locked down UEFI

42 replies to this topic

#1 crp (Board Bigwig; Members; 2,602 posts)
Posted 26 September 2011 - 11:51 AM

I don't have a problem with a PC manufacturer wanting to use UEFI to lock down the OS that can be installed, but I would not purchase such a machine. My concerns would be threefold:
  • Would an update to the OS break the system?
  • Would upgrading the OS be possible?
  • Which hardware change would prevent a bootup? video, nic, new mb?

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

#2 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 26 September 2011 - 12:22 PM

crp, on Sep 26 2011, 10:51 AM, said:

I don't have a problem with a PC manufacturer wanting to use UEFI to lock down the OS that can be installed, but I would not purchase such a machine. My concerns would be threefold:
  • Would an update to the OS break the system?
  • Would upgrading the OS be possible?
  • Which hardware change would prevent a bootup? video, nic, new mb?

In order for this to work, ANY change in the hardware that requires loading a driver would have to have a pre-approved key. And I don't see any other way to "lock down" Windows. But I wouldn't buy a MB with this feature unless there was a way to turn it on and off at will. IOW, turn it on when booting Windows but be able to turn it off to boot whatever else I choose, be it a LiveCD, a grub menu, a USB stick or even an older version of Windows. But it does seem that MS is trying to sneak this in in such a way that it precludes users from booting anything but Windows if the manufacturer wants to use the Windows 8 logo. If they succeed, I hope that the US Justice Dept and the EU come down on them hard for anti-trust violations.

Edited by lewmur, 26 September 2011 - 12:24 PM.


#3 goretsky (Forum Fiend; Forum Moderators; 1,545 posts)
Posted 27 September 2011 - 03:53 AM

Hello,

As far as I can tell, the option to disable UEFI Secure Boot should be enabled in every BIOS^H^H^H^H UEFI firmware; the only place I could think of where it would not be available would be OEM builds for government, enterprise, etc.

Regards,

Aryeh Goretsky
Dexter is a good dog.
Aryeh Goretsky
Microsoft MVP Windows Expert - ITPro
My blog.

#4 ross549 (I live here.; Forum MVP; 9,185 posts)
Posted 27 September 2011 - 04:44 AM

I really have my doubts that Microsoft would go as far as to disable access to any other OS. I think the idea of a secure boot was floated around the meeting table, and everyone agreed it would be a good idea to prevent boot-time malware, viruses, and trojans from interrupting the boot process.

Also, I have faith in the linux community to come up with a workaround if this does end up preventing a multiboot option.

Adam
I don't suffer from insanity, I enjoy it.

#5 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 27 September 2011 - 08:54 AM

goretsky, on Sep 27 2011, 02:53 AM, said:

Hello, As far as I can tell, the option to disable UEFI Secure Boot should be enabled in every BIOS^H^H^H^H UEFI firmware; the only place I could think of where it would not be available would be OEM builds for government, enterprise, etc. Regards, Aryeh Goretsky

The key word in your post is "should". But the fact that it "should" be enabled by no means means that it "will" be enabled.

#6 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 27 September 2011 - 09:05 AM

ross549, on Sep 27 2011, 03:44 AM, said:

I really have my doubts that Microsoft would go as far as to disable access to any other OS. I think the idea of a secure boot was floated around the meeting table, and everyone agreed it would be a good idea to prevent boot-time malware, viruses, and trojans from interrupting the boot process. Also, I have faith in the linux community to come up with a workaround if this does end up preventing a multiboot option. Adam

If it were possible for the "linux community" to get around it, then it would also be possible for the hackers. And I don't doubt for a second that MS would implement it if they thought they could get away with it. After all, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

#7 ross549 (I live here.; Forum MVP; 9,185 posts)
Posted 27 September 2011 - 04:36 PM

lewmur, on Sep 27 2011, 09:05 AM, said:

If it were possible for the "linux community" to get around it, then it would also be possible for the hackers. And I don't doubt for a second that MS would implement it if they thought they could get away with it. After all, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?

Apple does not prevent installing other OSes.... they just don't support it. https://help.ubuntu....ro5-1_5-2/Natty And it looks like GRUB already supports UEFI.

Adam
I don't suffer from insanity, I enjoy it.

#8 goretsky (Forum Fiend; Forum Moderators; 1,545 posts)
Posted 28 September 2011 - 03:27 AM

Hello,

Well, yes. Manufacturers make all sorts of interesting custom builds for enterprise customers, and sometimes those products end up in the computer surplus space. I once picked up a motherboard that turned out to work with one particular model of CPU (it was a Fujitsu-Siemens motherboard, I think, originally destined for some kind of OEM use). A friend of mine once picked up a new Unisys laptop that had a monochrome display and metal chassis; apparently it was surplus from a DoD build. I think such things tend to be more the exception than the rule. I can't see a manufacturer wanting to get bad publicity over something like this, can you?

Regards,

Aryeh Goretsky

lewmur, on Sep 27 2011, 05:54 AM, said:

The key word in your post is "should".  But the fact that it "should" be enabled by no means means that it "will" be enabled.


#9 goretsky (Forum Fiend; Forum Moderators; 1,545 posts)
Posted 28 September 2011 - 03:37 AM

Hello,

I think it would require a more significant social engineering attack than we have currently seen to convince an ordinary PC user to go into their UEFI firmware and disable the secure boot option.

PC hardware manufacturers are Microsoft customers, and they don't have to be exclusive ones, either (Ubuntu, Android, even Hewlett-Packard's ill-fated WebOS come to mind). If Microsoft doesn't have a compelling OS for them, they'll go somewhere else, just as they are currently doing in the mobile handset and tablet market.

It seems to me the Trusted Computing Group is more about providing a secure boot path and operating environment. A quick look here at the membership reveals quite a few companies besides Microsoft, including some who I think are quite receptive towards Linux, like IBM, Fujitsu, and Aruba Networks.

Regards,

Aryeh Goretsky

lewmur, on Sep 27 2011, 06:05 AM, said:

If it were possible for the "linux community" to get around it, then it would also be possible for the hackers. And I don't doubt for a second that MS would implement it if they thought they could get away with it. After all, doesn't Apple prevent you from running other OSs on their hardware? Just because MS doesn't actually manufacture PC hardware doesn't mean they don't feel like they own it. MS has been attempting to "lock down" their control of PC hardware for years. Ever hear of the term "Trusted Computing"?


#10 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 28 September 2011 - 09:45 AM

goretsky, on Sep 28 2011, 02:27 AM, said:

Hello, Well, yes. Manufacturers make all sorts of interesting custom builds for enterprise customers, and sometimes those products end up in the computer surplus space. I once picked up a motherboard that turned out to work with one particular model of CPU (it was a Fujitsu-Siemens motherboard, I think, originally destined for some kind of OEM use). A friend of mine once picked up a new Unisys laptop that had a monochrome display and metal chassis; apparently it was surplus from a DoD build. I think such things tend to be more the exception than the rule. I can't see a manufacturer wanting to get bad publicity over something like this, can you? Regards, Aryeh Goretsky

You are missing the point. UEFI is an extra layer of code between the BIOS and the bootloader. It is a standard developed by a consortium of companies that did include IBM and that, in and of itself, does nothing to preclude any OS from booting. The problem is that MS is telling OEMs that in order to comply with the licensing terms needed to display the Windows 8 logo, they must implement the UEFI in such a way that it COULD exclude the booting of any other OS but Windows 8. In fact, not just Win 8 but the particular version of Win 8 covered by the OEM license. (Take note. This is not just for a limited "enterprise" or "specialty" edition. It is for ANY box displaying the Windows 8 logo.)

MS has publicly admitted that their demands on the OEMs give them this ability and are asking everyone to trust them not to use it to prevent Linux from booting (or dual booting) on these machines. I dare say you will take MS at their word. I, for one, don't trust MS as far as I could throw Bill Gates.

#11 V.T. Eric Layton (Nocturnal Slacker; Forum MVP; 18,971 posts)
Posted 28 September 2011 - 12:25 PM

This is just all the more reason that I'm so glad I build my own machines. I've never bought a machine from a store. I don't intend to start now. :shifty:

Have a creepy little Halloween!


#12 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 28 September 2011 - 12:54 PM

V.T. Eric Layton, on Sep 28 2011, 11:25 AM, said:

This is just all the more reason that I'm so glad I build my own machines. I've never bought a machine from a store. I don't intend to start now. :unsure:

I've always built my own desktops but this also applies to laptops and netbooks that want to display the Win 8 logo.

#13 V.T. Eric Layton (Nocturnal Slacker; Forum MVP; 18,971 posts)
Posted 29 September 2011 - 05:43 PM

Yeah... gonna' possibly be ugly with lappys and n-books. :)



#14 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 29 September 2011 - 09:40 PM

V.T. Eric Layton, on Sep 29 2011, 04:43 PM, said:

Yeah... gonna' possibly be ugly with lappys and n-books. :)

Here's someone else who seems to share my opinion.

#15 V.T. Eric Layton (Nocturnal Slacker; Forum MVP; 18,971 posts)
Posted 29 September 2011 - 11:50 PM

I have two issues with all this:

1) Color me naive, but I just don't really think that Microsoft is the EVIL EMPIRE (everyone knows that's Google :) ), and that they are soooooo scared of little ol' Linux.

2) If MS really is trying this in an attempt to lock down the PC market in their favor, I have a hard time believing they'll get away with it... especially in ANTI-antitrust Europe.

We'll see, I guess...



#16 crp (Board Bigwig; Members; 2,602 posts)
Posted 03 October 2011 - 11:36 AM

V.T. Eric Layton, on Sep 29 2011, 08:50 PM, said:

I have two issues with all this: 1) Color me naive, but I just don't really think that Microsoft is the EVIL EMPIRE (everyone knows that's Google ;) ), and that they are soooooo scared of little ol' Linux. and 2) If MS really is trying this in an attempt to lock down the PC market in their favor, I have a hard time believing they'll get away with it... especially in ANTI-antitrust Europe. We'll see, I guess...

I'm not so sure. MicroS does not seem to state anywhere that if you want to install Win8 you must use a locked down UEFI that must prevent other OS installs. But if you want to display our Win8 logo on your machine, then you must use a locked down UEFI; if that might prevent OS installs, that is not our problem. It is the "not our problem" that I think they are incorrect about, as per my OP.

#17 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 03 October 2011 - 12:15 PM

crp, on Oct 3 2011, 10:36 AM, said:

I'm not so sure. MicroS does not seem to state anywhere that if you want to install Win8 you must use a locked down UEFI that must prevent other OS installs. But if you want to display our Win8 logo on your machine, then you must use a locked down UEFI; if that might prevent OS installs, that is not our problem. It is the "not our problem" that I think they are incorrect about, as per my OP.

The way I read it, this won't affect the DIY market at all. But that is a small percentage of the total market. If MS can lock down the OEM computer market they can effectively maintain their monopoly on the desktop and, more importantly, laptop markets.

#18 crp (Board Bigwig; Members; 2,602 posts)
Posted 03 October 2011 - 01:09 PM

lewmur, on Oct 3 2011, 09:15 AM, said:

The way I read it, this won't affect the DIY market at all. But that is a small percentage of the total market. If MS can lock down the OEM computer market they can effectively maintain their monopoly on the desktop and, more importantly, laptop markets.

Can one be a msWindows OEM without using the logo?

#19 Temmu (The Assimilator; Forum MVP; 11,851 posts)
Posted 09 October 2011 - 09:13 PM

goretsky, on Sep 28 2011, 02:27 AM, said:

Manufacturers make all sorts of interesting custom builds ... it was a Fujitsu-Siemens motherboard

lol! Me too! I actually loaded Windows Server 2003 on it. Finding drivers took a while, um, a long while, but it actually booted and ran!

crp, on Oct 3 2011, 12:09 PM, said:

Can one be a msWindows OEM without using the logo?

No. Just sayin'.

#20 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 19 October 2011 - 01:23 PM

crp, on Sep 26 2011, 10:51 AM, said:

I don't have a problem with a PC manufacturer wanting to use UEFI to lock down the OS that can be installed, but I would not purchase such a machine. My concerns would be threefold:
  • Would an update to the OS break the system?
  • Would upgrading the OS be possible?
  • Which hardware change would prevent a bootup? video, nic, new mb?

Here is the latest on MS and the UEFI. In it, Adrian Kingsley-Hughes contends that while, without a "kill switch", MS's demands for the Win 8 logo WILL lock out any other OS, it is absolutely necessary to ensure against "rootkits". And I agree with that. But what he misses is that the only way to ensure that the OEMs offer a "kill switch" is for MS to include that option as part of its Win 8 logo license requirement. If their intent is truly benevolent, that is a simple way to prove it. Anyone here going to hold their breath waiting for MS to take that step?

Edited by lewmur, 19 October 2011 - 01:24 PM.


#21 striker (handyman; Honorary Moderators; 8,501 posts)
Posted 19 October 2011 - 05:15 PM

Here's what Ed Bott thinks about it:
http://www.zdnet.com...ess-secure/4100
and this one:
http://www.zdnet.com...ust-issues/4112
striker

#22 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 19 October 2011 - 05:48 PM

striker, on Oct 19 2011, 04:15 PM, said:

Yeah, I've read what Mr. Bott thinks. And as far as I'm concerned, he is full of it. IMHO, he is a MS shill. I think that most Linux users pretty much concede that anything that helps secure Windows is a good thing. I, in fact, would prefer to see MS's UEFI solution applied, as is, if that was the only way it could be done. But as I stated in the previous post, all MS needs to do is insist that not only do the OEMs need to have the "secure boot feature" but that they make a "kill switch" available in order to display the Win 8 logo. That is the ONLY way to ensure that OEMs will provide the "kill switch". And the only thing it would cost MS is the competition from Linux that they claim doesn't concern them anyway.

Edited by lewmur, 19 October 2011 - 05:49 PM.


#23 securitybreach (CLI Phreak; Forum Admins; 16,003 posts)
Posted 28 October 2011 - 11:28 AM

QUOTE

The Free Software Foundation came out opposing Microsoft's requirements. More than 16,000 people signed the Free Software Foundation statement on "Secure Boot vs Restricted Boot", which shows the users were concerned. We were expecting some response from the open source industry. Red Hat and Canonical have come forward. The two companies have published a white paper recommending how to implement 'Secure Boot', to ensure that users remain in control of their PCs...

The white paper highlights the recommendations for OEMs which include:

The companies recommend that all OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface. The companies write that it is essential that users are able to remove secure boot restrictions, and boot the software of their choice on the devices that they own. Furthermore, the interface to configure this option should be easily accessible by non-technical users. Of course, this option should only be available to users with physical access to the hardware, and not be accessible via programmatic means...

http://www.muktware.com/news/2823
CNI Radio / Archlinux G+ / Configs / PGP Key

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
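
The mechanics argued over in this thread (crp's "will an update or a hardware swap break boot?", lewmur's "any driver needs a pre-approved key", and the white paper's "kill switch only for someone with physical access") as an added toy model; this is constructed example code, not anything from the forum or from real firmware. It simplifies Secure Boot to hash-only entries in the allow (db) and revocation (dbx) databases, which real firmware accepts alongside signer certificates, and the EFI image bytes are made up.

```python
import hashlib
from dataclasses import dataclass, field


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass
class Firmware:
    """Minimal model of the firmware state that matters for the thread."""
    secure_boot: bool = True
    db: set = field(default_factory=set)   # allow-list of image hashes
    dbx: set = field(default_factory=set)  # revocation list of image hashes

    def set_secure_boot(self, enabled: bool, physical_presence: bool) -> None:
        # The "kill switch" the Red Hat/Canonical paper asks for: reachable
        # only from the setup UI by someone at the machine, never by software.
        if not physical_presence:
            raise PermissionError("secure boot toggle requires physical presence")
        self.secure_boot = enabled

    def verify(self, image: bytes) -> tuple:
        """Decide whether the boot manager may execute this EFI image."""
        if not self.secure_boot:
            return True, "secure boot off: image not checked"
        h = image_hash(image)
        if h in self.dbx:
            return False, "revoked (dbx)"
        if h in self.db:
            return True, "allowed (db)"
        return False, "unknown image: not in db"


# Constructed stand-ins for EFI binaries (not real loaders or ROMs).
WIN8_LOADER = b"bootmgfw.efi build 8100"
WIN8_LOADER_UPDATED = b"bootmgfw.efi build 8250"   # after an OS update
GRUB = b"grubx64.efi"
OLD_NIC_ROM = b"nic option rom v1"
NEW_NIC_ROM = b"nic option rom v2"                  # after swapping the NIC


def run_scenarios() -> dict:
    """Replay the thread's concerns against the model; returns verdicts."""
    fw = Firmware(db={image_hash(WIN8_LOADER), image_hash(OLD_NIC_ROM)})
    out = {}
    out["windows_boots"] = fw.verify(WIN8_LOADER)[0]
    out["linux_locked_out"] = not fw.verify(GRUB)[0]
    # crp's first question: a hash-only db breaks as soon as the loader changes.
    # Real firmware avoids this by trusting the signer's certificate instead.
    out["update_breaks_boot"] = not fw.verify(WIN8_LOADER_UPDATED)[0]
    # lewmur's point: new hardware whose option ROM is not pre-approved is refused.
    out["new_nic_refused"] = not fw.verify(NEW_NIC_ROM)[0]
    # The white paper: no programmatic way to switch secure boot off ...
    try:
        fw.set_secure_boot(False, physical_presence=False)
        out["remote_disable_blocked"] = False
    except PermissionError:
        out["remote_disable_blocked"] = True
    # ... but the owner at the keyboard can, and then GRUB loads.
    fw.set_secure_boot(False, physical_presence=True)
    out["linux_boots_after_kill_switch"] = fw.verify(GRUB)[0]
    return out
```

Every verdict in run_scenarios() comes out True, which is the whole point of the thread: the same policy that keeps an unsigned rootkit out also keeps out an unsigned GRUB, an updated loader, or a new NIC's ROM unless either the signer is trusted or the owner can reach the switch.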

#24 crp (Board Bigwig; Members; 2,602 posts)
Posted 28 October 2011 - 12:38 PM

QUOTE (securitybreach @ Oct 28 2011, 08:28 AM)

seems reasonable to me, I hope it will to microS as well.


#25 lewmur (Discussion Deity; Members; 3,240 posts)
Posted 28 October 2011 - 05:10 PM

QUOTE (crp @ Oct 28 2011, 11:38 AM)
seems reasonable to me, I hope it will to microS as well.

Canonical, Red Hat and FOSS all put together don't have the clout to force OEMs to do anything. Only MS, or the anti-trust depts of the world's govts, have that power. And, of course, MS's purse strings have proven before to be too much of a temptation for govt politicians to resist. Just look at what happened with the .docx situation.




