UEFI secure booting (part 2)
Sep. 23rd, 2011 07:57 am
Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background.
We became aware of this issue in early August. Since then, we at Red Hat have been discussing the problem with other Linux vendors, hardware vendors and BIOS vendors. We've been making sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:
- Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
- Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
- Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
- A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.
Microsoft have a dominant position in the desktop operating system market. Despite Apple's huge comeback over the past decade, their worldwide share of the desktop market is below 5%. Linux is far below that. Microsoft own well over 90% of the market. Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.
Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.
What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.
If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up.
The final irony? If the user has no control over the installed keys, the user has no way to indicate that they don't trust Microsoft products. They can prevent their system booting malware. They can prevent their system booting Red Hat, Ubuntu, FreeBSD, OS X or any other operating system. But they can't prevent their system from running Windows 8.
Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise.
Date: 2011-10-22 05:46 pm (UTC)
If you want a voice you need the support of .orgs like NSF, RS, FAS etc.
Scientific institutions having large Loonix installations for their astrophysics sw are the ones whose opinion matters.
You need to warn them about this problem, not a great unwashed horde of Willy Wankers.
Re: How many...
Date: 2011-10-26 11:09 am (UTC)
Their established relationship with Red Hat, and growing relationships with Canonical, put one of the biggest OEMs potentially on our side in this matter, if we play it right and make sure they know our concerns over this.
Re: How many...
Date: 2011-12-28 10:18 am (UTC)
Linux users have always had to be a bit more discerning with their hardware - avoiding cheapest graphics, sound or other cards, printers and motherboards due to lack of driver support or documentation.
Re: Microsoft is a Monopoly if This happens
Date: 2012-02-12 02:34 pm (UTC)
This is really the key... even if this doesn't amount to an absolute lockout/control, if it interferes with or prevents casual hobbyists/users from being able to download a Linux install image and start experimenting without a lot of fuss, it will effectively snuff out a lot of future Linux competition in the consumer world at least.
My heart goes out to the many smart computer science/IT types who have to spend years of their lives dealing with crappy Microsoft designs and systems just because it's the practical, secure way to make a living in their industry because of Microsoft's monopolistic dominance.
Re: Bug-free firmware?
Date: 2012-02-16 02:02 pm (UTC)
I sure hope they do as this might boost Linux adoption a lot in poor countries ;)
Re: Key compromises
Date: 2012-05-21 08:51 am (UTC)
If they omit key upload, they *will* get lots of murderous looks from consumers once a real attack happens, which will likely be real soon.
Re: Source based distro's?
Date: 2012-05-21 08:56 am (UTC)
(E.g. GRUB EFI trusted module; tboot.)
Re: Alert EU commission
Date: 2012-05-21 09:04 am (UTC)
Just having Secure Boot disabled negates a useful security feature.
VALUE???!?!?!?
Date: 2012-08-30 07:35 pm (UTC)
This is a value? I have to pay more money to the OEM to be able to install a free OS???!?!?!?
That, my friend, is the point! Microsoft does indeed bribe OEMs to not support other OSes because they now have to put in at least one set of keys in their UEFI (which will cost them resources, a.k.a. money) and it will cost them more to provide all the keys to all the OSes.
So why do they just not provide any key and not get Windows8 Certified? Because then it will cost them more to put Windows on their system (or cost their customers more in a retail version of Win8) and put them at a competitive disadvantage to other OEMs and VARs.
Unless MS charges the same cost to all OEMs and VARs, whether Win8 Certified or not, it amounts to a bribe to put other OSes and/or users of such at a disadvantage.
Not 'anti-piracy' but 'anti-competitive'
Date: 2012-08-30 08:47 pm (UTC)
...By preventing the computer owner from replacing the boot loader or MBR of his own HDD on his own computer?
Why not just secure his OS the way that OS/2 did or the way that Mac OSX or *NIX does? From the moment I boot my machine until the moment that my OS is fully loaded, how on earth is something like a rootkit or bootkit going to insert itself into the boot loader or OS kernel or UEFI? It had to have done so prior to the last shutdown and herein lies the problem.
Most BIOSes I have played with in the past ten years had a feature to stop this. I could tell my BIOS to make the MBR read-only. I had to go into the BIOS to disable this feature before every new OS install I did then turn it back on after. This computer has a UEFI instead and actually lacks that feature. :-)
[virus writers get much more impact from writing viruses for the other 90% of the world]
Actually, they get more impact from writing viruses for the ubiquitous server OS which is... LINUX! LAMP is the most prominent stack in the server world. Problem is that their virus code does not work. Even "proof-of-concept" code does not work because they require a privileged user to deliberately execute it.
[The people in poor asian countries where many viruses are written...]
Really? Where is that statistic to be found? Based on cases going through the courts, they are found in Europe and America. Quit the racist remarks based on unproven stereotypes.
[They find old PCs and install some pirated version of Windows and start coding their exploits on the cheap.]
...And pirated versions of compilers too.... Would it not be simpler to get a free OS that comes with all the development tools they need and code on those? I.e., Linux, BSD, etc.? Then would it not be easier to write Linux viruses than cross-compile? Oh, wait.... Then they have to get the end user to run it as a privileged user instead of a drive-by install. My bad.
[Windows has a user security culture that is paranoid about security and malware.]
And with good reason: Windows has not secured their software so now they want to penalize OEMs who do not allow the end user/system owner to uninstall Windows or to dual-boot.
Logics
{FULL DISCLOSURE: I have been a UNIX user since 1988, an OS/2 user from Warp3 through Warp4 (up to 1998) and a Linux user since 1997. I have used Caldera, SCO, RH, Mandrake, Mandriva, PCLinuxOS, SuSE, Fedora, Open Suse, CentOS, Gentoo, Mint, Ubuntu, et al. I still regularly install PCLOS, Suse, Mint and Ubuntu for residential clients and Suse, Ubuntu, RH and CentOS for commercial clients.}
A few replies...
Date: 2012-08-30 11:04 pm (UTC)
Microsoft is free to follow the standard. They may tell their users, "System Requirements: 1) install security keys on PKI disk by inserting into optical drive and booting, 2) Enable Secure boot in UEFI, 3) Install OS on Windows8 disk by inserting into optical drive and booting."
Instead, MS says to OEMs, "You must have SB enabled and you must have our keys loaded or you will not get Win8 certified and your cost to sell a Win8 PC goes up."
The worst part is, SB is NOT a system requirement of Win8 and therefore there is no reason for MS to demand that Win8 certified PCs have it enabled by default.
{If you're going to buy a Windows 8 PC it will be for Windows, which will be clearly displayed all over when buying, so your whole argument is invalid.}
So because my video card did not say "Linux certified" I should not have expected it to work with my system even though it uses an nVidia GT440 GPU? How about my router, my switch, my Powerline extender and my cable modem, all of which clearly stated, "Microsoft Windows Certified," most of which stated, "Designed for Windows Vista," and also "system requirements: Windows XP or Vista," only one of which indicated that they work with Mac OSX (not Mac OS but specifically, X) and Windows98 and none of which indicated that they work with Linux even though all of them are 100% OS independent and none of them "requires Microsoft Windows?"
Besides, I have never bought a Microsoft PC in my life (although I once bought an MS mouse/kbd combo and regretted it as they were poorly built, both of which, as OS independent devices, were, "Designed for Vista").
{And people don't want to mess around choosing whether to install keys or not, they want to just use their PC.}
Precisely why MS should not be insisting that SB be enabled by default, because I now have to either get a key or enter UEFI to disable an item that was never required to be enabled in the first place. If an OEM wants to allow users to do as they please, they should never HAVE TO fiddle with keys unless they so choose. Just like I can install my Linux as is or I can CHOOSE TO harden it as I see fit.
{No one cares about this stuff apart from the ~1% of Linux users!! You're a minority and few others think like you.}
Like ILM, Digital Domain, Pixar and so many others? Take a look at the RH, CentOS, Novell and Canonical sites at the list of large companies which use their Linux OSes, and I do not mean for their servers but for their workstations.
Most 3D render software was designed for Linux, and those that are cross-platform take a significant performance hit on Win7/Vista. I should know. I walk in those circles. I am talking about documented benchmarks in real-world scenarios.
{And Apple don't let you install Linux on their systems at all, so why not moan about that?? They have a large market.}
{I want Linux on my PS3! Seriously!}
Apple sells computers. PlayStation sells consoles. Microsoft does not sell hardware (except cheap mice and keyboards which break, and a few webcams, etc.). Besides, I can install Linux on my brother's or sister's Apple computer if they wanted me to do so, and I know of a few who loaded Linux on their PlayStation (although I do not know why).
{Majority of users don't care as long as it works when they push a button.}
You are right. That is one reason why I install so many PCLOS and Ubuntu systems for ex-Win users who have hosed their systems and lost their install media. They do not care, as long as they can get on the Internet, access their email and use their IMs. I have gotten nothing but "thank you," paid invoices and referrals. Some also care about office apps and I gladly introduce them to LibreOffice which is pre-installed in the default configuration.
{It would be illegal for Microsoft to preclude OEMs from including other keys....}
It is that they are forcing OEMs to include their keys (which is consuming their resources, a.k.a., money), and enabling SB which, without all other keys included, (more resources/money), precludes competitive options.
There is nothing in Win8 which absolutely requires SB (except bugs and vulnerabilities) and so this burden on OEMs (and their customers) is unreasonable and stupid. The onus/burden ought to be on MS to fix their broken OS or to educate their customers on how to secure it.
{This is an issue for OEMs to resolve, not Micro$oft trying to steal your babies!}
Except it is not the OEMs that are making Windows insecure and if the onus is on the OEMs to make Windows more secure by enabling SB and providing MS PKI keys then the onus must also fall to them to provide all other keys....
You do see now where the argument fails?
{I see absolutely nothing that Microsoft could reasonably be held accountable for in terms of "having control" over anything other than their own Windows Certified branding.}
...And they are saying that "you cannot be Win8 certified if you do not provide this one thing that Win8 does not require in the least to operate but that will preclude our competitors from working smoothly"?
CONCLUSION:
For MS to say, "You have to have 'this and that' on your product for Win8 to function and therefore you cannot get Win8 certification without it," is quite acceptable as long as it does not interfere with other software.
For MS to say to an OEM, "We want to commission you to build an MS computer with 'this and that' which will only run Win8 and be sold as an MS brand computer," is also acceptable even if it interferes with other software (see XBox family of products).
For MS to say to all OEMs "We want you to do 'this and that' on all your PCs or you shall be penalized with a competitive disadvantage against other OEMs even though your product is fully capable of running Win8," is despicable and outrageous and should not be tolerated by anyone, even Windows fanboys.
Logics.
...And yes, I am a Linux fanboy! Why wouldn't I be? I make a living from their excellent free product which has rarely let me down, unlike Windows (and other MS publications) which has let me down plenty.