'Stop-gap' way to get Linux on Windows 8 machines to be issued

The Linux Foundation is temporarily supporting a Microsoft security policy to ensure Linux isn’t blocked from running on PCs installed with Windows 8. The Foundation plans to obtain a Microsoft key to sign a pre-bootloader from core Linux kernel maintainer James Bottomley. Together, the key and pre-bootloader will allow users …

COMMENTS

  1. Wang N Staines

    hahahaha "should".

    1. mafoo
      Devil

      Win7

      I think equally importantly the question should be asked, "Is this going to prevent me from downgrading my OS to win 7"

      1. 4.1.3_U1

        Re: Win7

        or Fista, or even earlier win incarnations which are unsupported (or soon to be).

      2. Lewis Mettler
        Stop

        of course

        The purpose of this technology is to make sure you are paying Microsoft more money today.

        All other options are unauthorized.

      3. El Andy

        Re: Win7

        I think equally importantly the question should be asked, "Is this going to prevent me from downgrading my OS to win 7"

        No. Because x86 systems have to support turning UEFI secure boot off in order to get a Windows 8 logo. And ARM systems couldn't run Windows 7 anyway.

      4. RICHTO
        Mushroom

        Re: Win7

        Microsoft shouldn't allow this. It is asking for people to write malware system boot loaders and use them to then load Windows with a root kit.

        Microsoft should only sign boot loaders that in turn only load fully signed OS kernels.

        This is all the more important for Linux distributions with their much higher vulnerability counts than Windows OSs.

        1. h4rm0ny

          Re: Win7

          "This is all the more important for Linux distributions with their much higher vulnerability counts than Windows OSs"

          It's not "much higher". It's about 5-10% higher. And it's counterbalanced by the fact that Linux users have a much higher technical level of expertise on average (any given Windows user or Linux user might be the same, but the Linux user base doesn't usually include all the additional technically ignorant people that do use Windows and Apple alongside us more savvy users).

          That said, your point is correct in that in theory someone could use a signed Linux loader to load malware into Windows. I personally find it unlikely that anyone who is able to install and manage Linux would be unable, or even discouraged, from doing so by having to change one minor setting and disable Secure Boot. But the LF and Canonical seem to believe so. They may be right.

          1. RICHTO
            Mushroom

            Re: Win7

            No, much higher - as in it's more like 10 times higher:

            http://secunia.com/advisories/product/12192/

            http://secunia.com/advisories/product/18255/

            1. Anonymous Coward

              Re: much higher - as in its more like 10 times higher

              as it says on secunia's website -

              Secunia Advisory Statistics (2012) Statistics based on Secunia advisories released in 2012.

              PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

              so fud off

              1. RICHTO
                Mushroom

                Re: much higher - as in its more like 10 times higher

                If you bother to read you will see that those links quote life time vulnerability counts. Circa 360 For Windows Server 2008, and 3700 For SUSE 10.

                They are actually quite comparable products - both Servers OS distributions of a similar age. Oh but of course as it shows just how bad Linux is - suddenly that's not a fair point?

                There was also an analysis done by a security expert that also cut the Linux distribution down to only match the out of the box functionality of Windows Server - and Linux still has several times more vulnerabilities.

                This is why internet facing servers running Linux are so much more likely to be hacked than Windows ones.

        2. nac

          Re: Win7

          Security is a difficult and sometimes controversial thing to analyze. The only truly "secure" operating systems are those that have no contact with the outside world. The firmware in your DVD player is a good example.

          Among all modern general purpose operating systems (Windows, Mac OS X, Linux, Solaris, FreeBSD, NetBSD, OpenBSD) the most secure by default is by far OpenBSD. OpenBSD has an extremely stringent security auditing policy; only two remote attack vulnerabilities have been found in the last ten years. This is because OpenBSD doesn't create a large attack surface by running a large number of networked apps.

          Of course, the sad fact is that any networked operating system can be made insecure through careful misconfiguration. Windows' problems with security stem mainly from the fact that it runs with a large number of network services on by default, and that it (XP and prior) let the user run with full privileges by default. Windows Vista attempted to fix this issue, but people rejected it as "too confusing" and complained that their old apps did not work correctly under limited accounts.

          Mac OS X is better about user permissions, but still has had a (in)decent number of remote exploits. Apple's slow response to patch many of these issues will be even more worrying if it gains significant market share.

          Most Linux distributions have an excellent policy of quickly patching known security vulnerabilities. Unfortunately, two of the top ten distros deliberately use outdated code (Damn Small Linux) or make it too easy to run as a privileged user by mistake (Damn Small Linux, Puppy Linux). Were these distros to gain significant popularity, their users would be exposed to a larger number of vulnerabilities than if they encouraged proper security policies.

  2. wowfood
    Meh

    let me get this straight

    They put in the secure boot to prevent malware hijacking etc.

    To get past this temporarily Linux has gotten a microsoft key, which I assume costs money. This is a temporary measure, until they find alternate ways around the issue.

    But if they find alternate ways around the secure boot, then surely people will update their malware etc to abuse this new work around. And in response wouldn't microsoft have to block said workaround forcing linux back to buying the microsoft key?

    And yet it's google who are anti-competition.

    1. HMB

      Re: let me get this straight

      I'm afraid you haven't got it straight.

      The Register has previously reported on secure boot and Microsoft only give Windows 8 certification if the secure boot can be switched to accept alternative keys and can be turned off entirely (on x86 and x64).

      It appears that in an effort to whip up outrage from gnusers the same old is run again, but with the reassuring parts omitted.

      *sigh*

      1. Anonymous Coward

        @HMB - Re: let me get this straight

        Not quite straight!

        Microsoft will allow (but not require!) computer OEM to allow users to disable secure boot on non-ARM platforms and we all know how independent manufacturers are from Microsoft. So GNU users can still be rightfully outraged. Anyway it's not like you may freely install whatever you want on your (is it yours anymore?) PC.

        1. h4rm0ny

          Re: @HMB - let me get this straight

          "Not quite straight! Microsoft will allow (but not require!) computer OEM to allow users to disable secure boot on non-ARM platforms and we all know how independent manufacturers are from Microsoft"

          If you're going to correct someone, you should be correct. HMB has it right. It is a requirement that PC providers allow users to disable Secure Boot. The Reg. article or Linux Foundation are spreading FUD. Here is the relevant document:

          MS Hardware Certification Requirements. Because it's a long document, the part to skip to is the section on UEFI Secure Boot (begins page 118). The relevant paragraphs I have quoted below:

          "17. Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

          a. It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

          b. If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

          c. The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.

          18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."

          !--End Quote.

          Now, let's see who downvotes a post for putting factual information with a source.
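The firmware states described in the requirements quoted in the comment above (Secure Boot enforcing, Secure Boot disabled in setup, or PK cleared and the system in Setup Mode) can be read back from a running Linux system through efivarfs. The following is an added example, not part of the thread or written by any of its posters; it assumes the Linux efivarfs file layout, the function names and state labels are this example's own, and the sample variable contents are constructed.

```python
import os
import struct
import tempfile

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARFS = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point


def read_efivar(directory, name):
    """Return (attributes, data) for a global UEFI variable, or None if absent.

    An efivarfs file holds a 4-byte little-endian attribute mask followed by
    the variable's payload.
    """
    path = os.path.join(directory, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    if len(raw) < 4:
        raise ValueError(f"{name}: truncated efivarfs entry ({len(raw)} bytes)")
    (attributes,) = struct.unpack_from("<I", raw)
    return attributes, raw[4:]


def read_flag(directory, name):
    """Read a one-byte 0/1 variable such as SecureBoot or SetupMode."""
    entry = read_efivar(directory, name)
    if entry is None:
        return None
    data = entry[1]
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"{name}: expected a single 0/1 byte, got {data!r}")
    return data[0] == 1


def secure_boot_state(directory=EFIVARFS):
    """Classify the platform state from SecureBoot, SetupMode and PK."""
    secure = read_flag(directory, "SecureBoot")
    setup = read_flag(directory, "SetupMode")
    pk = read_efivar(directory, "PK")
    pk_enrolled = pk is not None and len(pk[1]) > 0

    if secure is None and setup is None:
        return "no-secure-boot-variables"  # legacy boot or efivarfs not mounted
    if setup:
        # Setup Mode means no PK is enrolled and Secure Boot is off (17.b in
        # the quoted text). Anything else deserves a closer look.
        if secure or pk_enrolled:
            return "inconsistent"
        return "setup-mode"
    # User mode: a PK is enrolled; enforcement may still be switched off in
    # firmware setup (item 18 in the quoted text).
    return "enforcing" if secure else "disabled"


def write_sample(directory, name, data):
    """Write a constructed efivarfs-style file (sample data, not a real dump)."""
    attributes = 0x27 if name == "PK" else 0x06
    path = os.path.join(directory, f"{name}-{EFI_GLOBAL_GUID}")
    with open(path, "wb") as fh:
        fh.write(struct.pack("<I", attributes) + data)


def demo():
    """Run the classifier over constructed variable sets; return the labels."""
    samples = {
        "factory default": {"SecureBoot": b"\x01", "SetupMode": b"\x00", "PK": b"\xa1" * 16},
        "disabled in setup": {"SecureBoot": b"\x00", "SetupMode": b"\x00", "PK": b"\xa1" * 16},
        "PK cleared": {"SecureBoot": b"\x00", "SetupMode": b"\x01"},
        "contradictory": {"SecureBoot": b"\x01", "SetupMode": b"\x01"},
        "no variables": {},
    }
    results = {}
    for label, variables in samples.items():
        with tempfile.TemporaryDirectory() as directory:
            for name, data in variables.items():
                write_sample(directory, name, data)
            results[label] = secure_boot_state(directory)
    return results


if __name__ == "__main__":
    if os.path.isdir(EFIVARFS):
        print("this machine:", secure_boot_state())
    for label, state in demo().items():
        print(f"{label}: {state}")
```
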

          1. Anonymous Coward

            Re: disable secure boot on non-ARM platforms

            Fine, but there are lots (and an ever increasing number) of arm platforms I might want to install linux on; some of those may well start off with windows on them.

            1. h4rm0ny

              Re: disable secure boot on non-ARM platforms

              "Fine, but there are lots (and an ever increasing number) of arm platforms I might want to install linux on; some of those may well start off with windows on them."

              And I agree with you. I would like to see the same thing apply to ARM, more or less. But this article and the certificate the Linux Foundation are talking about is explicitly about x86. And at the time I write this, my post (which has been up about ten minutes) has already been downvoted twice. A post which simply provides the relevant facts and an actual referenced source and which indicates that people will actually be fine to install and run Linux on Win8 certified devices. What these downvotes indicate to me, is that there are people here who actively dislike being shown that MS hasn't blocked Linux. People who honestly prefer to see Linux beaten down so they can complain about that, than to see Linux given an opportunity to be installed and chosen by people.

              1. Destroy All Monsters
                Linux

                Re: disable secure boot on non-ARM platforms

                > People who honestly prefer to see Linux beaten down so they can complain about that

                Linux Liberals!

                Solid info though, thank you.

                1. h4rm0ny
                  Linux

                  Re: disable secure boot on non-ARM platforms

                  "Solid info though, thank you."

                  You're welcome! I've been using Debian all day, today. Cheerleading for companies is...well, it's okay, but not to the point that people will actively fight against inconvenient facts. It's allowable that more than one OS can be good!

              2. Richard Plinston

                Re: disable secure boot on non-ARM platforms

                > What these downvotes indicate to me, is that there are people here who actively dislike being shown that MS hasn't blocked Linux.

                Which may be people who want to show MS as anti-competitive, Or it may be people who want MS to dominate the world and are upset that a Windows 8 machine could be corrupted with Linux (or Windows 7).

              3. Anonymous Coward

                Re: disable secure boot on non-ARM platforms

                whaaaa whaaaa someone downvoted me.. mummmmmmmy!

                1. h4rm0ny

                  Re: disable secure boot on non-ARM platforms

                  "aaa whaaaa someone downvoted me.. mummmmmmmy!"

                  You miss the point - the problem is not that someone downvoted me - that's just a personal thing that doesn't affect anyone. The problem is that indicates some people would prefer to feel victimised rather than actually learn they were wrong. Linux - or indeed any other OS - doesn't benefit from that sort of support.

          2. Euripides Pants

            Re: @h4rm0ny - some people still dual boot

            This would seem to be aimed at those who want to run Linux and Win8 on the same PC.

          3. HMB

            Re: @HMB - let me get this straight

            @h4rm0ny

            I would like to thank you for a very thorough, direct and sourced reply.

            The irony of the downvoters is that they think they are championing linux, but all they really do is make respectable linux users look more like goons by unfortunate association. They're the sort of people you don't invite along to parties because of inadequate emotional intelligence.

            One caveat I would come out with was that I could have made it clearer that ARM wasn't included in the fair secure boot plan. I don't agree with ARM being locked out on principle, but I find it distasteful that Microsoft gets singled out for this when Apple has been locking down its platform for some time. At least bash both of them in a balanced way.

            1. h4rm0ny

              Re: @HMB - let me get this straight

              "The irony of the downvoters is that they think they are championing linux, but all they really do is make respectable linux users look more like goons by unfortunate association. They're the sort of people you don't invite along to parties because of inadequate emotional intelligence."

              I've been using Linux for around a decade. And before that I was using UNIX. I remember when Ubuntu appeared and looking down on it for the way everything was pre-compiled. :D Yes, we don't need champions who would prefer a helpful lie to the truth.

              "One caveat I would come out with was that I could have made it clearer that ARM wasn't included in the fair secure boot plan. I don't agree with ARM being locked out on principle, but I find it distasteful that Microsoft gets singled out for this when Apple has been locking down its platform for some time. At least bash both of them in a balanced way."

              Agreed and noted. As I wrote elsewhere, I would also like to see ARM devices required to allow Secure Boot to be disabled. I have criticised MS for this on other occasions, but I guess here I was just focused on trying to correct the onslaught of misinformation (some of which is almost certainly deliberate as at least some of the people here must know better). I will keep it in mind for the future. Cheers.

              1. h4rm0ny

                Re: @HMB - let me get this straight

                Just to follow on about WinRT. I guess the difference as MS see it, is that with OEM devices, they are selling software. But with the WinRT devices, they are not selling software, they are selling hardware and software combined. And they don't want to be subsidizing competitors, e.g. Android, by selling hardware priced according to subscription models or offset by software costs, if someone will just take the hardware and use it as a cheap platform for a rival at MS's expense. E.g. a common rumour is that some of the WinRT devices are going to be sold on a subscription model much like phones. Naturally, MS would want the device to be locked, just like a phone is locked. Doesn't mean I agree with it, but I presume that may be the reasoning.

            2. Vic

              Re: @HMB - let me get this straight

              > The irony of the downvoters is that they think they are championing linux

              That's a bit of an assumption, unless you've got access to the vote database.

              IME, downvotes occur whenever you make a firm statement here, no matter how reasonable or accurate it might be. Announcing bad news is guaranteed to bring out the downvotes...

              Vic.

              1. h4rm0ny

                Re: @HMB - let me get this straight

                "Announcing bad news is guaranteed to bring out the downvotes..."

                That's the point. It's *good* news. Unless you actively want MS to be oppressing Linux. In any other regard, my post is a good thing for Linux as far as Linux users are concerned. And Windows users generally don't care if Linux does well because they don't see it as a problem for them. I posted a clear fact, with source and got downvotes. Almost certainly, based on the general tenure in the posts here, because it contradicted someone who was saying that MS were doing something bad for Linux.

                1. eulampios

                  @h4rm0ny

                  Unless you actively want MS to be oppressing Linux.

                  Unless you don't see it happening every single day. I'd use the abusing its monopoly against many competitors wording though.

                  You got my downvoting for this phrase and the zeal of whitewashing the charcoal.

                  1. h4rm0ny

                    Re: @h4rm0ny

                    "You got my downvoting for this phrase and the zeal of whitewashing the charcoal."

                    Someone says Secure Boot is MS stopping Linux without this workaround. I point out that this is not the case with explanation as to why. A rational person who wants Linux to do well receives the correction with pleasure because it means Linux isn't being held down. A person who is less interested in results but gets off on the company they dislike being shown to be evil and the entity they like being shown to be good (if you're oppressed, the logic says you are the good guy), regards my post as a bad thing because it shows what this article reports on isn't the negative thing that the original poster portrayed it as. So yes, I'm perfectly comfortable saying that those who downvoted my original post actively want MS to be oppressing Linux. I've just explained why. For such people, it's less about Linux doing well, and more about feeling they are right.

                    And you put yourself among those people.

                    1. eulampios

                      Re: @h4rm0ny

                      Even taking your own word on your decade of using Debian (Ubuntu etc) and the Microsoft related naivety doesn't undo many many bad things Microsoft has(ve, as in British) been doing for (the very) same decades.

                      Support of SCO, anti-ODF campaign, "Get the f**ts", "GNU/Linux, Android infringe on many of our patents" FUDs and more. "Windows Tax" is another way to oppress free market (not necessarily Linux, as you put it). To say nothing about their corrupted ubiquity in the public institutions.

                      They side with Apple oftentimes, because they see that evil likeness, kinship of black souls, brotherhood of crooks, so to speak. No wonder, why would they have publicly jeered at their partner's (Samsung) case loss.

                      Even if, once upon a time Chikatilo decided to be normal (just for now, of course)....

                      1. h4rm0ny

                        Re: @h4rm0ny

                        "Even taking your own word on your decade of using Debian (Ubuntu etc) and the Microsoft related naivety doesn't undo many many bad things Microsoft has(ve, as in British) been doing for (the very) same decades."

                        Yes, it may be difficult to believe but I distinctly remember using SuSE Linux 6.4 as my primary OS so yes, I have been using Linux for over a decade. And I was using UNIX and Solaris some time before that. As to "Microsoft related naivety", I was talking about Secure Boot. You are self-confessedly objecting to my correcting someone because you would prefer the party you dislike to look bad. That is called prejudice or bias. And you are now writing to explain why you feel that even if MS haven't done a bad thing in this instance, you feel justified in voting down a factual correction because you consider them to be evil. And you really don't see that as morally wrong? To try to vote down true facts because you would prefer the party you don't like to actually be doing something wrong so that others will feel the same way you do, rather than actually take satisfaction in the fact that there isn't a wrong here and that the earlier poster was wrong about Linux being restricted?

                        Thanks, but I have my priorities right, imo. I see Linux not be restricted by something (indeed, I hope to see it take advantage of the new technology in the enterprise), and that makes me happy, not angry that I have had ammunition taken away from me.

                        Seriously, when you find yourself resorting to bizarre character attacks, such as quoting and italicising my career history and implying I'm lying (especially when my argument isn't based on my experience in the slightest, but on actual sourced references I provided), when you start making arguments that involve "kinship of black souls" or suggesting Apple and Microsoft are drawn to each other because they see their "evil likeness", it's time to take a step back and re-assess if you're a fair and objective person.

                        1. eulampios

                          Re: @h4rm0ny

                          You got me wrong, I didn't question your experience. I just find it next to impossible to remain neutral towards Microsoft or even feel positive about them. I see it as paradox, myopia, amnesia or else.

                          The term "evil likeness" is not of course, what they discern in their own self. Well, I guess, Chikatilo must have had a good opinion of himself too.

                          Apple and Microsoft can't keep up with their competitors and resort to very similar dirty campaigns. Not only do they manage to spare each other, they even appear to be and are in unison.

                          Okay, secure boot is a nuisance and another *dirty* means against competitors. A number of machines with weird BIOS settings/features are already quite unfriendly to everything non-Windows. The whole controversy is just one more nail in the coffin, called "MS trust". I'd not waste my time in attempting to pull this nail out even if it was rusty.

                          1. h4rm0ny

                            Re: @h4rm0ny

                            "You got me wrong, I didn't question your experience"

                            You began your reply to me with: "Even taking your own word on your decade of using Debian (Ubuntu etc) " in italics. It's not even relevant to my original post, so it just sounds like you're trying to cast doubt on my word.

                            "I just find it next to impossible to remain neutral towards Microsoft or even feel positive about them."

                            Right. Which is my point. People are downvoting a factual, sourced post which shows Linux is not being restricted, and they're doing so because their reaction is not positive because Linux isn't being blocked, but dislike of the post because it shows a party they are not neutral toward as less evil. The reaction of a normal person to finding something bad hasn't happened, is a positive one. The reaction of the downvoters (incl. you) is disappointment or anger. For such people, the need for the party they hate to be evil outweighs the actual desire for that party to do good. When you prefer someone to do evil rather than good, your hatred of them has gotten the better of you.

                            "Well, I guess, Chikatilo must have had a good opinion of himself too."

                            No idea who or what Chikatilo is but it's the second time you've brought it up. Searching brings up a Russian serial killer though. Are you now likening Microsoft to serial killers? Do you have any idea how ridiculous and maybe even offensive, that would sound to people outside of small anti-Microsoft echo chambers like The Register?

                            "Apple and Microsoft can't keep up with their competitors and resort to very similar dirty campaigns"

                            You've just named the two most successful OS producers in the world as those that "can't keep up with their competitors". You mean in technical features? Do you have even the remotest idea how difficult it is to write even just a modern OS's kernel? Have you ever worked on a project that size? Have you ever actually looked at what new features MS have come up with for Windows over the years? Why don't you do that before you dismiss without looking the work of thousands of skilled developers.

                            "Okay, secure boot is a nuisance and another *dirty* means against competitors"

                            Is the above just an article of faith with you that you feel you don't have to actually support? It has been shown that no PC is going to have a problem with Linux because of this. Will you be on here posting the same comment when Android devices start using Secure Boot? Will you be angry when CentOS comes as a signed kernel and uses that as a sales point over their competitors?

                            "A number of machines with weird BIOS settings/features are already quite unfriendly to everything non-Windows"

                            UEFI is not BIOS any more than a car and a horse are the same thing. And what settings are you referring to, specifically? I'm okay with technical detail so when you make a comment like this, please feel free to specifically say what BIOS feature has caused you a problem. In fact, I insist. Otherwise I will not be convinced as I have Debian and Ubuntu running fine on two recent motherboards right here.

                            "I'd not waste my time in attempting to pull this nail out even if it was rusty."

                            It seems based on your desire to vote down inconvenient facts, that you'd go so far as to try and stop other people pulling out the nail if you could.

                            "I'd not waste my time in attempting to pull this nail out even if it was rusty."

          4. Lewis Mettler
            Stop

            the purpose

            The purpose here is to make it much more difficult to install anything other than the latest version from Microsoft.

            You are an idiot if you think otherwise.

            So you really think that Microsoft would accept such roadblocks preventing the use of a Microsoft product?

            Force consumers to buy the Microsoft product. And then make it as difficult as possible for a consumer to use anything else. It does not have to be technically impossible to have a huge effect upon consumers.

            Consumers are just dumb idiots being manipulated by Microsoft to secure their monopoly. You are real stupid if you do not understand that.

            1. HMB

              Re: the purpose

              @Lewis Mettler

              "...You are an idiot if you think otherwise..."

              How intellectually compelling. What an argument.

            2. dajames
              Pint

              Not quite an idiot ...

              @Lewis

              The purpose here is to make it much more difficult to install anything other than the latest version from Microsoft.

              Maybe, but not in the way that you mean.

              The actual purpose seems to be to enable Microsoft to claim to content providers that their platform -- especially the ARM platform, which they see as a platform that will be used almost exclusively for media consumption -- is a secure platform that will not allow its DRM measures to be hacked or circumvented.

              That way, they hope that media providers (read: music and movie companies) will license their content for Windows platforms, and not for the competition, and that Microsoft will be able to rake in the dollars for selling it through their store. Just look at how much of Apple's revenue is from OS and devices, and how much from iTunes.

              It's not about the platform, that hasn't enough value to be worth the effort, it's about the content market.

              I had thought that MS might also be trying to tie the device to the OS so that they could subsidize Win8 tablets by "selling" the OS to manufacturers at negative cost without having to worry that users could just strip Windows off and run Android, so getting a cheap Android tablet courtesy of MS! It now seems that it will be possible to get Linux or Android signed with the "Microsoft key" (isn't it actually a Verisign key?) so anything should be runnable, as long as it's signed.

              ... and having seen the expected retail prices of some Win8 tablets I know there's no subsidy!

              Beer glass, because the value is in the content.

      2. dogged
        Alert

        Re: let me get this straight

        Gavin, why don't you just write

        ZOMG THE WORLD IS ENDING MICROSHAFT IS KILLING LINUX BECAUSE STEVE BALLMER IS A FAT DEMON WHO SWEATS AND THEY WILL EAT YOUR CAT BTW WINDOWS 8 SUCKS SWEATY BALLMER BALLS AND SO DOES EVERYTHING ELSE THEY EVER MAKE EXCEPT WHERE IT'S BRILLIANTLY EVIL EHRMERGERD

        You know you want to.

        It's pretty much everything you've written for eighteen months.

    2. Another Justin

      Re: let me get this straight

      It's not really a workaround that malware can use - the bootloader performs a "present user test" (just a prompt that says "WARNING: This Binary is unsigned, Are you sure you wish to run an unsigned binary in a secure environment?") before allowing an unsigned chained bootloader to run.

      Anyone who is not used to seeing this message (e.g. Windows users, or users of another signed OS) will be alerted to the ruse if malware attempts to use this to subvert secure boot. Anyone who is already using this bootloader is essentially disabling secure boot anyway.

      1. edge_e
        Stop

        @Another Justin

        This is alright by me as long as the message appears at first boot and then generates a key for the image it is booting and doesn't display the message again unless I've been hacked.

  3. Anonymous Coward

    Linux as an authorised piece of software on Windows 8 PCs

    One word: What The F***!

    1. Ragarath

      From what I understand (may be wrong).

      Windows 8 will require UEFI (A MS and others designed bit of hardware stuff) as most PC's get sold with Windows on. it will become widespread.

      Any software that wants to boot needs to be signed so that it is known not to be malware or if it is can be traced back to source I guess.

      Penguins have been clamoring that this locks them out because of the GNU and other licences that require them to be "open" which secure boot is not.

      Although the article makes it sound like it is Windows' fault, it is not, MS stipulated it must be used to ship a Windows 8 PC but it can be disabled (unless it uses ARM). The market share of MS is what is making the penguins worry because they think it'll stop people that have bought a MS PC from being able to load Linux.

      As far as I am aware there was discussion of allowing new keys to be uploaded.

      1. Destroy All Monsters Silver badge
        Holmes

        > Penguins have been clamoring that this locks them out because of the GNU and other licences that require them to be "open" which secure boot is not.

        NOPE. Do you hear "penguins clamoring"? Are we in Antarctica? No.

        What happens is that the bootloader has to be signed [by someone who owns the private key the public counterpart of which is on the motherboard]. Apparently this is MANDATORY on ARM machines for some reason.

        This as far as I can see has nothing to do with GNU licensing.

        It has to do with someone [who?] going to the keyholder guy [who owns the private key the public counterpart of which is on the motherboard] with a compiled version of GRUB2, then asking nicely whether he would like to sign this binary thank you very much and can we come back once the next bugfix release is due.

        Now the keyholder guy may want to get paid or the outfit which manages the certificate chain involved might. Apparently in this case the latter is Verisign and someone [who?] will come up with the cash.

        1. Wensleydale Cheese

          Not a big problem, unless you are developing for ARM, methinks

          @ Destroy All Monsters

          "It has to do with someone [who?] going to the keyholder guy [who owns the private key the public counterpart of which is on the motherboard] with a compiled version of GRUB2, then asking nicely whether he would like to sign this binary thank you very much and can we come back once the next bugfix release is due.

          Now the keyholder guy may want to get paid or the outfit which manages the certificate chain involved might. Apparently in this case the latter is Verisign and someone [who?] will come up with the cash."

          From the article it appears that both instances of [who?] will be the Linux Foundation, or Canonical for Ubuntu. If I remember correctly, the cost of signing is in the region of USD 95.

          For non-ARM machines, the check can be switched off if you have physical access to the computer (i.e. can modify the UEFI equivalent of BIOS settings).

          You are right about the bugfix problem of course. This could be a real pain for those involved in developing and maintaining GRUB2 and other boot loaders, especially for ARM systems.

        2. This post has been deleted by its author

        3. tom dial Silver badge

          BS!

          If I purchase a piece of hardware, that should include both the platform key and the software to generate and install a new one. Anything less is, to my way of thinking, a security vulnerability. On my hardware, I should be in position to control the installation of the keys that are used to manage software installation.

          If, on a machine with Windows I choose (either actively or passively, as most purchasers will) to delegate my rightful authority to Microsoft, that is my right. And although it is Microsoft's right to restrict certification of a system for Windows if they wish, it is not their right to control the platform key to a system that they do not own.

      2. Anonymous Coward
        Anonymous Coward

        @Ragarath - Small correction for you.

        Any software that wants to boot needs to be signed with Microsoft's private key because UEFI specs do not allow more than one public key in firmware. This locks everyone else out of the PC platform and the fact that there was a discussion means nothing to them. It's not Windows' fault, it is Microsoft that designed it like that.

        1. h4rm0ny

          Re: @Ragarath - Small correction for you.

          "UEFI specs do not allow more than one public key in firmware"

          They do allow multiple keys. But there are "platform keys" and "key exchange keys". There is only one "platform key" as far as I am aware, but you can have multiple keys for signing OSs and boot loaders. MS would not normally control the "platform key" for a device - that would be the maker of the hardware. At any rate, it is certainly possible to have multiple installs signed with different keys which is in contradiction to what you wrote.

          Also, you write that "it is Microsoft that designed it like that." This is also incorrect. MS do not control the UEFI Forum that produce it, nor do they have that much influence on the specification. It's a multi-partnered body with about a dozen members - everyone from Apple to AMD to Lenovo. Pretty much open to any of the main players in developing motherboards and related hardware.

          The amount of misinformation being confidently asserted as facts in this story and the comments here, is staggering. In some cases actually trying to correct people who know what they're talking about.

          1. Yet Another Anonymous coward Silver badge

            Re: @Ragarath - Small correction for you.

            They allow multiple keys on Intel but not on Arm.

            They feel they can get away with only allowing a single OS on a tablet/cell phone because Apple (and every other cell phone maker) already do - but if they locked all the world's PCs to be Windows only the anti-competition people would be round sharpish

          2. Anonymous Coward
            Anonymous Coward

            Re: @Ragarath - Small correction for you.

            "The amount of misinformation being confidently asserted as facts in this story and the comments here, is staggering. In some cases actually trying to correct people who know what they're talking about."

            This happens in every comment section on the reg. The signal to noise ratio is never good.

            You're only really noticing now because this article happens to concern a field in which you have some expertise.

    2. ed2020
      Thumb Up

      Re. "One word: What The F***"

      That's three words, not one.

      Pedantry aside have an up vote because I totally agree with the sentiment.

    3. shade82000
      WTF?

      Re: One word: What The F***!

      Exactly that: W T F ?

      Don't get me wrong, Linux, Windows 7, Windows 8 & Windows XP (in that order) are all great OSes, but ...

      I don't, have never and never will buy a 'Windows 8 PC'

      I will however buy a 'PC version of Windows 8' and a 'PC that runs Windows 8'

      There is a big difference there and MS should understand their position in the stack.

      1. tom dial Silver badge

        Re: One word: What The F***!

        If you buy a 'PC version of Windows 8' you may have trouble installing it on a platform of your choice. If you buy a 'PC that runs Windows 8' it will be Windows certified and according to Microsoft's plan you will not own the platform key. Accordingly, you will not be allowed to install a boot loader that is not signed by Microsoft for Secure Boot. And if the equipment is ARM you will not be able even to turn off Secure Boot and boot an unsigned boot loader, which many of us have been doing for years without serious problems.

        What irritates me most about Secure Boot (Windows 8 and RT style) is that the security benefits are marginal and the inconvenience, for anyone who wants anything but Windows, is not. It is fairly clear that Microsoft is implementing it to reduce the risks associated with Windows software vulnerabilities; constrain the spread of non-Microsoft (and older Microsoft) operating systems; and possibly manage Windows licensing for virtual machine environments. I haven't heard the wailing, but Secure Boot affects other OS like FreeBSD equally with Linux.

    4. dssf

      Does that mean that on x86 platforms, Ballmer no longer sees

      Linux as a virus?

      Wow, never thought I would live to see this day, hahahaha..

      1. Anonymous Coward
        Anonymous Coward

        Re: Does that mean that on x86 platforms, Ballmer no longer sees

        We don't know that, but he does now get to control it to some extent. If you can't beat it get into the position to be able to control it.

  4. Peter Gathercole Silver badge
    WTF?

    Eh?

    "Microsoft key"? UEFI is not owned or controlled by Microsoft, so why should they certify it? Something's gone desperately wrong if Microsoft have control of Secure Boot certificates other than their own.

    1. JDX Gold badge

      Re: Eh?

      That was my thought. Unless MS have given them one of theirs as a gesture of friendliness?

    2. Tom Chiverton 1

      Re: Eh?

      Because 90% of motherboards only contain the MS key. So you have to use the MS key to sign the Penguin boot loader. Which rather defeats the point of secure boot...

    3. HMB

      Wood for the Trees Problem

      I think we have a "can't see the wood for the trees" problem here.

      No one is stopping Linux software companies from doing the same as Microsoft and saying "if you want Linux certification, you need a linux Master key in your BIOS".

      If you have a problem with Microsoft putting down specs for a piece of hardware that will be licensed to run Microsoft software, don't buy that hardware.

      If you have a problem with being forced to buy Windows when you buy hardware, I support you. It's anti competitive that Microsoft have strong armed companies into this practise that used to sell PC's that would run a few O-S' (Now I'm thinking way back to Dr-DOS and IBM Warp!).

      Microsoft can be sneaky bastards, but they are being fair about Secure Boot.

      1. h4rm0ny

        Re: Wood for the Trees Problem

        "No one is stopping Linux software companies from doing the same as Microsoft and saying "if you want Linux certification, you need a linux Master key in your BIOS"."

        That's an interesting point. Fedora and Ubuntu are the first Linux distributions to do signed boot loaders, but I would imagine Google / Android to be the first to actually roll out devices locked to the installed device, à la WinRT devices. It will be interesting to see the anger displayed or not displayed, when they do so.

  5. g e

    You know what?

    If the PC vendors told MS to get stuffed MS would drop it. Talk about cart before the horse.

    1. JDX Gold badge

      Re: You know what?

      That implies a secure boot thingie is a bad idea in principle. Is it?

      1. TRT Silver badge

        Re: You know what?

        It is for the myriad of bootable CDs/DVDs I've got to test hardware, defrag drives, kill rootkits etc.

        1. Wensleydale Cheese

          Re: You know what?

          @TRT

          "It is for the myriad of bootable CDs/DVDs I've got to test hardware, defrag drives, kill rootkits etc."

          Presumably everyone can grab the signed versions of GRUB2 supplied by the Linux Foundation or Canonical, and no doubt other major suppliers will provide their own as well.

          You might be stuck if you want to use some other boot loader of course.

          If you can boot from the rescue or diagnostic CD of choice you probably have physical access to the system and can disable the check (on non-ARM systems).

          But for anyone who wants to run dual boot Windows and non-Windows systems, turning the check off permanently is probably not a good idea.

          I would feel sorry for anyone trying to develop for ARM, except they have shown themselves to be pretty good at, for example, jail breaking phones.

          1. Yet Another Anonymous coward Silver badge

            Re: You know what?

            It does pose a problem for GPL3 software.

            If you distribute some GPL3 software - such as a bootloader - you also need to distribute the keys to require it to run. This is the circumvention measures (anti-tivo) clause. This was Canonical's problem with Grub - if they used Grub they felt they would need to release their private key as part of the GPL requirements.

            If I read it correctly this is a work-around where you have a lowest level bootloader that is signed ( but whose key you don't have and so can't replace ) to boot Grub or any other unsigned bootloader.

      2. tom dial Silver badge
        Linux

        Re: You know what?

        Secure Boot is not a bad idea in itself, although the security benefit seems to me to be fairly small. Secure Boot only makes sense if you trust the signer of the key exchange keys that control booting and software installation. Since these keys need to be signed using the platform key, you also must trust the platform key signer. Please tell me why I should trust Microsoft.

        So Secure Boot where Microsoft owns the platform key is a Bad Idea.

      3. Anonymous Coward
        Anonymous Coward

        Re: You know what?

        "That implies a secure boot thingie is a bad idea in principle. Is it?"

        On balance, yes, it probably is. It's not all bad but it's certainly not all good and for me the price is too high.

    2. Anonymous Coward
      Anonymous Coward

      @ge - Re: You know what?

      And what other OS are they going to sell then ? Remember, when Microsoft sneezes PC OEMs are catching pneumonia. Look at the joke the netbook has become when Microsoft imposed their specs on OEMs.

    3. h4rm0ny

      Re: You know what?

      "If the PC vendors told MS to get stuffed MS would drop it. Talk about cart before the horse."

      It's the "PC vendors" that came up with UEFI and Secure Boot. MS are one of about twelve partners on the UEFI forum and UEFI has been developed and pushed by hardware makers - from AMD to Lenovo to Apple.

    4. dssf

      Re: You know what? Spoonerism alert...

      Maybe it is heart before the course.. The course of things should be that the hardware owner decides what os can be allowed on the machine, but ms or an os vendor would decide what software behaviors would be allowed in the kernel and in user space.

      But, due to ms' money and marketing dollars, hardware vendors' hearts are in the money. Cart before the horse AND heart before the course (a Spoonerism I had been waiting for at least 15 years to use...).

  6. Anonymous Coward
    Anonymous Coward

    Yo dawg...

    ..we heard you liked bootloaders...

  7. Anonymous Coward
    Anonymous Coward

    The wrong way to go about it. If Linux suddenly stops working on all PCs and servers I'm sure Intel or whoever would soon change their product once sales of hardware fall.

    This is the beginning of the end of the open PC.

    1. Anonymous Coward
      Anonymous Coward

      If Linux suddenly stops working on all PCs and servers I'm sure Intel.....

      1. It's Windows 8 so does not in any way relate to Servers.

      2. It only needs the key to install Windows software on x64 machines, it can be turned off for other OS's.

      3. Where it is mandatory it's ARM, so why the crap would Intel give a toss. As it's ARM, they don't make any chips. So they don't give a toss. As it's likely to be on Tablets and phones, it means the manufacturers don't need to support other OS's, so they don't give a toss.

      In all you are 100% correct on all the other points.

      1. JDX Gold badge

        Re: If Linux suddenly stops working on all PCs and servers I'm sure Intel.....

        What about Windows 8 Server?

        1. El Andy

          Re: If Linux suddenly stops working on all PCs and servers I'm sure Intel.....

          What about Windows 8 Server?

          Since there is no ARM version of Server and since it is a requirement to be switch-off-able in x86/x64 machines, it's a complete non-issue.

  8. Blitterbug
    Unhappy

    I would comment, but...

    ...Last time I received a huge ad-hominem rant, so frankly can't be arsed.

    1. Destroy All Monsters Silver badge
      Trollface

      Re: I would comment, but...

      I hereby insult you!!

  9. tempemeaty
    Paris Hilton

    -____-

    I can't believe the industry allowed this appalling situation to happen in the first place.

    Paris? Because the industry is not making its own decisions anymore...it seems she's doing it for them.

  10. Anonymous Coward
    Anonymous Coward

    eugenicist bill gates

    wants to get you used to having the kill switch in your PC so he can kill linux 10 years down the line when no one can do anything to have the kill switches taken back out.

    1. Anonymous Coward
      Anonymous Coward

      Re: eugenicist bill gates

      Stay right where you are, I've called the hyperbole police and the paranoia ambulance, they'll be right with you.

  11. Reallydo Wannaknow
    WTF?

    what about installing from USB?

    "The pre-bootloader will allow you to install Linux from CD, DVD or via download" ... surely I'm not the only one who prefers to boot from USB?

    1. JDX Gold badge

      Re: what about installing from USB?

      Windows 8 supports boot-from-USB (for Windows 8 at least) as one of the handy features they've been going on about.

  12. Mystic Megabyte
    Unhappy

    Do we have any intelligent politicians?

    When you buy a Mac it is made by them and you expect their OS. That's fair.

    Microsoft don't make any PCs so it should be illegal for their OS to be paid for in the purchase price.

    Why not have it like shareware? At initial boot-up get the option* to pay $60 to use Windows or $1 to use Linux.

    *maybe a one week free trial before paying.

    Sorry if I have said this before but it needs repeating until someone in power does something about it.

    This is a bad case of a monopoly gone wrong.

    1. Tom Chiverton 1
      Stop

      Re: Do we have any intelligent politicians?

      "Microsoft don't make any PCs "

      *didn't* - or did you miss the Surface Laptop thing ?

      1. Anonymous Coward
        Anonymous Coward

        Re: Do we have any intelligent politicians?

        > *didn't* - or did you miss the Surface Laptop thing ?

        Don't… and I'm pretty sure they aren't going to be making Dell's laptops, Toshiba's laptops, Lenovo's laptops… etc even if they do start making their own.

        So the original argument still holds. And even if they did, what right have they to dictate what you do with the said hardware? Unless I missed something, these are machines that are being sold to the end user, ergo, they own them, not Microsoft, Lenovo or anyone else.

        Man must be master.

    2. Anonymous Coward
      Anonymous Coward

      Re: Do we have any intelligent politicians?

      ... or go to Novatech (or similar) and get a PC with no O/S and pay £90 less for the privilege.

    3. westlake
      FAIL

      Re: Do we have any intelligent politicians?

      >> Microsoft don't make any PCs so it should be illegal for their OS to be paid for in the purchase price.

      Bare Bones doesn't sell worth spit.

      The PC as a "name branded" plug and play home appliance or workhorse office machine has been around for about 35 years now.

      That makes it easy to sell and easy to support under warranty.

      Linux is hopelessly fragmented. The geek's next demand --- quite plausibly --- would be for a generic OS system ballot. Then a Linux distro ballot.

      Then a UI ballot...

  13. mr_jrt
    Stop

    Nice in theory, but...

    Secure boot is a wonderful thing - as long as it's your keys in the motherboard, and you sign the software you're installing. No nasty viruses then.

    ...but that's not what Microsoft are "allowing". They allow you to turn it off on x86...so it's their way or the highway if you want security....unless the mobo manufacturers play nice and let us upload our own keys....otherwise our PCs essentially belong to whomsoever's keys are on the motherboard - i.e. Microsoft.

  14. Anonymous Coward
    Facepalm

    Here We Go Again

    If anyone here has heard of Google, why not do some research before jumping up and down and making silly untrue statements. As well as falling for yet more Register baiting tactics.

    Apologies for the caps only but for those who would rather whinge than understand I feel it the only way to hopefully get the message across:

    UEFI

    IS NOT INSTALLED BY WINDOWS 8

    IT IS FIRMWARE THAT WILL BE INSTALLED ON SOME MOTHERBOARDS

    YOU CAN DISABLE IT - SO YOU CAN INSTALL WHATEVER OS YOU CHOOSE - EITHER WITH OR INSTEAD OF WINDOWS 8 OR ANY OTHER WINDOWS VERSION

    IF YOU KNOW HOW TO CHANGE BOOT DEVICES YOU WILL KNOW HOW TO DO THIS

    The only people that UEFI will prevent from installing Linux will be the people who wouldn't do that anyway.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Here We Go Again

      Yes we got that...? Mais encore?

    2. Anonymous Coward
      Anonymous Coward

      Re: Here We Go Again

      I have a UEFI laptop and the only way to get Linux on is via the Ubuntu installer that slips it into the Windows boot menu somehow. Can't seem to get a better distro on there because there is simply no option to choose the boot device or do anything to the machine pre-boot.

      1. h4rm0ny

        Re: Here We Go Again

        "I have a UEFI laptop and the only way to get Linux on is via the Ubuntu installer that slips it into the Windows boot menu somehow. Can't seem to get a better distro on there because there is simply no option to choose the boot device or do anything to the machine pre-boot."

        If the only way to get Linux onto your laptop was via the Ubuntu installer, then Ubuntu would be the only Linux distro in existence. You can manually install Grub (or even LiLo if you want). I *think* you can still boot Win7 from both of these as well. If you meant you want to dual-boot, then the Ubuntu installer is a nice friendly way to do this by inserting it into the Windows boot menu, but there are most certainly other ways to do this. I really hate to come across as a grouchy old hand, but if you see the Ubuntu installer as the only way to get Linux on somewhere, then you'd never have survived the days of compiling your own kernel. Try getting hold of Gentoo or Arch to experience "real" Linux. ;)

        1. John Deeb
          Boffin

          Re: Here We Go Again

          Uhmm, h4rm0ny, it seems you misunderstood the whole topic. Read up on the material here for example:

          http://www.rodsbooks.com/efi-bootloaders

          1. h4rm0ny

            Re: Here We Go Again

            "Uhmm, h4rm0ny, it seems you misunderstood the whole topic. Read up on the material here for example: http://www.rodsbooks.com/efi-bootloaders"

            Would you like to actually try pointing out something I have got factually wrong or have misunderstood? Linking to a page about bootloaders doesn't really say anything. If you're implying I don't understand how they work, you're incorrect.

  15. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    Protecting their investment

    I bought a Toshiba NB200 the other year. I wanted the model but I wanted it without Windows on it. I didn't want to pay the windows tax.

    Toshiba would only sell it with Windows because Microsoft had paid them and effectively stopped them from offering the machine in other formats; because they'd subsidised the cost of the netbook.

    In this case, I could happily wipe Windows and put Linux on it .... but with this UEFI business there is the possibility that Microsoft could get the manufacturer to ship a machine with only certain keys on it.

    In the world of the desktop, it is easy to get a mother board with whatever you want. When it comes to portable devices; phones (ARM) tablets, laptops, netbooks, notepads, power books, whatever the heck you want to call them ... you're fucked.

    The potential here is frightening. I for one, am writing to my MP about this.

    1. westlake
      Holmes

      Re: Protecting their investment

      >> Toshiba would only sell it with Windows because Microsoft had paid them and effectively stopped them from offering the machine in other formats; because they'd subsidised the cost of the netbook.<<

      Walmart spent the better part of a decade trying to explain Linux to its big box retail market.

      Having no success whatever in this, the chain was reduced to running yellow-striped borders --- like a CSI crime scene tape --- around Linux info boxes warning its customers that these systems would not run software sold for the Windows OS.

      Despite its enormous purchasing power, Walmart could not deliver a credible Linux PC that cost significantly less than its brand name Windows competitors.

      The geek simply ignores economies of scale --- which is the real meaning of the Microsoft "Tax."

      Walmart BTW sells tons of software, hardware and accessories to its Windows customers. The after-market in Windows is golden.

      In 2012 Walmart.com offers over 300 flavors of the Windows laptop. While Toshiba remains in the business of delivering a product retailers are anxious to have in stock.

      1. Wensleydale Cheese

        Re: Protecting their investment

        @westlake

        "Walmart BTW sells tons of software, hardware and accessories to its Windows customers. The after-market in Windows is golden."

        Another aspect of this is that a young lady at work was complaining that all her friends were recommending various bits of Windows software to buy, but she had bought a Mac and didn't know where to look to buy equivalents.

        I honestly didn't know where to point her (this was pre-App Store days), simply because I am capable of hitting open source stuff and building it, or rolling my own solutions.

        This was a lesson to me that we geeks don't always get it.

    2. h4rm0ny

      Re: Protecting their investment

      "The potential here is frightening. I for one, am writing to my MP about this."

      It's good to hassle MPs, but you have your facts wrong in this case (unsurprisingly as the Reg. article gets it wrong). It is required that any device manufacturer allow a physically present user to disable Secure Boot if they want the device to be certified for Windows 8, so with this requirement, MS are actually ensuring that the scenario you describe can't happen (unless Toshiba chose to forgo getting Win8 certification which they will not).

    3. Shaun Bartoo

      Re: Protecting their investment

      What part of 'subsidized' did not click in your brain? MS threw in money, so the NB200 ends up cheaper at market than it would have been if it hadn't. So if they hadn't made that arrangement, the device would have (theoretically) been more expensive without it.

      There are plenty of things to go to your MP about. This is hardly one of them.

      1. Anonymous Coward
        Flame

        Re: Protecting their investment

        Now to the point - where is my ability to buy an NB200 without Windows on it? I can't, because Microsoft locked down my purchasing ability.

        The fact that I was able to wipe the machine and put my preferred solution on it, is what saved me. Otherwise I would have been unable to buy the hardware at any price ... because it would be locked to Microshaft's bloatware.

        So no matter what you think, I'm complaining to my MP. I have machines that run 24/7 and bring themselves back up after a power cut that is beyond the UPS ... am I supposed to always be there to press a button when this happens? No way.

        Also, why are the US companies Intel and AMD allowed to have a get out while UK company ARM isn't ?

        This whole microsoft requirement stinks like shit; I'm as mad as fucking hell and my MP is damn sure going to know about it.

        1. h4rm0ny

          Re: Protecting their investment

          "Now to the point - where is my ability to buy an NB200 without Windows on it? I can't, because Microsoft locked down my purchasing ability."

          That really has nothing to do with this story about Secure Boot, but have you contacted Toyota and asked if they'll reimburse you if you don't use Windows? Dell, Acer, Lenovo and HP have all refunded people for the cost of the Windows licence if unused. Toshiba might also. That said, with volume licencing and the fact that the NB200 is very old and comes with XP on it, you're probably going to get very little back. (And it's Toshiba who are selling it with Windows on, not MS, just for accuracy). You could also buy it second hand as it's a few years old in which case you won't be paying for a Windows licence if that helps?

          "So no matter what you think, I'm complaining to my MP. I have machines that run 24/7 and bring themselves back up after a power cut that is beyond the UPS ... am I supposed to always be there to press a button when this happens? No way."

          I'm not sure what you're talking about here. Are you talking about Secure Boot blocking unsigned code from loading without user verification? Surely you would want that if you have Secure Boot turned on as that is what it is supposed to do. If you don't want that, just turn it off. (I am assuming that you aren't talking about 24/7 ARM machines on UPS).

          "Also, why are the US companies Intel and AMD allowed to have a get out while UK company ARM isn't ?"

          Because AMD and Intel make x86 hardware and ARM does not. Incidentally, ARM architecture was designed by a British company but the technology is actually licenced by a large number of hardware companies including US companies.

          "This whole microsoft requirement stinks like shit; I'm as mad as fucking hell and my MP is damn sure going to know about it."

          I genuinely don't understand why you are angry about the Microsoft requirement for Secure Boot which is that a user has the ability to turn it off on x86 devices. Without that requirement, device manufacturers could lock their x86 hardware to a specific OS. You understand that UEFI is not a Microsoft technology and nor is Secure Boot? It's produced by a forum of hardware manufacturers of about a dozen major hardware manufacturers. Linux distributions are also perfectly capable of signing code for Secure Boot.

          1. Anonymous Coward
            FAIL

            Re: Protecting their investment

            It has everything to do with secure boot.

            Toshiba wouldn't SELL me an NB200 without Windows on it. Don't people understand this yet?

            Microsoft had contributed to the cost of the NB200 that was sold with Windows. Even if I wanted to pay the extra, I couldn't get an NB200 without Windows. It has nothing to do with the fact that manufacturers couldn't sell laptops with Linux.

            As long as this kind of thing is possible, then what is to stop Microsoft insisting that the only keys installed on the NB200 (as a future example) is for the operating system that it is shipped with ... as it is ploughing money in to the sale.

            Whether there was any part of the deal between Toshiba and Microsoft that restricted how Toshiba could otherwise sell the hardware, I don't know. All I know was that I wanted an NB 200 so that I could do my own thing with ... and the only way I could do that was because secure boot wasn't being enforced a few years ago.

            What the potential is for secure boot to play a part in such microshite/manufacturer deals now ... who knows, but I'm very, very wary of it and concerned about the situation.

            1. h4rm0ny

              Re: Protecting their investment

              "It has everything with secure boot. Toshiba wouldn't SELL me an NB200 without Windows on it. Don't people understand this yet?"

              I actually just looked up the Toshiba NB200 to see why you are having a problem. This machine doesn't even have UEFI. It has BIOS. You're insisting that a model that does not support Secure Boot, which comes installed with an OS (XP or Win7) that cannot use Secure Boot, has "everything to do with secure boot". It doesn't. That's what I've been telling you - what you're angry about has nothing to do with Secure Boot.

              "Microsoft had contributed to the cost of the NB200 that was sold with Windows"

              If that is true, then doesn't that mean that MS are subsidising the cost of the NB200. Your second comment: "Even if I wanted to pay the extra, I couldn't get an NB200 without Windows" doesn't make sense - if you're willing to pay extra for a device without Windows for some reason (I would not be), then you can just wipe the Windows that comes with it and not have to pay the extra. And again, this is nothing to do with Secure Boot. Do you think for some reason that Secure Boot would prevent you wiping Windows from your x86 device? If so, you have a very, very incorrect understanding of what Secure Boot actually is.

              "As long as this kind of thing is possible, then what is to stop Microsoft insisting that the only keys installed on the NB200 (as a future example) is for the operating system that it is shipped with ... as it is ploughing money in to the sale."

              As has been pointed out several times - MS are actually requiring hardware manufacturers to allow users to disable Secure Boot on PCs. Are you getting angry about hypothetical scenarios? Is that the issue?

              "What the potential is for secure boot to play a part in such microshite/manufacturer deals now ... who knows, but I'm very, very wary of it and concerned about the situation."

              Okay. Fine. But your earlier posts were giving the strong impression you were angry about an actual wrong being done now.

              1. Anonymous Coward
                Anonymous Coward

                Re: Protecting their investment

                What is so hypothetical about this?

                Do you think it is wrong for an operating system manufacturer to hold sway over a hardware manufacturer?

                Why would Microsoft subsidise the cost of a netbook? What is in it for them? Do you think it is coincidence that Toshiba wouldn't sell me an NB200 without an OS? I'll tell you this .. that I personally can think of no other reason that an OS manufacturer would put money behind the sale of hardware unless it was for the reason of keeping competitors off that platform.

                I have no proof, but that is my personal opinion.

                If you do accept this, then you have to think where microsoft would draw the line; what kind of behaviour they wouldn't indulge in, in order to prevent their competitors from being in the market.

                Hardware and software companies performing "lock in" to their products is pretty much IT legend. Greed is all over the place; even as the UN wants companies to get around the table, the next headline I hear is that MS is bashing Google directly over the head with a legal hammer. (they're all at it, in my humble opinion, but that doesn't detract from my point.)

                If Microsoft are in a position to control what will boot on a computer, or under what conditions things can boot ... then that is over the line. Concessions or not, that is directly over the line.

                If the industry thinks that this is the way to go, then control needs to be in the hands of a neutral body and all hardware, no matter who makes it, should have the option for the owner of the hardware to turn secure boot off ... and none of this, someone has to be there to press a key garbage.

                WHY does MS think that it is OK for i86 to be allowed to be turned off, while ARM can't? That's one question I've not yet heard convincingly answered.

                1. h4rm0ny

                  Re: Protecting their investment

                  "What is so hypothetical about this? Do you think it is wrong for an operating system manufacturer to hold sway over a hardware manufacturer?"

                  Well, the question you ask is hypothetical when it comes to PCs because the devices are not locked to a particular OS manufacturer and MS require any manufacturer to ensure that they are not under threat of withholding Win8 certification from them. So that is what is hypothetical.

                  "Why would Microsoft subsidise the cost of a netbook? What is in it for them? Do you think it is coincidence that Toshiba wouldn't sell me an NB200 without an OS? I'll tell you this .. that I personally can think of no other reason that an OS manufacturer would put money behind the sale of hardware unless it was for the reason of keeping competitors off that platform."

                  Again, I point out that this has nothing to do with Secure Boot, that neither the NB200 supports it (it's not even a UEFI device) nor the OS (XP or 7) can use it. Do I think it's coincidence that it's only sold with Windows on it? No of course not - marketing decisions don't just happen by coincidence. I imagine it's mainly because, as Asus found, the market for PCs delivered with Linux on them was so small as to not really be worth the extra support and bureaucracy and that they also got hassle from people returning them because the buyers were ignorant that PC does not mean Windows. And this is the case for nearly all mainstream sold PCs, not just this one that you say MS subsidized. I also have to ask what you actually mean by MS subsidised the cost of the laptop. Taken literally, it seems to imply that money was flowing from MS to Toshiba, which seems unlikely. Should I read you as saying MS charged Toshiba less? That is quite common - large sellers always negotiate their own deals and these are often quite closely guarded secrets, so I want to know what the terms are that you say MS made Toshiba not sell blank devices.

                  "I have no proof, but that is my personal opinion."

                  It's possible. But as I've shown, there are also other explanations even though you stated you couldn't think of any. So we don't know if it's really the case or not, it's just hypothetical and as it's hypothetical it may not be appropriate for you to get as angry about it as you don't know whether it's the case or not.

                  Most of the rest of your post is just general comments against Microsoft and I don't know why you're directing them at me as I was talking about Secure Boot. I am not Microsoft. I'm just someone who understands how Secure Boot actually works. If you're going to reply to my post about Secure Boot, you should be addressing Secure Boot, not just using my comment as a platform for general anti-Microsoft attitude because the latter is not really a reply to what I was talking about.

                  "WHY does MS think that it is OK for i86 to be allowed to be turned off, while ARM can't? That's one question I've not yet heard convincingly answered."

                  I commented on this elsewhere. We don't know - it's not even out yet. But ARM devices are less generic beasts than x86 devices - the software is a lot more closely written to each individual device. (If Linux has only just built a generic layer for ARM, then I can only guess how far behind Windows is). In short, I don't know but I guess they are seen more like phones where the product is a closely-integrated hardware+software designed and sold (and crucially, budgeted for) as a single saleable thing, rather than as one thing (hardware) that comes with another thing (software). At least I presume that is the mindset. Basically, it's the same model Apple use with the iPad and some Android devices. You're not supposed to rip it apart for the parts. It may be that these are priced on the expectation that the installed OS will remain there. E.g. the iPad is priced as is because Apple expect to make money from people buying apps for it through the store. If it were generic hardware, it would be more expensive. Don't know on that front, but this is my guess for the motivations.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Protecting their investment

                    So in the absence of some more information on the reasonings behind some of the behaviours and motivations, we'll have to agree to disagree.

                2. Richard Plinston

                  Re: Protecting their investment

                  > WHY does MS think that it is OK for i86 to be allowed to be turned off, while ARM can't? That's one question I've not yet heard convincingly answered.

                  Because 'secure boot' not only locks out Linux, it also locks out XP and 7. MS would like to do that but the OEMs obviously would not, they have corporate customers that _will_ run XP or 7 and if the machine can't do that they will not buy them. If there was no option then the OEMs would make bare machines with no secure boot for that market. That would be unacceptable to MS as it loosens their control.

                  Home users, however, do not have an IT dept and will be unlikely to know or care how to turn it off. So they will not be able to try out CD or USB live Linux distros, nor set up a dual boot. Job done.

                  With ARM there is no previous Windows versions so locking out _everything_ does not disadvantage Windows users or OEMs while still achieving lockout of Linux and Android.

            2. Richard Plinston

              Re: Protecting their investment

              > Microsoft had contributed to the cost of the NB200 that was sold with Windows.

              It is extremely unlikely that MS contributes actual money to a computer, it may discount the licence fee. It has been said that XP for netbooks cost $25 which is much less than what was charged for XP on laptops and PCs. MS does also contribute to general advertising as long as such things as 'Designed for Windows', and no other OS are mentioned, are on the OEM's advertising.

              > Even if I wanted to pay the extra, I couldn't get an NB200 without Windows.

              That may be true. MS give 'loyalty' discounts to OEMs. As long as every one of particular models* are sold with Windows then there is a discount which is applied to _all_ licences. If they sell one machine of those models without Windows then they could lose the discount, not just for that machine, nor just for that model, but for _all_ MS software. That would be $millions.

              * Other models may be offered without Windows due to anti-trust issues, but those would have lower sales and proper costings would give them higher prices.

          2. Anonymous Coward
            Anonymous Coward

            Re: Protecting their investment

            "That really has nothing to do with this story about Secure Boot, but have you contacted Toyota and asked if they'll reimburse you if you don't use Windows?"

            How can I be reimbursed for money that the OS manufacturer has contributed towards the cost of the machine on my behalf? Please re-read what I've written with a little more patience and then come back to me again.

        2. Richard Plinston

          Re: Protecting their investment

          > This whole microsoft requirement stinks like shit; I'm as mad as fucking hell and my MP is damn sure going to know about it.

          Then don't buy the machines, there is no requirement that you purchase a computer with Windows on it, there are plenty of other companies that will sell you the parts or machines without Windows. Granted they may not be in your local high street store.

          1. Anonymous Coward
            Anonymous Coward

            Re: Protecting their investment

            The Tosh sales person told me that Microsoft had contributed to the price, that buying it without the OS would cost more, even if they could do it, which they couldn't. That's what I was told and I wish that I had it on tape.

            It would be great not to buy the machines, and standard PCs are a no brainer, indeed it is preferable to buy the bits and have control over where your money gets spent; but when you're talking netbooks or something that you can't get the parts for yourself, you've got a problem. Even if you can, it takes more than a bit of courage to get the spare parts for a device and then assemble it yourself.

            The NB100 didn't have the spec of the 200 at the time. I wanted the 200; the reviews were good, the keyboard was nice ... what am I to do ... buy nothing? No. I want MS to stop using their leverage to tie up the market.

  17. Steve Martins

    wild speculation...

    But no worse than the rest of you!

    My assumption is that Win8 *requires* UEFI secure boot so if you want to dual boot linux / win8 (on x86) you can't disable the windows key. Can anyone tell me how wrong i might be?

    1. This post has been deleted by its author

    2. Adus

      Re: wild speculation...

      I could be wrong, I don't think Windows 8 itself requires it, but Microsoft require OEMs who want to sell boxes with Windows 8 preloaded to support it.

      I've run Windows 8 on boxes without UEFI secure boot without a problem.

  18. Eduard Coli
    Linux

    Where is the Justice League?

    Where is the Justice League, Just-us Department err Justice Department and why aren't they kicking M$ in the groin over flagrant antitrust settlement violations like this?

    1. JDX Gold badge

      Re: Where is the Justice League?

      Too many big words, why don't you explain what you think MS have done wrong so we can ridicule you?

  19. Anonymous Coward
    Anonymous Coward

    Bahahahaha

    Linux... Signed by Microsoft.

    Isn't the world funny.

  20. Anonymous Coward
    Anonymous Coward

    Why bother?

    Let MS get it on the market, then get onto Neelie Kroes.

    MS have had a few dealings with her already (including the current "Oops we forgot to agree to the judgement for 1.5 years").

    1. Anonymous Coward
      Anonymous Coward

      Good idea

      I am technically outside the EU, so thought that the lack of the browser "Poll" in my copies of Windows 7 and WHS 2011 was sharp practice on the behalf of MS.

      But in fact both were manufactured in Germany.

      1. Al Jones

        Re: Good idea

        The browser poll is delivered by Windows Update, which probably uses your IP address to decide whether or not to deliver it.

        It has nothing to do with where your PC was manufactured.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why bother?

      Neelie Kroes is obviously in Microsoft's Pocket, or she would have hammered them over the way they forced Linux out of the Netbook Market.

  21. Yet Another Anonymous coward Silver badge

    Exactly how does UEFI protect me?

    I buy a MB from an unknown cheapest supplier in China, they claim to have implemented UEFI and installed a genuine copy of Windows8 - and it must be genuine because otherwise UEFI wouldn't allow it.

    That's like the international Association of Crack Dealers claiming that their new secure crack pipe only allows pure crack - and my local crack dealer then sells me a crack pipe and crack and it must be pure because otherwise the crack pipe wouldn't work!

    1. h4rm0ny

      Re: Exactly how does UEFI protect me?

      Secure Boot (not UEFI, Secure Boot is only a small part of UEFI) doesn't protect you against a corrupt hardware manufacturer. It protects you against malware that interferes with the boot process, taking effect before normal anti-malware measures are running. So just like buying a car alarm and immobiliser wouldn't protect me against corrupt car alarm manufacturers, but it does help protect me against everyone else. Basically, don't disregard a security measure because it's only effective against 98% of potential attackers, instead of 100%. There are boot process attacks out in the wild right now.

  22. g7rpo

    How does this work when you buy your components individually?

    Are all mobos gonna be subject to the same or is this just M$ forcing their wills on OEMs?

    1. h4rm0ny

      Re: How does this work when you buy your components individually?

      "Are all mobos gonna be subject to the same or is this just M$ forcing their wills on OEMs?"

      You have it the wrong way around. UEFI is created by the hardware manufacturers (AMD, Intel, Lenovo, etc.). MS are actually forcing a requirement on them that Secure Boot can be disabled. No x86 hardware is currently blocking MS due to being sold with Windows on it. The article is flat out wrong.

  23. jonfr
    Boffin

    Failure to prevent malware

    This secure UEFI boot is just a scam. It is not going to prevent malware infection of Windows 8 PC. This just shameless attempt to control the PC market by Microsoft.

    I run Gentoo Linux. It does not come with secure keys and I am not going to start paying Microsoft for one once I upgrade to UEFI computer. It is just not going to happen. I am going to find a way to disable UEFI secure boot and wipe the security key from Microsoft clean out. At the same time when I delete Windows 8 or Windows 9 when this happens.

    UEFI secure boot is only good for one thing. That is to lock the boot loader forever like is already done on ARM computers (mobile phones, tablets etc).

    This UEFI secure boot is not a good idea. It is not going to solve anything. It is going to lock things down for the PC in the future. Something that must not happen.

    1. Shaun Bartoo

      Re: Failure to prevent malware

      What part of 'Microsoft did not come up with UEFI, and is actually attempting to force the coalition that did, to allow it to be disabled' does not get through your head?

  24. h4rm0ny

    "This secure UEFI boot is just a scam. It is not going to prevent malware infection of Windows 8 PC. This just shameless attempt to control the PC market by Microsoft."

    This is dangerous misinformation and you are plainly not someone who has current knowledge of malware. There is malware active and in the wild that works by altering the boot process and which would be protected against by Secure Boot. For example, look at the Alureon family of Malware which infects device drivers and the disk's MBR. A significant and widespread piece of malware.

    "run Gentoo Linux. It does not come with secure keys and I am not going to start paying Microsoft for one once I upgrade to UEFI computer. It is just not going to happen. I am going to find a way to disable UEFI secure boot and wipe the security key from Microsoft clean out."

    That's very easy. It is a requirement of Win8 certification that you be able to disable Secure Boot. If someone can change the device they boot from in BIOS, then they similarly ought to be able to find the option to turn off Secure Boot in UEFI. It doesn't require hacker-level abilities.

  25. h3

    jonfr - If you use gentoo you can probably take advantage of secure boot better than most people.

    Hardened gentoo with signed binaries (With your own key in the bios). Probably the first place it will turn up.

    Just fixing Paludis to sign the binaries afterward.

    Or you could use it partially just sign the kernel and bootloader.

  26. just_me
    Boffin

    UEFI is a lockdown technique, NOT designed to prevent malware.

    Most if not all malware does not compromise the computer through the boot process. It compromises one or more of the running processes on a running computer to 'own' the target. The computer is already running at this point. UEFI only protects boot, not the running OS. Therefore the UEFI is NOT an anti-malware technique. The real purpose is to take ownership of the computer away from the person who actually bought it. Effectively the EULA that states that you are only 'leasing' the software is now being extended to the hardware.

    The additional effect is that Microsoft can put a 'check' of the booting OS DLLs to see if any of them are non Microsoft blessed. While this 'may' prevent some malware.. it also allows Microsoft to enforce what gets run on the operating system. Want a non-Microsoft blessed software product.. forget it unless Microsoft wants to allow it. Want that custom driver for that special piece of hardware? The developer has to get their OS kernel DLLs blessed by Microsoft, with probably appropriate fees paid to Microsoft.

    Presently there is a 'work around' and a non-enforce option on the hardware. How long will this last? ARM has already been completely locked for Win8 compatible versions. Will Windows 8 boot require it to be turned on to boot? Then instead of just selecting which OS to run on boot, you have to change hardware settings first then boot.. or if Linux or something else.. disable it first before booting. The question also occurs, what happens if Microsoft breaks and you need something like Knoppix to fix it?

    1. h4rm0ny

      Re: UEFI is a lockdown technique, NOT designed to prevent malware.

      "Most if not all malware does not compromise the computer through the boot process. It compromises one or more of the running processes on a running computer to 'own' the target. The computer is already running at this point. UEFI only protects boot, not the running OS. Therefore the UEFI is NOT an anti-malware technique"

      I can categorically state that you are not an active professional in the field of anti-malware development. I've elsewhere linked to entire families of malware that infect the boot process. I'll give you an example of a trojan. The user receives it somehow (typically an email attachment) and they run it. Now they're not going to run that executable every time they turn their computer on (particularly if it did not contain the video of Cheryl Cole naked that they were promised the first time) so the malware needs to infect the PC so it runs automatically. There are a variety of places it can hide and run and one of those places is the boot process. The advantage of the boot process is that the malware can activate before the anti-malware software (Norton, MS Security Essentials, whatever) can start - which helps it hide. By verifying that the code to be booted is signed and not altered, Secure Boot can protect against this. You can state that it isn't so, but I've actually linked to such software definitions elsewhere. It exists and it is widely known.

      1. Charles 9 Silver badge

        Re: UEFI is a lockdown technique, NOT designed to prevent malware.

        And don't say they'll just sign the malware code. That would involve getting Microsoft's PRIVATE platform signing key. In the history of PKI, only one major company has had its private signing key compromised (Realtek, for the Stuxnet attack, and that likely took state-level resources to pull). The companies know those keys are the weak links in the trust chain, so they're guarded as fiercely as the accountants hide their trade contracts (which contain trade secrets the competition would kill to get). So any malware that appears with a completely valid Microsoft code signature would be a sign of a bigger problem than just signed malware.

  27. IanPotter
    Stop

    Oh good

    I was starting to almost get blasé about buying hardware for running whatever I damn well please, back to checking compatibility of everything again. Marvelous..

    UEFI itself is not a big problem (well not if you don't want to p2v a UEFI based Win2k8 system anyway) my works laptop is UEFI based. But having been bitten before by shonkey gear that doesn't follow the specs until I have evidence that I will be able to utilize the motherboard/laptop in whatever way I see fit I will not be buying.

  28. John Savard Silver badge

    User-Generated Keys

    This article itself, not to mention the previous article another post has cited, notes that there was no problem on x86 computers, since on them the user can generate a key, and only on ARM systems would alternative operating systems be locked out. But it seems to say otherwise in the beginning; or is it that the key for Linux would simply make installing it more convenient (not having to go into the BIOS)?

    1. h4rm0ny

      Re: User-Generated Keys

      "or is it that the key for Linux would simply make installing it more convenient (not having to go into the BIOS)?"

      This last bit. You can simply turn off Secure Boot on a PC and not need the signed boot loader, but Ubuntu and the Linux Foundation have gotten themselves one so that the user doesn't have to go into the UEFI interface (UEFI is a successor to BIOS) because they believe that it might discourage users from trying out Linux. I'm trying to resist making a "back in my day" style comment about Linux users who would be discouraged by having to change the equivalent of a simple BIOS setting, but maybe things have changed and it really would put some off. Personally, I think they should just be grateful they don't have to hand-edit lilo.conf *grumble grumble kids today grumble* ;)

  29. Keep Refrigerated
    Trollface

    Quite Simple for me...

    I'm no longer going to buy hardware with their shit pre-installed. Where I can't obtain a shit-free alternative - or lets say it's my next company laptop - if I am unable to install Linux, I will bring it back to the supplier and report it as a fault with the hardware.

  30. just_me
    Boffin

    The keys are not controlled by the owner.

    If UEFI was intended to protect from malware, the user could enter their own keys for what they want to have boot. This is not the current approach.

    "This is dangerous misinformation and you are plainly not someone who has current knowledge of malware. There is malware active and in the wild that works by altering the boot process and which would be protected against by Secure Boot. For example, look at the Alureon family of Malware which infects device drivers and the disk's MBR. A significant and widespread piece of malware."

    So how did the malware get into the machine in the first place. It didn't get in through the boot process. The boot process is altered as part of the infection. What will happen is that the machine that gets infected will turn into a 'brick' and won't boot. You will not even be able to run anti-virus on the machine to fix it, if you shut down before detecting the infection. How did that prevent the malware infection? I can now see a large number of really pissed off 'brick' owners. True, you could try to re-install the OS and everything that was installed.. but how many people out there have OS install disks as opposed to the vendor 'fix' disks?

    The way to prevent malware infection is at the point of infection. Fix the programs that are running, use qualified knowledgeable programmers instead of cheap off-shore labor. Take the time to test. Run boundary checking and fuzzing software against critical CIs..

    1. h4rm0ny

      Re: The keys are not controlled by the owner.

      "If UEFI was intended to protect from malware, the user could enter their own keys for what they want to have boot. This is not the current approach."

      How would a piece of firmware tell the difference between a self-signed piece of software that the user wanted, and a self-signed piece of software that the user didn't want (i.e. malware)? It's similar to self-signed certificates on servers - you need a trusted third party to verify (i.e. sign) your certificate else it's just a piece of software saying: "trust me because I say you can." Unless the code to be booted is signed with a key that the firmware recognizes (i.e. the device maker's key), then it can't know if the signature is valid. Yes - Secure Boot is designed to protect against malware. I linked you to a specific example of malware that would be blocked by it. There was an article on The Reg. here not long ago where someone had demonstrated how they were able to carry out an attack which was blocked if Secure Boot was enabled. It's downright bizarre that you claim it is purely a scam. Which brings us to this...

      "So how did the malware get into the machine in the first place. It didn't get in through the boot process. The boot process is altered as part of the infection. What will happen is that the machine that gets infected will turn into a 'brick' and won't boot."

      I gave you a direct link to an example piece of malware. You ask how did the malware get onto the machine in the first place. If you check the first line of the summary for that malware (or the technical name of it), you'll see that it is described as a Trojan. This means that the user has actively installed it, typically under the expectation that it is something else, e.g. porn or some such.

      And nowhere in the description does it say that the infected device will become "a brick". Are you under the impression that Secure Boot will turn the device into a brick because of an infection? That's a good guess at what might happen if you haven't read up on it, but actually there are a range of options. First, note that this whole thing applies not just to the kernel itself but device drivers as well (which can also be infected). So you might for example, boot up in what used to be called "Safe Mode" with some functionality disabled allowing anti-malware software to re-install drivers or clean up infections. Also, typically, the system might start a separate repair or remediation process distinct from the normally booting OS which will again repair or clean up the infected system. There are all sorts of options, basically. Simply bricking the device and refusing to do anything...? Not by design, anyway.

      And remember that the goal of modern malware is not normally to brick someone's device, but to either extract information or subvert their resources (e.g. for DDOS). I suppose if you're asking could someone write a piece of malware that infected not only the OS that ran, but destroyed the alternate systems put in place to recover from that as well with the deliberate intent of making the device a brick, I don't know. Maybe. But it would be a near-useless piece of malware to write and without profit. You can write a virus now today that goes and destroys an OS and user data with less privileges than are required to pull off a bootkit. So Secure Boot is not opening up any vector for attack that isn't already there.

      Besides, you are aware that in the "bricking" scenario you have described, however unlikely, the user can just turn off Secure Boot, right?

      "The way to prevent malware infection is at the point of infection. Fix the programs that are running, use qualified knowledgeable programmers instead of cheap off-shore labor. Take the time to test. Run boundary checking and fuzzing software against critical CIs.."

      The whole principle of layered defence has just been discarded by you then? Firewalls should be disabled because no software on an OS will have a vulnerability that could be exploited? Suhosin and other server-level security should be disabled because no web-application written will have flaws in it? We should never scan for trojans because no user will ever install something without knowing what it does? We should never verify the signature of code we are booting because no malicious code will ever make it onto the device? That last one about verification of code - that's what Secure Boot does. I do not like your approach to security and I sincerely hope you are not involved in the field, though I get the impression you are not.

      Honestly, you say you use Linux - one of the most secure OS's ever written, and yet you post arguments against a useful security mechanism that Linux can also take advantage of. What are you going to say when most Linux distributions are also using this security measure? Are you going to write angry posts about how CentOS or Ubuntu Server should not have this security measure?

      1. tom dial Silver badge

        Re: The keys are not controlled by the owner.

        You have just explained fairly well why those of us who use Gnu/Linux, FreeBSD, NetBSD, etc, might want to use Secure Boot. You have not explained why we should not have the platform key and sign boot and other software as we choose, or delegate that to a key authority of our choice rather than to Microsoft, whom some, at least consider a bit untrustworthy. I see no reason why I should have less trust in a key that I generate myself than one generated by a third party. The risk of a self-generated key is not that it (or its controller) is untrustworthy, but that I will use it unwisely and thereby harm myself (or my computer system). But it is my system, and my risk.

        1. h4rm0ny

          Re: The keys are not controlled by the owner.

          "You have just explained fairly well why those of us who use Gnu/Linux, FreeBSD, NetBSD, etc, might want to use Secure Boot. You have not explained why we should not have the platform key and sign boot and other software as we choose"

          I never tried to explain why you shouldn't. I'm all for user ownership of the device. I'm just trying to correct some of the horrendous misinformation and outright untruths flying around here, e.g. that Linux is blocked from being run on x86 without this "workaround" or that Secure Boot is just a scam without purpose. I'm pro-Security and pro-Accurate Reporting, not pushing any other agenda.

          I guess I would say that if you routinely re-compile your kernel and modules then that mitigates some of the gains of self-signing. I.e. either you remove malware infections by recompiling, or if not then you're actually signing infected code. Though please don't think I'm arguing it has no value. I just think it more useful a scenario in the enterprise where you want to push out verified code to a lot of users, rather than worry about your own box when you're already an expert user. So I love seeing that Red Hat are leading the way in this for Linux. Being able to roll out Linux to a thousand PCs and know that no-one can alter that install without an alert or being locked out - that's good stuff. My (admittedly somewhat out of date) Gentoo box, I would be either forever generating new keys for a system where I reckon I know what I'm doing anyway (and for which there's very little malware out in the wild) or I'd just turn Secure Boot off. Anyway, those are my thoughts on it.

        2. dajames Silver badge
          Boffin

          Re: The keys are not controlled by the owner.

          You have not explained why we should not have the platform key and sign boot and other software as we choose...

          How would you know that the boot or other software that you signed with your key had not been interfered with between its leaving the supplier and your signing it? It would be OK if you compiled everything from source yourself (and checked the source for alteration before doing so) but most people don't do that.

          By having the supplier apply the signature you ensure end-to-end authentication of the software, which offers a higher degree of confidence that your software is genuine -- so long as you trust the supplier (and whoever provided the supplier with their code-signing certificate).

          ... or delegate that to a key authority of our choice rather than to Microsoft, whom some, at least consider a bit untrustworthy.

          As I understand it, the key will actually be the root of a PKI belonging to Verisign, not Microsoft. If that's so then you should be able to generate your own key and buy a code-signing certificate for it that's part of that PKI and (re-)sign the code yourself, if that's what you want to do. Of course, you'll have to pay Verisign for the privilege.

  31. Anonymous Coward
    Anonymous Coward

    Curious

    This isn't going for or against any of the arguments here, but I wonder how many people will pay a premium for OEM hardware with Win 8, said hardware is typically shit, with rarely updated drivers and often locked down tighter than a duck's arse without MS having anything to do with it, just to then remove Windows and run Linux instead.

    Yes, yes, there is freedom of choice etc, but by and large the VAST majority of OEM users will not know what Linux is, and on the same coin, the VAST majority of Linux users wouldn't buy OEM gear anyway.

    Course one of the marvels of capitalism is that there is plenty of choice, if an OEM decides not to allow it to be disabled then through the wonders of choice you just choose someone who does. You can bet your life that if an OEM sees that there is a market for the unlockable device it will make it that way and make a shit load of money doing so until the other OEMs catch up.

    You know, once all this is out in the open and IF it turns out everything is crapping on the end user then fine, let's slate the OEMs and MS, but until we know for sure what is going to happen, it all seems a bit of a storm in a teacup for the very reason and most logical outcome as I have already described above.

  32. catphish
    Linux

    I'm too lazy to actually read the specification, but why is it such a problem for major Linux distributors (Ubuntu, Red Hat) to build secure bootloaders and sign them properly in the same way that Microsoft do with Windows?

    I realize they would then sign kernels accordingly, and of course end users would never be able to build their own kernels (else malware could do the same), but most don't need to.

    Not necessarily an approach popular with hardcore free software types, but on most of my desktop systems where I don't build my own kernels, I'd happily see my system made more secure by an Ubuntu signed secure kernel.

    Penguin, because.

  33. Destroy All Monsters Silver badge
    Stop

    CALLING EL REG

    Instead of potentially inflammatory not too clear articles [and the readership being utterly confused / in thrall to confirmation bias as evidenced by the comment section] how about setting up an UEFI/SIGNED BOOTLOADER FAQ to clarify this controversy somewhat?

    Just a thought.

  34. johnwerneken

    Ubuntu Linux runs fine on my win8 machine, has for ages.

    Currently running the real RTM, plus the last beta aka RTM-time-limited-trial, and win8 RP, win7, win8 server, windows server 2008, and Ubuntu, plus have a bootable dos as well...all on one box.

    They must be talking about the ARM machines, which in fact would be a great environment especially for non-desktop distros. But I'd rather not compute while driving walking or eating, and can take x86 with me on a plane or find it at any physical location I'm willing to spend much time at.

  35. Anonymous Coward
    Anonymous Coward

    All your base are belong to us

    Someone had to say this. And you think this kind of DRM/treacherous computing was intended for the end user's benefit?

  36. Anonymous Coward
    Anonymous Coward

    I am not sure why but for some reason...

    .. after reading this the image in my head is like when you see the swampy beardy weirdy types screaming and complaining outside a government building about down with capitalism and stick it to the man! - then they all get on a bus and go to collect their government dole handout.

  37. eulampios

    h4rm0ny, enough pro-MS trolling already

    Do you have even the remotest idea how difficult it is to write even just a modern OS's kernel? It gives you away. +10^3!!! You made my day! Are you yourself writing kernels, Mac OS X? NT? So writing code, according to you, for Linux or, say, NetBSD kernel projects is an easier job? Taking much much higher portability of the latter two.

    Why don't you do that before you dismiss without looking the work of thousands of skilled developers. The main thing is that in proprietary projects developers are a proletariat, so the managers who often write nothing at all are the ones that make decisions (Darwin is not proprietary, I don't have any problems with it either).

    Okay, I see you trolling for Microsoft quite often, why is that? Do you work for them or your job depends on them?

    1. h4rm0ny

      Re: h4rm0ny, enough pro-MS trolling already

      "It gives you away. +10^3!!! You made my day! Are you yourself writing kernels, Mac OS X? NT? So writing code, according to you, for Linux or, say, NetBSD kernel projects is an easier job? Taking much much higher portability of the latter two."

      Where the Hell did you get that from? I wrote "how difficult it is to write even just a modern OS's kernel". Modern OS covers everything from Windows 7 to Solaris. I just wanted to exclude things like DOS or OS/2 (even these aren't small projects). Go and look at kernel.org and spend even half an hour looking through what goes into the Linux kernel. Then you will appreciate that you shouldn't make casual comments dismissing the work of people who write the OSs that are in use today. It's a massive job to create any of them and you make comments about not being able to keep up. Just staying on top of changing hardware is a massive job, let alone introducing new features. I have literally no idea what you think I am "giving myself away" or where you got the completely made up nonsense about my saying writing for Linux is an easier job. I was trying to get across to you that it is a hard job and you running down developers' efforts because you don't like a company is out of order.

      "The main thing is that in proprietary projects developers are a proletariat, so the managers who often write nothing at all are the ones that make decisions (Darwin is not proprietary, I don't have any problems with it either)"

      Firstly, you are obviously not aware that managing a large (or even small) software project can be a lot of work and that it can be entirely appropriate to make decisions without being a developer. It is not always a developer's job to know which features are most in demand from a customer or to keep track of what resource is available for different projects. Again, you're very quick to dismiss people's jobs.

      Secondly, this again has nothing to do with Secure Boot. I say it's wrong to downvote facts because you hate a company. Your only responses have been to pile on reasons why you hate Microsoft in the mistaken belief that if you can show they are evil enough, it's okay to call non-evil actions evil (and by inference, condemn me for pointing out that they are not). That's just silly. You prefer an actual evil to be done so that you can show people they are evil, than for them not to do an evil in the first place - i.e. you are arguing that it is right to downvote corrections showing an evil wasn't done. That's madness.

      "Okay, I see you trolling for Microsoft quite often, why is that? Do you work for them or your job depends on them?"

      How am I trolling? I just posted a factual correction and got massively downvoted. If there's any trolling going on here, it's you who keep launching unprovoked attacks at companies you hate or anyone who dares to point out an error in someone's criticism of them. And no - I've never worked for Microsoft nor expect to.
