Welcome Guest.   Make a donation to an author on the site December 18, 2014, 08:14:34 PM  *

Please login or register.
Or did you miss your validation email?


Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.


You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
 
The N.A.N.Y. Challenge 2012! Download dozens of custom programs!
   
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: Windows 8 Secure Boot may lock out Linux  (Read 2984 times)
Edvard
Coding Snacks Author
Charter Honorary Member
***
Posts: 2,643



View Profile Give some DonationCredits to this forum member
« on: September 22, 2011, 05:31:12 AM »

Well, not Linux specifically, but this certainly has the potential to put an end to dual-booting another OS with your off-the-shelf OEM Windows boxes.

From InterNetNews.com:
http://www.internetnews.c...boot-as-a-linux-risk.html
Quote
Microsoft's next major OS is set include a secure boot. The system will prevent any executable from loading unless they are signed by a specific set of keys. The problem with that is non-key signed executable - say Linux - might not be able to put on a piece of hardware that has been built for Windows.

That's a problem.

From the source:
http://mjg59.dreamwidth.org/5552.html
Quote
The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys.
...
A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

o_O
Logged

All children left unattended will be given a mocha and a puppy.
40hz
Supporting Member
**
Posts: 11,058



see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #1 on: September 22, 2011, 07:47:58 AM »

Wonder what's next?

Right now, OEM license copies of Windows and Office can only (legally) be installed on the PC they shipped with.

Wonder how long will it be before some of the PC manufacturers start getting leaned on to add their own license clause that says their hardware is only for use with a Microsoft operating system? And that  jaillbreaking will void the warranty.

It worked for Apple.

Those that decline will have to pay a significantly higher price for their Windows licenses since Microsoft can argue any larger OEM discount is what they're 'paying' the hardware people for their help in "promoting" Windows.

 smiley



Logged

Don't you see? It's turtles all the way down!
Carol Haynes
Waffles for England (patent pending)
Global Moderator
*****
Posts: 7,958



see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #2 on: September 22, 2011, 08:16:51 AM »

Another nail in the Windows 8 coffin - it will also mean that you can't boot into USB, CD or DVD based utilities to fix problems when Windows 8 won't boot!

This is really worrying and should be made as public as possible as it means if something doesn't work the only option you have is to reinstall the OEM setup!

I am amazed that Apple have got away with this crap but I think the competition commission in Europe will jump on this from a great height.

Presumably Apple manage to get away with it because they ship their own hardware and OS.

MS do not make PCs so what they are saying is that other manfacturers have to lock their systems to MS products - that is the ultimate in anticompetitive behaviour!
Logged

zridling
Friend of the Site
Charter Member
***
Posts: 3,291


Linux captive

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #3 on: September 23, 2011, 01:37:56 PM »

Maybe Ballmer/Sinofsky think that by making Win8 more exclusive, more people will want it?

If Walmart was smart, it would set up a counter station in each electronics department just to sell computers.
(1)... "You want no OS? Here, take your machine and go."
(2)... "You want Windows installed? Give me $$$ and wait a few minutes, thank you!"

Under #1 they make pure profit off the hardware. Under #2 they make more money off of Windows customers. Win-win.
Logged

- zaine (on Google+)
steeladept
Supporting Member
**
Posts: 1,058



Fettucini alfredo is macaroni & cheese for adults

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #4 on: September 23, 2011, 01:58:14 PM »

Um...Did you guys miss that Hyper-V 3.0 is being included?  Sure you may not be able to dual boot traditionally, but you can still install it in it's own virtual machine.  What's more, depending on how they expose Hyper-V, you will be able to switch between the two on the fly and get native or near native performance from the OS.  The only argument I can see here is Carol's about using some sort of rescue CD - but then you should just be able to boot into a different VM anyway.  Indeed, the VM could be your rescue CD.  The only time these wouldn't work is if Hyper-V is borked, but then it isn't a Windows 8 issue anyway at that point.
Logged
40hz
Supporting Member
**
Posts: 11,058



see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #5 on: September 23, 2011, 04:19:34 PM »

Um...Did you guys miss that Hyper-V 3.0 is being included?  Sure you may not be able to dual boot traditionally, but you can still install it in it's own virtual machine.

Nope. The Linux world didn't miss it either.  Wink

Microsoft has no problem with Linux running under Windows - where it will basically just be another application.. That's why they've been contributing so much code lately. Almost all of it is to allow Linux to run better under Windows.

We're actually all waiting for the footnote on the ads to say something like:

AND if your business is using applications written for Linux. Microsoft Windows is now the perfect HOST SYSTEM for running them on...

Yeah. Swell. Just everybody buy your own copy of Windows and Microsoft will be cool with you running Linux on your PC. No need to even buy a separate license for all the IP Microsoft claims they could sue you for if they really wanted to... tongue

Logged

Don't you see? It's turtles all the way down!
steeladept
Supporting Member
**
Posts: 1,058



Fettucini alfredo is macaroni & cheese for adults

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #6 on: September 23, 2011, 05:37:58 PM »

Microsoft has no problem with Linux running under Windows
Except that Hyper-V is not Windows.  It is Microsoft, but it is the hypervisor that Windows runs *on* and could just as easily be XenServer or VMware ESXi (okay, XenClient and VMware doesn't have a client-side equivalent...yet).  Linux can run *on* it too.  In fact, it already does in many, many shops.  Linux is NOT running *on* Windows in this case, just with it.  (Unless you want to stretch the definition of Windows to be *any* OS that Microsoft creates) Cool
Logged
40hz
Supporting Member
**
Posts: 11,058



see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #7 on: September 23, 2011, 06:09:49 PM »

(Unless you want to stretch the definition of Windows to be *any* OS that Microsoft creates) Cool

I do.  Grin

Logged

Don't you see? It's turtles all the way down!
steeladept
Supporting Member
**
Posts: 1,058



Fettucini alfredo is macaroni & cheese for adults

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #8 on: September 23, 2011, 06:20:31 PM »

Well that makes it simple  Grin
Logged
Edvard
Coding Snacks Author
Charter Honorary Member
***
Posts: 2,643



View Profile Give some DonationCredits to this forum member
« Reply #9 on: September 24, 2011, 12:38:45 AM »

I have a theory...
It's obvious Microsoft REALLY wants to be in the phone and tablet business, viz. Windows 8.
But they can't beat Apple (the only competition as long as they keep ignoring Linux/Android) at their own game UNLESS they play the only card that would work... price.

If they can sell enough Windows 8 tablets at a loss or near-loss to undercut iPad sales, Secure Boot makes sure the Penguinistas don't snap them up and turn them into cheap Ubuntu tablets (which is EXACTLY what happened with all those HP Touchpads that went on fire sale for $99) and MS has their very own hardware-locked shiny shiny to impress shareholders with.

Simplistic, I know, but it seems crazy enough to be true...  huh
Logged

All children left unattended will be given a mocha and a puppy.
zridling
Friend of the Site
Charter Member
***
Posts: 3,291


Linux captive

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #10 on: September 24, 2011, 12:42:45 AM »

By locking (the Win8) OS to the hardware, they also get to prevent anyone from running an older version of Windows. Like Apple, maybe the only way to get Windows in the future will be to buy a new machine.
Logged

- zaine (on Google+)
40hz
Supporting Member
**
Posts: 11,058



see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #11 on: September 24, 2011, 07:35:34 AM »

Well...more information from Microsoft has come in. And the situation now looks to be even worse than was originally feared.

OSNews has just put up an  article: Microsoft Responds to Secure Boot Story, Doesn't Address Issue

Some highlights (emphasis added) from the article follow.

At first, it doesn't sound all that bad...

Quote
The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.

A short recap: if OEMs want to partake in the Windows 8 Logo Program (and they all want to), they will have to implement secure boot on all Windows 8 machines. Secure boot requires signing keys from either Microsoft or the OEMs themselves to be installed into the firmware - any binaries, drivers, or operating systems not signed by one of those signing keys will refuse to work on that machine.

Secure boot is part of UEFI, and in some cases, you will be able to go into UEFI and disable it. However, the fear is that OEMs will not include the option to disable it - there's enough historical precedence to assume this will be the case. Just look at any of the gazzilion crippled BIOS implementations out there today.

Microsoft tried to address this lingering, but potentially very problematic issue in a blog post today, but sadly, none of our concerns were addressed. Microsoft does not intend to mandate OEMs include the option to turn secure boot off (surprising!), which means OEMs are free to omit this option from their firmware implementations.

And this is exactly what some of them intend to do, according to Red Hat's Matthew Garrett in a response to Microsoft's blog post. "Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option," he notes on his own blog.

But then, the central problem is identified:

Quote
"Why is this a problem? Because there's no central certification authority for UEFI signing keys," Garrett explains, "Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's."

And then comes the kicker that shows how truly ingenious Microsoft can be when it comes to being devious by not directly requiring vendor participation. Much like the Captain Barbarossa's interpretation of the Pirate Code - "The code is more what you'd call "guidelines" than actual rules."

Quote
This could be disastrous for end users. They will lose considerable control over their own hardware if Microsoft gets its way. "The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality," Garrett details, "The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware."

This is going from merely potentially maybe kind of problematic into full-on dangerous. From what both Microsoft and Garrett have told so far, this seems like a perfect storm for Microsoft - they will essentially lock people into using Windows without actually doing any of the locking themselves; they're basically relying on the utter incompetence of OEMs. And let's face, three things in life are certain: death, taxes, and incompetent OEMs. This is so damn clever and diabolical I just can't help having some admiration for it.

Lovely!

Logged

Don't you see? It's turtles all the way down!
Carol Haynes
Waffles for England (patent pending)
Global Moderator
*****
Posts: 7,958



see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #12 on: September 24, 2011, 08:31:18 AM »

In the general OEM market place the shit won't hit the fan until 3 or 4 years down the line when customers start wanting to upgraded their hardware. The majority of customers I do upgrades for are Windows XP and Windows Vista users. Windows 8 users are going to be thoroughly pissed off in a few years time when they need to add a USB expansion card or replace a graphics card or possibly even upgrade memory or hard disk if MS can lock them out.

I can understand the security advantage of this (and it will get Apple worried because they won't have such a big target to aim at in MS once hardware is locked down). I can also understand there is an economic argument for MS but why are the OEMs clamouring to do this - and not even offer the option of turning this ON (OFF should be the default)?

Next they will be shipping BIOSes with preinstalled admin passwords that only they have so that the BIOS is completely inaccessible.

They need to ensure all BIOSes have this as an OPTION - not mandatory.

Any business contemplating possible future shifts of loyalties are going to be very reluctant to buy into OEM machines!

Actually realistically how many hours do you think it will take before someone writes a utility to disable UEFI from within Windows? Or are MS going to insist that ALL binaries (including those of applications inside the OS) are only going to be allowed to run if they are signed?
Logged

Shades
Member
**
Posts: 1,696


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #13 on: September 26, 2011, 03:19:50 PM »

The shit already hits the fan when Microsoft decides to revoke the certificate your mainboard uses. Instant uselessness!

Talking about a hostage situation!
Logged
40hz
Supporting Member
**
Posts: 11,058



see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #14 on: September 26, 2011, 05:14:58 PM »

In the meantime Microsoft continues to sign deals with individual vendors where the Linux-based vendor is licensing IP Mocrosoft claims Linux is infringing on.

Apparently Microsoft has adopted a divide and conquer legal strategy where they're planning on getting enough vendors licensing from them that they can claim there's de facto industry recognition Linux is infringing on their IP without having to prove it in court.

In many ways, this is just a smarter version of the game SCO was playing.

Why do so many otherwise savvy people insist on kidding themselves Microsoft has suddenly decided to play nice?


« Last Edit: September 26, 2011, 06:02:16 PM by 40hz » Logged

Don't you see? It's turtles all the way down!
Pages: [1]   Go Up
  Reply  |  New Topic  |  Print  
 
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register  

DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF
[ Page time: 0.289s | Server load: 0.19 ]