LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 09-20-2011, 11:46 PM   #1
mipia
Member
 
Registered: May 2003
Location: lake michigan
Distribution: Debian, Mint, Slackware
Posts: 457

Rep: Reputation: 35
Unhappy UEFI secure booting and the future


http://mjg59.dreamwidth.org/5552.html

A friend sent me this link from an article talking about how, in a nutshell, "made for win8" systems could quite possibly make dual booting, wipe & replace, or even driver installation a huge problem? Am I reading this right?
I ask as a desktop layman with genuine preference for my operating system. I'm not using Linux out of spite of something else.

It seems to me that this borderlines on illegal?

Thoughts? Ideas? Interpretations?

To quote the article:

The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

Last edited by mipia; 09-21-2011 at 12:00 AM. Reason: added examples
 
Old 09-21-2011, 01:14 AM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327Reputation: 327Reputation: 327Reputation: 327
It's only illegal (in the U.S.) if the Justice Department considers it a violation of the Sherman Antitrust Act. So long as consumers have a choice, they are unlikely to take action.

Likewise, this is only the case for companies that want to use the Windows 8 logo in advertising, on the product, or the packaging. Manufacturers can still indicate that the machine comes with Windows 8, they just have to limit how much free advertising they give Microsoft. They can provide an option to disable secure boot, disabling Windows 8, but enabling the installation of another OS. Since this lets them sell the same hardware to a larger audience, it's pretty much a nobrainer.

Overall, I don't think this will be a problem.
 
Old 09-21-2011, 09:39 AM   #3
ronlau9
Senior Member
 
Registered: Dec 2007
Location: In front of my LINUX OR MAC BOX
Distribution: Mandriva 2009 X86_64 suse 11.3 X86_64 Centos X86_64 Debian X86_64 Linux MInt 86_64 OS X
Posts: 2,369

Rep: Reputation: Disabled
Will it in the future be impossible to dual boot windows 8 and linux

I come across this article to day on http://mjg59.dreamwidth.org/5552.html
Personally I do not mind I do not use windows .
But a lot of people does .

Last edited by ronlau9; 09-21-2011 at 09:43 AM.
 
Old 09-21-2011, 11:18 AM   #4
16pide
Member
 
Registered: Jan 2010
Posts: 418

Rep: Reputation: 83
whether or not you use windows is not important.
The problem is that Microsoft wants future PCS to be unable to run anything except Windows.
If i understand correctly, to get the Windows 8 logos, computer manufacturers will have to comply to a bios feature that will need prevent booting anything other than Windows 8

So it's a major threat to Linux users.

Remember, it's almost impossible to buy a PC that does not have Windows on it. And the Linux users usually just erase the disk and install Linux on it. Looks like it won't be possible anymore.

Last edited by 16pide; 09-21-2011 at 11:21 AM.
 
Old 09-21-2011, 11:18 AM   #5
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,623
Blog Entries: 2

Rep: Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078Reputation: 4078
What will all the Windows users do when we are not able to help them anymore with our Linux Live-CDs/USBs, when Windows is messed up once again?
Personally, If I would buy a machine that comes with an OS that forbids to run other OSes of my choice on my hardware I would sue them.
I also wonder how that would look to those people that are watching Microsoft for building a monopoly.
 
Old 09-21-2011, 12:17 PM   #6
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
There must be a way to hack it.
 
Old 09-21-2011, 12:39 PM   #7
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327Reputation: 327Reputation: 327Reputation: 327
It took 5 years for the PS3 key to be discovered, and only then because of a flaw in the implementation they used. And that's only a single platform. It must be repeated for every model of every computer from every manufacturer. the only way around that is to get Microsoft's signing key for Windows 8, and you know that's not going to happen.
 
Old 09-21-2011, 12:57 PM   #8
ronlau9
Senior Member
 
Registered: Dec 2007
Location: In front of my LINUX OR MAC BOX
Distribution: Mandriva 2009 X86_64 suse 11.3 X86_64 Centos X86_64 Debian X86_64 Linux MInt 86_64 OS X
Posts: 2,369

Rep: Reputation: Disabled
16Pide
It is possible to buy a computer without any OS preloaded .
Just go to a computer shop who build one for you according to you're spec .
Off course it is comes as a tower or midi tower .
But the problem did it still comes UEFI .
 
Old 09-21-2011, 12:58 PM   #9
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
So, you're saying that there is no flaw in M$ implementation of this system ?
 
Old 09-21-2011, 01:32 PM   #10
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327Reputation: 327Reputation: 327Reputation: 327
The implementation isn't Microsoft's, it's provided by various hardware manufacturers (a physical chip on the motherboard) and in the UEFI firmware.
 
Old 09-21-2011, 02:43 PM   #11
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
From what I read of UEFI, it is just a new interface between OS and BIOS firmware. Otherwise, it is much like a regular BIOS, I mean it can be flashed ... right ?

There are also efforts to make open UEFI implementations:
http://sourceforge.net/apps/mediawik...?title=Welcome

If someone could explain in short, what the difference between a regular BIOS and EFI are it would be very useful.

Honestly, I don't see any real benefit in UEFI over BIOS. Maybe supposedly better ACPI support, but other than that, it looks like they just pimped the BIOS graphics, added a few not too useful features, and forced it on everyone.

Last edited by H_TeXMeX_H; 09-21-2011 at 02:48 PM.
 
Old 09-21-2011, 03:18 PM   #12
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327Reputation: 327Reputation: 327Reputation: 327
Opening the UEFI firmware doesn't change the secure behavior.

Think of it like GPG encryption. The implementation is open, but that doesn't provide any access to encrypted data.

The secure store (chip on the motherboard, tamper-resistant) contains the public key for Microsoft, signed by the hardware vendor. Microsoft has the private key, which they use to sign Windows (the message in the GPG analogy). The UEFI asks the hardware to validate the signature. UEFI never has access to the public key or the private key, though access to the public key is as meaningless as access to the GPG public key. Alter the Windows software after signing, and the validation fails. Attempt to tamper with the motherboard chip, and the machine is now permanently unable to verify signed software.

The only option is for the vendor to provide the UEFI option, via motherboard jumper or software switch, to disable secure boot. That lets you run other OS, but not signed OS. Dual booting requires opening the case or altering UEFI settings each time (not an end-user task). If the vendor does not provide the option to disable secure boot, it is a Windows-only machine.
 
Old 09-21-2011, 03:35 PM   #13
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
I see, I thought it might be something similar to GPG with the signing.

Still, the PS3 was broken, it's not impossible to hack this. It may take years.

If it is exactly as you said and there is no way around, I'm not buying any computer pre-installed with Window$ 8. I always build my own desktop computers, but laptops and netbooks often come with Window$.
 
Old 09-21-2011, 03:35 PM   #14
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Slackware -current (multilib) with kernel 3.16.2
Posts: 1,568
Blog Entries: 13

Rep: Reputation: 181Reputation: 181
Typical Microsoft, lean on the hardware manufacturers to favor their business. They're trying to be Apple. As the article points out, manufacturers will probably make a lot of cheaper machines without the ability to disable the UEFI counting on the average consumer not knowing or caring. The sticker should say Windows 8 only, not ready or compatible. Feh.
 
Old 09-21-2011, 03:37 PM   #15
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
I do hope M$ gets sued for this. They probably will be sued in Europe, but not Amerika.
 
  


Reply

Tags
microsoft, uefi booting, windows 8


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
UEFI and BIOS: What is it really? cruiser General 10 09-27-2011 12:18 PM
Has anyone got UEFI working? BeaverusIV Arch 2 07-31-2011 07:47 AM
LXer: Shaping the future of secure Ajax mashups LXer Syndicated Linux News 0 04-04-2007 10:46 PM
secure booting of linux vijeesh_ep Linux - Security 4 08-15-2004 12:55 PM
Booting up with Linux Secure and a blank screen mykyl Mandriva 0 03-02-2004 12:25 AM


All times are GMT -5. The time now is 02:57 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration