign. This would be great if keys could be installed from the internet using something like SOA so that way I could run Linux or even my own os signed! That probably won't happen in future releases of UEFI but one can hope.

    11. Re:what is the point again? by OrangeTide · · Score: 2

      The EU would probably stop them.

      --
      “Common sense is not so common.” — Voltaire
    12. Re:what is the point again? by LordLimecat · · Score: 1

      DoJ.

    13. Re:what is the point again? by Gadget_Guy · · Score: 2

      Think you can disable it? Think again:

      Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.

    14. Re:what is the point again? by Anonymous Coward · · Score: 0

      Or you could not use a computer logged in as super user.

      The malware hole remains as long as anyone can install third party applications on their own computer.

    15. Re:what is the point again? by Anonymous Coward · · Score: 0
    16. Re:what is the point again? by Anonymous Coward · · Score: 0

      It's worth noting that, even in the Wikipedia article you linked, most people agree frogs won't sit still no matter how slowly you boil the water.

    17. Re:what is the point again? by Nerdfest · · Score: 1

      The best thing that could happen to Windows 8 is for people to pirate it. Perhaps they're trying to build up a false sense of value.

    18. Re:what is the point again? by Anonymous Coward · · Score: 0

      Microsoft has never really gone after people who pirate Windows. Even non-validated copies of Windows work fine and just make the desktop black with a message at the bottom saying that it might not be a genuine copy.

    19. Re:what is the point again? by http · · Score: 2

      If being able to disable it is part of the UEFI spec, what are those Windows 8 ARM devices using?

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    20. Re:what is the point again? by camperdave · · Score: 2

      Think you can disable it? Think again:

      Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.

      It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.

      --
      When our name is on the back of your car, we're behind you all the way!
    21. Re:what is the point again? by 0123456 · · Score: 1

      The EU would probably stop them.

      So why haven't they stopped Microsoft requiring 'Windows Boot' on ARM?

    22. Re:what is the point again? by phantomfive · · Score: 3, Informative

      As someone who's gotten Linux to boot on an EFI machine, I can tell you that motherboards do not always implement the full specification.

      Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.

      --
      "First they came for the slanderers and i said nothing."
    23. Re:what is the point again? by exomondo · · Score: 1

      So why haven't they stopped Microsoft requiring 'Windows Boot' on ARM?

      Because they obviously don't have a monopoly there. In fact, they don't even have any presence in that market; additionally, the product they are releasing there is not the same as the one in which they have a monopoly. It's the same deal with Windows Phones, they don't have to open that up and provide all their private APIs because they don't have a monopoly in that market. They have a monopoly in x86 desktop/laptop computers (a market that doesn't include ARM computers) - it's all there in the EU and US DOJ filings.

    24. Re:what is the point again? by Anonymous Coward · · Score: 0

      who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?

      They could have done that with BIOS 20 years ago but they didn't and they can't do it on X86 version because they'd get a government smackdown just like they have in the past with anti competitive tactics.

    25. Re:what is the point again? by Gadget_Guy · · Score: 2

      It is a different spec for ARM than Intel chips. The ARM version of Windows 8 does not have to maintain backwards compatibility with an existing user base. Intel Windows does have a long pedigree, and the OS will work on systems made in 2002. Given that they are trying to support computers that predate UEFI by a decade, then they can't start insisting on secure boot only.

    26. Re:what is the point again? by eric_herm · · Score: 1

      Why would they stop Microsoft and not Apple or Samsung or everyone on the market who has done this for years on their ARM tablets and computers (also called cellphones)?
      In fact, why do people care about Microsoft doing it and not Apple? Where are all those protesters we are seeing on every website, why aren't they doing something radical like burning an Apple store?

    27. Re:what is the point again? by eric_herm · · Score: 1

      So when Microsoft does not try enough to stop piracy "that's because they want to keep their monopoly at all costs", and when they do "that's because they want to keep their monopoly". There is a moment where logic should apply I think.

    28. Re:what is the point again? by eric_herm · · Score: 1

      Yeah, that's like saying "sure free speech is part of the constitution, but it can be changed so our liberties are endangered". Saying "this can be changed later" is a totally useless statement. Maybe saying "maybe the spec will later mandate an anal probe to start my computer" is equally as accurate, since based on nonexistent facts and still true, because we have the technology for doing that (ok, not exactly, because there is no ready to use probe for that, but nothing prevents building them).

      So sure, basing your present on whatever could happen without proof (and I mean, real proof, not supposed one) is idiotic.

      Microsoft requires secure boot with UEFI because the whole industry for ARM tablets already does, each in their own way. So the main point is to have 1 single thing to support, and not local variations, which makes sense from an engineering point of view. Without stuff like SB on ARM, I think Microsoft would have asked for a locked bootloader anyway, only to prevent movie copying and other demands that Apple surely makes to the content industry. Without this, content providers would have said "no", and they would have lost a rather important competitive advantage (if not a strategic one, since tablets are marketed as consumption devices primarily, like "reading paper on the couch", or "watching streamed movies"). Or even for non content related industry, there is games and Apple touts the fact that piracy is higher on Android to lure people into developing for their platform (and thus get money when games are doing well).

      So face it, the battle was played when people accepted iOS devices. The rest is just industry following those who succeeded.

    29. Re:what is the point again? by SuricouRaven · · Score: 1

      Perhaps. After a ten-year court case. Then, once Microsoft has destroyed all competition and ensured profits of many billions, the EU can give another record-breaking billion-euro fine.

    30. Re:what is the point again? by Anonymous Coward · · Score: 0

      Perhaps. After a ten-year court case. Then, once Microsoft has destroyed all competition and ensured profits of many billions, the EU can give another record-breaking billion-euro fine.

      Interesting that you believe that Microsoft will completely beat iPad and Android in the ARM tablet market we are talking about here.

    31. Re:what is the point again? by Luckyo · · Score: 1

      Same reason they haven't stopped any of iphones or android phones from doing the same thing. Lack of monopoly on the market.

      There are many things that you can do that limit competition legally. Many of these options vanish when you become a monopoly. Windows has a near monopoly in desktop market (judged to be monopoly by EU). As a result, demands to not lock down the system on x86/amd64 PC are backed by anti-monopoly legislation. Demands for the same on ARM are not.

    32. Re:what is the point again? by Luckyo · · Score: 1

      When they do it's because they want to monetize these people without losing them - hence the dualistic approach.

      Using logic is indeed not hard. Parroting silly press releases without engaging in any critical thinking is easier though, as your post shows.

    33. Re:what is the point again? by thegarbz · · Score: 1

      then they can't start insisting on secure boot only.

      Can't is a strong word in an industry where in the last few years we've seen companies abandon an entire computer architecture breaking all backwards compatibility, moving the software ecosystem from software as a product to software as a service, and one of the biggest vendors has now announced they will be competing directly with their OEM suppliers.

      "Can't" is the one word we can't use to describe anything in the IT industry.

    34. Re:what is the point again? by Anonymous Coward · · Score: 0

      Yep. Linux users need a reality check sometimes, badly. Nobody cares about an OS used by 0.5% of the population. Get real, ffs.

    35. Re:what is the point again? by gomiam · · Score: 1

      Why do I think they don't really care much about government smackdowns? It's not like paying €497M hurt them much.

      They could have tried that in the '90s but, guess what? There was no standard, so forcing OEMs to secure their BIOS would have been a much bigger effort (and Microsoft was far from the size it has now). Now it is very easy: it is included in the standard.

    36. Re:what is the point again? by JackieBrown · · Score: 1

      The DoJ is too busy suing states and trying to continue voter fraud to get involved in this

    37. Re:what is the point again? by Gadget_Guy · · Score: 1

      "Can't" is the one word we can't use to describe anything in the IT industry.

      But have a look at the backlash that Microsoft received when Vista had high system requirements. Subsequent versions of Windows have tended towards better support for older systems, and not worse as would happen if secure boot was mandatory.

      So until we actually see a change in Microsoft's policy, people are complaining about a fantasy future that does not match the current practices of Microsoft regarding Windows.

    38. Re:what is the point again? by Gadget_Guy · · Score: 1

      It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.

      And it doesn't mean that it won't remain part of the spec. It is all guesswork. Should you really be able to deny people have security features added to Windows because in some dystopian future those features may be made mandatory?

      Should we also ban firewalls because one day the built-in firewall may be only made configurable by a paid service rather than a local tool?

    39. Re:what is the point again? by Gadget_Guy · · Score: 1

      Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.

      Except that if a motherboard can't disable UEFI then older versions of Windows (especially x86 versions) would not boot. Remember that Microsoft's biggest competitor to Windows is older versions of Windows. This is going to become even more pronounced if people reject the Metro user interface (or whatever it is called now) and stay with XP or Win7.

    40. Re:what is the point again? by Anonymous Coward · · Score: 0

      If you think that this will make Windows any more secure you have completely gone up Ballmers asshole.

    41. Re:what is the point again? by Anonymous Coward · · Score: 0

      Then why does Linux own these markets?

      1. Server
      2. Cloud/Mainframe
      3. Supercomputers
      4. Embedded, including phones.

      MS is a bit player everywhere except desktops and the desktop market is shrinking.

      Why does MS spend millions of dollars on FUD each year?

      Why does MS significantly copy KDE/Gnome & OS X?

      Because no one cares!

    42. Re:what is the point again? by camperdave · · Score: 1

      Don't forget Microsoft's SOP: Embrace, Extend, Extinguish. Right now UEFI is being Embraced.

      --
      When our name is on the back of your car, we're behind you all the way!
    43. Re:what is the point again? by marcosdumay · · Score: 2

      No, it doesn't, and no, it doesn't.

      It does not create any extra protection for IT people to use against their users. If they break into their computers enough to install a boot loader, Secure Boot doesn't stop them from doing anything else, besides installing some unsigned Linux distro.

      It also won't protect your computer against any trojan or virus that doesn't install a boot loader, and that set is basically all of them. There are a few exceptions, of course, boot loader malware exists, it is just very very very rare.

      The most visible practical consequence of Secure Boot (the way it is now, ignoring the obvious extension that will make Windows mandatory) is that it will protect your computer against anti-virus and data recovery tools.

    44. Re:what is the point again? by thegarbz · · Score: 1

      The current practices of Microsoft? You mean the current practices of a company which has in the last few years announced a change from producing an operating system that runs on an open PC architecture to announcing new plans for vendor lock-in (ARM), restrictive usage scenarios (limited app running capabilities), the start of a walled garden (Windows Store), and decided to compete directly with OEMs producing a fully closed hardware/software platform.

      Regarding Microsoft's future, fantasy is the only thing we have at the moment. All bets are off for where they are going to try and take the industry, especially given how they have had abysmal performance over the last 5-10 years in the eyes of shareholders and management.

      It's not fantasy. They will try something, and I'm betting they will shit on the rights of users in the process.

    45. Re:what is the point again? by Anonymous Coward · · Score: 0

      When they do it's because they want to monetize these people without losing them

      Nope, that doesn't follow. If that were the case there would be no reason to have taken a soft stance on piracy for the nearly 20 years that they've had a monopoly.

    46. Re:what is the point again? by Luckyo · · Score: 1

      How does taking a hard stance on people who aren't doing anything illegal help? Most of the pirates we're talking about lived in countries where pirating OS wasn't illegal back then.

      The only thing you'll do is piss off entire large countries, which will become interested in providing government-level funding for your competitors. That's suicide.

  3. Re:Microsoft Linux by Anonymous Coward · · Score: 0

    But most of all: Fuck trolls.

  4. It is a trap - control over the OS by Anonymous Coward · · Score: 2, Interesting

    How long until firmware yays or nays the OS you're trying to install? Windows 8 Tablet is just a baby step into that future...

    1. Re:It is a trap - control over the OS by Anonymous Coward · · Score: 2, Informative

      Only for ARM based systems. Microsoft has stated that all Windows 8 branded x86 PCs must have the ability to disable secure boot.

    2. Re:It is a trap - control over the OS by camperdave · · Score: 2

      Only for ARM based systems. Microsoft has stated that all Windows 8 branded x86 PCs must have the ability to disable secure boot.

      Sure, they say that now. Soon it will be optional, then it will be required that secure boot be unable to be disabled.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:It is a trap - control over the OS by fragMasterFlash · · Score: 1

      So you think UEFI boot will be harder to root than iOS or Android devices? Look at the custom chipset in the XBox if you want to see what it takes to make a consumer product moderately well protected against being rooted. I have seen nothing in the secure boot specifications that looks as daunting. What scares the heck out of me is the likelihood UEFI secure boot will end up being compromised without detection and critical infrastructure will be owned before anyone detects it.

    4. Re:It is a trap - control over the OS by SuricouRaven · · Score: 2

      It doesn't have to be uncrackable. It just has to be sufficiently hard that people who are not experienced with linux never get to try it.

    5. Re:It is a trap - control over the OS by Luckyo · · Score: 1

      They already do so on many linux (android) phones. The entire thing is old news in ARM world.

    6. Re:It is a trap - control over the OS by Anonymous Coward · · Score: 0

      You haven't used an Apple product recently, have you?...

    7. Re:It is a trap - control over the OS by kthreadd · · Score: 2

      You haven't used an Apple product recently, have you?...

      Linux runs just fine on my Macs.

    8. Re:It is a trap - control over the OS by camperdave · · Score: 1

      Does UEFI affect the boot process of virtual machines? If someone wanted to try linux, could they not do it in a virtual environment, a la wubi?

      --
      When our name is on the back of your car, we're behind you all the way!
    9. Re:It is a trap - control over the OS by Anonymous Coward · · Score: 0

      And in these cases, if you do manage to install an alternate OS, you are in violation of the DMCA.

    10. Re:It is a trap - control over the OS by pnutjam · · Score: 1

      No USB on your servers? Most of mine don't have PS/2, but they still have plenty of USB.

    11. Re:It is a trap - control over the OS by SuricouRaven · · Score: 1

      No. You can still use that method easily enough. But it means memory overheads (Even doing nothing but running a VM, Windows will still eat at least a gig), and no low-level hardware access.

    12. Re:It is a trap - control over the OS by Anonymous Coward · · Score: 0

      WUBI is not a virtual machine, it just installs Ubuntu on to a Windows partition. When you boot it up, Windows is not running in the background.

  5. here's hoping.. by Johann+Lau · · Score: 1

    There are two ways of getting there. One is to work with hardware vendors to have them endorse a SUSE key which we then sign the boot loader with. The other way is to go through Microsoft's Windows Logo Certification program to have the boot loader certified and have Microsoft recognize our signing key (i.e. have it signed with their KEK). We are currently evaluating both approaches, and may eventually even pursue both in parallel.

    Seeing how Microsoft is currently pissing off Hardware vendors (and surface isn't even out, so I guess the worst is still to come), I sure hope the first of those two options will come to pass. I'm not sure if I dare be optimistic, this whole thing crazy to begin with. I mean, who the fuck is Microsoft's Windows Logo Certification anyway, and why are they putting their penis in my soup? Waiter?!?!

    1. Re:here's hoping.. by Johann+Lau · · Score: 2

      Yeah, I know that. Do you know what random typos are?

      I'm getting tired of passive-aggressive gestures of submission by AC's.. I mean, I get it, but still.

    2. Re:here's hoping.. by camperdave · · Score: 1

      Did you know? The word "hardware" is not a proper noun...

      Some people would like to have a word with you.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:here's hoping.. by Anonymous Coward · · Score: 0

      then go die in a chopstick fire, chink. it will solve multiple problems at once.

  6. Re:Microsoft Linux by Johann+Lau · · Score: 1

    Don't knock it till you tried it. I mean, people have no qualms talking about Ubuntu with a straight face here... wtf is up with that?! OpenSUSE is as awesome as they can be in a crappy world.

  7. There's a totally open source verified boot by Anonymous Coward · · Score: 3, Insightful

    running on Chromebooks. All source is there. You can download it and study it and build something good on it.

    So what are the "open source OS companies" putting all their effort into? Satisfying a closed, proprietary system designed to lock users in. Very disappointing.

    1. Re:There's a totally open source verified boot by AdamWill · · Score: 3, Interesting

      UEFI is a standard. It's not a codebase. There's no reason there can't be F/OSS implementations of UEFI, and indeed Secure Boot - SB relies on asymmetrical key signing, which of course can be perfectly well implemented by F/OSS code. In fact, I think there's a partial F/OSS implementation of UEFI and SB for qemu already.

    2. Re:There's a totally open source verified boot by Anonymous Coward · · Score: 0

      No offense intended, but you don't understand the problem if you are saying this. You're just propagating misinformation.

      Ron Minnich

    3. Re:There's a totally open source verified boot by Anonymous Coward · · Score: 0

      Yeah, you just need to install your own BIOS on your motherboard before you can boot your OS. That's so simple.

    4. Re:There's a totally open source verified boot by Anonymous Coward · · Score: 0

      and see how far the various "Open" bios has gotten. :P http://en.wikipedia.org/wiki/OpenBIOS

    5. Re:There's a totally open source verified boot by Anonymous Coward · · Score: 0

      this is /. understanding 99.9% of comments are misinformation is the first rule to /. club; and yes that guy is a moron who doesn't understand the problem

    6. Re:There's a totally open source verified boot by eric_herm · · Score: 1

      The next rule is that "if this is your first night on the /. club, you must post misinformation comments"

    7. Re:There's a totally open source verified boot by Anonymous Coward · · Score: 0

      The statement was a bit terse so I googled your name and read some of what you have written, listened to the 2008 Google tech talk and looked at coreboot. All very good stuff. Your work speaks for itself. I didn't know much about the innards of EFI before reading your comment, but with what I was able to dig up you've convinced me that something like coreboot is better than EFI from both a technical and political standpoint.

      I also used to work in Windows at Microsoft. I'll admit that in the big picture I wasn't a hugely influential decision-maker there. From what I have seen there definitely have historically been people acting in bad faith at Microsoft with regards to such "standards". I know there's something from billg that came out in court, where he said they can use ACPI to kill Linux, or at least slow it down. And while people I worked with generally didn't say those things while I was there, I'm pretty sure that there is some amount of that attitude "latent" in the company, existing in pockets.

      But I think for the most part those attitudes from Microsoft are in the past. Today when we see stupid shit like secure boot come out of Redmond, I think the primary driver is incompetence rather than anything nefarious. The Microsoft of 2012 is not nearly well organized enough to pull off a conspiracy like that. Even those that do have hostile attitudes towards Linux do so mostly out of their own ignorance and incompetence, rather than being evil, wanting to kill it, and knowing how.

      The recent Vanity Fair article about Microsoft politics does capture some of what's gone wrong. People are more interested in gaming annual review than delivering a good product. It totally taints every interaction one would have at the company, and in Windows in particular this runs deep.

      With the latest Windows cycle it's also the story of a conglomeration of management chains trying to reproduce what Apple has done with iOS, but without understanding what pros or cons exist. iOS signs code so we must. They won't come right out and say it but that's the subtext. This is largely Sinofsky's fault, the man is both a doofus and has very superficial awareness of what his people are doing. But even independent of him there is a large bureaucracy of people doing stupid shit because (1) they think it will get promotions and bonuses for them and their friends (it often does) and (2) the competition is doing something vaguely resembling that, so why not? This did not seem common at Microsoft when I joined but by the time I left it was thick.

      So back to my original point... I'll agree that the result is largely the same, but why ascribe to malice what can be explained by incompetence and big company politics? I agree with you that coreboot beats EFI, for example, that you can just take drivers from Linux rather than having to write something new for the EFI environment. But the forces behind EFI are the same ones that have been shipping crappy BIOS for years and years. They're not going to understand that. So, I'll say, I don't know if I'm misinterpreting your position on this, but I can't say that the forces behind EFI are acting entirely in bad faith. Not good at their job maybe, but bad faith? You can say you don't like it, and I agree with your rejection of it in principle, but it does the job of being better than BIOS.

  8. All that fighting for nothing? by Anonymous Coward · · Score: 4, Insightful

    I don't get it.

    So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?

    You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.

    Playing along here is NOT THE ANSWER. Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufacturers who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first). They're going to realize this mighty fast and either produce cheaper "Linux" versions of their motherboards without UEFI restrictions (or even better, without UEFI at all)- or just drop the whole Secure Boot thing altogether.

    Again, playing along with this mockery is the WORST POSSIBLE THING anyone could do. It's like letting the Germans into your country during 1945 because they promised they'd only ask for your papers when you're entering or leaving your own city. How long do you think it'll be until they have the same guards stationed everywhere? Train stations, food stores, clothing stores... How long before you're walking down the street in your own community and you're getting stopped for papers, only blocks away from your house?

    I'm sick and tired of people saying "it's only the bootloader man, chill". Yeah, it might be today. What about tomorrow, when they drop the ability to manually disable Secure Boot permanently? What then, huh? Well, then Microsoft has the power to revoke your keys and doom your operating system to death. After everything Linux has been for, after everything Linux has stood for- why the fuck would you EVER want to give Microsoft this power?

    Fedora, Ubuntu, and SUSE can kiss my fucking ass. All these distributions are a disgrace. A total fucking disgrace. The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch". So what if your users have to manually disable Secure Boot for now. At least then they'll realize what is going on here and you might actually educate a few of them as to why CLOSED PLATFORMS ARE BAD.

    -AC

    1. Re:All that fighting for nothing? by Chaonici · · Score: 2

      Erm, the person who posted the message is not as important as the message's content. In fact, the identity of the poster is almost completely irrelevant.

    2. Re:All that fighting for nothing? by Anonymous Coward · · Score: 0

      You're free to stick with gNewSense and Trisquel.

    3. Re:All that fighting for nothing? by kiwimate · · Score: 1

      Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.

      Ah, well at least you're putting forth a calm and rational argument.

      Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufacturers who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first).

      This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?

      It's like letting the Germans into your country during 1945

      This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.

      The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch".

      Says the anonymous coward.

      I have several times observed a tech expert, making a totally valid point that was 100% correct, fail utterly to win support for his argument because he made his point while raving and going over the edge.

      Ranting is not the answer. You end up marginalizing anyone who's not already part of the faithful. Doing nothing is not the answer. People who you want to switch to Linux will see it doesn't work on their new system and won't have any sensible explanation as to why this should be. If that's the first picture they get, and there's no help, then they think "Linux can't even install/boot up/get started without some mucking around? What else is going to go wrong?".

      Then again, you're probably not going to listen and I really don't care. So, rant away, and continue wondering why you don't make any inroads.

    4. Re:All that fighting for nothing? by LordLimecat · · Score: 1

      To make statements as bold as his without actually standing behind them damages the credibility of the statement itself, and makes one suspect trolling. When said AC proceeds to Godwin the whole discussion and compare a situation in IT to World War 2, it becomes clear why ACs are generally reviled.

      One of the reasons to post AC is that you know your post is so ridiculous and out there that there's a 50/50 chance it will get flagged as the flamebait that it is. GP basically said "if you don't agree with me you're WW2 France, and Microsoft is Hitler". If that doesn't deserve a karma penalty I don't know what does.

    5. Re:All that fighting for nothing? by epyT-R · · Score: 1

      His argument is spot on... obviously, since the only thing you could critique was his anonymity and his Nazi reference... and honestly, the former is perfectly acceptable in a free society, and the latter isn't all that far off base.

    6. Re:All that fighting for nothing? by epyT-R · · Score: 1

      Ah, well at least you're putting forth a calm and rational argument.

      It is rational. It just isn't calm.

      This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?

      Agreed. This argument doesn't make much sense.

      This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.

      Why? The whole Nazi police state reference is a perfect analogy with the top down lock down that is signed UEFI. Sure, today, it can be disabled, but the slippery slope does apply here.

      Says the anonymous coward.

      In free societies, anonymity is perfectly acceptable. The argument stands or falls on its own. Demanding ID just demands an argument from authority. The only thing you might gain is slightly higher confidence in the speaker, but that doesn't prove anything either.

      I have several times observed a tech expert, making a totally valid point that was 100% correct, fail utterly to win support for his argument because he made his point while raving and going over the edge.

      In cases where someone is ranting, it is most likely serious, with high stakes, and the group is about to make a terrible decision. In such circumstances, these listeners are idiots for not taking sound advice because the format didn't stroke their egos sufficiently/allow them to save face/hurt their oversensitive feelings.

    7. Re:All that fighting for nothing? by camperdave · · Score: 1

      It's like letting the Germans into your country during 1945

      Learn a little history. In 1945, the War was ending. The Allied Forces were squeezing Germany like a lemon. Hitler was ordering that all industries, military installations, machine shops, transportation facilities and communications facilities in Germany be destroyed. German military leaders were committing suicide left, right, and center. There were probably untold thousands of German civilians fleeing the country in 1945. None of them would have been stopping people and asking for papers. They would have been glad to get out alive.

      --
      When our name is on the back of your car, we're behind you all the way!
    8. Re:All that fighting for nothing? by Anonymous Coward · · Score: 0

      Sure. Manson is a decrepit old man in prison. He's probably even more harmless than Charles.

    9. Re:All that fighting for nothing? by westlake · · Score: 2

      I don't get it.
      So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?

      Secure Boot is not new.

      Another case of trusted boot is the One Laptop per Child XO laptop which will only boot from software signed by a private cryptographic key known only to the OLPC non-profit organisation. However, the laptop and the OLPC organisation provide a way to disable the restrictions, by requesting a "developer key" unique to that laptop, over the Internet, waiting 24 hours to receive it, installing it, and running the firmware command "disable-security". The stated goal is to deter mass theft of laptops from children or via distribution channels, by making the laptops refuse to boot, making it hard to reprogram them so they will boot and delaying the issuance of developer keys to allow time to check whether a key-requesting laptop had been stolen.

      Hardware restrictions

      Secure Boot makes a great deal of sense.

      Secure Boot is biting the geek in the ass because of his pathetic dependence on affordable hardware designed and built for the mass market Windows platform and because he has had damn little influence or control over the explosive evolution of a mobile market defined and shaped by Apple.

      You do not gain converts to Linux by disabling low-level hardware security in Windows.

      You do not gain converts to Linux by encouraging Windows users to dual boot into Linux.

      Damn near everything client side in FOSS is ported to Windows or begins as a native Windows app. There are strange, inexplicable, glitches. Try explaining to a Windows user why audio and video support isn't part of the default install of the Chromium browser...

      You gain converts to Linux through strong OEM support and promotion and broad retail distribution of high quality Linux systems. The bottom feeders are no longer welcome even at Walmart.

    10. Re:All that fighting for nothing? by flyingfsck · · Score: 1

      Hmm, I think only Argentina let Germans into their country in 1945.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    11. Re:All that fighting for nothing? by Anonymous Coward · · Score: 0

      Ballmer is an uncircumcised cockroach!

    12. Re:All that fighting for nothing? by LordLimecat · · Score: 1

      Until countries are invaded and millions killed, no, it isn't like the Nazis at all.

  9. Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 5, Informative

    I'm used to a little bit of healthy paranoia here, but the amount of FUD and flat-out misinformation in Slashdot's UEFI reporting is frankly astonishing. Let's get a few things straight.

    UEFI is not a Microsoft technology. It is an industry standard intended to replace the archaic x86 BIOS. Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. You can freely download the full specification from the uefi.org website.

    Secure Boot is part of the larger UEFI specification. See section 27 for the technical details. Of particular interest to Slashdot readers will be section 27.7 which describes the key update mechanism.

    Secure Boot is intended to solve the real-world security problem of boot-time malware. No operating system can defend against malware at boot-time; this would be equivalent to defending against the hardware itself. If it helps, imagine how you would defeat a keylogger embedded in your keyboard.

    Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure. (I am defining "full-proof" here to mean the keys and hashes involved are adequately difficult to brute-force with modern hardware. I am also explicitly discounting scenarios outside of UEFI's area-of-responsibility, such as vulnerabilities in the operating system's signed image.)

    For some real irony, see the Slashdot article Windows 8 Secure Boot Defeated. Both the headline and much of the discussion in this article were flat-out wrong. The exploit in question targeted the legacy BIOS and MBR. This is exactly the problem that Secure Boot addresses, and it reinforces the need for this technology.

    Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in. Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely. I concur that Microsoft's treatment of ARM is a dick move, but is also typical for other vendors in that market segment. In either case, remember that Secure Boot is a logical solution to a real-world problem affecting all operating systems, and evaluate it on this merit first.

    Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

    Links:
    UEFI membership list: http://www.uefi.org/join/list/
    UEFI specification: http://www.uefi.org/specs/agreement

    1. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 5, Insightful

      UEFI is not a Microsoft technology. It is an industry standard intended to replace the archaic x86 BIOS.

      OOXMLz is a standard as well. Your point being?

      Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure.

      I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.

      Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in.

      True, and yet... it can be used as such. Excuse me, I meant it is already being used as such (see Windows 8 on ARM).

      Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

      You are free to decide what to use. Just tell me: what will you do when the parts that allow you to edit the key database stop being manufactured? What will you do when, say, the graphics cards you want to use require UEFI to protect their HDMI hardware? It will happen, and rather sooner than later.

      Remember: it's not paranoia when they are out to get you. And they are, oh how they are.

    2. Re:Slashdot has gone batsh*t crazy by Joe_Dragon · · Score: 2

      Video cards have HDCP now and they don't need UEFI to lock it down.

    3. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 2, Insightful

      But it is paranoia when you assume people are out to get you and ignore the facts of the matter. Facts like:

      1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.
      2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.
      3. The Secure Boot specification requires that it can be disabled. This isn't just for open source nuts, it's also for Windows admins who want to downgrade an OS or run imaging software or run tests from a USB drive. If OEMs locked down the hardware so those tasks couldn't be completed they would go out of business.

      If you think secure boot is going to take over and prevent people from running the software/OS they want, then you are being paranoid.

    4. Re:Slashdot has gone batsh*t crazy by kiwimate · · Score: 1

      Excellent post. I have several times thought about pointing out these same points on UEFI, but always gave up. I figured "no point - it'll get modded down because people don't want to hear".

    5. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in. [...] Just because the technology can be mis-used is no reason to completely boycott it.

      My fear is that, once Secure Boot is widely implemented, Microsoft will start refusing Windows licenses to hardware manufacturers who allow the end-user to install their own keys in order to install a new OS. You seem to know what you're talking about. Could you please tell me: is this possible?

    6. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.

      Right now at the moment it will not affect OEMs no, but why give convicted monopolists the tools that may eventually be used to lock out competition to begin with? It's like hiring a drug addict to guard the police evidence locker, of course it'll work for the first couple of days, but you know that he's going to get in there eventually.

      2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.

      Wrong. Linux in the ENTERPRISE is a multi-billion dollar market. Nobody is making any money (directly) off of home Linux users, nor care if they are the ones being locked out of their hardware.

      3. The Secure Boot specification requires that it can be disabled. This isn't just for open source nuts, it's also for Windows admins who want to downgrade an OS or run imaging software or run tests from a USB drive. If OEMs locked down the hardware so those tasks couldn't be completed they would go out of business.

      Specifications can and will be changed. The fact that you're calling people who use open source 'nuts' already shows how much you care about that topic, so you're trying to convince people who do take open source seriously that Secure Boot is not that bad, while not having a vested interest in open source yourself, but apparently do have a vested interest in Secure Boot.

      The Windows admins who need to downgrade an OS, will eventually be able to do that for the first few years, until the hardware gets written off and hardware is brought in that ONLY runs the latest and greatest, but that doesn't matter of course, because the older version of Windows will not be supported anyway anymore...

    7. Re:Slashdot has gone batsh*t crazy by lostfayth · · Score: 1

      They could refuse to certify their hardware, which would likely cost them any discounts on licensing. They would not be able to use Windows Update to update drivers. See: http://msdn.microsoft.com/en-us/library/windows/hardware/hh924782

      Windows could be changed in such a way as not to allow installation on uncertified hardware. Likely not insurmountable, but not trivial for the average user.

      The tinfoil hat could be screwed on too tight, but then again..

    8. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      Thank you. How different is UEFI from OpenBIOS or GRUB2?

    9. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      OOXMLz [wikipedia.org] is a standard as well. Your point being?

      I'm not sure how he could have made it more obvious, OOXMLz is not an industry standard (which is one of his qualifiers) and was developed solely by Microsoft, which again he quite clearly pointed out that is not the case with UEFI. I'm not sure he could have been much clearer, I've bolded the relevant parts of his post if that helps you:

      It is an industry standard intended to replace the archaic x86 BIOS. -- See how he says 'industry standard'? OOXMLz is not an industry standard.

      Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. -- See how he says Microsoft participated in the standard as did a number of other companies? Microsoft created the OOXMLz standard on their own without participation of other companies.

    10. Re:Slashdot has gone batsh*t crazy by KingMotley · · Score: 1

      If Microsoft forced vendors, or even coerced them into something like that, there would be more antitrust trials both in the US, the EU, and probably a few other countries. It wouldn't be profitable no matter what, so they won't do it even if you think Microsoft is out to get you. It really is that simple.

    11. Re:Slashdot has gone batsh*t crazy by guruevi · · Score: 3, Interesting

      But HDCP is also weak and has already been defeated. Secure Boot could make it hard for instance to put in a driver that would accept non-HDCP links.

      The problem is that Secure Boot is a solution looking for a problem. Boot-time malware can already be detected in software, is really hard to pull off, can be secured by not allowing software other than the OS to access the boot records and wouldn't be a benefit to anyone if it was undetectable.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    12. Re:Slashdot has gone batsh*t crazy by lostfayth · · Score: 1

      Yet it is possible, which was the question that was asked. The repercussions (legal and otherwise) would be swift, currently.

    13. Re:Slashdot has gone batsh*t crazy by eric_herm · · Score: 1

      And since vendors are Microsoft's primary clients (remember, you do not buy a Windows license most of the time, you buy a computer where someone negotiated a Windows license for you), it would be rather stupid to screw your own clients. It usually doesn't end well, especially when competition (Chromebook, Canonical) are ready to provide anything to make you miserable.

    14. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      Secure Boot is intended to solve the real-world security problem of boot-time malware. No operating system can defend against malware at boot-time; this would be equivalent to defending against the hardware itself. If it helps, imagine how you would defeat a keylogger embedded in your keyboard.

      Security theatre. When was the last time you saw a piece of boot time malware? I remember viruses that would sometimes find their way onto floppy disks, so if you left the floppy in when switching on, your machine could be infected that way.... my, was a long time ago.

      It's trying to solve a problem that doesn't really exist. There are much more valuable and interesting attack vectors for malware writers these days.

    15. Re:Slashdot has gone batsh*t crazy by havana9 · · Score: 1

      Security theatre. When was the last time you saw a piece of boot time malware? I remember viruses that would sometimes find their way onto floppy disks, so if you left the floppy in when switching on, your machine could be infected that way.... my, was a long time ago.

      It's trying to solve a problem that doesn't really exist. There are much more valuable and interesting attack vectors for malware writers these days.

      Actually the problem of boot time malware was solved in the DOS days with a BIOS setting that prevented writing to the first sectors of the hard disc. An MD5 checksum of the MBR and the boot sectors saved in a read only memory should suffice. I think a jumper to enable flashing the BIOS and this checksum area easily kills the unwanted tampering of the boot sectors.

    16. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      My excuses about the mistype: of course it is OOXML and not OOXMLz.

      I am afraid you missed my point: its being a standard, either "just" an industry standard like UEFI or an ISO standard like OOXML is irrelevant. The problem is it allows lock-in, as shown on Windows 8/ARM, and that is bad.

    17. Re:Slashdot has gone batsh*t crazy by Skapare · · Score: 1

      The scheme is poorly designed. THAT is all the reason in the world to fight it every way possible. That and say BS to Anonymous Coward posts. I bet you are one of those Microsoft people, too. The correct way to do this is for the "chain of trust" to be rooted at the owner of the computer, not some corporation, not YOUR employer, and not Anonymous Coward.

      The BIOS can do it this way. Start with a hardware feature that does not allow OS access to (write) BIOS code or data once BIOS "flips the switch" to turn it off as it makes the jump to start the OS is loaded. Encryption keys are not needed. All that is needed is for the BIOS to have an inventory of bootable partition hash codes. There will be a menu to add/delete bootable partitions. When one is added, the image to be booted will be scanned to generate a hash, and that hash is saved. When one is to be booted, it scans it again as it loads it, and looks for the hash in the list of valid bootable hashes. The partition number might also be compared, as well as the device ID for permanent devices. External media like DVDs and USB drives would still have the same test applied, and can have their loadable image hashes added, too (and they stay even if the media is removed and is used again later).

      The "chain of trust" is simply not needed.

      And stop linking to some legalese form. Link to the actual specs. Tell the lawyers to go pound sand. They are the ones that fuck up everything.

      --
      now we need to go OSS in diesel cars
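
The owner-managed hash inventory proposed in the comment above, modelled as an added example (not part of the original thread and not any real firmware's code). The class and method names, the choice of SHA-256, the in-memory dictionary standing in for write-protected flash, and the sample images are all assumptions constructed for illustration.

```python
"""Toy model of an owner-managed boot allowlist: a hash inventory, no keys."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class StoreLocked(Exception):
    """Raised when the inventory is modified after handoff to an OS."""


@dataclass(frozen=True)
class Entry:
    label: str
    device_id: Optional[str]   # None = removable media, matched on hash only
    partition: Optional[int]


class BootAllowlist:
    """Hypothetical firmware-side store of owner-approved boot image hashes."""

    def __init__(self) -> None:
        # One location per image in this sketch (keyed by digest).
        self._entries: Dict[str, Entry] = {}
        # Stands in for the hardware latch that blocks writes once an OS runs.
        self._locked = False

    @staticmethod
    def measure(image: bytes) -> str:
        """Hash the image exactly as it would be read while loading it."""
        return hashlib.sha256(image).hexdigest()

    def _require_setup_mode(self) -> None:
        if self._locked:
            raise StoreLocked("inventory is write-protected until a cold start")

    def enroll(self, label: str, image: bytes,
               device_id: Optional[str] = None,
               partition: Optional[int] = None) -> str:
        """Setup-menu action: the owner approves an image."""
        self._require_setup_mode()
        digest = self.measure(image)
        self._entries[digest] = Entry(label, device_id, partition)
        return digest

    def remove(self, digest: str) -> None:
        """Setup-menu action: the owner withdraws approval."""
        self._require_setup_mode()
        self._entries.pop(digest, None)

    def check(self, image: bytes, device_id: Optional[str] = None,
              partition: Optional[int] = None) -> Tuple[bool, str]:
        """Re-measure the image and look it up in the inventory."""
        digest = self.measure(image)
        for known, entry in self._entries.items():
            if not hmac.compare_digest(known, digest):
                continue
            pinned = entry.device_id is not None
            if pinned and (entry.device_id, entry.partition) != (device_id, partition):
                return False, "hash enrolled, but for a different device/partition"
            return True, "ok: " + entry.label
        return False, "image hash not in owner's inventory"

    def boot(self, image: bytes, device_id: Optional[str] = None,
             partition: Optional[int] = None) -> Tuple[bool, str]:
        """Verify, then flip the write-protect latch before jumping to the OS."""
        verdict = self.check(image, device_id, partition)
        if verdict[0]:
            self._locked = True
        return verdict

    def cold_start(self) -> None:
        """Only a hard reset returns the store to setup mode."""
        self._locked = False


# Constructed sample images (arbitrary bytes, not real bootloaders).
LINUX_IMG = b"\xebconstructed-linux-loader" + bytes(64)
WIN_IMG = b"\xebconstructed-windows-loader" + bytes(64)
USB_IMG = b"\xebconstructed-live-usb" + bytes(64)


def demo() -> Dict[str, object]:
    fw = BootAllowlist()
    fw.enroll("Linux", LINUX_IMG, device_id="disk0", partition=1)
    fw.enroll("Windows", WIN_IMG, device_id="disk0", partition=2)
    fw.enroll("Live USB", USB_IMG)            # removable: hash only

    tampered = LINUX_IMG[:-1] + b"\x01"        # one byte changed on disk
    results: Dict[str, object] = {
        "tampered": fw.check(tampered, "disk0", 1),
        "moved": fw.check(LINUX_IMG, "disk0", 3),
        "usb": fw.check(USB_IMG, "usb7", 1),
        "boot": fw.boot(LINUX_IMG, "disk0", 1),
    }
    # After handoff, code running under the OS cannot approve its own image.
    try:
        fw.enroll("implant", tampered, "disk0", 1)
        results["post_boot_enroll"] = "accepted"
    except StoreLocked:
        results["post_boot_enroll"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Because the inventory holds hashes rather than signer keys, every bootloader update changes the measurement and has to be re-enrolled by the owner from setup mode.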
    18. Re:Slashdot has gone batsh*t crazy by Skapare · · Score: 2

      1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.

      This IS THE PROBLEM. One should not have to go buy a different machine to run a different OS. Anyone who OWNS the machine should be able to install AND BOOT any OS they want. Your words are weasel words trying to make the problem look like it isn't there.

      2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.

      More stupid weasel words. The problem is not that they might stop selling hardware to be used for Linux. The problem is they won't be selling hardware that allows its OWNER to easily and securely change the OS (e.g. disabling UEFI is the wrong way to install another OS ... another OS should be allowed if the OWNER of the machine chooses to install it and authorize it to be booted ... including Windows 8).

      3. The Secure Boot specification requires that it can be disabled. This isn't just for open source nuts, it's also for Windows admins who want to downgrade an OS or run imaging software or run tests from a USB drive. If OEMs locked down the hardware so those tasks couldn't be completed they would go out of business.

      Disabling secure boot is WRONG! Stop being stupid. Everyone benefits from secure boot ... when it is done right. The RIGHT way to do this is to allow the OWNER, during BIOS setup, to add/delete ANY valid bootable OS to the list kept by the BIOS in flash memory that is completely shut off except when BIOS started from a hard reset or cold start. Chain of trust is not needed. Trust the OWNER. Period.

      If you think secure boot is going to take over and prevent people from running the software/OS they want, then you are being paranoid.

      YOU still misunderstand the problem. What is needed is for it to WORK ... CORRECTLY ... and provide secure booting for ALL OSes that the OWNER of the machine chooses to install/allow ... while making sure that no infiltration code under ANY OS can alter the owner's choice. YOUR description of secure boot FAILs to do that.

      --
      now we need to go OSS in diesel cars
    19. Re:Slashdot has gone batsh*t crazy by Hatta · · Score: 1

      Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in.

      No, it's implicitly a tool for Microsoft lock-in.

      Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely.

      For now.

      Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

      When Windows 9 comes around, and Microsoft well and truly locks down PC hardware, how much more are you going to have to pay to get unlockable hardware?

      When Windows 10 comes around, and your parents decide they want to get off the MS upgrade treadmill, will they have to buy new hardware to do so?

      --
      Give me Classic Slashdot or give me death!
    20. Re:Slashdot has gone batsh*t crazy by Hatta · · Score: 1

      1. UEFI Secure Boot is only required for Windows 8 Logo certification.

      How many instances of Linux today are running on MS certified hardware? I'd be willing to bet most x86 Linux boxes were sold with XP or W7 stickers. What is going to happen to that segment of the open source ecosystem?

      2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux?

      Sure, Linux is a multi-billion dollar SERVER market. Are OEMs selling internet appliances to grandmas going to stop supporting Linux? Hell yes they are.

      3. The Secure Boot specification requires that it can be disabled.

      For now. When (not if) this changes, I'll be here to say "I told you so".

      If you think secure boot is going to take over and prevent people from running the software/OS they want, then you are being paranoid.

      If you don't think they're going to try, you're being naive.

      --
      Give me Classic Slashdot or give me death!
    21. Re:Slashdot has gone batsh*t crazy by tajribah · · Score: 1

      UEFI Secure Boot solves a security problem which, while being real, is completely marginal in the real world. The extra complexity with key management is simply not worth the gain. There are a zillion places where you can improve real security of systems at much smaller cost.

    22. Re:Slashdot has gone batsh*t crazy by bws111 · · Score: 1

      Anyone who OWNS the machine should be able to install AND BOOT any OS they want.

      This is just plain false. Anyone who OWNS a machine should be able to use that machine as the manufacturer sold it. Period. If you buy a machine that says it is Linux compatible, then you should be able to boot Linux. If you buy a machine that says it is OS agnostic, then you should be able to boot any OS you want. If you buy a machine that says it runs Windows 8, then you should be able to run Windows 8.

      Nobody is required to produce a product to your liking, ever.

      Nobody is stopping you from doing whatever you want with your device that you own. Hack it up, replace the UEFI, overclock it, replace the processor, throw it in the river, do whatever you want. It's your device. But NOBODY is required to make it EASY for you to modify the device to your liking, or to make it easy for you to use the device in a manner other than as sold.

    23. Re:Slashdot has gone batsh*t crazy by cduffy · · Score: 1

      Nobody is stopping you from doing whatever you want with your device that you own. Hack it up, replace the UEFI, overclock it, replace the processor, throw it in the river, do whatever you want. It's your device. But NOBODY is required to make it EASY for you to modify the device to your liking, or to make it easy for you to use the device in a manner other than as sold.

      Of course nobody is required to make general-purpose computers easy to modify -- but the market can, and should, reject efforts to make hardware unnecessarily difficult to modify and reuse.

      That's what the crowd is doing here: We're part of the market, and we're trying to reach consensus on what we will and won't accept as buyers willing and able to act of our own free will.

    24. Re:Slashdot has gone batsh*t crazy by bws111 · · Score: 1

      Yes, the market can do whatever it wants. But please, don't try to claim that the people commenting on this article are supporting 'the market'. The number of people who will put an OS other than the one it came with on any device (computer, tablet, phone, embedded devices) is vanishingly small. There is zero market for devices that let you do that. I don't see much acceptance of that on here.

      The market can reject it, true. The market should reject it? Why? If the vast majority of users don't care in the slightest about booting an alternate OS, why should they reject something on the basis that they can't boot an alternate OS? The market will reject it? No way.

      The people on here are not rallying in support of the market, they are complaining because the market has eliminated a choice they prefer. So instead, they use phrases like "hardware manufacturers should be required to ship machines with no keys installed" and "anyone who owns a machine should be able to install whatever OS they want". That does not sound like the market talking to me.

    25. Re:Slashdot has gone batsh*t crazy by cduffy · · Score: 1

      If the vast majority of users don't care in the slightest about booting an alternate OS, why should they reject something on the basis that they can't boot an alternate OS?

      Simple: Artificially limiting the uses to which secondhand hardware can be put reduces resale value.

    26. Re:Slashdot has gone batsh*t crazy by bws111 · · Score: 1

      Haha! That is a good one. So this tiny percentage of people who can't influence the device manufacturers are going to have a significant impact on the USED market? Seriously? And how many people care about the resale value of a relatively cheap item anyway?

    27. Re:Slashdot has gone batsh*t crazy by shutdown+-p+now · · Score: 1

      They could refuse to certify their hardware, which would likely cost them any discounts on licensing.

      Note that if this happens with Intel-based hardware, there will likely be an immediate anti-trust reaction, at the very least in EU, and also quite likely in US as well.

    28. Re:Slashdot has gone batsh*t crazy by Joe_Dragon · · Score: 1

      video cards still have VGA or DVI ports with analog.

      Also most laptops have HDMI + VGA out and lots of projectors setups are only cabled for VGA. Note I said cabled they have DVI / HDMI now but the cables in the rooms and switchers are VGA only on most of them.

    29. Re:Slashdot has gone batsh*t crazy by Rich0 · · Score: 1

      I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.

      You don't have to ask for permission - you just have to configure your computer to boot it. If you stick an Ubuntu CD in a PC that isn't configured to boot off of CD, it won't run that either unless you "ask for permission" by telling it to boot from CD.

      On amd64 at least you'll be able to disable it if you want, or configure it with your own keys, so that MS won't be able to install something on your PC without asking YOU for permission.

    30. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      On amd64 at least you'll be able to disable it if you want

      For now. Microsoft has already declared the preferred configuration by requiring it on ARM.

    31. Re:Slashdot has gone batsh*t crazy by cduffy · · Score: 1

      So this tiny percentage of people who can't influence the device manufacturers

      This has yet to be seen.

      And how many people care about the resale value of a relatively cheap item anyway?

      The people in the business of buying old hardware (which has often had its OS wiped) and reselling it for use, to start with.

    32. Re:Slashdot has gone batsh*t crazy by guruevi · · Score: 1

      Yes but 1080p or 120Hz won't work over the analog line and HDCP ensures that the WHOLE SCREEN will show static when any piece of it displays a DRM-protected piece of media and the output is not HDCP secured.

      I work with high-def video in scientific systems and HDCP is a big pain in the neck as it will come on whenever and overlay static (even when no DRM is playing back especially in Windows 7). Disabling it is fairly easy but I can see where Secure Boot will refuse to boot Windows 8/9 if we don't have HDCP links.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    33. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      The people in the business of buying old hardware (which has often had its OS wiped) and reselling it for use, to start with.

      That's a minuscule segment of the market you're talking about. And from what I've seen they are also the biggest rip-off artists, trying to sell an old P4 for $300. Good riddance to those people.

    34. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      I am afraid you missed my point

      No, you asked what the point of the original post was when you compared UEFI to OOXML, they are clearly different things where the elements of differentiation were clearly the point being made, in that one is an industry standard created not by Microsoft but by many industry players including some of the biggest companies in the open source world, the other is a ratified standard created only by Microsoft. You can certainly pan Microsoft for OOXML but if you don't like UEFI then direct your displeasure not just at Microsoft but also at the others who created the industry standard, at Red Hat, Canonical, IBM, and AMD (among others).

      The problem is it allows lock-in, as shown on Windows 8/ARM, and that is bad.

      UEFI SecureBoot does not create lock-in, it is simply a method of ensuring only a signed bootloader can execute, if you don't like it then don't use it. As for WindowsRT devices there is a simple solution there too, don't buy them, buy a device that lets you do what you want to do with it, like an ipad or an android device with an unlocked bootloader rather than complaining that a device exists that clearly isn't what you want.

      The argument from people like you ends up just being that the end of computing freedom will come thanks to a bizarre conspiracy theory in which every hardware manufacturer in existence will only produce UEFI boards with locked secureboot for Microsoft, Apple's Mac computers will cease to exist or be locked down in the same way, the iPad and all Android tablets will also fail and WindowsRT will be a phenomenal success.

    35. Re:Slashdot has gone batsh*t crazy by exomondo · · Score: 1

      For now.

      Well until Microsoft stops having a monopoly in the x86 desktop market.

      Microsoft has already declared the preferred configuration by requiring it on ARM.

      Sure, you can't just get an ipad and run whatever software you want, you can't get a Windows RT device and run whatever software you want, so just get one of the myriad of Android tablets with unlocked bootloaders if you want to do that.

    36. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      No, you asked what the point of the original post was when you compared UEFI to OOXML, they are clearly different things where the elements of differentiation were clearly the point being made,

      And once again you miss my point. Its being a standard doesn't make it automatically fine and dandy. Its being an "industry standard" means, as I have shown in the MPI case, actually nothing. And my criticizing Microsoft for abusing it is, of course, because they _are_ abusing it. If it was someone else doing it I would criticize it too.

      ...if you don't like it then don't use it.

      That only happens when everyone implements the standard correctly. Guess what? If it is cheaper to enable it and not to allow disabling it many motherboard manufacturers will do it. And if disabling it is forbidden by a big OS manufacturer... well, you get the picture.

      The problem is that you don't want to see that Microsoft is already taking steps for this to happen: ARM locking is one. Do you really think they won't "dare" requiring locked UEFI Secure Boot on Intel at some given point? Like they wouldn't dare to use their market power to drive competitors out of other markets?

      By the way, Apple already tries to lock their OS to their devices (with some success, mind you). It would be just the next step to require Secure Boot.

      You call it bizarre conspiracy, I call it learning from what they have already tried before by different means.

    37. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      Sure, you can't just get an ipad and run whatever software you want, you can't get a Windows RT device and run whatever software you want, so just get one of the myriad of Android tablets with unlocked bootloaders if you want to do that.

      First they came for the communists...

      Well until Microsoft stops having a monopoly in the x86 desktop market.

      Which is to happen before they decide to enable lockdown, thus keeping them as the main player in the Intel desktop market, right? Forgive me for thinking the lockdown will happen first.

    38. Re:Slashdot has gone batsh*t crazy by exomondo · · Score: 1

      First they came for the communists...

      Yeah unfortunately for you that has no relevance here, the simple fact is that people who want to do that are a niche part of the market so naturally basic market forces dictate what is available. But you of course have some entitlist mentality whereby there can exist no product that doesn't do what you think it should do, there's products that serve the niche market, why do you so desperately want a WindowsRT tablet? I can't see any reason anyone would want such a device.

      Well until Microsoft stops having a monopoly in the x86 desktop market.

      Which is to happen before they decide to enable lockdown, thus keeping them as the main player in the Intel desktop market, right? Forgive me for thinking the lockdown will happen first.

      Well they can't lock it down first, unless you've been completely ignorant of the extensive high-profile anti-trust suits that themselves were far less anti-competitive than a move like expressly preventing competitors in a market in which they have a monopoly. Clearly you have no understanding of anti-trust law or the previous cases against microsoft in this area, it's well documented, they have been convicted of monopoly abuse multiple times.

    39. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      That only happens when everyone implements the standard correctly. Guess what? If it is cheaper to enable it and not to allow disabling it many motherboard manufacturers will do it.

      So they won't be windows 8 certified, they won't include the key and given that this would make them virtually unable to boot an OS they won't have secureboot enabled. Not having secureboot probably would be cheaper, so yes I agree, many manufacturers will go that route. Why are you complaining about that? Is that not exactly what you want?

      And if disabling it is forbidden by a big OS manufacturer... well, you get the picture.

      Yeah so? They can do that with locked bootloaders on any device. If they really didn't care about antitrust laws and really could coerce all OEMs and all hardware manufacturers to do exactly what Microsoft wants them to do then they could have done it any time in the past 30 years, the simple fact is they didn't.

      The problem is that you don't want to see that Microsoft is already taking steps for this to happen: ARM locking is one.

      No, ARM locking is a different issue altogether, like many existing devices that have locked bootloaders but Microsoft just disabled "Custom Mode" rather than create a new locked bootloader like most other manufacturers do.

      Do you really think they won't "dare" requiring locked UEFI Secure Boot on Intel at some given point? Like they wouldn't dare to use their market power to drive competitors out of other markets?

      Do you really think if they could have done it they wouldn't have done it sometime in the past 30 years?

      By the way, Apple already tries to lock their OS to their devices (with some success, mind you).

      So what's wrong with that? You can't run iOS on non-Apple devices because they don't sell iOS standalone.

      It would be just the next step to require Secure Boot.

      WRONG! You can install whatever you want on Apple devices, restore from backup with a specified .img file in iTunes, no jailbreaking required, that's how iPhone Linux works! It's all very simple and not the regime you so desperately want to portray it as being.

      You call it bizarre conspiracy, I call it learning from what they have already tried before by different means.

      Except they haven't tried it before, they could have done what you suggest they will do any time in the last 30 years...oh look...they didn't. The reason is that they don't control the OEMs, they don't control all the manufacturers and they don't just ignore antitrust law.

    40. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      why do you so desperately want a WindowsRT tablet?

      I don't. I couldn't care less if, say, Apple, decided to lock their devices up to the neck. They don't really have a strong hand in the architecture I mainly work with (namely x86). On the other hand, though, Windows _does_ have that strong hand, and their getting Windows ready for lockdown points to a future in which I may have to jump through a lot of hoops just to, say, boot a USB Live linux system.

      Well they can't lock it down first, unless you've been completely ignorant of the extensive high-profile anti-trust suits

      High profile, perhaps, but effective? Not the US ones, certainly, and neither the EU ones: the former turned into a mere slap on the wrist and the latter... well, Microsoft has been fined in 2004, I meant 2006, or was it 2008 or finally in 2012. Now that's what I call effective.

      Clearly you have no understanding of anti-trust law or the previous cases against microsoft in this area, it's well documented, they have been convicted of monopoly abuse multiple times.

      Conviction doesn't matter if you get far more than what you are fined with. Otherwise speeding fines would make speeding disappear, which they don't.

    41. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      So they won't be windows 8 certified, they won't include the key and given that this would make them virtually unable to boot an OS they won't have secureboot enabled. Not having secureboot probably would be cheaper, so yes I agree, many manufacturers will go that route. Why are you complaining about that? Is that not exactly what you want?

      They can just not include a "disable secure boot" option. They will then be Windows 8 certified since it needs secure boot enabled, but you won't be able to boot mostly anything else.

      They can do that with locked bootloaders on any device. If they really didn't care about antitrust laws and really could coerce all OEMs and all hardware manufacturers to do exactly what Microsoft wants them to do then they could have done it any time in the past 30 years, the simple fact is they didn't.

      As I have written in another subthread, Microsoft has paid little or no attention to its being convicted once and again for monopolistic practices. And now they get the lockdown option in a silver platter. If you really trust Microsoft not to abuse it... well, they already did on ARM and set the stage for doing it on x86. Those are facts, not your unfounded theory about Microsoft having changed its stripes now that it got fined a few times.

      No, ARM locking is a different issue altogether, like many existing devices that have locked bootloaders but Microsoft just disabled "Custom Mode"

      Of course, because now they only need to "just" disable Custom Mode. Easier device lockdown is still device lockdown, and wrong.

      Do you really think if they could have done it they wouldn't have done it sometime in the past 30 years?

      See above.

      WRONG! You can install whatever you want on Apple devices, restore from backup with a specified .img file in iTunes, no jailbreaking required, that's how iPhone Linux works!

      Would you be so kind to provide a reference to that statement? I certainly am unable to find such app in iTunes.

      The reason is that they don't control the OEMs, they don't control all the manufacturers and they don't just ignore antitrust law.

      No, they don't ignore the antitrust law, not at all. They were convicted because some evil judge had it in for them. And they don't control OEMs enough to force them to ship Windows in all their computers if they want to get the cheap licences. Do you really believe what you are writing? Besides, why would they worry about forcing manufacturers' hand when the UEFI's antecedents date back to the '90s?

    42. Re:Slashdot has gone batsh*t crazy by exomondo · · Score: 1

      On the other hand, though, Windows _does_ have that strong hand, and their getting Windows ready for lockdown points to a future in which I may have to jump through a lot of hoops just to, say, boot a USB Live linux system.

      So you build your own system or you buy a Mac. Even if you ignore all the reasons why they wouldn't/can't do it motherboard makers aren't going to lock their boards to Windows, the only ones that would conceivably do that and have any reason to are system builders that are actually selling Windows systems.

      High profile, perhaps, but effective? Not the US ones, certainly, and neither the EU ones: the former turned into a mere slap on the wrist and the latter... well, Microsoft has been fined in 2004, I meant 2006, or was it 2008 or finally in 2012. Now that's what I call effective.

      The fines aren't the resolution, they are just a deterrent. In the US the effectiveness is clearly in the fact that they had to expose the APIs that they previously kept private, so that was accomplished. In the EU it was the browser ballot, again accomplished. So like I said, you'd have to be pretty ignorant of those cases to think they could just lock down x86.

      Conviction doesn't matter if you get far more than what you are fined with. Otherwise speeding fines would make speeding disappear, which they don't.

      Rubbish, it's not about fines, it's about stamping out the anti-competitive behavior and that's what the conviction led to.

    43. Re:Slashdot has gone batsh*t crazy by Anonymous Coward · · Score: 0

      They can just not include a "disable secure boot" option. They will then be Windows 8 certified since it needs secure boot enabled, but you won't be able to boot mostly anything else.

      WRONG! You have to be able to disable secureboot, that is a critical element of windows certification, without it it is not windows certified, seriously do you know nothing about the topic of discussion here? If they are going the cheap route, like you suggest, then they aren't going to include secureboot, so it's exactly what you want...but of course you are just so desperate to paint this as some bleak future that you will ignore all facts to do so.

      As I have written in another subthread, Microsoft has paid little or no attention to its being convicted once and again for monopolistic practices. And now they get the lockdown option in a silver platter.

      Wtf are you on?! They've had years of oversight by the DOJ, modifications to the OS internal APIs, removal of the browser in the european union version (the "N" versions) which are the exact things the antitrust suits were there to rectify. Suggesting they paid little or no attention to these suits is moronic, they complied with the rulings such that they ceased to be in violation of antitrust law, what else did you want them to do?

      If you really trust Microsoft not to abuse it... well, they already did on ARM and set the stage for doing it on x86.

      They can do whatever they want on ARM because they don't have a monopoly just like Apple, Samsung, HTC, Nokia, etc, etc, can do whatever they want in a market in which they have a monopoly. It's absolutely clear you have no understanding of how a free market works or the concept of a monopoly.

      Of course, because now they only need to "just" disable Custom Mode. Easier device lockdown is still device lockdown, and wrong.

      It's letting the market decide, if it's wrong then it will be rejected by the market, if not then it's clearly not wrong, just like things like the Wii, DS, PS3, PSP, XBox, etc. You can whinge and cry and complain that they are wrong to not allow installing other software but in fact you are wrong, people like it that way, they could buy a system, install linux and have a fully free environment but by and large most people do not want that, this is a fact.

      They could buy an Android tablet without a locked bootloader instead of a locked Windows RT tablet, ultimately the market will decide, that's how it works.

      If they don't want to run windows then don't buy a windows certified system, there are plenty of alternatives, hell, buy a mac! Again, there is choice and the market will decide.

      Why do you so desperately want to believe that the market won't decide?

      Do you really think if they could have done it they wouldn't have done it sometime in the past 30 years?

      See above.

      See what? There is nothing there that explains why they couldn't have done this sometime in the past 30 years, except for exactly what stops them doing it now.

      Would you be so kind to provide a reference to that statement? I certainly am unable to find such app in iTunes.

      What app in iTunes?! It's about running your own software (not iOS) on an apple device, so you restore the device with a custom .img, like openiboot.

      No, they don't ignore the antitrust law, not at all.

      Correct, the clear and irrefutable evidence is that they have complied with the antitrust suit requirements such that they no longer break the law.

      They were convicted because some evil judge had it in for them.

      They were convicted because they broke the law you idiot.

      And they don't control OEMs enough to force them to ship Windows in all the

    44. Re:Slashdot has gone batsh*t crazy by gomiam · · Score: 1

      WRONG! You have to be able to disable secureboot, that is a critical element of windows certification

      Mandatory, not critical, mind you. And it is mandatory now. I guess we will have to wait and see what happens with later versions of Windows.

      They've had years of oversight by the DOJ, modifications to the OS internal APIs, removal of the browser in the european union version (the "N" versions) which are the exact things the antitrust suits were there to rectify.

      And yet they had to be prosecuted on the "browser wars", had to be prosecuted again on the Windows Media Player affair, had to be prosecuted again on the browser selection option. Yes, that oversight worked really well to stop their infringing the law.

      It's absolutely clear you have no understanding of how a free market works or the concept of a monopoly.

      Yes, as it is clear that you don't run your tests on your main cash cow. You run them in a sideshow like Windows 8/ARM. Besides, if Microsoft was really considered a monopoly it would have been split like AT&T was. Why they didn't still escapes me.

      but in fact you are wrong, people like it that way

      The same way people like attaching the most common apps to the Start bar... because Microsoft decided to hide the old Quick Launch bar so there was another option. You have too high an opinion of the mean computer user. Most of them will use what comes with the computer and never notice something is missing until they crash against it.

      Why do you so desperately want to believe that the market won't decide?

      Perhaps because Microsoft currently has a monopoly on the OS market and people will usually buy what they see everywhere. And that's not Apple nor Linux.

      There is nothing there that explains why they couldn't have done this sometime in the past 30 years, except for exactly what stops them doing it now.

      Ok, let's tear this "30 years" meme down. In 1982, 30 years ago, Microsoft wasn't big enough to do anything about x86 architecture: the IBM PC had just started selling in August 1981. In 1993, when Windows NT showed up, Microsoft wasn't still big enough to press anybody to bend to their wishes: when they tried to force Adobe, Autodesk and other big software makers to adapt their code to Windows NT (sane things like having a correct account of the times the same file was opened or closed) they got no headway, which is partly responsible for the need to reboot a computer on many upgrades and software installations. You could go as far back as the middle '90s to find references about Microsoft forcing OEM's hands, about fifteen years in which the hardware market scattered far enough to make messing around with BIOS a nightmare even for Microsoft.

      What app in iTunes?! It's about running your own software (not iOS) on an apple device, so you restore the device with a custom .img, like openiboot.

      Excuse me, but this doesn't match with what you wrote before:

      WRONG! You can install whatever you want on Apple devices, restore from backup with a specified .img file in iTunes, no jailbreaking required, that's how iPhone Linux works!

      Just to keep things simple, OpeniBoot requires a compatible jailbreak to be applied. On the other hand, I guess you meant the iTunes application and not the appstore service. Sorry for that misunderstanding.

      They were convicted because they broke the law you idiot.

      I guess my attempt at sarcasm failed.

      And all the OEMs that don't ship Windows? And all the manufacturers who don't ship systems at all? Ever built your own PC? No, didn't think so.

      Numbers, please: having one of each ten (for example) OEM not shipping Windows doesn't break the monopoly. And

  10. Re:Microsoft Linux by Anonymous Coward · · Score: 0

    Fuck trolls like you, moron. SUSE has nothing to Novell after Attachmate and Microsoft is committing to open source a lot, you undercomplete idiot!

  11. It might be easy enough for us.... by complete+loony · · Score: 5, Insightful

    Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system. That alone is reason enough to complain about it and object to it.

    As it stands now the UEFI standard doesn't specify how the user can install a custom trusted key.

    IMHO, hardware vendors should be required to leave the trusted key set empty from the factory. UEFI should then have a standard prompt to enable secure boot and install a key found on bootable media. If Microsoft were forced to guide the user through the same process that a linux installation would require, this process would get the attention it deserves to make it as user friendly and standardised as possible.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re:It might be easy enough for us.... by Anonymous Coward · · Score: 0

      >Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system.

      So you are asking us to imagine a user who is clever enough to find a new OS and go through the learning curve to install and use it but not clever enough to turn off one standardized firmware setting? LOL

    2. Re:It might be easy enough for us.... by Missing.Matter · · Score: 1

      I wonder if you might be able to estimate how many "average joe users" attempt to install other operating systems. Anyone who even knows to consider installing Linux is pretty much by definition not average.

    3. Re:It might be easy enough for us.... by Anonymous Coward · · Score: 0

      Your point being that it's ok to make it harder for them because they're not in the majority?

    4. Re:It might be easy enough for us.... by complete+loony · · Score: 2

      There are a couple of ways to get a linux install working right now. You could boot a liveCD or USB, which obviously requires you to obtain the correct media and tweak the boot order in the BIOS first. Getting the user to tweak UEFI probably won't add too much difficulty for someone who can already accomplish this, but it is an additional step that may have great big scary warnings all over it.

      But what about running something like ubuntu's windows installer? This reboots into linux from a virtual disk that it builds in a file on your windows partition. Is that easy enough for a user to try? But that can't reliably work with secure boot unless they've signed their boot loader with a key already known and trusted by the BIOS. And currently that will mean you get it signed by microsoft or it just doesn't work.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    5. Re:It might be easy enough for us.... by waveclaw · · Score: 2

      Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere - maybe due to a huge marketing push by a vendor.

      With virtualization, joe average user can try another operating system even in the world of UEFI's Secure boot model. Even today Linux distros become just another "app" joe can download to joe's Microsoft desktop and run.

      There are some downsides to this. Any killer app for Linux becomes also a killer app for Windows. The experience of moving from Metro or Aero to something like GNOME 3 is likely to deter joe average user from trying that again.

      Of course, as a Convicted Monopolist, Microsoft can report these Linuxes as viruses or trojans and refuse to run Linux virtual machines. Microsoft is also free to ban virtualized Linux distributions from the Windows Marketplace. Then joe is rather stuck. He's not going to some ugly website talking about Open-this and Free-that just to download something the size of a large movie that doesn't involve tits or explosions.

      Booting Linux was once just the providence of the enthusiast. Today major Linux Distributions are as easy as if not easier to install on supported hardware than Microsoft Windows. But that window is quickly closing.

      There is no telling how complicated or difficult disabling secure boot or installing a new vendor key will be in the future. I have a Sun Sparcstation 2 on which I have to program the boot PROM each time I power it on. Sure, it's just a couple dozen lines of Forth. But there's a reason I never boot that space heater anymore. Even in the cold of winter.

      --

      "You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."
    6. Re:It might be easy enough for us.... by bws111 · · Score: 1

      Absolutely, why not? Nobody is required to produce something just because you want it. No doubt some people would find it very interesting to be able to modify how the processor in their computer works (change the pipelining, add scalar processors, etc). Does that mean that processor manufacturers should be 'required' to only build processors out of discrete components? Is it OK for them to make it harder for people to modify the processor by using chips?

    7. Re:It might be easy enough for us.... by exomondo · · Score: 1

      I'd sure as hell like a CPU with an unlocked multiplier...but of course I know the demand for such a thing is very low and as such they are much more expensive because they target a tiny market segment. It sucks sure, but niche products for niche markets.

    8. Re:It might be easy enough for us.... by exomondo · · Score: 1

      Of course, as a Convicted Monopolist, Microsoft can report these Linuxes as viruses or trojans and refuse to run Linux virtual machines.

      No, as a convicted monopolist they are under much more scrutiny than other companies such that they don't abuse their position. I don't understand this perception that they are a convicted monopolist and somehow that means they can get away with anti-competitive practices, it means the opposite, they are a convicted monopolist so every competitive move they make is scrutinized by the US and EU.

    9. Re:It might be easy enough for us.... by westlake · · Score: 1

      Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere

      Booting Linux was once just the providence of the enthusiast.

      If Joe Average doesn't know Linux exists, then booting Linux remains the sole province of the enthusiast.

      For Joe, maintaining two operating systems, software libraries, and skill sets has all the appeal of root canal. What he needs to see is the "killer app" that makes the pain worthwhile. The FOSS app that hasn't been ported to Windows.

      Name one.

    10. Re:It might be easy enough for us.... by Anonymous Coward · · Score: 0

      Mod parent funny

    11. Re:It might be easy enough for us.... by Anonymous Coward · · Score: 0

      Teh US? ORLY?

    12. Re:It might be easy enough for us.... by Anonymous Coward · · Score: 0

      yeah it's all a big conspiracy! microsoft got convicted of anti competitive tactics on purpose and went through the court cases, discovery and paid the billions in fines but that was all a ruse, all part of their elaborate final solution! it was to lure you into a false sense of security that the EU and US DOJ have power when actually they are owned by microsoft and now over a decade later they can start to implement their plan of operating system domination and all the while those poor plebs will think "if it was anti competitive they would be sued" oh but little do they know the truth is microsoft owns everything, they WANTED to be sued just so you would think they would be sued again if they did anything evil, the reality is far more sinister in fact they even own YOU, you work for microsoft and they just let you think that you don't! it's all part of the plan!

    13. Re:It might be easy enough for us.... by thegarbz · · Score: 1

      It's not a question of produce what you want. It's a question of use a device you now own.

      It's one thing to not manufacture an ARM tablet because consumers don't want them, but it's quite another to manufacture and sell them, then explicitly prohibit the user from doing something with their device which it should be perfectly capable of doing for no other reason than vendor lock-in. I use ARM as an example because that's exactly what has happened. ARM Windows devices have Secure Boot enabled with no option to disable. This means you can't install Android on it if you want to like you can on say an iPad. Even if you were a programmer and wanted to code the solution yourself you couldn't do it.

      I'm not a Linux user. I'm a happy Microsoft customer, but I will fight for the right of a user to do with his equipment whatever the hell they want, including using any software they (legally) acquire, or even making modifications to the hardware.

      They say America is slowly losing its ability to technically innovate. I wonder if that has anything to do with people not being able to play with their toys in an unapproved way anymore.

    14. Re:It might be easy enough for us.... by bws111 · · Score: 1

      But there's the thing. This does not affect devices you now own in any way, shape, or form. This affects devices you may own in the future.

      So you are saying it is a matter of produce what you want. What is being produced (in the future) is Windows tablets. Why should they be expected to do anything other than run Windows? They are advertised as Windows tablets, they are sold as Windows tablets, and that is what you get - a Windows tablet. Just because it is made of components that could be doing something else doesn't mean that the manufacturer has to make it easy (or even possible) for you to do something else. The steel in the hammer I have could just have easily been forged into a socket wrench, but I don't complain that my hammer does not function as a socket wrench. If you want to hack up your Windows tablet to make it do something else, go for it - nobody is stopping you. But they don't have to make it easy.

      If you want to run Android, buy an Android tablet. If you want to run Windows, buy a Windows tablet. If you want to run anything you feel like, buy a general purpose tablet. But complaining that your Windows tablet doesn't run Android is just stupid.

    15. Re:It might be easy enough for us.... by Rich0 · · Score: 1

      Are you suggesting that if I sell somebody a phone it shouldn't be able to boot unless they insert an install SD card or such? Or does this just pertain to PCs? Most people buy PCs with pre-installed OSes. Is there really any value to making it so that those PCs can't be booted without sticking in a CD as the first step?

      And if that happened, how would that help? Anybody with a Windows PC will have stuck in the Windows CD, which will install the MS key and now it won't boot linux when they want to switch.

      If the firmware has to accept any key it finds on any later boot, well then secure boot gets you nothing anyway since the malware can just supply a new key.

    16. Re:It might be easy enough for us.... by exomondo · · Score: 1

      It's one thing to not manufacture an ARM tablet because consumers don't want them, but it's quite another to manufacture and sell them, then explicitly prohibit the user from doing something with their device which it should be perfectly capable of doing for no other reason than vendor lock-in.

      So where was the uproar over locked CPU multipliers? Or locked GPU pipelines? Or fixed BIOSes?

      ARM Windows devices have Secure Boot enabled with no option to disable. This means you can't install Android on it if you want to like you can on say an iPad.

      So buy an iPad if that's what you want. There are devices that let you hack around so if that's what you want to do then buy them and support the companies that provide you the products you want. Are you also complaining about the inability to install iOS on an Android tablet? There's no reason they couldn't allow that, but they do prevent it. Just like with CPUs there are ones that have unlocked multipliers so if that's what you want then buy them, but of course most people don't care about that, the product you want exists so why are you complaining about the existence of a product that you don't want?!

    17. Re:It might be easy enough for us.... by thegarbz · · Score: 1

      And that's the scary change I'm talking about. We're talking about a change from buying hardware and software and mating them to buying hardware with software with no flexibility or customisation. Do a survey on Linux / Mac users who are also gamers and find out how many people dual boot.

      We as a species are dragged silently into a world of complete corporate control. If the world was like this 30 years ago then there would never have been a Personal Computer.

    18. Re:It might be easy enough for us.... by thegarbz · · Score: 1

      The uproar was there. The vendors heard, and they provided a product. You can buy off the shelf hardware unlocked CPUs which we couldn't do for about a year of the Pentium 4 era where your ability to overclock depended on you not buying Intel and modifying your AMD device using a steady hand and a pencil. Locked GPU pipelines are following a similar trend by releasing open source CUDA compilers and both Nvidia and AMD now supporting OpenCL to some extent. I'm not sure what you mean by fixed BIOSes but if you refer to issues running Linux on some motherboards from what I remember it was only ever a minor inconvenience of poor ACPI support rather than something not actually running, and a lack of uproar could be due to the fact that hardware not working under Linux has actually declined over the last 10 years rather than increased. But do share if you meant something else like TPM which has almost been outright rejected in the industry after an uproar.

      The product I want is a personal computing device in tablet format. What is with this idea that suddenly hardware and software need to be mated? It's a complete change in concept for the industry. I buy a motherboard I install the software I want on it, be it Linux or Windows. Even my brief foray into Macs had me running a dual booted system. iOS is not over the counter software, that's why I'm not complaining. If the software is not sold to me why would I care, but if it is sold to me why should I be limited to installing it only on one specific piece of hardware? Android is over the counter software. I've run various versions on my phone, ran it on my PC just for fun, and then seriously ran it on an x86 eeePC with a touchscreen and still do, I even ran it on an old iPhone 3.

      Why are you so ready to accept software lock-down with open arms? What happened to the idea of being able to run anyone's compatible software on the hardware you own without a small company sponsored encryption key in the way? I mean running any software on any hardware is the foundation of the PC.

    19. Re:It might be easy enough for us.... by bws111 · · Score: 1

      But that is true of every industry. Take automobiles for instance. Originally, they were built by tinkerers for tinkerers only. Over time, improvements were made, and the need to tinker got less and less all the time. And each time the need to tinker was reduced, the ability to tinker was reduced with it. And today we have cars that the average person can't do anything with except maybe change the oil. On the other hand, there is no need to do anything other than that. No doubt there are car enthusiasts who bemoan the fact that they can't really tinker with their car much. Would the rest of us give up our reliable, fuel-efficient, lower emission cars that don't even need a tuneup until 105K miles just so the enthusiasts could tinker? No way.

      Same thing with radio and TV. How many people do you know who complain that their giant HDTV is completely made up of evil, corporate-made chips, and they really miss the ability to swap out those crappy tubes that the manufacturer used with some good, high-performance ones like you could in the good old days? Nobody.

      Computing is progressing along the same path. The vast majority of users do not enjoy installing programs, configuring things, dealing with/preventing malware, making sure that every damn thing they do doesn't cause some security problem, etc. They just want a device that does what they want. If that means losing some ability to tinker, who cares?

      If you want to be free of corporate control, how about not buying a device built by a corporation for the purpose of running another corporation's OS? Build your own.

      As for your earlier comment about innovation - I think you are completely wrong there. I mean, as of today you still have 100% freedom to do whatever you want with your PC, so clearly locked-down PC's can't be blamed for lack of innovation. No, I think the more likely reason for lack of innovation is that for the last couple of decades it has been too easy to do things. Ease does not cause innovation, difficulty does. Installing alternate OS's, programs to let you cheat at games or pirate stuff, etc is not any more innovative than building a Heathkit TV was 40 years ago. It may be fun, it may give you satisfaction, but it sure is not innovative. So maybe the locked-down world of computing will actually cause people to get off their asses and actually tinker with real stuff and innovate once again.

    20. Re:It might be easy enough for us.... by exomondo · · Score: 1

      The uproar was there. The vendors heard, and they provided a product. You can buy off the shelf hardware unlocked CPUs which we couldn't do for about a year of the Pentium 4 era where your ability to overclock depended on you not buying Intel and modifying your AMD device using a steady hand and a pencil.

      Precisely! There is such a product, but that doesn't mean every product has to have that capability. It's for a niche market, so obviously products meant for the mass market don't serve that purpose, it's very simple, supply and demand.

      Locked GPU pipelines are following a similar trend by releasing open source CUDA compilers and both Nvidia and AMD now supporting OpenCL to some extent.

      No they aren't, they were/are artificially locked to be sold at lowered price points to protect the value of high end products.

      I'm not sure what you mean by fixed BIOSes

      I mean that you can't just install whatever BIOS you want.

      The product I want is a personal computing device in tablet format.

      And you are clearly a minority, but you know what? There are products there for you, it's just that not every product can do that because clearly very few people want to. The free market works!

      What is with this idea that suddenly hardware and software need to be mated? It's a complete change in concept for the industry.

      What are you on about? They don't have to be, no one is saying they have to be.

      I buy a motherboard I install the software I want on it, be it Linux or Windows. Even my brief foray into Macs had me running a dual booted system.

      And that is not changing, so what's your problem?

      iOS is not over the counter software, that's why I'm not complaining. If the software is not sold to me why would I care, but if it is sold to me why should I be limited to installing it only on one specific piece of hardware?

      You aren't, what product are you even referring to that does this? Windows 8 doesn't do it and Windows RT isn't sold, so what are you complaining about?

      Why are you so ready to accept software lock-down with open arms?

      What are you talking about? I don't have any devices with software lockdown and have no foreseeable reason to buy any such device. Not sure what you're trying to get at with that comment, it makes no sense.

      What happened to the idea of being able to run anyone's compatible software on the hardware you own without a small company sponsored encryption key in the way? I mean running any software on any hardware is the foundation of the PC.

      Nothing happened to it at all, the only people who believe things have changed are those who don't understand it, no one is stopping you from doing anything. You don't use secureboot now and if you don't want to run an OS with an encryption key then you wouldn't use secureboot because of the nature of it. So what are you complaining about?

    21. Re:It might be easy enough for us.... by thegarbz · · Score: 1

      But that is true of every industry.

      I never proclaimed to complain only about computers :-)

      There are however some industries which have been dominated by hobbyists and tinkerers to the point where open hacker friendly access has become the norm. Take astronomy as one. I don't think I've seen a telescope mount on the market which doesn't support the completely open ASCOM model which basically allows any software to work with any mount via this layer. This is a change from 10 years ago where mounts would come with proprietary hand controllers, or proprietary computer software.

      I'm just concerned that we're losing what originally made the industry, all in the name of profits. Hacking the C64 was the norm, some would say even required. There were endless guides published on writing your own software for the thing. Do the same thing on a Nintendo DS or iPhone and the vendor will publish a "security update" in short notice. It's sad.

    22. Re:It might be easy enough for us.... by Anonymous Coward · · Score: 0

      Hacking the C64 was the norm, some would say even required. There were endless guides published on writing your own software for the thing.

      Um, you can write your own software in Windows. And guess what? There are even guides published on how to do it. Amazing, isn't it?!

  12. Linux does have a spokeperson by Taco+Cowboy · · Score: 4, Insightful

    It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.

     
    What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack

    Do not forget, there exists a spokeperson for Linux - Linus Torvalds

    It's up to Mr. Torvalds to decide which direction Linux should proceed on this UEFI issue

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Linux does have a spokeperson by Anonymous Coward · · Score: 0

      Linux is not a bootloader. You might expect Linus to chime in if there were kernel modifications needed to support this, but there really aren't.

    2. Re:Linux does have a spokeperson by exomondo · · Score: 1

      What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack

      How? What can they do? They are kernel developers, not bootloader developers. Maybe GRUB and LILO developers could get involved but I don't see why the kernel developers have any interest/responsibility in it.

      Do not forget, there exists a spokeperson for Linux - Linus Torvalds

      And don't forget Linux is just a kernel, Linus is the spokesman for the kernel.

    3. Re:Linux does have a spokeperson by Anonymous Coward · · Score: 0

      And don't forget Linux is just a kernel, Linus is the spokesman for the kernel.

      Linus doesn't give a shit about open source.
      He is okay with the tivoization of the linux kernel.

    4. Re:Linux does have a spokeperson by Anonymous Coward · · Score: 0

      Taking into consideration Linus' stance against the GPL v3 and his love for the binary blob ridden Android operating system, I don't think he gives a shit about the consequences of secure/restricted boot, hence why we're yet to hear his opinion on such a significant subject.

      Posting as AC as I'm bound to get modded down for saying something negative on /. about Linus or Android.

    5. Re:Linux does have a spokeperson by Anonymous Coward · · Score: 1

      Do not forget, there exists a spokeperson for Linux - Linus Torvalds

      And don't forget Linux is just a kernel, Linus is the spokesman for the kernel.

      Have you heard Linus rant? Trust me, he is a force to be reckoned with.

    6. Re:Linux does have a spokeperson by Anonymous Coward · · Score: 0

      we're yet to hear his opinion on such a significant subject

      Wrong.

      "I'm certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc. And if it's only $99 to get a key for Fedora, I don't see what the huge deal is."
          -- Linus Torvalds

  13. Doesn't seem so bad by SealBeater · · Score: 1

    Maybe this is more of an issue with machines that have Windows pre-installed but I'm upgrading my motherboard and it has UEFI and the gentoo wiki doesn't make it seem so bad.

    http://en.gentoo-wiki.com/wiki/UEFI

    Laptops, of course are going to be an issue.

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
    1. Re:Doesn't seem so bad by makomk · · Score: 1

      Current motherboards with UEFI don't support UEFI Secure Boot. Once Windows 8 comes out, they'll basically be required to support it by Microsoft, who's forcing all OEMs to ship Windows 8 PCs with Secure Boot enabled.

    2. Re:Doesn't seem so bad by Skapare · · Score: 1

      Having Secure Boot enabled is NOT an issue, by itself. A badly designed Secure Boot is the issue. It needs to have a means to allow the OWNER of the machine to indicate which systems are to be allowed to boot, while still having the means to verify that those OSes have not been altered. Too many OEMs won't do this because the UEFI/SB standard does not require it.

      --
      now we need to go OSS in diesel cars
  14. Re:Microsoft Linux by Forty+Two+Tenfold · · Score: 1

    Don't knock it till you tried it.

    Guess what, I'm servicing SuSE in corporate environment. We're moving on, though. To Debian.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  15. Re:Microsoft Linux by Forty+Two+Tenfold · · Score: 1

    Microsoft is committing to open source

    Beware of Greeks bearing gifts

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  16. on x86 systems. by thegarbz · · Score: 1

    Oh ok. So it's all good and fine on x86 systems. Let's completely ignore the amount of "computing devices" which are today being released on an ARM platform rather than x86.

    I was looking forward to UEFI and ARM devices with a proper BIOS and a way to run various operating systems on them. I mean we currently have people running Android on iPhones and on PCs, we have small embedded ARM devices running Linux, but who cares about that when in the future the vast majority of ARM devices will be locked to Windows only at the bootloader level.

    I mean Linux is such a small market share so screw em whenever we make a change that may affect them in the slightest bit. They shouldn't have a say in this Windows only world right?

    I for one look forward to a future where mega corporations are able to control my very thoughts, that way I'll never possibly think of doing something unauthorised with a device I own... err I mean contracted to use.

    1. Re:on x86 systems. by bws111 · · Score: 1

      Why, exactly, do you expect the "vast majority of ARM devices will be locked to Windows only"? There are millions of ARM devices in use today, with the Windows marketshare being approx 0%. Do you expect Apple and all the Android device makers to just give up and switch to Windows-only? The idea is ludicrous. The only way that would happen is if Microsoft produces such a superior product that people simply stop buying Apple and Android. Do you foresee that happening?

    2. Re:on x86 systems. by Rich0 · · Score: 1

      While I'm all for getting rid of lock-in, the fact is that almost all arm-based systems in consumer use have locked bootloaders already. Just about every android phone in use falls into this category (and yes, I know the sliver of market share held by Nexus devices are an exception).

    3. Re:on x86 systems. by thegarbz · · Score: 1

      The existence of an alternative platform to x86 will invite the microsoft certification. This has happened time and time again and there have been major court cases about people being allowed to put the coveted windows logo on their hardware. Windows 8 may be a flop but the existence of Windows on ARM at all lends weight to ARM being a viable alternative to the x86 platform in the future. In that case I actually truly expect the majority of ARM devices capable of running multiple a full blown OS to tend towards windows certified given the track record with vendors rolling out Linux devices (netbooks).

      Now that said it's all speculation. Mind you ask me 5 years ago what I thought of the possibility of ARM being a major player in the consumer hardware market and I would have said "The idea is ludicrous."

      As such I don't use those kinds of words anymore. The only thing I really know is that I haven't a clue what will really happen in a few years.

    4. Re:on x86 systems. by thegarbz · · Score: 1

      This doesn't really counter the argument against vendor lock-in. Also the vast majority of ARM devices are actually NOT bootloader locked. Just go and check the compatibility list for Cyanogenmod.

      Anyway the main point of my post was that there's a significant number of people who are interested in doing with their devices whatever the hell they want, and this even includes installing Android on an iPhone. People want to do this and given it's their hardware we should not be promoting systems to prevent this.

    5. Re:on x86 systems. by bws111 · · Score: 1

      This doesn't make sense to me. The reason that vendors fight for the MS certification in the x86 arena is that without it they won't sell any hardware. There is zero market in x86 for something that doesn't run Windows (Apple excluded, because that doesn't run on anyone else's hardware). The reason there is no market is because everyone has a few decades of Windows 'stuff' that they have accumulated (not only software, but also some hardware like WinPrinters and WinModems) that they did not want to have to replace. And on top of that, there are simply no viable alternatives that Joe Public ever heard of that have a compelling enough reason to go through the pain of switching.

      All of that is different with ARM. None of your existing Windows x86 stuff is going to work on ARM, so that advantage is gone. More importantly, there is an alternative now - Android. There are millions of people using Android now. They have Android 'stuff'. They like Android, and see no reason to switch. Why would manufacturers completely abandon Android?

      Are manufacturers going to offer at least some Windows certified machines? Probably. Is every manufacturer going to certify every machine? No way, unless all of their customers abandon Android for Windows.

    6. Re:on x86 systems. by thegarbz · · Score: 1

      I'm not thinking in terms of vendors abandoning Android, I'm thinking in terms of ARM doing more than just your basic tablets. Remember windows 8 despite its graphical crapness is still a full fledged Windows OS. I'm not worried about the ARM tablet market, I'm worried about the future of the laptop market as ARM may start displacing x86 and in the process bringing along its vendor lock-in baggage.

      Mind you that kind of maintains the status quo too given the biggest complaints about Linux on laptops is poor battery life due to ACPI compliance and inability to sleep properly. It's fitting that the potentially greatest low-power platform to hit the market in recent years should be refused to run Linux all in the name of a sticker.

    7. Re:on x86 systems. by Anonymous Coward · · Score: 0

      The only thing I really know is that I haven't a clue.

      FTFY

    8. Re:on x86 systems. by Anonymous Coward · · Score: 0

      Oh ok. So it's all good and fine on x86 systems. Let's completely ignore the amount of "computing devices" which are today being released on an ARM platform rather than x86.

      Locked-down UEFI SecureBoot ARM hardware doesn't even exist! The thing you are ignoring is the fact that this is only a requirement for Windows RT, a product that doesn't seem to have any target market, I don't think you have to worry about it supplanting iOS and Android in the ARM market. The fear-mongering over UEFI SecureBoot runs so deep that people like you are so ignorant of Microsoft's existing efforts against iOS and Android on ARM with Windows Phone (hint: it isn't going well) and instead spread this idea that Windows RT is the be-all and end-all and will be a runaway success that sets the precedent for the entire future of the ARM computing platform. Get with reality instead of just spreading FUD.

    9. Re:on x86 systems. by exomondo · · Score: 1

      Remember windows 8 despite its graphical crapness is still a full fledged Windows OS.

      Then your whole premise is based on a fundamental misunderstanding: Windows 8 does not run on ARM, only Windows RT runs on ARM and that is no more a 'full fledged Windows OS' than iOS is 'a full fledged OSX OS' or Android is 'a full fledged Linux distribution'.

    10. Re:on x86 systems. by Rich0 · · Score: 1

      This doesn't really counter the argument against vendor lock-in. Also the vast majority of ARM devices are actually NOT bootloader locked. Just go and check the compatibility list for Cyanogenmod.

      Uh, virtually all the devices on the Cyanogenmod compatibility list HAVE locked bootloaders. They just have poorly implemented locked bootloaders/etc, which means that you can defeat them and install Cyanogenmod anyway. The only Android devices I'm aware of that have unlocked bootloaders are the Nexus line, which probably have

      Anyway the main point of my post was that there's a significant number of people who are interested in doing with their devices whatever the hell they want, and this even includes installing Android on an iPhone. People want to do this and given it's their hardware we should not be promoting systems to prevent this.

      I'm all for legislation that requires device owners to be given all the stuff required by GPLv3/etc. However, I've got nothing against the technology itself. I'd prefer a device with UEFI to what I have on my PC now. Right now anybody who wants to can just install a keylogger on my hard drive just by booting from a CD, and there is little I could do to stop it. Rootkits installed over the internet can make themselves almost undetectable unless you boot off of clean media. UEFI has the power to change that. My only objection to the proposed implementation is the inability to change the OEM-supplied machine key (that isn't the one used to sign windows) - I want to be able to change it all.

  17. The chain of trust is WRONG for this by Skapare · · Score: 1

    But it is the ROOT of the chain of trust that is wrong. Instead of some corporation being the root of trust, the owner of the computer should be that root of trust. A proper UEFI boot system needs to include an option in the BIOS to add ANY boot partition (such as the new OS you just installed) as trusted. That same menu should allow you to delete trust for any, as well. When you add trust, it scans the image to be loaded, calculates a checksum, and stores it into an area of Flash memory that can only be written to during the BIOS run from a hard reset or power cycle. Once BIOS runs an OS, that area of Flash is write protected, or maybe even completely out of addressable space so no OS can reflash (all of BIOS should be like this, of course).

    There is NO need for Microsoft or even the manufacturers to sign stuff. They are doing this WRONG. Of course, they chose to do this wrong so they would be in control.

    --
    now we need to go OSS in diesel cars
    1. Re:The chain of trust is WRONG for this by shutdown+-p+now · · Score: 1

      That's pretty much how it works, except that instead of containing a list of boot loader hashes (which would require you to edit every time the boot loader is updated), it contains the list of valid signatures. But you can clear that list (thus revoking MS key), or add your own. The reason why Linux distros are signing their loaders with MS key is that it's the one that will be in the list by default on any PC that has "Certified for Windows 8" sticker on it (i.e. 99% of those sold via retail channels), and they don't want users to muck around with UEFI settings.
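
An added sketch, not part of the thread and not UEFI's actual data structures or signing scheme: it models the two designs compared in the comments above, an owner-enrolled list of boot loader hashes versus an owner-editable list of signing keys, with the store write-protected once an OS is started. The `Firmware` class, the sample images and the toy textbook-RSA keys are all constructed for illustration.

```python
import hashlib

# Toy textbook-RSA keys built from Mersenne primes (constructed for this
# example: unpadded and far too small for real use).
OWNER_PRIMES = (2**127 - 1, 2**89 - 1)
VENDOR_PRIMES = (2**107 - 1, 2**61 - 1)
E = 65537


def make_keypair(primes):
    """Return (public, private) as ((n, e), (n, d))."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign(image, private_key):
    n, d = private_key
    return pow(_digest(image, n), d, n)


def signature_valid(image, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest(image, n)


class TrustStoreLocked(Exception):
    """Raised when the trust store is edited after hand-off to an OS."""


class Firmware:
    """Hypothetical firmware whose trust store belongs to the machine owner."""

    def __init__(self):
        self.allowed_hashes = set()
        self.allowed_keys = set()
        self.locked = False  # True once an OS has been started

    def _require_setup(self):
        if self.locked:
            raise TrustStoreLocked("trust store is read-only until hard reset")

    def enroll_hash(self, image):
        self._require_setup()
        self.allowed_hashes.add(hashlib.sha256(image).hexdigest())

    def enroll_key(self, public_key):
        self._require_setup()
        self.allowed_keys.add(public_key)

    def clear_keys(self):
        self._require_setup()
        self.allowed_keys.clear()

    def hard_reset(self):
        self.locked = False  # only a reset or power cycle reopens the store

    def boot(self, image, signature=None):
        by_hash = hashlib.sha256(image).hexdigest() in self.allowed_hashes
        by_key = signature is not None and any(
            signature_valid(image, signature, k) for k in self.allowed_keys)
        if by_hash or by_key:
            self.locked = True  # write-protect before the OS gets control
            return True
        return False


def demo():
    owner_pub, owner_priv = make_keypair(OWNER_PRIMES)
    vendor_pub, vendor_priv = make_keypair(VENDOR_PRIMES)
    v1, v2 = b"bootloader 1.0 (constructed)", b"bootloader 1.1 (constructed)"
    r = {}

    # Hash allow-list: every boot loader update needs a new enrollment.
    fw = Firmware()
    fw.enroll_hash(v1)
    r["hash_v1"] = fw.boot(v1)
    fw.hard_reset()
    r["hash_v2_update"] = fw.boot(v2)

    # Key allow-list: owner clears the preloaded vendor key, enrolls their own.
    fw = Firmware()
    fw.enroll_key(vendor_pub)
    fw.clear_keys()
    fw.enroll_key(owner_pub)
    r["vendor_signed_after_clear"] = fw.boot(v1, sign(v1, vendor_priv))
    r["tampered"] = fw.boot(v2 + b"!", sign(v2, owner_priv))
    r["key_v1"] = fw.boot(v1, sign(v1, owner_priv))
    fw.hard_reset()
    r["key_v2_update"] = fw.boot(v2, sign(v2, owner_priv))
    try:
        fw.enroll_key(vendor_pub)  # attempted from the running OS
        r["os_can_enroll"] = True
    except TrustStoreLocked:
        r["os_can_enroll"] = False
    return r


if __name__ == "__main__":
    print(demo())
```

The hash list rejects the updated loader until the owner re-enrolls it, while the key list accepts any loader the enrolled key has signed and nothing else.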