UEFI secure booting and the future
http://mjg59.dreamwidth.org/5552.html
A friend sent me this link from an article talking about how, in a nutshell, "made for win8" systems could quite possibly make dual booting, wipe & replace, or even driver installation a huge problem? Am I reading this right? I ask as a desktop layman with genuine preference for my operating system. I'm not using Linux out of spite of something else. It seems to me that this borderlines on illegal? Thoughts? Ideas? Interpretations? To quote the article: The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load. This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely. |
It's only illegal (in the U.S.) if the Justice Department considers it a violation of the Sherman Antitrust Act. So long as consumers have a choice, they are unlikely to take action.
Likewise, this is only the case for companies that want to use the Windows 8 logo in advertising, on the product, or the packaging. Manufacturers can still indicate that the machine comes with Windows 8, they just have to limit how much free advertising they give Microsoft. They can provide an option to disable secure boot, disabling Windows 8, but enabling the installation of another OS. Since this lets them sell the same hardware to a larger audience, it's pretty much a nobrainer. Overall, I don't think this will be a problem. |
Will it in the future be impossible to dual boot windows 8 and linux
I come across this article to day on http://mjg59.dreamwidth.org/5552.html
Personally I do not mind I do not use windows . But a lot of people does . |
whether or not you use windows is not important.
The problem is that Microsoft wants future PCS to be unable to run anything except Windows. If i understand correctly, to get the Windows 8 logos, computer manufacturers will have to comply to a bios feature that will need prevent booting anything other than Windows 8 So it's a major threat to Linux users. Remember, it's almost impossible to buy a PC that does not have Windows on it. And the Linux users usually just erase the disk and install Linux on it. Looks like it won't be possible anymore. |
What will all the Windows users do when we are not able to help them anymore with our Linux Live-CDs/USBs, when Windows is messed up once again?
Personally, If I would buy a machine that comes with an OS that forbids to run other OSes of my choice on my hardware I would sue them. I also wonder how that would look to those people that are watching Microsoft for building a monopoly. |
There must be a way to hack it.
|
It took 5 years for the PS3 key to be discovered, and only then because of a flaw in the implementation they used. And that's only a single platform. It must be repeated for every model of every computer from every manufacturer. the only way around that is to get Microsoft's signing key for Windows 8, and you know that's not going to happen.
|
16Pide
It is possible to buy a computer without any OS preloaded . Just go to a computer shop who build one for you according to you're spec . Off course it is comes as a tower or midi tower . But the problem did it still comes UEFI . |
So, you're saying that there is no flaw in M$ implementation of this system ?
|
The implementation isn't Microsoft's, it's provided by various hardware manufacturers (a physical chip on the motherboard) and in the UEFI firmware.
|
From what I read of UEFI, it is just a new interface between OS and BIOS firmware. Otherwise, it is much like a regular BIOS, I mean it can be flashed ... right ?
There are also efforts to make open UEFI implementations: http://sourceforge.net/apps/mediawik...?title=Welcome If someone could explain in short, what the difference between a regular BIOS and EFI are it would be very useful. Honestly, I don't see any real benefit in UEFI over BIOS. Maybe supposedly better ACPI support, but other than that, it looks like they just pimped the BIOS graphics, added a few not too useful features, and forced it on everyone. |
Opening the UEFI firmware doesn't change the secure behavior.
Think of it like GPG encryption. The implementation is open, but that doesn't provide any access to encrypted data. The secure store (chip on the motherboard, tamper-resistant) contains the public key for Microsoft, signed by the hardware vendor. Microsoft has the private key, which they use to sign Windows (the message in the GPG analogy). The UEFI asks the hardware to validate the signature. UEFI never has access to the public key or the private key, though access to the public key is as meaningless as access to the GPG public key. Alter the Windows software after signing, and the validation fails. Attempt to tamper with the motherboard chip, and the machine is now permanently unable to verify signed software. The only option is for the vendor to provide the UEFI option, via motherboard jumper or software switch, to disable secure boot. That lets you run other OS, but not signed OS. Dual booting requires opening the case or altering UEFI settings each time (not an end-user task). If the vendor does not provide the option to disable secure boot, it is a Windows-only machine. |
I see, I thought it might be something similar to GPG with the signing.
Still, the PS3 was broken, it's not impossible to hack this. It may take years. If it is exactly as you said and there is no way around, I'm not buying any computer pre-installed with Window$ 8. I always build my own desktop computers, but laptops and netbooks often come with Window$. |
Typical Microsoft, lean on the hardware manufacturers to favor their business. They're trying to be Apple. As the article points out, manufacturers will probably make a lot of cheaper machines without the ability to disable the UEFI counting on the average consumer not knowing or caring. The sticker should say Windows 8 only, not ready or compatible. Feh.
|
I do hope M$ gets sued for this. They probably will be sued in Europe, but not Amerika.
|
Google does exactly the same thing with the Chromebook (Linux-based, obviously). They provide a hardware switch, under the motherboard battery, to disable secure boot. That lets you run any other Linux, but obviously not Windows or ChromeOS. Apple will likely follow suit with their machines (I don't believe any Apple hardware uses secure boot today).
So every OS has a hardware vendor that uses, or will shortly use secure boot. What needs to happen is that the ability to disable secure boot has to be user accessible and publicly available information (as is the case with the Chromebook). That's where market pressure needs to be applied. |
Next thing it'll be illegal to have a non-UEFI machine with secure booting disabled... Homeland Security will probably conclude that Linux users are security risks and potential cybercriminals; in fact wasn't there something to that effect in the news a few months ago?
|
I think it's highly unlikely that secure boot will become mandatory. It's purpose is to protect the end-user from malicious code, and it does this very well. However, development still needs to occur, and there are millions of developers. Forcing the requirement for secure boot means that development stops - every test kernel (any OS) is not going to get some corporate exec out of bed to get the signing key out of the vault.
|
It's TCPA all over again. It will probably not be implemented, or will be implemented in such a form that it can't block non-Windows installs. As long as the right groups argue again, it will go away. Until the next time MS want to block our freedoms.
|
Quote:
|
Quote:
Quote:
Quote:
Quote:
|
Yeah just a little flame baiting paranoia, H TeXMex H shouldn't have all the fun, heh, heh..
|
My first thought is will UEFI mobos become something sold exclusively in all countries around the world?
Probably not until a long time has passed by and win8 is history. Why, because there are too many people in too many other countries who for many reasons (including financial) will not be purchasing the hardware and software meeting UEFI requirements. Not to mention the fact that the powers that be in countries such as India, PRC and Brazil will not be inclined to allow this to be somehow mandated or implied by law. Maybe it will be shoved down the throats of N. America or survive a challenge in the EU. That's the market it is intended for. I'm no expert on these matters but I think, if anything, it will, intentionally or not help to retain the MS home user customer base who don't think about these things, who think the computer is not working of they lost their internet connection and who are more inclined to purchase a complete new setup than just replace periphials. If any of them turn "Neo" and want try something else they won't be able to. As an added attraction the UEFI machine will be more "secure", i.e. less bothersome to Redmond. Additionally, look what happened with XP's extended run because big business was not willing to embrace new software with new hardware requiremnts not to mention the fact that win8 is going to be a very big change to user interface. Rection against ribbon menus was bad enough; put all the receptionists and secretaries in front of Win 8 and see what they say. I can remember businesses not upgrading to win 95 because staff refused to change from word perfect to word and I also remember typists who complained bitterly about having to use software with a mouse because it was slow compared to just using the keyboard. Change outside of the server room takes allot longer for the majority of the corporate world. This isn't going to happen overnight, by the time it becomes widespread, if it does, there will be workarounds/hacks, and in the interim time non UEFI hardware will still be available because it will be manufactured for outside N. Am. and EU markets by the same people manufacturing for sale in the N.Am and Eu markets. |
I tend to use virtual machines so I almost never dual boot. I use a dedicated OS or a VM.
|
I tend to think that TobiSG is on the right track.
I think I shall write my Congress critters and the FTC tomorrow. |
Hi,
Too many people have their heads in the cloud. Literally! Microsoft, Google and others are trying to get control and remain there in the clouds. Locking things up so no one has the key. Buyer Beware! |
Microsoft can do whatever they want. It doesn't affect me, I stopped using windows eons ago. HAHAHA
Anyway, whatever OS that goes into the VM won't have access to the real hardware of your system. So for those who like using both windows and linux, you need to choose and weight the options. |
I have merged the two identical threads together.
|
Do you know what is awesome about this? If those Windows *edited*people*end edit* (yes all you guys and gals who wanted flashing the bios support directly from windows) never got their way, we would never see this type of stuff. But people were too lazy to you know reboot and use a floppy or a usbkey to boot to flat mode and actually flash there BIOS, so now we have this shit to deal with.... thanks *edited* people *end edit*!
|
Quote:
P.S. I have impression that there are too many paranoid people. |
They probably cannot do this overnight ... well, technically they could, but it is unlikely. Still, they will push it until they get more and more control, you know with cloud and this "secure" boot until there will be no freedom, only control.
It's best to oppose it early, rather than find yourself a slave. |
It is ludicrous that M$ wants to control a person's desktop and block other OSes from booting. I'm glad I'm not a sheep in M$'s herd.
|
Nice name man ;)
|
Thanks H_TeXMeX_H
|
|
Quote:
Quote:
|
I don't use windows anymore, but I think that article might hold some water. Not only will people sue MS if they block other operating systems, but MS will look like villains in the computer industry. I don't think MS wants that kind of image.
MS might owned the OS on the computer, but the consumer owns the computer and they should put other OSes on them it they please. Quote:
|
Hi,
@RedNeck-LQ Unless you purchase the system without a OS you are standing on thin ice. Even then you had better know the hardware that is being purchased. You should read the EULA for M$ installed machines. Sue Microsoft for your purchase of a appliance that doesn't suit you because it is locked. Judge will throw that out in a heart beat. You bought it, M$ did not force you. Purchase something else that allows the desired install or performance. That is if it can be found among new hardware. Trends are leading us to a closed system again. :( More vendors are looking at special appliances: Google is one that comes to mind. Another is Apple. Again buyer beware! |
There was a good discussion about this on this week's TLLTS podcast (episode 421). It starts about 15 minutes in (I was on the road and unable to check the exact time on my podplayer). It may not be as ominous as it seems.
http://tllts.org/rsspage.php |
@ onebuck
I don't read those EULAs or those agreements prior to installing a OS or software. They're always a mile long and in most cases they're not written in laymans's terms. But I do read between the lines as they say. I believe in the age old adage. If I purchased it, it is mine to do whatever. That's just my personal opinion :) |
Hi,
Quote:
You are missing my point. If you purchase the hardware then you had better know how and what can be done with it before you make that purchase. Select hardware that aligns with your believes. It is sad when the hardware is locked as most hardware is coming too. What are you going to purchase that suits your requirements of hardware with "If I purchased it, it is mine to do whatever."? Hardware hacks? Think not. The field is getting thinner by the day to have hardware with open configuration that can be customized. I agree with the spirit of what your saying but be sure to get your $$ worth by knowing if you can modify to suit. A few appliances that come to mind are; netbooks, tablets, Cel phones and even laptops that are locked to prevent a user to actually modify. Maybe polish in a controlled manner but still limited. Heck, I come from the days when you could work on a car. Try that on new models. Without diagnostic tools and programs you are chasing your tail. Maybe change oil and other fluids but beyond that you are sunk. That is what is coming for the computer industry. Back to locked system rooms that service us via whatever cloud or medium. The masses are just wanting things to work and do it reliable at low cost. Hardware, Software & IT companies along with bean counters solution is to sell you the house but without a key to the front door. |
After reading the article Microsoft could lock out Linux on Windows 8 PCs, but it won’t. I see it as a half glass full scenario.
For example, one member in the household is always the go to guy or gal and we have to constantly fix, remove viruses and malware and reinstall windows about 2,3 times a year from the family computer. There are viruses and malware that can boot as windows loads. If this UEFI chip does as it says, it can lesson the amount of stress we have fixing their computers from malware, viruses, or whatsoever. This is the first half glass look. But do they listen. Noooo... They will continue to open email attachments from the unknown and click on those pop-ups "HEY, You're Our One Millionth Visitor! Click here to clian your 1 million dollars!!!" The second half is if M$ utilize this chip, they're just monopolizing their OS even more which I don't like. |
Quote:
Quote:
|
Quote:
|
Quote:
As I understand it, when you buy hardware...
Anyway, I do not think that MS would intentionally lock out OS on PC. Their intent is to get more money, and the easier way to do it would be to add extra bell/whistle to OS and generate ton of hype about it. (IMO) Locking out other operating systems does not guarantee profit, but will produce problems. |
All that doesn't change the situation. If I buy a PC (even with Windows pre-installed) they have absolutely no right to lock it to Windows only, at least as long that machine isn't advertised as "Windows only" machine.
|
Quote:
as for intentionally locking out linux, no that's just a bonus, doing it intentionally would be illegal, accidentally? oops. |
Who own the software is irrelevant. Whoever owns it, they have no right to lock you out of your own computer, especially even before you purchase and use it and agree to any EULA. What if I refuse to agree to the M$ EULA ?
|
Quote:
You can't be locked out of it before you purchase it. When a brand new machine refuses to boot and doesn't allow to install new system, it is a different story - you have no personal information on it yet, and without UEFI you would call it a "malfunction". In my region I can return such item (that cannot be used for my purposes) within certain period and get full refund - even if it works just fine and I simply disliked the color. As for your "rights"... can you support your statement with anything? According to WHAT law they have "no right" to do that? You're no lawyer, I am no lawyer, but the whole thing sounds like a complicated gray area that needs to be settled in the court. Please note that *I* am not interested in explanation, but if *you* are afraid of Microsoft forbidding you to boot linux, you should at least know WHY they "have no right" to do that. Just in case this actually happens and you'll decide to sue them. Using word "rights" without knowing which laws grants them doesn't sound very convincing. Quote:
|
Actually, if I think over it, this may be very funny. Imagine someone manages to hack that functionality and spreads a malware that locks out Windows from booting.
|
All times are GMT -5. The time now is 05:27 PM. |