Wednesday, September 21st 2011
Windows 8 Secure Boot: Designed to Lock Out Linux?
Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would boot only from a digitally signed image whose signature chains back to keys built into the PC. Microsoft is pushing hard to make this mandatory, so that users cannot override it. This feature would have the handy benefit of excluding alternative operating systems such as Linux and FreeBSD, according to Professor Ross Anderson of Cambridge University and other industry insiders. Also, it's not at all clear that it actually protects against viruses and other malware; it appears to be designed solely to appease corporate self-interest in unbreakable Digital Restrictions Management (DRM).
Source:
The Register
UEFI supersedes the 30-year-old veteran BIOS found in most PCs today, which is very inefficient and slow for modern PCs, carrying a lot of old, legacy compatibility baggage that's just not needed in today's PC. UEFI, a key component of Windows 8, is designed to work on several CPU architectures, such as ARM, and is streamlined and efficient. It also includes a much improved graphical interface that replaces the keyboard-driven menu system of the BIOS.
If the changes are adopted, then any system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. Tech blogger Matthew Garrett explains that while a signed version of Linux would work, this poses problems:
Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2, which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith.
Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.
However, there's no need to panic just yet, concluded Garrett:
There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market.
The effect of all these changes is to return to the dark days of 2003, when the Trusted Computing platform was being pushed as a way to completely DRM your entire PC to satisfy the content industries. However, this version will be far worse:
These issues last arose in 2003, when we fought back with the Trusted Computing FAQ and economic analysis. That initiative petered out after widespread opposition. This time round the effects could be even worse, as 'unauthorised' operating systems like Linux and FreeBSD just won't run at all. On an old-fashioned Trusted Computing platform you could at least run Linux - it just couldn't get at the keys for Windows Media Player.
Anderson concludes, on Cambridge University's Light Blue Touchpaper blog, that this restrictive technology might violate EU competition law:
The extension of Microsoft's OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate.
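Added here as an illustration, not code from the article or any of its sources: a Go model of the policy the article describes, where the firmware runs an image only if a key in its enrolled signer database verifies it, so what boots depends on which keys the OEM shipped and whether a disable option exists. The key names, file names and the use of Ed25519 in place of UEFI's X.509/Authenticode signatures are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Firmware models the policy the article describes: an image boots only if a key in
// the allowed-signer database (db) verifies it, unless the OEM ships a setup option
// to turn the check off. Assumption: real UEFI checks X.509/Authenticode, not Ed25519.
type Firmware struct {
	SecureBoot bool
	DB         []ed25519.PublicKey
}
type BootImage struct {
	Payload []byte
	Sig     []byte // nil for an unsigned "generic" loader
}
func SignImage(priv ed25519.PrivateKey, payload []byte) BootImage {
	return BootImage{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

func (fw Firmware) MayBoot(img BootImage) bool {
	if !fw.SecureBoot {
		return true // check bypassed: anything runs, signed or not
	}
	for _, pub := range fw.DB {
		if ed25519.Verify(pub, img.Payload, img.Sig) {
			return true
		}
	}
	return false // nothing in db vouches for this image
}

// Outcomes runs the article's scenarios with constructed keys: Windows signed by
// "Microsoft", an unsigned generic Linux loader, then enrollment, then disable.
func Outcomes() (windows, genericLinux, enrolledLinux, disabled bool) {
	msPub, msPriv, _ := ed25519.GenerateKey(rand.Reader)
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader)
	fw := Firmware{SecureBoot: true, DB: []ed25519.PublicKey{msPub}}
	windows = fw.MayBoot(SignImage(msPriv, []byte("bootmgfw.efi")))
	linux := BootImage{Payload: []byte("grubx64.efi")} // no signature at all
	genericLinux = fw.MayBoot(linux)
	fw.DB = append(fw.DB, distroPub) // distro key enrolled alongside Microsoft's
	enrolledLinux = fw.MayBoot(SignImage(distroPriv, linux.Payload))
	fw.SecureBoot = false // the OEM's "disable Secure Boot" setup option
	disabled = fw.MayBoot(linux)
	return
}
func main() { fmt.Println(Outcomes()) } // prints: true false true true
```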
84 Comments on Windows 8 Secure Boot: Designed to Lock Out Linux?
LOL. The Register should probably hire a technical editor.
en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
This really sucks for cheap, exceedingly cheap, OEM boards that don't allow you to flash your BIOS/EFI . . . For everyone else, meh
Also, Microsoft is going to have to bribe the pants off the Unified EFI Forum to get them to make this change. I'm not saying they won't-- but they will have to.
Furthermore, I guess Microsoft won't be allowing virtualization of Windows 8? That should go over well with corporate consumers. :rolleyes:
The only problem I foresee is with laptops but I'm sure that some enterprising users or even a manufacturer or two will make sure that some models come with the option to turn off the signature.
Some of the software I've used and set up for friends and family on their PCs makes use of a run-at-boot program to more efficiently clean the system. I hope this isn't going to break that.
Also other things like DBAN or Memtest86+.
there will surely be "enthusiast" motherboards that aren't "certified", they may come up with a moniker, like "windows 8 guaranteed" or "ready" or something.
this is really more for the likes of dell, gateway, acer, etc. who you know do care about being "certified".
it does show the direction microsoft is headed. i see them eventually only allowing hardware with drm to run windows.
To those of you that think I'm overreacting about Microsoft using BIOS signing to lock out Linux and other operating systems, check out this little extortion racket they're playing on Casio. Yeah, it's my belief that the whole SCO saga was orchestrated by Microsoft to try and make Linux illegal, it's just a shame that the cover-up was so good that the smoking gun wasn't found.
Techdirt
in order to allow secured boot, they will need to follow msofts rules. since the signed os bit is part of UEFI anyway, i'm not sure what rules microsoft will impose, but this is fancy speak trying to hide the fact that they WILL mandate and control firmwares that enable secured boot for windows.
not saying that does or doesn't make sense, they just deliberately tried to hide that point.
it is NOT required to run windows 8, it's only required IF you want the fancy "designed for windows 8" cert
so here we go again people are over analyzing and creating dots to connect
tl;dr >
if an OEM wants to have their machines labeled "made for windows 8" then they need to ship the board Secure-boot capable and with it _enabled by default_. now this doesn't mean they WILL bother to include an option to disable it in the uEFI setup, but that's not Microsoft's or uefi.org's problem
k we are done here
- you were late to the party on that one, that was part of the ORIGINAL unedited announcement
[/offtopic]
and no I didn't prepare any _statements_, what I wrote is what I meant and it's what I'll stand by
the problem I have with the foss community in general has nothing to do with my posts. I know Microsoft has a dark side and that has ZERO bearing on my post; until it's said and DONE all that exists is unfounded FUD and misunderstanding
I FULLY understand HOW IT COULD be used and it doesn't mean it WILL, so jumping on the ideological let's-hate-microsoft bandwagon just because some of the foss community is BUTTHURT that their product doesn't have a 50% desktop market share does not give people the right to ASSUME that "this is this and this will be used like this"
and to wander a bit more off the topic path since that seems to be the point of this thread ... the only ones at fault for linux/GNU's lackluster "market-share" are the coders and community that are responsible
it's all about the dollars and linux/GNU is no different
I could guarantee that if Linux was as big as windows and was on every desktop pc
there would be ungodly amounts of cash involved and all kinds of corporate-reindeer-games
if Microsoft was GNU-linux and Linux was Microsoft then it would still be the same deal
back room deals and lawsuits up the yang hole
As someone said, the price of freedom is eternal vigilance, or something like that. :p It was somebody famous, I might google it later, lol.
and everyone else does it. that's your argument? that makes it all the more essential to stand up to every instance of it, not to berate people for recognizing it - as you have.
it IS AN OPTIONAL UEFI.org SPEC NOT A Microsoft one
www.uefi.org/learning_center/
www.uefi.org/learning_center/UPFS11_P2_SecureBoot_Insyde.pdf
Microsoft is making use of an OPTIONAL tech and y'all are having a panic attack
how much fking clearer can I be, and according to the nice fking pdf that no one has seemed to rtfm'd, in order for a vendor to be fully UEFI 2.3.1 compliant there needs to be an option to _disable secure boot_
again: my comment, was about the wording of that statement. (Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows )
that's it. the statement is intentionally worded to make it sound as though microsoft will not enforce any restrictions, while actually saying they can enforce any restrictions on any hardware that uses secureboot and windows. i was wrong to say WILL, when CAN is the length of reason - however it's not far off to assume they WILL enforce control should it suit their interests.
as i said, you had a canned response that actually had no bearing on my post. but because you didn't take the time to read my post you missed that. you also seem to have a hard time admitting that, and so continue to argue with me about things i did not say, or what you think i do not know (though both times i have shown i stated it before you).
and no THEY CAN'T ENFORCE SHIT. Microsoft does NOT have any control over UEFI; at best all they could do would be to change the windows boot loader to be incompatible with GRUB or whatever
you seem to be under the impression that Microsoft has direct control over what is signed and NOT signed by UEFI. they don't, uEFI.org DOES.
All Microsoft can do is supply a kms/cert and say "here you go, here are the keys for windows 8, use these for the authentication of the boot loader; else no windows 8 certification for you" > require the user to turn "secure boot" off to boot unsigned code. also, since a lot of UEFI based boards have embedded Linuxes, the chance of UEFI NOT supporting GRUB on boards running THEIR firmware is low to nonexistent. either way microsoft has no direct control over what UEFI.org signs or doesn't sign