UEFI secure booting and the future
 

http://mjg59.dreamwidth.org/5552.html

A friend sent me this link from an article talking about how, in a nutshell, "made for win8" systems could quite possibly make dual booting, wipe & replace, or even driver installation a huge problem? Am I reading this right?
I ask as a desktop layman with genuine preference for my operating system. I'm not using Linux out of spite of something else.

It seems to me that this borderlines on illegal?

Thoughts? Ideas? Interpretations?

To quote the article:

The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

It's only illegal (in the U.S.) if the Justice Department considers it a violation of the Sherman Antitrust Act. So long as consumers have a choice, they are unlikely to take action.

Likewise, this is only the case for companies that want to use the Windows 8 logo in advertising, on the product, or the packaging. Manufacturers can still indicate that the machine comes with Windows 8, they just have to limit how much free advertising they give Microsoft. They can provide an option to disable secure boot, disabling Windows 8, but enabling the installation of another OS. Since this lets them sell the same hardware to a larger audience, it's pretty much a nobrainer.

Overall, I don't think this will be a problem.

Will it in the future be impossible to dual boot windows 8 and linux
 

I come across this article to day on http://mjg59.dreamwidth.org/5552.html
Personally I do not mind I do not use windows .
But a lot of people does .

whether or not you use windows is not important.
The problem is that Microsoft wants future PCS to be unable to run anything except Windows.
If i understand correctly, to get the Windows 8 logos, computer manufacturers will have to comply to a bios feature that will need prevent booting anything other than Windows 8

So it's a major threat to Linux users.

Remember, it's almost impossible to buy a PC that does not have Windows on it. And the Linux users usually just erase the disk and install Linux on it. Looks like it won't be possible anymore.

What will all the Windows users do when we are not able to help them anymore with our Linux Live-CDs/USBs, when Windows is messed up once again?
Personally, If I would buy a machine that comes with an OS that forbids to run other OSes of my choice on my hardware I would sue them.
I also wonder how that would look to those people that are watching Microsoft for building a monopoly.

There must be a way to hack it.

It took 5 years for the PS3 key to be discovered, and only then because of a flaw in the implementation they used. And that's only a single platform. It must be repeated for every model of every computer from every manufacturer. the only way around that is to get Microsoft's signing key for Windows 8, and you know that's not going to happen.

16Pide
It is possible to buy a computer without any OS preloaded .
Just go to a computer shop who build one for you according to you're spec .
Off course it is comes as a tower or midi tower .
But the problem did it still comes UEFI .

So, you're saying that there is no flaw in M$ implementation of this system ?

The implementation isn't Microsoft's, it's provided by various hardware manufacturers (a physical chip on the motherboard) and in the UEFI firmware.

From what I read of UEFI, it is just a new interface between OS and BIOS firmware. Otherwise, it is much like a regular BIOS, I mean it can be flashed ... right ?

There are also efforts to make open UEFI implementations:
http://sourceforge.net/apps/mediawik...?title=Welcome

If someone could explain in short, what the difference between a regular BIOS and EFI are it would be very useful.

Honestly, I don't see any real benefit in UEFI over BIOS. Maybe supposedly better ACPI support, but other than that, it looks like they just pimped the BIOS graphics, added a few not too useful features, and forced it on everyone.

Opening the UEFI firmware doesn't change the secure behavior.

Think of it like GPG encryption. The implementation is open, but that doesn't provide any access to encrypted data.

The secure store (chip on the motherboard, tamper-resistant) contains the public key for Microsoft, signed by the hardware vendor. Microsoft has the private key, which they use to sign Windows (the message in the GPG analogy). The UEFI asks the hardware to validate the signature. UEFI never has access to the public key or the private key, though access to the public key is as meaningless as access to the GPG public key. Alter the Windows software after signing, and the validation fails. Attempt to tamper with the motherboard chip, and the machine is now permanently unable to verify signed software.

The only option is for the vendor to provide the UEFI option, via motherboard jumper or software switch, to disable secure boot. That lets you run other OS, but not signed OS. Dual booting requires opening the case or altering UEFI settings each time (not an end-user task). If the vendor does not provide the option to disable secure boot, it is a Windows-only machine.

I see, I thought it might be something similar to GPG with the signing.

Still, the PS3 was broken, it's not impossible to hack this. It may take years.

If it is exactly as you said and there is no way around, I'm not buying any computer pre-installed with Window$ 8. I always build my own desktop computers, but laptops and netbooks often come with Window$.

Typical Microsoft, lean on the hardware manufacturers to favor their business. They're trying to be Apple. As the article points out, manufacturers will probably make a lot of cheaper machines without the ability to disable the UEFI counting on the average consumer not knowing or caring. The sticker should say Windows 8 only, not ready or compatible. Feh.

I do hope M$ gets sued for this. They probably will be sued in Europe, but not Amerika.

Google does exactly the same thing with the Chromebook (Linux-based, obviously). They provide a hardware switch, under the motherboard battery, to disable secure boot. That lets you run any other Linux, but obviously not Windows or ChromeOS. Apple will likely follow suit with their machines (I don't believe any Apple hardware uses secure boot today).

So every OS has a hardware vendor that uses, or will shortly use secure boot. What needs to happen is that the ability to disable secure boot has to be user accessible and publicly available information (as is the case with the Chromebook). That's where market pressure needs to be applied.

Next thing it'll be illegal to have a non-UEFI machine with secure booting disabled... Homeland Security will probably conclude that Linux users are security risks and potential cybercriminals; in fact wasn't there something to that effect in the news a few months ago?

I think it's highly unlikely that secure boot will become mandatory. It's purpose is to protect the end-user from malicious code, and it does this very well. However, development still needs to occur, and there are millions of developers. Forcing the requirement for secure boot means that development stops - every test kernel (any OS) is not going to get some corporate exec out of bed to get the signing key out of the vault.

It's TCPA all over again. It will probably not be implemented, or will be implemented in such a form that it can't block non-Windows installs. As long as the right groups argue again, it will go away. Until the next time MS want to block our freedoms.

That certainly did come to mind, and I think that they may be planning this, along with the internet e-ID, and making sure your computer is safe to go on the internet ... you know that it runs Window$.

If hardware is physically accessible, any such feature can and WILL be bypassed or disabled. Excessive DRM will result in lost sales.

The article doesn't talk about encryption, it talks about signatures. Signatures != encryption. In case of signature there will be a subroutine that checks the signature for being acceptable and allows or denies execution of signed code, which is unencrypted. This subroutine can be hacked into always allowing launch. If I remember correctly, similar mechanism has been implemented on symbian, and it was bypassed - there are ways to turn off certificate checking.

This sounds nice in theory, but in reality most likely somebody will steal encryption key from Microsoft and publish it on the internet, as it happened with AASC encryption key. If hardware vendor will provide ability to upgrade built-in key, then the upgrade will be done via some kind of program, which can also be reverse-engineered, which means it will be possible to install different key into firmware. The whole endeavor is a waste of time. If they want unbeatable signature mechanism, they should make hardware physically inaccessible to user.

Sounds like paranoia to me. If this will happen, I'll surely have a good laugh. Anyway, this won't affect the rest of the world.

Yeah just a little flame baiting paranoia, H TeXMex H shouldn't have all the fun, heh, heh..

My first thought is will UEFI mobos become something sold exclusively in all countries around the world?

Probably not until a long time has passed by and win8 is history.

Why, because there are too many people in too many other countries who for many reasons (including financial) will not be purchasing the hardware and software meeting UEFI requirements. Not to mention the fact that the powers that be in countries such as India, PRC and Brazil will not be inclined to allow this to be somehow mandated or implied by law.

Maybe it will be shoved down the throats of N. America or survive a challenge in the EU. That's the market it is intended for.

I'm no expert on these matters but I think, if anything, it will, intentionally or not help to retain the MS home user customer base who don't think about these things, who think the computer is not working of they lost their internet connection and who are more inclined to purchase a complete new setup than just replace periphials. If any of them turn "Neo" and want try something else they won't be able to. As an added attraction the UEFI machine will be more "secure", i.e. less bothersome to Redmond.

Additionally, look what happened with XP's extended run because big business was not willing to embrace new software with new hardware requiremnts not to mention the fact that win8 is going to be a very big change to user interface. Rection against ribbon menus was bad enough; put all the receptionists and secretaries in front of Win 8 and see what they say.

I can remember businesses not upgrading to win 95 because staff refused to change from word perfect to word and I also remember typists who complained bitterly about having to use software with a mouse because it was slow compared to just using the keyboard. Change outside of the server room takes allot longer for the majority of the corporate world.

This isn't going to happen overnight, by the time it becomes widespread, if it does, there will be workarounds/hacks, and in the interim time non UEFI hardware will still be available because it will be manufactured for outside N. Am. and EU markets by the same people manufacturing for sale in the N.Am and Eu markets.

I tend to use virtual machines so I almost never dual boot. I use a dedicated OS or a VM.

I tend to think that TobiSG is on the right track.

I think I shall write my Congress critters and the FTC tomorrow.

Hi,

Too many people have their heads in the cloud. Literally!

Microsoft, Google and others are trying to get control and remain there in the clouds. Locking things up so no one has the key. Buyer Beware!

Microsoft can do whatever they want. It doesn't affect me, I stopped using windows eons ago. HAHAHA

Anyway, whatever OS that goes into the VM won't have access to the real hardware of your system. So for those who like using both windows and linux, you need to choose and weight the options.

I have merged the two identical threads together.

Do you know what is awesome about this? If those Windows *edited*people*end edit* (yes all you guys and gals who wanted flashing the bios support directly from windows) never got their way, we would never see this type of stuff. But people were too lazy to you know reboot and use a floppy or a usbkey to boot to flat mode and actually flash there BIOS, so now we have this shit to deal with.... thanks *edited* people *end edit*!

Somehow you forgot that PS3 is a proprietary closed hardware system, while on PC we have open architecture, which has such things are replaceable RAM, etc. This makes it much simpler to hack.

P.S. I have impression that there are too many paranoid people.

They probably cannot do this overnight ... well, technically they could, but it is unlikely. Still, they will push it until they get more and more control, you know with cloud and this "secure" boot until there will be no freedom, only control.

It's best to oppose it early, rather than find yourself a slave.

It is ludicrous that M$ wants to control a person's desktop and block other OSes from booting. I'm glad I'm not a sheep in M$'s herd.

Nice name man ;)

Thanks H_TeXMeX_H

That article add only this to the discussion:

I, for one, do NOT believe it, until I see it.

I don't use windows anymore, but I think that article might hold some water. Not only will people sue MS if they block other operating systems, but MS will look like villains in the computer industry. I don't think MS wants that kind of image.

MS might owned the OS on the computer, but the consumer owns the computer and they should put other OSes on them it they please.

Don't make me laugh MS. Of course MS cares. What were all those FUDD campaigns MS launched in the past and even today. MS is more afraid of linux than they were with Apple.

Hi,

@RedNeck-LQ
Unless you purchase the system without a OS you are standing on thin ice. Even then you had better know the hardware that is being purchased. You should read the EULA for M$ installed machines.

Sue Microsoft for your purchase of a appliance that doesn't suit you because it is locked. Judge will throw that out in a heart beat. You bought it, M$ did not force you. Purchase something else that allows the desired install or performance. That is if it can be found among new hardware. Trends are leading us to a closed system again. :(

More vendors are looking at special appliances: Google is one that comes to mind. Another is Apple.

Again buyer beware!

There was a good discussion about this on this week's TLLTS podcast (episode 421). It starts about 15 minutes in (I was on the road and unable to check the exact time on my podplayer). It may not be as ominous as it seems.

http://tllts.org/rsspage.php

@ onebuck

I don't read those EULAs or those agreements prior to installing a OS or software. They're always a mile long and in most cases they're not written in laymans's terms. But I do read between the lines as they say.

I believe in the age old adage. If I purchased it, it is mine to do whatever. That's just my personal opinion :)

Hi,

If it is commercial software and you are found to have violated that EULA then watch out. You might get away with doing it a few times but do it enough then someone is going to be knocking at the door. Piracy, cracking and hacking copyrighted programs can get you into trouble. Violating a license agreement that you agreed to by purchasing and using said software will get you into trouble as any other law that is broken.

You are missing my point. If you purchase the hardware then you had better know how and what can be done with it before you make that purchase. Select hardware that aligns with your believes. It is sad when the hardware is locked as most hardware is coming too. What are you going to purchase that suits your requirements of hardware with "If I purchased it, it is mine to do whatever."? Hardware hacks? Think not.

The field is getting thinner by the day to have hardware with open configuration that can be customized.

I agree with the spirit of what your saying but be sure to get your $$ worth by knowing if you can modify to suit. A few appliances that come to mind are; netbooks, tablets, Cel phones and even laptops that are locked to prevent a user to actually modify. Maybe polish in a controlled manner but still limited.

Heck, I come from the days when you could work on a car. Try that on new models. Without diagnostic tools and programs you are chasing your tail. Maybe change oil and other fluids but beyond that you are sunk.
That is what is coming for the computer industry. Back to locked system rooms that service us via whatever cloud or medium.

The masses are just wanting things to work and do it reliable at low cost. Hardware, Software & IT companies along with bean counters solution is to sell you the house but without a key to the front door.

After reading the article Microsoft could lock out Linux on Windows 8 PCs, but it won’t. I see it as a half glass full scenario.

For example, one member in the household is always the go to guy or gal and we have to constantly fix, remove viruses and malware and reinstall windows about 2,3 times a year from the family computer. There are viruses and malware that can boot as windows loads. If this UEFI chip does as it says, it can lesson the amount of stress we have fixing their computers from malware, viruses, or whatsoever. This is the first half glass look.

But do they listen. Noooo...

They will continue to open email attachments from the unknown and click on those pop-ups "HEY, You're Our One Millionth Visitor! Click here to clian your 1 million dollars!!!"

The second half is if M$ utilize this chip, they're just monopolizing their OS even more which I don't like.

Well, you should read them.

This adage does not apply to software. Software belongs to you only if you wrote it from scratch alone. Proprietary, Freeware AND OpenSource software does not belong to you - you get a right to use it as long as honor agreement. There are few exceptions, but they are extremely rare. You do not purchase software. I you purchase right to use it.

True, but I do buy the hardware, and they have no right to limit me to their OS on my hardware.

Umm... Are you sure about it? As I understand, it is a very tricky legal question.

As I understand it, when you buy hardware...

1. Physical hardware is yours, no question about it.
2. A design of hardware (circuitry, chip/microprocessor circuitry) may not be yours - it may be patented by manufacturers and may contain trade secrets.
3. Firmware and bios most likely are not yours - they are software products designed by somebody.
4. Hardware requires drivers that most likely do not belong to you (even on linux).

OS booting is related to #3.

Anyway, I do not think that MS would intentionally lock out OS on PC. Their intent is to get more money, and the easier way to do it would be to add extra bell/whistle to OS and generate ton of hype about it. (IMO) Locking out other operating systems does not guarantee profit, but will produce problems.

All that doesn't change the situation. If I buy a PC (even with Windows pre-installed) they have absolutely no right to lock it to Windows only, at least as long that machine isn't advertised as "Windows only" machine.

as for number 3, you're probably right, BUT if someone happenes to reverse engineer a replacement that can be flashed on to the chip, the chip itself is hardware and number 1 applies, you're not modifying the firmware you're erasing it, big difference

as for intentionally locking out linux, no that's just a bonus, doing it intentionally would be illegal, accidentally? oops.

Who own the software is irrelevant. Whoever owns it, they have no right to lock you out of your own computer, especially even before you purchase and use it and agree to any EULA. What if I refuse to agree to the M$ EULA ?

"Being locked out" presumes that you own computer, already has been using it for some time, and have files stored on it.
You can't be locked out of it before you purchase it. When a brand new machine refuses to boot and doesn't allow to install new system, it is a different story - you have no personal information on it yet, and without UEFI you would call it a "malfunction". In my region I can return such item (that cannot be used for my purposes) within certain period and get full refund - even if it works just fine and I simply disliked the color.

As for your "rights"... can you support your statement with anything? According to WHAT law they have "no right" to do that? You're no lawyer, I am no lawyer, but the whole thing sounds like a complicated gray area that needs to be settled in the court. Please note that *I* am not interested in explanation, but if *you* are afraid of Microsoft forbidding you to boot linux, you should at least know WHY they "have no right" to do that. Just in case this actually happens and you'll decide to sue them. Using word "rights" without knowing which laws grants them doesn't sound very convincing.

You return item back to the shop and demand a refund.

Actually, if I think over it, this may be very funny. Imagine someone manages to hack that functionality and spreads a malware that locks out Windows from booting.