Wednesday, September 21st 2011

Windows 8 Secure Boot: Designed to Lock Out Linux?

Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image derived from a keychain rooted in keys built into the PC. Microsoft is pushing hard to make this mandatory, so that users cannot override it. This feature would have the handy benefit of excluding alternative operating systems such as Linux and FreeBSD, according to Professor Ross Anderson of Cambridge University and other industry insiders. It is also not at all clear that it actually secures against viruses and other malware; it appears to be designed solely to appease corporate self-interest in unbreakable Digital Restrictions Management (DRM).

UEFI supersedes the 30-year-old veteran BIOS found in most PCs today, which is very inefficient and slow on modern PCs and carries a lot of old, legacy compatibility baggage that today's PCs simply don't need. UEFI, a key component of Windows 8, is streamlined and efficient and is designed to work on several CPU architectures, such as ARM. It also includes a much improved graphical interface that replaces the keyboard-driven menu system of the BIOS.

If the changes are adopted, then any system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. Tech blogger Matthew Garrett explains that while a signed version of Linux would work, this poses problems:
Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith.

Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.

There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market.
However, there's no need to panic just yet, concluded Garrett.

The effect of all these changes is to return to the dark days of 2003, when the Trusted Computing platform was being pushed as a way to completely DRM your entire PC to satisfy the content industries. However, this version will be far worse:
These issues last arose in 2003, when we fought back with the Trusted Computing FAQ and economic analysis. That initiative petered out after widespread opposition. This time round the effects could be even worse, as 'unauthorised' operating systems like Linux and FreeBSD just won’t run at all. On an old-fashioned Trusted Computing platform you could at least run Linux – it just couldn’t get at the keys for Windows Media Player.

The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate.
Writing on Cambridge University's Light Blue Touchpaper blog, Anderson concludes that this restrictive technology might violate EU competition law.

Source: The Register

84 Comments on Windows 8 Secure Boot: Designed to Lock Out Linux?

#1
Arctucas
For the average user, who, in most likelihood, is not even aware operating systems other than Windows exist and only buys pre-built PCs, this is basically a non-factor. Ignorance is bliss, after all.

I, personally, would not purchase a motherboard if it had no way to override or disable this type of restriction. When enough people feel the same, and the enthusiast market segment manufacturers begin to lose money, you can bet it will become an 'option'.
#2
OneMoar
There is Always Moar
Arctucas said:
For the average user, who, in most likelihood, is not even aware operating systems other than Windows exist and only buys pre-built PCs, this is basically a non-factor. Ignorance is bliss, after all.

I, personally, would not purchase a motherboard if it had no way to override or disable this type of restriction. When enough people feel the same, and the enthusiast market segment manufacturers begin to lose money, you can bet it will become an 'option'.
ofc but when people start pointing fingers and spinning-words logic and common sense go out like the trash
#3
A Cheese Danish
Silly question: Does this mean any PC shipped with W8 will not allow another OS to be installed?
#4
qubit
Overclocked quantum bit
A Cheese Danish said:
Silly question: Does this mean any PC shipped with W8 will not allow another OS to be installed?
If this came to pass, yes. That kind of lockout is exactly what it's for.

That wasn't such a silly question. :toast:
#5
A Cheese Danish
qubit said:
If this came to pass, yes. That kind of lockout is exactly what it's for.

That wasn't such a silly question. :toast:
I kinda figured. Basically screws the business world.
#6
happita
If this becomes a reality, EVEN if it is as an option, or if it has a "switch" you can damn well guarantee that when enough non-enthusiasts have adopted this....or forced to adopt I should say.....Microsoft, Trusted Computing, or whoever is behind this will charge a fee and say that "Hey, we're not going to let this 'technology' go for free anymore....we don't have the capacity or resources to help continuing this endeavor."
So this price that is charged has to go somewhere....and what better way NOT to incur the cost than to tack on the extra expense onto us customers? OS prices will go up....as if they aren't high enough? Pretty soon it will be an "option" at a price, then it will be standard in all PCs with an "on/off switch" with a price, and finally we will have no more say in it....oh and the price is one with the total cost and can no longer be negotiated. Plain and simple, this all comes down to control. More control, more certainty.
#7
DannibusX
You know, I'm on the fence about this. On one hand, it's a great idea to keep people from infecting their systems with malware and viruses. At least until someone figures out how to bypass it over the internet. On the other hand, it could lead to some systems only allowing (essentially) Microsoft Windows to be installed.

If it were to be implemented it would definitely have to be regulated with an option in the BIOS/UEFI. There's no way Microsoft should be allowed to have a de facto monopoly like that.
#8
D4S4
DannibusX said:
monopoly
cuz dat just be the way microsoft rolls.
#9
TRWOV
qubit said:
Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image derived from a keychain rooted in keys built into the PC. Microsoft is pushing hard to make this mandatory, so that users cannot override it.
This is only for OEM PCs that want to carry the "Designed for Windows 8" logo. This will only affect people buying a Dell and wanting to dual boot it. The lock can be turned off if desired although it will be up to the OEM if the option is included or not.




Katanai said:
This article: Designed to start a flamewar?
+1
#10
enaher
Probably has an off switch, lawsuits anyone?
#11
caleb
Lucky us there is MSDN/AA :)
#12
Saidrex
Don't care, I'm not going to use Windows 8 anyway, high price - same shit, only uglier interface. :nutkick:
#13
_JP_
Saidrex said:
Don't care, I'm not going to use Windows 8 anyway, high price - same shit, only uglier interface. :nutkick:
This guy gets it!
For now, I feel the same way about Win8.
#14
Bundy
Well I hope Win 8 is totally malware free then...because I use a linux boot distro to recover files.

Also, how are all the school boys going to access their porn now?
#15
NdMk2o1o
OneMoar said:
typical foss user ranting lulz :banghead: people like you are why linux has less than a 5% share of the desktop market
No, Windows users like YOU are why Linux has 5% share of the market
#16
Shihabyooo
MS looking for another Lawsuit ?
If they really include an option to turn it off, and give the buyer the choice whether to use it or not when buying a new Laptop/ Prebuilt Desktop, I don't see it being much of a problem. If anything, if their claims that it stops viruses from completely ruining the system, it might prove to be a very useful utility.

DrPepper said:
Actually it's more to do with the fact Linux is a niche OS that is only used by professionals and techies since the average user doesn't want to go through all the hoops to get what they want out of software.
...and the two types of users mentioned above won't have a problem running Linux on a Win8 machine, even if there is no off button


Edit: wait a sec, does that mean Win 8 will only run on a UEFI equipped system ?
#17
ron732
Microsoft up to no good yet again.

#18
Static~Charge
Rule #1 when dealing with Microsoft: Do not ascribe their actions to altruism, especially where competition is involved.

Microsoft is trying to kill two birds with one stone here. First, they want to stop malware infecting the boot record, and Secure Boot will certainly do that. Second, they want to discourage people from using other operating systems, and Secure Boot will put a damper on that, too. Naturally, Microsoft doesn't say anything about item #2, because that would draw the unwanted attention of Federal regulators for anti-trust behavior.

Deny it all you want, OneMoar, but that won't make it go away.
#19
Captain.Abrecan
Isn't this rather benign? This bios feature thing is supported in linux too, has been for years. If you turned it on, you wouldn't be able to install windows on a linux box.

It is the device manufacturer's responsibility to allow you to unlock the device, not Microsoft.
#20
PCpraiser100
Shouldn't be an issue, just prioritize your hard drives with the Linux one first if this is the case. If you can't afford a second hard drive, YOU CAN'T AFFORD LINUX!:laugh:
#21
m4gicfour
Since I'd be infracted if not more for posting a photoshopped GIF of a microsoft logo bukkake-ing a pc.. well you'll just have to make do with that colorful description.

This sort of stuff makes my skin crawl. Regardless of who's behind it - Microsoft or otherwise - It's only acceptable in my mind if the "off" button is a REQUIRED part of the specification. Furthermore, having it turned off should have no effect on any part of the OS. If this is about hardening the boot path against damage like they seem to be saying it is, there's no reason why it should affect anything to be off. I know corporate politics far too well (unfortunately) to think that anything of this sort offered up by the guys in the money making spots is anything but a thinly veiled attempt at making more money.
#22
Ahhzz
OneMoar said:
the lot of you keep overlooking the point that it HAS an off button AND it's A uEFI foundation spec NOT a Microsoft one, it's not any different than the SLIC embedded in most OEM BIOSes
http://mjg59.dreamwidth.org/5552.html
Microsoft is pushing hard to make this mandatory, so that users cannot override it.


yup, you're right... M$ has NOTHING to do with it, and are perfectly fine with users turning it off.....
#23
WhiteLotus
Don't worry everyone who lives in Europe, our master overlords will make sure that Microsoft will release a different product to comply with their/our competition laws.
#24
erocker
Senior Moderator
Due to the cleaning up I've had to do here any off topic, insulting, flaming posts will be given points. No warnings, as this is your warning. That includes responding to this post.

Stay on topic and behave.
#25
DrPepper
The Doctor is in the house
Shihabyooo said:
...and the two types of users mentioned above won't have a problem running Linux on a Win8 machine, even if there is no off button


Edit: wait a sec, does that mean Win 8 will only run on a UEFI equipped system ?
It will run on older hardware but the issue is that hardware won't be carrying a Windows 8 certified sticker I believe which is hardly an issue.