With computers now shipping with UEFI Secure Boot enabled, users of any OS other than Windows 8 will want to know how to circumvent it. Jesse Smith of DistroWatch tells how he did it here. The Linux Foundation describes its approach here. If you want to boot an OS other than Windows 8, you’ll want to figure this out before you buy that new computer.
Hi,
I think Fedora are also planning to create a “shim”. The basic idea is that it’s signed with Microsoft’s key, and boots other boot loaders.
It’s possibly not that simple though – I think they’re planning to allow end users to add keys to UEFI’s store; so that if you try to boot a signed boot loader with the shim, it’ll ask if the key should be added. This way Linux can use secure boot too; and all those dual booting Linux users don’t have to worry about getting their Linux OS infected by viruses that Windows let in. 🙂
– Brendan
Does this mean that,
if using Windows Signature,
and BIOS activate the network,
then Microsoft could
play with my linux?
I know that UEFI is about identity;
The first in the stack “owns” the stack.
But, could it be that
the BIOS designer,
-the non writable part of the BIOS-
is the real “owner” of the stack?
Looks that way.
http://mjg59.dreamwidth.org/11235.html
Also, the reference UEFI implementation most motherboard builders are using is demonstrably buggy and at least as complex as your average OS kernel.
https://www.youtube.com/watch?v=V2aq5M3Q76U
One of the reasons I’ll probably be trying to source BIOS-based motherboards for as long as possible and, when that’s no longer an option, I’ll try to source something known to support reflashing with CoreBoot so I can prune it down to the minimum amount of code needed to boot Linux.
http://www.coreboot.org/
On the plus side, it does mean plenty of room for rooting the UEFI itself which could really put some egg on Microsoft’s face.
(I’m sort of hoping that UEFI rootkits make such a mess of things that Microsoft is forced to backpedal on this idiotic “kernel-sized, under-tested, buggy firmware blob” idea)
Brendan,
“I think Fedora are also planning to create a ‘shim’. The basic idea is that it’s signed with Microsoft’s key, and boots other boot loaders.”
It’s not exactly that simple. Because of the way secure boot was designed (for 3rd party control rather than security), it cannot pass control back to users without compromising security.
Consider that malware could exploit this and install the unrestricted bootloader (signed by microsoft’s key) and then install a backdoor through the unrestricted bootloader. This would break secure boot’s security on every secure boot desktop in the world and not just your desktop. Now MS would be forced to admit that secure boot is permanently broken, or it would revoke Fedora’s key and break legitimate linux installs everywhere.
This is another reason I hate microsoft’s secure boot design. Even if they had the best of intentions, it creates a single point of failure. One bug or leak breaks everybody’s secure boot security worldwide. It just reaffirms how secure boot has been designed for 3rd party control rather than security.
The shim you referred to can only run locked down versions of linux running signed components. It’s probably ok for normal users, but it’s not the same free/open linux kernel that we’re fond of. We’ll become dependent upon Fedora provided kernels, and they’ll become dependent upon MS, all so that home users can dual boot a restricted linux on their own machines.
Alfman posted…
Which is exactly why the hacking scene needs to get on breaking this single point of failure as hard and spectacularly as they can, then release something that crashes every system running “secure boot” in such a way to make it clear that it is worse than useless at what it was ostensibly designed to do. Better yet it needs to crash the hardware in such a way the OEMs are liable and it costs them enough pain they instinctively shy away from any future types of such systems. Maybe then it would make the whole thing go away again…
–bornagainpenguin
Shouldn’t be too hard when you have a modular firmware that’s essentially an OS unto itself. (as complex as an OS kernel, high-level programming interface, standard library of helper functions, its own drivers for things like the network card, facilities for storing what (depending on the vendor) could potentially be megabytes of data in on-motherboard non-volatile storage, etc.)
I’m hoping for the day when a piece of malware comes out that waits for its creator to inform it of a 0-day exploit, then exploits Windows and UEFI to set up shop as a UEFI rootkit and resist all attempts to remove it without desoldering the flash chip and replacing it.
It’d be a fiasco worse than the Intel FDIV bug and it’s completely possible because:
1. Every motherboard manufacturer is using Intel’s reference implementation of UEFI with their own modules added in. It’s effectively a monoculture like Windows. Hardware variations don’t really matter.
2. They discover new bugs in the reference implementation quite often. It’s like Windows in that way too.
Edited 2012-12-07 13:11 UTC
The UEFI “fiasco” is a good label for the actual delivery of UEFI implementations…
Or like Linux …or like pretty much any OS, you know.
bornagainenguin,
Implementation bugs can be a problem. I was actually referring to how we effectively have one key (microsoft’s) controlling the hardware/firmware secure features on every consumer computer from now on is an inherently poor security design. This is not something a competent standards security engineer could have signed off on unless there were ulterior motives. Of course they were working for microsoft so there you go.
I agree that finding an implementation vulnerability will be an embarrassment, but realistically what do we think will happen? I believe they’ll just fix the implementation & release patches, and then continue down the same path.
Edited 2012-12-07 16:00 UTC
That is, assuming they can convince the motherboard manufacturers to support things to a suitable degree.
This is basically like Android but with less thought put into how patches are going to get made and distributed for each of the gazillion different motherboard models that’ll go on the market, each needing its own combination of proprietary EFI add-on modules to work.
ssokolow,
“That is, assuming they can convince the motherboard manufacturers to support things to a suitable degree.”
Haven’t they already?
You honestly expect motherboard manufacturers to obsessively release patches for every single motherboard they offer for the entire 5-10 year lifespan of the manufactured boards and not screw up getting them actually installed in the end users’ PCs?
Last I checked, with BIOS-based motherboards, the solution was “release something tested, expect no more than 1% of users to need to update, and possibly provide updates when a hardware incompatibility or software bug is discovered.”
(I know of at least once instance where a Gigabyte rep insisted that it must be the owner’s fault that a fully-updated BIOS was still exhibiting a problem… maybe because they were running Linux before the problem was also proven to be present on Windows)
I seriously doubt motherboard manufacturers are prepared to handle reliably providing ongoing security fixes for what is essentially a small operating system.
ssokolow,
“You honestly expect motherboard manufacturers to obsessively release patches for every single motherboard they offer for the entire 5-10 year lifespan of the manufactured boards and not screw up getting them actually installed in the end users’ PCs?”
The good ones will offer updates to older MBs retroactively, the others will only fix it going forward. Either way real defections seem unlikely.
“I seriously doubt motherboard manufacturers are prepared to handle reliably providing ongoing security fixes for what is essentially a small operating system.”
There’s a huge technical difference. A real OS has to be secure while running arbitrary user programs. With UEFI, you’ll be hard pressed to find the opportunity to run your code in the first place because it’s not authorized. So you might have to find an OS level vulnerability to get system access in order to exploit the UEFI vulnerability.
Although that’s likely to happen eventually, it would become more useful to real hackers than users who just want to run linux. Once the windows vulnerability gets fixed, the UEFI one becomes inaccessible again.
Edited 2012-12-07 22:44 UTC
That’s like ‘circumventing’ the lock on a car door by climbing through the other unlocked door, reaching over, and hitting a switch.
However, those are instructions on disabling secure boot, which is something different.
I am getting a new laptop and of course comes with Windows 8 which I will either W7nize it or install Windows 7 64-bit. I already purchased W7 64-bit a few months ago. Anyway, before I picked the laptop, I emailed the manufacturer sales team asking if the laptop comes with TMP and if yes, I asked if it can be disabled. I was told the laptop is using UEFI but there is no TPM module installed. So this means, it has no secure boot. However it does have UEFI. Any gotchas? I hope not.
Edited 2012-12-06 08:34 UTC
Why not buy one without Windows?
http://lxer.com/module/newswire/view/177429/
Because they are crap for the price, or they only come with US keyboards.
Zareason, System76, Ohava and Think Penguin all sell machines where the ONLY preinstalled option is Linux. My guess is that they’ll have you covered on circumventing UEFI.
They are not available everywhere though.
System 76 is pretty terrible.
Terrible quality wise or terrible because of the high prices? I would buy one, if the prices were more reasonable. Its much cheaper right now ( well, before UEFI secure boot) to just buy better hardware with windows on it and wipe windows off.
/* Duplicate Post */
Edited 2012-12-06 16:01 UTC
There has been a lot of forum posts on problems with things not working with Linux after kernel upgrades etc.
This is the most notable posts and would put me off:
http://estrip.org/articles/read/tinypliny/54588/System76_Ubuntu_Dis…
http://ubuntuforums.org/showthread.php?t=1979573
if you google there are quite a few complaints about misleading product photos and patchy quality on the second page
https://www.google.com.gi/search?q=system+76+problems&oq=system+76+p…
IMHO with laptops in my experience, it best to buy dell latitude or lenovo.
I think this is very misleading. The laptops from system76 are no different than the windows laptops. They are just re-branded versions of the same hardware sold with windows installed.
Just because it’s sold by system76 doesn’t mean you can modify the installation without knowing what you are doing and expect it to still work.
You’ll find the same type of complaints about hardware not working for just about any set of components.
I’ve been using a System76 laptop for about 18 months now. Dual boots windows7 and Gentoo. Works just fine.
Kinda negates their main selling point then doesn’t it.
Yeah, I’d agree. If I’m buying a “linux laptop” they’d better have put in popular hardware that’s well supported by open source drivers, which will ensure its compatibility with future versions of linux for quite some time.
We could play the same game, I can find a few random internet posts complaining about the build quality (or technical problems with Linux) of either Lenovo or Dell laptops. And I can use those posts to tell you that their products are terrible and that you should instead buy brand XXX.
In fact, chances are that there are orders of magnitude of those posts than System 76. Given the larger market share and customer base of either of those brands.
I’m not endorsing any brand, just pointing out the fallacious nature of the argument.
The fact I found so many with a simple google pretty much invalidated you argument.
If the user base is quite small, I would expect better support from them not generic equivalent. Also I surely would find it harder to find examples than simply putting in “system 76 examples, if they are such a small player.
BTW the top post was, he emailed them several times for a response and found none … so the guy assumed they were going under (when they aren’t) … NOT GOOD.
A simple email saying that his support ticket was being looked into probably would have sufficed for the time being to let him know they were available.
Also a lot of the complaints is with their stuff supporting Linux itself … which negates the reason for buying from them!!!
Edited 2012-12-06 21:24 UTC
I have no preference for any vendor, so Lenovo or Dell may be better as far as I know. My point is that you were constructing an argument based on very flawed evidence. We could use an “appeal to google” to reach an opposite conclusion to the one you built. E.g. Let’s use google results for “VendorX latop linux support problems”TG
“System76 laptop linux support problems” returns 445,000 hits
“Dell laptop linux support problems” returns 87,600,000 hits.
“Lenovo laptop linux support problems” returns 7,840,000 hits.
The picture looks rather different now, does it?
PS. Most of the issues in the links you included relate to a wireless chipset which was poorly supported by Linux at the time (granted that seems like an idiotic decision for a Linux vendor to use it). That same chipset was included in certain Dell and Lenovo machines, so the same issues apply to them. Furthermore, in one of the web searches you submitted as proof for that company’s poor track record, the second or third result was a positive review.
Dell and Lenovo though main selling feature isn’t Linux compatibility.
Bill Shooter of Bul,
Yea, the trouble is that non-windows computers are a niche commodity. It’s often difficult to get a no-os computer from a brand name vendor with the benefits of scales of economy. They don’t want the trouble of supporting non-windows users when 95% of the customers are windows users and the remaining 5% will buy the windows computers anyways to wipe them.
This ultimately results in less competition selling non-windows computers making that segment even more niche than it already is.
I build my own desktops, but for laptops I still don’t have a good solution for my vendor/hardware/price/os requirements.
Yeah, I understand that scale has something to do with it. But with everyone outsourcing all the work to foxconn and the like, at some point I’d imagine those to diminish a bit. As a company you still need to make some money and the price you can get on laptops will depend on the number you order, but the barier to entry is much lower than the days where you’d have to do all the assembly yourself.
The economies of scale in Windows extend to marketing and sales, service and support.
Then there is the lucrative after-market in sales of Windows hardware, software and peripherals.
The Windows-only THQ Humble Bundle is closing in fast on a $4 million return from 700,000 sales, with five days left to go.
As I said, get Dell Latitudes or Lenovos (Thinkpad) with Intel chipsets and you are usually okay.
lucas_maximus,
“As I said, get Dell Latitudes or Lenovos (Thinkpad) with Intel chipsets and you are usually okay.”
Dells website shows some laptops are compatible with Ubuntu, but it forces me to buy a version of windows, which is part of the problem Bill_Shooter_of_Bul and I were talking about.
Incidentally, I had a horrible experience with dell. I tried buying a large stash of hard drives for a NAS, but the website informed me that bulk orders couldn’t be processed through the website and I’d have to call to place the order. I called and they quoted me a price that was higher than on the website, they spoke to a manager to approve the advertised price, and I gave them my credit card info and I thought my order was placed. But after several days I hadn’t received any kind of confirmation and the drives hadn’t arrived. I tried calling the rep but there was no answer. I called sales, and they told me my rep was on vacation and that they couldn’t find my order, but they didn’t want to ship other drives if my original order had already gone out, they had me wait for the original guy to get back. He forgot to place the order.
Now I know accidents happen and this is probably not typical, but my order was delayed by two weeks because they didn’t handle it, and to top it all off I did not get so much as an apology from them. I’ve stuck with newegg since, however they don’t offer any linux computers.
They don’t use the license, it is discounted to fuck, so I have no idea why people care. I run fedora on my Dell D430 (it is old yeah, but unbreakable it seems).
lucas_maximus,
“They don’t use the license, it is discounted to fuck, so I have no idea why people care. I run fedora on my Dell D430 (it is old yeah, but unbreakable it seems).”
Paying OEMs for windows licenses only to discard them after sale isn’t not a good way to convince OEMs to offer what we’d like in the future. If anything, it inflates windows sales numbers compared to linux. This further increases microsoft’s stranglehold over OEMs, and decreases the perceived demand for linux as a niche.
Look I don’t wish to be rude, but the downloads of Windows 7 beta dwarfed the desktop linux market share within a week … Even if it got upto about Macintosh levels of usage, it still really going to be cost effective to support.
There are a few reasons for this.
* Which version of Linux should you support (and they do have to support it) … RHEL (far more expensive than a Windows license), Ubuntu (new version every six months and the LTS is a joke), CENTOS (free but not official etc etc etc).
* Which version of the kernel do you support with apps and drivers that aren’t OSS (lets face it there is always going to be some).
Fragmentation is a major issue for anyone wanting to support Linux. The only examples that have done it well (nvidia) has basically replaced large amount of X, or they statically link everything in the install folder.
Also if Dell want to supply some sort of Warranty or Support contract they have to do the following things.
* Either fork their Own version of the distro.
* Rely on a 3rd party to supply support (the distro owner)
* Retrain the support channels (1st, 2nd, 3rd line support) in something which can be constantly changing.
Edited 2012-12-06 21:08 UTC
lucas_maximus,
“Look I don’t wish to be rude, but the downloads of Windows 7 beta dwarfed the desktop linux market share within a week …”
I’ve always maintained that linux is a niche, that doesn’t negate my arguments.
“Also if Dell want to supply some sort of Warranty or Support contract they have to do the following things.”
To be perfectly honest, that’s more than many of us are asking for: a no-os option would be great. Hell, it’d be great even for windows users who’d rather buy windows once and keep the license.
Edited 2012-12-06 21:26 UTC
I don’t understand how Linux shortcomings (which are plenty)justify Microsoft using their monopoly on the desktop to force Windows license purchases on people who have no intention on running Windows.
Using that same logic; Android’s market share dwarfs Windows on the ARM space. Therefore it should be OK for google to force any ARM vendor to include a non-free android license on all of their devices (passing the cost on to the end consumer), even when the end user has no intention on running Android whatsoever. No?
But those big PC makers do sell no-OS (or Linux) computers… But I take it you still haven’t found your local equivalent of ceneo.pl product & online shop catalogue? (you know, “no OS” & “Linux” filters for http://www.ceneo.pl/Laptopy;017P8-250094-250095.htm few hundred results; looks like all big vendors present at the first page… PL->EN GTranslate works decently)
Edited 2012-12-11 00:41 UTC
zima,
You keep mentioning this foreign example as though it’s proof that the situation is equal everywhere, but it is not. The few niche vendors who specialise in linux can charge more than their hardware is worth because big venders with scales of economy hardly ever bother selling linux or no-OS machines.
I understand you are tired of listening to us whine about paying the ms tax, but you should still recognise that it is a legitimate complaint and isn’t something we’re just making up.
Not as proof… but see, the thing is – many people in PL also still whine about it, despite the options being clearly available. Are you sure they are unavailable to you? (it would be a bit weird if those large PC manufacturers were doing this only for PL …the machines are the same, with standard US keyboard layout BTW, that’s what PL uses physically; also, at the very least – they are basically available, via my marketplace, to ~neighbouring EU residents)
zima,
For one thing, linux probably enjoys a greater market share in Europe than North America (1.14 vs 0.72).
http://royal.pingdom.com/2011/05/12/the-top-20-strongholds-for-desk…
http://royal.pingdom.com/2008/08/21/linux-popularity-across-the-glo…
So, if there were a linear relationship between market share and venders, we’d expect to see 60% more linux vendors in europe. However in reality it’s probably more of a power distribution where 99% of venders service the top 90% of the market (numbers are just illustrative). So the linux market may just not have the market share needed to spark interest in any significant US vendors.
The power distribution is often the result of a cyclic pattern: the US linux market share is small because there are so few vendors because the linux market share is small, etc. The difference between the US and Europe may have been the lack of governance in the US stemming back to the days when MS was committing flagrant anti-trust behaviours in those years before the feds stepped in. Or it may be as simple as linux having had a head start in europe because of it’s European roots. Or maybe microsoft has more government ties in the US, with rippling effects down to contractors and the private sector.
What you see at my place, the availability of many non-OS and “Linux” laptops, is almost certainly not only because of Linux market share.
As I wrote, IIRC, before – large part of those machines end up with Windows, anyway (oh, and that’s no-crapware-included Windows, rather decent) – at best a MSDNAA license. It’s just a way to save money on the license; to offer people, who in the end want Windows, a less expensive machine.
Generally, Linux is often just a smokescreen of the reputable big PC maker, who can say ~”we don’t facilitate piracy, all of our machines are sold with an operating system” or such. The devil can be in the details: in one case I’ve seen, it was just a Knoppix live-DVD thrown into the box; in one other, some Linux installation which didn’t boot into X. Few years ago, HP even sold laptops with “DOS2000″…
Yes, HP – if you’d look at the link I provided, those are laptops from big PC makers, also US-based; Dell shows up too.
zima,
I suspect the real reason most vendors won’t sell no-os is much simpler: it’s more profitable to oversell windows licenses (to both linux and windows users) than sell them only when a new license is needed by the customer.
I predict vendors will continue to be uncompetitive on alt-os until it reaches a 5% market share (1 in 20), at which point vendors will become interested in taking a larger stake in the linux market causing the market to snowball. We’re still in a catch-22 phase though, it could be a long while before it changes.
Edited 2012-12-11 19:27 UTC
I can agree with that hypothesis – it would largely explain the difference here, in a market where people have definitely less expendable income, and are less lavish with their purchases.
WRT numbers – out of 4125 laptop models listed by ceneo.pl, 159 come with Linux (or “Linux”…), 288 no-OS; the first equilibrium might be closer to 10% (even if OTOH, as I mentioned, many of those machines end up with Windows anyway)
A hop across the Oder, and: visiting “laptops” category of ceneo.pl (possibly the most popular and well-known here catalogue of products and online shops; surely you have similar services…) quite often shows a model without Windows at the top of popularity; and generally, “no OS” & “Linux” filters give http://www.ceneo.pl/Laptopy;017P8-250094-250095.htm few hundred results. Can’t be that different in DE …plus you can always shop in PL.
Secure Boot doesn’t require a TPM because they’re apparently too expensive to have while keeping mainstream motherboards competitive on price.
I can’t remember where I learned that, but it might have been this talk.
https://www.youtube.com/watch?v=V2aq5M3Q76U
Actually, that is not true.
They can still implement UEFI without a TPM. It will just be a lot easier to break for ‘hackers’. But that doesn’t mean easy to circumvent for consumers.
But what you should be asking is: can I provide my own keys or if that isn’t possible: at least disable it.
With my Samsung laptop its simply setting the bios to off or hybrid mode
There are UEFI bios whose firmware is looking for specific OS names:
http://mjg59.dreamwidth.org/20187.html
Jeez, there’s a problem we don’t need. Thanks for the link.
Fortunately it sounds like many computers come with a “legacy mode” setting that gets you out of the problems.
Edited 2012-12-06 10:16 UTC
Only if it is not an ARM device with Windows 8, if it is an ARM device with Windows 8 it will NOT have a disable button.
Microsoft demands it.
This is good to know. Should come in handy when I buy a Windows 8 machine and dual boot it with may be Ubuntu or Mint.
Edited 2012-12-06 09:56 UTC
Just don’t buy computers that don’t work with your OS of choice or wasn’t even designed to work with it.
Apple users buy Apple hardware. Microsoft wants you to buy Microsoft hardware. If you’re using GNU/Linux or *BSD, Haiku OS, just buy hardware certified for GNU/Linux. That way you will:
– show your disagreement to the practices of MS
– save quite some cash
– get perfect hardware support, things will just run
– invest in [your own/others’] freedom, openness and independence [open hardware is getting more popular]
– help to grow this market
– give yourself future option [you’ll have more FLOSS-compatible hardware vendors as a result of your choice]
Of course, you can also do nothing, buy random crap and keep whining it doesn’t support your OS. But you are the one who made that choice. Be wise, vote with your wallet.
While I agree with idea, you should also realise that in some (many?) markets importing costs and brand availability severely limit consumer’s options.
I looked at a bunch of Linux cert and Linux pre-installed options recently. They were all quite a bit more expensive than buying a computer with Windows and wiping the drive. Ranging in price difference from 50% up to 300%. With the price factor so much against Linux it’s much more appealing for most consumers to simply pay the MS tax.
As you’ve already mentioned, regular user pays “MS tax” [or Apple tax] anyway. Isn’t it better to pay this tax as an extra cost of the hardware? OS is free [as in cost] anyway, so you don’t really loose that much. In fact, you gain freedom, independence, etc.
I think it’s worth the game. Besides: we don’t buy computers THAT often. And we don’t HAVE TO buy them that often – FLOSS doesn’t make you upgrade everytime there’s new version of some software package.
That’s not really the case, FLOSS also participates in update treadmill, you’re expected to run the latest versions (which might not work that well on old hardware).
Firefox even requires more powerful GPUs (for GPGPU use) on Linux than on Windows, for the same effect. Driver situation doesn’t help…
Meanwhile Opera (closed software) is lighter, better suited for really old computers. Opera Mini gives good web access to millions of basic feature phones – while Mozilla said, after two abortive attempts, ~”we’ll wait for better hardware”
There will be a problem: If you divide the hardware into Apple / MICROS~1 / GNU/Linux — three parts! — you do not take into account that there are several other operating systems that would usually run on general purpose computers. Even though you could argue that “certified for GNU/Linux” means that the hardware will be compatible with BSD, Haiku or other “niche operating systems”, they are not explicitely mentioned. Certification might also add costs that those who provide (let’s say) an educational OS for free cannot bear.
So if there is a 3 part division, why not use this: Apple / MICROS~1 / standard, where “standard” means that the hardware will not be limited in any way, so the chances that a non-Apple and non-“Windows” OS will be able to utilize it properly will be high.
Just imagine the trouble that prior to purchasing a new computer, be it a desktop, laptop, server, whatever, you’d have to research compatibility to a specific operating system, maybe even one of its distributions or flavours, or version number. That simply looks overcomplicated.
Of course in a consumer-oriented marketing and sales approach, that would look reasonable. People value their time, and if a somehow crippled “Windows” PC is sold cheaper (and free of initial trouble) than “competitors” like one that could possibly run Linux, then what will the customer deceide for? Especially when he doesn’t know and doesn’t care?
On the other hand, there might be a market developing for the growing amount of Linux users. If more people insist on being able to run the OS they choose on the hardware they’re willing to pay money for, maybe manufacuters will also offer non-crippled computers (means: normal general purpose computers without artificial limitations) to obtain money from that specific market segment (with the potential of growth).
Sadly, that means it’s not possible to simply ignore them…
Except when there’s subvention from MICROS~1 to make the “Windows” versions cheaper than the non-“Windows” version, or they charge some kind of licensing fees or royalties for patent use of the non-“Windows” (as they have done in the smartphone market, making more money through the competitor’s sales than their own ones).
This is as it should always be. Standard compliance is an important step. Free specs for devices is even better. But of course every manufacturer is free to not publish his secrets. It’s also okay when one says: “No, I don’t want you to use this printer with Linux.”
This is very important, but won’t be noticed by the masses who don’t care.
In a free market, with participants thinking prior to buying, that would be the default. With enough momentum, things would change. But I sadly don’t see this happening. Hopefully I’m wrong.
I’m perfectly aware of the existence of other operating systems. I use many operating systems, usually OpenBSD, GNU/Linux distros and Haiku OS.
But yes – you’re right. I did this assumption about the “markets”, because – usually – FLOSS operating systems have that option to share drivers. That makes just one “market” for all of them – just by the nature of FLOSS. Of course, I won’t mention problems with communication between GPL and BSD guys when it comes to drivers. That’s a whole different story and I think It can be sorted out.
When I say “certified” I mean: “checked to run with FLOSS”. It means that such hardware would just work with FLOSS operating systems. The actual “certification” is not really needed. FLOSS is not [only] about “markets” anyway. It’s about freedom and independence. We don’t need costly certifications and other things that come from the corporate world. We only need working example of hardware that runs FLOSS operating system [like those that some companies sell in bundles – HW + GNU/Linux or OpenSolaris – as I’ve never seen anything with *BSD on board – yet! <I’m not talking about Soekris, OpenBSD, routers>].
It’s “open source” that’s more dependant from the “market” model. Libre software doesn’t share that dependance [again: not talking about Linux kernel development being sponsored in some parts by commercial companies].
I agree with you that “standardized” hardware would be the best thinh to get, but we live in kinda different reality, when there are even more an more closed ecosystems around us, everyday. Why not use that <flawed> model to create 100%-FLOSS compatible hardware [and thus – STANDARDS COMPLIANT!] rather then fight with some closed-minded corporate folks and “markets”? That’s just WAY more efficient and safe [for the future]. Let those FLOSS-compatible hardware makers arise. Vote for such hardware, show your interrest in such solutions, and there will be more of it. Use the “free market” to your own purpose – standarization.
As a side note – don’t think about the price alone. Think about other things:
– you don’t buy your hardware that often
– you are not forced to upgrade your hardware that often when you use FLOSS operating system
– you can pay few extra bucks to get it all, can’t you? I do it and I’d recommend it to everyone. Our freedom is worth it.
You seem to be pessimist on it all, but just think about it: is there any other way to make the things we are talking about a reality? we need to act and vote with our wallets right now. Not in the future. Don’t look at others. Just do what’s right and explain it to people. Some people will get it, and will explain it to other people, and so it goes.
People generally don’t “upgrade hardware” for an OS – they use it until it starts to die, and then some… (maybe not in some more lavish places, but an OS won’t change that)
And, looking at mobile, Android being OSS doesn’t prevent huge upgrade woes (especially if on not-high-end handset); it’s playing catchup to iOS.
Oh it’s worse – Linux fans keep whining about having to buy Windows …even when they really do have plenty of choice with “no-OS” or even “Linux” machines ( http://www.osnews.com/permalink?544628 ) from big vendors.
no personal offence but that argument’s Bull really
-As has been already pointed out, not only is the market for os-free or alternative-os-certified machines relatively small to begin with, but it’s artificially further deflated by the current de facto ‘choice’ (esp with laptops) alt-os lovers make which is to buy windows, sometimes os x machines wipe the pre-installed os and go from there.
It’s disingenous to suggest the alternative and preferable scenario you suggest of such purchasers holding out for certified or even specifically designed linux bsd haiku whatever- products. Because we all know they probably wouldn’t never even have ‘good android’/google/microsoft, let alone Apple level of fit and finish. and that’s just the truth.
One day -if there’s anything fair and truthful to our competition laws, there needs to be some legislative forced opening up of hardware or hardware-software lock-ins, from secure boot setups be they UEFI or locked mobile boot-loaders to the walled garden APP-o-spheres currently in vogue.
So everyone and anyone has the chance to ‘run what they want’ on a device that they ‘own’. We might ‘license’ the software but we ‘own’ the hardware (even if we don’t have right to reimplement it of course)
That’s that. That’s the fair end game – which is possible if people collectively give a shit.
Forced provision of open boot loaders is more likely than people really effecting change by ‘voting with their wallets’ – that never works! it’s like boycotts, if a reasonable % don’t care, which they never will, it’s not a boycott. If people have some low rent but extant options for running their alt-os of choice, well they’ll probably plump for that rather than the X million linux users in the world all coming together in a huge crowd-funding campaign and literally BUYING the rights to one of those we’ll-never-release-the-source-code-from-our-cold-dead-grasp and putting together a really good /decent totally open source laptop and tablet pair ; would be ace, but it’s dreaming.
edit – spelling
Edited 2012-12-08 04:47 UTC
I beg to differ.
You’re not going behind diagnosing the actual state. I’m going beyond that with suggestion on how this problem can be fixed. Besides: you’re trying to say that this “market” for FLOSS computers will never succeed, because it’s … small. You can’t really try to explain one thing with itself. The market is small, because people believe in the things you write about. They don’t give a damn, because they don’t understand and they don’t understand, because they don’t give a damn. They don’t have the knowledge, so they can’t really vote with their wallets. They just accept the things they are. Not very wise.
And when did you last check on that kind of hardware? System76, anyone? Just take a look around and you’ll find plenty of good hardware. In fact, most of the Windows-related hardware is cheap-ass crap that isn’t even worth its price, and Apple hardware is just overpriced hardware to make your ego feel more “premium”.
Thanks for the mention of System76 they look fairly useful actually, I’d never heard of them.
I agree with some of your points actually.
But I have to disagree still with the ‘voting with your/their wallets’ argument — I like the idea and the simplicity of [a bunch of potential customers] voting with there wallets and going elsewhere instead where they can get more open, or better supported systems etc but (and it’s got zero to do with their intelligence or level of informedness) (a) people are too lazy to follow through with their convictions a lot of the time, even if they believe it might be the right thing to do. A mix convenience, and yes I still say design and build too – forgot the ego massaging, I’m certainly not into that anyway, I’d still take an apple laptop to run non apple OSes on though – I’m no fanboy at all. (b) I completely believe not a big enough swathe of alt-OS users/customers are actually interested enough if buying into or even actually creating a new bigger ‘certified-hardware’ ecosystem to allow it to REALLY thrive – yes I know you mentioned system76, and I know there’s a bunch of other providers ..but they’re not big-players versus the majority who repurpose systems originally with win/mac installed or off the shelf PC boxes.
only my 2 pence worth.
What a mess. The whole clunking effort will fail as hacks/bypasses are developed. And the cost of the whole enterprise will be borne by the customer.
Looking for specific OS names.. how ugly is that. If I was that BIOS/EUFI developer I would be so ashamed.
I think the real worry is that on ARM systems certified for Win8 you as the customer can’t unlock the UEFI.
Where is the EU Commission when we need them …. Neelie ..?!
In 100 years we’ll all look back at this period and be amazed at the controlling antics of the corporations .. secureboot, DRM, locked bootloaders, dvd region codes, … how 20th century!
Nah… we’ll be amazed at the ‘anarchy’ of society… “circumventions, workarounds, hacks… and no jail time?… omg!!!”
Exactly. It shouldn’t be long before we start asking for Congressional exemptions for rooting PCs. We’ll get those for a few years… then as the Linux scene withers up they’ll stop coming. Bypassing UEFI will become a crime.
Edited 2012-12-06 11:56 UTC
The Linux scene is not going to die. The number of devices that run Linux is climbing exponentially. Sure, it hasnt made a whole lot of inroads on the x86 desktop, but thats a very small part of the overall OS universe.
Isn’t it possible to just flash a regular BIOS onto these mainboards or switch to it? I can’t really imagine a secureboot-only mainboard.
There are already a few without legacy mode available.
The scenario that people were saying it wouldn’t happen.
Ah yeah, I indeed wouldn’t expect that. I guess I would try to buy mainboards with a normal BIOS available for as long as possible. The real reason being that UEFI BIOSes are probably going to be buggy as hell the coming years.
Z_God,
As I recall, the secure boot specs specifically block flash updates which are unsigned by a secure boot key. So unless you find an exploit or can disable secure boot, you cannot flash away secure boot.
I am so thankful that, amid all the criticism, MS found it in their heart to force windows 8 machines to add a user accessible override for secure boot on x86. There was probably an internal fight at MS between lawyers worried about antitrust lawsuits and business suits wanting all computers to be locked down. It sucks that ARM computer users are still being shafted and that owner control still isn’t in the UEFI spec, but at least x86 users have a way to take control back.
Motherboard firmware is like Android but worse as far as driver support goes. Even if you disable secure boot and then re-flash it, you need a replacement firmware image that knows how to talk to all the different chips.
CoreBoot is your best bet… but the list of supported mobo models has a long way to go.
http://www.coreboot.org/
Yep, but I’d imagine the original vendor would make such a BIOS available for its mainboards.
While the hardware may be nice from the big OEMs I prefer to build my own computers (desktops at least) with parts I choose. Not always an option for Joe Consumer, sadly.
Because i usually build my own computers from lose components: What i would like to know is if secureboot is also standard set in newly manufactured motherboards?
Yes, almost all of them. I’ve bought two since March and both had UEFI on them. I disabled it easily in the BIOS settings and was able to install openSUSE (and Fedora) on them, although I had to wait until Fedora 16 to get it to work. openSUSE blew right past it since there was no other OS on the HD.
I am assuming this is x86/x64? if so, open up your bios, disable the secure boot and there you have it. I know, how difficult that is! next week on ‘pointing out the obvious’ we’ll have another super tip for all you kids!
That will work right up until the board manufacturers choose to (or are forced to) remove the ability to do so. It is coming, and it’s only a matter of time.
As I mentioned in another comment, there are already boards available where you cannot turn it off.
Then how do they get their Windows 8 certification?
It is a motherboard, why would it get Windows 8 certification?
Just read the thread.
http://mjg59.dreamwidth.org/20187.html#comments
One such motherboard is the MSI A55M-P35.
While Lenovo Thinkcentre M92p only allow Red-Hat Linux besides Windows.
Because MSI claims their boards are certified. See http://event.msi.com/mb/2012/win8/
And Microsoft is supposed to require that for Windows Certification a system has to allow disabling Secure Boot.
Then it is a very fishy certification process.
The certification process says nothing about whether a particular piece of firmware is buggy or not. It is one thing to say, “must have this feature” and another thing to say as part of the certification process, “oh, and btw make sure your firmware isn’t buggy as hell to the point that non-MS operating systems cannot run”.
Yes, but this is what the community was discussing all along when it was announced.
As always there were the cries of saying that some people were exaggerating, well now reality proves once again, how true those warnings were.
How is it Microsoft’s fault that the community are too lazy to actually find out what the certification process actually means? nothing has been proven other than a buggy firmware can result in an end user with a non-Microsoft operating system having a crappy time. Sorry but join the line of pissed off end users who have buggy firmware resulting in them having a ‘bad time’.
I’m confused because I read the first post and the issue has nothing to do with secure boot and everything to do with a buggy as hell firmware that is causing problems. It has nothing to do with conspiracy theories regarding Windows trying to ‘undermine Linux on the desktop’ and everything to do with a motherboard vendor failing to properly test their firmware for their motherboards. Btw, this isn’t new given that there are many issues that Linux users face off the back of lazy motherboard vendors and buggy firmware.
Regarding the Lenovo issue, he has received a reply from a Lenovo rep as follows: “Thanks for the well written article. It is unclear exactly why this was implemented as is, but we are aware of the concerns expressed here and are working on a BIOS update to address this.”
Btw, worse case scenario you can always drop back legacy mode if you want and avoid any of the problems in the mean time. I have the exact computer here (Lenovo M92p, 2999CTO) and haven’t had any problems so far but then again I’m running in pure UEFI mode with Windows 8 Pro 64bit so I guess I haven’t tripped up over any of the bugs related to compatibility with alternative operating systems.
Edited 2012-12-08 01:13 UTC
My apologies, I didn’t see your post before I replied to the same comment.
Unless you switch to legacy BIOS mode, which my M92p at work allows (soon to be my home workstation, thanks boss!!). From what I can tell, the M92p units now sold with Windows 8 still have a legacy BIOS option.
I must say, an Arch-based distro on a quad-core i5 with 8GB RAM is beyond bliss.
Edit: Instructions to fix the issue for anyone with a ThinkCentre with hybrid EFI/BIOS:
http://forums.lenovo.com/t5/Linux-Discussion/ThinkCentre-M92p-Linux…
Edited 2012-12-08 09:40 UTC
Then don’t buy motherboards or computers off dodgy vendors who do such things in the first place. You know, the whole concept of ‘putting ones money where ones mouth is”. I guess I’ll have to book mark this statement as well to see whether your horror story comes true in 2-4 years time just as a certain other person on this website claimed that OS X will be locked down and become ‘AppStore only’ in the future.
kaiwai,
“Then don’t buy motherboards or computers off dodgy vendors who do such things in the first place.”
But if it doesn’t get advertised, how would you know which models do it? That’s one of the points made by the article, he went back to look at the specs to confirm that UEFI wasn’t even listed at all, so there’s no way he could have made an informed decision for one product based on the merchant specs, much less scanning through hundreds of product listings.
Hopefully someone will come up with a public database for this kind of information. If anyone knows of one, please link!
That said, I think MS backed away from enforcing secure boot on x86 because they feared the legal outcomes of that battle. Like you, I don’t think they’ll be reversing this decision. Even so, they’ve still managed to put an end to the proliferation of trouble-free linux live boot media in the hands of newbies, which could be considered a partial victory for MS.
Edited 2012-12-08 01:40 UTC
1) Stop conflating UEFI with secure boot – they’re not interchangeable.
2) The issue is a crappy/buggy firmware which can occur in ANY motherboard and not just some nefarious evil doer rubbing their hands with glee dreaming up new ways to screw over the ‘growing Linux user base’.
3) Buggy firmware impacts on Windows users just as it impacts on alternative operating systems as well – it is just that Microsoft has the time and resources to spend working around the crapnastic nature of many motherboard vendors out there.
4) I just had a check out of the MSI motherboard in question and they made no secret that it uses UEFI – all you have to do is download their manual and read it. Again, the issue isn’t with UEFI but its poor implementation and like any horrible product you make the decision based on reviews, feedback from family and friends, asking online forums etc. Microsoft is in no way responsible for MSI’s lack time and effort when it comes to putting out a motherboard with a well tested and debugged firmware.
kaiwai,
“1) Stop conflating UEFI with secure boot – they’re not interchangeable.”
I’ve conflated them? I’ve reread that quote and the instances of “UEFI” and “secure boot” were both correct and intentional. Secure boot is a subset of the UEFI standard that’s required now by microsoft. I think we both already know this, so please let us not fuss.
“2) The issue is a crappy/buggy firmware which can occur in ANY motherboard and not just some nefarious evil doer rubbing their hands with glee dreaming up new ways to screw over the ‘growing Linux user base’.”
I’m sorry but I don’t know what this is in response to?
“3) Buggy firmware impacts on Windows users just as it impacts on alternative operating systems as well – it is just that Microsoft has the time and resources to spend working around the crapnastic nature of many motherboard vendors out there.”
Ditto here. But I’d add that manufacturers go out of their way to explicitly make their wares compatible with windows. Linux doesn’t get the same attention.
“4) I just had a check out of the MSI motherboard in question and they made no secret that it uses UEFI – all you have to do is download their manual and read it. Again, the issue isn’t with UEFI but its poor implementation and like any horrible product you make the decision based on reviews, feedback from family and friends, asking online forums etc. Microsoft is in no way responsible for MSI’s lack time and effort when it comes to putting out a motherboard with a well tested and debugged firmware.”
I’m taking the article’s claims at face value. I’d be disappointed if the author lied and the specs were listed at his merchant’s website, but it doesn’t really change his conclusion about secure boot: “Software freedom requires vigilance and I fear that is more true now than it was a year ago. Be careful when shopping for new computers, it is easy to purchase more trouble than one bargained for.”
The incompatibility therefore has nothing to do with ‘secure boot’ so why is the issue even raised in the first place? a crappy UEFI implementation – join the list of crappy motherboard vendors doing the same thing purely out of laziness rather than some sort of ‘evil master plan’ to ‘screw over Linux users’.
The implication that is at least implied by your posts (and others) that motherboards vendors are going out of their way to screw over Linux users.
Why should it receive the same attention when such a miniscule number of Linux users make up their customer base?
It doesn’t say it on the product page itself but if you go to the downloads section and read through the manual it makes several references to UEFI, how to get access to the UEF command line, how to UEFI boot off a USB thum drive etc. The issue ISN’T UEFI at all given that we’ve finally got a firmware that is properly documented and designed rather than a hacked together mess BUT if a vendor fails to test and debug their firmware then the issue has nothing to do with UEFI but the poor implementation of UEFI byt he said vendor and in all due respects the same thing can and has happened with traditional BIOS – I’m sure you remember not too long ago the Foxconn motherboard fiasco in reference to ACPI being deliberately incompatible with Linux. Having a traditional BIOS doesn’t some how give you the magic of being protected from not being screwed over by lazy companies.
kaiwai,
“The incompatibility therefore has nothing to do with ‘secure boot’ so why is the issue even raised in the first place? a crappy UEFI implementation”
It confusing as hell to understand who or what you are actually responding to here with these “incompatibilities”. The OP (which is you ironically), was explicitly talking about disabling secure boot to run another OS. The second poster (Morgan) said that might not always remain an option. My posts brought up the point made in the article that secure boot restrictions aren’t likely to be listed when consumers buy their hardware.
“The implication that is at least implied by your posts (and others) that motherboards vendors are going out of their way to screw over Linux users.”
I still have no idea what you are talking about. *I* don’t think manufacturers are going out of their way to screw over linux users.
“Why should it receive the same attention when such a miniscule number of Linux users make up their customer base?”
Well that’s my point. Linux is a niche, most manufacturers don’t bother supporting it explicitly.
“It doesn’t say it on the product page itself…”
That’s what the author said, but I don’t think he specified where he bought the product? Anyways the point was that consumers need to be more vigilant, which is true even when secure boot is in the manual. Some potential linux users won’t know why their live linux media stopped working and they might even blame linux itself without even being aware of the secure boot restrictions on their machine.
Edit:
Doing some detective work here, if I’m not mistaken, your comments are actually referring to this sub-thread. Well that makes a bit more sense, even if it’s not related to my posts.
http://www.osnews.com/thread?544479
I don’t think it’s a bug so much as something erroneously having slipped through the certification process. If you want to view bugs as a legitimate way of bypassing certification requirements…well I’m not going to argue with you about it.
Edited 2012-12-09 18:26 UTC
I think the point is that there are a lot of people who, either due to budget or due to circumstance, might no longer be able to learn Linux on an old clunker of a PC that someone gave them, they pulled out of an electronics recycling bin, or they bought for $100 from a liquidator/refurbisher.
All you have to do is research into how good the vendor actually are at providing updates and fixing bugs – how much proprietary tweaks do they add or do they give up that customisation in favour of conforming to open standards? these are questions a purchaser should ask when purchasing a motherboard or a computer. I’m assuming that if you do have an interest in non-Microsoft operating systems that you also have a reasonable level of IT knowledge as well.
As a hypothetical geeky teenager with little or no money (like I used to be), how do you propose I affect the buying decisions of people who, years down the road, will either throw out or give me a PC?
As a computer tech who refurbs old PCs using Linux and LXDE and gives them to needy families as a charity thing (what I actually do right now), how do you propose I affect the buying decisions of random strangers who, years from now, will give away their old PCs so they can be useful for more than obsolete scrap?
This isn’t about PCs bought new. It’s about used PCs for people who can’t afford to buy them new.
(Actually, this sort of reminds me of how big game publishers are trying to destroy or seriously cripple the used video game market with day-1 DLC under the misguided belief that they can force large numbers of people to pay full-price… or how textbook publishers are pushing e-textbooks as a way to save money because they know DRMed eBooks can’t be resold and can be revoked at the end of the course.)
Edited 2012-12-09 18:28 UTC
ssokolow,
I worry about that too. It is how most of us linux users picked it up originally: We either started by dual booting on an existing machine, or by completely wiping an old one. Without the option of trying linux on a “microsoft” computer, most of us would have never had the opportunity to start learning linux.
I’m thankful it hasn’t come to that yet (on x86). But there’s no doubt we are slowly loosing rights on our own machines, which few of us would have believed a few years ago. We cannot afford to let our guard down.
Please do so, I am ready to bet. I could even add some extra items to the prediction if you like:
The Linux scene, as of today, is too big to disappear in one day in the event of a Secure Boot apocalypse. There are too much professional interests invested on it. So what would likely happen is that we’d see more hardware manufacturers designing specifically for Linux support, kind of like what happens with Android phones and all these credit-card sized ARM computer projects that have popped up recently.
Since Windows is a clunky beast that requires lots of support from hardware manufacturers, it won’t run properly on such machines, even in a VM. The Linux community will thus lose all these users who like and use the OS, but still have to run Windows from time to time because they need some piece of software at work or want to play better games. What will remain will thus be a mix of die-hard zealots and people who need Linux for work and solely use it there.
And even if some that are nostalgic about the C64/Amiga era could perhaps see such a scenario as a good thing (“OMG ! Integration !”) , I personally think that it would be a disaster. Without the presence of “regular users” that report bugs, voice their opinion, and attempt to calm things down a bit, the developers would likely tend much more often to go completely overboard, Poettering-style. That is, they would change whatever part of the stack they think is ugly without much concern for stability, compatibility, and everyday usability. This would, in turn, irritate entreprise customers, who would become even more protective of whatever software version works, and stick with 10-year old software with long-solved bugs to this end. And, in turn, reduce the amount of testing that new software gets, perpetuating this vicious circle.
And the zealot population wouldn’t care, they are ready to spend money in hardware that only runs Linux, know how to fix their stuff and can remove/replace whatever is released in a broken state anyway. Perhaps they would be the only ones that would be happy in such a scenario, since at last Linux would get the recognition that it deserves instead of perpetually living in the shadow of Windows.
I would estimate that things would become noticeably unbearable for new users at most 10 years after full UEFI lockdown, so 12-14 years after now, if UEFI lockdown does happen, you’ll be able to tell me if I was wrong.
As for OSX, the extended prediction is simpler. Considering the attitude of most Mac fans around me when I express my concerns about the path Apple is currently heading, I’ll predict that a technically skilled minority (10-25%) will try alternatives to see if they can match their needs and moral convictions better, while the vast majority will just consider the lockdown as some sort of divine punishment for humanity’s sins and accept it as a fact of life without much complaining.
Edited 2012-12-08 08:11 UTC
Believe me, I hope it doesn’t come true, but I have to be realistic. Now that I’m getting a proper workstation next week (M92p with EFI/Legacy BIOS I mentioned earlier) I’m going to hang onto it and upgrade it as much as I can over the next several years, just in case I’m right.
But I still hope I’m wrong.
I wonder if there’s some way to class action lawsuit this or even try to push it into anti trust. Too bad it’s a bit too late.