As is said in church...
Let us pray.
A Spanish open source software users' association has filed an antitrust complaint against Microsoft with the European Commission, claiming that the company's implementation of UEFI Secure Boot stifles competition. Hispalinux, an 8,000-member organization that advocates for and facilitates Linux use in Spain, filed the …
The "implementation of UEFI Secure Boot" may have been an attempt, by Microsoft, to stifle competition, but it's just so damned difficult to stifle Linux. Pray as much as you like, however, and I hope Hispalinux does not invest any money in this rather unnecessary effort.
They really don't get it.
If I had a house with a top of the range burglar alarm system, I wouldn't expect to have to remove it because certain visitors didn't like it. I also wouldn't expect to have to disable it at the control panel every time I had a new visitor. Linux needs to get its act together to leverage what is a very useful security gateway.
This isn't a Microsoft issue at all. What Microsoft have done is for the potential benefit of all of us. Well, except maybe VXers and Malware writers.
"If I had a house with a top of the range burglar alarm system,"
And that's where your argument falls apart. "Secure Boot" only provides security in name. It doesn't solve any existing problem. Virtually no malware goes through the boot process today. It used to be a problem way back in the age of Parity Boot B. Today it is much easier to exploit Flash or Java holes. Tomorrow people might exploit bugs in UEFI, but once you are able to change the boot process, you are already root and can do anything you like on that system.
Actually, Secure Boot is a useful thing ... *when it is user-manageable*. The MS way of doing Secure Boot is locking the stupid thing with an MS provided master key, so only MS signed stuff will work. A truly secure system would have me being able to add my own master keys, or those from Fedora, Ubuntu, whatever.
Most if not all PKI systems have this ability, so should all "Secure Boot" systems have it.
Seems really unfounded... up to the manufacturer how they want to provide secure boot (could support any number of keys) and is completely allowable to be able to turn off secure boot. Microsoft is just saying that it must be turned on for a default Windows 8 installed system. Which is logical. It's up to the user then if they want to turn it off and be exposed to any associated risks.
All of our new cars will come with adulterated gasoline detection systems. The 'oil company approved' gasoline has chemical tags in it, and the cars won't start or run if the sensors detect 'unsafe' fuel. I can turn that off, with the proper key from the manufacturer ... but they strongly advise against it. It will void the warranty and expose me as a reckless consumer. Oh, dear! Should I complain to the car makers, or the monopolistic oil company that forced this upon us? But I do feel SO much safer ... !
Sort of, but MS designed Windows 8 (and the Recovery images made from a Win8 install) to not work with UEFI turned off after the fact. So, yes you can turn off UEFI in most new computers and install Linux, however, most of the time you will have to turn it back on to run Windows again. Yes, you can blow away all your GPT partitions (if you have the tools and know why you need to) and re-install Windows 8 (you'll have no disc and no physical key most of the time though) and then Linux, but be prepared to lose any factory recovery partitions (which also don't work if they were made with UEFI switched on when they were created (ala Sony)).
So yes, you can turn off UEFI, but it is not really just a matter of toggling a setting.
@MacGyver - Windows 8's boot security wouldn't be very effective if it did allow itself to be installed in a secureboot environment and then boot if secureboot was turned off, would it?
Besides, you can install, off the top of my head, Red Hat, Fedora, CentOS and Ubuntu with secureboot, so what's the problem?
@AC, I'm not sure why not? If a virus or something is able to flip settings in your NVRAM to turn on/off the secure state without you knowing (your proposal), then what would stop it from (in the future after someone is able to create their own keys, and this all becomes just another bother for legitimate users) injecting keys that match the boot changes it could make?
All I'm saying is that if a human is turning it off, then why wouldn't they at least allow that human the choice. We're not talking full drive encryption here, it would be trivial to allow the user to just run the recovery disk and move the install in legacy mode, but they have locked out that possible outlet (artificially I'm guessing).
The issue is that Hispalinux doesn't have keys, not those mainstream ones you listed. Hell from what I remember even Linus thinks that begging Microsoft for keys is wrong.
@MacGyver - The whole point of secure boot is to stop end users installing software or modifying the system to allow it to run malware. If you can get round this by entering a presumably non-password protected UEFI and switching off secureboot, I would wager quite a lot of money that it won't be long before there is malware that instructs users to do this. And it will work.
As for the keys - the UEFI spec requires and Microsoft require that you are able to add non-MS keys. The reason that MS have been signing bootloaders for some of the distros is that the distributors don't want to go to Verisign directly (or whoever) in order to buy keys.
The potential problem is that Microsoft owns the key used to sign the shim/bootloader for other OSes and can, should it have a mind to, revoke that key.
Let's suppose that once booted, the Linux installation you have just added in doesn't force driver signing. That means that it could be possible for the Windows installation to be manipulated to run unsecure components despite still having secure boot enabled. Microsoft could decide that this is a security risk they won't accept and go into the procedure for notifying the Linux bootloader writers that they are giving notice of revocation unless the vulnerability is fixed.
Now, since Linus, among others, is pretty unhappy with some proposals to put extra stuff into the kernel to reduce or remove this attack method, it could end up that it isn't possible to fix the problem in a way that Microsoft can accept.
At that point, people with SB enabled UEFI dual boot Win8/Linux systems are no longer able to boot their Linux installations because Windows has updated the valid keys in the UEFI storage and the shim bootloader no longer has a valid signature.
I'm not saying that this will happen, but since the Linux community is beholden to MS/Verisign for the key(s) it needs then it could happen.
I think you seriously underestimate the amount of work, inter company co-operation, money and time that is required to design and build a system.
Linux would be, frankly, fucked if you needed special hardware to run it on. The strength of linux is that it's a free, open source operating system which can run on commodity hardware. Who would seriously go out and buy a proprietary computer in order to run linux?
"Windows 8's boot security wouldn't be very effective if it did allow itself to be installed in a secureboot environment and then boot if secureboot was turned off, would it?"
Why wouldn't it? It's up to the user to decide if they want that level of protection or not. It doesn't make it any less secure if the user does decide to use Secure Boot. It is Microsoft that insist that it can be disabled by the user for a PC to be Windows 8 certified, so that the user has the choice.
"The Free Software Foundation, which has lobbied OEMs to turn off the system by default and has urged consumers to boycott Windows 8 PCs."
Seems to me that Microsoft are doing a fine enough job of keeping People off of Windows 8 themselves, and don't need any further endorsements from the FSF espousing the same.
"...it appears that the OEMs can decide to give the end users the option to disable the UEFI secure boot..."
Exactly. OEMS *can decide* to give the users the option. Not "The OEMs have to give the end users the options". So, how many OEMs do you think will want to make their UEFI more complex by adding such an option if they don't have to?
"Exactly. OEMS *can decide* to give the users the option. Not "The OEMs have to give the end users the options". So, how many OEMs do you think will want to make their UEFI more complex by adding such an option if they don't have to?"
No, it's actually a REQUIREMENT for Microsoft Windows 8 certification that you can disable Secure Boot.
"No, it's actually a REQUIREMENT for Microsoft Windows 8 certification that you can disable Secure Boot."
Actually, it's a REQUIREMENT for Windows on ARM certification that you *CAN'T* disable Secure Boot. On PCs, they hastily added "user should be able to disable Secure Boot" after word got out of the Linux-disabling feature, and even then that was because MS knows they can't pull that off on x86 hardware without getting antitrust lawsuits in their face.
If Linux advocates spent one tenth of the hours that they spend whinging about Microsoft on forums actually coding, not only would we have seen the year of the Linux desktop, we may have reached the Technological Singularity.
Alas rather than trawl open source code for bugs and stuff, having a whinge about Microsoft and Apple is what counts as a meaningful contribution these days.
I'll summarize the extensive discussions that have taken place before as follows.
A) Secure boot has to be enabled by default for Windows 8 certification
B) Secure boot must be able to be switched off on all x86 devices for Windows 8 certification
C) The UEFI firmware specification is a collaborative effort that includes all the major PC manufacturers
It's almost as if Microsoft knew what would be fired at them with that when they specified point b. In basic terms though there are so many other, better, things to lambast Microsoft for (their incompetent implementation of the browser choice screen, the car crash that is/was Metro). That's where penguinistas should be firing their volleys... Not this.
P.s. Based on recommendations from here I am diving back into Linux this weekend after a long absence with Mint and cinnamon, yes, my Easter weekend looks like that
Here is my experience of UEFI. Let me know if you would find this something you would be happy about.
I use linux to repair malfunctioning windows machines. I boot them via network PXE boot and then work on them with Windows essentially offline.
The new UEFI standard means on HP laptops I have to:
1. Find the magic key to get into the bios
2. Disable secureboot and be told that this will likely make my system inoperable
3. Activate legacy boot options and enable
4. Enter a random generated pin to get the secureboot options off.
5. Reboot and press magic key #2 to get the legacy boot options to work at all, otherwise it boots straight into windows
6. Go and choose the network to boot from, even knowing I set it to be the default boot option within the bios
7. Allow the machine to boot
(from this point if I want network boot I must repeat steps 5,6,7)
vs before UEFI
1. Find the magic key to get into the bios
2. Set the default boot device to be network,
3. often enable PXE rom in the bios
4. Reboot
(From this point boot OS is determined via dhcp options)
Now if to boot windows you had to
1. Go and set an option that tells you that it will destroy your computer
2. Enter a code to show that you really want to destroy your computer
then for each time you boot
3. press a key that is not normally displayed
4. Actually select that you wanted to boot windows not (linux ICK!)
Would you be happy?
Would you send the bloody stupid thing back 'cause it's not fit for purpose?
Now as a consumer you cannot buy an alternative, because a behemoth company, used financial inducements to influence what you can buy.
Is the average lay person going to try a live CD when they are told that this will destroy their PC? This goes a little beyond a choice of browser. Unfortunately this is probably better described as an anti-competitive cartel. Action needs to be brought against the manufacturers. Otherwise Microsoft will just say it was up to the manufacturers if they wanted discounts for adopting a standard.
If MS lose a few billion. Nothing will change. If the manufacturers do, as well.....
Things will really change.
"Was insisted upon by MS to kill off boot loaders which circumvent their anti-piracy measures and is a handy DRM tool. It just happened that it gave them double jackpot in screwing over Linux."
You can simply turn off secure boot to do that. Which if you are going to the considerable effort required to pirate and properly activate Windows 8 is a pretty minor task.
This would truly be a case of the disease (e.g. Windows 8), being actually worse than the cure.
If I had to dig through that much muck to get a working Windows 8 install, I'd just give up and install some flavor of *buntu.... Oh wait I already have, it's called Mint and for Once I can truly say, that this is a Linux I can live with.
(Yeah I'm on XP again to clear up some crap with my *.m4p iTunes crap. It seems that nobody managed to port Requiem over to Linux. Probably 'cause you can't run iTunes in it. I guess I'm just sitting through the SP3 Install, just for old times' sake! Kinda pointless really. As I'll just park this HDD off and go back to my Main Drive which has Linux on it.)
I just wished that I could've accessed my NAS and or USB Sticks under VirtualBox. Then I could've saved me this trip. Perhaps I'm still too noobish at this game....
I'm surprised no-one's mentioned the real reason Microsoft still allow secure boot to be turned off for Windows 8 Intel machines - it's *not* to allow Linux to be installed, it's to allow Windows 7 to be installed should the end-user "shockingly" decide that 7 is better than 8.
Proof of this? The ARM-based Windows RT has no predecessor to it in the Windows family, so that *does not* allow secure boot to be turned off. One suspects that once the supported Windows Intel family has all its keys available (by Windows 9?), then they will stop allowing secure boot to be turned off in future UEFI setups.
> And why should the big hardware manufactures follow them?
Simple, money !
If you think MS aren't doing some nice deals on licensing based on the manufacturer bending to their will, think again. Of course, they'll be covert about it - but there will be some form of financial incentive. At one time they simply were up front about it - "buy a cheap licence for *EVERY* computer you sell or buy them at a much higher price". Then there will be "sales and promotional" incentives. And of course, all the deals struck are private, so no-one knows how much the others are paying for their licences, but will have to negotiate their deal with Redmond. If you think that some "unofficial" and not written down terms aren't involved, then you don't know anything about big business.
I honestly at first wasn't really concerned with putting Linux on, I really was just wanting to dual-boot XP Pro 64 and Windows 8, but that is blocked from installing under UEFI as well. I was just using Grub2 as an easy way to pick bootloaders. I'm going to pine for that Windows XP File Explorer for years to come, I can feel it.
Oh, a proper UNIX is totally acceptable use for good hardware. Solaris is a mighty fine and highly stable/performant server system. And some of the BSD variants are also nice and stable.
Now Linux, well Linux reminds me of the old joke where a Jew ask his Rabbi:
Rebbe, may I carry Dollar around on Sabbat - No my son
Rebbe, Deutschmark? - No way
Rebbe, Zloty? - Sure, the laws talk about money
It's about time that Microsoft tell the EU to shove it and close down all of their European subsidiaries. As a former MS employee in Europe, it's laughable that the EU uses Microsoft as a cash machine every time they need a bail out. Where the hell does this "fine" money go? Propping up piss-arse economies no doubt. It wouldn't be overly difficult for EMEA operations to be run out of the US.
In relation to this group complaining about UEFI, other O/S's support UEFI too, including Linux and UEFI is simply the evolvement of BIOS.
Oh FFS, the old Anonymous argument this time from "Billium" that most verifiable of names. You could also be RICHTO, one of Eadon's IDs (he's got at least two) and Anonymous Coward at the same time. For all anyone else knows I could be you replying to my mail.
I'll stop posting as an AC here when people like you start posting with your real name and stop accusing anyone who doesn't agree with you about something as being a shill.
Or is it I'll stop posting as AC as well as Billium? No-one knows. will I post an angry response to my mail under yet another name? Again, no-one knows. I may just claim to be anyone who replies to this mail, it makes no difference.
Actually, the MS shilltards are far more annoying than anything Eadon posts (or any of his alleged sock puppets). Proof of the AC shilltards being, well, retarded is the whole comment section for the article on Samsung's firmware doo-doo where booting Linux would brick a Sammy laptop. All of them saying "that's what happens to freetards".
Then someone made a PoC app that bricks the same laptop model from Windows, and the AC's go either quiet, or say "Will Eadon apologize now?"...
@billum: "If as MacGyver says is true, then M$ tax one has paid is lost (assuming laptops).
It's only "true" in the sense that XPx64 requires a legacy BIOS. If you have a UEFI laptop that doesn't support legacy BIOS emulation (or has it turned off), then naturally you can't boot XPx64 (or indeed any other earlier version of Windows). However UEFI devices that don't allow you to turn on BIOS emulation are pretty rare.
mandate that ALL devices sold must allow the user to run their own code, with full access to the hardware if the user wants to do so, no signing required.
Microsoft already made its intentions clear by requiring the ARM devices to be locked down with this, and it will find some way of strongarming the desktop market into doing the same if it can. Just because you can currently boot linux (with keys / signing provided by Microsoft....) doesn't mean you'll always be able to.
PS3 Linux already showed what happens if you give a big corp the keys to such a system, and that's what is in the process of being done with the PC. I really can't believe how naive people are being with the "it's ok, Microsoft signed our bootloader" viewpoint right now.
They're pushing too hard, we need laws on our side to push back, and maybe hurt them a little instead so I hope something good comes of this case.
I mean think about mobile phones, once the support from the manufacturer runs out they become worthless and dangerous as you won't get any security updates.
We should start mandating open interfaces between the hardware and the operating system (e.g. BIOS) so we can continue to use those computers longer just like we do with PCs today.
Actually you can run any OS on an x86 box - simply switch secure boot (NOT UEFI!) off and that's it. Won't change with an MS Update since it is BIOS not OS (Unlike the PS3 where Sony could update the "BIOS"(1))
Most ARM-devices are currently locked down. Try running another OS on iOS hardware or the typical Android. If you do not like that - buy a Raspberry Pi.
(1) Not that it really mattered. 99.8 percent of the users that ran "OtherOS" as the feature was correctly called did not use the PS3 as a game platform and never upgraded. The 0.2 percent PinguBoys that did "because I can" were making a LOT of noise but that's it. PS3 was neither powerful nor low power so the game box was rarely used as a NAS - cheaper machines for that around
Just what exactly in your own opinion, counts as an "Other OS" on ARM exactly?
With the exception of Windows RT, I'm not personally aware of any "official" Microsoft Builds for ARM.
Certainly nothing that is in fact available.
ARM can run many OSs
BusyBox (as like on my NAS Box and Router)
Linux
BSD (as in iOS)
and Unix
"PS3 was neither powerful nor low power so the game box was rarely used as a NAS - cheaper machines for that around"
PS3 *is* powerful thanks to the CellBE processor, and people actually using the OtherOS feature, like me, were actually monkeying around with the special features of said processor. Of course, most of those who dabbled with Linux on the PS3 were trying to run it as a regular NAS/Desktop box, which sucks given the low RAM specs on the box. But removing features like that is pretty much frowned upon. My original phat PS3 is still on 3.15 FW, I ended up buying another PS3 to play more recent games and have PSN access.
The irony is that Sony's boneheaded decision didn't hit the "nonmarket" ... it hit the crossover market of dudes like me who actually play games *and* tinker around with Linux. That made it a FAIL, which morphed into an EPIC FAIL as it energized enough crypto-geeks to crack the box.
Welcome to the 0.2 percent group. I am well aware that the processor had some interesting features and the PS3 was used for engineering/scientific tasks because of that. But as said
> Not that it really mattered. 99.8 percent of the users that ran "OtherOS" as the feature was correctly called did not use the PS3 as a game platform and never upgraded
Those users did not care. They never needed/used the Sony upgrade anyway. The crossover-group was extremely small. Loud but small.
"By actively opposing Secure Boot, Hispalinux joins such organizations as the Free Software Foundation, which has lobbied OEMs to turn off the system by default and has urged consumers to boycott Windows 8 PCs."
It hardly needs these groups to be boycotting Windows 8 from the result of the sale of the Surface they are doing that already.
Like I stated a few Posts above...
Microsoft it would seem are doing a splendid job of keeping People off Windows 8 by themselves, and need no further help from the like of the Free Software Foundation.
To the Micro-Shrills, before ya'all down-vote me in your knee-jerk reactionary flames. Just answer me One very simple question first.
If Microsoft's vision of the TIFKAM is sSOo great and wonderful, why is it that no One outside of Redmond has picked up on it yet? Ok I think we can all agree that Tablet Lite (i.e. Windows RT), is a joke so we'll gloss over that for a sec. Perhaps they'll have more luck with all those Ultrabooks that we've been hearing so much about lately. It's hardly to be marveled at, the fact that Windows Phone is the best selling Mobile OS EVER!!! with a Market share of only (and let us be generous here!) 3% outta the whole 100% split between Google, and Apple.
Clearly the Public (e.g. The Joe Average who isn't paid off in Software, much less Money), are just too dim to grasp this "greatness" of yours, and simply want no truck with it. It's time to face facts that Microsoft have finally lost the plot guys. Nobody with any sanity left to 'em will touch the TIFKAM. Office365 is doomed to utter failure. And most People are now slowly getting the hint that it's time to move on.
Enjoy Windows XP for another Year, and kiss it goodbye. Windows 7 will be right behind it soon enough. If you really think Microsoft will win this game of "We'll shove TIFKAM down everyones Throat till they suck on it!" Is ever gonna work out for them, then you are even bigger idiots than the clearly certifiable inmates in Redmond.
No one who has been with Microsoft since Windows 95 (or before!), all the way up through Windows 7, is ever gonna accept Microsoft Office as a SaaS ONLY! And Tossing its entire User-base (i.e. Desktop w/Mouse & Keyboard), for the wonderful new World of touchy-feely is clearly also insane. How the Hell they plan on selling this shit to the Corporates is beyond my comprehension.
But, please if you must down vote, hit on some of these points will ya?
kthxbye!
Three percent of WPhone? Wow - double the share Linux has on the desktop. So 2013 will be the year of WP8!
As for Win8 - we will see. Out since late October, tablet PCs with it are actually selling decently even without much advertisement. Companies do not pick it up (yet) since many have either just done the XP->W7 translation or are doing it this year. And for a company that is not a "long weekend" operation more a "long year" one.
Modern works. For everyone that does not wear blinds and instead actually TRIES the Win8 interface for an hour or two it works well, depending on usage better than Win7. Spent this week testing it with my elderly parents that will get new boxes (either Notebooks or Tablet-PC) in 2013. They liked it better than Win7 for their uses since they do not have to search in menus or dig out the desktop.
Office365 is a "if you like it" - I don't. So when I upgraded to 2013 I got the standard office. I can see some uses and I can see some legal problems (Safe Harbour vs. Patriot act). If the legal problems are "solved" then companies that do not run their own IT department can get rid of the PFY "admin" and switch to O365 nicely. Say the estate agent or the local carpenter (German small/medium business use a "cloud" solution called DATEV for taxes/bookkeeping since the 1970s so more would not be too strange for them).
"Three percent of WPhone? Wow - double the share Linux has on the desktop. So 2013 will be the year of WP8!"
What makes this attempt at humor actually funny is that MS has been *claiming* every year since WP7's release the "year that WinPhone will take over the world", yet remain irrelevant.
Modern/TIFKAM Metro sucks donkey balls and exactly zero organizations have taken in that flying dung. In fact, our clients (big organizations, financial sector) actually *stopped* buying new PCs, or added a mandatory requirement for any new PC to have Win7. Hell, some of them are still in the process of jumping from XP to Win7!
Yes, we've tried Win8. The last dude that was still defending Win8 gave up last month, reformatted his laptop and went back to Win7. I have yet to see someone in the real world actually like the Win8 stuff.
It disables the PFY that runs around trying to convince anybody to "use Linux", often by installing it on other people's systems by using the Fosstard special argument "It's free!". Switch it on, set a password to the BIOS and no more urgent calls "I have this new OS on my system from <enter PFY name> and now <enter beloved software> does not run any more. You must come here (only 200+km and I had other plans for the weekend) to fix it". Okay, the PFY might try to run amok in frustration but out here in rural Germany we are still nicely armed so that is not a problem either.
So once there are OEMs who want to sell computers that ship with and run some form of open source software (ohh maybe in another 50-100 years) then the creators can put in a secure boot signed by the os provider and be happy. Until you have a mainstream request for your software don't bother because the majority of the computer buying public could not and would not run any form of open source os distribution on their home computer.
Enough said....