It's official - Linux Foundation Secure Boot System Released

Josh:
OK, so I am coming into this cold but.....What exactly is Microsoft's role in UEFI? From what I am reading, it sounds like the UEFI has been around for a while and that the standard has been known...It sounds like Microsoft is requiring UEFI be turned on by default to have the "Windows 8 certified" logo applied. Now, since most users will not care to install anything else, I fail to see this becoming a problem. For those who are more tech savvy and want to install an alternative OS on the system, the issue will have to be known that they are buying a "Windows 8 certified" system, and as such, will have to load a private key into the firmware to install an alternative OS. It does not seem that this is intended to lock users in, but instead serve as a way to progress forward past the traditional BIOS.

In the end, I think techy users will still be able to do what we do, and regular users will still be able to do what they do. Is there more to the story that I am missing? I fail to see the issue here...It sounds like Microsoft is forcing the alternative OSes (read: Linux) to progress forward...Yes, there is coreboot, but like Linux, there are dozens of alternatives to every one solution that is attempted to be set up as a "standard". I guess that is one of the problems of having such a diverse system.

40hz:
@Josh - Microsoft is not doing anything to make Linux "progress" forward. There's been serious discussion in the Linux world to go beyond BIOS for some years now. And several initiatives have been proposed, the best of which was coreboot. Coreboot can do what UEFI/SecureBoot does. And it's been around longer.

The big difference is that coreboot is a true open standard whereas UEFI is not. UEFI's board is composed of nine of the most closed-system oriented businesses out there. And, with the exception of Apple (who is also on the board) all are exceedingly Windows friendly. There is NO open software representation anywhere on the board. A curious omission when you consider the huge number of servers running Linux - as well as the slow but steady growth of Linux desktops in municipal government circles.

The other problem is, because of its size, Microsoft and Microsoft signed keys are currently the only viable way of dealing with SecureBoot for the vast majority of PC users. And while the key signing process is supposed to be fair and open to all, Microsoft has introduced several unnecessary hoops you'll need to go through to get one if you don't use Microsoft software.

There's a write up here about why RedHat compromised and went along with what was required to obtain a Microsoft signed key.

In the wake of criticism and the potential for legal actions, Microsoft has since "clarified" (as in backed off on some of the hints and insinuations) of what was causing concern in the above article. I'll leave it to others to argue about whether that partial "clarification" was - or wasn't - in response to some of the pushback being felt.

But that is of no consequence to the rest of the article which explains why, from an average end-user experience perspective, most OS creators will be virtually forced to go along and do it Microsoft's way.

And considering what the Linux Foundation recently went through to get theirs, it doesn't seem like Microsoft is about to back down any on that score.

Microsoft's official role in UEFI is that it sits on the board. But if you're asking what Microsoft's functional role is - they're the 800-pound gorilla in the room that's currently calling most of the shots.

f0dder:
What exactly is Microsoft's role in UEFI? From what I am reading, it sounds like the UEFI has been around for a while and that the standard has been known...-Josh (February 10, 2013, 02:19 PM)
--- End quote ---
Right, so...

It all started with EFI, which was Intel's replacement for BIOS for their Itanium systems back in the late nineties. This was later evolved into UEFI, and while the EFI spec is owned exclusively by Intel, the UEFI spec is handled by a cartel of the big boys. To give a hint at how important Microsoft is in that group, consider the fact that the executable format chosen is Microsoft Portable Executable (i.e., the format of Windows .exe and .dll files).

It sounds like Microsoft is requiring UEFI be turned on by default to have the "Windows 8 certified" logo applied.-Josh (February 10, 2013, 02:19 PM)
--- End quote ---
You can do UEFI without Secure Boot; but in order for vendors to get the Win8 certified logo, they have to enable Secure Boot. With Microsoft's master key. The implications of this have been discussed to death in other threads, and there's craploads of FUD around. But even when ignoring the FUD and sticking to facts, this is problematic.

In the end, I think techy users will still be able to do what we do, and regular users will still be able to do what they do. Is there more to the story that I am missing?-Josh (February 10, 2013, 02:19 PM)
--- End quote ---
While Win8 cert requires that the end-user can disable Secure Boot (iirc it doesn't require that the UEFI has key management, just that you can turn off SB...), there's no guarantee that this will continue to be a requirement on Win9 or Win10 or a bit further down the road. Good ol' slippery slope... and I honestly don't have a lot of faith in Microsoft. Yes, they'd probably end up with antitrust lawsuits if they tried to pull that stunt, but they could do a lot of damage to the PC ecosystem before those suits are settled.

See what I'm saying? I'm still confused about some of this and I'm not exactly an amateur when it comes to either Linux or Windows. And you would probably blow my doors off on most of this when it comes to the real hardcore tech - yet even you still have questions.
-40hz (February 10, 2013, 01:58 PM)
--- End quote ---
How many "regular users" install Linux by themselves? I honestly don't see key enrollment as a problem - and it's only necessary if you don't want the current compromise of bootloaders signed by Microsoft (which I do find somewhat problematic, it's too much power in the hands of a non-neutral party).

What I do find problematic is the "tiny little detail" about key management features not being mandatory. Haven't seen any prebuilt "ready for windows 8" systems, so I don't know what the status of their UEFI setups are - can only comment on my own motherboards, which do offer the full key management bonanza. (I think large parts of UEFI implementations are going to be the Intel UEFI Standard Base, so at least key management UI might have some de facto standard :)).

So there are bigger factors at play behind some of this direction the new PC design is going in... And it's not mere paranoia or "FUD swallowing" should you start noticing it...-40hz (February 10, 2013, 01:58 PM)
--- End quote ---
Oh, I agree about that - as I've stated multiple times, I'm wary & weary.

I just feel that a fair amount of people on the interwebs either focus on things that are non-issues, or simply spread FUD... which isn't very helpful. And it's kinda silly, since there's enough pretty problematic stuff even if you stick with the facts.

Edvard:
...or enroll your own key in the firmware.
-f0dder (February 10, 2013, 10:35 AM)
--- End quote ---

 :huh:
So, you're saying we can make up our own key and plug it in?  It can't be that simple, this would have been over by now...

f0dder:
So, you're saying we can make up our own key and plug it in?  It can't be that simple, this would have been over by now...-Edvard (February 10, 2013, 05:29 PM)
--- End quote ---
Well, it isn't that simple - for a couple of reasons.

1) there's no guarantee that all UEFIs will provide key management; for Win8 cert it's only a requirement that SecureBoot can be turned off. (Or, well, see the somewhat muddy quote below).
2) there's no guarantee certification for future Windows versions will require this flexibility... although dropping it would probably result in antitrust, even if MS tries to pull a "it's up to the OEMs".
3) UEFI tooling (the bootloaders as well as all the signing stuff) is still very early days - and there's buggy UEFI implementations out there (*cough* Samsung *cough*).

There's a bit more information in this post, including a link to the Windows 8 certification requirements.

page 121, section 17.a:
It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.-Windows 8 System Requirements
--- End quote ---
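
Added example, not part of the thread or any poster's code: a read-only check of the state the quoted requirement describes, using the `SetupMode` and `SecureBoot` variables and the four key stores (PK, KEK, db, dbx) as Linux exposes them through efivarfs. The variable names and GUIDs are those defined by the UEFI specification; the function names and the constructed sample directory are assumptions made here so the check runs offline.

```python
import os
import tempfile

# GUIDs defined by the UEFI specification
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"       # PK, KEK, SecureBoot, SetupMode
IMAGE_SECURITY = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # db, dbx
KEY_STORES = {"PK": EFI_GLOBAL, "KEK": EFI_GLOBAL,
              "db": IMAGE_SECURITY, "dbx": IMAGE_SECURITY}

def read_var(root, name, guid):
    """Return a variable's payload (b'' if absent); efivarfs prepends 4 attribute bytes."""
    try:
        with open(os.path.join(root, f"{name}-{guid}"), "rb") as f:
            return f.read()[4:]
    except OSError:
        return b""

def secure_boot_state(root="/sys/firmware/efi/efivars"):
    """Classify the firmware state from SetupMode/SecureBoot and the key store sizes."""
    setup = read_var(root, "SetupMode", EFI_GLOBAL)[:1] == b"\x01"
    enforcing = read_var(root, "SecureBoot", EFI_GLOBAL)[:1] == b"\x01"
    sizes = {n: len(read_var(root, n, g)) for n, g in KEY_STORES.items()}
    if setup:
        mode = "setup mode: no PK enrolled, keys can be enrolled"
    elif enforcing:
        mode = "user mode: Secure Boot enforcing"
    else:
        mode = "user mode: Secure Boot switched off"
    return {"mode": mode, "setup": setup, "enforcing": enforcing, "store_bytes": sizes}

def write_constructed_vars(root, setup, enforcing, enrolled):
    """Build a constructed efivarfs-like directory (hypothetical sample data)."""
    def put(name, guid, attrs, payload):
        with open(os.path.join(root, f"{name}-{guid}"), "wb") as f:
            f.write(attrs.to_bytes(4, "little") + payload)
    put("SetupMode", EFI_GLOBAL, 0x06, bytes([setup]))
    put("SecureBoot", EFI_GLOBAL, 0x06, bytes([enforcing]))
    for name, guid in KEY_STORES.items():
        if name in enrolled:   # a cleared store has no file at all
            put(name, guid, 0x27, b"\x00" * 64)   # placeholder for a signature list

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_constructed_vars(d, setup=1, enforcing=0, enrolled=())   # after "clear all"
        print(secure_boot_state(d))
        write_constructed_vars(d, setup=0, enforcing=1, enrolled=("PK", "KEK", "db", "dbx"))
        print(secure_boot_state(d))
    if os.path.isdir("/sys/firmware/efi/efivars"):
        print(secure_boot_state())                                      # the live machine
```

A machine that reports user mode with Secure Boot switched off still has its key stores populated, which is the "turn off SB" case from the thread rather than the cleared-databases case in the quoted requirement.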
