Matthew Garrett Makes Available Secure Bootloader For Linux Distros

TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."

Yay!

[wgoodman]

I'm really proud of him and I really hope that there is no ensuing lawsuit for violating some sort of propitiatory BS.

Re:Yay!

violating some sort of propitiatory BS

Yeah I really hate all that appeasing the gods BS, too.

Re:Yay!

He violated nothing. The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers. Nothing stops independent HW dealers in Asia or wherever from selling directly to consumers. Look at Google, Amazon, and other large companies. They design and buy their HW direct from the manufacturer, cutting out the middle man. Cutting out the middle man is ALWAYS the right thing to do. No one is entitled to a profit. No one has the right to demand I buy from them and their overly-capitalist markup system. Screw all that.

I am going to start looking into buying from the source, even as a consumer. I have the right to buy from the source just like a company. I'm tired of dealing with the MS tax on computers. MS was and is a monopoly. I have used Linux as my home desktop/laptop system since 1998 and now this is happening. Screw any and all who would attempt to even try and dictate my actions with HW I've paid money for.

Re:Yay!

You should never care if it is an AC.

It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

Re:Yay!

Cutting out the middle man is ALWAYS the right thing to do.

Next time you're sick, I'll call the undertaker.

Re:Yay!

[TheRealGrogan]

Here's what's funny. The chainloaded "Grub" boot loader is actually circumventing the secure boot, because it has its own "OS kernel-like" functionality until it passes control over to the kernel components that it's booting. Grub was used to circumvent Microsoft's DRM, and now it will be used to circumvent their secure boot nonsense. I love it.

Grub is way more complex, knowledgeable (figuratively speaking... it's got high level filesystem drivers etc.) and functional than any bootloader Microsoft would envision. They'll be crying foul. Not only will this be used to boot Linux, but it will also allow booting any other OS without signing.

Re:Yay!

[Immerman]

Only out of fear of an anti-monopoly response I'm sure. They're requiring the exact opposite (no bypass possible) to certify ARM-based devices.

Re:Yay!

[thegarbz]

The problem is karma actually provides a good system for weeding out the abusive troll, but not the clever troll. People who register an account and act like many of the ACs here will end up with a very poor default karma and thus their comments will be hidden per default slashdot settings. Yet if you post something completely indifferent you will still end up with karma that gives you a default score of 1 when you post.

That's the only reason I signed up for an account. I had things to say, and they never got read. An AC's default post score means they show up as hidden comments, which is sad because sometimes they can be quite insightful.

Re:Yay!

[epyT-R]

oh how terrible. Words you were told were 'bad' by your parents/society still cause you such harm that... seriously? Grow a pair.

what part of having/not having an account would prevent overly sensitive sorts like yourself from modding it down? ..and the term 'trolling' now has no meaning because, nowadays, it is mostly used to mislabel statements one doesn't agree with as an ad hom attack.

Re:Yay!

[TheRealGrogan]

The signing process is relatively mechanical... Joe Blow could do it (with the proper notarization) and there is no way they can consider the full functionality of the binary that you upload to be signed. You put your credentials on the line, you pay the money, you get your binary certified. If it's bad, then there is someone to go after. The way they have set this up, it can only be reactive.

The implications of this will not make them happy. I'm betting that you would realize that this is being done for more than just our "safety". They want to make it a pain in the ass to use anything else, especially with Windows RT on ARM (where you can't allow secure boot to be disabled if you want your shiny Windows 8 compliance sticker), where they think they can seize control now at this crossroads. Windows 8 is designed to steer everyone towards the Microsoft Software Store.

This signed Grub shim is a wildcard, and it only needs to be done once. A barrier has been removed, that will rightly enable others to skip the BS.

You're right though, given that they followed due process and are not malicious, Microsoft will not be able to do anything about it. It is, however, my opinion that they will complain, as this was not the intent of the signing process.

Re:Yay!

[shutdown+-p+now]

Given the amount of press coverage that this whole story has been getting, I very much doubt that the people in charge of the process are not aware of it. And it's not like there are many of those signing requests coming in. I mean, really, how many other companies would need to sign their bootloader with MS key? all Windows OEMs just use the standard Windows bootloader; I wouldn't be surprised if, so far, this has actually been the first and only such request.

Also, did you actually read about how the signed shim works? It doesn't just quietly chain-load whatever you want. It always prompts the user about what it's doing and why, and it gives them the opportunity to add the key for whatever it is that it's going to load to the UEFI key store - so that for future boots it just works. So it can't be used to silently load any random OS (or malware) The whole scheme is rather elaborate, and it looks like it's a compromise that was worked out between the guy who wrote the shim, and the folks in charge of signing it.

Also, my understanding is that this signature will only work on Intel, not on ARM.

How does this work?

[knuthin]

Can anyone explain me like I am 5, how this must be working? Or speculate?

Re:How does this work?

[Kergan]

In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.

In more complicated terms, I'll defer to the wiki page.

Re:How does this work?

[schitso]

thus preventing people from using their hardware as they see fit.

FTFY

Re:How does this work?

[scheme]

Right, because you have no right to do that with a device you supposedly own.

The specs already require that the x86 EFI allows you to load your own key. This is just something to let you install and use linux or other OSes without having to go through the process of loading your own keys into the bios and instead using the ms key that's already been loaded.

Re:How does this work?

[mystikkman]

This is a losing battle, there are too many uninformed posters who can't understand such technical matters. You reply to one and 5 other posts come up saying the same wrong things and still modded up. This is happening since a year, there's no use. The smart neckbeards have been replaced by 14 year old kids who don't know what they're talking about and only read headlines and other raving modded retarded rants by the likes of BMO.

Re:How does this work?

[Nerdfest]

I understand the issues quite well. The GP seemed to be stating that people have no right to run as root on their own hardware. It was actually unrelated to UEFI. Personally, I don't have that much of a problem with UEFI other than it's Microsoft administering it and it makes it much more difficult for an average user to install Linux (I think that's the actual motive behind it). Hopefully this boot shim will help solve the ease of use issue.

Re:How does this work?

[Billly+Gates]

What is needed is a pairkey system. THe first seed could be the serial number of the CPU. This way a piece of malware can't sign itself and each set of keys would be different for each PC.

You simply through a EFI utility connect to the internet to a keysigning service and another key is generated to sign the boot image. Easy. Perhaps put a special locked master key that only Intel knows for this process.

Linux, FreeBSD or any other OS can interact with the EFI to upload the key and sign itself in a standard way. Who the hell at Intel thought it was a good idea for WIndows 8 to get the key? Guess what?

If the key is just a string of binary code. It wont take long for someone to find it and then use that string of code to sign their own malware as legit and prevent AV software from deleting it. Just stupid to have one master MS key that anyone can see.

In actuality I like the idea of a signed Windows 7 kernel on my PC if it can reduce malware. Just not having MS do it.

Re:How does this work?

[LordLimecat]

Why couldnt the romanian hackers use the signed chainloader to load their code?

Re:How does this work?

[mjg59]

It'll only boot grub if grub is signed with a key that a physically present user has manually enrolled. If you choose to enrol a key that's been used to sign a grub that'll then boot anything (including viruses) then you're vulnerable, but such a virus would only be able to infect systems with that key installed - anyone who hasn't installed that key still gets the protection.

Re:How does this work?

[AdamWill]

Try reading the OP.

This is a build of shim that's signed by Microsoft. It has particular properties. It is intended to be distributed by small Linux distros, with their own key as config data. When you boot it, it offers you the option to trust a single specific key - the key it was provided to you with. You have to specifically perform a certain operation to trust the key.

What all this wiggling achieves is allow to say 'I trust the entity that provided me with this key to provide an operating system for my machine'. The safeguards prevent it from being used for malware, unless you're _really_ dumb and, when this screen pops up on your system after you install something you didn't think was an operating system, you carefully jump through all the hoops to allow it to nerf your system.

So Microsoft is happy because the malware path is very unlikely to occur, and the Linux distributor is happy because if the person really is installing an alternative OS, all they have to do is navigate a menu once in order to say that OS's key is trusted, and from then on, that OS can function with SB enabled indefinitely.

Clear?

Re:How does this work?

[AdamWill]

It is signed with Microsoft's key.

Re:How does this work?

[AdamWill]

You mean, 'on your Windows RT device'. Which, if you don't want to deal with the restrictions on, you don't buy. Just like if you don't want to deal with the restrictions on an iPad, you don't buy an iPad.

Clarification

[ClaraBow]

Will someone one please clarify for me if we will always be able to buy computers without a securebootloader, or will I have to deal with this shit sometime down the road. Thanks!

Re:Clarification

[MysteriousPreacher]

Micro$oft and Windoze? Have you recently emerged from 15 years in stasis? To bring you up to date...

Madonna is still shit and now looks like Iggy Pop.
9/11
Year of Linux on the desktop is imminent
The president's black
The Rolling Stones aren't dead
We sent cool shit to Mars
World didn't end but will end again later this month

Re:Clarification

[Nerdfest]

Of course you can add to that list:
  - Microsoft still doing things to suppress competition.
  - Apple has joined them.

They earned that dollar sign. The OS is a bit better behaved than 15 years ago, although NT was pretty quick.

Re:Clarification

[serviscope_minor]

And Duke Nukem Forever was released.

Re:Clarification

[MysteriousPreacher]

And Duke Nukem Forever was released.

Steady on there. We don't want to overwhelm him.

Re:Clarification

[Billly+Gates]

If you refuse to do business with Microsoft you wont be in business very long

Kudos

[cheesybagel]

The man delivered! I really hate not being able to use GRUB or some other bootloader anymore. Why the heck can't I choose what to install on the computer I bought with my own money? Imagine you were Linux Torvalds trying to write your own operating system but in a computer with UEFI enabled.

The way to get the key is also particularly weird. It's like Microsoft has gone out of their way to make it so you need to use Windows to get a key. .CAB files, Silverlight applications, .exe to generate a key, etc.

You can't even choose not to enable UEFI anymore. I bought a 3 TB hard disk recently and the BIOS isn't able to see anything above 2 TB on a non-UEFI system without GPT partitions.

Re:Kudos

[cheesybagel]

s/Linux/Linus/ Sorry dude.

Re:Kudos

[recoiledsnake]

First UEFI != UEFI Secure Boot.

Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.

Third, the keys are editable, i.e you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are setup that way to stop undetectable bootkits infecting your mom's computers because just wants to run Excel and doesn't know or care about signing keys and hashes.

There is so much FUD and misinformation being spread by stupid people.

Re:Kudos

[bmo]

But to get your own key, you have to shell out 99 bucks.

That's fucking galling. It's a tax.

--
BMO

Re:Kudos

[jonwil]

No.
The $99 fee is if you want to get stuff signed with the default Microsoft keys (or rather, with a chain-of-trust that ties back to the default Microsoft keys)

Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.

Re:Kudos

[cheesybagel]

The Microsoft key comes pre-loaded with every BIOS. Try installing your own key in the UEFI boot key store and see how easy that is. Microsoft users just pop in a DVD and install. Linux users can't do that.

Re:Kudos

[greenbird]

Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

It's a much bigger deal than apologists are making it out to be. It's a big step in making the switch to Linux MUCH more difficult.

For the last ten years or so Linux has been easier to install on a raw machine then Windows. Microsoft finally came up with a way to reverse that. And of course it has nothing to do with making their OS easier to install.

Also no more booting a live CD/DVD so you can try things out or show them to someone. No more Knoppix STD when you're trying to figure out what crap your mom got on her computer this time or recover data from a flaked hard drive. Etc, etc...

Fuck secure boot.

[bmo]

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarassed into doing the right thing.

Secure boot was never about protecting the end user.

--
BMO

Re:Fuck secure boot.

[budr]

What BMO said. Where's a +10 when you need it.

Re:Fuck secure boot.

[zakeria]

exactly; this is just another attempt to stifle and forthcoming competition in the OS development arena and at the same time helping to cement the belief in people that the PC only has one true OS that should be running on the machine namely Microsoft Windows!

Re:Fuck secure boot.

[bmo]

There was a time when the community embarassed Intel into not putting serial numbers into their processors.

I miss that time.

We have become soft.

--
BMO

Re:Fuck secure boot.

[bmo]

If you could generate a self-signed key for free, then I would have less of a problem with this.

But to get a key, you have to pay a notary and prostrate yourself before Microsoft and get their blessing, for 99 bucks. It's a tax on kernel builders and hobbyists who compile their own kernels with experimental patches - a tax on progress for BSD, Linux, Haiku, everyone who isn't Microsoft. It's also a hoop to jump through deliberately engineered to scare the less informed and to make it inconveniient to use a different OS for end users.

It doesn't protect end users one bit, because boot loading malware is scarce these days since it's just easier to attack the user with his own permissions, never bothering to escalate from userspace to kernel space. Because it's "good enough." There are enough dumb users out there that will click on anything to get a purple cow for Farmville that engineering a boot hijacker is too much like work for the botnet herder. Basically because there is no antivirus out there that can protect a computer from Layer 8 dumbassery.

It's a tax, an inconvenience, and it does absolutely nothing in reality to protect the end user.

Yet you see no problem with this.

--
BMO

Re:Fuck secure boot.

[digitalaudiorock]

Oh to have mod points!...If people keep working around this crap rather than voting with their wallets they're saying it's OK. Everyone who gives a shit about this MUST refuse to buy any computer with secure boot...period.

Re:Fuck secure boot.

[bmo]

" Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice."

A half truth is a whole lie.

Stop lying.

The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED AND MUST NEVER BE TURNED OFF

Shill.

--
BMO

Re:Fuck secure boot.

[Multiplicity]

No, no, no. You got it wrong.

I hate this whole kerfuffle as much as everybody, but the part about not being able to load self signed keys isn't correct. You can load self-signed keys into the UEFI boot key-store right from the UEFI UI. Of course that will prevent Windows 8+ from booting, but that's another story. You can disable it altogether, with the same result.

So you can either disable secure boot or have your own chain of trust separated from Microsoft and boot other OSes. BUT if you want to boot Windows 8+ you have to enable it and use Microsoft's chain of trust, and is in THAT case, when you want to also boot other OSes you must have the other OSes bootloaders signed by Microsoft.

This shim bootloader represents a convenience to the users of that specific case (which indeed is the most common one). They have a "generic" Microsoft-signed bootloader along with some tools to extend a chain of trust from that bootloader to another one, and this second one won't have to get through the dreaded certification process (which indeed forces you to use Windows).

The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boicott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.

Re:Fuck secure boot.

[bingoUV]

Yes, and Microsoft has immunized users against questions from their computer using UAC so the user will say yes, do what you want and let me do my work. So yes, genius.

Re:Fuck secure boot.

[bmo]

You didn't read past his first sentence.

You don't need to infect the boot to hose the user. It's so much easier to hose the user through normal channels - piracy, troans, spyware, annoyware (toolbars, etc) and "legitimate" software that has "we'll hose you when we like" in the privacy statement that never gets read.

Step 1. Take a popular software package. Bundle malware with it that passes the top 10 scanners.
Step 2. Upload to usenet, direct download sites, and torrents.
Step 3. Wait.
Step 4. Botnet. There isn't even a ????????? here.

Infected boots are a minuscule problem.

--
BMO

Re:Fuck secure boot.

[recoiledsnake]

This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street

You don't seem know much about malware and how it works. Here are some references about boot malware which UEFI secure boot can prevent.

http://www.chmag.in/article/sep2011/rootkits-are-back-boot-infection

http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/

http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft

I recommend reading atleast the first link.

Here's one juicy bit:

TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.

When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.

The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.

The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.

The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.

TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.

All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.

Another bit:

The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.

Re:Fuck secure boot.

[mjg59]

"With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"

openssl req -new -nodes x509 -outform DER -out sig.crt -keyout signing_key.priv

And then enrol it with mokutil or MokManager from shim.

Re:Fuck secure boot.

[Multiplicity]

If what you say is true, it would certainly complete the picture.

It still wouldn't mean the certification is not retarded, but it would certainly show the real direction for the FLOSS communities to push for. I began instinctively taking UEFI / SB as something "bad / anti freedom" mainly because of how it was tainted by Microsoft being the only root signer available at the launch of the technology, their certification program, and the inexcusable fact that they forbid disabling SB / managing keys in the ARM platform. But also, and not the least because I completely ignored how the technology works and the background (like BMO and such show clearly here).

There's huge amounts of misinformation, as we can see in this very same thread, where sensationalistic posts like "FUCK UEFI" get all the eyes and everyone goes idiotic "ZOMG DIE MS SHILL" at the slightest attempt of analysis and information gathering that is the basis for any real solution.

All this current whinning crap won't help us to get anywhere, apart from one or two assholes thinking for a day they are raising the glorious flag of freedom. It is imperative that we start educating ourselves and reach consensus towards more robust solutions; IMO this shim is good, for now, as a temporary one. I long for a more robust and permanent solution which I now begin to think could be, like you say, in the form of a signing infrastructure maintained by some big FLOSS player, like EFF/FSF/LF, and with acceptance by the OEMs and manufacturers.

Re:Making No Sense

Read his blog, he explains it all.

Basically, the Shim is signed with the Microsoft key, it will load on any system which trusts that key (i.e. every system out there).
The Shim will then load anything that's signed with any of the keys in the secure boot trust database, but it will also allow you to add keys to that trust database yourself.

For example: if you try to boot from a SuSe install DVD is will first start the Shim (which is trusted, because it's signed by Microsoft). The Shim will then ask you if you want to load whatever the DVD is trying to start, optionally installing the key used to sign what you're trying to start.

The end result is that John Q. User just needs to be told to push the 'Enroll key' button when he's installing SuSe/RedHat/Debian/... He doesn't need to be told how to disable Secure Boot, or how to install the SuSe/RedHat/Debian/... key into his system (which would be different for every system).

Doesn't work

I happen to have a computer with Secure Boot enabled by default. Matthew Garrett's boot loader doesn't work while Secure Boot is enabled. The reason being that the machine will not (repeat not) boot from any device except the hard drive unless Secure Boot is first disabled. The steps to load any OS, with or without Secure Boot support, goes like this:

Enter into UEFI control panel.
Disable Secure Boot
Enable Legacy boot options
Enable specific Legacy device, such as DVD drive
Save settings and reboot.
Change boot device to DVD

If Secure Boot is turned on, "Legacy" devices can not be used to boot the computer. Therefore having this boot loader doesn't do any good on machines with Secure Boot enabled. It has to be turned off just to access the installation media.

Re:Doesn't work

[mjg59]

If your system currently has Windows 8 installed, then do this:

1) Insert the install media
2) Mouse to the bottom right
3) Select "Settings"
4) Click "Power"
5) While holding down shift, click "Restart"
6) Click "Use a device"
7) Click your install media

This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.

Re:Do not disagree with Garrett

Why does it matter? Because it could ruin your reputation, even wreck your career?
http://www.itwire.com/business-it-news/open-source/57290-garrett-slams-tso-as-rape-apologist

Garrett is scum.

Must ship with a way to turn off Secure Boot

[tepples]

Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off.

Re:Must ship with a way to turn off Secure Boot

[complete+loony]

But there is no standard specification for *how* secure boot can be turned off. Or *how* the user can install a new key. It's the question of "how" to guide the user through the firmware screens that prompted the development of shim in the first place. This way there's one component with a known UI to guide the user through.

Secure Boot in custom mode

[tepples]

With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

By setting Secure Boot to custom mode and installing the self-signed key. Microsoft requires makers of x86 and x86-64 PCs to allow neutering Secure Boot as a condition for Windows 8 certification, just like Google requires a device to have Android Debug Bridge open as a condition for access to the Google Play Store. The strict game-console-style lockdown is only for Windows RT.

Re:Secure Boot in custom mode

[bmo]

>The strict game-console-style lockdown is only for Windows RT.

As if this makes it ok.

An ARM computer is just as much a real computer as one with an IA64 processor in it, especially when the new ARM processors coming out support 64 bit computing

Why shouldn't I be able to put Linux or any other OS compiled for ARM on an ARM machine? An ARM laptop running Linux would be a nice thing with longer battery life than what can be found with Intel processors. Why do I have to supplicate and offer $$ to Redmond, from where I did not acquire the OS?

Brushing this off as if it doesn't matter "because you Linux guys only care about i386 and IA64" is disingenuous.

And like I said earlier, just because one company (apple) does it, doesn't mean it's OK for other companies to follow suit. Apple perverted the concept of a repository. This is not supposed to be a blueprint for other companies.

--
BMO

Re:Making No Sense

[mjg59]

Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.

Re:Matthew Garrett FTW!

[Multiplicity]

I kinda agree, but from some answers here I'm starting to think that what should've been there from the beginning isn't a shim, but an alternate root signer / signing infrastructure not controlled by Microsoft. Some key Linux players were offered the chance to maintain this, but they declined. The technology launched with just one signer, and thus this confusion began, where everyone and their dog think that because every x86 mobo comes with MS keys, and the only signer is MS, then UEFI == MS. Which is not.

If the EFF/FSF/LF or for the matter (least preferably) Red Hat or Canonical would support a keysigning infrastructure, things would be more balanced, but they would have to divert their resources to do that, and be accountable for the binaries they sign. Instead they willingly choose to let Microsoft to be the one signer around.

Regarding ARM, it sucks, but it's exactly the same any other ARM player has done, and subject to the same circumstances.

Two previous versions

[tepples]

Just because Microsoft has to support PCs that don't have secure boot doesn't mean they can't force machines that do to be Microsoft only.

UEFI can't tell that Windows 7 is a Microsoft operating system because Windows 7 doesn't carry a UEFI Secure Boot signature. Therefore, end users exercising downgrade rights will have to turn off Secure Boot to use Windows 7. And the page about downgrade rights implies that downgrade rights appear to cover the last two major versions: Windows 8 licensees can downgrade to 7 or Vista, and Windows 7 licensees can downgrade to Vista or XP. So Microsoft will more than likely allow end users to turn off Secure Boot until Windows 9 is no longer available, and that page states: "Note that end user downgrade rights will be available through the sales life cycle of Windows and Windows Server operating systems, which is up to two years after the launch date of a new version." So companies concerned about the Secure Boot problem have until two years after the launch of Windows 10 to plan their migration to hardware with a drawing of a penguin on the box. This could be seven or eight years from now.

The Windows 7 downgrade option can end tomorrow

From the page about downgrade rights: "Downgrade rights are an end-user right, documented in the Software License Terms that customers accept upon first running Windows software." If the Software License Terms are in fact a contract, then they bind Microsoft just as much as they bind the end user.