locked down UEFI


crp

I don't have a problem with a PC manufacturer wanting to use UEFI to lock down the OS that can be installed, but I would not purchase such a machine. My concerns would be threefold:

  • Would an update to the OS break the system?
  • Would upgrading the OS be possible?
  • Which hardware change would prevent a bootup? video, nic, new mb?

I don't have a problem with a PC manufacturer wanting to use UEFI to lock down the OS that can be installed, but I would not purchase such a machine. My concerns would be threefold:
  • Would an update to the OS break the system?
  • Would upgrading the OS be possible?
  • Which hardware change would prevent a bootup? video, nic, new mb?

In order for this to work, ANY change in the hardware that requires loading a driver would have to have a pre-approved key. And I don't see any other way to "lock down" Windows. But I wouldn't buy a MB with this feature unless there was a way to turn it on and off at will. IOW, turn it on when booting Windows but be able to turn it off to boot whatever else I choose. Be it LiveCD, a grub menu, a USB stick or even an older version of Windows. But it does seem that MS is trying to sneak this in in such a way that it precludes users from booting anything but Windows if the manufacturer wants to use the Windows 8 logo. If they succeed, I hope that the US Justice Dept and the EU come down on them hard for anti-trust violations.

Edited by lewmur

Hello,

As far as I can tell, the option to disable UEFI Secure Boot should be enabled in every BIOS^H^H^H^H UEFI firmware—the only place I could think of where it would not be available would be OEM builds for government, enterprise, etc.

Regards,

Aryeh Goretsky

I really have my doubts that Microsoft would go as far as to disable access to any other OS. I think the idea of a secure boot was floated around the meeting table, and everyone agreed it would be a good idea to prevent boot-time malware, viruses, and trojans from interrupting the boot process.

Also, I have faith in the Linux community to come up with a workaround if this does end up preventing a multiboot option.

Adam

Hello,

As far as I can tell, the option to disable UEFI Secure Boot should be enabled in every BIOS^H^H^H^H UEFI firmware—the only place I could think of where it would not be available would be OEM builds for government, enterprise, etc.

Regards,

Aryeh Goretsky

The key word in your post is "should". But the fact that it "should" be enabled by no means means that it "will" be enabled.

I really have my doubts that Microsoft would go as far as to disable access to any other OS. I think the idea of a secure boot was floated around the meeting table, and everyone agreed it would be a good idea to prevent boot-time malware, viruses, and trojans from interrupting the boot process.

Also, I have faith in the Linux community to come up with a workaround if this does end up preventing a multiboot option.

Adam

If it were possible for the "linux community" to get around it, then it would also be possible for the hackers. And I don't doubt for a second that MS would implement it if they thought they could get away with it. After all, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

If it were possible for the "linux community" to get around it, then it would also be possible for the hackers. And I don't doubt for a second that MS would implement it if they thought they could get away with it. After all, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

Apple does not prevent installing other OSes.... they just don't support it.

https://help.ubuntu.com/community/MacBookPro5-1_5-2/Natty

And it looks like GRUB already supports UEFI.

Adam

Hello,

Well, yes. Manufacturers make all sorts of interesting custom builds for enterprise customers, and sometimes those products end up in the computer surplus space. I once picked up a motherboard that turned out to work with one particular model of CPU (it was a Fujitsu-Siemens motherboard, I think, originally destined for some kind of OEM use). A friend of mine once picked up a new Unisys laptop that had a monochrome display and metal chassis; apparently it was surplus from a DoD build. I think such things tend to be more the exception than the rule. I can't see a manufacturer wanting to get bad publicity over something like this, can you?

Regards,

Aryeh Goretsky

The key word in your post is "should". But the fact that it "should" be enabled by no means means that it "will" be enabled.

Hello,

I think it would require a more significant social engineering attack than we have currently seen to convince an ordinary PC user to go into their UEFI firmware and disable the secure boot option.

PC hardware manufacturers are Microsoft customers, and they don't have to be exclusive ones, either (Ubuntu, Android, even Hewlett-Packard's ill-fated WebOS come to mind). If Microsoft doesn't have a compelling OS for them, they'll go somewhere else, just as they are currently doing in the mobile handset and tablet market.

It seems to be the Trusted Computing Group is more about providing a secure boot path and operating environment. A quick look here at the membership reveals quite a few companies besides Microsoft, including some whom I think are quite receptive towards Linux, like IBM, Fujitsu, and Aruba Networks.

Regards,

Aryeh Goretsky

If it were possible for the "linux community" to get around it, then it would also be possible for the hackers. And I don't doubt for a second that MS would implement it if they thought they could get away with it. After all, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

Hello,

Well, yes. Manufacturers make all sorts of interesting custom builds for enterprise customers, and sometimes those products end up in the computer surplus space. I once picked up a motherboard that turned out to work with one particular model of CPU (it was a Fujitsu-Siemens motherboard, I think, originally destined for some kind of OEM use). A friend of mine once picked up a new Unisys laptop that had a monochrome display and metal chassis; apparently it was surplus from a DoD build. I think such things tend to be more the exception than the rule. I can't see a manufacturer wanting to get bad publicity over something like this, can you?

Regards,

Aryeh Goretsky

You are missing the point. UEFI is an extra layer of code between the BIOS and the bootloader. It is a standard developed by a consortium of co.s that did include IBM and that, in and of itself, does nothing to preclude any OS from booting. The problem is that MS is telling OEMs that in order to comply with the licensing terms needed to display the Windows 8 logo, they must implement the UEFI in such a way that it COULD exclude the booting of any other OS but Windows 8. In fact, not just Win 8 but the particular version of Win 8 covered by the OEM license. (Take note. This is not just for a limited "enterprise" or "speciality" edition. It is for ANY box displaying the Windows 8 logo.)

MS has publicly admitted that their demands on the OEMs give them this ability and are asking everyone to trust them not to use it to prevent Linux from booting (or dual booting) on these machines. I dare say you will take MS at their word. I, for one, don't trust MS as far as I could throw Bill Gates.

V.T. Eric Layton

This is just all the more reason that I'm so glad I build my own machines. I've never bought a machine from a store. I don't intend to start now. :shifty:

This is just all the more reason that I'm so glad I build my own machines. I've never bought a machine from a store. I don't intend to start now. :unsure:
I've always built my own desktops but this also applies to laptops and netbooks that want to display the Win 8 logo.

V.T. Eric Layton

I have two issues with all this:

1) Color me naive, but I just don't really think that Microsoft is the EVIL EMPIRE (everyone knows that's Google :) ), and that they are soooooo scared of little ol' Linux.

and 2) If MS really is trying this in an attempt to lock down the PC market in their favor, I have a hard time believing they'll get away with it... especially in ANTI-antitrust Europe.

We'll see, I guess...

I have two issues with all this:

1) Color me naive, but I just don't really think that Microsoft is the EVIL EMPIRE (everyone knows that's Google ;) ), and that they are soooooo scared of little ol' Linux.

and 2) If MS really is trying this in an attempt to lock down the PC market in their favor, I have a hard time believing they'll get away with it... especially in ANTI-antitrust Europe.

We'll see, I guess...

I'm not so sure. MicroS does not seem to state anywhere that if you want to install Win8 you must use a locked down UEFI that must prevent other OS installs. But if you want to display our Win8 logo on your machine, then you must use a locked down UEFI - if that might prevent OS installs, that is not our problem. It is the "not our problem" that I think they are incorrect about, as per my OP.

I'm not so sure. MicroS does not seem to state anywhere that if you want to install Win8 you must use a locked down UEFI that must prevent other OS installs. But if you want to display our Win8 logo on your machine, then you must use a locked down UEFI - if that might prevent OS installs, that is not our problem. It is the "not our problem" that I think they are incorrect about, as per my OP.

The way I read it, this won't affect the DIY market at all. But that is a small percentage of the total market. If MS can lock down the OEM computer market they can effectively maintain their monopoly on the desktop and, more importantly, laptop markets.

The way I read it, this won't affect the DIY market at all. But that is a small percentage of the total market. If MS can lock down the OEM computer market they can effectively maintain their monopoly on the desktop and, more importantly, laptop markets.

Can one be a msWindows OEM without using the logo?

  • 3 weeks later...
I don't have a problem with a PC manufacturer wanting to use UEFI to lock down the OS that can be installed, but I would not purchase such a machine. My concerns would be threefold:
  • Would an update to the OS break the system?
  • Would upgrading the OS be possible?
  • Which hardware change would prevent a bootup? video, nic, new mb?

Here is the latest on MS and the UEFI. In it Adrian Kingsley-Hughes contends that while, without a "kill switch", MS's demands for the Win 8 logo WILL lock out any other OS, that it is absolutely necessary to insure against "rootkits". And I agree with that. But what he misses is that the only way to ensure that the OEMs offer a "kill switch" is that MS include that option as part of its Win 8 logo license requirement. If their intent is truly benevolent, that is a simple way to prove it. Anyone here going to hold their breath waiting for MS to take that step?

Edited by lewmur

Yeah, I've read what Mr. Bott thinks. And as far as I'm concerned, he is full of it. IMHO, he is a MS shill. I think that most Linux users pretty much concede that anything that helps secure Windows is a good thing. I, in fact, would prefer to see MS's UEFI solution applied, as is, if that was the only way it could be done. But as I stated in the previous post, all MS needs to do is insist that not only do the OEMs need to have the "secure boot feature" but that they make a "kill switch" available in order to display the Win 8 logo. That is the ONLY way to ensure that OEMs will provide the "kill switch". And the only thing it would cost MS is the competition from Linux that they claim doesn't concern them anyway.

Edited by lewmur

  • 2 weeks later...
securitybreach
The Free Software Foundation came out opposing Microsoft's requirements. More than 16,000 people signed the Free Software Foundation statement on “Secure Boot vs Restricted Boot”, which shows the users were concerned. We were expecting some response from the open source industry. Red Hat and Canonical have come forward. The two companies have published a white paper recommending how to implement 'Secure Boot', to ensure that users remain in control of their PCs.......

The white paper highlights the recommendations for OEMs which include:

The companies recommend that all OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface. The companies write that it is essential that users are able to remove secure boot restrictions, and boot the software of their choice on the devices that they own. Furthermore, the interface to configure this option should be easily accessible by non-technical users. Of course, this option should only be available to users with physical access to the hardware, and not be accessible via programmatic means.....

http://www.muktware.com/news/2823

seems reasonable to me, I hope it will to microS as well.

Canonical, Red Hat and FOSS all put together don't have the clout to force OEMs to do anything. Only MS, or the anti-trust depts of the world's govts have that power. And, of course, MS's purse strings have proven before to be too much of a temptation for govt politicians to resist. Just look at what happened with the .docx situation.

  • 2 weeks later...
Canonical, Red Hat and FOSS all put together don't have the clout to force OEMs to do anything. Only MS, or the anti-trust depts of the world's govts have that power. And, of course, MS's purse strings have proven before to be too much of a temptation for govt politicians to resist. Just look at what happened with the .docx situation.

I hate to burst your bubble lewmur, but:

Leading PC makers confirm: no Windows 8 plot to lock out Linux

By Ed Bott | November 2, 2011, 5:29am PDT

Summary: The drumbeat from Linux advocates about a key security feature in Microsoft’s forthcoming Windows 8 is getting louder. They call it an anti-Linux plot. But the two leading PC makers disagree with them. I’ve got exclusive details.

You can read the rest here.

Oh, and there's this:

Linux Foundation: Secure Boot Need Not Be a Problem

By Katherine Noyes, PCWorld

There's been considerable concern in recent weeks over the secure boot mechanism planned for Microsoft's upcoming Windows 8, primarily among Linux users and others worried that the technology will make it impossible to run alternative operating systems on Windows 8 certified PCs.

Such fears were only compounded when the Free Software Foundation weighed in with its own statement of concern about what the technology might mean for users of free and open source software.

On Friday, however, the Linux Foundation added its own voice and perspective to the mix with an explanation of why secure boot doesn't necessarily have to be a bad thing for Linux users.

'If It Is Implemented Properly'

Secure boot offers “the prospect of a hardware-verified, malware-free operating system bootstrap process that can improve the security of many system deployments,” write Linux Foundation Technical Advisory Board Chair James Bottomley and Technical Advisory Board Member Jonathan Corbet in the group's six-page document (PDF).

“Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware,” they add.

That's a big “if,” of course, and the paper makes several key recommendations to help ensure that happens.

The rest of the article is here.

Edited by mac

I hate to burst your bubble lewmur, but:

You can read the rest here.

Oh, and there's this:

The rest of the article is here.

First of all, I addressed Ed Bott's article several posts back. I'll just add that IMHO, he is a blatant MS shill.

As to the Linux Foundation quote, the key word is "necessarily". I'll say it one more time for those who aren't paying attention. MS could end the controversy with a "stroke of the pen". All they need to do is add the "on/off switch" requirement to their Win 8 logo license. Then the "necessarily" goes away.
