“The Free Software Foundation released a statement open for public signing, titled ‘Stand up for your freedom to install free software’. The statement is a response to Microsoft’s announcement that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they must implement a system called ‘Secure Boot’. The FSF statement warns against the danger that, if done wrong, this system would have to be called Restricted Boot, because it could make computers incapable of running anything but Windows.”
Signed.
It is “secure”, but most people don’t/won’t realize that this is intended to secure microsoft against intentional end user modification. All the engineering behind “secure boot” points to this. If security against malware were the objective, then there are far less intrusive ways to build it while keeping the end-user in control.
A good secure boot feature is one that:
1) any operating system can employ without discrimination by third parties.
2) is 100% controlled by the end user, not by ms or the manufacturers.
Please do a little research before spreading FUD – the idea is pretty decent, and has legitimate uses.
That said, the FSF campaign *is* warranted, since the mechanism could certainly be implemented to lock out anything but Microsoft software. Microsoft says it won’t do this[1], but there’s room for worrying.
[1] http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os…
f0dder,
What fud? If I write an operating system, secure boot will not be available to me or my end users. The keys are in 3rd party control.
That depends on the OEM.
If for example the OEM gives you a boot-CD (or some BIOS-option) which can be used to load other keys, in that case you can use it for other OS too.
Lennie,
“That depends on the OEM. If for example the OEM gives you a boot-CD (or some BIOS-option) which can be used to load other keys, in that case you can use it for other OS too.”
Everyone should read the UEFI spec, specifically section 27.5. Here is a partial extract.
http://www.uefi.org/specs/agreement/survey_form/process
*** BEGIN ***
27.5.2 Clearing The Platform Key
The platform owner clears the public half of the Platform Key (PKpub) by calling the UEFI Boot Service SetVariable() with a variable size of 0 and resetting the platform. If the platform is in setup mode, then the empty variable does not need to be authenticated. If the platform is in user mode, then the empty variable (just the monotonic count) must be signed with the current PKpriv. The name and GUID of the Platform Key variable are specified in chapter 3.2, “Globally Defined Variables”
*** END ***
The above piece describes a method under the spec to remove the hard coded public manufacturer key, however it requires the private manufacturer key to do it, so it’s useless. Read it carefully, the manufacturer CAN NOT create a secure generic unlock disk using this mechanism. If the manufacturer signs any end user platform keys to enable them to unlock secure boot, then any of those users can then use this signature to install malware keys on any system sharing the same manufacturer platform key.
*** BEGIN2 ***
The platform key may also be cleared using a secure platform-specific method. In this case, the global variable SetupMode must also be updated to 1.
*** END2 ***
So, the spec leaves the possibility for keys to be reset using unspecified methods. But what are the chances “designed for win8” computers will provide this at all? If it’s not supported, booting alternate operating systems on this hardware could be impossible (say a live cd). If it is supported, the methods to boot alternate operating systems could become platform specific.
It’s good to have a security feature to secure the bootloader, it’s bad that this feature is under third party control. Third party control is not a necessary function of secure booting. The design of it is actually quite poor and it seems to me that the underlying goal was to secure microsoft windows from end user modification rather than to secure the end user from malware.
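The setup mode / user mode distinction in the spec extract quoted above can be checked on a running machine. The following is an added example, not part of the original comment or of the UEFI spec text: it assumes the Linux efivarfs layout (a 4-byte attribute header before the data), the EFI_GLOBAL_VARIABLE GUID and the SecureBoot variable, none of which appear in the extract, and the sample byte strings are constructed.

```python
#!/usr/bin/env python3
"""Classify a platform's Secure Boot state from efivarfs-style variables.

Added example. Assumptions: Linux efivarfs (4-byte little-endian attribute
header, then the variable data) and the EFI_GLOBAL_VARIABLE GUID.
All sample byte strings below are constructed for illustration.
"""
import os
import struct

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
EFIVARFS = "/sys/firmware/efi/efivars"                    # Linux mount point
NAMES = ("PK", "SetupMode", "SecureBoot")

STATES = {
    "unsupported": "no Secure Boot variables found (legacy BIOS or no efivarfs)",
    "setup-mode": "no Platform Key enrolled; per the quoted 27.5.2 text a PK "
                  "write does not need to be authenticated",
    "user-mode-enforcing": "PK enrolled and images are verified; clearing PK "
                           "needs the current PKpriv or a platform-specific method",
    "user-mode-not-enforcing": "PK enrolled but verification is switched off; "
                               "clearing PK still needs PKpriv or a platform method",
    "inconsistent": "SetupMode=1 while a PK is present; firmware state is suspect",
}


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    attrs = struct.unpack_from("<I", raw)[0]
    return attrs, raw[4:]


def load_vars(path=EFIVARFS):
    """Read the variables of interest; missing or unreadable ones are skipped."""
    found = {}
    for name in NAMES:
        try:
            with open(os.path.join(path, f"{name}-{EFI_GLOBAL_GUID}"), "rb") as fh:
                found[name] = fh.read()
        except OSError:
            continue
    return found


def flag(variables, name):
    """Return the value of a one-byte variable, or None if it is absent."""
    raw = variables.get(name)
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
    return data[0]


def classify(variables):
    """Map raw variables to one of the keys of STATES."""
    setup = flag(variables, "SetupMode")
    secure = flag(variables, "SecureBoot")
    pk_raw = variables.get("PK")
    pk_enrolled = pk_raw is not None and len(parse_efivar(pk_raw)[1]) > 0
    if setup is None and secure is None:
        return "unsupported"
    if setup == 1:
        # Setup mode means the PK has been cleared; a PK here contradicts that.
        return "inconsistent" if pk_enrolled else "setup-mode"
    return "user-mode-enforcing" if secure == 1 else "user-mode-not-enforcing"


def efivar(attrs, data):
    """Build a constructed efivarfs entry for the samples below."""
    return struct.pack("<I", attrs) + data


# Constructed samples: an owner-controllable machine and a locked one.
SAMPLE_SETUP = {"SetupMode": efivar(0x06, b"\x01"),
                "SecureBoot": efivar(0x06, b"\x00")}
SAMPLE_LOCKED = {"PK": efivar(0x27, b"\xa1" * 44),   # placeholder key bytes
                 "SetupMode": efivar(0x06, b"\x00"),
                 "SecureBoot": efivar(0x06, b"\x01")}

if __name__ == "__main__":
    cases = (("this machine", load_vars()),
             ("constructed sample, setup mode", SAMPLE_SETUP),
             ("constructed sample, user mode", SAMPLE_LOCKED))
    for label, variables in cases:
        state = classify(variables)
        print(f"{label}: {state} ({STATES[state]})")
```
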
It sounds to me like you could make a setup-mode switch in the “BIOS” configuration screen and boot from the OEM CDROM to setup the keys.
While it might not happen (one can hope, though), there’s nothing stopping a UEFI implementer from allowing users to manage their own signing keys.
And even if that doesn’t happen, there’s the possibility of allowing ‘insecure boot’ of alternate OSes, but requiring Win8 to be booted securely (whether 100% enforced or with an optional group policy).
I think it’s likely MS is using this to test the waters, though, and the old saying about giving the devil your little finger does come into mind. At the same time, I don’t think we should be painting said guy on the wall.
It’s FUD, which coming from the FOSS camp is more than a little funny. Protip: MSFT makes TONS OF MONEY by allowing companies to put OLD VERSIONS on new computers. Hell, if you have an MSDN you can even go back to as far as Win 3.x if that fries your bacon! I’ve personally built several Win2K machines in the past two years for companies that had a mission critical app that required Win2K, these machines are simply kept on a private VLAN and used for this application while they convert their data over to Windows 7, which since Win 7 will be supported until 2020 THAT will be the OS NOT Windows 8 that many of the businesses will be standardized on.
So make no mistake it’s FUD. MSFT would be slitting their own throats not to mention throwing away millions and millions of dollars in MSDNs and software assurances contracts if they didn’t allow other OSes to be installed, not to mention this would bring up anti-trust all over again.
But again this doesn’t surprise me, the Linux community has this truly incredible game changer and they are just ignoring it while they act like it’s 1997 and Gates is still running MSFT. You want Linux to win, not be an also ran? Get behind ExpressGate/SplashTop and PUSH IT as hard as you can! With EG/ST it doesn’t matter what they have on the hard drive as it BYPASSES the whole thing! We are talking 6 second boots, even with HDDs, access to ALL the media on the drive and ALL the web, chat, email, surfing, all at your fingertips.
Instead of caring what MSFT does you could bypass them completely and have a Linux based OS on EVERY machine by giving the user CHOICE instead of the lame dual boot either/or way of doing things now. But it really needs the community behind it and writing more apps for it so instead of trying to beat MSFT at its own game you could simply be built into every machine and when the user wants Windows apps? Let them use Windows. When they want the web at their fingertips? YOU give them everything faster, leaner, with better battery life, and with none of the traditional geek BS that usually goes with Linux like CLI or forum fixes. It could truly change the game if the community would quit acting like it’s 1997 and get behind this new technology.
You seem to be missing a few points. Most of Microsoft’s sales come from new computers. New computers are almost never sold with older OS’s. Winxp was the exception primarily because of netbooks. Right now, Winxp is not a choice on new computers AFAIK. Sure, you can still buy Win2k, but it isn’t Microsoft selling it. They are done selling that product. As people buy new machines, the number of Windows 8 installs will increase. So while this isn’t a problem now or even next year, in as little as 2 years, all OEM computers will have this technology.
And why not blame Microsoft. It’s their technology. And they are forcing it on OEMs through their compliance program. You think ANY OEM wants to be the one that can’t advertise “Made for Windows 8”? Might as well shoot themselves if that’s the case.
Actually it just shows you’ve never worked corp. You CAN buy Win2k from MSFT, in fact there are two different ways: MSDN or software assurance and believe me friend it makes MSFT a LOT of money. An MSDN costs around $300 a year and software assurance costs even more.
So if you honestly think MSFT is gonna kill ALL those fat contracts, risk getting antitrust falling on them again and for what? To lock out an OS that even on the most optimistic prediction has MAYBE 3%? It’s crazy. MSFT may be a tough competitor but crazy?
You wanna know how this will work? I’ll explain it easy peasy. You’ll have a free tool, probably based on the Windows 7 PE you can download for free from MSFT now. It’s called KB3AIK_EN if you want to try it, it gives you a “Live CD” of Windows 7. This will have a “click to deactivate secure boot” and will give you the standard “are you sure?” so there is no mistake. This will give the OEMs a CYA excuse to not support you if you wanna run something funky, it gives MSFT a CYA to not support you if you bypass security, and it gives those on MSDN or software assurance an easy peasy way to run any old OS. Win/win all around.
Would you please STOP calling everything a FUD almost immediately, without even realizing it’s not a FUD?
It sounds almost as silly as calling everyone on the planet a TROLL just because he/she has another opinion.
It’s getting really boring. Stop supporting stupid trends on the internet. Many people are already fed up with this kind of talk.
If you were actually honest you’d actually admit the fact that the power resides in the hands of the hardware vendor and not Microsoft in very much the same way that it was FoxConn and NOT Microsoft who f-cked over users with its Windows only ACPI implementation in the motherboards they were selling (reported on various outlets almost a year ago).
I mean, I love bashing Microsoft as much as the next person but holy sh-tballs come on – the issue of whether or not one can disable secure boot or enable alternative operating systems to have access to such technology clearly resides with the hardware vendor itself so maybe it would be more productive to direct the geek rage to the very institutions who hold the power.
Edited 2011-10-20 03:11 UTC
kaiwai,
What was dishonest?
Will you concede any of the following points?
1. Microsoft has a hand in developing UEFI secure boot.
2. Microsoft is forcing vendors to implement UEFI secure boot.
3. Microsoft controls what windows will do in the absence of UEFI secure boot.
4. 3rd party secure boot keys raise the barriers to entry for independent developers whether microsoft holds the keys or not.
5. Secure boot could have been engineered with the owner in control.
6. The most logical reason to remove the owner from the chain of trust is to enable DRM.
… am I missing anything?
Edit: I don’t blame MS exclusively, after all manufacturers could benefit from this power play also. But MS intentions are probably far from innocent.
Edited 2011-10-20 08:31 UTC
The point is: Who cares who did and didn’t develop it given that the issue is about the fact that there are hardware vendors who aren’t offering the ability to turn the feature off in the UEFI settings. If you want to direct your geek rage then once again I state that you should direct it at the hardware vendors not Microsoft or Intel because NEITHER company has any say as to whether HP, Lenovo, Dell or so allows a user to disable ‘secure booting’.
So yes you are being dishonest or obscenely ignorant as to the real situation – the power lies in the hands of OEMs and whether THEY provide the ability to disable it.
kaiwai,
Either you are being obtuse, or some of this logic has gone right over your head. Depending on how microsoft implements secure boot (specifically whether they decay the experience via DRM when secure boot is overridden) then dual booting will be problematic even if the manufacturer has provided an option to disable secure boot.
MS is 100% responsible for whether it forces users to enable secure boot in order to run windows without breaking functionality (aka DRM). If users are forced to enable secure boot in order to run windows, then alternative PC operating systems will become second class citizens since secure boot will not authorize them to run.
Please reread this until you understand what it means before you call me dishonest or ignorant again.
Edited 2011-10-20 17:24 UTC
Secure Boot should be an optional checkbox in your installation that is not checked by default.
But, I still think this is just the FSF cherry picking a subject to gain publicity.
Edited 2011-10-18 21:35 UTC
Security to a large degree means protecting users from themselves, so this option _has_to_be_ enabled by default. I would not recommend a Win8 machine to anyone if it doesn’t have this feature.
No need for this ‘Occupy Redmond’ stance. Next they’ll be requiring open source graphics drivers for Windows…
What is a “Win8 machine”?
What is wrong with porting Linux open source graphics drivers to Windows? AMD/ATI recently started to do so:
http://www.phoronix.com/scan.php?page=article&item=amd_linux_wec7
It might be enabled by default, but the real problem is that some OEM might not even add an option to their BIOS.
That means you can’t even install, for example, Windows 7 if you wanted to do so.
This isn’t just about Linux or BSD, but about choice.
To prevent the PC becoming a smartphone or game-console which first has to be rooted before you can install another operating system.
Edited 2011-10-18 22:29 UTC
To their UEFI, you mean 🙂
If that happens, that’s a real problem, and then you’ve got a piece of hardware that’s as handicapped as Apple’s commodity hardware. And I do agree that there’s a lot of reason for concern, which is why I welcome the FSF campaign.
But to be taken seriously, people should try to avoid the “zomgMSareevilthisWILLhappen” doomsday theories.
By demanding that OEMs implement this for Windows 8 obviously Microsoft is increasing the risk for everyone.
And no-one will deny that Microsoft wouldn’t mind if OEMs mess up and thus not allow people to install an alternative operating system.
Hence why the FSF campaign is good.
True – except that there’d probably be enough outcry (and perhaps boycotts) to harm them – it’s not a 100% clear-cut win
All the existing FSF and “Linux community” news items about “Secure Boot” are all pre-emptive strikes obviously.
Who knows, maybe we can prevent any disaster this time (probably not).
Uhhh…dude? Didn’t read your own link? They ported it to Windows embedded which has about as much to do with the Windows everyone uses as an X360. WinCE is frankly a dead OS anyway as most OEMs are looking at either WinPhone or Win 8 if they want Windows but for some reason don’t want to use…well Windows.
Exactly what wide-spread real-world threats does Secure Boot protect the average user from?
Terrorists
Worse: Dirty Hippie Terrorists!
After a long hiatus, MBR based rootkits are semi-slowly starting to appear again. And the MBR is not the only time you can attack the boot sequence of BIOS-based operating systems. x64 versions of Windows have enforced driver signing, but there’s plenty of time during the boot sequence before those checks are being done.
f0dder,
“After a long hiatus, MBR based rootkits are semi-slowly starting to appear again.”
You’re missing the key piece though, the system will have been infected through another vulnerability in the first place – secure boot does NOT fix that!!!
And in any case, we’re not arguing against secure booting, that’s a total red herring. We’re arguing against a security feature a 3rd party holds the keys to. I don’t mind that a 3rd party holds the keys by default – but to be a legitimate security feature the spec would have to provide an explicit method for the owner to take control and stop trusting microsoft/vendor.
It doesn’t stop the “buggy OS” attack vector – that much I agree on. But it can plug the “hotel cleaning maid installs industrial espionage rootkit on laptop with bootcd” attack vector. Or the “disgruntled employee exfiltrates corporate data from otherwise locked-down system” attack vector.
Agree 100% – the UEFI key management needs to remain under our control.
I get the evil maid attack vector; more easily solved by putting one’s boot loader on removable media attached to your keychain but sure, a secured boot process does mitigate modifying the boot process (I just question Microsoft’s intended implementation).
But a disgruntled employee? How does a Microsoft certified secure boot process stop an employee from walking data out of the building in any of a hundred other methods? Why would an employee use a modified boot process in the first place? “to get other’s passwords” doesn’t even make sense given the low cost and skill needed to operate a physical keylogger. What disgruntled employee is being foiled by Microsoft authorizing the booting of my workstation?
Interesting, I can remember back in the day when MBR viruses were all the rage but that was like 20 years ago.
An interesting question is what happens if the verification fail. Is your PC effectively bricked? Can you still boot from other media? If yes, What if you don’t have any install/recovery media (increasingly common today)?
Yeah – it takes quite more sophisticated code to infect via this vector than it did back in the DOS days
All very good questions!
It partly depends on how the Secure Boot feature is implemented by the UEFI vendor – whether you’re allowed to add your own signing keys, and whether you are allowed to boot unsigned OS loaders.
Microsoft states[1] that “Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.” – let’s hope they don’t backtrack on that one.
[1] http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os…
What you call a theory, some would call a likelihood. An engineer at Red Hat has already claimed that some OEMs have told him that they WON’T be putting in a disable option. Now, he won’t say who, so you have to take this with a grain of salt. But I would be highly surprised if he was just outright lying.
On top of it all, there are better ways of securing the OS without this. Really, all the UEFI needs to be able to do is check for changes since last boot. Some BIOS already do this. Not allowing the machine to boot period is a bit extreme.
Lastly, why does Microsoft assume it’s secure? I consider Windows to be the virus. IF I was a company, it would be Windows I wouldn’t allow to be booted. But we as the end users can’t make that change can we? Who else is to blame for this other than Microsoft?
It *is* a likelihood, but don’t get too carried away on blaming MS for everything.
OEMs will support Secure Boot because Microsoft require it as part of certification, but if they support it in such a way that no other OS is supported, I’d be hesitant to blame MS for that. Not that Microsoft wouldn’t be delighted by that outcome, but if it happens, it will be because of laziness and cost-cutting by the OEM, not from any extra pressure by MS.
Microsoft are fully aware of this laziness and are basically counting on it…
Take another example, mono… Technically you can produce cross platform applications, but cross platform ability is not the default like say Java, you have to go out of your way to produce a cross platform application and MS know that most developers won’t do this. Thus they appear to be offering a choice, when in reality they know most developers will spring the lock-in trap for them.
The same will happen with UEFI, MS prime the trap but the OEMs spring it.
TechGeek,
“Lastly, why does Microsoft assume it’s secure? I consider Windows to be the virus. IF I was a company, it would be Windows I wouldn’t allow to be booted. But we as the end users can’t make that change can we? Who else is to blame for this other than Microsoft?”
That’s a great point. Although I’ll go at it another angle.
Let me re-iterate for those not aware, secure boot only secures the boot sequence, it’s up to the OS how to proceed securely once its loader is running. Once windows is running, it will be just as secure as it is today.
Once any component of the windows kernel is compromised it will be possible to re-infect the system with these older signed (I hesitate to say…legitimate) components, which are obviously being approved by the bootloader, which has been approved by secure boot. It will always be possible to reinstall this vulnerable chain unless the keys are blacklisted at the top.
However, if any of the keys are blacklisted on the motherboard, it might make reinstalling windows impossible. The official microsoft install CD might need to be blacklisted – or just as bad, the hidden recovery partition. This is unpalatable, and yet this is exactly how secure boot is designed.
is that some brands and/or models will only allow you to boot Windows but most, probably even all when it comes to server hardware, will allow you to either boot whatever OS you want or manage the keys.
Even if we paint the devil on the wall and MS want to force only allowing Windows to boot most vendors will not give in. No sane business person will cut themselves out of the large server market share that isn’t Windows.
Edited 2011-10-18 23:36 UTC
I started out with Windows and then tried different operating systems over a long period of time which eventually led me to leave the Windows platform entirely. I’m certain that the majority of Linux/BSD etc users of today had a similar experience.
Had locked down ‘safe boot’ been on my computer then I would never even have had the opportunity to try another operating system unless I was willing buy/build another computer which allowed this, and I likely wouldn’t have.
Now I hope I’m wrong, but nothing in Microsoft’s past or present history makes me think that this isn’t an attempt to lock down the OEM pc market to Windows under the guise of security.
OEMs don’t have to lock their machines to Windows but Microsoft has everything to gain if they do so and will obviously offer incentives (lower licence costs, advertising…) to make it happen.
So yes, spreading awareness of this is something I think is very important. Not particularly for ‘myself of today’ since I know about this and will be able to make appropriate choices concerning hardware, but rather those who like ‘myself back then’ went with Windows ‘because it’s what the computer came with’ only to later find that there were other operating systems that I’d much rather be running, FREE even.
If only people would read this comment, comprehend it, and stop starting stupid non-arguments about how current other-OS users can still build their own unlocked PCs.
Maybe but a bigger problem might be to have manufacturers implement this at all in a non-buggy way. Never underestimate the power of incompetence. Considering how long it took them to get standard-compliant, non-buggy ACPI implementations this could take quite a while.
Yes, I agree that it’s an important campaign.
And MS is certainly offering incentives. By requiring this “feature” to be implemented in order for manufacturers to display a win8 compatibility logo it allows manufacturers like gigabyte (who tell their customers to “go run windows” instead of fixing their broken apm implementations) to lock out any other OS.
The biggest crime here will very likely be that NO DISCLAIMERS will be anywhere stating that your purchase is exclusively “tied (magic word in EU courts)” to Microsoft products. Innocent end users beware.
It’s going to become a PITA to figure out what to buy, will probably be a PITA to bypass, an added PITA for the manufacturers to add a disable option which they would also have to test.
I do possibly anticipate this ending up in court in the EU at least. I certainly hope it does.
We’re almost to the official unveiling of the next Google phone and you’re here posting an article about the biggest hypocrites/weasels in the industry?
Vendors selling premade computers have every right to do what they wish to their products. If you want to buy a computer but don’t want Windows 8, don’t buy a Windows 8 computer. It’s as if some of you think the possibility to build your own, custom order your own, or buy a barebones system will suddenly vanish and the entire world will be forced into Windows 8 submission.
Anybody who is truthfully scared over Secure Boot needs treatment by a professional. Of all of the countless times I’ve heard people swear the sky is about to fall, it never has. If you’re looking for something to panic over, make it something of real substance.
ilovebeer,
“Vendors selling premade computers have every right to do what they wish to their products.”
Technically, once we purchase these computers and we are the owners, shouldn’t we have the right to do what we wish with our computers?
“If you want to buy a computer but don’t want Windows 8, don’t buy a Windows 8 computer.”
It’s not that simple. A lot of windows users today call us techies when they need help. And we, as techies, often use linux tools to troubleshoot/backup/restore systems because they’re the best tools of the trade. When a consumer buys a win8 computer, they will not realize that secure boot could restrict their service options.
Even if they do want a computer that can be unlocked, there is little likelihood that they’ll be able to find out which systems are unlockable from the presented specs, and it’s doubtful that the store associates will know either.
Lastly, many if not most of us started using linux alongside windows either by dualbooting or repurposing an older machine (I include myself). Nothing in the history of computing thus far prevented us from installing linux/bsd on a “designed for win xp” computer. Microsoft has not clarified whether dualbooting will be possible, but if not it will be a lot more difficult / expensive for users to try any alternative operating systems. Perfectly good hardware may end up in the bin because it’s tethered to an obsolete operating system.
“Anybody who is truthfully scared over Secure Boot needs treatment by a professional. Of all of the countless times I’ve heard people swear the sky is about to fall, it never has. If you’re looking for something to panic over, make it something of real substance.”
The sky won’t fall, but it’s stupid to have a trust model built into the hardware which keeps the owner out of the loop.
So a “techie” is someone who boots a Linux live CD? Do you have some proofs to support your affirmation that linux tools are the best for troubleshooting a windows system?
You’ll think it’s weird, but I do a good job troubleshooting windows systems by using recovery console from XP CD or command prompt from Windows 7 DVD.
twitterfire,
“So a ‘techie’ is someone who boots a Linux live CD?”
If that works for them, then why not?
“Do you have some proofs to support your affirmation that linux tools are the best for troubleshooting a windows system?”
A windows recovery disk is still necessary but is wholly inadequate. A linux livecd is much less vulnerable to windows malware. It lets you bootup the system with full hardware support to copy files, backup files to external drives and even over the network, test equipment, get device ids, download windows drivers (this can be a pain on many uninitialized windows systems) resize/recreate file systems. Linux has special data recovery tools. It has tools to clone drives with defective clusters. A techie who isn’t familiar with linux PC support tools still has a lot to learn.
The point isn’t that no windows tools are available, but that they require a working windows installation. Well, maybe you have a bartpe disk that works for you, but otherwise a linux live CD does a lot more.
“You’ll think it’s weird, but I do a good job troubleshooting windows systems by using recovery console from XP CD or command prompt from Windows 7 DVD.”
Use whatever works for you. Sooner or later though you’ll end up tearing the machine apart to put the drive in another machine when an rsync line would have sufficed.
Well, no, legally you don’t have that right. Also, while you may own the hardware, you do not own the software (in any form) that runs on it, but merely possess a usage license. And of course there are terms to usage licenses.
Yes, it is that simple. If you don’t like what buying a certified prebuilt Windows 8 box entails, then you opt for one of the alternatives; custom order, build your own, buy a barebones. There’s absolutely _nothing_ difficult about this.
About the claim that Linux ‘repair’ tools are the best of the trade — that’s complete fluff. There isn’t a single maintenance tool available to Linux that doesn’t have a Windows alternative.
There’s no proof of this.
Again, no proof. This is all total speculation and generated fear. The thing about playing what-if, …people tend to get all worked up and panicky over things that usually never materialize. I’m going to reserve my worry until there’s something tangible to actually worry about.
All this freaking out is based on people’s imagination of what _might_ happen, but based on nothing in reality. There’s no reason to believe users won’t be able to continue to install over their preinstalled OS. Further, if you want a Linux box, why waste your money on buying a prebuilt Windows box where part of the cost goes towards a Windows usage license? Maybe people should be reminded you can easily custom build, or buy barebones desktops & laptops.
There isn’t a single piece of evidence that says that’s the case. But even if it turns out to be, we just come back to what I mentioned in the beginning… if you don’t like it, don’t buy it — there are alternatives.
There’s no proof that consumers are ignorant of the technical details of the pre-built systems they buy? Are you really that stupid, or are you just being glib for the sake of argument?
Ugh, here you go again. In what alternate dimension do retailers know what the hell they’re talking about and in which intimate details of the UEFI/BIOS implementation are made readily available? Even when you build your own systems, you invariably end up scouring obscure forums for compatibility details not made available through any official channels.
Aside from, you know, all the technical details that have been released. It’s even been covered in this thread:
http://www.osnews.com/thread?493410
Nothing like putting your fingers in your ears, wilfully ignoring the evidence and accusing others of ‘not being based in reality’.
Why are they bothering to tell people this?
MS have said it won’t stop people installing other OS’s and the only people that will ever hear about this warning are the sort of people who will find a way around it anyway… the kind of nerds who care what OS their computer has.
Correct. As far as Microsoft’s requirements are, it won’t stop you installing other OSes. What *will* stop you installing other OSes is the OEMs simply not bothering to add it as an option. Look at the BIOS in any Dell machine, for example. There are very few options for those who like to tinker – no bus speed or core voltage settings to adjust, because they sell their machine as a consumer device to last a few years and be replaced. If they follow the same pattern with secure boot settings then there’ll be no option to disable it, and therefore no way to run Linux. Like others have said, this isn’t a big deal for those of us who build their own PCs anyway, but others who might try Linux out on their home PC might find they can’t do that, and chuck out a PC which might otherwise have had a few years of life left running another OS…
daedalus,
“What *will* stop you installing other OSes is the OEMs simply not bothering to add it as an option.”
You have a well reasoned post, however my objection goes beyond simply being able to disable it for two reasons:
1. We shouldn’t have to disable “secure boot” to run software which would otherwise be compatible with secure boot if the keys weren’t locked.
2. Microsoft has yet to announce whether windows will run with secure boot disabled. If secure boot must remain enabled to run windows (say, to enforce MS DRM), then it prevents users from dual booting or using live cds.
The thing that’s frustrating about this whole ordeal is that secure boot never should have been designed to exclude owners from the chain of trust.
Then they would learn a valuable life lesson about not buying crappy $300 Dells wouldn’t they? I mean the OEMs have been putting craptastic BIOS in the machines for years that cripple the heck out of the machines, so what do you expect? Just the other day I had to tell a customer he was gonna have to toss his RAM, because the crappy eMachines BIOS would NOT ALLOW non matched sticks, it would simply read one.
Again as others have pointed out you have CHOICE, you can go whitebox, you can DIY, you can go to a vendor like System76. It is REALLY disturbing how many want to take the rights away from the vendor instead of …you know…actually getting off your butt, doing a little research, you know THINKING about what you are doing? I swear it’s like everyone wants to baby proof the planet! It’s called personal responsibility folks, and sometimes being lazy gives you an expensive life lesson that teaches you not to be lazy in the future.
Hi,
Computer/device manufacturers could provide tools to allow the end user to manage their own keys, and could provide an option to disable Secure Boot. I hope all of them will do either (or both) of these things.
I fully expect that laptop/desktop/server manufacturers will do at least one of those things (and will allow other OSs to be installed) in the short term; in the same way that I expect that laptop/desktop/server manufacturers will continue to provide “legacy BIOS” compatibility (where there is no Secure Boot) in the short term. I also fully expect that some 80x86 devices (smartphones, tablets, maybe some media centres, maybe some notebooks) will be “Windows only” in the short term. In the long term (e.g. maybe 10 years) it’s harder to predict – maybe it’ll be cracked wide open and become a non-issue (unlikely), maybe manufacturers will start “accidentally forgetting” and make it impossible to install other OSs on laptop/desktop/server (much more likely).
I also don’t think Microsoft are the only people to worry about. Nothing prevents someone like Apple from selling computers that refuse to boot third-party OSs. This would be easy for Apple to do because they sell both the hardware and the software, and they already tweak the firmware to suit OS X (e.g. add support for HFS+ to the firmware).
If all computer and device manufacturers never create “locked down” hardware (and regardless of whether or not FSF’s statement has any effect on manufacturers) you lose nothing by signing FSF’s statement.
The *only* reason not to sign FSF’s statement is that you do want to buy and/or recommend “locked down” hardware. There’s very few good reasons for wanting that.
Sign it.
– Brendan
Next thing you hear is that the FSF recommends buying Apple Computers because they don’t implement “Secure Boot”…
Just curious when was the last time you saw a boot sector virus? Used to be all the rage when we had floppy drives, funny boot, stoned, 2kb.
Can’t think of when I last saw one – I can see with flash drives it’s possible, but when did you last see one?
So is MS protecting users from a reincarnated stoned or Linux BSD etc?
This is not the first time Microsoft has tried to restrict what OS you can boot. Remember the early days of Trusted Computing? Same thing there… for your own safety we’ll restrict what you can boot. Or how about their early attempts to lock down boxes for DRM? Same thing again. And the attempt to leverage Intel’s CPU ID for locking…
MS tries this exercise every few years. I only hope the independent community is strong enough to beat back the threat, yet again.
I have a question: Where was your outrage when Google did it? FYI this isn’t “trusted computing” this is MSFT ripping off Google specifically ChromeOS SafeBoot. Everyone knows MSFT wants to get in on the tablet/convertible craze so they are just ripping off Google, which ATM the Linux community think of as Gods. IIRC there is NO way to bypass ChromeOS SafeBoot either BTW.
I think it isn’t viruses or worries about system integrity. In fact MS fears piracy and plays the security card. Like they ask you to update your WAT and tell you “it will protect you”. It’s bullshit, they are protecting themselves.
This secure boot won’t work for limiting piracy, for 2 reasons:
1. OEM keys will be leaked
2. In the first 2 days/weeks “smart guys” will find a way to break/circumvent secureboot. They can even put a TPM on it like Apple. It won’t work.
Nobody wants to play in a locked platform regardless of what OS he uses (except Apple users). But frankly, the vast majority of users now aren’t as technically inclined as those from 2000 and they don’t know the difference between a computer, Windows, a web browser or the Google search engine. Nor do they care.
We don’t need to worry about secureboot because we will find a way to jailbreak it, even if some stupid OEM will enforce it on us.
And secureboot is concerning only ARM right now, as MS wants Windows 8 to be able to run on existing PCs.
Of course Microsoft doesn’t want people pirating their software. Like every other company, they want to protect their interest and that’s 100% completely legitimate. Maybe I’m interpreting your intention wrong but it borderline sounds like you think Microsoft has no right to protect themselves. I hope that’s not what you’re thinking.
I’m fully confident in both your points.
While there’s no shortage of people who fit that description, I do think you’re vastly underestimating people. There are a lot of very computer savvy individuals out there. Remember, we have a generation of adults who grew up with computers now.
If you’re implying people should be more reserved with their panicking, I totally agree.
Of course they have all the rights to protect their software. What I’m trying to point out is they aren’t 100% sincere, the method of choice is not the most fortunate and it won’t be efficient.
This is a good thing for Linux. The same ideas here can protect a Linux OS.