[personal profile] mjg59
Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background.

We became aware of this issue in early August. Since then, we at Red Hat have been discussing the problem with other Linux vendors, hardware vendors and BIOS vendors. We've been making sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

Microsoft have a dominant position in the desktop operating system market. Despite Apple's huge comeback over the past decade, their worldwide share of the desktop market is below 5%. Linux is far below that. Microsoft own well over 90% of the market. Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up.

The final irony? If the user has no control over the installed keys, the user has no way to indicate that they don't trust Microsoft products. They can prevent their system booting malware. They can prevent their system booting Red Hat, Ubuntu, FreeBSD, OS X or any other operating system. But they can't prevent their system from running Windows 8.

Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise.
Page 1 of 2 << [1] [2] >>

Date: 2011-09-23 01:16 pm (UTC)
From: [identity profile] benanov.livejournal.com
"If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up."

Sadly, this "inform the user" approach doesn't work 100% of the time. A lot of questions like this (say, on initial boot) are answered by someone who is not the user. Think "Best Buy Optimized."

I didn't think about the case of hardware swaps, and that's even more anti-consumer.

Date: 2011-09-28 02:23 pm (UTC)
From: [identity profile] kisai.livejournal.com
I think this might be overblown, yes it's a concern... but only for secondary sales.

The average joe user is going to go into a store and buy a desktop or laptop, and never install another operating system, let alone upgrade the OS. When that device reaches the end-of-life, it's given to their kid, or donated somewhere, that's when the hard drive is wiped and Linux is installed if the Windows keys aren't glued to the chassis and there's no reinstall disc.

So we're at least 4 years off before this gets noticed as a problem, and by then it would be too late, those machines get landfilled instead of reused.

For the server market, this feature will never be enabled, as the numerous hypervisor implementations will never have the OS talking to the real hardware. It's within reason for Xen, VMWare, etc to include secure boot keys if they must emulate the secureboot environment.

This leaves the enthusiast who builds their own computer, there will be no secureboot for these people, because the keys won't be available.

So the point is not that you can't buy a dell and install linux on it, but rather you can't get recycle any windows 8 computer that has secureboot enabled.

And yes the "bestbuy optimized" types do exactly that, they click through the EULA's for the included software, delete the OEM's bloatware off the desktop, and install the antivirus and printer drivers. No optimization actually takes place. They hire bored highschool students to do that work.

One fix

From: (Anonymous) - Date: 2011-09-28 03:12 pm (UTC) - Expand

Primary Sales

From: (Anonymous) - Date: 2011-09-28 03:25 pm (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2011-09-28 04:24 pm (UTC) - Expand

Date: 2011-09-23 01:21 pm (UTC)
pseudomonas: Dragon from BL manuscript of C14 French Ḥumash (Default)
From: [personal profile] pseudomonas
Is there anywhere a lay summary of the issues that this throws up that I can send to MEPs etc?

(no subject)

From: (Anonymous) - Date: 2011-09-23 02:38 pm (UTC) - Expand

Huh?

From: (Anonymous) - Date: 2011-09-26 04:43 pm (UTC) - Expand

Re: Huh?

From: (Anonymous) - Date: 2011-09-26 05:51 pm (UTC) - Expand

Re: Huh?

From: (Anonymous) - Date: 2011-11-20 10:27 pm (UTC) - Expand

Palladiation Arrives . . .

From: (Anonymous) - Date: 2011-09-23 04:06 pm (UTC) - Expand

Treacherous Computing

From: (Anonymous) - Date: 2011-09-23 04:24 pm (UTC) - Expand

I think your problem

Date: 2011-09-23 01:43 pm (UTC)
From: (Anonymous)
is with UEFI. This is nothing to do with Windows 8. I am not sure what makes you go about whining on Windows 8 though. If user wants to install other OS they will get the keys from OEM or disable the secure boot. Doesn't Chrome OS comes with something like this?

Re: I think your problem

From: (Anonymous) - Date: 2011-09-24 08:05 am (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-27 05:43 am (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-26 04:02 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-27 05:41 am (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-28 04:05 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2013-10-17 11:50 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-23 01:52 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-26 06:31 am (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-26 11:55 am (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-23 11:52 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-25 05:15 am (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-28 02:21 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-28 02:55 pm (UTC) - Expand

Re: I think your problem

From: (Anonymous) - Date: 2011-09-28 10:39 pm (UTC) - Expand

How are they misusing?

Date: 2011-09-23 01:46 pm (UTC)
From: (Anonymous)
Why do you subscribe to 80s boot loader. This could be better from the security stand point. To make it work with UEFI is your problem not theirs. I dont see this as being MS in control. I agree with you on OEM being in control. As the previous user indicated doesn't Google Chrome OS doesn't do something like this?

I guess...

From: (Anonymous) - Date: 2011-09-23 02:41 pm (UTC) - Expand

Ah

From: (Anonymous) - Date: 2011-09-23 03:08 pm (UTC) - Expand

Re: How are they misusing?

From: (Anonymous) - Date: 2011-09-23 03:35 pm (UTC) - Expand

Re: How are they misusing?

From: (Anonymous) - Date: 2011-09-23 04:35 pm (UTC) - Expand

Re: How are they misusing?

From: (Anonymous) - Date: 2011-09-26 04:59 pm (UTC) - Expand

Re: How are they misusing?

From: (Anonymous) - Date: 2011-09-28 02:27 pm (UTC) - Expand

Another misuse of monopoly

Date: 2011-09-23 01:51 pm (UTC)
From: [identity profile] https://www.google.com/accounts/o8/id?id=AItOawkztmvh3F32KzM11EajT4PC9eXpIo0881A
I think that in the EU Microsoft is on very thin ice considering how we've reacted to their misuse of monopoly in the past. This time however they're trying to hide behind that minor detail that Microsoft is "only" a board member of UEFI forum. I'd say they're shooting themselves in the leg with these kind of stunts. They're certainly not looking at the big picture. Instead of forcing others they should be doing something others really want to adopt (and not sue them over adopting it either).

You can't expect to be running a successful company if you're this fearful of competitors.

Re: Another misuse of monopoly

Date: 2011-09-26 04:10 pm (UTC)
From: (Anonymous)
I don't think they're trying to "hide" at all. They're using UEFI. You people had years to either influence the direction of UEFI or request some changes. But what did you do? Nothing? Even when Google implemented for Chromebooks you did nothing. Only when MS decided to implement this standard do you take issue with it and then pull out all the tired old arguments about monopoly and big bad MS. This is the same company that most of you claim is irrelevant daily. But now suddenly they're their late 90's invincible force.

Your complaint here is with the UEFI standard first, and OEMs second. MS can't speak for what OEMs will do. But I imagine most will offer a "disable secure boot" option. And if the blog author knows of OEMs who won't, why doesn't he list their names?

Re: Another misuse of monopoly

From: (Anonymous) - Date: 2011-09-28 03:05 pm (UTC) - Expand

Microsoft is a Monopoly if This happens

Date: 2011-09-23 01:59 pm (UTC)
From: (Anonymous)
Microsoft will have a monopoly IF this happens. However, I think that most companies wouldn't necessarily force UEFI secure booting. According to the Tested Podcast, there are already UEFI level 2 systems out there that can do this.

Most system vendors I know wouldn't lock you into....well anything. They'd rather make a sale then force you to use something you don't want.

I DO think having a central management authority over UEFI secure boot keys should be done or at the very least something like a multivendor alliance (like Open Handset Alliance but better...).

It would not help

Date: 2011-09-23 02:17 pm (UTC)
From: (Anonymous)
This would not help, since the GRUB EFI image is generated on the computer where you install it, in order to include the modules required for GRUB to find its files.

The user must be able to sign his own GRUB image himself, and this signature must be accepted by the board's firwmare.

Re: It would not help

From: [identity profile] http://users.livejournal.com/deviant_/ - Date: 2011-09-23 03:21 pm (UTC) - Expand

Re: Microsoft is a Monopoly if This happens

From: (Anonymous) - Date: 2011-09-23 03:18 pm (UTC) - Expand

Re: Microsoft is a Monopoly if This happens

From: (Anonymous) - Date: 2012-02-12 02:34 pm (UTC) - Expand

Re: Microsoft is a Monopoly if This happens

From: (Anonymous) - Date: 2011-09-26 01:54 pm (UTC) - Expand

This has anti-trust implications

Date: 2011-09-23 02:06 pm (UTC)
From: (Anonymous)
It would surprise me if the first motherboard manufacturer to sell a Windows-booting-only motherboard in the US to find itself, along with Microsoft, explaining in Federal Court just how this key signing scheme doesn't violate the Sherman Antitrust act or section 3 of the Clayton Act.

If I were a manufacturer I might think long and hard about having to make that argument, especially if my co-defendant was a convicted monopolist.

Re: This has anti-trust implications

Date: 2011-09-23 10:57 pm (UTC)
From: (Anonymous)
Please look into how much money Microsoft donates to the u.s. political caste, both color 'red' for republican and 'blue' for democrat. also please look at the previous jobs the head official's at the doj worked for. then come back and tell me with a straight face that they will do 'anything' at all..
THE best thing you can hope for is the E.U. to do something 10 years from now and then we can import machines that can boot the surviving versions of linux and bsd off of them. till then stock up on motherboards and parts and pray.. pray not all of them fail before then.

Re: This has anti-trust implications

From: (Anonymous) - Date: 2011-09-25 01:16 am (UTC) - Expand

Re: This has anti-trust implications

From: (Anonymous) - Date: 2011-09-28 02:22 pm (UTC) - Expand

Re: This has anti-trust implications

From: (Anonymous) - Date: 2011-09-26 05:01 pm (UTC) - Expand

Planned obsolecence at its best

Date: 2011-09-23 02:15 pm (UTC)
From: [identity profile] https://www.google.com/accounts/o8/id?id=AItOawnICbHaV3lMV4mOH5Vwq2G6wJ-9Y8kg-ao
Hm...
If Microsoft changes its UEFI keys on a future version of Windows, hardware that only stores the former version of Microsoft's keys on the bootloader will be stuck forever on an old version of the operating system.

Re: Planned obsolecence at its best

Date: 2011-09-23 02:27 pm (UTC)
From: [identity profile] benanov.livejournal.com
That makes Apple's "let's change chip architectures every 10 years and only support one more point release" look positively saintly.

Re: Planned obsolecence at its best

From: (Anonymous) - Date: 2011-09-23 07:54 pm (UTC) - Expand

What does this mean?

Date: 2011-09-23 02:26 pm (UTC)
From: (Anonymous)
The article is not very clear.

Does it mean that there will be hardware that refuses to boot anything that is not signed by Microsoft? (due to "incentives" provided by Microsoft)

If so, I assume that would be a gross violation of Antitrust laws everywhere and Microsoft should be brought to court ASAP over it if it happens, and warned in advance of this beforehand.

If instead it just means that the BIOS/bootloader won't give you "warm fuzzy security feelings" when you boot something not signed by Microsoft, most likely nobody really cares.

Re: What does this mean?

Date: 2011-09-23 03:37 pm (UTC)
From: (Anonymous)
Why, it's not the first gross anitrust violation by MS which goes unpunished. They try it, may be they get away with it, may be not. But they still try.

Re: What does this mean?

From: (Anonymous) - Date: 2011-09-26 04:53 pm (UTC) - Expand

Re: What does this mean?

From: (Anonymous) - Date: 2011-09-25 05:21 am (UTC) - Expand

How many...

Date: 2011-09-23 02:28 pm (UTC)
From: (Anonymous)
...Linux users buy a pc from an OEM?
versus buying from a component retailer?

Do you think ASUS, MSI etc will ship their consumer boxed MB's with secure boot enabled? Not if they want to shift any they units won't.

Of course the MB's they supply to HP, DELL etc will have exactly what the OEM wants on it and nothing else.

So we have a situation where Microsoft are looking at the issue from their perspective (shock horror), their competitors are throwing FUD.

You need to be engaging the Todd Bradley's of the world to get a commitment to allow disabling of secure boot if the USER wants to. That way we all win. 90% of the market sees no change and the rest get to choose. Note nothing to do with the OS vendor is required. The FOSS community is making itself look pretty crazy atm sadly.

Re: How many...

Date: 2011-09-23 02:42 pm (UTC)
From: [identity profile] marcanoonline.com
"...Linux users buy a pc from an OEM?
versus buying from a component retailer?"

Sure, next time I will build my laptop from components, instead of buying it already built

The option to disable Secure boot is not enough, we want to be able to secure boot other OSs, so an option to install keys is the only one I will accept

Re: How many...

From: (Anonymous) - Date: 2011-09-23 06:46 pm (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-09-24 11:21 am (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-09-25 05:25 am (UTC) - Expand

Re: How many...

From: [identity profile] benanov.livejournal.com - Date: 2011-09-25 03:32 pm (UTC) - Expand

Re: How many...

From: [personal profile] dragonwolf - Date: 2011-10-26 11:09 am (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-12-28 10:18 am (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-09-23 04:05 pm (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-09-24 01:36 pm (UTC) - Expand

Re: How many...

From: [identity profile] http://openid.fraglimit.net/sorpigal - Date: 2011-09-26 05:08 pm (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-09-26 02:24 pm (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2011-09-26 05:04 pm (UTC) - Expand

Re: How many...

From: (Anonymous) - Date: 2012-03-02 03:41 am (UTC) - Expand

Date: 2011-09-23 02:31 pm (UTC)
From: (Anonymous)
If microsoft pull this off this anti-competitive behaviour, it can only end up in one place: the courts.

User in control ?

Date: 2011-09-23 02:36 pm (UTC)
From: [identity profile] https://me.yahoo.com/ydroneaud#8e5a5
BTW, what is going to happen when the secure boot failed to actually boot your system because some malware "corrupt" some part of the system ?

What will happen to your data ?

How can you recover your system in this case ?

Will Microsoft provide some signed removable bootable device to restore its operating system on your system ?

How anti-virus vendor will be able to provide tools to remove malware is such cases ?

Re: User in control ?

Date: 2011-09-23 03:50 pm (UTC)
From: [identity profile] http://users.livejournal.com/deviant_/
This case actually isn't terribly bad - you'll have to use a signed rescue CD or whatnot, but it's just a matter of replacing the binaries on disk with the correct ones and your system will boot again. Your data is not in jeopardy.

Date: 2011-09-23 02:50 pm (UTC)
From: (Anonymous)
Equally:

■Windows 8 certification does not require that UEFI secure boot can't be disabled

■Windows 8 startup does not require that the user be enables UEFI secure boot.

■Windows 8 certification does not prevent the system shipping with any keys other than Microsoft's.

■A system that ships with UEFI secure boot enabled and only includes Ubuntu's signing keys will only securely boot Ubuntu operating systems.

See the thing with this is that it is entirely down to what the OEMs decide to provide in their hardware implementation and that is fundamentally down to what purchasers want from their systems. Microsoft have no say other than it'll need a Microsoft key and secure boot support if they want to brand it as a Windows 8 PC, which makes sense.

It's not hard to see why, for example, a bank that runs Windows on it's corporate desktop might not want anyone booting from another OS that will be able to compromise system security and so will prefer systems that follow that approach. Equally systems sold to the general public will more likely have a flexible approach to how they're used.

It's about having the freedom to choose what functionality is in the PC you buy. Isn't that supposed to be a good thing?

(no subject)

From: (Anonymous) - Date: 2011-09-23 10:51 pm (UTC) - Expand

Why not?

From: (Anonymous) - Date: 2011-09-28 02:10 pm (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2011-09-23 06:32 pm (UTC) - Expand

Well said, but...

From: (Anonymous) - Date: 2011-09-25 11:09 am (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2011-09-26 05:07 pm (UTC) - Expand

Date: 2011-09-23 03:41 pm (UTC)
From: (Anonymous)
> The final irony? If the user has no control over the installed keys,
> the user has no way to indicate that they don't trust Microsoft products.

Very much to the point. Trust depends on mutuality. It's put very well in this short video:
http://www.youtube.com/watch?v=UnXU7z2_6Jg (http://www.youtube.com/watch?v=UnXU7z2_6Jg)

umm yes you do

Date: 2011-09-23 03:42 pm (UTC)
From: (Anonymous)
Don't buy them

Re: umm yes you do

From: (Anonymous) - Date: 2011-09-23 03:45 pm (UTC) - Expand

antitrust anything, part N?

Date: 2011-09-23 04:22 pm (UTC)
From: (Anonymous)
Seems like they don't mind another round of EU antitrust fines, even if they're highly "democrated" in the US...

Date: 2011-09-23 05:16 pm (UTC)
gerald_duck: (Default)
From: [personal profile] gerald_duck
OK. First, a dumb question: what does secure boot buy you that can't achieve by locking the BIOS down to booting from the internal hard drive anyway? Why would I want secure boot? What am I missing here?

Secondly, I wholeheartedly agree with the comments that the EU isn't going to like the anti-compatitive nature of this if it happens in Europe.

Thirdly, I'm wondering what happens if someone buys a computer then goes down the path of not agreeing with the Windows licence conditions when it powers up. Historically, one's been able to install Linux at that point (then go hunting a refund for the cost of the OEM Windows licence, in an ideal world) but with secure boot, one might end up with a brick. The refund requests could get interesting.

Fourthly, I'm guessing there are ways to circumvent secure boot. It would be ironic if Microsoft's actions both gave circumventers an excuse under the DMCA in the USA and an incentive, à la Playstation and XBox.

Key compromises

From: (Anonymous) - Date: 2011-09-24 02:49 pm (UTC) - Expand

Re: Key compromises

From: (Anonymous) - Date: 2011-09-25 05:33 am (UTC) - Expand

Re: Key compromises

From: (Anonymous) - Date: 2012-05-21 08:51 am (UTC) - Expand

(no subject)

From: [personal profile] lsorense - Date: 2011-09-23 05:43 pm (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2011-09-27 02:42 pm (UTC) - Expand

Weak arguments

Date: 2011-09-23 06:05 pm (UTC)
From: (Anonymous)
If the end user doesn't want Windows 8 running on his PC, then he shouldn't worry about key management and UEFI and such, he should just not buy a Windows 8 logo PC.

OEMs design computers and install operating systems according to customer demand. Not every PC is capable of running MacOS. Not every PC is capable of running Linux. If you want a Linux PC, buy a Linux PC. If you want a Mac, buy a Mac. Somehow it's expected that if you buy a Windows PC, that it must be capable of running every other operating system out there.

This is the age of appliance computing, brought to you by Apple. The age of tinkering has passed. There is nothing in Microsofts logo program that prevents OEMs from giving end users the options to disable Secure Boot, and nothing preventing them from engaging the Linux community to get some keys established.

I fail to see how this is Microsoft's problem to ensure that their business partners build products that support a competing product.

Re: Weak arguments

Date: 2011-09-23 06:22 pm (UTC)
From: [identity profile] benanov.livejournal.com
"Not every PC is capable of running Linux."

And those that aren't are thrown to the recyclers after I pick them up second-hand. Decreases their value considerably.

"If you want a Linux PC, buy a Linux PC."

Do tell where I can find one of these?

Re: Weak arguments

From: (Anonymous) - Date: 2011-09-23 10:53 pm (UTC) - Expand

Re: Weak arguments

From: (Anonymous) - Date: 2011-09-24 12:41 am (UTC) - Expand

Re: Weak arguments

From: (Anonymous) - Date: 2011-09-23 07:11 pm (UTC) - Expand

Re: Weak arguments

From: (Anonymous) - Date: 2011-09-23 10:20 pm (UTC) - Expand

Re: Weak arguments

From: (Anonymous) - Date: 2011-09-24 04:06 pm (UTC) - Expand

Re: Weak arguments

From: (Anonymous) - Date: 2011-09-24 09:17 pm (UTC) - Expand

VALUE???!?!?!?

From: (Anonymous) - Date: 2012-08-30 07:35 pm (UTC) - Expand

courts take a *l*o*n*g* time

Date: 2011-09-23 07:07 pm (UTC)
From: (Anonymous)
Several people believe that the legal systems in USA and Europe will solve this problem by hauling Microsoft to court. There are problems with this:
1) Microsoft can point at the OEMs and say it was their fault for not providing the end-user with a way to add keys.
2) Even if the courts do direct this back at Microsoft - it could easily take five years before anything happens. At that point Microsoft gets slapped with a billion dollar fine and told not to do that again - but by that point the new nefarious Windows9 scheme is already underway.

Re: courts take a *l*o*n*g* time

Date: 2011-09-24 09:20 pm (UTC)
From: (Anonymous)
Flash the UEFI, add more keys with new firmware if the OEM distributes them. Find a trustworthy OEM that works to earn your business, and you will be fine. Buy some cheap no-name brand and you will get support commensurate with the brand.

This is no different than any other support issue.

Source based distro's?

Date: 2011-09-23 07:32 pm (UTC)
From: (Anonymous)
Matthew, what does secure boot mean for source-based distributions like Gentoo? I understand that, if this scheme does not turn out to be gruesome, Red Hat, Canonical, etc. could get their keys to OEMs. What about the case where every user's kernel and bootloader is different? It seems the only option here is to allow users insert their own keys, which might be a real pain if one has to recompile these components very often.

Re: Source based distro's?

From: (Anonymous) - Date: 2011-09-24 09:21 pm (UTC) - Expand

Re: Source based distro's?

From: (Anonymous) - Date: 2011-09-27 11:21 am (UTC) - Expand

Re: Source based distro's?

From: (Anonymous) - Date: 2011-09-26 01:39 am (UTC) - Expand

Re: Source based distro's?

From: (Anonymous) - Date: 2012-05-21 08:56 am (UTC) - Expand

Bug-free firmware?

Date: 2011-09-23 09:07 pm (UTC)
From: (Anonymous)
Awesome that we will have bug-free firmware.
/sarcasm

In reality there will be bugs, naive implementations, etc. While (especially Windows pirates) will get through that (and stupidly continue dealing with it like there's no underlying problem), I don't want to have to fight to get my machine booting an OS I want (Gentoo here).

Are we even that much better off from getting away from BIOS anyway? Just because something is old, standardised (yet still not very much open source) does not mean it does not work. Give me the REAL benefits of UEFI vs BIOS that aren't aesthetic improvements. I hear standard API, good. I hear 'awesome graphics', don't care. Boot time improvement? Maybe interested, not really (as I rarely reboot, only Windows and Ubuntu/Debian machines do that constantly; even Apple rarely sends an update that requires a reboot).

This is written on a Mac (Lion upgraded). We can still choose any OS we want here (except can't go down a version from the one that came with the machine), EFI (and we can even install 'old-fashioned' BIOS based OS's too). I wonder if Apple will get involved, but considering Microsoft's track record with Apple I think not. Apple sells hardware after all. This is much more reflected in the price of Lion.
'We don't care if Apple succeeds in their endeavour or not.' <-- technical evangelist at MS, revealed during the anti-trust case, regarding Apple using certain MS technology (Win32 for Mac primarily) to 'improve' their apps in MacOS

Buy Macs and tell Apple why. Tell them you like choice. Apple loves marketing random things that make no real sense to the average consumer, but 'sound good'. In the end, this would be good.

Re: Bug-free firmware?

Date: 2011-09-24 09:31 pm (UTC)
From: (Anonymous)
"While (especially Windows pirates) will get through that"

This isn't an anti-piracy feature. It is an anti-malware feature. For all of the beating up that Microsoft gets over security issues, Microsoft is attempting to keep malware from being part of the boot process. Unless the malware gets signed by Microsoft's key (or any other OEM-approved key), a rootkit or bootkit won't be able to load during the Windows start up process.

As you are from the land of Mac, I will explain a bit more detail here. When a rootkit loads during boot, it can fool the rest of the computer (and all anti-virus products) that there is NO malware on the machine. This means that most measure to protect a machine from viruses and keyloggers can be circumvented by the presence of this software running.

Macs have benefited from 3 things security-wise.

1 - a different security architecture than Windows.

2 - a low market share, virus writers get much more impact from writing viruses for the other 90% of the world.

3 - The people in poor asian countries where many viruses are written simply cannot afford Macs. They find old PCs and install some pirated version of Windows and start coding their exploits on the cheap.

Microsoft has since changed its security architecture, and there are many new security exploits being released for Macs. Windows is now officially more secure than Macs. Additionally, Windows has a user security culture that is paranoid about security and malware.

Mac users are resting on their laurels thinking that security and malware isn't an issue for them. Apple does whatever it can to cover up these issues and not tell anybody about them until they have been addressed. Mac users are being mislead, by themselves and Apple, and even more vulnerable now than Windows users have been.

I welcome anything Microsoft can do to make the Windows experience more secure and stable.

Re: Bug-free firmware?

From: (Anonymous) - Date: 2011-09-25 09:50 am (UTC) - Expand

Re: Bug-free firmware?

From: (Anonymous) - Date: 2012-02-16 02:02 pm (UTC) - Expand

Not 'anti-piracy' but 'anti-competitive'

From: (Anonymous) - Date: 2012-08-30 08:47 pm (UTC) - Expand

Appealing to the wrong authority

Date: 2011-09-23 11:30 pm (UTC)
From: [identity profile] quux.myopenid.com
Matthew, I don't dispute the facts you present. But you also present the opinion that "If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed."

There's a problem. MS are in-scope to define the hardware features necessary to their own software. They would be out of scope to mandate even one iota more than that. Imho, a healthy market does not want MS (or any other vendor) mandating the set of keys which must be installed, even if 'the mandated set of keys' == 'no keys'. Similarly, MS should not be choosing the UEFI featureset delivered. Why should such this power be ceded to Microsoft? Answer - it should not. MS should only say which features are necessary to get its own products running. OEMs can deliver those features if they want MS software to work, but beyond that, no OEM should be taking its marching orders from MS.

There needs to be some other authority which provides mandates for things within this higher scope. Right now that authority is "the market" - but apparently you have little confidence that the market will demand the sort of openness you want to see. So I suppose you should start lobbying governments. Don't lobby MS to flex its muscles for you, because that cedes future power to them, which you might not want them to have.

Re: Appealing to the wrong authority

Date: 2011-09-24 06:27 pm (UTC)
From: (Anonymous)
Well said. But, you are missing one important point. Microsoft has contracts with most, if not all, OEMs to deliver no PC without an OS/Windows on it. If OEMs don't oblige, there will be severe consequences. Therefore, almost all PCs sold come with Windows. When Windows 8 starts shipping, the UEFI on all OEM PCs, as mandated by Microsoft, will require a CA key to install Linux. Practically speaking, the bottom line is, MS is indirectly but effectively preventing Linux from being installed on any PC that comes with Windows 8. Consequently, that will eliminate the flexibility that users now have to wipe the hard disk and install Linux, or even to have the option to dual boot like some users prefer to do.

You are right, we don't want MS, or any other vendor including OEMs for that matter, mandating what keys go on a PC. The market wants for OEMs to give complete control of a PC to the purchaser/user. Isn't that what users want, to use their purchased PC any way they choose?Many don't trust the OEMS just as much as they don't trust any other software vendor, especially MS since it has a well know recorded history in monopolizing and controlling the market.


Re: Appealing to the wrong authority

From: (Anonymous) - Date: 2011-09-25 05:37 am (UTC) - Expand

Re: Appealing to the wrong authority

From: (Anonymous) - Date: 2011-09-25 05:01 pm (UTC) - Expand

Re: Appealing to the wrong authority

From: (Anonymous) - Date: 2011-09-26 08:38 am (UTC) - Expand

Re: Appealing to the wrong authority

From: (Anonymous) - Date: 2011-09-27 11:26 am (UTC) - Expand

Re: Appealing to the wrong authority

From: [identity profile] quux.myopenid.com - Date: 2011-09-27 11:54 am (UTC) - Expand

Requesting a article on UEFI Secure Booting

Date: 2011-09-24 12:07 am (UTC)
From: (Anonymous)
You have no direct evidence that Microsoft is going to require OEM or PC vendors to do anything concerning keys generated by Microsoft. I could make the same unfounded statement concerning Red Hat's preferred PC Server and Workstation vendors (HP, IBM, Dell, etc.) using keys issued by Red Hat to lock out their competition like CentOS, Scientific Linux, Slackware, OpenBSD, etc. Try keeping your article on point using the facts instead of speculating. If you find evidence of a vendor producing a PC or PC components that are only valid with keys generated by a OS vendor then call them out publicly so that informed consumers can avoid purchasing these items and help drive sales to other vendors that do not follow these practices. An intelligent article that describes the technical merits and criticisms of UEFI secure boot would be more valuable than an anti-Microsoft article.

Re: Requesting a article on UEFI Secure Booting

Date: 2011-09-24 06:47 pm (UTC)
From: (Anonymous)
No, no one has this evidence except the parties of the contracts that Microsoft have OEMs sign. But there are many other indications, like the palladium venture that MS started a few years back, the attempts that MS is trying to stop Linux like, taking anyone they choose to court claiming patent infringement, which by the way, they won't disclose, if they don't sign an agreement, which also won't disclose.

I just have one question for you, what rock do you live under?


Re: Requesting a article on UEFI Secure Booting

From: (Anonymous) - Date: 2011-09-27 02:45 pm (UTC) - Expand

Alert EU comission

Date: 2011-09-24 02:39 am (UTC)
From: (Anonymous)
Please please please,
the only way i can think to avoid this is to alert the responsible authorities at Europe about the problem, letting them now about all the information we have and maybe give a plan to try to protect us.

They are the only ones that have fought the microsoft monopoly with some results.

It is best to alert them as soon as we can. The lawyers out there and for example fsf should do something.

Re: Alert EU comission

Date: 2011-09-24 09:38 pm (UTC)
From: (Anonymous)
This isn't a problem for Microsoft.

All that the EU has to do is require OEMs selling PCs in the EU to include a feature to disable Secure Boot. Of course, the market could determine this as well, along with every other feature of every product sold on the market.

Re: Alert EU comission

From: (Anonymous) - Date: 2012-05-21 09:04 am (UTC) - Expand

FUD

Date: 2011-09-24 08:25 am (UTC)
From: (Anonymous)
I cannot believe how paranoid some Linux users are.
RedHat spreads FUD, and everybody is ready to scream bloody murder.

"there's no central certification authority for UEFI signing keys"
How is this Microsoft's fault? Maybe companies like RedHat should have brought this up when spec was finalized.

Many spammers use rootkit infested machines to do their work, yet RedHat is upset that Microsoft is trying to combat this in future machines.
Linux companies should work with OEMs on a plan. Microsoft is working within an industry standard and is not doing anything illegal. Period. End of story.

Re: FUD

From: (Anonymous) - Date: 2011-09-24 04:38 pm (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-25 05:39 am (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-25 07:06 am (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-26 12:13 pm (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-24 07:02 pm (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-24 07:13 pm (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-24 07:16 pm (UTC) - Expand

Re: FUD

From: (Anonymous) - Date: 2011-09-28 02:26 pm (UTC) - Expand

So I guess CoreBoot is dead?

Date: 2011-09-24 11:05 am (UTC)
From: (Anonymous)
I thought I remember reading something about a bigger vendor will use it. Someday. Maybe.

Re: So I guess CoreBoot is dead?

Date: 2011-09-24 11:38 am (UTC)
From: (Anonymous)
RedHat could have joined the standards body that created UEFI and contributed, but they did not.

You are a BILLION DOLLAR COMPANY, your lack of participation is YOUR FAULT not Microsofts.

Stop playing the blame game, spend the $2K membership fee, and start participating like all of the other big boys do.

Re: So I guess CoreBoot is dead?

From: (Anonymous) - Date: 2011-09-24 11:41 am (UTC) - Expand

Re: So I guess CoreBoot is dead?

From: (Anonymous) - Date: 2011-09-24 09:40 pm (UTC) - Expand

Re: So I guess CoreBoot is dead?

From: (Anonymous) - Date: 2011-09-27 05:53 am (UTC) - Expand
Page 1 of 2 << [1] [2] >>

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Nebula. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags