back to article Red Hat engineer renews attack on Windows 8-certified secure boot

A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems. Unified Extensible Firmware Interface (UEFI) specifications are designed to offer faster boot times and improved security over current …


This topic is closed for new posts.
  1. Tom 15


    Surely people should be arguing with mobo manufacturers, not Microsoft. You can't really expect them to require a feature that isn't in their interests. Mobo manufacturers will want to give the option to turn it off as it requires no work from them and makes their boards more valuable.

    1. Nuke

      @ Tom 15

      That is a bit naive. MS will pressurise manufacturers NOT to allow the feature to be turned off.

      MS have massive power over device makers. Their threat is to withdraw discounting the cost of Windows to OEM PC makers who need to buy copies in bulk. No mainstream PC maker can stand up to that threat. In turn, that threat goes back to component makers.

      And it is no good the mobo maker building in a disable switch (hardware or code) because the PC maker would not pass it on to the end user if MS demand otherwise. The PC maker could disable any hardware switch by solder link; and a code could simply be binned after they have installed Windows.

      From then on that PC will boot nothing except that copy of Windows.

      1. frymaster

        MS isn't stupid

        "MS will pressurise manufacturers NOT to allow the feature to be turned off"

        That would leak in about half a second, and trigger a new round of EU _AND_ US antitrust penalties. They don't want that.

        1. Nuke

          @ Frymaster

          Loads of damning things have "leaked" out of Microsoft, from the Halloween documents years ago to their blatent stuffing of Standard Committees with their "partners" in the OOXML affair.

          But they are still here and they still carry on.

          Because most people (politicians especially) worship them as untouchable tin gods.

          1. Goat Jam


            They are the second most evil company in the world (after Monsanto)

            You are correct, things that would be fatally damning for most other companies are constantly made public about MS and they continue on unchecked.

            On the exceedingly rare occasion that they get prosecuted for something they simply throw a few "free" Windows + Office" licenses at education institutions in the complaining jurisdiction and their troubles magically disappear.

            The US won't touch them because the US has only 2 industries of any worth left, Tech and pop culture media.

            These are the only things that the US still has the ability to sell to the world, and it is no coincidence that these two industries are given complete freedom to screw everyone over in order to maintain their dominant positions in their respective markets.

            Should MS, Oracle and Apple fall along with the MPAA and RIAA members then the USA would be truly irrelevant to 95% of the planet.

            I'm sure politicians are aware of this and thus they allow them to get away with anti-consumer practices across the board in order to retain their relevance in world markets.

            All is not lost however because it is a negative strategy and ultimately negative strategies fail.

            Despite their best efforts to use hostile litigation and anti-competitive lock-in strategies to keep at the top of the heap, eventually others will come along who offer better products with less pent up antagonism directed at them.

            People increasingly come to resent being harassed, dictated to and having their choices removed for the benefit of corporate profiteers in another country.

            People no longer *like* Microsoft, or their products. They associate them with boring jobs, and having to wait for ages while the crappy slow corp PC they have on thier desk reboots after a crash . Even longer for patch tuesday, not that they know what patch tuesday is.

            Microsoft and Windows are not cool. There is no "wow, I must get the new Windows phone" factor and the few remaining OS fanboys out there are not enough to sustain the corporation that is the size of the Beast of Redmond. Most of the OS fanboys have the ability (and willingness) to pirate their copies of Windows Ultimate anyway.

            If they do manage to achieve what they are trying to do with this latest lock-in gambit then they will just cause even greater dissent from their existing customer base and increase the rate of user defections to other forms of computing, such as tablets and such.

            The thing that killed the netbook was MS and Intel trying to dictate to the OEMs what they could and couldn't build. In their arrogance they just assumed that everybody had no choice but to purchase PC's, and by creating a set of artificial limitations they could force people to purchase PC's with a more expensive processor and OS just so they could get what they actually wanted, which was a bigger screen.

            Of course this strategy failed spectacularly and simply left a gaping hole in the market in which Apple promptly shoved the ipad to great success.

            If MS succeed in their aims they will just push more people to purchase things other than PC's.

            In fact, it is intel who should feel most scared by this. If MS succeed in tying Windows to x86 hardware then it will be the ARM vendors who come in to take up the slack.

            I'm yet to be convinced that MS will be successful in their efforts to port their full Windows + Office stack to ARM so ARM makers would have no incentive to yield to MS threats and lock their hardware to Windows.

            Even if MS do succeed in getting Windows on to ARM, I doubt very much that most of the ARM vendors would be silly enough to listen to such threats anyway as it would mean cutting off what is currently 100% of their market in order to sell in a new market (Windows) which is completely unproven to this point.

            MS will fail. Every time they try one of the tricks that worked for them in the 90's they will find that those tricks no longer work in the more mature market of today.

            They remind me of Bart Simpson on that episode where Lisa was using him as a psyche test subject and the electrified cupcake.

            Hmmm, cupcake, OUCH!!!


            Hmmm, cupcake, OUCH!!!


            Hmmm, cupcake, OUCH!!!


            1. Field Marshal Von Krakenfart

              @Goat Jam

              Given that MS, Oracle, Apple, Intel and a host of other companies operate from non-'merkin tax havens, and that a significant portion of merkin businesses are owned by OPEC companies/countries, and those that arn't have outsourced most manafacturing to the far east it would seem that apart from supplying the world with petro-dollars, that the USA is truly irrelevant to 95% of the planet, aprt from the bits that it's bombing, invading, suberting or proping up the puppet goverment.

            2. Barracoder
              Paris Hilton

              And the prize for Most Egregiously OTT Comment goes to....

              "Microsoft - They are the second most evil company in the world (after Monsanto)"


              Paris, because she's hOTT.

              1. goats in pajamas

                Top 10

                Somebody has to be the most evil company in the world or the second most, because both evil and companies exist.

                Microsoft have become Mafia like - they extract protection money from people selling other OS's, extort funds from Public Budgets for "licences", tell lies to Government Inquiries and so on.

                Such behaviour is evil. You could also call it stupid, greedy, shallow, destructive, anti-social. Evil's just a convenient catchall term.

                But Microsoft surely are up there with the worst of them.

                Not sure about No2 my self. I think the makers of mines and depleted uranium weapons are a tad worse.

                But they all cause a great deal of poverty of opportunity and shortness of funds.

          2. llewton

            true in the united states of america.

        2. llewton

          rest assured there will be legal action in europe if this goes through.

          -- with or without leaks and "pressure".

          microsoft are threading very thin ice here.

    2. AdamWill

      "mobo manufacturers"

      you do know that, er, most consumers don't buy motherboards, right? they buy computers. and it's a bit difficult to build your own laptop, never mind tablet.

      1. Goat Jam

        You do know that

        "mobo's" are where the BIOS is physically located?

        Of course, being the genius that you so obviously are you are also aware that the ODM's (ie Dell, Packard Bell et al) of this world do not actually make their own motherboards.

        How it works is that OEM's make the motherboards on the behalf of the ODM's (sometimes to their designs, sometimes not) so my use of "mobo manufacturers" is broadly intended to include all manufacturers of all motherboards.

        But then I'm sure you knew that, seeing that you are a genius and all.

        All that semantic crap aside, I have no idea what your point is here. You say "it's a bit difficult to build your own laptop, never mind tablet.".

        This is in fact quite true. In fact I'm not sure how you came to the conclusion that I thought it was otherwise? Are you perchance responding to somebody else's post?

        1. Anonymous Coward
          Anonymous Coward

          Oh look...

          Goat Jam has gone on a large anti-Microsoft rant, full of factual inaccuracies and paranoid assertions, that's out of character.

  2. Field Commander A9


    Users are always in control: if you don't like a locked down computer, just don't buy it! Simple!

    1. BristolBachelor Gold badge

      "if you don't like a locked down computer, just don't buy it! Simple!"

      It's your choice. Where would you like your Etch-a-sketch laptop delivered?

      (It's the only non-locked-down laptop now available after nobody complained about the 2012 MS corruption of hardware manufacturers)

    2. John G Imrie

      Do you know

      How difficult it is to buy a PC without windows on it?

      Now tell me which OEM is going to jeopardize their Microsoft discount by not installing this feature?

      1. Mike Pellatt

        Do you know...

        Now tell me which OEM is going to jeopardize their Microsoft bribe by not installing this feature?

        There, fixed that for you.

      2. Field Commander A9


        Go to your local computer shop and let them make you one from standard parts. Or just DIY your own, since all you need to make a common PC is case+MB+CPU+RAM+graphic card+HDD+monitor+KB+mouse+speakers......I mean, just how hard can it be for an average El Reg reader!?

        Much cheaper than any OEMs and no software pre-installed!

        1. asdf


          So DIY includes putting together your own PCB mother board now too eh? This might have been possible in mid 70s with soldering skills but not so much today. The issue is on the motherboard bios not all the other components.

          1. Ramazan


            Best of all would be to force (by law, of cource) OEMs to ship BIOS/EFI source code _and_ build environment with every MB they sell.

        2. Hugh McIntyre

          Re: simple

          You make your own laptops?

          Simple for a desktop, not so much for a laptop...

          Plus even home-made desktops generally start with a motherboard which already contains BIOS, etc.

        3. Tom 35

          Build your own laptop?

          Lets see you build your own laptop...

        4. diazamet

          And for a laptop????

    3. h 2

      @Field Commander A9

      In the same way no one bought copies of "locked down" DVD's

  3. David Austin

    This could all be fixed in a simple way; The Unified EFI Forum could mandate in the UEFI Specification that SecureBoot can be toggled on or off. Bonus points for mandating a way for end users to upload their own signing keys.

    The first could be possible - I think there's enough different voices in the EFI Forum to power this through. I can see the second option being more of a problem, but at least then Power users will have the tradeoff option for potentially allowing rogue bootcode against installing any OS they wish to use.

    To be honest, it's not Microsoft abusing this that I'm too worried about; Apple have a track record of playing the walled garden game, and their mac hardware already use EFI to boot - I can see them jumping at using this to lock other Operating Systems off their hardware.

    If this goes through as planned, good luck trying to install Linux on the 2013 Macbook models....

    1. Red Bren


      Apple are happy for you to run other OSs on their hardware. They even provide tools and drivers. What they object to is you running OSX/iOS on anything other than their hardware.

      1. Anonymous Coward
        Anonymous Coward

        I like Bootcamp and i like Apple hardware...

        but I haven't managed to get AROS running on one yet.....

    2. This post has been deleted by its author

      1. Field Marshal Von Krakenfart

        "This most likely requires re-seating a jumper or something similar to assert "somebody is really physically at the hardware"."

        Why do you assume this will be a hardware reset, my suspicion of mickeysoft would say it is going to me more like connect to the interweb and then phone the premium line, have all your licence keys handy....

        "so anything signed with Microsoft keys loads up on your new machine"

        Including MS genuine (dis)advantage, mickeysoft DRM, etc.

        There seems to be a simple solution to all this, don't but MS.

      2. Ramazan


        I have read the spec you mentioned. These your statements are wrong:

        "The spec mandates that there must be a method to clear the platform and enter 'Setup Mode' again if the keys are lost. This most likely requires re-seating a jumper or something similar to assert 'somebody is really physically at the hardware'."

        What's said there is different from your version:

        27.5.2 Clearing The Platform Key

        The platform owner clears the public half of the Platform Key (PKpub) by calling the UEFI Boot Service SetVariable() with a variable size of 0 and resetting the platform. If the platform is in setup mode, then the empty variable does not need to be authenticated. If the platform is in user mode, then the empty variable must be signed with the current PKpriv; see Section 7.2 for details.

        This means that once platform is in "user" mode with MS keys, you're screwed.

    3. henrydddd

      pure greed plain and simple

      From an engineering standpoint, this who concept of a secure boot can be handled from a hardware change. If you have a switch ether on the motherboard or a jumper on a hard drive that when set, the mbr cannot be written. In the early 90's, motherboards had a bios switch which (in the bios setup there was on option of lot letting the Master Boot Record to be updated), when set would accomplish almost the same thing (like not letting malware update the mbr). I often was thwarted in installing an operating system when the words "an attempt to update the master boot record has been made" and I would ether have to go to the bios setup screen or answer a question "do you wish to proceed?". Some might complain that malware might reflash the bios, but a switch on the MB or disk drive would eliminate that worry.

      Considering how MS, Apple and others have attacked Linux, and Andriod, it should be painfully obvious that MS is using this approach to totally control the user. MS does not want a repeat of their mobile phone falling off the map. If you are a Windows user, you might just ignore this, but you also might have a few problems installing Windows 9 on a computer with Windows 8.

  4. ez2x

    Checkmate, freetards!

    Says billg

    1. llewton

      shareholders are curious

      with microsoft bleeding billions all over the place, will this attempt be worth the anti-trust fines, and the reversal/adjustment of policy that will be required of the company.

  5. Anonymous Coward
    Anonymous Coward

    Common sense...

    Just a little application of common sense:

    If MS force this, it will mean that you can't install any of their older OSes on new hardware.

    MS aren't stupid, they realise that there is a massive market in running their older OSes on new hardware, therefore they're not going to make hardware manufacturers prevent the end user from diabling. More than likely they will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc.

    1. Anonymous Coward
      Anonymous Coward


      they would just force you to upgrade. Not sure they really want anybody to still be running XP into the next decade.

    2. Nuke

      @ 1st Post AC - You've missed the point

      Wrote :- "More than likely [Microsoft] will attempt to force hardware manufacturers to include a disable switch so that end users can continue to run XP, Vista, 7, 2003, 2008, etc. etc."

      Crickey, you've managed to miss the point of this. Why the heck would MS want to do that? They want to SELL Windows 8, not let users get away with using XP or Win 7 for longer.

      And of course, MS want to lock out Linux and BSD from PCs.

      They wont get away with this nasty trick in the professional and server market (where it will be the USERS who "force hardware manufactures to include a switch [or the key, whatever]"). What it would stop though is the private user, having bought a PC from the high street, installing Linux - or just giving it a try. MS hate the private user doing that.

      Basically, this is part of MS wanting to turn the PC into a media platform, like a TV or phone, all on MS software and out of the users' control.

      1. Anonymous Coward
        Anonymous Coward

        Being a bit realistic

        Microsoft's main customers are corporate desktop users and corporate server users. Most of these companies require to change hardware on an approximately 3 year depreciation cycle. They don't however replace their OS builds in anything like this period. Typically you'll see most corporate users skiping at least one major version of the OS, certainly in desktop. In the server market, there are still a huge amount of W2003 servers, some W2000 servers and still some companies with a bit of NT4, mainly on up-to-date hardware. If the majority of customers are on W2003 - a nearly decade old OS, how long before they upgrade to server 8? The upshot of this is that if no facillity to disable secure boot is available, MS will seriously annoy all of their major customers.

        I repeat myself: It's not going to happen.

        1. Anonymous Coward
          Anonymous Coward

          Oh really

          "Most of these companies require to change hardware on an approximately 3 year depreciation cycle."

          That must be why I have posted this comment using IE6

          1. Anonymous Coward
            Anonymous Coward

            @AC 1602

            Read you post again, you make exactly my point:

            *Hardware* is replaced on a fairly regular basis.

            *Software* is replaced much less frequently.

            Therefore new hardware without the ability to switch off safeboot would be MS shooting themselves in the foot by alienating their corporate customers.

        2. frymaster


          All this means is that CORPORATE MANUFACTURERS will include such the "disable secure boot" toggle - they'd be stupid not to. That says nothing about the rest of the market, especially the pre-assembled end of it (I suspect consumer retail motherboards to be likely to support disabling it; OEM ones, _maybe_ not)

    3. cloudgazer

      'If MS force this, it will mean that you can't install any of their older OSes on new hardware.'

      You can't use existing builds of those OSes no, but there's nothing stopping MS producing a signed version of XP and making it available to enterprise clients. It will screw consumers trying to run old OSes, but mostly MS doesn't believe you have a valid license to your old OS anyway - except running on the old hardware it came with.

    4. CheesyTheClown

      Windows 8 will boot on old hardware, just not be certified.

      This is a requirement of the certification program for Windows. It has nothing to do with which machines Windows 8 will or won't run on. It has to do with requirements being met before you can put a Windows 8 Certified sticker on your box...

      Don't get carried away over nothing.

  6. DrXym

    So anticompetitive

    MS would love to pretend this is all about stopping malware. It might stop malware as a side effect but the real intent is stop consumers removing / rooting / jailbreaking their computers, especially tablet PCs.

    I think the issue is going to be difficult to resolve though. The traditional PC world is colliding head on with tablets which are more consumer devices. Should users be able to flash their devices in all circumstances? If I buy a Microsoft branded tablet, or one "designed for Windows 8", why should I even expect to be able to run any another OS?

    My own feeling is that Microsoft should do the right thing here and change their specs so desktop form factors must NOT use boot loader encryption by default, and tablet form factors submit all keys and device serials nrs, hardware ids to an independent key escrow service and provide a simple tool where consumers can feed their serial nr into their computer and receive an unlock code.

    At the end of the day it would avoid a lawsuit and I doubt they have much to worry about a significant percentage of people doing it anyway.

    1. Ken Hagan Gold badge

      "If I buy a Microsoft branded tablet, or one "designed for Windows 8", why should I even expect to be able to run any another OS?"

      Because it's your tablet.

      Obviously the vendor doesn't have to make it easy, but we're not talking about that here. We're talking about the vendor taking additional steps in order to make it difficult.

      1. DrXym

        That isn't the point

        Yeah its your / my "Windows" tablet. It was designed for Windows and it does what is says. Microsoft is under no obligation to make it easy for you to remove the OS it was designed to run. I'm sure it would be hackable, but MS isn't going to make it easy.

  7. Anonymous Coward
    Anonymous Coward


    "...he end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC..."

    What a load of paranoid nonsense. Does Garrett really think that MS are going to try to prevent people from upgrading their PCs? It's just not going to happen, if anything there is the issue that they'd end up with another anti-trust case on their books and they really don't want to end up there again.

    1. DrXym

      The problem

      Is people aren't thinking this through here. People look at Windows and think traditional PCs. Except Windows 8 isn't just for traditional devices any more. It's going to appear on tablets and other devices which are ostensibly "closed". What do you think the chances are that you can uninstall Windows from a tablet? Or from some hybrid device? Or even an ultrabook?

      Basically Microsoft will push it as far as they can go and manufacturers will facilitate them. Maybe your existin PC will never use the feature but that is no guarantee going forward for new hardware. The likes of Dell et al might decide stupid users don't need the choice in consumer models or they might sell you the key to unlock your own machine.

      There are so many worrying possibilities for this that people should be seeking action now, or Microsoft should be doing something in good faith to fix things before it reaches boiling point.

    2. Tomato42

      First they come and made preinstalled OSs. I did not oppose for I did not use the MICROS~1 OS.

      Then they come for signed bootloaders. I did not oppose for I was given ability to disable enforcement (with sirens and flashing screen).

      Later they came for hardware replacements...

      It's conditioning, testing how much we can take, little by little.

      1. Anonymous Coward
        Anonymous Coward


        Don't liken Microsoft to the Nazis, just don't ok? If you don't know why not, you may want to speak to a few jews or homosexuals and gypsies from the time. They are very hard to comeby for some reason.

    3. AdamWill

      welcome to 2004

      "What a load of paranoid nonsense. Does Garrett really think that MS are going to try to prevent people from upgrading their PCs?"

      They, er, already do? You know that WGA is tied to hardware, right? And if you change too many components in your system Windows decides it's a whole new system and requires you to call up Microsoft and plead with a phone droid to give you an exception?

      1. Anonymous Coward
        Anonymous Coward


        No, they don't. If you change some significant pieces of hardware you have to call them up and tell them that it's the same machine and go through an annoying, but basically fairly smooth process. This is totally different to MS deciding which pieces of hardware you may or may not use, or wholesale preventing you from installing new hardware, which is what Garrett said.

        1. AdamWill

          Well, no, that's not actually what Matt said at all. Here's the quote.

          "The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC."

          note the difference between 'not guaranteed' and 'wholesale preventing'.

  8. Random Noise

    Simple solution

    Surely a simple solution would be inlcusion of a jumper somewhere. If the jumper is not set (default) then only a digitally signed OS will boot.

    Change the jumper & when booting the firmware pops up a message to state 'unsecure boot' or whatever then carries on.

    Only people who have an idea what they are doing will open up the chassis & start meddling with jumpers. You need hardware access to the machine to change the jumper so no nasty virus can change the setting.

    The warning screen lets anyone who has had their machine physically hacked know that something is up with it.

    Seems like a simple solution, but I can't imagine its in the best interests of M$ to do so.

    On the other hand they could be staring down another anti-trust if they're not careful.

    1. Steve Evans

      @Random noise

      I agree that for the great unwashed, anything which stops them getting infected is a good move. Although convincing them to install something other than windows would probably do far more good than a locked down BIOS!

      A physical link would be a little annoying, a BIOS switch would be enough. There are already ones for protecting the boot sector, so along side that would seem to be a perfect place.

      But this *must* be written into the spec from the beginning.

      It is a little amusing that whilst M$ are going round trying to lock people into their OS, Android mobile phone manufacturers such at HTC are being forced to open theirs up due to the sheer pressure from handset owners.

    2. Nuke

      @ Random Noise

      Wrote :- "Only people who have an idea what they are doing will open up the chassis & start meddling with jumpers."

      You don't know many people do you?

      1. henrydddd

        Most Linux people do. Also, corporations who use Linux have people who can read a motherboard manual and set a switch

        1. AdamWill


          "most linux people do"

          that's an interesting misconception. Apart from those who actually work directly on hardware, I've found most software engineer types don't, as a general rule, know any more about hardware than many other people who use computers. I know plenty of people in the industry who buy all their systems from Dell. Or, hell, Apple.

    3. Red Bren

      Boot Options

      "Secure Boot" allows you to boot a signed but insecure Operating System.

      "Insecure Boot" allows you to boot an unsigned but secure OS.

      1. Tomato42

        @Boot Options

        That's the greatest irony.

        They are fighting problem that is at best rare in the wild (I never dealt with a boot-time malware and I've cleaned tens of viruses from computers of other people) while are doing hardly anything to fight the real problem: insecurity and instability of their own OS.

    4. Paul 129

      How can it be a microsoft anti trust?

      They only said secure boot was required for windows 8 certification. They didn't tell your favourite motherboard supplier Y to not allow you to disable it. So how can they be held liable.

      MS just give discounts based upon the % of systems supplier makes to win8 logo specifications, (which includes the os preloaded, so you linux guys can go rot nyahhh!)

      Microsoft is the good guy here (we've got the best/most lawyers and they say so), go take your complaints up with brand X, with not supplying you.

  9. Steve Davies 3 Silver badge

    Open your PC Case, go to jail, do not collect £200

    What Microsoft and the mainstream (eg large) PC Manufacturers want is the the PC of the future is locked down and that even opening the case would constitute a violation of the DMCA (or local equivalent).

    Gone would be the days when you could add RAM, a second HDD or swap the DVD drive for a BluRay one. Disabling the Secure boot could be regarded as copyright circumvention by some courts. Jail time anyone?

    The EU would like to make even changing the spark plugs of a car outside a recognised service centre illegal. It does not take much to extend that concept to PC's.

    Tux. could become extinct. Better add it to the 'Red List' pronto.

    1. Destroy All Monsters Silver badge

      Unfortunately, the move towards that is still on.

      And all because "the human rights of the creative people must not be violated, oh no" or some stupid, retarded self-serving crap like that.

    2. sisk

      They can try that, but they'll have no more luck with that than Apple did with making iPhone rooting a DMCA violation. Lobbyists aren't allowed to petition the Library of Congress folks who get to make that decision or their superiors for several steps up the chain, so they tend to let common sense rule DMCA exceptions. They seem to be insulated from bribes to (that or Apple is squeemish about offering them). Anyway the precedent is already in the law for "It's my hardware so I can do what I want with it" thanks to them.

      1. cloudgazer

        'Anyway the precedent is already in the law so I can do what I want with it'

        That's not a precedent, the DMCA exception for mobile phones is just for mobile phones and it sets no precedent - it's a time limited exception which may or may not be renewed - you can't read any more into it than that.

        You might be able to get it to apply to a win 8 tablet with integrated 3G (It's a 10inch phone gov'nor honest!) , but not a desktop.

  10. Anonymous Coward
    Anonymous Coward

    You can disable it

    Not a lot of bloody good then! Some nasty person will convince the marks to disable it ( if they haven't already disabled it! ) and back to square one!

    I appreciate it has some benefit and despite being a committed Linux/OSX fanboi I will give MS the benefit of the doubt, they seem to be being painted in a bad light over this lock-down BIOS business.

    1. Anonymous Coward
      Anonymous Coward

      Because vm-based viruses are so common in the wild. I mean, just look at those hacker OS: BSDs, Linuces, Plan 9s. They are used by criminals only!

      1. Anonymous Coward
        Anonymous Coward

        do you actually run Plan 9?

        I haven't seen that in print since I worked for AT&T.

  11. NogginTheNog

    Boot from what?

    Will this only apply to booting from internal storage, or CD/DVD/USB as well? If so then won't this bugger up using Live/Rescue disks for tech support, cloning, etc :-(

  12. The BigYin

    I am not sure...

    ...why MS should require other keys or the disable feature for Win8 certification, as neither of these affect Win8 running. Unless one buys a computer with another OS as standard (yeah, like that is possible for the average consumer outside of Apple).

    The real danger is that MS stuff the UEFI body so that the standard do not declare must be disable-able and to give the end-user some means to load new keys. MS already perverted one standards body (ISO), so why not this one too?

    The fact that (according to Red Hat) some unamed* vendors will not be shipping a disable feature and there appears to be no clarity on how an end-user can load new keys is deeply worrying.

    This is a shame as it looks like a secure-boot feature could be helpful against some attack vectors (until it gets cracked and presents a whole new set, that is).

    *El Reg - any chance to getting them named?

  13. TonyJ

    Isn't this just the way things are going?

    In fairness, how many end users (not techies) even want to change the OS from the one they bought with their el cheapo PC from the local computer shop?

    How many of them, if asked in plain English, would sacrifice the option of being able to install a different operating system for protection (perceived or otherwise) from nasties? Or a promised 8 second boot time?

    In some ways, Apple are responsible for this mindset - look at the iPhone. It's a fundamentally complex device with a locked in ecosystem and in some ways a "noddy" front end. But that, in some ways, is it's selling point: it just works.

    I'm not saying it's right or wrong, by the way, just a sign of things as I perceive them.

    1. Anonymous Coward
      Anonymous Coward


      "how many end users (not techies) even want to change the OS from the one they bought with their el cheapo PC from the local computer shop?"

      I've personally downgraded more than a couple of Vista machines to XP for friends and families... so maybe the better question to ask:

      Will Windows 8 be the next XP/7 or the next ME/Vista?

      1. Rameses Niblick the Third (KKWWMT)


        ME -> XP -> Vista -> 7.....8?

        It'll be shit then.

        1. Tomato42

          From announcements it doesn't seem that it will be shitty.

          It will be utter shit, at least on par with the disaster that was ME.

          1. Goat Jam

            Good Greif

            Are you 8 years old? Do you not remember the "announcements" prior to the release of Vista?

            Positively glowing "announcements" are the raison d'être of marketing departments.

            Whether such "announcements" are ultimately proven accurate when the actual product ships is clearly irrelevant to most punters if your statement is anything to go by.

    2. llewton

      there are anti-trust laws and consumer protection laws in civilized countries nowadays. your feelings about where things are going and what most people want are utterly irrelevant in this situation.

    3. BitDr

      Things happen for a reason....

      The reason for its existence is not that it is simply "the way things are going", someone stands to gain, and anyone who thinks that Microsoft is trying to push this to protect the user from malware does not know the corporate behavioural history of Microsoft.

      If Microsoft made printing presses they would be pushing the makers of paper to produce product which would work only in their presses with their ink, ostensibly so that they could protect us from the harm of misinformation, foul language and other nastiness.. Make no mistake, this is being pushed because Microsoft stands to gain by its implementation. The virus/malware prevention excuse is the emotional hot-button they are pushing to sell it.

  14. Red Bren

    What about older versions of Windows?

    It's not just linux that won't boot without a key. Older versions of Windows won't boot either. Red Hat et al might find a workaround with signed versions of linux, but you can bet MS won't provide keys for legacy versions of Windows. So if Windows 8 turns out to be another Vista, you won't have the option of installing your preferred Windows version on your shiny new hardware.

    Secure Boot works for the OEMs too. I'll bet you won't be able to run Windows 9 on Windows 8 hardware. If you want Redmond's latest offering, you'll need new kit.

  15. Antony Riley

    Aside from the other OS side of things, it will presumably prevent you from running an older version of windows which don't have a signed boot loader. Seems like a very lucrative thing for M$ especially as recently they've had problems getting people to upgrade to newer windows versions in a timely manner.

    I'd be a fan if they made it so the user had a way of modifying the list of keys the bios accepted, of course this needs to be protected so it can only be done through manual user intervention (i.e. not by a virus/trojan/root kit).

    Last I checked signing a binary object with a private key is compatible with the GPL version 2 or 3, so I'm not entirely sure how this precludes GPL'd bootloaders, it just seems like another GPL scare story with little substance. E.G. most Linux vendors provide all their software signed with their private key these days.

    1. Goat Jam

      You Seem To Be Labouring Under a Veil of Cluelessness

      The way this works is that MS creates a key pair using an asymmetric key generation algorithm.

      They give one part of this key to the mobo manufacturer and keep the other to themselves.

      When the motherboard begins its boot process, it demands from the booting OS its part of the key which it then attempts to use as a signature to confirm that it is algorithmically valid compared to the key it is holding.

      For Linux to do this, then mobo manufacturers would need to include a Linux key in their BIOS at the time of manufacture (assuming MS succeeds in forbidding user uploadable keys of course)

      The trouble is there is no such thing as a single Linux. Somebody like Redhat might be able to get its keys into some server based kit but then you would be stuck with using only RHEL (or no doubt Windoze) on that kit which is not much better than just being locked in to MS.

      Even then, what part of the OS do you tie the key to? How do you stop people from simply copying the key file from one Linux to the another? There are plenty of hackers out there who will figure out where the key is hiding irrespective of how well you try and obfuscate it. To stop copying the key around you then need to tie the key to a part of the OS in such a way that it can't be broken off. Which part do you tie it to? The kernel? What if you update the kernel? What if you need to roll your own kernel for a particular requirement?

      Nope, there is no way you can enforce this "Secure Boot" system on an open source OS, it is like trying to mix oil and water.

      The very notion of cryptographically signing software in order to control the users of said software requires that the software be totally closed off to scrutiny.

      Having said that I'm sure that it will only be a matter of time before the scheme is cracked allowing non Windows OS to load using faked or simulated Windows keys.

      This is when the true purpose of this strategy will become clear.

      Once MS start suing users whose only wish is to run "OtherOS" under the DCMA for it will become obvious to all that the intent of Palladium 2012 is to limit choice and has nothing to do with stopping viruses.

      The truth is there are plenty of ways that virus can be mitigated or defeated and none of them require the sort of draconian anti-competitive system that Microsoft is pushing here.

      1. yoofy

        .. unveiled further

        Not quite correct. It's not the OS which has to be signed by a key recognised by the firmware, it's the UEFI executable selected by the Boot Device selection process.

        Fundamentally, what this executable does determines what OS gets loaded. Of course, for a W8 platform, this is likely to be Windows 8, although it's possible it will allow multi-boot of other Windows versions.

        The UEFI spec allows for multiple signing keys to be established. Enlightened manufacturers might include additional keys (or at least one, which boots into a UEFI app which permits additional keys to be added). This allows other (signed) bootloaders to be used without turning off secure boot.

        1. Goat Jam

          A "UEFI executable"

          I think you need to define what a "UEFI executable" actually is.

          To me, this by definition is required to be some sort of closed binary blob.

          Requiring this sort of "UEFI executable" alone is more than enough to preclude any sort of open source software from qualifying as a valid "UEFI executable"

          However, let's just ignore that fact and pretend that it is in fact acceptable for something like Grub or LiLo to qualify as an "UEFI executable" and therefore allow "OtherOS" to subsequently boot unhindered.

          If this were in fact the case then it would be a trivial matter to engineer (actually hack together) a malicious root kit that simply uses a "UEFI approved executable" such as Grub to load itself.

          What would be the point of that as far as allegedly restricting the installation of malicious code?

          Nor would it restrict people from loading non approved (by MS) Operating Systems, which is clearly the primary goal of this "technology" anyway.

          No, the reality is that for this sort of restriction to actually work as it purports to, then it must have the ability to determine the "validity" of the actual operating system that is attempting to boot.

          To do anything less would render it unable to provide the alleged benefits that it claims (thwarting malware) as well as being unable to restrict the choice of consumers (thwarting Linux) which is clearly its primary goal.

          1. yoofy

            .. is PE32+

            I don't need to define what a UEFI executable is - the UEFI does it already (calling it an 'Image'). As it happens. it's a PE32+ format file, which is a familiar and defined format.

            Grub 2 and Elilo already have such executables. I've written another myself, in C, the programming language of UEFI. It's not rocket science, although it requires a shift in thinking.

            The point of the UEFI boot signature is to prevent arbitrary UEFI executables from running at all if they are not signed by a recognised key.

            Now, your (Goat Jam's) question boils down to: is it possible for malicious software booted by a signed grub to generate a key pair, sign itself and add its public key to the list of recognised keys without requiring user intervention?

            Obviously the first two can happen, but the achieve the third requires either the possession of a (private) Key Exchange Key, which shouldn't be available without user intervention, or for the platform to be forced into setup mode, which can only be done from UEFI preboot (thus ruling out the OS).

            The real issue is "who owns the Platform Key?". [UEFI Spec v2.3 sec 27.5] This is the key on which all the other keys depend.

  16. SImon Hobson Bronze badge

    Doesn't anyone read ?

    @ AC

    >> MS aren't stupid, they realise that there is a massive market in running their older OSes on new hardware ...

    Which is a big incentive for making Windows8 hardware requirements such that it won't run older versions. They'll have learned from the Vista debacle that they'll need to make it so users can't "downgrade" once they've bought a Windows 8 machine.

    @ Tom 15

    >> Surely people should be arguing with mobo manufacturers, not Microsoft.

    No, it's Microsoft that are going to FORCE hardware vendors to include secure boot. Without this pressure, they'd probably not bother and we'd not have to worry. But having been forced to put the feature in. most of them will consider it a case "runs Windows, job done" and leave it at that.

    It is true that we need to put presure on teh hardware vendors not to leave it at that, but it's Micro$oft that are driving this.

    @ Field Commander A9

    >> Users are always in control: if you don't like a locked down computer, just don't buy it!

    Have you been living on another planet for the last decade ? Your attitude suggests the hardware vendors will care if we buy their kit or not - any threatened boycott will get the response "fine, we'll still be selling to the other 99.9% of people who don't care."

    There's already a precedent for this. In the display card market, MSs requirements (driven by the big film studios) for video cards are to have a secure channel - locking down more and more into closed silicon and where certain technical details are NOT ALLOWED to be distributed. The result is fewer options for video cards, and less "open source" support for what there is.

    The manufacturers really don't care if a few people don't like what they sell - their primary market is Windows machines. The result is that for advanced graphics on non-Windows is nVidia with their closed binary drivers, or ... err I think that's it.

    David Austin has the best idea - the forum needs to make certain open features (ability to turn off secure boot, ability to upload additional keys) a mandatory part of the spec - that is the *ONLY* way to avoid this being a bad thing.

    1. Tom Stephenson

      Alternative to UEFI

      If hardware suppliers are really on the ball they will include a jumper that allows the user to boot using UEFI or a BIOS image. In that way you CAN upgrade/downgrade your OS and your hardware. The ultimate freedom. Lock into Win 8 or run as things are today.

      1. raving angry loony

        "If hardware suppliers are really on the ball"?

        I think you forget the power that Microsoft has to quietly suggest to these hardware vendors that if they were to do something so foolish, their massive OEM discounts would suddenly vanish. Microsoft has done it before and gotten away with it, why in hell wouldn't they do it again?

  17. Anonymous Coward
    Anonymous Coward

    Inevitable outcome

    The PC OS market is dead, in the sense that there isn't a 'market' when you only have one supplier. Linux is still too small to count. I'm not pleased to point it out, but it's just a fact. And Apple gave up the battle over a decade ago ["The PC wars are over. Done. Microsoft won a long time ago." - Steve Jobs, 1996]

    Windows is the *only* choice for a PC buyer. Therefore, any policy or decision from Microsoft is immediately a 'standard'. Fighting decisions like this is a lost cause.

    1. Bronek Kozicki

      tell that...

      to administrators of these thousands (or is it millions?) servers running Linux on commodity x64 hardware - you will find them in all large enterprises.

      I bet every hardware vendor dreams of removing himself from this market - not!

      1. Ocular Sinister

        Actually, hardware vendors do mostly want to get out of beige box business - high volumes, but very low margins: IBM got, HP want to. Only the very cheap far eastern manufacturers seem interested these days.

        1. Anonymous Coward
          Anonymous Coward

          Beige box != Server.

        2. Joe Montana

          Getting out of the market

          MS is one of the biggest reasons hardware vendors want to get out of the beige box business... They do not really produce products in their own right, they are just one of many Microsoft OEMs and are utterly dependent on MS for their business who could cripple any OEM at any time by refusing them volume discounts on windows. Similarly they cannot really differentiate their products, they are all built from the same components and run the same software.

          OEMs have the ability to bargain over hardware, since any given piece of hardware has an easily swapped competing alternative... They cannot argue with MS as there is no direct replacement for windows.

          It's no coincidence that the only desktop manufacturer with any decent margins is Apple, the only vendor who is not dependent on MS.

      2. Anonymous Coward
        Anonymous Coward

        Other players in a niche

        @Bronek Kozicki: "tell that to administrators of these thousands (or is it millions?) servers running Linux on commodity x64 hardware"

        Face it - Linux has crawled into the niches of the IT industry. If you scrape them all together, does it even make 3% of the whole market for computers? So if the vast majority of PCs are churned out with no ability to run anything but Windows 8, 97% of PC purchasers won't care. When MS says, "jump!", manufacturers say, "how high?" Sure, there will be some manufacturers who will fill the gap, and they'll probably charge you a nice premium for the luxury of being able to boot the OS of your choice.

        1. John G Imrie

          Face it - Linux has crawled into the niches of the IT industry.

          That will be niches like;

          mobile phones,

          tablet computers,

          web servers,


          PABX systems,

          U.S. Department of Defense, yeah there pritty niche,

          The Spanish Government, imagin what their debt proplem would be if they had baught Micosoft,

          U.S. Postal Service,

          German Universities,

          Many third world countries through the One Laptop Per Child scheme,

          Google, you might not have heard of them as they are a niche player in Internet searching,

          Voicemail systems,

          Amazon, a small book selling company you've proberly never heard of,

          International Stock exchanges, usally just after the big expencive Micosoft system that was splashed all over the bissiness pages, crashed ... again,

          Super computers, Ok I'll give you that one as a niche of the IT industry

          1. Anonymous Coward
            Anonymous Coward

            So the percentage of PCs is...?

            @John G Imrie : "That will be niches like; mobile phones,"

            I've no complaint against Linux or the hold it has in many other fields. But the article is about Windows running on PCs. The complaint is that you may not be able to run Linux on these PCs. It's not about all the other areas in which Linux is used.

            My point is that Microsoft can do whatever they like in the PC arena because they own it. The PC 'market' died some time ago. Or do you have figures do demonstrate that Linux is, in fact, more than a fringe player *on PCs*. If you can't, you have no leverage to change anything.

      3. Mark 65

        Do servers even count? I mean, wtf would a server vendor care given how many boxes are used for running VMs on top of ESX etc? The secure and fast boot part tells me this is desktop/device related - I don't tend to restart my servers all that often and I'm not convinced this will stop anything given just about every other cryptographic signing key used in this prohibitive way has been cracked. Blu-ray anyone?

  18. John Styles

    If Garrett is concerned this is a bad sign, I had put this largely down to the usual overreaction / scaremongering / tinfoilhattery but Garrett is typically very measured and one of the few people in the tech community whose opinion I give a high weight to.

  19. Richard Lloyd

    UEFI spec needs to insist on user being able disable secure boot

    Wouldn't the furore go away if the UEFI spec insisted that secure boot must always be able to be disabled by the end-user? Without that insistence in the spec, then Microsoft do indeed have a way to leverage their OEM clout to lock out any non-MS OS from being booted.

    Also, won't it mean that only MS-signed rescue disks can be used to recover Windows (bang goes all those third-party rescue disks that are generally better than anything MS provides)?

    Of course, Microsoft are being quite clever at using the Windows 8 logo cert programme to dangle a carrot at the OEMs to only ship Win 8 keys, whilst using a stick to beat away any other OS from being installed. This way, MS can try to get away with finger-pointing at OEMs from not providing the ability to disable secure boot.

  20. Anonymous Coward
    Anonymous Coward

    And what about restoring from backups?!?

    Maybe it's just me, but won't this also block all backup software which uses a Linux boot loader to restore a disk image?

    Now, I know that MS are spectacularly stupid at times, but would hardware manufacturers be stupid enough to prevent users from being able to fix their machines when they go wrong?...

  21. CaptainHook
    Thumb Up

    Linux at purchase

    In the past, I've brought PC's with Windows and just resigned myself to paying the windows tax because I know that I can get Linux running later once Windows has succumbed to registry bloat etc and needs to be wiped clean.

    In future, I'm going to insist on Linux being installed at the time of purchase because it will be the only to be sure the hardware is usable in the long term and not have any Windows OS on the hardware at the time of purchase, thus saving me the tax - thanks MS.

    1. lpopman

      titular admonishment

      Upvoted because I agree.

      However, the use of the phrase "I've brought PC's" is really annoying. It should be bought, not brought and I don't think you mean PC as possesive either.

  22. Voland's right hand Silver badge

    ... and I've seen it before .. and I'll see it again

    The word is about, there's something evolving,

    whatever may come, the world keeps revolving

    They say the next big thing is here,

    that the revolution's near,

    but to me it seems quite clear

    that it's all just a little bit of history repeating

    Propellerheads / Miss Shirley Bassey - History Repeating,

  23. andy 103

    ability to install extra signing keys

    Surely the compromise with all of this is to give the end user the ability to either switch it on/off, or install additional keys? This is no different to the way some operating systems come with a firewall installed, which the end user can either disable or customise - e.g. set up their own port rules - based on their needs. It's just a layer of security that can be customised.

    We have to remember that for the vast majority of people (not Reg readers, but everyone else!) whether this can be switched on or off will probably never be an issue.

    Or would people still have a problem for this if it was switched on by default with the ability to turn it off or amend it somehow?

    1. Nuke

      @ Andy 103

      Wrote :- "Surely the compromise with all of this is to give the end user the ability to either switch it on/off, or install additional keys?"

      That would be fine; but the fuss is that, as things stand, that is unlikely to happen.

      The issue is that Microsoft, which has immense power over PC makers, would be in a position to "encourage" them NOT to provide such a switch, and to throw away the UEFI software keys as soon as Windows 8 has been installed. Then that PC will never be able to run any other OS, ever.

      Microsoft are perfectly capable of such skullduggery. It is not in their interest ever to allow any other OS (such as Linux) onto that PC.

      Please read about this issue. Any requirement for OEM PC makers to include the function you suggest is conspicuously absent from MS's own proposed requirements for Windows 8 certification (ie to allow a "Designed for Windows 8" sticker).

  24. Paul_Murphy

    If this does come about then I would imagine that the non-corporate demand for these boards will be virtually zero.

    A secure computing environment is one thing, but this is just blatant bullying by Microsoft and I would like to think that at least one manufacturer will see the sales of their 'any OS' boards take up the slack.

    Also I wonder whether booting form a CD/USB drive will be 'allowed'.


    1. defiler

      Does anybody care?

      Non-corporate demand will be virtually zero? Have you seen where most people buy their computers? They go into PC World, Currys, Comet, whatever. They pick up a big box off the shelf, and it has everything in it ready to roll, including Encarta for Little Johnny. (Okay, I'm kidding about the Encarta thing, but that mindset is still there.)

      I have never bought a PC off-the-shelf. I'll pick and choose components that do what I want. I'm one of the crazy guys with a watercooled system because I like my peace and quiet. I've got the dual-VGA card and SSD going on. I want to be able to boot to Linux when I damn well please. I am less than 1% of the market. Dell, HP, Acer, Packard Bell etc etc will not give a shit if I'm not happy - the other 99.9999% of the market is delighted that they got a shiney, and it just works.

      It's like buying a car. I went into the showroom, picked the model, the specification, and the colour. Beyond that, the thing just runs. Except that I need a tax disc for the end of the month :-/

      Ordinary people don't buy kit cars. They just want their Focus to start when they turn the key.

  25. Matthew 17

    Don't see the issue

    If someone buys a Windows 8 PC, they'll do it to run Windows 8. Just like if someone buys an Apple Mac, chances are they'll want to run OSX.

    But if you want to run Linux, BSD, AmigaOS, OS2 or whatever on your computer, you'll buy appropriate hardware instead.

    This is better as it means you'll not be paying for a Windows License if you're likely to be using something else.

    Maybe MS want to copy Apple and sell the hardware as well, maybe they'll sell their OS for £25 too if you buy an MS branded box. I'd welcome this, not sure Dell would though.

    But to be able to buy a 'Designed for Linux' branded PC and not have to pay an MS tax would be rather nice.

    1. introiboad

      How many times...

      ... do people have to repeat this?

      Many users install Linux on computers they bought with Windows installed. Sometimes because they like the hardware, sometimes because they happened to get it from eBay cheap, sometimes because they rescued it from a garbage bin.

      Those computers are still perfectly usable and they can be recycled by installing Linux. If Microsoft prevents us from doing so, it will harm all users, including my brother who currently has a refurbished laptop that runs Ubuntu and originally came with Windows.

      1. candtalan

        I have a house full of recycled PCs that originally were sold with Windows. They all now run Ubuntu. None run Windows.

    2. DavCrav

      Well, I want a Linux laptop. Find one (that isn't incredibly expensive). Your choice just got massively reduced.

      1. Ilgaz


        Lenovo's business models come with IBM DOS, aka (if you aren't insane) nothing preinstalled.

        Funny thing is, I suspect they use the saved money for more than average RAM.

    3. Goat Jam

      @Matthew and all the other clueless idiots

      You don't seem to get it Matthew.

      Even if you are one of those fools who actually *like* Windows then this still damages your interests.

      The more ability that Microsoft obtains to *force* everyone to use Windows the less pressure there is on them to keep prices at sane levels.

      If you have zero choice whether you purchase Windows with every new PC then you can bet your bottom dollar that MS will squeeze you for every cent possible.

      This is all about removing choice. Nothing else.

      Having less choice means having less freedom. That is always a bad thing, regardless of whether you personally would choose to use Windows anyway.

  26. Ilgaz

    They must be joking

    So, Linux vendors including Google will have to instruct end user to "disable secure boot" to install their legimate operating systems?

    it sounds like "you will have to disable security so you can install our insecure operating system which may even "burn" your brand new equipment"

    Ask anyone who did end user/general public support, I am not exaggerating things.

    1. This post has been deleted by its author

      1. Ilgaz

        It is against GPL

        You can't enforce a unmodified Linux to user with a key.

        Free software may seem like some kid garage thing to you but it isn't, licenses are very strict. "key" is against the entire idea of open source to begin with.

        Seen any DRM containing open source software? You can't since it is impossible.

      2. Nuke

        @ ClueShell

        Wrote : "what hinders ubuntu, google, redhat, opensuse to submit their keys? if the OEMs load up 1 key or 6 who cares?"

        The mainstream OEMs would not be bothered to load keys for anything but Windows. All they want is to stick on that "Designed for Windows 8" label.

        As someone else here said, their attitude when they build a PC is "Runs Windows, job done".

        That is even without the fact that Microsoft is likely to use its power to deter them from allowing keys for other OS's. Just as now, if an OEM sells any PCs without Windows pre-installed they risk losing their bulk puchase deal with MS.

  27. Barry Tabrah

    Microsoft is irrelevant in this argument

    It's the OEMs that are going to have to allow disabling of this feature. Many organisations rely on older OS models and the arguments for keeping XP as an option are already pushing OEMs towards backward compatibility.

    This requirement for legacy support from medium and large business is why I'm not worried about this. Any decent OEM is going to include an option to disable this just to keep the business.

  28. John Robson Silver badge

    Return them

    Buy machine, wipe disk, start to install ubuntu - return PC to store as faulty

    Repeat with every machine there...

  29. big_D Silver badge
    Thumb Down

    3 points...

    Why, to obtain Windows 8 certification, would they require additional keys for other operating systems? It is up to the hardware manufacturer, whether they want to add additional keys. Microsoft wants to ensure that shipped PCs are safe and will be delivered without malware installed.

    That is a good thing, for 95% of potential private customers.

    As to not being able to switch it off, I don't really see many manufacturers not giving that option, given the number of corporate machines and enthusiast machines that are currently downgraded to Windows XP (or Linux).

    Thirdly, don't Android smartphone manufacturers already incorporate a similar mechanism in their handsets, to stop them being rooted?

    Essentially, this is just a bunch of hot air at the moment, and has nothing specifically to do with Microsoft, they are just taking advantage of an additional security feature, to help ensure that rootkits etc. can't (easily) get onto machines.

    Red Hat should be naming the hardware vendors that are taking the lazy route and not planning on having a disable option built in to their hardware. They are the ones at fault, but I guess shouting about Dell, HP or Acer won't get them any sympathy or further co-operation in getting hardware to work well, and Microsoft is always seen as the bogey man.

  30. Eradicate all BB entrants

    Totally stumped.....

    ..... by some of the responses. All the ranting about not being able to do what you want and you still buy from the big box vendors.

    If you want control build your own, like I do. It's not hard and the slight cost increase (sometimes it can be cheaper) pays for itself in 2 ways, you get the components you want and you have the lovely 3-5 year warranties on them you don't get from box pushers.

    Some crap analogies to help it along, Like buying a Ford then complaining you can't run Nissan's sat nav, buying a washing machine then complaining it breaks your dishes, buying a Yale lock and complaining a Chubb barrel won't fit in it ........

    1. introiboad


      ...laptops! How are you going to build your own laptop? If I happen to love Vaios and Linux, because I think the casing is great but hate Windows, what do I do now?

      1. Eradicate all BB entrants


        .... bug Sony about it. Bug Lenovo, Acer, Asus, Samsung and all the rest. The requisite is that if you want to ship boxes with W8 on this needs to be enabled. Nothing in there saying there can be an option to turn it off is there.

        And before you even think about stating 'normal users won't be able to do that/know that' normal users don't usually have dual boot systems. Despite using Open OS's you boys sure are closed when it comes to thinking about alternatives.

        Yes I am a windows fan, it lets me play all the games :P

    2. Mark 65

      Why should anyone who buys from a big box vendor get shafted? Should old people start building their own machines? Why shouldn't they benefit from Linux? Should I be unable to fix a relative's machine using a rescue disk/thumbdrive? Should all these PCs get dumped after 2-3 years as they're too slow to run the next incarnation and cannot be loaded with Linux?

      Please think a little outside your own use-case before posting.

  31. Anonymous South African Coward Bronze badge

    Resistance... Futile. Prepare to be Billywindowsed.

    Getting my jacket, want to get out of this mess of IT.

    1. Steven Roper
      Thumb Up

      Couldn't agree more

      With all the control-freakery around, IT is starting to suck.

      I remember back in the 70s and 80s you could repair your own car with a screwdriver, socket set and pair of multigrips if something went wrong with it. I've ridden in cars where the steering column was held on by a bent coat hanger and had a pair of pantyhose for a fan belt. Cars were simple enough that in a pinch you could cobble something together to at least get it to the nearest garage if things went pear-shaped while you were on the road. In the Australian outback, being able to do that often meant the difference between living and dying.

      You can't do that any more. With all the computers, control chips and crap on cars these days, if anything is wrong with it the car simply won't start. Forget bent coat hangers and pantyhose, if a single wire in the convoluted mess that passes for an engine these days is even slightly misaligned, the car will bitch and moan about not being roadworthy. Too bloody bad if you're stuck out in the middle of bumfuck nowhere with no mobile coverage 300 k's from the next nearest human being. You can just roast to fucking death out there for all the car manufacturers care.

      Now I see the same thing happening to computers now that happened to cars after the 80s. No user serviceable parts inside. Device must be used only as directed. So what if it's your fucking money? Give it to us and maybe we'll let you have temporary use of OUR device. Not YOUR device. OURS, even if you pay for it. We want to control everything you do with it.

      Fuck this. IT is going in a direction I'm beginning to find unpalatable. Maybe I'll go in for carpentry. At least you can still use a hammer and nails the same way I could as a kid.

  32. Anonymous Coward
    Anonymous Coward


    If Microsoft thought they could get away with it, Torvalds, Stallman et al would be in prison and Linux delcared a "terrorist threat".

    If Microsoft were Russian, Torvalds would already be dead.

    How many acts of bribery, deceit, bullying, lying and outright thuggery do Microsoft have to be shown to have committed before you stop givnig them the benefit of the doubt?

    1. Anonymous Coward
      Anonymous Coward


      What benefit of the doubt? There are about three people saying that MS should get the benefit of the doubt, everyone else is ranting their mouth off.

      Take off the tinfoil hat, go out, do something less boring instead. The world is not a giant conspiracy and you enjoy life a lot more when you realise it.

  33. richard 7

    maybe i missed the point...

    But didnt they say NoeXecute would save the world from rootkits and virii not long ago?

    1. Tomato42

      No, no, it was the completely rewritten kernel and security model of Vista.

  34. Doug 3

    Isn't this a responsibility of EU and DOJ due to monopoly positions

    Microsoft can not require a feature which would block other OS vendors from access to the systems. I would not think that anti-trust laws would allow them to do this and simply saying the OEM can decide is not a solution. If they require something which blocks over OS vendors then they must REQUIRE that feature have the ability to be disabled.

    Addressing this after the fact would be too late. Also, are they serious? Using a prototype tablet they had direct hand in and are using for their promos as proof that it's no big deal. Beta hardware and software is not what anyone should trust will be the norm and if you know Microsoft, their betas often look very different from what ships.

    1. asdf

      sneaky buggers

      >Microsoft can not require a feature which would block other OS vendors from access to the systems.

      No but M$ could say look some industrial standards body we bought did it not us.

  35. kain preacher

    One question

    Has any one here seen a UEFI mother board for an AMD cpu ? So if this goes through like most of you folks think it will it would kill AMD. That would trigger and ant trust action against intel, MS and the MB manufactures/ I know you folks want to believe the worst about MS . That MS has to be evil or it shatters your world view. But stop and think about a few things first. If it goes down like that you will have series of anti trust actions like you have never seen before .

    1. Tomato42

      Sorry, Microsoft has been multiply convicted of antitrust behavior. It's not a world view, it's simple empirical evidence.

      Or do you keep stepping on a rake because "maybe *this* time it wont hit me in the head!"?

  36. Anonymous Coward
    Anonymous Coward

    Here's a thought...

    "Windows 8 certification does not require that the system ship with any keys other than Microsoft's"

    That. is. because. it. is. for. Windows 8.

    If OEMs think that compatability with Linux is a valuable for sales, and the Linux community gets off its arse and produces a certifiable OS, then the OEMs will provide keys. I'm sure that they will providing keys for Chrome...

    1. Me Meeson


      C'mon Linux Community, get off your arses and produce an OS that Microsoft will want to certify!

    2. AdamWill

      nul points

      except that the thing that gets signed is the *bootloader*, not the OS. but thanks for playing.

      1. Goat Jam

        The bootloader is signed?

        What nonsense.

        How would that work? If your bootloader is signed then you can go ahead and boot any OS?

        Including a malicious one?

        If it were that easy it would not be a problem.

        All that would be required is that the Grub folks get their key out to the motherboard manufacturers and then *anybody* or *anything* could boot whatever they damn well please via grub, including a Grub loaded malware infestation.

        Good lord, if you don't have a clue what you are on about then please try and refrain from commenting. All it does is spread confusion.

  37. Anonymous Coward

    Lock-in that must be what makes Apple good right?

    I can see the rows of MS management desperately trying to find that thing that makes the Apple experience work for so many people (I'm not one BTW) -

    "they lock people in, maybe we should do that!", "Yeah lets lock them in -with their wallets OF COURSE (chuckles all round)" , "Hey how about blocking Flash!!! Apple do that!!!!" so it goes on -

    Good job you guys! you have identified some of the things other companies do, just not the things that are so innovative, well engineered and efficient that they can get away with that other shit.

    Let us know how that works out for you.

    1. Ilgaz

      Oh stop using Apple example

      Apple has been using open firmware for years and they have picked EFI for Intel since they can't be bothered with 80s archaic technology backward compatibility. However, they do some cool tricks to enable end users run competing operating system, windows even including a hassle free live disk partition built into disk utilities framework itself. That is a $50+ tool on Windows.

      They even include a freaking Penguin icon inside OS data for end users to pick the right OS when booted with alt key.

      In fact, I have seen many Apple engineers help Linux and BSD software authors (especially xorg) to enable their software on Macs.

      So, please , using Apple example doesn't work. You guys really don't know the history of Apple and how strict they think when it comes to boot etc. process.

    2. Goat Jam
      Thumb Up


      Microsoft are the Cargo Cultists of the IT industry.

  38. Anonymous Coward
    Anonymous Coward

    Prying the bogged-down UEFI IC off the motherboard is optional.

    "Garrett said that Windows 8 certification requires that hardware ship with UEFI secure boot enabled. A feature allowing secure boot to be disabled – necessary to run Linux and FreeBSD on certified systems - – is not required for certification."

    Expect new Dell machines with this feature. And the only way to disable it will be with a crowbar or blowtorch applied to the right IC in the motherboard. Maybe not even then.

    How is this different from Apple? Isn't it running on windows capable intel chips now? And it only runs windows with boot camp beneath it? What is the catch to run Windows in the bare metal Apple hardware ( not that you would want to do it) ? What about the reverse, why can't they sell Apple OS to x86 PC machines, like all those hackintoshes we hear so much about? If it is really good, then prove it, outselling Windows in x86 PCs. I would try it, at least once.

    It seems to me that MS is just copying Apple's strategy of walled garden.

    Apply evil icon, pirate icon, fail icon, penguin icon, fanboi icon, windows user icon, eat this icon, wtf icon, the flame icon (because I'm so pissed at the prospect of this feature), all at once. Apply FAIL twice.

    1. Cyberspice

      Different to Apple Bootcamp?

      "How is this different from Apple? Isn't it running on windows capable intel chips now? And it only runs windows with boot camp beneath it? What is the catch to run Windows in the bare metal Apple hardware ( not that you would want to do it) "

      Actually all boot camp is is a way of supporting an MBR in a partition on a disk that isn't in DOS partition format combined with a partitioning tool. This is because the Apple boot manager can only boot off of Mac partitioned disks. Windows *will* run on a mac without any apple software installed within Windows itself. Apple just provides a set of drivers to support the Apple hardware better than the standard Windows drivers.

      "What about the reverse, why can't they sell Apple OS to x86 PC machines, like all those hackintoshes we hear so much about"

      Because then they would have to support many many more devices and motherboards than they support now. Apple's success is because they have a defined sub-set of hardware within their products. This means they can develop device drivers which work well and with one another and test nearly all the combinations. Windows often relies on the hardware supplier for theirs and that supplier can't ever test all the combinations. Hackintoshes only work on a sub-set of hardware.

      One of the reasons Apple was an early adopter of bus standards like USB and Firewire is because of the defined protocols they use. Support one HID device and you support them all. PCI-E cases are coming for thunderbolt. It will be interesting to see how many cards actually work with OS-X.

      Apple can sell software cheaply because the development cost is covered by the margin on selling hardware.

      Basically you fail at business and technical know-how. However I do agree the MS thing looks bad.

  39. This post has been deleted by its author

  40. mark l 2 Silver badge

    UEFI is only required for Windows 8 certification, what does that mean?

    If the hardware manufacturer doesn't implement UEFI secure boot does that mean they can't ship there PCs with Windows 8 or that it just won't have one of those stickers on the outside that says 'Window 8 certified' but will actually happily boot Windows 8 without UEFI?

    Surely MS must allow Windows 8 to be installed on none UEFI hardware or else they will miss out on being able to sell an upgrade to those that bought windows 7 pcs that aren't UEFI compliant, like the laptop im currently typing on.

    1. Tomato42

      I wouldn't be surprised that to receive MS bribe^H^H^H^H^H rebate in volume licensing you have to have the sticker. And without the bribe^H^H^H^H^H rebate you just won't be competitive on the market.

  41. asdf

    Too lazy

    I wonder how this will affect PXE netbooting. I guess it will need to have keys in place before hand.

  42. Random Coolzip

    Re: older versions of Windows

    Older versions of Windows aren't really a concern, because they won't work without a BIOS. I haven't heard anything about UEFI providing a "compatibility mode" or any other accommodation for older software. Recent Windows software will probably work because MS abstracted all that away in the HAL, but I seriously doubt they'll ship a HAL for XP that speaks UEFI. And no more booting up with that old copy of DOS 6.22, either.

    1. Anonymous Coward
      Anonymous Coward


      Vista and 7 run with EFI or BIOS as does 2008 and IIRC 2003 as well, so yes, it is an issue for previous versions of Windows.

  43. Martin Usher

    Signed Malware?

    It would only be a matter of time before malware with appropriate signatures turns up. Its the old force/ equal and opposite force thing. The only way you're secure a PC is by burying it in concrete.

  44. Lars Silver badge

    Some hove

    I don't see Read Hat as the company attacking here.

  45. IGnatius T Foobar

    DVD Jon, where are you?

    DVD Jon, where are you? I hope you are working diligently on the important task of obtaining and publishing Microsoft's signing key.

  46. Herby

    So, how do I???

    Update the BIOS?

    Don't you need to do silly things like boot from something like a floppy, or USB device?

    I believe that the BIOS problem was solved before by "clean room" stuff, and I suspect that it will be done again!

  47. Anonymous Coward
    Anonymous Coward

    The new MS strategy ?

    I'm almost tempted to think that MS knows how well their new Win8 is going to be received by the major public (the desktop users); which I don't think is going to be all that positive.

    What was the first thing /many/ people did when they got themselves a Vista PC? Either re-installing XP on it themselves, getting one with allowed them to install XP or (as I have experienced a few times): calling a friend to help 'm out getting XP back onto it.

    One has to wonder... Maybe this is MS answer to all that; simply trying to disallow people to pull something like that off so that they have no choice but to stick to one of their more modern OS's ?

  48. defiler

    Console Development

    That's what this reminds me of. It makes me think back to the old Blue Playstations, or perhaps more accurately the black Yaroze boxes. They were just PS1 Playstations, but came with a simple dev kit (and a little extra hardware inside) that allowed hobbyists to program them. You could upload your finished programs and other people with Yaroze could grab them and run them.

    You see the parallel? In order to do Linux dev (or any unsigned OS dev for that matter) you'd need to buy into the 'Yaroze'-equivalent PC. The hobbyist's PC. Everyday bods buying a computer would just end up with the basic grey box.

    Maybe somebody can flesh out where that would drive the market, but it strikes me that anyone wanting to deviate from the mainstream at all would leave themselves at the mercy of the hardware manufacturers, and their altruism regarding releasing boards for unsigned code. As I understand it, Yaroze actually cost Sony money. But what they did get is a whole new generation of bedroom coders already experienced with the Playstation dev tools - that's a good investment. It scares me to think that Microsoft could create a world where a programmer's first experience of writing an operating system is when they start to work for Microsoft and finally get to recompile Windows and sign it with the MS key...

  49. GatesFanbois

    Linux is a pile of cack anyway. Microsoft is doing everyone a favour by preventing it being installed.

  50. Anonymous Coward

    Secure is a good thing

    If tinkerers want to run unsigned boot loaders then they can go out of their way to find the hardware to do it. Simple.

  51. Wibble 2

    What older versions of Windows?

    There seems to be a lot of moaning on here about a complete non issue as far as older versions of Windows are concerned.

    The only versions of Windows that support UEFI boot are Windows Vista SP1 x64 and newer. No 32 bit editions of any Windows version support UEFI.

    So the only old versions of Windows a user could install are Vista and Windows 7, and I can't imagine why anyone would install Vista rather than Windows 7.

    If you are the sort of person who installs your own O/S, then you are probably the sort of person who buys their own motherboard, so buy one that will let you turn the feature off. Not many aftermarket boards will ship with this feature unable to be turned off if they want to sell in any volume.

    The Dell's and HP's of this world cater to a mass market of people who are unlikely replace their O/S or install a dual boot system. Microsoft are not insisting that this feature not be allowed to be disabled, only that it is turned on when the PC ships to get the Windows 8 Certified Logo. It's not Microsoft's fault if the OEM don't allow it to be turned off.

    If Apple did this it would be a good thing, a great security feature, another reason why Apple are miles better than Microsoft etc.... but because its Microsoft it must be evil.

    I'm constantly amazed by the stupid comments from Microsoft haters who will find any reason to vilify the company, even without understanding what they are talking about.

    1. Anonymous Coward
      Anonymous Coward


      Server OSes are available as well... Also, many corporates may have moved on to Vista and be quite happy with it - becuase they set it up properly and they have the correct drivers.

  52. Andus McCoatover

    This is frightening -

    - for Microsoft. Anti-trust lawsuits, anyone?

    Of course, get a PC with Windows-8 basic chilfren's Edition, and run Ubuntu in a Virtual Machine. Simples, 'till Microsoft gt wise and forbid installing VM's....

  53. Corbot
    Thumb Up


    Enable it by default to block rootkits for the PC World crowd, allow it to be turned off for the advanced users who want to install other OS's. Pretty simple really, and an approach the OEM's will no doubt take to appease both MS and more savvy consumers.

    I see this as a good move against the army of rootkit induced bots living on grannys laptops.

  54. Watashi

    Damned either way

    Until Windows Vista came out, everyone complained continually and vociferously about how insecure Windows computers were. Apple used the security of Macs as one of their main selling points and sites like this gleefully poked fun at MS whenever a major security hole was found. Now Linux fanbois are saying MS should not implement security features because they actually quite like the fact that Windows computers are less secure than Apple ones.

    As a model for business PCs, the closed box approach is fine. It's a waste of money to add RAM to out-of-warranty PCs in this environment especially now that MS have finally gotten off the hardware upgrade requirement cycle for their OS (just as I predicted they would have to when Vista came out). As for laptops - well, what percentage of home laptop users ever upgrade them anyway? I'd say a very small percentage, and those who have done in the past had to because they moved from XP to Vista / W7. The move from Vista/W7 to W8 will not need a RAM upgrade because MS now designed OSes to make best use of the hardware available, rather than expecting businesses to go out and buy new computers specifically to use new OS. As for installing an old MS OS on a new computer - you ever heard of Virtualisation? Seriously, who wants to run XP as their main OS on a quad core PC with 4Gb RAM?

    I am a libertarian at heart, and I really do hope there will be enough of a market for up-gradable mobos to keep the geeks happy. However, to expect MS to base the design of their OSes around the desires of a tiny fraction of the consumer base is stupid. Widely used open Linux was only ever a fantasy and Linux users should count themselves lucky that they've been allowed to free-ride on the back of MS, Intel innovation etc over the last decade. The real future for Linux is in custom made hardware a la Chrome / Samsung laptops. Apple's hardware is designed for Apple OS, MS hardware is designed for MS OS and so why should Linux be any different?

    1. Bronek Kozicki

      Watashi, I understand your post was meant to provoke reaction and yet you made some good points. I will take the liberty to ignore those.

      Here is where you are mistaken:

      * assumption that huge majority of x86 PCs is running Windows. On desktops - agree. On servers - branded or beige boxes, no matter - it's Linux.

      * assumption that Linux fans want Windows to stay insecure. That's just silly, one point only - without vulnerable Windows boxes Internet would be nicer place for everyone and everyone Linux users included would receive less spam

      * assumption that UEFI secure boot would exclude Linux from desktops - why would it, if the feature can be disabled (as demonstrated on screenshoot)?

      * assumption that only geeks care about Linux on comodity PCs - ask Dell and HP how many of X64 servers they sold are being used under Linux

      1. Tom Mason

        Secure booting from UEFI is a good thing, from a security perspective. The ONLY problem with it is that they haven't mandated that a user with physical access must be able to install a non-signed OS bootloader if they so choose. I don't see how it's anyone's problem but GPL fanatics that their philosophy prevents them having a signed bootloader. They don't get to spoil the PC for everyone else just because of their bizarre views, any more that PETA should be able to prevent me enjoying a nice steak.

        As for people who continue to make jokes about winows being insecure, and linux being perfect, perhaps you could explain the and outages?

  55. FuzzyTheBear

    Our interrest in mind ? Microsoft ?

    You got to be kidding.Microsoft only have their shareholders interrest in mind.Not you.

    They do what they do to generate revenue.XP was good , still runs .. but by killing it MS makes money. By locking you in , they make money. It's not about you , it's not about the user ,it's about the bucks. So dont give them holy and clean intentions.

  56. jsusanka

    surprise, surprise

    "There are many rootkits and malware that run at the time of startup, so this step would be good for security."

    They still think linux is viral. no matter what they new release they give.

    Sure it will be up to the vendors just like what os to ship is up to them - wink, wink,

    Does this really surprise anybody that microsoft is doing this? They haven't changed and apparently DOJ or NO DOJ they never will change.

    microsoft is above the law - period end of story. welcome to the 21st century.

  57. 2cent

    The keys come with the car.

    The answer is pretty simple.

    Demand that any non-military hardware purchased using the Unified Extensible Firmware Interface must have the documented key with it.

    The problem lies with contacting Unified Extensible Firmware Interface Organization. You don't get to vote.

    Contact them or their members by any means demanding the keys.

    I think I could survive typing them in.

  58. mark l 2 Silver badge

    I give it about 6 months until someone cracks the encryption they use to store the keys and they will be readily available on pastebin, Both Sony and MS have similar secure boot systems on their consoles to stop unauthorised code being executed and look how secure they are.

This topic is closed for new posts.

Other stories you might like