Microsoft execs are likely far more worried about the tablet and smartphone markets than about masses of PC owners flocking to Linux with a few clicks of the mouse.
If any of this does result in Linux being difficult (or impossible, for the average user) to install, it will likely be a minor bullet point in the big picture for Windows and Microsoft, since there are real and worthwhile benefits to locking down Windows and the hardware that ends up in users' hands.
I do wonder what happens when someone wants a refund for the Windows portion of the price of a new PC. Assuming a hypothetical PC model didn't allow you to run anything but Windows, what use would there be in requesting a refund for it?
There wouldn't really be a refund for the Windows cost, as most OEMs are making money off of Windows through deals with software companies like Norton and Nero to install their trial software by default on new computers.
MS is not pressuring OEMs in any anti-competitive way. The requirement is simple: secure boot must be the default for any Win8 machine. That doesn't by any means prevent OEMs from shipping with a switch for this feature. The only information against this is FUD from a Red Hat developer who says that he has information that one or more OEMs may ship without this switch, without giving anything more.
To say MS puts no pressure is ludicrous. If an OEM wants to have the sticker, they have to enable secure boot, end of story. There is probably a financial incentive there too, as OEM license prices are usually lower for PC manufacturers who enter programs such as this. Ever wondered why so many of them displayed "so and so recommends Windows x" in their pages? There was a license discount for those who did.
Also, there is some incentive for the PC makers to remove the possibility to disable it: people won't be able to reuse their machines a couple of releases of Windows down the road. The shorter the useful life, the more boxes they move and the higher the profit they make.
Obviously, they won't think through the consequences of tying their future to Microsoft. That would require thinking beyond the next bonus window, something most managers can't.
> To say MS puts no pressure is ludicrous. If an OEM wants to have the sticker, they have to enable secure boot, end of story.
Your wording is ridiculously deceptive. To get the sticker, they have to enable secure boot, sure. Secure boot is not an issue, as long as you can turn it off, which MS is not requiring. So no, MS is not putting pressure on OEMs to do anything remotely anti-competitive.
As for any incentive that PC makers may have for preventing secure boot's disabling, that's complete conjecture (even if it may be right in the future), so let's stick to the facts rather than FUD, ok?
> Secure boot is not an issue, as long as you can turn it off, which MS is not requiring.
True enough. They don't require manufacturers to make their computers competition-proof.
> So no, MS is not putting pressure on OEMs to do anything remotely anti-competitive.
Except that, in order to get the sticker (and to qualify for whatever incentive program Microsoft devises to go with it), manufacturers are required to make it at least very inconvenient to install anything other than the Windows that came built in. How can this be anything other than anti-competitive? A layperson can pop in an Ubuntu DVD, boot up a current PC and experiment with it. Two years from now, they won't.
PC manufacturer margins are so low any incentive will sway them. That's why every computer you buy with Windows comes with a ton of crapware - because crapware makers pay the manufacturers to do so and their low margins don't allow them to pass this offer up.
Not to mention, secure boot is a good goal. Booting two different operating systems is just fundamentally at odds with secure boot, in the same way that leaving open the window next to your locked front door is fundamentally at odds with physical security.
> Booting two different operating systems is just fundamentally at odds with secure boot...
Agreed with your first sentence but not really with the second. The idea is simply securing the boot process of an operating system from POST right through to the OS being ready for use. Having 2 operating systems is perfectly fine from that point of view as long as the integrity of the boot process can be maintained. Having a boot loader and 2 or more OSes available complicates things, but doesn't make it at odds with secure booting.
Edit: Manually correcting autocorrect and adding a couple of words
> This pressure on OEMs is an anti-competitive move by a monopoly abuser and, as such, must be dealt with properly.
Dealt with by making an average Windows user more vulnerable to undetectable malware? The Chinese would be pretty happy with this.
Microsoft is feeling the pressure from Mac on the desktop regarding security and they should be banned from securing their machines? And this applies only to the "made for Windows 8" sticker, nothing else. It will happily boot on other and older machines.
The proper way to "deal" with this lies with conditions etc. imposed on the OEMs, not Microsoft who should have the right to secure their OS from undetectable rootkits. You're barking up the wrong tree.
Chinese would be extremely happy with UEFI secure boot. They would force OEMs to include their Chinese CA in every BIOS of every motherboard sold there, so they can boot whatever they want and the user would never notice.
> Imagine then a backdoor that allows a third party to remove Microsoft's key from UEFI.
You seem to have no clue how UEFI works. The keys are not stored in some magical place in the cloud. Removing MS's key from UEFI (even if it were possible) will only make Windows on that machine unbootable.
I was going with guard-of-terra's idea that all Chinese-made machines would be required to come with a key that could then be used in whatever cyberattack (or even spy-your-citizens-ware) the Chinese government wants to employ.
In this case, the Chinese won't even need to do the cyberattack themselves. Just leaking one of the signing keys to a willing third party would be bad enough.
Since a system that doesn't allow the removal of a compromised key is useless, there would be a way to remove Microsoft's key from all successfully compromised machines, rendering them useless.
So in both cases the government could install whatever they want. In both cases an uninformed user would be none the wiser. In both cases a very informed user would know that government hijacking was a possibility.
The only difference seems to be that some users would know that they were using secure boot, but not realise that the government could bypass it. I'm not sure that's a massive win for the government.
China has a big IT ambition and it surely doesn't want to get locked out of its own PCs, so it would try to push their CA into BIOSes just to be a first class citizen if they try to build their own OS.
But the fact that they have their CA in the BIOS would be unsettling for some.
"There's a lot of good stuff in Pd, and a lot I like about it. There's also a lot I don't like, and am scared of. My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet. To the extent that Pd facilitates that reality, it's bad for society. I don't mind companies selling, renting, or licensing things to me, but the loss of the power, reach, and flexibility of the computer is too great a price to pay."
In practice, this wouldn't work. You would need one certificate for Linux for practical reasons, so you distribute this to the distro makers. All of a sudden anyone who wants to make a custom kernel can't; what's worse is that many distro makers might not be trusted enough to keep it secret. Why not make a certificate that anyone can use? Then malware authors can use it, and secure boot would have no purpose. This is why it isn't practical to try to use Linux with secure boot, and the option to disable it must be there for Linux to work.
I don't think your conclusion that secure boot is impractical with Linux follows from the evidence you've given. I can think of some steps to make it work:
1. Display in large type with an unskippable timeout the name, vendor, and logo of the OS before boot (embed these in the cert). If the "anything goes" cert is in use, the metadata will say "third party OS signed on yyyy-mm-dd" or similar with a warning logo.
2. Require confirmation at the UEFI level of any change in the OS certificate.
3. Require mobo vendors to allow self-signed certificates to be generated, but only from within UEFI.
1. Most users don't read warnings; most would go next no matter what. They would see a timeout as extra annoying. Also this would mean malware would come up with the same certificate as custom Linux, which isn't any more 'secure', so you may as well have it disabled.
2. Again, users will just go 'okay'. Here we don't really care about power users, they will probably not buy things with the bios option disabled, this is about general users who go 'let's try this linux thing'. In fact, those users might be ones to click cancel at the first sign of trouble.
3. This could be hard for non-power users, at least a bios option isn't as hard as generating a certificate, and signing something.
I still think you're giving up too quickly. It doesn't so much matter if some users are deliberately careless enough to install boot loader malware by hand despite all the certificate signing steps and ugly warnings involved. It is also beneficial to protect a Linux system from the same kind of pre-boot malware.
It seems as though you're saying since we can't get it 100% perfect, we shouldn't do it at all. I'm saying don't let perfect be the enemy of the good. If secure boot is going to exist at all, I think we'd be far better off if both Linux and Windows can take advantage of it, with control of the hardware in the hands of the users (or their IT department).
Well, to be fair, you could open it up for everyone to use if there were an independent CA. Add some basic security checks before your key can be trusted and the ability to revoke keys, and it should prevent malware. The latter might be harder to implement as it would need to be updated.
The problem is, as an individual who wants to compile his own kernel, how would I pass security checks? Any malware author could do the same. Also, a CA doesn't really work because once Secure Boot systems are distributed, you can't revoke a CA or keys.
There is no indication that there will be any CA. Actually that's one of the points raised by the Linux Foundation. They advocated that an independent CA be founded.
Currently some people believe that OEMs will include Microsoft's certificates directly, so basically that would make MS the CA. Or alternatively OEMs themselves would be the CAs.
As for why Linux vendors can't sign their OSes, I think there are some issues with the anti-tivoization clause in GPLv3. Also, Linux vendors would need to coordinate with each OEM individually, which would be rather impractical.
Surely this could (should?) work something like this?
Person buys a new PC from a major OEM; this PC has secure boot enabled and the only key installed is the one which matches the OS that comes with the PC. For users who never want to install another OS this is fine and will never be changed.
In BIOS settings there is an option to download additional keys; this connects to the OEM (or global CA) website via SSL using the NIC that shipped with the PC. The SSL cert is used to authenticate that the CA is genuine.
The master CA then sends a list of other sub-CAs (e.g. Microsoft, Ubuntu, Red Hat, Haiku, etc.). The user can select which ones they want to allow.
When the computer tries to boot something with a key that it doesn't recognise, it will first try to SSL-connect to the CAs that have been selected and find a matching key. These could also contain blacklists of known malware keys and warn the user. If the key is found it is then installed as a known good key and allowed to boot.
There could also be an 'advanced' section in the BIOS which could allow the user to either disable secure boot or manually add a key.
So if somebody was to recompile their kernel or bootloader (or just install a very obscure OS) (not sure which is required to be verified) they would simply have to write down the key (generated at compile time) on a piece of paper and input it. This would be a minor pain but would still allow for the option.
This would probably kill hackintoshes though as I doubt Apple would sign their OS for general PC usage, although manually adding the key may get around this.
My knowledge on trusted computing / crypto technology is a bit limited, any reason why this would not work / be a bad idea?
The user wouldn't need to know what a CA was unless they were planning on installing an additional/different OS. The default option would only allow the one that was installed by default. So unless they went poking around in the BIOS they wouldn't even be aware of it, unless some malware hijacked their bootloader, in which case they would get a warning at bootup and have their last known good bootloader restored automatically.
Since all the sub-CAs would be verified either by the OEM or by a global authority of some kind, users could assume that all the options they were presented with were trustworthy.
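The firmware side of the scheme proposed above (a shipped allow-list, enrolling extra keys, a blacklist), written as an added example that is not from any poster in this thread. It also illustrates the revocation question raised earlier: revoking one image hash versus revoking a whole signer. The names db, dbx and KEK are UEFI's own; everything else (the HMAC tags standing in for real certificate signatures, the "enroll:"/"revoke-" update format, the key and image names) is a constructed stand-in.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of UEFI Secure Boot's firmware policy: a Key Exchange Key (KEK)
# authorises changes to the allow-list of signers (db) and the deny-list of signers
# and image hashes (dbx). Real firmware checks X.509/RSA; HMAC-SHA256 stands in here.

def sign(secret: bytes, data: bytes) -> bytes:
    return hmac.new(secret, data, hashlib.sha256).digest()

def kek_signed(kek: bytes, text: str) -> tuple:
    return text.encode(), sign(kek, text.encode())

@dataclass
class Firmware:
    kek: bytes
    db: dict = field(default_factory=dict)        # signer id -> signer secret
    dbx_keys: set = field(default_factory=set)    # revoked signer ids
    dbx_hashes: set = field(default_factory=set)  # forbidden image hashes

    def apply_update(self, payload: bytes, tag: bytes) -> bool:
        # Authenticated variable write: only a KEK-signed payload changes db/dbx.
        if not hmac.compare_digest(sign(self.kek, payload), tag):
            return False
        action, _, arg = payload.decode().partition(":")
        if action == "enroll":
            signer, secret_hex = arg.split(",")
            self.db[signer] = bytes.fromhex(secret_hex)
        elif action == "revoke-key":
            self.dbx_keys.add(arg)
        elif action == "revoke-hash":
            self.dbx_hashes.add(arg)
        else:
            return False
        return True

    def may_boot(self, image: bytes, signer: str, tag: bytes) -> bool:
        # dbx wins over db: a forbidden hash or a revoked/unknown signer never boots.
        if (hashlib.sha256(image).hexdigest() in self.dbx_hashes
                or signer in self.dbx_keys or signer not in self.db):
            return False
        return hmac.compare_digest(sign(self.db[signer], image), tag)

def demo() -> dict:
    kek, win, distro = b"oem-kek", b"windows-signer", b"distro-signer"
    windows, kernel, bootkit = b"bootmgfw.efi", b"vmlinuz", b"evil.efi"
    fw = Firmware(kek)                     # as shipped: only the Windows signer enrolled
    fw.apply_update(*kek_signed(kek, "enroll:windows," + win.hex()))
    r = {"windows_boots": fw.may_boot(windows, "windows", sign(win, windows))}
    r["distro_before_enroll"] = fw.may_boot(kernel, "distro", sign(distro, kernel))
    # A db write without the KEK's signature (malware poking the variable) is refused.
    r["unsigned_enroll"] = fw.apply_update(b"enroll:distro," + distro.hex().encode(), b"\0" * 32)
    fw.apply_update(*kek_signed(kek, "enroll:distro," + distro.hex()))   # the "download a key" step
    r["distro_after_enroll"] = fw.may_boot(kernel, "distro", sign(distro, kernel))
    # A leaked distro secret signs a bootkit; it boots until something is revoked.
    r["leaked_key_boots"] = fw.may_boot(bootkit, "distro", sign(distro, bootkit))
    fw.apply_update(*kek_signed(kek, "revoke-hash:" + hashlib.sha256(bootkit).hexdigest()))
    r["bootkit_after_hash_revoke"] = fw.may_boot(bootkit, "distro", sign(distro, bootkit))
    r["kernel_after_hash_revoke"] = fw.may_boot(kernel, "distro", sign(distro, kernel))
    fw.apply_update(*kek_signed(kek, "revoke-key:distro"))   # blunt tool: everything it signed
    r["kernel_after_key_revoke"] = fw.may_boot(kernel, "distro", sign(distro, kernel))
    return r
```

Revoking a hash blocks one known-bad image while the distro's kernel keeps booting; revoking the signer also locks out every legitimate kernel it signed, which is the cost of a shared key being leaked.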
This seems like a whole lot of engineering to make that scheme work. You're saying that the BIOS should ship with a full TCP/IP stack and an SSL implementation. On top of that, you've got no way of updating the root SSL certs (or the SSL itself, in the event of a flaw being discovered) short of a firmware reflash. And you're requiring that the entire system depends on the root CA.
MS is pushing this so-called "secure boot" purely to prevent boot loaders from functioning. There is no "security exposure" that this plugs, this is a "piracy exposure" fix.
The only people who install pirated versions of Windows are typically more technically inclined - Joe Plumber isn't installing his own pirated version. Neither is Joe Plumber setting his machine to dual-boot to Linux.
If vendors do not include a way to bypass the "Secure Boot" option, this will NOT affect Joe Plumber, it will only affect his technician buddy. And his technician buddy will have an alternative crack for Windows 8 if the boot loader doesn't work.
But when Joe Plumber asks his technician buddy which computer he should buy, do you think the technician will recommend a computer with a BIOS that doesn't allow you to bypass secure boot? I think not.
So computer vendors have every reason to include secure boot and turn it on by default (so they can get the Windows 8 logo), but they also have every reason to include an option to turn it off (which Microsoft allows).
So I believe this will be a non-issue at Windows 8 launch, or perhaps several months later.
Has Microsoft indicated that they don't want it possible to disable Secure Boot? Have they stated that, or is there evidence that they've pressured OEMs in that direction? If not, it's not a piracy fix. Anyone willing to install some hacky boot loader should be able to turn off a setting in the BIOS.
The fact that you don't see the security issue doesn't mean it's not present. There are known boot-time attacks that no OS or anti-malware can reliably fix. Thankfully none of these are widely exploited at present, but a security problem should not need to be exploited on a wide scale before a fix is put in place.
I didn't say I didn't see a security issue (minor though it may be). I said that security is not the reason for this "fix" - the effort required for secure boot is completely out of balance with the potential exposure this plugs.
And if Microsoft is indeed pressuring vendors not to include an option to turn secure boot off, this is an ominous turn of events that would indeed force buyers to choose carefully.
But as I said, I believe that those people who ask their tech buddies which computer to buy will be steered towards computers that give the option, or have no secure boot at all. This will ultimately force the vendors to discontinue models that lock down secure boot.
Yeah, you did: There is no "security exposure" that this plugs
> I said that security is not the reason for this "fix" - the effort required for secure boot is completely out of balance with the potential exposure this plugs.
The potential risk is massive. Malware that injects a hypervisor beneath the OS could be undetectable without external scanning and nearly unfixable for the typical user. Imagine botnets built like this. The OS is healthy, anti-malware says everything's great. Meanwhile the machine is being remotely controlled and no one knows it except the guy who's using it to hammer away as part of a DDoS attack, or using it to host child pornography, or whatever.
The effort required for secure boot actually seems quite small. The real effort is in making secure boot work for 3rd parties as well. That's a difficult problem because "I want to run some random crap in my bootloader" is in direct conflict with the "don't allow random crap to run in the bootloader" design goal.
> And if Microsoft is indeed pressuring vendors not to include an option to turn secure boot off, this is an ominous turn of events that would indeed force buyers to choose carefully.
I seriously doubt that's happening.
> But as I said, I believe that those people who ask their tech buddies which computer to buy will be steered towards computers that give the option, or have no secure boot at all. This will ultimately force the vendors to discontinue models that lock down secure boot.
I agree. I think any vendor who sells a locked-down secure boot will see public backlash, and fix it in either future models or a firmware reflash.
Nobody knows if this will affect anybody at all, as no Secure Boot equipped hardware is in the wild, nor has any manufacturer or OEM announced anything related to it. The fear mongering is based on speculations and worst case scenarios mostly.
edit: I might add that any system that wants to be compatible with Windows 7 or XP needs to have the ability to disable Secure Boot. That fact will probably have a larger effect on manufacturers than Linux users.
I agree that this is based on worst case scenarios, but it isn't really a bad thing to be concerned about since nobody has actually ruled out the worst case happening and it represents a plausible possibility to many people.
Even if to begin with it is not a problem and Windows 8 does not require secure boot to be enabled for compatibility with older computers, it is still possible that Windows 9 or even a later service pack will change that once they are happy that there are sufficiently few older computers.
This could create a market for motherboard modification that would allow pirated versions of Windows to run.
Getting Windows to run is the least of problems in the current light. The problem is running something that's not Windows. Nobody cares about some lousy pirates.
> I might add that any system that wants to be compatible with Windows 7 or XP needs to have the ability to disable Secure Boot. That fact will probably have a larger effect on manufacturers than Linux users.
But MS could update Windows 7 & XP to be compatible, right?
In short, no. The secure boot is essentially optional from what I've seen so far; put Windows 8 on any old motherboard and it should work.
The whole reason this has come about is due to the vulnerability of people faking BIOS IDs and manufacturers on startup, allowing auto-authentication of pirate copies of Windows Vista and 7. In order for this auto-authentication to work in Windows 8 on a shipped bundle, secure boot will need to be activated. After the initial secure boot and activation, hopefully it can be turned off and allow more open access on OEM machines. (If it doesn't, then we have a problem.)
Great... so it's a good thing then, because maybe IT people will realize it's not even worth pirating Windows (well, actually they won't be able to). Then they just edit the BIOS setting and install Linux.
It stops an avenue of piracy sure, it also stops code injecting into the startup which is also cool. The fun bit is going to be all the disk encryption software that will take a hit when people migrate to 8 (unless it's signed).
It's a pain, agreed, but hopefully it doesn't affect the ability to keep your system open enough to install non-Windows OSes or restrict using non-OEM equipment to run Win8.
Not necessarily, new versions of Windows could ship signed with the same key.
You could install previous versions of Windows the same way if, for instance, there was a Windows update or new service pack integrated with the install media that contained a signed kernel.
Excuse my ignorance, but doesn't this just mean that Linux users would have to go into the BIOS and switch off the Secure Boot setting? And isn't Secure Boot solving a real security problem?
Besides, if you're running a computer powerful enough for Windows 8, don't you also have enough computing power for a virtual machine? Or enough money for a second computer?
Not necessarily, I doubt that Windows 8 will require particularly expensive or powerful hardware to run, especially since they are targeting tablets with it.
So it's likely that many users will not have the money for a 2nd PC, and whilst virtual machines are nice in their own way there are a lot of limitations with them, so you may well want to run 2 full OSes directly on hardware.
The issue is that there is no guarantee that users will be able to disable Secure Boot. If such guarantees had been given then there would be no controversy.
This pressure on OEMs is an anti-competitive move by a monopoly abuser and, as such, must be dealt with properly.