
Good grief....
They never learn, do they? Ho hum.
GJC
Computer scientists warn that proposed changes in firmware specifications may make it impossible to run “unauthorised” operating systems such as Linux and FreeBSD on PCs. Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image …
Nope, gawd bless'em.
The whole trusted computing architecture thing died a death before and the world is a different place now - you know, with some real competition for MS, the fading monopolist. So I don't rate their chances this time around as well. TCA required the connivance of Intel and I get the feeling that's not as likely these days either.
But you can't keep a good tyrant down so it's probably a good thing to publicise what they are up to so they don't get away with it just because no-one was looking.
Bundled OS with hardware, does that sound familiar to you?
This proposal is the ultimate blasphemy. Here we go, re-flashing our motherboards with unlocked UEFI/BIOS/whatever.
Good, now we will have motherboards that behave like a PS3. </sarcasm>
Shotgun shell, meet foot.
Which may be a shame as it sounds like the sort of push that might finally lead to broad mainstream acceptance of Linux desktops.
Nothing people dislike more than being told they are having choices removed even if they had no intention of taking up the alternative options.
Apple don't stop you installing other operating systems on their hardware though. They are more concerned about you installing their software on hardware that wasn't sold by them. And only a very small minority of people who buy Apple hardware and the software that comes with it actually bother installing another OS. In either case though, you have bought Apple hardware and/or software and to some extent agree to the terms you've bought them on.
It seems that what Microsoft is attempting to do, is ensure that even though you'll inevitably be buying your hardware from a third party manufacturer, you can only run Windows on it. Perhaps if I was buying Microsoft hardware such as an XBox it wouldn't be quite so unpalatable.
But I'm not even sure it's quite that bad either. So long as you have a suitably signed boot loader that the BIOS is prepared to execute, you're good to go. Perhaps Google will step in and get GRUB signed appropriately? Once the BIOS has passed control to the OS, you're trusting the OS anyway.
What it means for Microsoft, is that if your BIOS only allows bootloaders signed by a few authorities, and you run Microsoft's signed bootloader which is the only thing that can authenticate and launch a copy of Windows 8, then it's going to be hard for hackers to develop rootkits. It's one more backdoor that's been closed and not such a terrible thing from that perspective (i.e. would be useful for anyone wanting that chain of trust starting at the BIOS level).
But like I said the majority of people who buy Macs or PCs won't be installing other operating systems anyhow. I have 3 Macs and 3 PCs at home and only occasionally in the past have installed various versions of Linux, but never kept any of them in the long term.
So even if I can't install other operating systems in the future, it really wouldn't be a problem for me nor a lot of other people.
That's not to say I necessarily approve of it though. There is scope for it to harm competition and consumers but I have a reasonable amount of faith in the open source community, EFF and companies like Google, Red Hat, etc. to prevent that kind of thing.
Seemed to me a lot of people were starting to panic.
As the article explains there are problems trying to release a signed copy of GRUB, it may violate the GPL v2, it definitely would violate the GPL v3.
On the other hand I don't expect this to go anywhere because it's Intel that has the most control over the BIOS/EFI layer and Intel don't want to make their kit less useful. Particularly with MS flirting with ARM, Intel have no reason to bend over here.
I don't think Intel will care as long as they are the major player in the technology.
A technology lock like this is just another method for other technologies, good or bad, to be excluded.
All the PR will be how they saved the world.
The reality is that there is no WMD out there, but it won't be played that way.
I will assume politicians taking money will pass laws, but manufacturers will have the ability to opt-out.
Sort of like when Xfinity does not tell you about the free HD channels they must supply by law in the States. You'll never see them advertise that service.
Yeah, Apple allow you install any x86/x64 compliant O/S you want via boot camp and this new doo-dad from MS will allow you to run ONLY a signed and verified O/S and that would be...oh yes fricking Windows 8!
So Brain of Britain, which is worse? Apple allowing you to install any O/S you want on their hardware or Microsoft who want hardware locked down so tight that it only allows Windows to run on all non Apple hardware?!?!
Do you think for one second that Apple will not start to use this as well? They'll dress it up a bit better than MS and make it all shiny for you, but they will use it. Then where will you be?
Apple run the most locked-down and controlling hardware/software when they can get away with it. This will be just another way of doing that for them.
And do leave off the ad hominems, they really are pathetic.
You can boot Linux on Apple hardware.
Not that many bother as it's overpriced.
When you buy Apple, you buy a total solution.
I have no objection to people buying total solutions BUT if people want to buy hardware, that hardware should not be crippled.
Will Windows 8 load on a virtual machine without some pseudo signed BIOS? Not sure. Apple won't. (not without serious hackery anyway).
The answer of course is to write BIOSes for all boards that don't have this issue. Are most bioses not in FLASH these days anyway?
Because most people don't care. At all.
Your average (common?) PC buyer buys a PC and is even happy (relieved?) that it comes with an OS pre-installed because otherwise he or she wouldn't have the foggiest idea what to do. And those will be the same kind of people who may even support this movement because well (marketing crap here:) "It keeps my computer safe from booting unwanted or corrupted software such as viruses!".
I see a parallel here, though very vague... The European vote on encryption; the issue which would make it illegal for a household to own an encryption method /without/ handing a copy of the secret key to the government. Of course all in order to prevent "terrorism".
"It will never happen" people said, also because "We would lose our freedom". In the end hardly any political party cared (the attendance of said vote was very low) and it was IIRC Finland who eventually blocked the whole thing altogether. Barely. It didn't even make it to the news.
While this thing may seem huge to us don't lose perspective; your average PC buyer or owner will probably have a hard time understanding what this fuss is all about.
Oh.Yes.There.IS.
This is clearly illegal -- the concept alone is enough to have it declared as an assault. Yes, it would be a physical assault. This really *is* the thin end of the wedge!
There's nothing bad about EFI itself and UNIX/Linux has no problem being made to boot from EFI (Apple already has it) but this "trusted computing" bullshit? This from MICROSOFT?!?!
ALL computing already IS a dozen times more secure and trusted than anything MS has to foist on the world.
"This is clearly illegal -- the concept alone is enough to have it declared as an assault. Yes, it would be a physical assault. This really *is* the thin end of the wedge!"
So "tying" is treated as "physical assault" in Europe? Somehow I doubt that. It is *certainly not* treated as "physical assault" under the Sherman Act, so it would be interesting to know why you have even brought it up, unless, of course, you did so out of sheer ignorance and stupidity.
Indeed they most certainly would. It is impossible to believe that the competition authorities in Europe or in the US would sit still for this - the row would be unbelievable. However that is perhaps the point? The article does not quote MS on this subject or indicate whether any attempt to contact them has been made. I for one would be *very* interested in how Redmond would react to this accusation. If MS actually *wanted* to give Win8 the worst possible start they could scarcely have chosen a better way to do it - and it is precisely that point that causes me to have some reservations about this story. Not because I am under any illusions as to what MS might *like* to do if they could get away with it, I just have some difficulty believing that they would think that they *could* get away with this.
I agree that the EU might well look on this as a form of monopoly manipulation by MS, but the US?
I am not so certain that they would, look at the way the DOJ handled the last monopoly case against MS. That didn't do much harm to MS did it? After all they do invoke the magic words "security" in their specifications for Windows 8 and you know how keen the authorities are on that. It would not surprise me if MS spun this as a tool in the "fight against terror" or something.
So, if I am reading this correctly, MS will be saying that, although you own your hardware, the computer you have purchased, you can not run your OS of choice ?
So what, I wonder, if you decided to reject the EULA at boot up ? Rejecting the T/C's from MS but still having them control your machine or rejecting them and essentially then having a vanilla machine with NO MS junk at all ?
This is one occasion when I hope the EU does throw some weight around and say " get stuffed boys……..".
... the difference here is this :
A device written for a single job [playing games p'raps] only has one job in life. Play the damn games. And yes, it would be great to have one piece of hardware that would play all games, regardless of vendor. Maybe this will be the next step in games evolution.
That is where PC hardware is now. Standards to allow multiple O/S's. This MS proposal is, in my humble opinion a retrograde step and limits choice. At least in the games world, or mobile phone world, there is some choice, not much I grant you, but some.
And right now, I can buy [if I want] any laptop and then shove, say, Mandriva or Ubuntu on it. And then use FOSS and not have to keep coughing up more and more money to a company that I really don't want to. This is about choice. I choose to use Linux, I will decide on what I consider to be a good experience, not MS.
That, my Anonymous friend, is the difference.
Woooah there cowboy. Don't be so angry! I agree with your reply - I agree with your view about this being a horrible thing. As I said, I'm just surprised that you are SURPRISED that Microsoft want to do this.
I use Unix exclusively too. No MS or Apple lock-in.
Love, your anonymous friend.
Then, it should be a NATIONAL/GLOBAL mandate, not one from mshaft.
If it is about letting governments have backdoor, escrowed keys, then it should NOT BE ms that is the gatekeeper of those keys.
Stallman et al need to REALLY quit wasting time ranting about Android and kick it into full gear on this EFI/TC chip. Government COULD demand that all mass-market or commercial/retail consumer computers capable of loading an OS must have a TC-type of BIOS regime, but then, it MUST be an OS agnostic system, not one that helps a piss-ant, ape-jumping company get rid of competitors.
Goddamn microsoft. JUST when I was gradually letting down my hair and easing up on anti-ms ranting, you STIR UP THIS SHIT AGAIN! I hate feeling filled with venom and vitriol, but goddammit, if I had the magic red nuke button, I'd kneecap that company, maybe up to the sternum.
All this benevolent kernel involvement was probably to get on working committees to get legit, timely, deep insight and constant data stream on how the Linux kernel development and deployment works JUST so ms and its root-sucking, jack-ass consortium of fools can support ms in coopting the boot/bios industry to the exclusion of all others, save for Apple.
Now, more than ever, foreign governments need to put a morningstar into ms' ass. In the name of national security, no government should let ms get away with this shit because it means likely only ONE country will have preview or full access to the global escrow.
This IS SCARY, and inFURIATING.
I still have a suspicion that ms has found ways to infiltrate and fuck up the distros distribution for the most popular distros such as Mandriva, PCLOS, Ubuntu and others. I for the past year have had increasing failure rates of installing PCLOS from magazine pressed/distributed discs than ever. It is maddening to have no clue, and no matter how thin or how fat an install, no matter which kernels, I have very little stability. I have no idea why ioslaves are rampantly failing for me. On FRESH installs, I'm talking about. It's so painful it drives paranoia a lot easier than questionable hardware. Each release of the kernels and update of KDE just brings me more and more frustration. I'm at the point where I feel I'd rather PAY $100 or $200 for someone to install it for me and provide me recovery disks and USB devices. But, I sure as hell will have them do it in a near-cleanroom setting, not from their own media and facility and have an opportunity to jack in some backdoor kit. I may inadvertently install a rogue rpm, but it'll be MY error.
OTOH, I sometimes wonder whether the distros themselves may be making things randomly painful by over-providing, or on behalf of hardware dealers who wish they could be part of the build process. In either case, I want LINUX as the host OS, and any windows as a virtualized, sequestered, QUARANTINED GUEST! Not the other way around. It's my CHOICE and my RIGHT, and ms should be fracking happy they at LEAST get a legit sales via a legit consumer purchase out of me since my desired apps don't run well in wine or not at all in Linux.
If this was offered as an option at point of sale. I can see some benefit in corporate security terms in preventing a PC from booting from an "alien" OS eg off CD.
On the other hand if implemented across the board (no pun intended) it could well make homemade tools and recovery discs useless as well as dual boot systems.
But it would still boot off a signed CD (e.g. Windows).
If you don't want anything unauthorised booting it, turn off the boot from CD (floppy, usb, etc. etc.) options.
Even better, don't have a CD drive; lots of attack vectors suddenly disappear, and you don't want admin people walking around with CDs anyway; store them all on an admin only share.
It would *force* a company into a piecemeal upgrade of their systems.
No mid-to-large company wants to do that - they want to keep everybody on the previous version until they can shift everybody onto the new one.
This future is one where a company buying a new computer can *only* run the new OS on it. Your PC died and you need a new one, and it needs to run your legacy apps? Sorry, but MS says you can't do that.
You need those legacy apps to do your job? Oh, what a shame.
This would kill the Microsoft Windows PC, as no corporate could afford to accept it.
Businesses buy Windows PC's for end users. Consumers buy Windows PC's (and sometimes Apple's products)
Where exactly do you think the huge drop in sales is going to come from that would alter what manufacturers do? Do you honestly think that the tiny minority that run something other than Windows or Apple's OS, are going to influence manufacturers in any way whatsoever?
There are a variety of reasons why this initiative may fail dismally, and thankfully not make it to market, but a drop in sales isn't one of them.
"Where exactly do you think the huge drop in sales is going to come from that would alter what manufacturers do? Do you honestly think that the tiny minority that run something other than Windows or Apple's OS, are going to influence manufacturers in any way whatsoever?"
Um, do you have any idea how often the typical Linux user is asked for hardware purchase recommendations by non Linux users ? As far as I'm concerned, if hardware doesn't run Linux, by being closed, this means it's probably undocumented and barely tested, and we have no way of knowing how crap it really is. So it's likely to have problems being upgraded to the next version of ProprietaryNClosed OS, for which even the next forced patch level may very well break it.
Anyone who had to tell people to throw away cheap Winmodem crap once the software which worked on Windows N didn't work with Win N+1, and the manufacturer had lost interest in maintaining the drivers will know all about this.
Is only PART of the after-effect. For even daring to take part in such heinous acts they need to suffer severe legal retribution, plain, swift, simple, and enduring so they learn to not cozy up so much to a company that behaves like a tyrant yet donates to charitable causes to soften its rough edges.
Would ms and its chairpeople donate if the company's public image were not so under siege?
So, they finally feel bold enough to pull the trigger on Trusted Platform Computing? With the proliferation of tablets, cheap computers (Raspberry Pi), and phones?
Microsoft really thinks they are big enough to tell the PC makers "Hey, we want you to jump on this grenade to save us. Don't worry about the inevitable anti-trust suits, don't worry about having to keep your servers and your personal computer lines separate because servers need to run Linux, don't worry about anything but protecting Microsoft. GO!"
Wrong, GNU's Not Unix, but this is just blah blah and has nothing to do with what I'm saying here. Oracle (and Java probably too) aren't supported on FreeBSD, OpenBSD, NetBSD, fooBSD and barBSD while they are on RHEL, SLES, HP-UX, Solaris, AIX and even on Tru64 and this is what matters for servers. If you are OK with a limited box, then you may go with SheevaPlug and happily live together ever after. Most customers aren't and they want Linux.
Ramazan, you are typical of the sort of fanboi I was referring to.
Have you looked at the top netcraft servers? Generally at least 4 out of 10 run FreeBSD. In the latest survey, there were more FreeBSD than Linux! http://news.netcraft.com/archives/2011/09/05/most-reliable-hosting-company-sites-in-august-2011.html
I also know MANY MANY enterprise servers that run FreeBSD, NetBSD, OpenBSD, etc.
netcraft themselves, yahoo, ISC, etc
Unfortunately, many of my customers are gradually switching to Linux, because a lot of the so called "unix" experts are only used to the many non-standard linuxisms with respect to unix (or unix like) implementations.
Why, isn't that smart? You buy a second-hand computer (not now, but say a tech generation or three after this gets put in practice) but no new copies of windows will run on it because the keys are "too old". And any alternative won't run at all. I can see why they like this idea. And now is a pretty good time to go for it, now that everybody knows that good handling of keys is essential and my aren't they proactive and Stuff. Only they're screwing you big time, like your computer is a game console. Only you didn't get the discount on the hardware. Way to productize your customers, micros~1.
I can't believe people didn't see this one. Even if they lose money on this now what it offers, in the future, is the ability to charge the hardware makers more in return for more sales.
Oooh IT downturn you say, we've got a new shiny shiny, but to use it you need to pay $X for each motherboard for your license to the key, so make them nice n pricey the sheep won't notice they'll just have to pay for a whole new system if they want it. They're used to that now...
Oh n don't forget as part of the key license, you're only allowed to manufacture Y number of boards for those other OS's (erm non conforming boards)
Our only hope against this IS government intervention against the M$ monopoly. That has always worked in the past.... Ohhh.
It's a crying shame, but somehow I'm sure there will always be a market in motherboards that aren't crippled in this way.
Such a move would also create a new market in high quality firmware cracking tools just as there are already high quality Microsoft cracking tools. 'High Quality' means that they work and are not malicious, which is ironic because the copy protection mechanisms that they remove often do not work (self evidently) and are malicious (you're basically being spied on).
Inevitably though such firmware lockout schemes will make it into the millions of low quality computers that Dell and Acer must be selling at cost price these days. All Microsoft has to do is offer them another couple of dollars off Windows and the temptation to screw their customers would be overpowering as usual.
There is probably a market for this kind of thing in set top boxes and the like, when manufacturers want to sell their hardware as a loss leader, and don't want some "scum" "bag" installing a proper OS on it and using it as a cheap PC. The Xbox will probably have this new firmware in it. But then the Xbox also breaks 5 times a day so there you have it.
The Great Jobs and his closed system goodness started all this and I hope the ifundies are proud of themselves for perpetuating it until it reached this epitome of ridiculousness.
If this isn't stopped then Microsoft have everyone by the curlies.
1. Assuming the ARM incompatibility re current windows apps is true - whole new app & systems will have to be upgraded, at once. Costs of which will kill small companies stone dead. Not to mention the lost business all such fundamental upgrades always bring.
2. Even if there *is* a way of bypassing it companies won't use it because of fear of being sued for using jailbroke software stacks. Think I'm a pessimist? Just look at the legal battles over curly corners happening right now.
3. Every single update will most likely break the jailbreaks that worked before. Another reason non MS will be killed in the commercial appspace. Companies just can't stop for 36 hours every time MS brings out an update.
This is the point the various monopoly commissions need to step in and kill this stone dead - if they don't it's going to make the credit crunch look like a fender bender. Companies will fall left right and centre, destroyed by the very IT they rely on.
There is something even worse to contemplate. Let's assume, for example, Nokia drops WinPhone and keeps with Symbian and MeeGo. How hard would it be to introduce a bios level incompatibility? Ditto Android & even iOS. Syncing therefore impossible - or maybe modify Exchange to not talk to anything Linux based... And call it a bug, that we just cannot seem to fix...
If that happens there are two possibilities. Firstly, we all bend over and take it up the tuchus. Secondly - Microsoft single handedly make the desktop/laptop extinct. Whichever happens people and companies will suffer during the intermediate period and ultimately we all will as a result.
This is an extremely dangerous possibility and an entirely plausible one. And people wonder why I hate iFundies and the Steve they rode in on...
This has all the hallmarks of not just Microsoft but the whole "content" industry, whose efforts to ensure a secure copy-protected delivery chain at every stage from disc (or network) to screen have been so helpful to PC and TV users and content consumers in recent years. Not.
Apple make what are essentially unencumbered PCs -- which can be loaded with any OS you like. For the time being at least.
A Mac is just a perfectly standard Intel PC with the addition of a hardware EFI bootloader interface ... that's not a problem. You can run Linux, Windows or BSD Unix without a hitch either as a primary or secondary OS, as several comments have already mentioned.
What is being proposed here is that your hardware would be unable to run anything but the copy of Windows it came supplied with and NOTHING ELSE.
That's simply not the same thing, nor is it even remotely legal.
The whole thing smells of desperation on the part of MS.
The only benefit is to stop malware infecting your boot-up. As soon as the boot executables are nobbled, their signatures will change and the UEFI firmware will reject them. If the machine will only start securely signed bootloaders, it's therefore game over for the trojan trying to gain control of your PC during initialisation.
Unfortunately, there's no way (as it stands) to tell the difference between an unsigned malware-infected bootloader and an unsigned bootloader for Linux.
...there have already been cited instances of signed malware (indeed, malware signed with keys too ubiquitous to revoke--Realtek makes most of the mobo sound chips on the market; bye-bye sound?). What's to say some malware group enlists or worms a mole into Microsoft such that they can get at Microsoft's private keys? Or employ GPU-augmented botnets to find weaknesses in the signing algorithms? Either way, the end result would be a SIGNED malware bootloader. THEN what?
Won't work. Ever.
Just like the DVD scrambling didn't work, and ditto for Blu-ray, PS3, HDCP, printer-ink cartridges, iOS, etc... People will break / leak / work around the keys.
There are already viruses that tamper with the BIOS. There are already viruses that get around only signed software installs / drivers, etc.
What it will (possibly) do is make it harder for people to install any OS they want. Apple might be happy because machines won't run Mac OS X (without even more effort).
Windows / OEMs may change the keys from one generation of Windows to the next or between OEMs, etc. No putting new windows on old H/W; you have to buy new H/W. No putting that HP OEM Windows on a home-build or Dell box.
Maybe even stop people putting old Windows on new HW. Enforced upgrade cycles are good for everyone (except the customers).
Instead of assuring only Windows will be allowed to boot, why not lock up the boot sector with a switch that has to be set? For the consumer who is smart enough to install a new operating system, setting that switch will be no real big deal. Unless this switch is set, it will be impossible to modify the boot record. Just a thought.
It's been a while since we had a Professor Anderson story...
I will just observe that his blog post says: "I hear that Microsoft (and others) are pushing for this to be mandatory"
ie: He doesn't know that they are, but someone has said to him that they may be. It's the sort of thing that I'd take with a pinch of salt if I heard down the pub.
MS aren't going to support something that stops people running what they want on their own machines, the anti-trust guys would be down on them like a ton of bricks and they know it. However the combination of Prof "Against the banks" Anderson and an anti MS story chimes so strongly with Reg Commentators that he must be 100% correct and MS must be 100% evil and it doesn't even need to be checked out for basic facts or plausibility.
I was just trying to inject a little sanity into this "debate".
The story is obviously rubbish, no quotes from anyone in MS to back it up and even the person "quoted" said that "he has heard" rather than he actually knows. Besides this no-one has bothered to pause for a second and think that this will prevent all other MS OSes from working if adopted.
So it'll be impossible to run Linux on new PCs? Like it's impossible to run Linux on PS3s, Xbox360s, and Wiis? Oh, wait a minute....
Yeah, nothing to worry about. We always have Linux bootloaders for consoles within a year of them being released and that's with just a small subsection of the Linux community working on it. When you start talking about PCs and give all of the Linux community a vested interest in making it work, I'm guessing you'll see this cracked wide open within a month or two of it hitting the market.
In Bill G's own words:
From: Bill Gates
Sent: Sunday, January 24, 1999 8:41 AM
To: Jeff Westorinon; Ben Fathi
Cc: Carl Stork; Nathan Myhrvold; Eric Rudder
Subject: ACPI extensions
One thing I find myself wondering about is whether we shouldn't try and make the "ACPI" extensions somehow Windows specific.
It seems unfortunate if we do this work and get our partners to do the work and the result is that Linux works great without having to do the work.
Maybe there is no way to avoid this problem but it does bother me.
Maybe we could define the APIs so that they work well with NT and not the others even if they are open.
Or maybe we could patent something related to this.
Source - http://groklaw.net/staticpages/index.php?page=ComesExhN05#E3020
vendors will have to provide an option for installing keys in UEFI by the clients, by "clients" I mostly mean "corporations". These use Linux on servers in thousands, and won't give up only because some vendor thought not to make their ware fit for user requirements; they just change the vendor. That's what competition is for.
Once vendors have to go through the work necessary to make UEFI keys installable, there is absolutely no reason not to make similar functionality available on "normal user" desktops. Doing otherwise would give them plenty of bad press, just as (some) vendors started supplying drivers for Linux and generally pretending that they care.
Even if competition does not force that, consumer protection laws (at least in EU) will.
So nothing really to see here, move along.
I think it should be an option....
If when you go to PC World, you get a brand spanking new PC, with Microsoft all over the box, and a MS operating system pre-installed. and that you can ONLY install the same version of Windows on that PC with no other choice, then so long as the price tag reflects that your choices for future expansion are limited then that's fine by me....
Let's face it... most people who go into high street shops to buy a PC, run the OS on it, and by the time they have finished paying the finance they go buy another box... this will not make the slightest difference to them.
So long as I can still go to my favourite PC hardware supplier and select what components I want and put together my own machine, install whatever OS I want, then that's where choice comes in...
so long as corp buyers can buy whatever systems they want, maybe even self sign an OS install so their own particular build of OS is the only one to work on the hardware they bought is a good thing... The IT department can still have signed boot disks to boot live versions of OS's..
There is no way motherboard suppliers will only start to produce boards that will only allow one type of OS... they are not stupid enough to shoot themselves in the foot, not since the notorious meeting bill had with IBM anyway....
From Matthew Garrett's blog:
"Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load."
So assuming windows 8 will have these Pkek keys the first exploit of windows 8 would then allow the malware to add the windows signing key to the blacklist and render the machine unbootable.
Or at least that's my cursory take on it.
Foot meet high velocity projectile :)
> the first exploit of windows 8 would then allow the malware to add the windows
> signing key to the blacklist and render the machine unbootable.
More likely, the FOSS guys would spend significant effort getting their keys into the whitelist. And, of course, those keys would be publicly available, so as to ensure users could install the bootloader of their choice...
Vic.
Er... you can run Linux on Apple hardware. They don't lock the bootloader. I've run Ubuntu as the primary OS on a MacBook Air (2010) for several months i.e. erasing and replacing Mac OS entirely.
Hardware-wise it's the best laptop I ever bought. Software-wise I think Apple need to up their game, OS X is infuriating in some respects. Mainly in multi-monitor setups. Sorry but the idea of a global menu and dock which appears only on one monitor is ridiculous. Also they should be embarrassed to advertise "full screen apps" and "cut and paste files" as new features in Lion.
Apple do not lock the hardware *yet*
Not even MS demands that OEMs lock the hardware *yet*
Do you get the point? It's NOT about what you have now it's about what you WILL BE FORCED to have. It's just like you cannot use HDMI due to the various vested interests deciding that your freedoms and your rights mean jack-shit.
I mean, for the people/groups who like to create their own operating systems? Won't there be something out there that will cater for them? And would it be as simple as just deactivating this security?
This reminds me of the time when DVD players became popular - everyone wanted to know how to remove the region lockout on their drives in order to watch films from other regions. I could see something like this happening.
I don't honestly see a problem with the hardware on your machine verifying you have the right to boot a certain OS, but if this is just Microsoft trying to freeze out the open source community then they will need to go and sit on the naughty step for a while..
However all the technologically illiterate who 'just want it to work' wouldn't even think to question the salesman saying 'and it's safe to use since it will only run windows'.
I can't see anything like this succeeding, but then maybe they are just trying to sneak in another nasty and are using this as a distraction.
ttfn
No-one has mentioned hypervisors yet.
If you can boot a hypervisor, then you can run Linux, Windows, whatever under it. If you can't, then you are cut off from a lot of technologies that I expect will break out of the datacentre onto the desktop, as network bandwidth and hard disk sizes increase.
To take just one example: if you want to secure your data in a corporate environment, you want the hard disk behind locked doors in the datacentre or a data-safe-closet. Given a Gbit or faster network, that's easy. Boot a hypervisor on the desktop, then boot the disk in the datacentre across the network.
Perhaps the BIOS of the future ought to BE a hypervisor? Just as long as it's open to all client O/Ses, of course.
It all comes down to the question: is this bootloader recognized as correctly signed by UEFI? This is a valid question as long as the hypervisor is loaded from the bootloader; but probably not so if it's all in BIOS.
Whilst I can imagine some machines will come with keys locked down in UEFI (still there would be hacker tools to change/add keys, pretty sure of that) it is going to be a low segment of the market, if it happens at all. Perhaps tablets/laptops, too.
Anything that might be used with a hypervisor (or open source OS): servers, barebone systems, motherboards alone etc. would provide an option for the user to install keys. Either competition or customer protection laws will force that. In other words, I don't believe vendors will be allowed (by either of these two forces) to ship systems which, by design, are unable to run an open source OS.
The prof says:
"I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user"
He then links to a blog post which says:
"There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code."
Perhaps they should talk to each other and compare notes?
http://www.prnewswire.com/news-releases/american-megatrends-announces-aptio-uefi-bios-support-for-windows-8-uefi-development-pc-at-build-conference-129744348.html
Unless AMI wants to offer a BIOS right now that runs none of the OSs available today, they have to provide a way to turn that damn thing off. But if Windows 8 won't boot without it, that still means that I will have to keep switching that thing on every reboot when I want to run another operating system.
Looking squarely at security for the common home or small business user this is a good idea - just make it so you can turn it off in the bios.
If you know how to install Linux, you'll know how to turn it off.
Making it impossible to turn off is overkill and I don't think it would happen unless there was a commercial imperative (i.e. subsidised hardware or software purchased as a bundle).
Power users would know how to change it (so they can install Linux on it), my parents would have no idea there is such an option and thus their computer would be no safer for it.
I'd rather have signature check turned on by default, thank you very much. Even if I don't benefit from it directly, thousands of average Joes would. And that would, among other things, make the Internet a slightly better place.
What a load of bollocks. Controlling what can *boot* on the machine [*] is a fairly trivial thing, and can be easily circumvented by: 1, lack of physical access to the machine; 2, not leaving it running with admin privs; and 3, a hardened IT policy that disables access to booting from specific devices (USB/SD, etc). Once the machine has booted, will this supposed security continue, or will Windows be as pwnable as before?
* - on XP machines where people have shut down badly and the thing boots to UNMOUNTABLE_BOOT_VOLUME messages, it is hell to get Windows to recover itself from a simple disc map corruption (because the recovery console is an add-on, not a standard issue). It is, however, a breeze to drop in a copy of Hiren's BootCD, fire up the NTFS version of DOS, then run a pass with chkdsk. Losing that sort of functionality will be annoying unless Microsoft fix their recovery tools, but given the (XP) version of ScanDisk couldn't detect a FAT disc on fire, never mind mildly corrupted, and that - believe it or not - command line chkdsk (actually vfat) has a habit of crashing when anything goes wrong, I don't trust Microsoft one bit in this respect. Their disc recovery tools are mediocre at best. Not something you want to discover when your supposedly secure computer got owned and now the damn heap is throwing up messages telling you that your recovery stuff isn't going to be booted...
The ability to RECOVER from a disaster is maybe even more important than avoiding problems.
Ensuring that your lost data is irrecoverable -- well that seems to be Microsoft's idea of security.
Some kind of Linux boot disk, most any kind of Linux boot disk, is often essential to recovering Windows machines.
UEFI in its purest form is there to increase security on the end PC. Rather than bitching and whining about how signed OS's (not Windows specifically you note) are the only ones that will work with this tech, why doesn't the open source community modify lunix and other distros to be compliant / compatible? So far as I can see people are all hankering to cater for the lowest common denominator.
> why doesn't the open source community modify lunix and other distros
> to be compliant / compatible?
Because FOSS is about Freedom. The Freedom to roll your own version of the OS, for example.
In order to do that, you'd need to be able to sign it yourself with a key that is accepted by any putative lock-down UEFI. That means having a signing key readily available to all.
And if you can do that, then locking down the UEFI serves no purpose whatsoever, as anything that wants to circumvent it can do so trivially. The key would be readily available, y'see...
Vic.
You are perfectly correct but missed one thing : as long as the user is able to add own public key to UEFI , he will be also able to use own private key to build Linux, and such kernel would be validated by UEFI. So assuming this comes with option to add user-defined keys, there is nothing preventing Linux from running on such a machine. Installation might be slightly more complex, that's it.
I don't believe we are going to see PCs without ability to add own keys and without ability to disable this protection, so the whole article is just alarmist nonsense to me (feel free to vote me down). If this were to happen, I'm certain there are laws in place (consumer protection and x64 server market, among other things) to make vendors think twice.
...man can use for ill. Picture your scenario. Guaranteed, a malware will come along, able to hijack the keyboard and USB bus on low-level, and make out like it's you monkeying with the key registry. Purpose? To add a malware's signing key to the registry. Now it can safely take over the boot sector. Next time the machine boots, it sees the malware boot sector...but it's signed and the key's known. KABOOM! Remember, SIGNED malware already exists. It can happen again.
> You are perfectly correct but missed one thing
No, I didn't.
> as long as the user is able to add own public key to UEFI , he will be also
> able to use own private key to build Linux
And if keys are readily available to sign Linux / alternative OSes, they're also available to sign the malware.
IOW, this whole plan would be a total waste of everyone's time and money. Except Microsoft's, of course; they'd make out like bandits. Again.
Vic.
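The key handling argued over in the comments above (the quoted whitelist/blacklist rule and the user-enrolled-key scenario), as an added example that is not part of any comment or of the UEFI specification. It is a toy model: HMAC stands in for real public-key signatures, and the names `Firmware`, `update_list`, `may_load` and all keys are constructed for illustration.

```python
import hashlib
import hmac


def sign(key: bytes, data: bytes) -> bytes:
    """Toy signature: HMAC-SHA256 stands in for a public-key signature."""
    return hmac.new(key, data, hashlib.sha256).digest()


def key_id(key: bytes) -> str:
    """Short identifier under which a key is stored in the firmware lists."""
    return hashlib.sha256(key).hexdigest()[:16]


def update_request(which: str, key: bytes, signing_key: bytes) -> bytes:
    """Authorisation tag for a request to add `key` to the named list."""
    return sign(signing_key, which.encode() + b":" + key)


class Firmware:
    """Hypothetical firmware holding one Pkek, a whitelist and a blacklist."""

    def __init__(self, pkek: bytes):
        self.pkek = pkek
        self.whitelist = {}      # key id -> signing key allowed to boot
        self.blacklist = set()   # key ids that must never boot

    def update_list(self, which: str, key: bytes, auth: bytes) -> bool:
        """Accept a list update only if it is authorised with the installed Pkek."""
        if which not in ("whitelist", "blacklist"):
            return False
        expected = update_request(which, key, self.pkek)
        if not hmac.compare_digest(expected, auth):
            return False
        if which == "whitelist":
            self.whitelist[key_id(key)] = key
        else:
            self.blacklist.add(key_id(key))
        return True

    def may_load(self, image: bytes, signer: str, signature: bytes) -> bool:
        """Blacklist is checked first; then the signer must be whitelisted and
        the signature must match the exact image bytes."""
        if signer in self.blacklist:
            return False
        key = self.whitelist.get(signer)
        if key is None:
            return False
        return hmac.compare_digest(sign(key, image), signature)


def demo() -> dict:
    # All keys and images below are constructed sample values.
    pkek = b"constructed-pkek"
    vendor = b"constructed-vendor-key"
    user = b"constructed-user-key"
    vendor_loader = b"vendor bootloader image"
    user_kernel = b"self-built kernel image"

    fw = Firmware(pkek)
    fw.update_list("whitelist", vendor, update_request("whitelist", vendor, pkek))

    r = {}
    r["vendor_boots"] = fw.may_load(
        vendor_loader, key_id(vendor), sign(vendor, vendor_loader))
    # A self-signed kernel is refused until its key is enrolled.
    r["user_before_enrol"] = fw.may_load(
        user_kernel, key_id(user), sign(user, user_kernel))
    # An update not authorised with the installed Pkek is rejected.
    r["forged_update"] = fw.update_list(
        "whitelist", user, update_request("whitelist", user, b"not-the-pkek"))
    # The same update authorised with the Pkek is accepted.
    r["owner_update"] = fw.update_list(
        "whitelist", user, update_request("whitelist", user, pkek))
    r["user_after_enrol"] = fw.may_load(
        user_kernel, key_id(user), sign(user, user_kernel))
    # Enrolment covers the signed bytes only: a modified image fails.
    r["tampered"] = fw.may_load(
        user_kernel + b"!", key_id(user), sign(user, user_kernel))
    # Blacklisting wins over whitelisting: the vendor loader stops booting.
    fw.update_list("blacklist", vendor, update_request("blacklist", vendor, pkek))
    r["vendor_after_blacklist"] = fw.may_load(
        vendor_loader, key_id(vendor), sign(vendor, vendor_loader))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model everything rests on who can authorise a list update: whoever can do so can both enrol a new signing key and blacklist an existing one.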
"Anderson describes this as a return to the rejected Trusted Computing architecture"
Yeah, I remember how that actually useful technology was rejected because a bunch of overreactionary nerds couldn't keep their M-dollar signs in their pants long enough to actually figure out how it worked (it doesn't do anything unless you use something that calls on it, just like the DRM that's been in Windows for about a decade), that it was COMPLETELY FUCKING OPTIONAL (in most cases you can pull that eeeeeeeevil TPM chip right off the board!), or that there were NUMEROUS attempts to bring TC functionality to Linux as well as Windows. It's still around of course, but now it's actually quite difficult to find a good board with a TPM. Yet when Pimp Daddy Steve actually DID start telling the world what programs they could and couldn't run on the hardware they bought, many of the same nerds were conspicuously silent, just like they are today about Win8 ARM. Funny, that.
I don't know about you all, but to me, the thought of a BIOS or Option ROM rootkit (http://www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf) completely controlling my computer without me ever realizing it is a bit scarier than the thought of eeeeeeeeeevil M$ maybe potentially sorta possibly doing it in a way that everyone on earth will know about, in which case I'd STOP BUYING THEIR SHIT. It would be nice if you idiots would stop ruining things for everyone who actually cares whether their computer's lowest-level firmware has been tampered with.
There is plenty of knowledge out there when it comes to modifying BIOS ROMs.
Perhaps this is why Microsoft are suggesting this as some cack-handed way of protecting their IP.
However, I expect any system such as this implemented in UEFI would be undone or worked around in about 5 minutes.
Essentially, these large corporations would spend a fortune trying to implement this only to have it undone by a group of enthusiasts.
We've seen this happen sooooo many times.
Christ, even master keys get leaked ffs.
... there are plenty of servers and not all of them run Windows. Actually, a significant part run on open source, since it makes support options cheaper.
So if there are server vendors wishing to lose a business, they are welcome to do so - there will be plenty left to buy hardware from.
So no, this isn't going to happen (and I very much doubt Microsoft would even seriously consider pushing vendors in this direction - they paid enough fines already).
First let me kill one particular misconception: MacOS X is *not* a walled garden. If you think it is, you're thinking of iOS, and even that is pushing it, because people have jailbroken that. UNIX-based OS's (like MacOS X and iOS) cannot be a walled garden.
Now the reasons why the "forced Windows" will never come to pass:
1) Windows 8 will tank, harder than either Vista or ME, and it will be for the same reasons Office 2010 is still being eschewed in favor of Office 2007. Their 'ribbon' menu system is so vastly different than what people are currently used to. This is NOT what you want to force on less-computer-literate users who are used to the current "File Edit View" hierarchy. As for the "tiles" interface, it's not working for Apple (how many do you know actually use the "Launcher" as the main interface), so what makes MS think it will work for them on a desktop OS?
2) MS would have to make this LAW to succeed at it, and they would have to do it WORLDWIDE. Good luck with that, and good luck with the lawsuits from Apple and Google (both of whom have far better legal resources than MS) that would result from even TRYING to push this through law. Why would they sue? Because such a law would also illegalize MacOS X (UNIX), iOS (UNIX), Chrome (Linux), and Android (Linux)...not just the smaller UNIXes and Linuxes.
3) Because they would never be able to pass this worldwide, there would result in a grey-market for computers that can run other OS's, yet identify to internet routers as Windows to allow them online, completely killing the effectiveness of their plan.
There are simply way too many ways to keep MS from doing this. Their plan to lock everyone into Windows is a cry for desperation from a company that is hemorrhaging money. At this current rate, I don't see MS as being a viable company past the end of the decade. Look in comparison: MS tanked HARD yesterday in the stock market (about $1/share, but that's still about 4-5% - probably over the news that Bing lost them $5.5 billion over the last year), while Apple is posting its highest numbers EVER... *without* Steve as CEO! Wall Street knows where the companies are heading already.
Apple will welcome this. They sell a hardware+software stack (to stay in el reg terminology) and *do not want* anybody selling hardware for the purpose of running their software on it. So they'll take this, put their own keys in the BIOS*, and lock down their bootloader to their own hardware. No more hackingtosh.
And the ribbon? Remember how lose '95 was oh so different from lose 3.*? People wanted it so bad, just like how they felt they needed 3 "for the multitasking" a few short years earlier. Despite better OSes that actually did multitasking being available. With enough marketing push this'll go through. Just convince "everybody" it's the shiny micros~1y future and you don't want to stay behind in backwardistan, do you? It's quite amazing what influence a little marketeering can have on the great unwashed masses.
As to having to succeed world-wide, no they don't have to. Their primary market is the fortune 500, so shove that chock-full of this and the herd will follow. They already can enforce this through the DMCA and the USoA's stance on copyright and big corporate trading interests (in a nutshell: everybody else must bow to that, period). That there's a couple linux fanbois out there crying bloody murder, oh well, "they had it coming and good riddance", micros~1 will think.
I'm tempted by your analysis, but I don't think micros~1 sees it that way, and they have enough monies to make DC not only buy into their view, but then make it make the rest of the world bow to it too, see ACTA. Then again, micros~1 has been wrong before, and we might yet make them wrong this time.
* Or whatever you're supposed to call it with that newfangled thing.
Do not underestimate Microsoft, they will always attack any competition using any possible measures lawful or unlawful, and their power over OEMs is still stronger than anybody else's like before.
On the other hand, I have a feeling that the number of "friends" is decreasing.
...and their amount of importance/impact on the PC market...mainly Linux users.
Up in arms over possibly being shut out of modern hardware. How they will storm the barricades of computer tyranny (if they weren't busy waiting for a torrent to finish or had to buy more crisps) etc. etc.
The other 99.8% of the computer using world doesn't either notice or care and carries on using Facebook etc.
The world keeps on turning.
As has been pointed out - but you seem to have missed - is that there are a LOT of servers running Linux in the enterprise. If this lock down was implemented then MOBO manufacturers would face losing a lot of market unless they then create a locked down "client" PC MOBO and an open "server" MOBO.
I take it you've never tried "migrating" software that was designed to run on Unix systems, over to Windows?
Never seen the funny quirks that result, due to the software assuming a POSIX system?
Ohh, and of course, Microsoft Windows can do everything that Linux can do, and is every bit as flexible … not!
grub / bootcamp etc.
why?
The boot manager that comes in FreeBSD is less than 446 bytes, and loads up quickly and cleanly from the MBR itself.
Do you Linux fanbois really need a gui boot manager to satisfy your secret windows fetish?
http://www.freebsd.org/doc/handbook/boot-blocks.html
Well there are some positives such as quicker boot times and the end of root kits, if they make it optional fine. Surely we're at the stage where we need some kind of global body to ensure that companies don't employ anticompetitive measures to dominate a market and os have to be certified or something. It's in our own interest to have competition after all even if you're not a fan of linux.
We already have that and it is called the World Trade Organisation. And it's so wonderful that it causes mass leftist riots whenever it convenes. Not to mention that it's the vehicle for ACTA and such. How do you propose we fix them dividing the world in corporations and consumers?
So really what they're meaning is making it impossible for linux users to use linux next to windows in dual boot or single boot. Heh, this wouldn't surprise me, microsoft will try anything to get people forced on windows only. I mean they're making ie 10 with no addon support so you would be stuck with it without flash. Think I'll stick with 7, least it's stable, fast and I'm able to use my own browser with flash.
@PyLETS:
"Um, do you have any idea how often the typical Linux user is asked for hardware purchase recommendations by non Linux users ?"
Yes: once. After that, they've learned their lesson: never bother to ask someone with such obvious sadomasochistic tendencies for advice on anything ever again.
*
- Consoles have been locked down since time began.
- Virtual Machines run just fine on Windows.
Furthermore, GNU / Linux and BSD are *niche* operating systems. GNU/Linux has had *twenty f*cking years* to "make it" on the desktop, and has failed dismally. And not just once, either. But this doesn't mean they're not popular in vertical markets like internet-facing servers, clustering, embedded devices, and so on.
For those markets, it *will* be possible to continue to buy parts for building suitable hardware. But it won't be cheap.
If GNU/Linux and similar platforms were any bloody use as consumer operating systems, the issue of finding computers capable of running them wouldn't exist even if MS did manage to lock down the UEFI: the market for GNU/Linux PCs would continue as, apparently, there's a massive demand for all this "openness" and "freedom" if posts to this website are representative of the general consumer market.
But it turns out readers of El Reg are *not* representative of the general consumer market, so you'll only be able to buy "unlocked" computers from a few dedicated suppliers.
Yes, they'll cost more than a cheapo Windows 8 PC, but guess what? That's what's *supposed* to happen in niche markets!
Cheap *GNU / Linux* PCs are, and always were, a market anomaly. Sucks to be GNU, I guess.
> Yes, they'll cost more than a cheapo Windows 8 PC
Why do you think that a W8 PC will be cheaper than an otherwise identical one with an unlocked MB and no cost of Windows ?
Do you think that Windows is 'free' because it is not a separate item on the invoice ?
If this does go ahead and W8 will only run on locked PCs then there will be no upgrades from XP or W7 PCs, they would have to buy a complete new machine.
Similarly there will be no downgrades with a new machine where the user wants to or must run XP or Win7.
There will be no upgrade vouchers for people buying W7 machines now.
Consequently the OEMs will not put up with this. Buyers will not put up with this. Just like Symbian, Windows 7 would be a dead-end product that will not be available on new hardware and W8 will not run on existing hardware.
It is also possible that W9 would repeat this so that new hardware is again required and W8 dead-ends.
Linux is still running on an 8 year old machine here. That is considerably cheaper than having to buy new computers every couple of years or so.
Perhaps Linux users will just buy cheaply all the 'useless' Win7 computers when those who want W8 have to buy new PCs.
Hrrrm - lessee :
HPUX - 453
AIX - 324
Solaris - 213
Windows - 2845
Linux - 1483
about 85 of those Slowlaris hosts are on x86 UEFI boot.
about 1300 of the windows boxes are on UEFI boot
about 1100 of the linux boxes are on UEFI boot.
I work for a global corporation that both sells and supports UEFI boot hardware.
I really doubt the desktop space is going to drive this decision -
x86_(32/64) systems running something OTHER than windows are far more common these days. UEFI is UEFI - one of the advantages of UEFI is that it can be written once for an entire family of systems. From Desktop to Server.
If MS is applying to lock out any OS without an appropriate key, either the vendors will be making that an option that can be turned off or will be creating a method to update, add, modify the UEFI managed keys. And that action will NOT be complex, difficult or unmanageable. At least around here we're up over 250 servers/head on support levels. Automation is the ONLY way this works.
Long and short of it, I STRONGLY suspect that IBM, HP, Fujitsu and Oracle will beat MS to a bloody pulp on this one, not to mention Cisco playing (warning WoW reference) the rogue in stealth mode, even if HP makes their hardware.
Microsoft had better get their chequebook out if they want motherboard manufacturers to sign on to this, because it offers nothing but downsides to them. Secure boot covers up an extremely minor and difficult to exploit vulnerability, while at the same time increasing development costs and reducing end-user appeal. There might be a niche for extremely sensitive systems to use this technology, but extremely sensitive systems generally don't run Windows to begin with.
So in other words, this is going to die for exactly the same reasons the TCA did.
I suspect the main motivation is actually from Microsoft's 'friends' in Hollywood, however it is indeed disturbing.
If this was purely about making your computer secure, then I would suggest the bios should contain a key generator, that was activated by a hardware switch or link.
In key generation mode it would scrutinise whatever boot program was on the hard drive, store the key internally and do absolutely nothing else. To then run the system the switch would have to be reset.
If that area of the bios was also not flashable when in ‘run’ mode this should protect against any malware attempts.
Too easy?
Could we have a minimal signed boot loader that'll then chain-load unsigned code? Or maybe a signed hypervisor that'll then run the OS as a full-machine VM.
In fact I can see MS doing this; hyper-v being the loader and then allowing other OS's to run underneath it. Of course you'll need a Windows VM to manage hyper-v, and it'll let MS claim they have the world's most popular hypervisor, but...
Will it exclude Windows XP as well? If so, this will not sit well in the corporate world (where XP is king).
Try telling your corporate customers that they've got to rebuild their legacy apps for Windows 8 and there will be dark muttering. Mention Metro and they'll be marching on the castle in Redmond with pitchforks and torches.
Of course, though, this wouldn't stop people from running Linux software with the help of applications such as andLinux. But you would still have to buy a copy of Windows.
What it would do is lock out boot sector viruses - which, of course, would be a good thing, because it would also lock out low-level anti-virus products.
Basically, this is indeed a disaster. But something like it would be a good idea. The right way to achieve this would be for the user to have to go into the BIOS screen, and digitally sign his Windows CD, or his Linux CD, or his antivirus product CD, from there to allow it to be installed - so that viruses, not being explicitly authorized by the user for booting from, would have no chance of invading.
Eliminate viruses not by locking the user out of the machine, but by giving the user more control over the machine!
Another way to do this: let the user go into the BIOS screen and add new keys - so that it would come with Microsoft's public key, but you could add one from your Linux supplier. (Or you could make a public/private key pair yourself and encrypt the kernel you compiled...)
So there is a way to make this work and avoid it ending OS competition.
... doesn't require crypto. All it requires is not giving them access to the boot sector, like, oh, by not running them with admin rights. It's a trick that systems like unix have known for half a century or more. But oh dear that'd require *the user* not to be running with admin rights all the time. And that is something micros~1 cannot bring themselves to make happen. So they "flee forward" and lock the user out of his own computer entirely instead. Why, isn't that bleeding edge technological advancement and industry standard innovation at the same time, I do say.
Don't those two words kinda make the whole point moot? Given a Privilege Escalation exploit, all they have to do is run at any level and you're pwned. Just one more hurdle for the malware writer to clear. It's the big hurdle with Windows Vista/Windows 7 now--getting past their version of the Admin guard: the Universal Access Control. AFAIK, no one's been able to get past UAC directly from userland on 64-bit Win7 yet.
Apple have messed with their firmware for a long time to prevent stuff they don't like running. With them, however, it's old versions of their own OS that are the enemy. Every time a new version of OS-X comes out a few months later boxes leaving the factory come with new firmware that won't let you install any OS-X older than the current version. The first Macs that will only run Lion and higher have just been spotted in the wild.
I'm a certified engineer for the Avid professional video editing platform. Avid is engineered and tested to provide guaranteed performance and due to the level of testing, Lion isn't a certified platform to run it on yet. Not-certified = no support from Avid if it doesn't work. This is a royal pain in the arse for the Avid channel as there's at least a month every time a new OS-X appears when it's not possible to buy hardware that can be used for a certified install until Avid's testing program and any bug fixes catch up.
So far, I've not found a competent Windows PE environment that MS roll (all our PE discs are from 3rd parties [thanks BART] so won't be signed). We use PE and Linux discs extensively in preparation, imaging and fault finding/disaster recovery of machines. To lose those would be a real blow to us. I assume this would also mean it wouldn't be possible to slipstream drivers into older Windows CDs any more (like I've done to help my friends upgrade from Vista to XP) when the XP CD suffered some fatal exception, like not being able to see the HDD controller or drives.
I don't think MS are that worried about people like me running Linux on premium hardware. What I think they would like is to make it difficult for the Linux community to install it on ordinary people's budget machines and thus slow down its spread. We've already seen this kind of behaviour with Windows Vista and 7 putting the immovable MFT right at the end of the boot drive so Windows can't shrink the boot partition to create a dual boot and if a 3rd party tool is used Windows becomes unbootable and needs repair.
Another possibility is that this is politics in the mould of Britain's New Labour: They suggest something so bad that everybody is up in arms then they offer a "compromise" (read "what they really wanted to do in the first place but would have been unpopular.") People are so relieved the first proposal has gone they swallow the new one without a big fight and the proposer gets what they really wanted. If this is the case, what are they really up to?
Smart as he undoubtedly is, The Professor is failing to see the bigger picture. The future is not PCs and x86, it's ARM and Linux/Android. So let M$ get on with hastening their own demise by further restricting the PC platform. Encourage them to do so even. The ecosystem will always come up with the goods eventually, the sooner people kick the Windoze/x86 habit and go cold turkey the sooner we can all embrace the more egalitarian digital future.
I have heard umpteen people say to me they are fed up with all the controls in MS Windows and prefer Linux now. Even inexperienced users who know little about computers prefer Linux. Why? Simple: no constant nags and prompts.
Do I dare say now, it's easier to use Linux than Windows?
I thought they were all made in China anyway. My current one is 3 1/2 years old and I have no intention of changing it yet. And yes I run Linux on it, plus XP on another disk in the same machine.
There will be plenty of people in other countries who would not want this to happen, they would not be able to use their 'unofficial' copies of Windows on new hardware. And would not want to upgrade either.
I am interested to see where this will go, if anywhere. It certainly does look like an attempt to stop other OS's running on X86_(32/64) hardware in a bid to kill competition. That is how it looks but maybe that is not their intention. Come on M$ let's hear from you.
Paris - because.
I may have missed this, but if the myriad Linux and FreeBSD kernel developers can't boot experimental kernels without creating signed kernels then either creating signed kernels will be so easy that there will be no point or all those millions of Linux servers will be looking around for a different architecture.
There might be some mileage in having a machine that can be configured to boot only a trusted kernel, but any machine that lands on my desk had better be able to boot my kernel or it's going straight back to be fixed.