Wednesday, September 21st 2011

Windows 8 Secure Boot: Designed to Lock Out Linux?

Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image derived from a keychain rooted in keys built into the PC. Microsoft is pushing hard to make this mandatory, so that users cannot override it. This feature would have the handy benefit of excluding alternative operating systems such as Linux and FreeBSD. This is according to Professor Ross Anderson of Cambridge University and other industry insiders. Also, it's not at all clear that it actually secures against viruses and other malware and appears to be solely designed to appease corporate self interests for unbreakable Digital Restrictions Management (DRM).

UEFI supercedes the 30 year old veteran BIOS found in most PCs today, which is very inefficient and slow for modern PCs, carrying a lot of old, legacy compatibility baggage that's just not needed in today's PC. UEFI, a key component of Windows 8, is designed to work on several CPU architectures, such as ARM and is streamlined and efficient. It also includes a much improved graphical interface that replaces the keyboard-driven menu system of the BIOS.

If the changes are adopted, then any system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. Tech blogger Matthew Garrett explains that while a signed version of Linux would work, this poses problems:
Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith.

Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by ever OEM.

There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market.
However, there's no need to panic just yet, concluded Garrett.

The effect of all these changes is to return to the dark days of 2003, when the Trusted Computing platform was being pushed as a way to completely DRM your entire PC to satisfy the content industries. However, this version will be far worse:
These issues last arose in 2003, when we fought back with the Trusted Computing FAQ and economic analysis. That initiative petered out after widespread opposition. This time round the effects could be even worse, as 'unauthorised' operating systems like Linux and FreeBSD just won’t run at all. On an old-fashioned Trusted Computing platform you could at least run Linux – it just couldn’t get at the keys for Windows Media Player.

The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate.
Anderson concludes that this restrictive technology might violate EU competition law, on Cambridge University's Light Blue Touchpaper blog.Source: The Register
Add your own comment

84 Comments on Windows 8 Secure Boot: Designed to Lock Out Linux?

#1
TRWOV
It's akin to joining a club. If you want to enter the "Designed for Windows 8" logo club you have to use UEFI 2.3.1 which provides the secure boot feature.



To recap:
- The UEFI 2.3.1 specification includes the secure boot option
- Microsoft mandates that OEMs whom want to enter the "Designed for Windows 8" logo program have to use UEFI 2.3.1 on their boards
- It's up to the OEM if the disable feature is included
- If the option to disable the secure boot isn't present you can still install linux but it would have to be signed.
Posted on Reply
#2
digibucc
TRWOV said:
It's akin to joining a club. If you want to enter the "Designed for Windows 8" logo club you have to use UEFI 2.3.1 which provides the secure boot feature.



To recap:
- The UEFI 2.3.1 specification includes the secure boot option
- Microsoft mandates that OEMs whom want to enter the "Designed for Windows 8" logo program have to use UEFI 2.3.1 on their boards
- It's up to the OEM if the disable feature is included
- If the option to disable the secure boot isn't present you can still install linux but it would have to be signed.
perfectly explained!
Posted on Reply
#3
The Jedi
For one, with whitelisting and blacklisting of keys can be an anti-piracy measure. I believe in buying Windows, so have no problem with that, and most people would just get Windows with their new pre-built computer.

Also, with Windows 8 being able to boot to a virtualized OS, or like a .VHD virtual hard drive file like Windows 7 Ultimate/Enterprise, MS may want extra protection for security purposes for a corporate PC.

The "Windows 8 Certified" is only for a mass produced computer with the Designed for Windows 8 logo, and DIY'ers need not concern themselves that their PC is not certified. It's a formality in some respects. A PC can be built with Windows 8 Logo'ed components and use official release WHQL drivers and be the same as certified. A Certified PC however means that I can't ship you a PC with beta drivers, so there is some intent to ensure the quality in a PC that gets Microsoft's logo sticker.

I doubt any company will ship a PC with an EFI BIOS that doesn't allow the secure boot to be disabled. I would imagine there would be options like Secure Boot: On/Off/Off for Next Boot

Then an IT department can just set a BIOS password for security, and no big deal. The actual PC designers surely have the sense that alternate OSes should be able to be installed like Knoppix or booting to anti-virus scanners and such. Also with a company like Dell, they sell PC's with Linux to certain customers, so often I think it'd be inappropriate to built in limitations into the PC. But HP for example locks their BIOSes on Pavilions so it will only work with the CPU model that it ships with - so you not only can't overclock, you can't upgrade your CPU, you'd need to buy a new PC for more CPU power. At least this was my experience several years ago. So sometimes depending on the company they have different model lines and different support agendas. I notice that with BIOS activation of Windows, Dell will ship a Linux PC with a different BIOS than the same model with Windows. And if you're an enthusiast who's buying pre-built and certain stuff matters to you, either do a little research before you buy or return it within 30 days and go with a better company.

I don't see this as a credible threat to Linux or DIY'ers, it's just more modernizing with the move to UEFI and the new things they can do now. If it were real Microsoft anti-competitiveness I think it'd surely get shot down one way or the other. As stated above, surely MS would want to avoid another confrontation with the governmental regulators.
Posted on Reply
#4
[H]@RD5TUFF
The Jedi said:

I don't see this as a credible threat to Linux or DIY'ers, it's just more modernizing with the move to UEFI and the new things they can do now. If it were real Microsoft anti-competitiveness I think it'd surely get shot down one way or the other. As stated above, surely MS would want to avoid another confrontation with the governmental regulators.
I currently use WUBI to boot Ubuntu, if I can't do so I have serious issue with that!
Posted on Reply
#5
Drone
I've read that MS replied to this and said that secure boot can be opt in/out and they posted this screen

Posted on Reply
#6
Shihabyooo
Drone said:
I've read that MS replied to this and said that secure boot can be opt in/out and they posted this screen

http://www.maximumpc.com/files/u138055/secure_boot.jpg
Thank you !

Now we just have to hope that OEMs won't disable this option in their products. But if you ask me, I think some -of not most- laptops will come without this option. At least it won't be MS's fault. Unless someone digs out a document showing MS paying OEMs to remove this "off button" from their products.
Posted on Reply
#7
Drone
^ yes, anything is possible
Posted on Reply
#8
Solaris17
Creator Solaris Utility DVD
/angry face.
Posted on Reply