Tuesday, October 25th 2011

Controversial Windows 8 Secure Boot Feature: FSF Issues Rallying Cry

The controversial new Secure Boot feature in Windows 8 has been covered here before, but now the Free Software Foundation have issued a public statement warning about likely restrictive implementation to lock out competition, pretty similar to the arguments currently being levelled against it. They are also giving people a voice to protest against this, in the form of a petition. They say quite fairly, that it can be used for good, if the option to use it is completely with the owner of the computer. However, it isn't much of a stretch to see that the option to disable it is likely to simply be removed from the user, thus locking out the competition, mainly Linux: This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows. In this case, we are better off calling the technology Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all. Click here to see the full public statement and sign the petition and here for a more detailed explanation of the issue by the FSF.
Add your own comment

49 Comments on Controversial Windows 8 Secure Boot Feature: FSF Issues Rallying Cry

#1
qubit
Overclocked quantum bit
by: Derek12
But would this affect to BIOS based computers or only for UEFI ones? This wasn't me clear :confused:, or would Windows 8 ban BIOS computers?
Only UEFI implements secure boot. I would expect Windows 8 will install on old machines though, or Microsoft would leave itself with a tiny little market to sell the operating system into.
Posted on Reply
#2
micropage7
so m$ think coz they own the market what they do the market will follow and say yes?
like titanic that said unsinkable but history prove it
just lets see...
Posted on Reply
#3
pr0n Inspector
When you guys say "signed", do you mean the bootloader or the petition? (hah!)
Posted on Reply
#4
qubit
Overclocked quantum bit
by: pr0n Inspector
When you guys say "signed", do you mean the bootloader or the petition? (hah!)
I was nearly gonna answer that. :wtf: :laugh:
Posted on Reply
#5
Bo$$
Lab Extraordinaire
ah, they are taking the apple route....
Posted on Reply
#6
pantherx12
Wait wait wait, so how can windows 8 effect what the motherboard is doing during boot up?


This won't be able to stop people installing linux at all I'm so confussed :S
Posted on Reply
#7
digibucc
by: pantherx12
Wait wait wait, so how can windows 8 effect what the motherboard is doing during boot up?


This won't be able to stop people installing linux at all I'm so confussed :S
restricted boot only allows signed executables to boot, most linux distros will not be signed on every release, so if restricted boot is enabled, only signed linux installs will work. there will be some,. but it will greatly limit the control you have over our own machine (if it is implemented wrong).
Posted on Reply
#8
tomkaten
It's Microsoft. If something can go wrong it will go wrong. I'm sick of "features" designed to help the users in their first two iterations and horrifyingly restrictive after the initial public protests. So I signed it as well.
Posted on Reply
#9
Kreij
Senior Monkey Moderator
A signed bootloader/kernel is not enough. The firmware on the mobo must be aware of the signed executable too (it's key). This means that if the OEM did not include keys for a given OS, it will not work. Period. If I write a bootloader and kernel and want to test to see if it works with this option, I can't even if I self-sign it.

Let's say that you are happily running (legit) Windows and some malware (ie. rootkit) infects your bootloader.
It would seem that from that point on, your system will no longer boot at all, and force a complete wipe and reload of the OS. While that is probably what you would do in the event of a bootloader compromise, it's really going to put non-technical people in a panic situation.

I like the idea in concept, but the execution leaves quite a few questions unanswered (at least for now).
Posted on Reply
#10
Mussels
Moderprator
kreij: they'll just put a repair tool for the bootloader on the installation DVD, like they already have now for other repair functions.
Posted on Reply
#11
Kreij
Senior Monkey Moderator
by: Mussels
kreij: they'll just put a repair tool for the bootloader on the installation DVD, like they already have now for other repair functions.
That sort of fixes one of the problems, but what about the OEM systems that do not come with installation disks and require you make your own (which many, many people completely overlook)?
Posted on Reply
#12
Mussels
Moderprator
by: Kreij
That sort of fixes one of the problems, but what about the OEM systems that do not come with installation disks and require you make your own (which many, many people completely overlook)?
as always, they'll expect you to take it back to where you bought it for repairs. (in reality, they take it to that family friend who "can fix these stupid things")
Posted on Reply
#13
Kreij
Senior Monkey Moderator
I agree with that, Mussels, as most of us fall into the category of someone who "can fix these stupid things".
I just wonder how many people will just shut off the option, hand the computer back and say "fixed" even though the bootloader is still compromised.

I just can't help but feel that there is a better way to do this.
Posted on Reply
#14
Mussels
Moderprator
by: Kreij
I agree with that, Mussels, as most of us fall into the category of someone who "can fix these stupid things".
I just wonder how many people will just shut off the option, hand the computer back and say "fixed" even though the bootloader is still compromised.

I just can't help but feel that there is a better way to do this.
all microsoft really want is to block OEM machines from pirating newer OS's. they dont give a shit about custom builds. this is a piracy fix for prebuilt machines, especially laptops and tablets and nothing else.
Posted on Reply
#16
laszlo
qubit since you star posting news& "editorials" i felt like tpu gained "virility" ; i must admit that slowly get bored by all the hardware news,test,benches etc...life is not all about hardware & tech and i think is good having more infos from all domain in pc area and related ones

keep up the good work and don't give a s..it about critics;those who criticize you read what you post so they're readers even they want or not.

only good work is criticized bad is almost never mentioned
Posted on Reply
#17
qubit
Overclocked quantum bit
by: laszlo
qubit since you star posting news& "editorials" i felt like tpu gained "virility" ; i must admit that slowly get bored by all the hardware news,test,benches etc...life is not all about hardware & tech and i think is good having more infos from all domain in pc area and related ones

keep up the good work and don't give a s..it about critics;those who criticize you read what you post so they're readers even they want or not.

only good work is criticized bad is almost never mentioned
Thankyou very much! :toast: I'm glad to be making a positive difference to TPU. :)
Posted on Reply
#18
[H]@RD5TUFF
Everyone should sign this regardless of your OS choice, being forced into having to use only 1 OS to "fight piracy" is a terrible thing!
Posted on Reply
#19
fusionblu
So this is the reason Microsoft is releasing a new OS so soon than rather let Windows 7 have a long life span. I thought the release of a new OS this soon was suspicious since there are not as many serious faults with Windows 7 as there were with Windows Vista, but it would appear that this Restrict-Boot is the only option Microsoft have to fight the rather helpful SLIC Activation Loader which is used my millions of people worldwide. :D

I guess this won't matter much as an alternative crack would eventually be made if this "feature" (as Microsoft might like to call it) were to be implemented into all motherboards as piracy is always inevitable when a product is released regardless of any anti-piracy methods that may have been put in. :nutkick:

I think it would be safe to say that when the "Secure-Boot" is bypassed it would only become an unnecessary "feature" that motherboard manufacturers would eventually get rid off, but let's hope that it would fail before it can be used so it won't interfere with the hardware and software that has yet to be released.
Posted on Reply
#20
Mussels
Moderprator
fusionblu: or maybe microsoft always released OS's this fast in the past?


95/98/98SE/ME/NT/2000/XP/XP MCE/XP 64/vista/7 ?
Posted on Reply
#21
fusionblu
by: Mussels
fusionblu: or maybe microsoft always released OS's this fast in the past?


95/98/98SE/ME/NT/2000/XP/XP MCE/XP 64/vista/7 ?
I suppose that part could be true, but from how far they've gone it's clear that the new release is mostly about the anti-piracy and not as an actual improvement, that much is clear.
Posted on Reply
#22
newtekie1
Semi-Retired Folder
by: fusionblu
I suppose that part could be true, but from how far they've gone it's clear that the new release is mostly about the anti-piracy and not as an actual improvement, that much is clear.
Clear? Not really, I think there are more improvements between Win8 and Win7 then there were between Win7 and Vista. Vista didn't really have that many problems by the time Win7 was released, SP1 and SP2 made sure of that.
Posted on Reply
#23
FordGT90Concept
"I go fast!1!11!1!"
There's nothing to stop malware from getting signed. e.g. most Adobe and Apple software.

I've never encountered a malicious boot anyway unless UEFI is extremely vulnerable to such things. I haven't used a UEFI system yet.
Posted on Reply
#24
newtekie1
Semi-Retired Folder
by: FordGT90Concept
There's nothing to stop malware from getting signed. e.g. most Adobe and Apple software.

I've never encountered a malicious boot anyway unless UEFI is extremely vulnerable to such things. I haven't used a UEFI system yet.
Well UEFI is far more capable when it comes to network booting, so one of the main concerns that people voiced about it was that malicous booting was a larger concern due to the better network booting support. Secure Boot is one of the ideas to help close those holes created by the network booting improvements.
Posted on Reply
Add your own comment