Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot

Soulskill posted more than 2 years ago | from the putting-out-fires dept.

Microsoft 389

CSHARP123 writes "A few days ago, Red Hat employee Matthew Garrett speculated that OEM machines shipping with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft's new Secure Build OEM requirements for Windows 8 systems. Microsoft chose to directly respond to confusion surrounding Windows 8's use of the UEFI Secure Boot feature on Thursday. Tony Mangefeste of Microsoft's Ecosystem team said, 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"


Translation (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#37490080)

"Consumers should run Windows, and they should not have any ability to boot up anything else. 'Enterprise' users who can afford to pay more should have more choice."

That is the only way I can see this playing out. What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?

Re:Translation (1)

Rich0 (548339) | more than 2 years ago | (#37490108)

Well, more like:

"Vendors should provide a simple and standard way that lets us get our OS on any PC out there. Others are welcome to come up with vendor-specific hacks or negotiate with every vendor out there as they wish. You see, we're a monopoly so they come to us and we tell them what to do, and good luck competing with that..."

Re:Translation (5, Insightful)

JamesP (688957) | more than 2 years ago | (#37490198)

No, the problem is:

BIOS vendors are complete idiots

"EFI" vendors are the same guys

It's a crapfest of proprietary extensions, NIH syndrome and a million ways to change monitor brightness. And of course it's only tested on the latest Windows version, well, because...

Of course, Intel is to blame with the whole ACPI mess and looseness. Typical engineer mentality: a standard that standardizes nothing.

Really, Intel and AMD should join forces in this: Make 'to change monitor brightness write a value from 0 (darker) to 0xff (brighter) to register 0xABC PERIOD'. "but but but", "I SAID PERIOD".

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490298)

5: n=10
10: We have n standards to do 1 thing, but the standards don't play nice.
20: We need to make 1 standard for 1 thing, none of the existing ones fit the bill.
30: We have n+1 standards to do 1 thing, but the standards don't play nice.
40: n=n+1
50: goto 10

Re:Translation (1)

Anonymous Coward | more than 2 years ago | (#37490344)

Or, more succinctly, the relevant XKCD comic [xkcd.com].

Re:Translation (5, Interesting)

TheRaven64 (641858) | more than 2 years ago | (#37490404)

NIH syndrome

NIH is the reason why UEFI exists at all. OpenFirmware already existed, had several independent implementations (including some open source ones), and was a free standard that anyone could implement. So Intel made a new 'standard' that is a crappy copy of OpenFirmware.

Re:Translation (-1, Flamebait)

Culture20 (968837) | more than 2 years ago | (#37490602)

And Apple switched from OpenFirmware to EFI. Thanks for leading the way, Apple!

Re:Translation (1)

JamesP (688957) | more than 2 years ago | (#37490810)

Exactly

This is a mixture of corporate greed and engineering mentality of NIH syndrome

And of course, vendors took ages to implement UEFI, MS took ages to boot from UEFI, etc, etc

Re:Translation (5, Informative)

diegocg (1680514) | more than 2 years ago | (#37490644)

ACPI was not designed by Intel alone, Microsoft was also there. And let's remember what Microsoft tried to do [slated.org]:

From: Bill Gates
Sent: Sunday, January 24, 1999 8:41 AM
To: Jeff Westorinon; Ben Fathi
Cc: Carl Stork; Nathan Myhrvold; Eric Rudder
Subject: ACPI extensions

One thing I find myself wondering about is whether we shouldn't try and make the "ACPI" extensions somehow Windows specific.

It seems unfortunate if we do this work and get our partners to do the work and the result is that Linux works great without having to do the work.

Maybe there is no way to avoid this problem but it does bother me.

Maybe we could define the APIs so that they work well with NT and not the others even if they are open.

Or maybe we could patent something related to this.

Re:Translation (1)

HJED (1304957) | more than 2 years ago | (#37490276)

This would also damage backwards compatibility with older versions of Windows, more likely you will have to change a BIOS setting to turn it off or get annoying messages (such as when you access a website with a self-signed SSL cert.) when you try to boot anything other than Windows 8. So it's bad, but not that bad.

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490370)

Durr. There will be no BIOS. This is all about replacing it with something else.

Re:Translation (2)

DJRumpy (1345787) | more than 2 years ago | (#37490494)

This appears to be strictly feature driven by UEFI, and Win 8 supports this secure 'feature'. This functionality was apparently in UEFI all the time but not supported in Windows. What this appears to be saying is that your motherboard (or PC manufacturer as the case may be) will be able to decide just how locked down your EFI is in regards to 'allowed' boot loaders. Windows doesn't have much to do with it other than opting in to that additional security. I'm guessing this was done to try and avoid rootkits?

From TFA:

Quick summary
UEFI allows firmware to implement a security policy
Secure boot is a UEFI protocol not a Windows 8 feature
UEFI secure boot is part of Windows 8 secured boot architecture
Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490124)

Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.

Re:Translation (2)

Chrisq (894406) | more than 2 years ago | (#37490176)

Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.

The reaction from slashdotters who want to run Linux might not be representative of their market.

Re:Translation (5, Insightful)

GordonBX (1059078) | more than 2 years ago | (#37490194)

Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.

Of course you're right.

That's exactly what has happened with mobile phones. (cough).

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490718)

Came here to say this, someone mod this guy up.

Re:Translation (1)

lseltzer (311306) | more than 2 years ago | (#37490130)

If there's a demand for it some OEMs will satisfy the demand. This is pretty obvious actually.

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490408)

Not true. OEMs circumventing Microsoft desires will soon lose their special Windows licensing deal prices. It's illegal, but MS legals have worked out a way around it using different terms, but the net result is identical. No OEM is going to cut into their slim margins to satisfy 0.001% of their customers who want to install Linux or BSD.

Re:Translation (3, Insightful)

LWATCDR (28044) | more than 2 years ago | (#37490792)

The OEMs for the most part will make it a user option for a simple reason.
A lot of people when Windows 8 comes out will want to keep Windows 7. If they have an install disk and it doesn't work there will be hell to pay.
Right now the UEFI folks are all going to be putting in an option to turn it off. Intel will without a doubt have that option in all of their reference motherboards which is what a lot of the OEMs use.
ASUS will put in that option as well.

The problem will be when at some point in the future someone has an old crappy Ultra book made by Ikkkiianu and wants to put Linux on it because Windows 9 doesn't work well on it and Windows 8 is too insecure.

Re:Translation (1)

icebraining (1313345) | more than 2 years ago | (#37490138)

What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?

Those who don't want to lose business to the ones who don't charge more?

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490168)

if that actually worked a lot of things would be cheaper already

Re:Translation (1)

icebraining (1313345) | more than 2 years ago | (#37490442)

Depends on the competition. PCs are very cheap already and the manufacturers have very low margins. Seems to be working OK.

Re:Translation (0)

Anonymous Coward | more than 2 years ago | (#37490668)

You have a very odd definition of 'working OK'.

See IBM, Dell, HP.

Re:Translation (1, Flamebait)

MrHanky (141717) | more than 2 years ago | (#37490178)

Is that so? Practically all OEMs force a Windows license on you, and have done so since forever (1995), as that's more profitable for them. None of them cares whether you actually use it, and I see no reason why they should start now.

I say you're a shit translator.

Re:Translation (1)

daid303 (843777) | more than 2 years ago | (#37490274)

http://www.computerland.nl/ [computerland.nl] has been selling machines without OS for years. They have a whole range of machines, just just 1 for the linux guys. They'll assume you pirate windows or install Linux. And they'll happily sell you windows if you ask for it. They also have shops in all parts of the Netherlands, so they are not just some small single location store.

Re:Translation (4, Insightful)

MrHanky (141717) | more than 2 years ago | (#37490820)

I'm well aware of how to buy computers, thank you very much. I'm just pointing out that forcing people to pay for Windows isn't new, and has fuck all to do with control. betterunixthanunix's "translation" is just a bunch of hyperbolic nonsense based on the theory that Microsoft will always be more evil than Satan himself, despite whatever the people at Microsoft claim themselves.

Of course, since this is Slashdot, facts are flamebait and paranoid fantasies are insightful.

Re:Translation (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37490184)

I'd honestly be more worried about the combination of pressure from Team DRM (sure, we'd be happy to make our "Inspired by Inspiron" new release film collection available for the right price; but look at all the vagabonds on your trusted keys list...) and the general OEM tendency toward a "least effort" model of firmware development, especially; but not exclusively, in consumer hardware.

There is a long, sordid, history of BIOSes being released that don't even work well enough to keep the spec sheet from being a lie, much less well enough to make using all the features actually safe and stable. Unless some sort of earthshattering magic happens, I'm guessing that UEFI development will go pretty much the same way. Since the product isn't done until Windows runs, Windows will work; but any additional keyfill systems will be a bit of an afterthought, unless specifically marketed as some kind of enterprise feature (in which case they'll be expensive and rather baroque...)

Re:Translation (0, Insightful)

Anonymous Coward | more than 2 years ago | (#37490252)

It would be the creators of boot loaders who would pay to get their boot loaders signed, not end-users, and the idea would be that it would only be the cost of validation.

There'd be no reason not to allow people to disable it, if they didn't mind running unsigned boot loaders (just like the TPM module can be disabled if you don't want it), but for the many people who will never have any need to run an unofficial/unsigned boot-loader this will prevent one of the more difficult classes of malware.

Basically you can think of this as letting companies use signatures for their websites; you need to pay a bit but people can be more confident as a result. Seems pretty reasonable to me (and why are we so eager to hang on to 80's BIOS tech anyway? This is one small part of the UEFI standard which will help keep things flexible, future-compatible, standardized and secure).

Re:Translation (2)

SuricouRaven (1897204) | more than 2 years ago | (#37490402)

Except that one of the requirements would probably be that the bootloader itself be incapable of running an unsigned kernel. Otherwise, the system would be trivial to bypass by simply having a signed GRUB load your malware image, and then have the malware image run the real OS. Much like how, for example, console makers will not sign keys for any game designed to be able to load and execute arbitrary code, as a signed program with that ability would defeat the point of signing.

Re:Translation (2)

GameboyRMH (1153867) | more than 2 years ago | (#37490524)

I saw it as "We're going to leave it up to the OEMs on what to do, just as we leave the choice of what OSes they sell up to them right now. They'll be completely free to choose whether to maintain exclusivity agreements with us which may require UEFI bootloader signing. See, it's not us, it's the OEMs. ^_^ "

Re:Translation (1)

DuckDodgers (541817) | more than 2 years ago | (#37490736)

Read up on rootkits. Some rootkits inject themselves into the boot process and get loaded before the operating system starts, and thus make it effectively impossible for the operating system to detect their presence. This UEFI secure boot process is an attempt to prevent that kind of rootkit from working. They describe it right there in the page, look at the Figure 2 diagram for current boot processes and the Figure 3 diagram for what UEFI secure boot does.

Google's Chromebook devices use the exact same feature, for the same reason. A rootkit that hijacks the boot process can run undetected in Linux, Solaris, Mac OS X, or FreeBSD just as well as it can in Windows, we're just fortunate that current rootkits mostly target Windows because there are more potential victims out there.

Admittedly Microsoft is not shy about working in its own best interests. I fully expect that some significant portion of the machines will ship with UEFI configured to make it effectively impossible to install any operating system other than the Microsoft operating system it received from the original equipment manufacturer. But the technology itself is not primarily aimed at blocking adoption of Linux, it's a true security feature. The next time you purchase a PC or motherboard, just make sure it can boot additional operating systems before you buy.

Useless response (3, Insightful)

Chrisq (894406) | more than 2 years ago | (#37490084)

Summary:
If the vendors don't provide a way to boot other systems it's not our fault!

Re:Useless response (1)

Anonymous Coward | more than 2 years ago | (#37490140)

In unrelated news;
Vendors which don't provide a way to boot other systems receive better pricing.

Re:Useless response (1)

GameboyRMH (1153867) | more than 2 years ago | (#37490680)

Agreed, little more than shifting blame to the OEMs.

They'll be free to maintain exclusivity agreements with MS which may require bootloader locking, or they can not sell any Windows PCs. If Klupendorf Computers in Switzerland is the last company on earth selling unlocked PCs at Alienware prices, well, tough luck, that's capitalism.

I warned you fucking Apple fanboys this would happen. Thanks a lot, douchebags.

Boo (0)

Anonymous Coward | more than 2 years ago | (#37490086)

MS

Hey Look! (0)

Anonymous Coward | more than 2 years ago | (#37490088)

They aren't being as ruthless as we thought. How thoughtful of the evil geniuses.

Just helps Apple... (1)

Anonymous Coward | more than 2 years ago | (#37490096)

Microsoft killed the Hackintosh for Apple! How nice of them.

translation (5, Insightful)

drinkypoo (153816) | more than 2 years ago | (#37490100)

"Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."

Re:translation (-1)

Anonymous Coward | more than 2 years ago | (#37490158)

Yeah, I've heard this kind of talk come out of you Linux fanboys for years and all of your doom and gloom predictions have turned out to be false. This one will be too. Yawn. Thanks for being a jack ass.

Re:translation (1)

GameboyRMH (1153867) | more than 2 years ago | (#37490806)

Yeah buncha Chicken Littles. After all their talk of doom and gloom about locked-down mobile devices, you can still buy open phones and tablets today. Not like their crazy cyberpunk dystopia where only a few devices could even be hacked to allow an open OS to be installed.

Empty promises? Hopefully not. (0)

Anonymous Coward | more than 2 years ago | (#37490110)

Let's hope that this isn't an empty promise. Also, Microsoft should learn from the Sony disaster. Let the geeks use their Linux and they won't try to attack your servers.

Re:Empty promises? Hopefully not. (2)

Chrisq (894406) | more than 2 years ago | (#37490150)

Let's hope that this isn't an empty promise

We're talking Microsoft here, you might as well hope that a leprechaun will bring you a pot of gold so that you can retire in never-never land and live happily ever after.

Who cares? (0)

X-Power (1009277) | more than 2 years ago | (#37490116)

Honestly...

Anyone who wants to use dualboot is not going to buy a DELL computer.

And anyone buying a DELL computer won't know what dualboot is, much less worry about it being locked out.

In other words (2)

Nimey (114278) | more than 2 years ago | (#37490136)

if the computer's locked down, blame the OEM, not us.

Re:In other words (1)

ThosLives (686517) | more than 2 years ago | (#37490236)

I think the general problem is the concept that the organizations with the ability to lock (and unlock) the resources are not the end-users, but the manufacturers.

It's the old tradeoff between responsibility and freedom: if computer users want "security" in their systems but don't want to be responsible for achieving that security (and instead give that responsibility to the hardware and software OEMs) then those users must by necessity give up some freedoms.

I think the issue here is that moves like this don't even give users the option to make the choice - the freedom (and responsibility) has been taken from them without their consent. I suppose there may be an argument for removing some freedoms for "the greater good" (for example, if people have the option to have an unsecured machine and they get malware, that will affect many other people not just that individual) but that, in my opinion, is a philosophically dangerous argument.

Re:In other words (2)

maxume (22995) | more than 2 years ago | (#37490724)

What are you talking about?

A motherboard or UEFI vendor can have a system giving the user the full ability to control the feature (a hardware switch, the ability to install new keys, etc), or they can only install Microsoft's keys and lock the user out. So it really matters what the actual practice ends up being, and it isn't at all clear what is going to happen.

It doesn't seem that likely to me that the various hardware vendors will shoot themselves in the feet by locking to Microsoft here (Microsoft won't bother with incentives, they are smart enough to know that won't fly with regulators).

Re:In other words (0)

Anonymous Coward | more than 2 years ago | (#37490660)

Why not, it's worked out well for Google and Android phones. The OEMs load uninstallable bloatware, lock down the bootloaders, screw with the code, add their own UIs, and delay or outright decide not to support OS updates. All while Google turns a blind eye and washes its hands of it. And the Fandroid zealots, erm excuse me I mean the "totally unbiased average users", defend them at every turn from even the slightest implication that Google could take a bit more responsibility all while screaming that the system is still totally open (you just have to exploit this security hole to get access) and Google is the bestest ever.

Microsoft's Customers (2)

jaminJay (1198469) | more than 2 years ago | (#37490164)

Are Microsoft's customers the OEMs, or consumers? If the former, what incentives would OEMs have to pass the decision on to consumers?

Re:Microsoft's Customers (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37490256)

"Consumers" are just cattle. Enterprise licensees, though, carry some clout.

This doesn't help much with cheap consumer systems, or all the various no-you-can't-just-build-one-from-newegg-parts tablets and laptops and other consumer gear; but it does largely ensure that "Enterprise" desktops, laptops, and servers will have some sort of keyfill mechanism, quite possibly offered at an additional cost...

Re:Microsoft's Customers (1)

jaminJay (1198469) | more than 2 years ago | (#37490456)

Looks like I'm going to have to start my own hardware company. With blackjack, etc.

Microsoft addresses concerns... (4, Insightful)

Anonymous Coward | more than 2 years ago | (#37490170)

...by confirming them. Microsoft's customers, the OEMs, will be free to decide who imports keys and how. That's what everybody has been worrying about, isn't it?

I see what you did there... (5, Insightful)

DontBlameCanada (1325547) | more than 2 years ago | (#37490182)

Nutshell summary after actually reading the TFA:
        "You can launch any operating system you like, but if you want to benefit from UEFI secure boot protection, you can only launch Windows 8."

From their screenshots and commentary, there doesn't appear to be any opportunity to add new "trusted" O/S images to their database. So even signing your secure Red Hat Enterprise Linux won't help you. If you want to use it, you need to turn the bootloader security checks off. The obvious implication, if you want MBR protection you must run Windows 8. Anything else opens the door.

Yup, Red Hat's take on the situation seems the most accurate.

Re:I see what you did there... (1)

Anonymous Coward | more than 2 years ago | (#37490510)

You can run any operating system you want, as long as it's black^H^H^H^H^HWindows.

Re:I see what you did there... (1)

Anonymous Coward | more than 2 years ago | (#37490526)

The blurb is in the comments made by a Microsoft employee:

UEFI provides the protocol and interfaces to update the databases. Windows 8 supports these new protocols to update the databases in firmware.

The database is in the firmware, not in Windows 8. Windows 8 will support the UEFI protocols necessary to manage that database, including importing new certificates.

You obviously can't make use of the UEFI secure boot functionality without having a signed boot loader and trusted certificate. That would be true regardless of Microsoft or Windows 8. Your choices there are to disable the functionality or to find a method through which you can sign and trust your environment. For Linux the solution appears to be to provide the tools to generate the certificates so that a distro or a self-compiled kernel can be signed and that certificate imported.

Re:I see what you did there... (0)

Anonymous Coward | more than 2 years ago | (#37490764)

How do you expect UEFI Secure boot to be secure if anybody who wants can make their boot considered secure?

Was there anything in the article that said only Microsoft was going to be considered secure and everything else would automatically be disallowed? My guess, it's up to the OEM and if it ever comes out that OEMs are locking out other OSs, there will be more antitrust lawsuits against Microsoft and possibly the OEM. I don't think they want that again.

didn't Stallman... (1)

Anonymous Coward | more than 2 years ago | (#37490218)

warn us about this years ago?

Re:didn't Stallman... (1)

Anonymous Coward | more than 2 years ago | (#37490508)

It wasn't exactly a brilliant insight... it's an obvious reality that most people know and understand.

Anyone can look at where we are heading and predict the bad shit that is coming down the road... it's much more of a challenge to actually stop it.

Re:didn't Stallman... (0)

Anonymous Coward | more than 2 years ago | (#37490518)

Can't be. As we all know he's an un-american communist-devil who tells nothing but lies about this thing he calls "freedom", yuck!

If you can't be bothered to RTF... (5, Informative)

neokushan (932374) | more than 2 years ago | (#37490224)

Just take a look at this image [msdn.com].

That's all you need to know.

In Summation: There is a genuinely good reason for enabling secure boot (malware prevention - genuine malware prevention, not just some underhand tactic that's masquerading as malware protection) and as long as your OEM isn't a dick, you should be able to disable it much like how you can disable features in your BIOS today. The decision to remove that ability is down to the OEM, not Microsoft.

Re:If you can't be bothered to RTF... (4, Interesting)

samjam (256347) | more than 2 years ago | (#37490270)

yes. Well put.

And I want secure TPM booting for my linux/GNU machines too.

I want a way to install my key, enabled by a physical key & mechanical switch to electrically enable the update operation to write my signing key.

Re:If you can't be bothered to RTF... (0)

Anonymous Coward | more than 2 years ago | (#37490426)

You can get anything you want you just have to be willing to pay for it.

Well I want Jodie Foster swallowing my 'hood (0)

Anonymous Coward | more than 2 years ago | (#37490684)

Oh, I guess I can't pay her enough to do that.

Alright, how about a version of Diablo 3 that doesn't require Steam? Dang, not even that?

Re:Well I want Jodie Foster swallowing my 'hood (1)

Rudeboy777 (214749) | more than 2 years ago | (#37490738)

Ask and ye shall receive! Diablo 3 doesn't require Steam!

Re:If you can't be bothered to RTF... (-1)

Anonymous Coward | more than 2 years ago | (#37490272)

This is slashdot, your facts have no place here! This is the place to dump on Microsoft and praise Google, step aside! We must tell everyone about the companies we love and those we hate, and f'ck anyone who disagrees!

Re:If you can't be bothered to RTF... (0)

Anonymous Coward | more than 2 years ago | (#37490420)

If you can disable secure boot with a BIOS setting then how is it providing any malware prevention at all? In order to install itself as boot block code the malware already has to circumvent the security of the OS, at which point it can do more or less anything it likes, including changing the BIOS setting so secure boot is disabled next time the machine starts.

Re:If you can't be bothered to RTF... (1)

Anrego (830717) | more than 2 years ago | (#37490546)

Hopefully the setting (if they make it available) will be locked down with a jumper on the mainboard, or a DIP switch, or something that is inaccessible to software.

The amount of stuff happening in changeable storage makes me nervous with UEFI.

Re:If you can't be bothered to RTF... (2)

Rockoon (1252108) | more than 2 years ago | (#37490630)

You are presuming that UEFI settings can be altered post-bootstrap. I don't know if they can or they cannot, but I do know that it's possible to prevent. It actually seems kinda trivial to throw a read-only flag that itself becomes read-only right before loading the boot sector.

Re:If you can't be bothered to RTF... (0)

Anonymous Coward | more than 2 years ago | (#37490506)

Disabling the feature in the bios is not a valid solution though. It needs to be made to work with Linux. Now, that support may need to come from the Linux community. Forcing users to give up functionality by running Linux is exactly what MS wants. They want Linux to be a less capable, less desirable alternative.

Re:If you can't be bothered to RTF... (2)

advocate_one (662832) | more than 2 years ago | (#37490756)

Forcing users to give up functionality by running Linux is exactly what MS wants. They want Linux to be a less capable, less desirable alternative.

Exactly... they want to be able to lock Linux users out of seeing the premium content that will ONLY be viewable on a machine that has been booted and verified as secure to play premium content via their key mechanism... there's even a TPM block shown in the graphic on the article. Don't forget that as far as Microsoft are concerned, their customers aren't the end users, but the film and recording publishers... we're the product... eyeballs delivered to watch the premium content

Re:If you can't be bothered to RTF... (1)

andycal (127447) | more than 2 years ago | (#37490558)

In reality any setting that can be changed by software, is open to modification by rogue software. If the secure boot *can* be disabled, then it's useless. (If you had to click a hardware switch, that is a different story.) I thought M$ push was that this option couldn't be disabled. Or are they planning on the Windows boot process halting if it discovers that it wasn't booted securely? Like that wouldn't get hacked... (assuming anybody actually wants the new M$ OS by then)

Re:If you can't be bothered to RTF... (0)

Anonymous Coward | more than 2 years ago | (#37490650)

EFI stores its nonvolatile variables in flash. Flash can be locked down, even selectively.

That means, they could lock down the flash region where they store the "secure boot or not"-flag before they start the OS loader, and nothing can revert that change except a reset, which would flush out malware, too.

Re:If you can't be bothered to RTF... (1)

neokushan (932374) | more than 2 years ago | (#37490714)

No, Windows will still boot just fine. It has to, otherwise it wouldn't work on older, BIOS-only machines. It's not about "Will windows boot if UEFI security fails", it's more "Will UEFI boot windows if security fails". Windows won't care what's telling it to boot, be it UEFI, Microsoft's own loader, GRUB or whatever, but UEFI will make a distinction about what it's prepared to boot.

There are also means for the OS (Any OS) to communicate with the UEFI system to determine how secure the boot was. If secure boot does somehow get disabled, Windows will boot just fine but you might get an error or a warning from your Anti-malware client letting you know that the boot couldn't be verified for security.
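
How an OS-side check of that boot state can look on Linux, as an added example that is not part of the original comment: firmware variables appear under efivarfs as files holding a 4-byte attribute word followed by the data, and `SecureBoot` and `SetupMode` are one-byte flags in the EFI global-variable namespace. The function names and state labels are this example's own, and the sample bytes are constructed.

```python
import struct
from pathlib import Path

# GUID of the EFI global-variable namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Constructed sample contents: attributes 0x6 (boot-service + runtime access), then one data byte.
SAMPLE_FLAG_SET = bytes([0x06, 0x00, 0x00, 0x00, 0x01])
SAMPLE_FLAG_CLEAR = bytes([0x06, 0x00, 0x00, 0x00, 0x00])


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def parse_flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SecureBoot or SetupMode."""
    _attrs, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected flag payload: {data!r}")
    return data[0] == 1


def boot_state(secure_boot_raw, setup_mode_raw) -> str:
    """Classify the platform from the raw SecureBoot and SetupMode variables.

    Returns one of:
      "unsupported"  no SecureBoot variable (legacy BIOS boot or older firmware)
      "setup-mode"   no Platform Key enrolled, so signatures are not enforced
      "enforcing"    firmware verified the boot chain against its key databases
      "disabled"     keys are enrolled but verification is switched off
    """
    if secure_boot_raw is None:
        return "unsupported"
    if setup_mode_raw is not None and parse_flag(setup_mode_raw):
        return "setup-mode"
    return "enforcing" if parse_flag(secure_boot_raw) else "disabled"


def read_var(name: str, base: Path = EFIVARS_DIR):
    """Return the raw bytes of a global EFI variable, or None if it is absent."""
    try:
        return (base / f"{name}-{EFI_GLOBAL_VARIABLE}").read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None


def local_boot_state(base: Path = EFIVARS_DIR) -> str:
    """Classify the machine this script runs on."""
    return boot_state(read_var("SecureBoot", base), read_var("SetupMode", base))


if __name__ == "__main__":
    print(local_boot_state())
```

An endpoint agent or fleet inventory job can report anything other than "enforcing" as a finding, which is the kind of warning the comment above describes.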

Re:If you can't be bothered to RTF... (0)

Anonymous Coward | more than 2 years ago | (#37490732)

Nonsense. That is true for traditional systems.
But with a TPM chip, that chip always has the last say about if the setting can be changed.
If the BIOS changes a flag in the chip to lock things down right before handing things to the bootloader, then not even the BIOS itself could change the setting back without the chip intercepting it.

Re:If you can't be bothered to RTF... (1)

Anonymous Coward | more than 2 years ago | (#37490606)

Actually you're right.. except where the manufacturer decides not to add that option.. you know, like when you open your friend's "BIOS settings" and see that they're different than yours.. or when you get the boot menu with F12 and others with Esc.
That screenshot might be for one motherboard.. how about the others? any guarantee that Microsoft won't "convince" them not disable such option?

Re:If you can't be bothered to RTF... (1)

neokushan (932374) | more than 2 years ago | (#37490656)

That screenshot is from the Tablet PC Microsoft themselves gave out at BUILD (before all this kerfuffle actually came up).

Re:If you can't be bothered to RTF... (1)

Rudeboy777 (214749) | more than 2 years ago | (#37490804)

In other words, it's probably not the BIOS that will ship with the final product, and they can remove the ability to toggle that setting at any time in the future.

Yes, just like BEOS (3, Interesting)

Anonymous Coward | more than 2 years ago | (#37490628)

Meanwhile under the table: Psst...Hitachi... want to sell another Windows box ever again? No BEOS in our BIOS, please. [beincorporated.com]

Re:If you can't be bothered to RTF... (1)

CycleFreak (99646) | more than 2 years ago | (#37490752)

The problem is that the vast majority of users have no idea the BIOS even exists, let alone how to change a setting within the BIOS.

Meaning that if "Secure Boot" is enabled by default, then it will never be changed by the end user. Linux users and computer enthusiasts in general will not have a problem with it. But, honestly, MS doesn't care about that 0.5%.

Re:If you can't be bothered to RTF... (1)

neokushan (932374) | more than 2 years ago | (#37490828)

I don't see how that's an issue at all? If you want to install Linux, chances are you're capable of hitting F12 at startup and switching an option off. If you're not capable of doing this, then what the hell are you trying to install another OS for?
If you don't know about the option or BIOS, why would you want to disable it?

Realistically all they need is a clear boot warning (1)

Chrisq (894406) | more than 2 years ago | (#37490234)

If they modified the standard so that the system would give a confirmation popup saying

"You are about to load an unsigned operating system, do you want to do so? To continue may compromise the security of your system."

This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot signing keys and publish them online like they did for Blu-ray.

Re:Realistically all the need is a clear boot warn (1)

scottuss (1325601) | more than 2 years ago | (#37490316)

Yes, because all "Joe Average" people are going to then panic and power off their computers. Most "normal" users that I know would look at that, shrug their shoulders and hit "continue", wanting to get on with watching their DVD, writing their letter, browsing the web, etc etc.

Re:Realistically all the need is a clear boot warn (1)

icebraining (1313345) | more than 2 years ago | (#37490588)

You're assuming there is such an option, and that the user won't be required to reboot, enter the menu and disable secure booting.

Re:Realistically all the need is a clear boot warn (1)

tires don exits (2460114) | more than 2 years ago | (#37490388)

Dancing bunnies [wikipedia.org].

Re:Realistically all the need is a clear boot warn (2)

SuricouRaven (1897204) | more than 2 years ago | (#37490454)

That's what it does right now, in the demo hardware. If you want to run anything other than Windows 8, you just have to go untick an option in the setup screen. The big fear of slashdotters is that once this is supported in hardware, it would be so, so easy for an OEM to remove that option, and they may well do so under pressure either from Microsoft or possibly as part of a data-collection/adware/network-locking subsidy deal similar to that already frequently seen in the mobile phone sector, where firmware-locking is the norm. Think Windows tablets more than desktops.

Time to get my last notebook (0)

Anonymous Coward | more than 2 years ago | (#37490240)

As long as I can build my own box, UEFI won't be a problem. But I bet most notebook manufacturers will lock their products down, for easier support.
And even if they put a Linux on their notebook, they may want to lock that down.

Re:Time to get my last notebook (1)

SuricouRaven (1897204) | more than 2 years ago | (#37490464)

Probably not so much notebooks as tablets. Similar reasons as with mobile phones. Lockdown OS means lower support costs and the options of disabling features at the behest of the networks or bundling spyware or adware that the user can't remove.

if they wanted to address the concern (1)

Anonymous Coward | more than 2 years ago | (#37490258)

If they wanted to address the concern, they would have made user control a requirement of the Windows Certificate program. The worry from the Linux crowd is that manufacturers have historically only done the minimum required in order to get Windows working.

"For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."
- Is there some sort of policy on these blogs that prevents them from mentioning their competition?

Pass the FUD, I'm starving. (1)

The Altruist (1448701) | more than 2 years ago | (#37490312)

Guys, remember the Internet Explorer anti-trust controversy?

*long awkward pause*

They. Are. Not. Going. To.

And even if they did, so what? Seriously, this is frickin' Slashdot. All of you either build your own machines or own Macs.

Re:Pass the FUD, I'm starving. (0)

Anonymous Coward | more than 2 years ago | (#37490374)

>implying there is a difference between a modern mac and a home-built PC at the hardware level.

Re:Pass the FUD, I'm starving. (1)

The Altruist (1448701) | more than 2 years ago | (#37490384)

Yeah, about $1000.

Re:Pass the FUD, I'm starving. (3, Interesting)

Svartalf (2997) | more than 2 years ago | (#37490432)

Building your own machines will be a bit of a problem if all the new motherboards do the same thing. Do you honestly think the DIY vendors will not march to that drum unless they're gunning for the Linux user crowd in the first place?

Re:Pass the FUD, I'm starving. (1)

Renegrade (698801) | more than 2 years ago | (#37490754)

I can totally see Asus having those features installed, and giving it some silly Asus name. "Super SafeBoot Deluxe!"

On the other hand, they will allow users to disable it in the "Boot" section of the BIOS setup.

Super SafeBoot Deluxe [No ]

(Description: "Enable/disable Super SafeBoot Deluxe" -- not very helpful).

This isn't Microsoft (2)

Murdoch5 (1563847) | more than 2 years ago | (#37490444)

This has nothing to do with Microsoft, the fact that Windows 8 will use UEFI is a choice just like any other choice. Linux supports UEFI,

Linux has been able to use EFI at boot time since early 2000, using the elilo EFI boot loader or, more recently, EFI versions of GRUB.[21]

Which is from the UEFI wiki page and Linux documentation. The issue is that the boot might be locked, not that Windows 8 will find and delete Linux partitions, so really this has nothing to do with Microsoft, it has to do with OEM systems. If you're concerned about this affecting you then build your own computer and it won't matter.

Re:This isn't Microsoft (2)

sakdoctor (1087155) | more than 2 years ago | (#37490616)

Stop spoiling this 2 minute hate on Microsoft with your facts.

Re:This isn't Microsoft (1)

Anonymous Coward | more than 2 years ago | (#37490700)

But you can't (realistically) build your own motherboard...even if a bunch of us got together and did exactly that, we couldn't make a motherboard that was remotely cost-competitive with the big manufacturers.

So we're stuck with motherboards with this instead of the regular BIOS...and that's where the problem lies.

This is damaging to FOSS (1)

Beetjebrak (545819) | more than 2 years ago | (#37490498)

Of course a Linux or other OS user might be able to disable this "feature" but that would *SERIOUSLY* tarnish the reputation of said OS. If it can not use "Secure boot" -for whatever reason- that implies it boots insecurely.. oh the horror!! It will put the adoption of any kind of grassroots OS at a major disadvantage. For us tinkerers here it's an absolute outrage that the freedom to tinker will come at a premium in the near future, but we've always been the minority.

Answer from Matthew Garrett to this article (1)

diegocg (1680514) | more than 2 years ago | (#37490542)

"Microsoft wrote an article about how they weren't making it harder to install Linux which described, in detail, how they're making it harder to install Linux. Here's my response" - https://plus.google.com/109386511629819124958/posts/GXc9y7E5uZX [google.com]

pay to play (0)

Anonymous Coward | more than 2 years ago | (#37490596)

Yeah, I only need a certificate to boot, but who issues that certificate and how much? Let me guess, it will be the same gang of suits that signs websites.
The free money game just doesn't get any harder for these guys.

I'll just wait till the antitrust lawsuits start happening; as soon as MS sign their bootloader is the time to strike,
locking out the competition 1x$500 boot certificate at a time.

Might increase the market for free os desktops? (1)

Youngbull (1569599) | more than 2 years ago | (#37490720)

This might raise awareness of the windows tax. The main problem with it is that most buyers intending to use some other operating system will accept the extra cost, install whatever they like over windows and never look back. Microsoft got a good deal going, locking in a machine to use windows and nothing else is unnecessary.

However, if there is no way to run anything else than Windows on a machine, it will make a small but noticeable decrease in sales. Perhaps this will increase the market for desktop machines with a free OS installed, with the possibility of tweaking or disabling secure boot, since "locked in" desktops are not a preferable option for some users.

"in"secure boot (1)

scharkalvin (72228) | more than 2 years ago | (#37490858)

The problem with the secure boot system is that it won't work. It will fail for the same reason that DRM encryption on DVDs and BD discs failed. They were eventually 'cracked'. As soon as a third party OS (Linux, BSD, Mac, etc) is available for installation on systems with secure boot the 'secret' will be out to the malware writers and they will find ways to get in via subterfuge.
