Matthew Garrett ([personal profile] mjg59) wrote,
@ 2011-09-23 07:57 am UTC
  • Previous Entry
  • Add to Memories
  • Tell someone about this!
  • Next Entry
Entry tags:advogato, fedora
Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background.

We became aware of this issue in early August. Since then, we at Red Hat have been discussing the problem with other Linux vendors, hardware vendors and BIOS vendors. We've been making sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

Microsoft have a dominant position in the desktop operating system market. Despite Apple's huge comeback over the past decade, their worldwide share of the desktop market is below 5%. Linux is far below that. Microsoft own well over 90% of the market. Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up.

The final irony? If the user has no control over the installed keys, the user has no way to indicate that they don't trust Microsoft products. They can prevent their system booting malware. They can prevent their system booting Red Hat, Ubuntu, FreeBSD, OS X or any other operating system. But they can't prevent their system from running Windows 8.

Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise.

Page 2 of 2

<<   [1] [2]   >>

(193 comments) - (Post a new comment)
(Threaded) (Flat)

Boo hoo


(Anonymous)
2011-09-24 12:51 pm UTC (link)
This post is BS. If you're going to buy a Windows 8 PC it will be for Windows, which will be clearly displayed all over when buying, so your whole argument is invalid. And people dont want to mess around choosing whether to install keys or not, they want to just use there PC. No one cares about this stuff apart from the ~1% of Linux users! You're a minority and few others think like you. If you buy a motherboard on it's own then i'm sure that ALL off these DIY boards will have an option to disable secure boot. And Apple dont let you install Linux on there systems at all, so why not moan about that?? They have a large market.

Win 8 now has Hyper-V included but i dont see you making a big deal of this. Now anyone can easily try out Linux. Since i got VMware and Virtual Box for the Win 8 developer preview i've also been trying out loads of Linux distros. Now the same thing is built in to Win 8. You will end up getting MORE people trying Linux with Win 8. Not less.

(Reply to this)  (Thread)  (Show 4 comments)



(Anonymous)
2011-09-24 01:16 pm UTC (link)
"Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option"

Could you expand on this?

(Reply to this)  (Thread)  (Show 6 comments)



(Anonymous)
2011-09-24 04:06 pm UTC (link)
In fact, Microsoft is not very interested in implementing secure UEFI booting. They control more then 90% of PC market, so there is no reason to worry about market prevalence. I believe that the only reason to force implementation of new UEFI standard is the willingness of CIA and FBI to disallow end users to develop and use virus and spyware-free software. American government is fascist and extremist by nature. The want to intercept and record any byte and any minute of national and overseas traffic in the Internet, so they are capable to do this after 9/11 provocation, but recent progress in development of data encryption technology makes this state activity very difficult.

As some people say: if you are not satisfied with the message - hang the messenger.

With kind regards from Moscow, Masha Lukyanova =)

(Reply to this)  (Thread)  (Show 1 comment)


You are fighting this the wrong way.


(Anonymous)
2011-09-25 10:18 am UTC (link)
Matthew Garrett I do highly respect you but you are going the completely wrong way.

How is what Microsoft doing going to bite Microsoft Users.

Microsoft is handing the control of what OS can run on what hardware over to the hardware makers away from the users.

Microsoft has not included any way for customers to add like the keys for Windows 9 to a OEM device. Or to update the keys when they do leak if OEM are not pushing out updates.

The means to add Linux keys to the bios or anything else required even if it is by a bios only interface would solve most of our problems with it. This feature also solves the issue of OEM not updating keys on a device and it being able to take windows 9 since user can add the windows 9 key. So its in the Microsoft users best interest to back what we are asking for.

Microsoft users in this case should be our best friends. Time to get them on side.

Also there is no way to inspect what keys are installed in a bios or what is black listed either. Of course I can understand if this is a bios only interface no user mode software. This is customer abuse as well how can customer know what the hardware supports before buying hardware. Ie does not have the Nvidia signing key so cannot take an Nvidia video card. User cannot see until hardware does not work. This is customer abuse.

We are the 2 percent Microsoft users are the 80 if we can upset the 80 percent we will have leverage on Microsoft to alter to what we need.

Basically I know its hard you are redhat forget Linux for one moment and just think what is in the best interest of the Microsoft end user.

What Microsoft is putting forwards is not in the interest of there own users. They even state in there own documents customers should be left in charge of there hardware.

This is a way I would attack it. No way would Redhat treat its own users this badly we are totally awe struck that Microsoft would endanger the possibility of themselves being able to sell upgrades. Money talks if you can make the share market worry about what Microsoft has done Microsoft will worry.

Yes the art of spin we want Microsoft to provide us for something we also want Microsoft to look after there own end users.

oiaohm

(Reply to this)  (Thread)  (Show 1 comment)


12% linux market share on desktops


(Anonymous)
2011-09-25 05:22 pm UTC (link)
Your assumption of 1% is wrong. 1% is pretty much the sales volume of linux in the US. linux is free so 1% is quite a lot.

On the other hand if we count the number of installed linux desktop systems WORLDWIDE then linux comes up with 12%. Ubuntu alone has twice as many users as MacOx.

Dells Netbooks running Ubuntu alone acount for nearly 3% of all desktops worldwide.

See Wikipedia, "linux markes adoption"

(Reply to this)  (Thread)  (Show 1 comment)


UEFI secure booting


(Anonymous)
2011-09-26 09:38 am UTC (link)
Majority of users don't care as long as it works when they push a button. Unconcerned of the consequences. So where does it end? Unless someone stands for the rights of everyone.

(Reply to this


Do you think OEM's will be ready to lose money


[identity profile] mvadu.myopenid.com
2011-09-26 07:23 pm UTC (link)
I think you are missing a point here. If any OEM does not provide a way to turn off secure boot, they will be blocking Microsoft's old OS's as well. Not only Linux and its variants. Since all MS OSs will Windows-7 does not understand secure boot they won't booth with secure boot. As with Windows-7(people stuck to Xp) there would be lot of people especially from corporate customers who need to buy new PC's but would like to stick with Windows-7. So any business minded OEM would like to capitalize that desire by providing a way to turn off secure boot.

(Reply to this


Seriously, who gives a sheet.


(Anonymous)
2011-09-26 11:25 pm UTC (link)
If all 10 of you Linux users got together, then you could ask manufacturers to support your many and varied OSes.

OEMs can still tailor their hardware to Linux if the userbase is there. I guess this is the inflection point for you all; you all boast about how superior Linux is, well, let's see if the numbers back it up.

(Reply to this


Let it be


(Anonymous)
2011-09-27 05:17 am UTC (link)
I say, let it run.

My family, the company I work for, and I, will purchase Linux certified machines, or at the very least PC's with the ability to disable UEFI. Some of these people prefer Windows machines and that is fine, after all, it's all about preference and control.

Come Windows 9 there will be a lot of hell bent customers that can't upgrade, and will be forced to purchase new machines, or maybe not an issue with how cheap they will be. Regardless, it's asinine decisions that makes Microsoft the Titanic it is. Without a major shift in decision makers, it will sink, just not fast. Sadly though, the US government will probably claim them too big to fail and give them a healthy multi-billion dollar cash infusion.

(Reply to this)  (Thread)  (Show 2 comments)


Mac dominance


(Anonymous)
2011-09-27 06:03 am UTC (link)
Given that most people in Australia are looking more and more toward Mac and Linux, is this really a good option for Microsoft and the OEMs?

Most people are sick of having problems with Windows, having to pay for anti-virus software and the slowness of windows of new hardware.

(Reply to this)  (Thread)  (Show 1 comment)


Question


[identity profile] sirloxelroy.myopenid.com
2011-09-27 06:23 pm UTC (link)
I am a Linux geek, however some of the intricacies of this I am not sure of, but would not just a signature for version X.XX of LILO or Grub have to be loaded into the firmware? Then after that any OS can be booted. Am I correct or incorrect in that thought?

Chris Brandstetter

(Reply to this)  (Thread)  (Show 1 comment)


Antitrust?


(Anonymous)
2011-09-28 01:56 pm UTC (link)
Ya know, a decade ago or so we determined that Microsoft was an anti-trust miscreant. They forced OEMs to exclude other OS options if they wanted a Windows license. Sound familiar? Where's the Justice Department on this?

It would be illegal for Microsoft to preclude OEMs from including other keys, so it seems appropriate here to be pressuring these guys to provide alternative keys or methods for generating them.

This shouldn't be tough if everyone doesn't just bow and weep in front of the Redmondites.

(Reply to this



(Anonymous)
2011-09-28 03:00 pm UTC (link)
"Linux is far below that."

Maybe, but Microsoft forces any consumer who buys a pre-built PC to buy Microsoft Windows and counts them as a user. Even many computers with Linux pre-installed are merely PCs that originally had Windows with their drives reformatted. Unless you build a PC from scratch, it probably is counted as a "Windows" PC.

I know that I have bought at least SIX laptops that are counted as running Windows, two even came with Linux "pre-installed" but I know they were originally shipped with Windows.

None of them run Windows. They just count as if they do.

(Reply to this


Let's try to be clear on the facts


(Anonymous)
2011-09-29 09:15 am UTC (link)
First let me say that I agree in principle with the concerns. BUT, I do not agree that this is a Microsoft "issue, problem, power play, etc." but instead an OEM responsibility.

Facts:

"Windows 8 certification requires that hardware ship with UEFI secure boot enabled."

Check. That's a good thing, right?

"Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option."

Check. Why would Microsoft be responsible for requiring OEM vendors to implement any feature of UEFI? Also, could you elaborate on which hardware vendors specifically have informed you that "some hardware" will not have this option? If not, why not? More detail on "some hardware" would also be helpful.

"Windows 8 certification does not require that the system ship with any keys other than Microsoft's."

Check. Again, why would Microsoft have any responsibility for including a requirement to ship any keys other than their own?

"A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems."

Well, that's not entirely true - if anything, another omission of truth at best. It should read:

"A system that ships with UEFI secure boot enabled [with no user option to disable] and only includes Microsoft's signing keys will only securely boot Microsoft operating systems." Right?





(Reply to this)  (Thread)  (Show 2 comments)


Antitrust


(Anonymous)
2011-10-03 08:57 am UTC (link)
This is a lawsuit waiting to happen. If Microsoft thinks it will get away with this massive abuse of market power it had better think again.

(Reply to this


This sounds familiar..


(Anonymous)
2011-10-14 08:52 pm UTC (link)
This situation seems similar to users that had upgraded from a Windows only to find that they could not use their modem in 'nix/bsd.

It also seems that, as a hardware/software developer, I'd have to pay to be a "Windows 8 Certified Developer" just to run the drivers that control the telescope I built.

It also sounds like recovery/repair would also be a thing of the past since you wouldn't be able to boot from a CD/DVD to fix/restore a MBR, check for filesystem errors or any of the myriad operations that can't be done from the OS while it's in use (assuming that it's bootable).

So the security and integrity of the W8 OS hinges on immutable encryption keys which will inevitably be cracked. That's a shame for people that find themselves in the position of having to use W8. My biggest concern is the likelihood of inflated prices of non-compliant motherboards. The only pre-built computer I've ever owned was a Commodore 64.

(Reply to this


UEFI not Microsoft


(Anonymous)
2011-10-18 03:36 am UTC (link)
Matthew,

UEFI was created in 1996 for break 16 bits barrier by Dell, HP, IBM and Intel. At this time others players is included. Please, consult http://www.uefi.org/about/ and see this.

Other incorrect information is a Microsoft include keys in UEFI. Apple products is EFI, precursor UEFI with same behavior.

If you not use Windows or IOSs, buy other products.

Regards.

(Reply to this)  (Thread)  (Show 1 comment)


Monopoly vs freedom


[identity profile] https://openid.org/anderslund
2011-10-20 04:31 pm UTC (link)
This would for sure be a violation of freedom rights, and maybe more importantly monopoly restricting laws. But of course a trial would last for years...

(Reply to this



(Anonymous)
2011-10-22 05:46 pm UTC (link)
The Fact is that 98% of normal people who work care squat about a bunch of l3ftard w@nkers coding in their mom's basement.

If you want a voice you need the support of .org's like NSF, RS, FAS etc..
Scientific institutions having large Loonix installations for their astrophysics sw are the ones who'se opinion matters..

You need to warn them about this problem, nor a great unwashed horde of Willy Wankers..

(Reply to this


Global signing service


(Anonymous)
2011-10-31 03:40 am UTC (link)
If Microsoft hosts a UEFI signing service, would it solve the problem? Would Linux be willing to use that service? Could Linux Foundation host a signing service for all Linux and ask the OEM to support that?

(Reply to this)  (Thread)  (Show 1 comment)


Uhhh


(Anonymous)
2012-01-18 01:11 pm UTC (link)
build your own?

(Reply to this


A few replies...


(Anonymous)
2012-08-30 11:04 pm UTC (link)
{How does following a standard constitute misuse?}

Microsoft is free to follow the standard. They may tell their users, "System Requirements: 1) install security keys on PKI disk by inserting into optical drive and booting, 2) Enable Secure boot in UEFI, 3) Install OS on Windows8 disk by inserting into optical drive and booting."

Instead, MS says to OEMs, "You must have SB enabled and you must have our keys loaded or you will not get Win8 certified and your cost to sell a Win8 PC goes up."

The worst part is, SB is NOT a system requirement of Win8 and therefore there is no reason for MS to demand that Win8 certified PCs have it enabled by default.

{If you're going to buy a Windows 8 PC it will be for Windows, which will be clearly displayed all over when buying, so your whole argument is invalid.}

So because my video card did not say "Linux certified" I should not have expected it to work with my system even though it uses an nVidia GT440 GPU? How about my router, my switch, my Powerline extender and my cable modem, all of which clearly stated, "Microsoft Windows Certified," most of which stated, "Designed for Windows Vista," and also "system requirements: Windows XP or Vista," only one of which indicated that they work with Mac OSX (not Mac OS but specifically, X) and Windows98 and none of which indicated that they work with Linux even though all of them are 100% OS independent and none of them "requires Microsoft Windows?"

Besides, I have never bought a Microsoft PC in my life (although I once bought an MS mouse/kbd combo and regretted it as they were poorly built, both of which, as OS independent devices, were, "Designed for Vista").

{And people dont want to mess around choosing whether to install keys or not, they want to just use there PC.}

Precisely why MS should not be insisting that SB be enabled by default because I now have to either get a key or enter UEFI to disable an item that was never required to be enabled in the first place. If an OEM want to allow users to do as they please, they should never HAVE TO fiddle with keys unless they so choose. Just like I can install my Linux as is or I can CHOOSE TO harden it as I see fit.

{No one cares about this stuff apart from the ~1% of Linux users!! You're a minority and few others think like you.}

Like ILM, Digital Domain, Pixar and so many others? Take a look at RH, CentOS, Novel and Canonical sites at the list of large companies which use their Linux OSes and I do not mean for their servers but for their workstations.

Most 3D render software were designed for Linux and those that are cross-platform take a significant performance hit on Win7/Vista. I should know. I walk in those circles. I am talking about documented benchmarks in real-world scenarios.

{And Apple dont let you install Linux on there systems at all, so why not moan about that?? They have a large market.}
{I want Linux on my PS3! Seriously!}

Apple sells computers. PlayStation sells consoles. Microsoft does not sell hardware (except cheap mice and keyboards which break, and a few webcams, etc.) Besides, I can install Linux on my brother,s or sister,s Apple computer if they wanted me to do so and I know of a few who loaded Linux on their PlayStation (although I do not know why).

{Majority of users don't care as long as it works when they push a button.}

You are right. That is one reason why I install so many PCLOS and Ubuntu systems for ex-Win users who have hosed their systems and lost their install media. They do not care, as long as they can get on the Internet, access their email and use their IMs. I have gotten nothing but "thank you," paid invoices and referrals. Some also care about office apps and I gladly introduce them to LibreOffice which is pre-installed in the default configuration.

{It would be illegal for Microsoft to preclude OEMs from including other keys....}

It is that they are forcing OEMs to include their keys (which is consuming their resources, a.k.a., money), and enabling SB which, without all other keys included, (more resources/money), precludes competitive options.

There is nothing in Win8 which absolutely requires SB (except bugs and vulnerabilities) and so this burden on OEMs (and their customers) is unreasonable and stupid. The onus/burden ought to be on MS to fix their broken OS or to educate their customers on how to secure it.

{This is an issue for OEMs to resolve, not Micro$oft trying to steal your babies!}

Except it is not the OEMs that are making Windows insecure and if the onus is on the OEMs to make Windows more secure by enabling SB and providing MS PKI keys then the onus must also fall to them to provide all other keys....

You do see now where the argument fails?

{I see absolutely nothing that Microsoft could reasonably be held accountable for in terms of "having control" over anything other than their own Windows Certified branding.}

...And they are saying that "you cannot be Win8 certified if you do not provide this one thing that Win8 does not require in the least to operate but that will preclude our competitors from working smoothly"?

CONCLUSION:

For MS to say, "You have to have 'this and that' on your product for Win8 to function and therefore you cannot get Win8 certification without it," is quite acceptable as long as it does not interfere with other software.

For MS to say to an OEM, "We want to commission you to build an MS computer with 'this and that' which will only run Win8 and be sold as an MS brand computer," is also acceptable even if it interferes with other software (see XBox family of products).

For MS to say to all OEMs "We want you to do 'this and that' on all your PCs or you shall be penalized with a competitive disadvantage against other OEMs even though your product is fully capable of running Win8," is despicable and outrageous and should not be tolerated by anyone, even Windows fanboys.

Logics.

...And yes, I am a Linux fanboy! Why wouldn't I be? I make a living from their excellent free product which has rarely let me down, unlike Windows (and other MS publications) which has let me down plenty.

(Reply to this


(193 comments) - (Post a new comment)
(Threaded) (Flat)

Page 2 of 2

<<   [1] [2]   >>