Author Topic: No way out? SecureBoot's latest wrinkle for non-Windows users.  (Read 11908 times)

40hz

Matthew Garrett's blog recently posed an interesting new concern (emphasis added) regarding Secure Boot (Link here.):

Secure Boot isn't the only problem facing Linux on Windows 8 hardware
May. 28th, 2013 05:20 pm

mjg59

There's now no shortage of Linux distributions that support Secure Boot out of the box, so that's a mostly solved problem. But even if your distribution supports it entirely you still need to boot your install media in the first place.

Hardware initialisation is a slightly odd thing. There's no specification that describes the state ancillary hardware has to be in after firmware→OS handover, so the OS effectively has to reinitialise it again. This means that certain bits of hardware end up being initialised twice, and that's slow in some cases. The most obvious is probably USB, which has various timeouts as you wait for hardware to settle. Full USB support in the firmware probably adds a couple of seconds to boot time, and it's arguably wasted because the OS then has to do the same thing (but, thankfully, can at least do other things at the same time). So, looking for USB boot media takes time, and since the overwhelmingly common case is that users don't want to boot off USB, it's time that's almost always wasted.

One of the requirements for Windows 8 certified hardware is that it must complete firmware initialisation within a specific amount of time, something that Microsoft refer to as "Fast Boot". Meeting these requirements effectively makes it impossible to initialise USB, and it's likely that certain other things will also be skipped. If you've got a USB keyboard then this obviously means that your keyboard won't work until the OS starts, but even i8042 setup takes time and so some laptops with traditional PS/2-style keyboards may not set it up. That means the system will ignore the keyboard no matter how much you hammer it at boot, and the firmware will boot whichever OS it finds.

For a newly purchased device, that's going to be Windows 8. It's not too much of a problem with a fully installed Windows 8, since you can hold down shift while clicking the reboot icon and get a menu that lets you reboot into the firmware menu. Windows sets a flag in a UEFI variable and reboots the system, the firmware sees that flag and does full hardware initialisation and then drops you into the setup environment. It takes slightly longer to get into the firmware, but that's countered by the time you save every time you don't want to get into the firmware on boot.

So what's the problem? Well, the Windows 8 setup environment doesn't offer that reboot icon. Turn on a brand new Windows 8 system and you have two choices - agree to the Windows 8 license, or power the machine off. The only way to get into the firmware menu is to either agree to the Windows 8 license or to disassemble the machine enough that you can unplug the hard drive[1] and force the system to fall back to offering the boot menu.

I understand the commercial considerations that result in it ranging from being difficult to impossible to buy new hardware without Windows pre-installed, but up until now it was still straightforward to install an alternative OS without agreeing to the Windows license. Now, installing alternative operating systems on many new systems will require you to give up certain rights even if you want nothing other than to reach the system firmware menu.

I'm firmly of the opinion that there are benefits to Secure Boot. I'm also in favour of setups like Fast Boot. But I don't believe that anyone should be forced to agree to a EULA purely in order to be able to boot their own choice of OS on a system that they've already purchased.

[1] Which is a significant and probably warranty-voiding exercise on many systems, and that's assuming that it's not an SSD soldered to the motherboard…


Apparently this will also eliminate the right to request a refund for any unused and unwanted copies of Windows that come pre-installed on most PCs. Because the catch always used to be you couldn't agree to the EULA or start the setup if you were going to ask for a credit. You had to install an alternate OS before you ever booted into Windows at all to qualify.

UEFI/Secure Boot apologists can rationalize this to their heart's content. This is still Microsoft we're talking about. Which means the nonsense is never going to stop until Redmond, like the petulant child it is, gets its own way.
 :-\

« Last Edit: May 29, 2013, 09:07 AM by 40hz »
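
The flag described in the quoted blog post (the OS sets a UEFI variable, the firmware sees it and enters setup) corresponds to the `OsIndications` variable in the UEFI specification. The following is an added example, not part of the original thread or the blog post: Python code that reads that flag and the Secure Boot state from Linux efivarfs. `firmware_report` and `write_sample` are hypothetical helper names, and the sample blobs are constructed.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point
BOOT_TO_FW_UI = 0x1  # EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit

def split_efivar(blob):
    """Split an efivarfs file into (attributes, data): 4-byte LE attributes, then data."""
    if len(blob) < 4:
        raise ValueError("truncated efivarfs blob")
    return struct.unpack_from("<I", blob)[0], blob[4:]

def read_var(name, root=EFIVARS):
    """Return a global variable's data bytes, or None if it is absent or unreadable."""
    try:
        return split_efivar((Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes())[1]
    except OSError:
        return None

def as_u64(data):
    """Decode a UINT64 variable; an absent variable means no bits are set."""
    if data is None:
        return 0
    if len(data) != 8:
        raise ValueError("expected 8 bytes")
    return struct.unpack("<Q", data)[0]

def firmware_report(root=EFIVARS):
    """Summarise Secure Boot state and the boot-to-firmware-UI flag."""
    return {
        "secure_boot": read_var("SecureBoot", root) == b"\x01",
        "setup_mode": read_var("SetupMode", root) == b"\x01",
        "fw_ui_supported": bool(as_u64(read_var("OsIndicationsSupported", root)) & BOOT_TO_FW_UI),
        "fw_ui_requested": bool(as_u64(read_var("OsIndications", root)) & BOOT_TO_FW_UI),
    }

def write_sample(root):
    """Constructed sample: Secure Boot on, firmware UI supported but not requested."""
    samples = {"SecureBoot": "0600000001", "SetupMode": "0600000000",
               "OsIndicationsSupported": "060000000100000000000000"}
    for name, hexblob in samples.items():
        (Path(root) / f"{name}-{EFI_GLOBAL}").write_bytes(bytes.fromhex(hexblob))

if __name__ == "__main__":
    print(firmware_report())
```

On a system booted via UEFI, run it as a user able to read efivarfs; on a BIOS-booted system, where the directory does not exist, every field is False.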

TaoPhoenix

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #1 on: May 29, 2013, 10:04 AM »
Yeah, that's the strange thing about MS these days - they flip flop between their new baffling decisions (like much of what went into Windows 8 and the Metro meme at all), and stuff like this which harks back to their old style sneakiness.

Tinman57

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #2 on: May 29, 2013, 08:13 PM »
  And one of the biggest reasons why I'm going to Penguin-land.  I've had it with MS's BS.  I will keep XP as a secondary boot just for all my software and games.....

40hz

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #3 on: May 29, 2013, 08:38 PM »
> And one of the biggest reasons why I'm going to Penguin-land.  I've had it with MS's BS.

Which Microsoft has anticipated and is now trying to proactively make as difficult as possible going forward.
 :-\

f0dder

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #4 on: May 30, 2013, 07:32 AM »
> Which Microsoft has anticipated and is now trying to proactively make as difficult as possible going forward.
>  :-\
Hm, "fast boot" being done deliberately to foil entering the firmware? That sounds a bit too tinfoil-hatty.

i8042 setup takes very, very, very, very, very, very, very little time. But if the built-in mouse/keyboard is really USB HID devices emulating i8042, the story is different.
- carpe noctem

40hz

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #5 on: May 30, 2013, 08:51 AM »
> Hm, "fast boot" being done deliberately to foil entering the firmware? That sounds a bit too tinfoil-hatty.

I think this particular USB issue is probably more in the nature of an "unexpected benefit" rather than a deliberate design. At least at this point. But I still wouldn't put it past Microsoft. I've dealt with them since the days of DOS. And one thing I have learned is not to underestimate their aggressiveness or willingness to push the envelope of acceptable behaviour when it comes to selling software.

Of course, now that this has been pointed out, it will be interesting to see how fast (or if) they fix it. Passive-aggressive responses have served Microsoft almost as well as their all too frequent stonewalling has. My guess is they won't fix or change their fastboot 'requirement' to accommodate any objections.

And why should they? This is a company that routinely thumbs its nose at national governments, regulatory agencies - and frequently ignores court judgements that go against it. Bill Gates used to openly state his goal for Microsoft was to be an absolute monopoly in which every computer on the planet was running Microsoft software. Eventually he learned that smart CEOs don't use the "M" word in public. But the fact he no longer said 'monopoly' didn't change the company's attitude or goal.

Tinfoil hat? No...I don't think so. Not if you've paid attention for around the last ten years to what’s been going down in the tech world.  And especially not when it comes to Microsoft.

[image: relax.jpg]
 8)
« Last Edit: May 30, 2013, 09:01 AM by 40hz »

Tinman57

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #6 on: May 30, 2013, 07:19 PM »
> > Which Microsoft has anticipated and is now trying to proactively make as difficult as possible going forward.
> >  :-\
> Hm, "fast boot" being done deliberately to foil entering the firmware? That sounds a bit too tinfoil-hatty.

  Perhaps you should consider a tinfoil hat yourself considering this isn't the first time that MS has monopolized the system.  If you look at their history it's loaded with this kind of thing time and time again.  Many governments have gone after them time and time again for this kind of crap, and they just roll out a new plan if they fail.  This new fastboot scheme seems to be the legal loophole they've been looking for.  I'm not blindly following MS this time around, they can keep Windows and all their built-in monopolizing hardware and software.

Edvard

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #7 on: June 01, 2013, 08:51 PM »
OK, so let's put boots on the ground.  I'm looking to do an upgrade before the year is out.  Do I wait in hopes that this crap gets dealt with soon?  If I were to buy a computer tomorrow and want to install Linux on it, what are my REAL options?  I've read the articles about self-signing, running shim, etc., ad nauseam, but the situation seems to change weekly.  I know for a fact I will not be buying a pre-built machine, so the real question is, what can I expect when I put my install disc in the new computer I just built from parts?  What if I go back on my vows and grab an amazingly cheap deal on a great system when Best Buy has them on clearance? (this actually happens fairly frequently...).  Or is the sky not really falling?
 :huh:

f0dder

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #8 on: June 02, 2013, 03:45 PM »
> I know for a fact I will not be buying a pre-built machine, so the real question is, what can I expect when I put my install disc in the new computer I just built from parts?
No problems whatsoever - and you don't need to enable SecureBoot if you don't feel like using it.
- carpe noctem

40hz

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #9 on: June 02, 2013, 03:58 PM »
+1

Shouldn't be an issue with homebrew PCs. The mobo manufacturers aren't so stupid as to get caught up in that game. Prebuilt PCs may or may not be a problem. It all depends on the manufacturer and how tied in with Microsoft they are for the reasons originally given. As f0dder pointed out, you're not required to enable SecureBoot. And if you're not dual-booting with Windows, you wouldn't want to anyway. At least not until Linux starts to use it in a fair and open manner.

(Which leaves out Ubuntu btw!) ;D

Edvard

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #10 on: June 02, 2013, 09:00 PM »
OK, that's what I thought, although I was hoping to take advantage of all the good things UEFI was supposed to bring to the table.  Whatevs.  :-\

Stoic Joker

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #11 on: June 03, 2013, 06:40 AM »
> Apparently this will also eliminate the right to request a refund for any unused and unwanted copies of Windows that come pre-installed on most PCs. Because the catch always used to be you couldn't agree to the EULA or start the setup if you were going to ask for a credit. You had to install an alternate OS before you ever booted into Windows at all to qualify.

Just out of curiosity ... On a typical OOBE first boot the system goes straight to an accept the EULA page...what happens if the user simply selects no to reject the agreement? I've never thought to try it - But does/will/can the system then unclench?

Edvard

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #12 on: June 03, 2013, 07:47 AM »
According to the article, no.  It simply shuts down and if you restart, it comes back to the EULA page again.

f0dder

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #13 on: June 03, 2013, 08:10 AM »
> OK, that's what I thought, although I was hoping to take advantage of all the good things UEFI was supposed to bring to the table.  Whatevs.  :-\
UEFI doesn't mandate SecureBoot.
- carpe noctem

40hz

Re: No way out? SecureBoot's latest wrinkle for non-Windows users.
« Reply #14 on: June 03, 2013, 02:43 PM »
> > OK, that's what I thought, although I was hoping to take advantage of all the good things UEFI was supposed to bring to the table.  Whatevs.  :-\
> UEFI doesn't mandate SecureBoot.

No. Secure Boot is purely a Microsoft initiative and mandated by Microsoft for any PC that wants one of these stuck on it:

[image: "Certified for Windows 8" sticker]

Which is to say virtually every consumer and business PC manufacturer's box.  :-\

Conspiracy theorists maintain that Microsoft first got behind UEFI in response to industry interest in Coreboot and then began twisting arms to force their own implementation of Secure Boot (a separate thing from UEFI) into the mix. Coreboot, by contrast, is an open initiative which does much the same thing as UEFI - except it's not controlled by a few industry heavyweights with an agenda to shut out the competition.

I used to be a little sceptical Microsoft would actually be trying to do that since it would be a little too obvious if they were. In the wake of several things which have followed however, I'm now convinced that is exactly what they're trying to do.