Secure Boot isn't the only problem facing Linux on Windows 8 hardware

[mjg59]

There's now no shortage of Linux distributions that support Secure Boot out of the box, so that's a mostly solved problem. But even if your distribution supports it entirely you still need to boot your install media in the first place.

Hardware initialisation is a slightly odd thing. There's no specification that describes the state ancillary hardware has to be in after firmware→OS handover, so the OS effectively has to reinitialise it again. This means that certain bits of hardware end up being initialised twice, and that's slow in some cases. The most obvious is probably USB, which has various timeouts as you wait for hardware to settle. Full USB support in the firmware probably adds a couple of seconds to boot time, and it's arguably wasted because the OS then has to do the same thing (but, thankfully, can at least do other things at the same time). So, looking for USB boot media takes time, and since the overwhelmingly common case is that users don't want to boot off USB, it's time that's almost always wasted.

One of the requirements for Windows 8 certified hardware is that it must complete firmware initialisation within a specific amount of time, something that Microsoft refer to as "Fast Boot". Meeting these requirements effectively makes it impossible to initialise USB, and it's likely that certain other things will also be skipped. If you've got a USB keyboard then this obviously means that your keyboard won't work until the OS starts, but even i8042 setup takes time and so some laptops with traditional PS/2-style keyboards may not set it up. That means the system will ignore the keyboard no matter how much you hammer it at boot, and the firmware will boot whichever OS it finds.

For a newly purchased device, that's going to be Windows 8. It's not too much of a problem with a fully installed Windows 8, since you can hold down shift while clicking the reboot icon and get a menu that lets you reboot into the firmware menu. Windows sets a flag in a UEFI variable and reboots the system, the firmware sees that flag and does full hardware initialisation and then drops you into the setup environment. It takes slightly longer to get into the firmware, but that's countered by the time you save every time you don't want to get into the firmware on boot.

So what's the problem? Well, the Windows 8 setup environment doesn't offer that reboot icon. Turn on a brand new Windows 8 system and you have two choices - agree to the Windows 8 license, or power the machine off. The only way to get into the firmware menu is to either agree to the Windows 8 license or to disassemble the machine enough that you can unplug the hard drive[1] and force the system to fall back to offering the boot menu.

I understand the commercial considerations that result in it ranging from being difficult to impossible to buy new hardware without Windows pre-installed, but up until now it was still straightforward to install an alternative OS without agreeing to the Windows license. Now, installing alternative operating systems on many new systems will require you to give up certain rights even if you want nothing other than to reach the system firmware menu.

I'm firmly of the opinion that there are benefits to Secure Boot. I'm also in favour of setups like Fast Boot. But I don't believe that anyone should be forced to agree to a EULA purely in order to be able to boot their own choice of OS on a system that they've already purchased.

[1] Which is a significant and probably warranty-voiding exercise on many systems, and that's assuming that it's not an SSD soldered to the motherboard…

Comments

What about live-cds?

[(Anonymous)]

Most distros these days come with a livecd, are newer firmware's not set to boot to CD if there's one in the drive?

Re: What about live-cds?

[mjg59]

They are not set to boot from CD if there's one in the drive.

Re: Not bound by licence agreement I think

[mjg59]

I've screened a bunch of discussion here, because having a bunch of non-lawyers talk about whether or not the license is binding is unhelpful.

Tying

[ewen]

That sounds quite a bit like "tying" the hardware purchase to an OS contractual arrangement in the way that competition law (eg, anti-monopoly) is likely to be relevant. Possibly the way to tackle it is through one of the jurisdictions (EU? USA?) that has issued related consumer choice rulings?

The simplest technical solution would seem to be to not do FastBoot until after the first successful boot-to-full-running-OS, so "out of the box" systems (in "late first install" mode) go through the slow path that enables the keyboard in the pre-boot environment. Or (possibly in addition) implement something like the Apple Macintosh hold-key-to-boot-from-CD in the early OS environment (ie, that when the early OS environment initialises the keyboard, it can notice that the key is held down and then issue the reboot-from-CD; the Mac does it in the firmware IIRC, but it'd be workable in the early OS environment from a one-off usability point of view).

Ewen

Re: Tying

[(Anonymous)]

It seems like the mentioned "UEFI variable" is in nvram, and as such will survive on a powered-off system. It would make sense then to use such a flag for indicating, as Ewen suggests after a full install and successful boot, that FastBoot should be used from then on. But yeah, obviously that would go against any possible scheme, as is suggested in this thread, to make it complicated to install a different OS.

Reboot to firmware menu

[(Anonymous)]

On a tangential topic, does the Linux reboot process have a way of setting that UEFI flag to request a reboot into the firmware menu?

Re: Reboot to firmware menu

[(Anonymous)]

Depends on the system, but on my ThinkPad X220, 'efibootmgr' lists an option to go into the ROM Setup. You just tell it to set it as a "BootNext" choice, and on next boot it'll go straight into the ROM Setup tool. As long as that's the case (not all, but many, do), it's easy enough to do.

For example, with mine, running 'efibootmgr -n 0000' selects the ROM Setup to boot on next reboot (and boots it only once).

A system's design shows it's true intent

[(Anonymous)]

The Spaniards should submit this as evidence to the European Commission. Forced licensing and obstruction of basic hardware functionality. (mouse,keyboard)

shift f10

[(Anonymous)]

Have you tried pressing shift-F10 at the EULA screen? At various points in setup, that key combination will bring up a command prompt. Not sure about the specific screen you're talking about though.

Re: shift f10

[(Anonymous)]

No, that key combo only works in PE. This EULA screen is during OOBE.

[(Anonymous)]

I've yet to see a machine that doesn't have a key combination at start that allows selecting boot device etc. Are there really those around? Lots of them? Or is this just a theoretical thing?

[(Anonymous)]

Thats pretty much the problem he is describing. Maybe that combination is there. But how are you going to press it if you can't use your keyboard?

Boon for ransomware, by the looks of it

[(Anonymous)]

Speaking as someone who's often had to boot up RescueCD to rescue a PC from malware or so, and having just read recently about ransomeware, it strikes me that Microsoft's UEFI shenanigans are a boon for ransomeware. If there is no way to get around such a fixed sequence of boot events except by expensive radical open-heart computer surgery, instead of the quick-and-easy reboot with a secure OS from CD or USB stick and running anti-malware software from it, a time-tried-and-proved method, then we have yet another few years of malware supremacy to look forward to: MSWin9x revivus.

Wesley Parish

ALT Linux Rescue

[(Anonymous)]

Try booting http://en.altlinux.org/Rescue -- recent builds (as of end of November 2013) will cope with UEFI SB left on.

--
Michael Shigorin

With legal problems, lawyers are the solution

[pavelmachek.livejournal.com]

They can't force the EULA on you, that's why you have to agree to it. (Is the copy of EULA somewhere?) It probably says something like "if you don't like this EULA, remove windows without running it". If it turns out that can not be done... well it turns agreement into blackmail. Antitrust lawyers are probably way to go.

Or perhaps you can argue that EULA is invalid because you were blackmailed into it. That should give you some attention.

Re: With legal problems, lawyers are the solution

[(Anonymous)]

It's clearly invalid. There was no meeting of the minds. But, of course, proving that likely requires expensive legal shenanigans, much more expensive than sucking up the cost of the Windows license for the OS you're never going to use.

Not at *all* like Prenda Law. Oh no.

what did you mean is :

[(Anonymous)]

"you still need to boot your install media in the first place."
this make no sense.
still need to boot your install media?
boot the "install media"? "install media" is media, or as we call it , data. you cant boot data, its not a computer. booting data is "clearing it?"

im not sure what you ment there.

Re: what did you mean is :

[(Anonymous)]

Media is not data. Media is that which hosts the data. The install media is the media which hosts the install data. It can be a CD, an USB key, a special recovery partition, a network resource...

does shift-F10 work at the EULA screen?

[(Anonymous)]

can you bring up a command prompt when you see the EULA?

Try to make it crash?

[(Anonymous)]

Someone mentioned at hackernews that a failure to boot should make it turn off fast boot. So how about trying this:

Boot to the EULA screen, and while at it, hold the power button firmly until it powers down (power down forced by the hardware, the same one you would use if it stopped responding). This would look like a crash (no normal shutdown), so it is possible that it would allow you to get to the firmware on the next power on.

Re: Try to make it crash?

[(Anonymous)]

The problem with this method still in it being a "workaround", that most probably a "techie friend" would know how to deal with, not a normal person "who heard about 'Unbun-something'" to replace Windows.

It isn't show as an simple option for the user =/

Press power button for 5 seconds

[(Anonymous)]

Hello, I didn't even notice the issue. I simply kept pressed the power off button for 5 seconds and the PC did a full initialization allowing me to press F12 to get into the bios. The problem I have now with secure boot is that the text console is only on the laptop internal panel, so with a dual monitor setup and a docking station in the office I'm not able to see the text consoles on the external monitor. I need to re-open the lid and look at the laptop.... bah.

Re: Press power button for 5 seconds

[(Anonymous)]

Exactly, this is what I was thinking as I read this.
I've got an Intel board with 67 chipset, which has comparable tech in it.
The way to do a full initialise, i.e. turn off all the optimisations, is to press and hold the power button for about 4 seconds (it gives off four beeps). Then you are in a full BIOS/UEFI environment, and you can change the optimisations to allow booting from USB.

[(Anonymous)]

Simple answer build your own, dont get stuck in the neverending mish mash of complexity that is Windows

Build your own?

[(Anonymous)]

Yeah, that's a great idea.

Unless you want, you know, a laptop. Or a netbook.

You can bypass Fast Boot

[(Anonymous)]

On my Dell Inspiron 14z I just press F12 to get the boot menu, or F2 to head straight into firmware. I think there's a very very tiny window for pressing the shortcut key but it's there. Once those tiny dots start spinning you're out.

Once in there you can disable Secure Boot and enable Legacy boot devices to get good ol' BIOS behaviour. I don't know if this is true of all Windows 8 machines but it seems Secure Boot must be disabled or there's no option to boot to anything but Windows or network

Re: You can bypass Fast Boot

[mjg59]

You can bypass it on some systems. Other systems won't bother to initialise anything unless told to. And you can boot plenty of modern Linux distributions without disabling Secure Boot.

Recent example

[(Anonymous)]

See http://people.skolelinux.org/pere/blog/How_can_I_install_Linux_on_a_Packard_Bell_Easynote_LV_preinstalled_with_Windows_8_.html and http://people.skolelinux.org/pere/blog/How_to_install_Linux_on_a_Packard_Bell_Easynote_LV_preinstalled_with_Windows_8.html for a recent example of that.

hardware switch

[(Anonymous)]

why not use an hardware switch right on the motherboard or next to the power button for switching fast boot on or off?

this would of course have to be implemented on the next generation of motherboards and/or computer chassis and is not a solution viable solution right now but for the future i think it seems simple and practical, dont you?

Re: hardware switch

[mjg59]

Why would most hardware vendors go to the effort and expense?

Long Press

[(Anonymous)]

Why not disable fast-boot if the power-button is pressed longer than 1 sec on poweron. The Powerbutton is basically connected to a GPIO pin, so it can be detected very easily.

Re: Long Press

[(Anonymous)]

That's one of the most reasonable things in this conversation. Do you know what the feasibility is of adding this kind of detection to the uEFI setup, is the power button state not easily accessible or readable in early firmware initialization and can this be overloaded with the other function of long-press which is power-off.

Firmly of the opinion...

[(Anonymous)]

It's like, if you were a slave building the egyptian pyramids, and you'd be complaining how it's unfair that you have to be whipped all the time, because you'd totally be willing to help with the pyramids anyway because "there are definitely benefits to building them".

There is no benefit to SB, not in it's current form, not as long as we have to accept Microsoft as any kind of authority. Develop tools that are in the user's control, not in Microsoft's. That's the only way for any meaningful security.

Microsoft signing keys will be compromised. Secure boot will be broken. It's only a matter of time.

Re: Firmly of the opinion...

[pjakma.wordpress.com]

Secure Boot provides no security, regardless of whether MS' keys are compromised or not. By far the weakest link in the chain is the kernel - it is swiss cheese, riddled with security holes and more keep being added.

Secure Boot doesn't buy anything, until and *UNLESS* you have something secure to boot. And we don't.

[(Anonymous)]

This just shows that it's important to buy systems that don't come with a proprietary operating system pre-installed. It's bad for your freedom. Instead, buy systems with a free GNU/Linux distribution like the FSF-endorsed Trisquel distro pre-installed. Try to support companies that at least try to do the right thing. If you can't help support freedom, then at least buy a computer with no operating system, that's at least neutral. If you can't do that or at least remove the drive and erase it beforehand so that nothing is found to boot from and thereby short circuiting the whole "I must click agree" deal.

Windows 8 EULA

[(Anonymous)]

Since one can return the entire system for a full refund if you don't want to agree to the EULA it might grab the large vendors attention if many, many customers did just that.

Re: Windows 8 EULA

[(Anonymous)]

That is bad...last week I was checking an acer notebook...It has UEFI but the secure boot was gray out...Trying to partition the harddisk makes it unusable...

Examples of models that have this problems

[(Anonymous)]

I'm going to submit a complaint to the competionoffice and consumerNPO here in Sweden about this. I need some examples, could you write down some models in this thread if you had this problem, thanks.

Re: Examples of models that have this problems

[(Anonymous)]

Should be "competition" above, sorry.

[(Anonymous)]

how about PXE boot? I guess that will suffer the same problem, since fast boot will ignore everything except the hard drive?

[(Anonymous)]

I am not surprised what Microsoft does - it does that all the time in order to maintain its rule.
So, I don't think too much, and I don't waste time on "fixing" the issues they've imposed on their customers. If I encounter a hardware with win8 preinstalled, first thing I do is wipe off the hard drive, to make sure all Microsoft excrements are gone for good (excuse me for tough words, but this is least how we should behave towards someone who takes our money and spits in our face)

Linus on Windows 8 hardware.

[(Anonymous)]

I have a VAIO Duo 11 and to get to the boot menu for a USB you need to press an Assist key that is entirely different to the power button and in a location that you would not normally expect - under the front part of the device/ keyboard. You then get a menu for BIOS or USB, or Ethernet boot. This will only work if you fully shut down the device - not it's typical anticipated mode of operation. It still doesn't boot from the USB.

I have a Toshiba P50T (4th gen i7) and cannot get it to boot from a bootable USB.

The USB is a bootable Ubuntu instance (current at time of posting).

I have tried disabling secure boot in the Sony BIOS, but it made no difference.

A legacy Toshiba Satellite Pro A120 boots from the USB not problems e.g. the USB is verified.

The result is I have two high end very much contemporary devices that are useless for booting anything other than Windows 8.