Slashdot Mirror
OEMs Allowed To Lock Secure Boot In Windows 10 Computers
jones_supa writes: Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.
That's a descriptive word I know gsm phone manufacturers work hard to distance themselves from, even more where it's more true.
I was nice of Microsoft to play along until the secure boot controversy was diffused and then stop backing openess. I'm not sure RMS would be completely surprised.
Seriously though, we have the choice, and the only thing that will maintain that freedom is that we express it with our dollars. Manufacturers are at OUR mercy, not the other way around.
If you can't get to the boot menu when you play with it in the store, don't buy it. Amazon will let you return nearly anything. This is a freedom we can defend.
Grabs popcorn.
You can currently cryptographically sign a Linux kernel to secure boot, You can install them alongside, or overwrite the windows signature (keep in mind, these keys are your new keys to the windows os. It's not truly keyless, so I would suggest add them alongside.) but most I.T. guys aren't even smart enough to know how it's done. It's no easy task even for Linux people. I currently make 6 figures in a support job and it was difficult for me. I've attempted it only once and was successful, but it is so not user friendly even to smart tech people. I would go as far as to say that even less than 1% of people will ever do it. The other hassle is, if you ever update your kernel in Linux which happens way more than in Windows, you have to re-sign against the new one and re-add the keys all over again alongside or overwrite.
However, I still have the ability to do it, and that's what's important. Make no mistake. This is a literal and direct attack on Linux. OEM's will not care about the few people who use Linux and will omit this ability essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux.
Unfortunately the vast majority of PC buyers are unaware and/or don't care and will buy that crap. They'll pay again when it comes time to have their computer serviced. I will only buy re-configurable and repairable hardware. I've built PCs before and I'll do it again. Not surprised to see that Microsoft's venture into openness was so fleeting.
First they invented SecureBoot, but that was OK, because you could turn it off.
Then they prevented disabling it, but that was OK, because several non-Windows bootloaders are signed.
Next up will be refusing to sign the boot loaders which simply disable SecureBoot and load Linux/*BSD. That will be OK, because Ubuntu is properly signed including the kernel (I think).
After that it will only be certain commercial vendors who can get a certificate, but that will be OK, because Red Hat Enterprise Linux 8 will run, only allowing signed kernel modules.
Yes I hate slippery slope arguments too.
Finally! A year of moderation! Ready for 2019?
People predicted that this is exactly what would happen with Secure Boot. The initial support would be optional and after a time and the phasing out of older hardware the support would become mandatory. Microsoft moving to a mandatory secure boot would fall right in line with these predictions.
The next gambit in secure boot is to disallow the user putting in their own signing keys. From that point forward the only way to get an OS on a computer is with Microsoft's signature. Secure boot could be a good thing if the user was allowed total control, but microsoft shows their true goal here, which is to take total control of the PC market. Many forget that secure boot was devised at a time when Microsoft was first facing a new Linux OS challenger that they couldn't defeat with their traditional tactics. Many people don't consider this timing to be coincidental.
Of course it will work.
This is essentially another form of DRM and as you well know that was and is still highly successful and completely crushed all piracy. People still actively seek out products that say "DRM Included" just so they can have the safety and security of knowing that a large corporate is having its own best interests protected at the expense of your product's usability.
Anyone with a marketing background will tell you this is a FANTASTIC idea guaranteed to succeed...if you pay them enough...
But seriously now.
The general livestock will buy the "coolest" and/or "cheapest" option and wont understand what the fuck is going on as per usual. It success or failure will be based on whether this affects the price point of the product (i.e. making it cheaper) or detrimentally effect its "coolness". (like DRM did)
And DRM still exists and are some of the most profitable platforms around. e.g. Steam, Itunes, netflix, etc.
You got it! We had to destroy the laptop in order to save it...
As far as I'm concerned a locked up, drm-encumbered bootloader is dead on arrival.
If I were an Evil Executive at Microsoft, my next gambit would be to apply some unofficial, off-the-record pressure to the OEMs to make sure they have no means of disabling secure boot. Requiring this outright would be legally risky, could come back to bite them in future antitrust cases, but nothing to stop them from some deniable hints that it might help get a cheaper license deal.
I don't know about you, but I really don't have time to put together a laptop from components...
SecureBoot is a reasonable thing. It's when it's under the control of Microsoft, rather than the owner of the hardware, that it becomes a problem.
Make sure the OS is composed of files that are cryptographically signed and entirely legit? Fine.
Define "legit" as being "only those things signed with Microsoft keys"? Not so fine.
The current solution of a Linux bootloader signed by Microsoft is a stupid, half-baked compromise. I wouldn't have settled for it - nothing less than the ability to load my own signing keys into the BIOS being mandatory for all SecureBoot installations. And of course, disabling it.
When I tried to update the graphics drivers for my Lenovo laptop, I got undocumented errors and a rollback. Later, on a whim, I disabled UEFI, and the drivers installed with no problem. I re-enabled UEFI afterwards, and the system still runs fine.
So unless you trust your vendor to deliver absolutely PERFECT drivers that will NEVER need updating, you wouldn't want a system that prevents you from disabling UEFI.
I do not fail; I succeed at finding out what does not work.
No, no, no, you are paranoid and delusional to think that they will keep you from disabling secure boot. Microsoft only cares about your security and safety, and you're a conspiracy theorist if you think otherwise.
A fool and his hard drive are soon parted.
For most people, its not about alternative operating systems.
Its about when they break the thing and bring it to me, and I cant fix it because I cant run any boot disks on it.
There should be a permanent sh!tlist pinned to the top of Slashdot with any vendor that promotes this scheme for "PCs".
Microsoft's long-time disruptive technology shark in the water was that they promoted a platform that was just open enough to let techies (and 3rd party vendors) on a budget customize the systems however they need. This is the essence of a "personal computer", for the MS camp at least. Now MS has jumped their own shark.
Their tepid claims of being FOSS-friendly are being shown as ultimately false. Like Apple, they still won't incorporate open A/V formats into their products and their OSes will tell you an inserted Linux-formatted volume "must be formatted before use". Heaven forbid if I ever give an EXT3 formatted flash drive to an Android user, and they decide someday to look at it with Windows. They are similarly hostile when it comes to Linux multiboot setups. Its wilful negligence that still reigns in Redmond and must be fought with tooth and nail to gain any concession.
And how necessary for security are these firmware-level lockouts?? They are not! Qubes OS employs a scheme that, in combination with a TPM, prevents a computer from being able to reproduce a chosen passphrase if its been tampered-with. No doubt, the MS excuse will be that the consumer or administrator can't be bothered to remember a sentence to verify system integrity.
I suggest rallying around vendors like this: https://www.crowdsupply.com/pu...
Eventually, we should pressure the market to open up the whole damn stack; We will probably be forced to.
This is still the wrong approach. The owner of the hardware should have the right to turn it off if they so choose. It should not be up to Microsoft. And it should not be up to the OEM. And it should not be up to carriers. And it should not be up to the government, either (might as well keep extending out the doom-and-gloom possibilities).
OEM's should listen to their customers and not Microsoft. Locking the bootloader is extremely anti-consumer and anti-competitive. The time to find out your machine is a paperweight should not be after you spent your hard-earned money buying a machine. When this whole fiasco started, there was ZERO transparency from the OEM's. You could not call Dell and ask if machine X had a locked secureboot, because the idiot support and sales people don't know. And it is not listed on the websites, the manuals, or the boxes.
>"So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux uses would be just fine."
And what about Mageia?
And what about FreeBSD?
And what about FreeDOS?
And what about VMWare VSX?
And what about that hard drive diagnostic disc?
And what about that RAID controller utility?
And what about any number of many dozens of OSes, utilities, and distros?
The "solution" is not to try and get everyone to play by the stupid secureboot "rules" that MS is trying to force on everyone. The solution is to have ALL machines give the owner of the machine the CHOICE to decide if they want secureboot on or off.
Microsoft saying it is "optional" means it absolutely won't be optional when they start putting behind-the-scenes (and probably illegal) pressure on the OEM's to start the lockdown.
Pressure? Not at all. There'll just be a ... "discount" if you do. This has happened before, and it'll happen again. It's within M$'s nature to rub out its competitors by pressing every advantage; it can't help itself.
ELOI, ELOI, LAMA SABACHTHANI!?
When we pointed this out years ago, the Microsoft trolls told us to stop being silly, because it was optional and Microsoft would never, ever think of changing that. Why, the very idea!