Slashdot Mirror

← Back to Stories (view on slashdot.org)

OEMs Allowed To Lock Secure Boot In Windows 10 Computers

Posted by Soulskill on from the feel-free-to-do-whatever-we-want-with-your-new-computer dept.

jones_supa writes: Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.

9 of 362 comments (clear)

  1. I can't wait for the Linus Torvalds rant over this by Anonymous Coward · · Score: 5, Interesting

    Grabs popcorn.

    You can currently cryptographically sign a Linux kernel to secure boot, You can install them alongside, or overwrite the windows signature (keep in mind, these keys are your new keys to the windows os. It's not truly keyless, so I would suggest add them alongside.) but most I.T. guys aren't even smart enough to know how it's done. It's no easy task even for Linux people. I currently make 6 figures in a support job and it was difficult for me. I've attempted it only once and was successful, but it is so not user friendly even to smart tech people. I would go as far as to say that even less than 1% of people will ever do it. The other hassle is, if you ever update your kernel in Linux which happens way more than in Windows, you have to re-sign against the new one and re-add the keys all over again alongside or overwrite.

    However, I still have the ability to do it, and that's what's important. Make no mistake. This is a literal and direct attack on Linux. OEM's will not care about the few people who use Linux and will omit this ability essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux.

  2. No boot? by Anonymous Coward · · Score: 3, Interesting

    "the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot"

    Does that mean that IF malware infects the bootloader, the OS will not boot, BRICKING IT? Seems like an easy way for grandmothers to lose their whole computer with a click of the mouse.

  3. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 2, Interesting

    It doesn't matter what you buy. If the locked laptop is $10 cheaper than the one where you can install a hippie OS that nobody* uses anyway, then the majority of customers will choose the cheaper device, and manufacturers of more flexible hardware will lose out in the market.

    Exactly so.

    The end result of this road is mad-expensive hardware for servers at a 500% price premium, and low end locked down hardware for consumers that can't boot "inconvenient" OSs that give the user control of their own computer.

    People who say "but servers!" miss the point: the average Joe will get priced out of that market.

    After that, it's not long until online gaming requires an "authenticated" system. Then banking and online shopping, because safety.

    That's where this road goes. Just wait and watch.

  4. Toooold Youuu! by linebackn · · Score: 2, Interesting

    Yep, told you so.

    I'd hope somebody keeps a public list of machines that are locked down. Although that probably won't keep the masses from buying.

    This is "optional" for OEMs in the same way as they have the option to have MS break their legs or not.

  5. Re:Slippery slope by IamTheRealMike · · Score: 3, Interesting

    Unfortunately, it's not really Microsoft pushing us down this slippery slope. If anything it's the NSA.

    The problem is boot sector or BIOS malware is now a real thing that needs real defences. It's not some obscure academic attack any more. Securing the boot chain is the only known way to fix this.

    The real issues start once malware begins using Linux to install itself. That is, "I cannot infect or modify Windows because of the secure boot check. But I can install Linux and then load a special kernel module and then make the kernel chain into the Windows boot process after modifying it". So then you start needing signed kernels to check for signed kernel modules, etc. Eventually you end up with hardware that only runs signed code, and it's not because of some evil DRM conspiracy but because the openness of the PC platform has caused it to be so thoroughly bum-fucked by malware developers. I mean what are the manufacturers meant to do? Leave their 99% Windows userbase vulnerable to spying and horrible un-removable viruses because Team Linux has never managed to get OEMs on board to make Linux laptops? Doesn't make any sense, regardless of where your software sympathies may lie.

  6. You also disable UEFI for driver updates by msobkow · · Score: 5, Interesting

    When I tried to update the graphics drivers for my Lenovo laptop, I got undocumented errors and a rollback. Later, on a whim, I disabled UEFI, and the drivers installed with no problem. I re-enabled UEFI afterwards, and the system still runs fine.

    So unless you trust your vendor to deliver absolutely PERFECT drivers that will NEVER need updating, you wouldn't want a system that prevents you from disabling UEFI.

    --
    I do not fail; I succeed at finding out what does not work.
  7. Re:I can't wait for the Linus Torvalds rant over t by Dutch+Gun · · Score: 3, Interesting

    Microsoft is now saying that OEM hardware that doesn't allow disabling secure boot would still be "Windows 10 certified". What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes? I have a hard time seeing this happening for PCs. It seems more likely that this is actually intended for smaller-form-factor hardware like phones or tablets, similar to how Apple attempts to lock down the devices they sell. It's hard to say since all versions of the new OS are simply called "Windows 10".

    Regarding PCs though, I can think of nothing that would generate a new anti-trust lawsuit faster than this. MS had better walk damn carefully here if they do ANYTHING that could be perceived as unfairly locking Linux and other OSes from PC hardware. Frankly, I think the first OEM to try this is going to generate a shitstorm of controversy the moment an unsuspecting user tries to install Linux in a secondary partition or to replace Windows altogether. While it's good to be aware of this and watch to see how things go, I don't think the sky is falling quite yet.

    So, that being said... Can anyone explain to me why Microsoft can use the Secure Boot feature but Linux can't offer the same as an "out of the box" experience? Or why Windows can apparently be patched and continue to work, while Linux somehow can't? Is this true for Linux in general, or just for people who modify and compile their own kernel (which I'm guessing probably isn't that many)?

    --
    Irony: Agile development has too much intertia to be abandoned now.
  8. Re:and laptops? by Lumpy · · Score: 3, Interesting

    I do.

    http://www.amazon.com/MSI-937-...

    Start there and buy the other parts. anyone semi competent can build one in under an hour. Guarentee MSI bare bones systems will not have secure boot locked and enforced on you.

    --
    Do not look at laser with remaining good eye.
  9. Re: No longer required by jcdr · · Score: 3, Interesting

    If I understand you correctly, this confirm the possibility that Microsoft have the possibility to manage 2 classes of keys: the first keys class is the current one where Microsoft is willing to sign binaries not from them; the second keys class could be for 'lock in' machines where Microsoft keep full control on.

    To be fair, I think that the 'lock in' keys class it's a logical step for Microsoft branded machines. But this could go very wrong if OEMs start to do the same by using the argument 'designed for Microsoft OS' because this will add 'and nothing else could run on it' to the argument. I suspect that the goal is to reserve top machines specifications to Microsoft and to only allow degraded specifications machines to run other OS. The market already have products with this kind of bias.

    And yes, you are right. This evil plan was draw decades ago with the deep knowledge that it will only work at the time when the security feature will be so standard that no chip will be manufactured without it anymore.

    The fact that Windows 10 is announced to be virtually free for almost everyone having a previous copy of Windows somewhere is a clear singe that the time have changed. The OS have no value anymore. The number of new software that only run on a single OS will drastically shrink, exacerbating the OS value problem. So the 'lock in' machines with exclusive specifications will be the only market where Microsoft could make money from the OS.

    From my analysis, the Microsoft message is dual: 1) you don't need anything other that Windows 10 as it's virtually free for everyone; 2) You need Windows 10 to run top specifications machines. OEM market will almost certainly split the product range accordingly if no reaction prevent this.