backtop


Print 59 comment(s) - last by alcalde.. on Jan 22 at 7:16 PM

Anti-Android crackdown would make Apple proud

Microsoft Corp.'s (MSFT) UEFI Secure Boot technology -- the long-awaited BIOS replacement -- has some people concerned due to its digital rights management features, which can be used by OEMs to prevent dual-booting to other operating systems like Linux.

Microsoft Windows President Steven Sinofsky sought to assuage disgruntled Windows users, writing:

There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available. Tony Mangefeste on our Ecosystem team authored this post. --Steven

Quick summary

UEFI allows firmware to implement a security policy

Secure boot is a UEFI protocol not a Windows 8 feature

UEFI secure boot is part of Windows 8 secured boot architecture

Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure

Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform

Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.

In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.

That statement rebuked previously claims of a Red Hat, Inc. (RHT) Linux engineer who posted:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

...

Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by ever OEM.

Or does it?

Computer World's UK correspondent Glyn Moody dug up this interesting tidbit in Microsoft's ARM license.  Writes Microsoft in "Windows Hardware Certification Requirements" for client and server systems, a document that regulates licensing (certification) (pg. 116):

MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

In other words dual-booting Linux on a standard x86 desktop should be no issue.  But if you were hoping to load dual-booting Android and Windows kernels on a Windows 8 tablet (which will likely have an ARM) CPU or on certain notebooks with ARM chips, think again.  Microsoft could soften its stance and/or users could find a way to break its DRM protections -- but there's no guarantee of either outcome.

Windows with ARM
ARM on Windows 8 -- don't you dare dual boot. [© DailyTech/Jason Mick]

In this regard Microsoft is very much "following in Apple, Inc.'s (AAPL) line".  Apple has long prevented dual booting to Linux or the installation of OS X on non-Apple computers.  Apple does allow Windows installation via Boot Camp, but only via a special understanding with Microsoft who cross licenses patents with Apple.

Windows 8 was a star of the show at the 2012 Consumer Electronics Show and is expected to land in tablets and PCs this fall.

Sources: MSDN [1], [2], Red Hat, Computer World UK



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

By Labotomizer on 1/16/2012 12:00:09 PM , Rating: 2
And not all existing tablet and ARM device footsteps? Can I load iOS on my Android tablet? Can I install whatever I wish on my Android tablet? Nope. It has a locked bootloader. The secure boot technology is effectively a locked bootloader. I don't see why we want to vilanize Microsoft for doing what every other device maker is currently doing.

And yes, there are devices with unlocked bootloaders and others where you can hack them. Do you really expect Windows 8 tablets to be that much different? Android doesn't use a Grub bootloader so the GPL issue goes away. There will almost certainly be OEMs that offer tablets that are signed with multiple OS keys. Therefore you could have a single tablet OEM sign a tablet with both Windows 8 and their own Android distro and offer the choice to the user. Will all the devices do that? Of course not, not all devices have unlocked boot loaders either. It will be a way devices will distinguish themselves.

You also have to keep in mind that Windows 8 on an ARM tablet will be designed to compete with existing tablet markets. It won't have the full Windows desktop and it won't support x86 programs. It will only support Metro Apps. Which also means MS will be charging very, very little to OEMs for their Windows licenses on these devices.




By pixelslave on 1/16/2012 2:01:43 PM , Rating: 2
Also, judging from how MS chose to implement this, we may be able to install future Windows onto these so-called "locked" tablet by ourselves, assuming that MS sells a signed retail version of its ARM OS. If that is true, it's already better than how most Android tablet makers handle upgrade -- you couldn't even install a new Android OS yourself without hacking.


By someguy123 on 1/16/2012 4:47:02 PM , Rating: 2
I've seen this news posted on a few other sites and reacted the same way. How is this any different from something like the nexus having its bootloader locked? What about the various other phones, and devices like the asus transformer?

windows 8 isn't even out yet and it's getting flak for adopting a security standard that it did not create and was not the first to adopt. makes no sense to me.


By someguy123 on 1/16/2012 6:45:06 PM , Rating: 2
The most confusing thing is this line:

quote:
In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.


Microsoft did not give these people UEFI secureboot. Secureboot is a global standard. The line in microsoft's agreement is stating that vendors are free to sign anything they like, and that microsoft do not exert control nor take responsibility for other means of firmware control. Basically they're saying they don't care what you put on there as long as the vendor takes responsibility. How this ended up being misconstrued as microsoft giving vendors the ability to lockout other OSs is just baffling.


By alcalde on 1/17/2012 10:52:50 PM , Rating: 2
You manage to get almost every single sentence wrong. :-(

>Microsoft did not give these people UEFI secureboot. Secureboot is
>a global standard.

It's a shame we're not talking about secure boot then, are we? What we're talking about is Microsoft requiring OEMs to disable the custom feature of secure boot that allows users to enter their own keys to run their own OSes and to not allow secure boot itself to be disabled. The difference is akin to that between the TCP/IP standard and using the standard to implement a DDoS attack! Either you're not getting that or you're being intentionally deceptive. And I'll say it yet again: Timothy McVeigh didn't invent explosives either.

>The line in microsoft's agreement is stating that vendors are free
>to sign anything they like,

This relates to the Windows 8 ARM certification agreement. The vendors are putting Windows 8 on it by definition. Are you suggesting vendors will ship with multiple OSes? Even if you are, it's again completely irrelevant when the issue is end users being able to install the OS of their choice. The Wizard of Oz had less straw men than your post here,,, ;-)

>and that microsoft do not exert control nor take responsibility for
>other means of firmware control.

This is a sentence you seem to be the only source of and conflicts with the actual published information. They are mandating UEFI, mandating secure boot, mandating custom mode not be usable and secure boot not be disabled. So they won't be responsible for anything the OEM does over and above this? You're trying to trick the reader with this unsourced claim into thinking MS is saying they don't have to use secure boot. They do, and I've already quoted the specific lines that say so.

>Basically they're saying they don't care what you put on there as
>long as the vendor takes responsibility.

They do care... they're mandating it . How you read you must use secure boot, it can't be turned off and users can't add other keys as not caring is the only baffling thing. Also, again with the vendors. Please forget about vendors and talk about users, since the issue is how the end result of this will affect consumers, not how it affects vendors. We're consumers, not OEM vendors.

> How this ended up being misconstrued as microsoft giving vendors
>the ability to lockout other OSs is just baffling.

What is wrong with... argh. It's the Ed Bott strategy: just keep smirking, saying I don't know what you're talking about, you're just crazy. I buy some new Lenovo ARM laptop. Can I take the Microsoft 8 ARM off of there and install OpenSUSE Linux ARM? No, I can't? I'm stuck with Windows 8 even if I don't like it? Now, follow the dots... Microsoft... vendor... lock out... OS. I have an OS I want to use that can run on the device... I can't install it because a security feature is present that prevents it... the vendor was threatened with being denied Win8 certification unless it added that security feature... and the party that did this strong-arming was Microsoft. <Shatner>What... in... the...world... are... you... baffled... by?</Shatner>


By alcalde on 1/17/2012 8:44:11 PM , Rating: 2
>How is this any different from something like the nexus having its
>bootloader locked?

There is a difference between a hardware vendor locking their own device and an OS vendor mandating locked devices. Both are anti-consumer, but the latter is anti-competitive. It's also different because we're not talking about phones, we're talking about general-purpose computing devices (we will probably be seeing ARM laptops in the near future as we already have ARM convertible tablets). We're talking about killing off Linux on ARM, for instance. It boggles my mind that the same people who are against Apple's lawsuit frenzy and SOPA are perfectly cool with general-purpose computing devices mandating what you can run on them.

>What about the various other phones, and devices like the asus
>transformer?

Ok, the first thing here is stop thinking phones. This isn't about toys and widgets. This is about future laptops and convertible tablets. The locking of the Transformer was anti-consumer, and the Linux and Android community raised so much fuss that within days ASUS agreed to unlock it. Meanwhile, MS had policy papers from two groups (including Red Hat) suggesting ways to implement secure boot without limiting user choice. They didn't acknowledge them, played word games, and then implemented this OEM policy anyway (as monopolies are wont to do). All of these things combined make this a heck of a lot more serious than one phone maker locking down a phone.

>windows 8 isn't even out yet and it's getting flak for adopting a
>security standard that it did not create

This statement is problematic on several fronts. First, those defending MS when the news first came out about secure boot advised waiting. Now that we've waited and ARM is locked down you're suggesting waiting again? If we sit down and shut up, it's too late. If Win8 ARM devices ship, the vendors will have already agreed to these OEM terms so the only hope to have MS reconsider them is long before Win 8 ARM ships.
Second, don't blame this on secure boot. It's INCREDIBLE how people are blaming everyone except Microsoft. My reply to you is the same I gave to someone else who told me "Microsoft didn't invent this" : Timothy McVeigh didn't invent explosives either. On top of that, Red Hat, like MS, is part of the UEFI steering committee . Red Hat told MS not to do this. In the article that announced the ARM restrictions, it was made clear that secure boot is being used in a way it was never intended to be used. It was not designed to prohibit end users from installing their own operating systems. Microsoft is abusing secure boot to block its competition (free OSes Android, WebOS and Linux) and prevent end users from trying them.

> and was not the first to adopt. makes no sense to me.

I'm sorry it doesn't make sense to you, but perhaps that's because you haven't read the relevant articles on the subject or are viewing this through partisan lenses. Microsoft is the first and only company to mandate to OEMs that end users not be able to disable secure boot. That is not part of the secure boot standard. There is nothing wrong with secure boot; there is something wrong with using it to keep consumers from installing their OS of choice.


By alcalde on 1/17/2012 6:31:36 PM , Rating: 2
>And not all existing tablet and ARM device footsteps? Can I load
>iOS on my Android tablet?

Did you think about that statement? You can't install iOS on your Android tablet because of Apple, not because of Android tablet makers. You get Apple to sell a copy of iOS separately, and I guarantee you we'll get it running on a similarly-speced Android tablet, just as Hackintoshes exist.

>Can I install whatever I wish on my Android tablet? Nope. It has a
>locked bootloader.

What device are you using? There are entire communities dedicated to producing custom Android ROMs, and a few days ago the CyanogenMod folks announced they'd surpassed ONE MILLION unique downloads. If all Android devices had a locked bootloader, who are these one million people downloading these ROMs?

ASUS locked the Transformer and Transformer Prime tablet/laptops, and there was a huge outcry from the user community, so much so that within a few days ASUS agreed to unlock the devices. Three months before MS implemented this OEM policy two different groups (including Red Hat, who also has a position on the UEFI board with Microsoft) detailed ways MS could gain the security of secure boot without infringing on people's right to install their own OS. Secure boot was never intended to lock people out of installing a new OS. MS ignored all of this input and produced this policy anyway.

>The secure boot technology is effectively a locked bootloader. I
>don't see why we want to vilanize Microsoft for doing what every
>other device maker is currently doing.

MICROSOFT IS NOT A DEVICE MAKER. Microsoft is an OS vendor. When Apple locks down its own iPad, that's anti-comsumer, but it doesn't hurt its competitors (e.g. Samsung). When Microsoft orders OEMs to not allow other OSes to be installed on any product they put Win8 ARM on, that is anti-competitive, as it locks out their direct OS competitors (Android, WebOS, Linux). There is NO valid security reason for not allowing the user to disable the secure boot. If there were, wouldn't they be doing it on the much more vulnerable x86 platform? This is about not wanting users to give Android, Linux or WebOS a try. Taking away user control makes Microsoft more secure, not the end user.

>And yes, there are devices with unlocked bootloaders and others
>where you can hack them.

You just negated your first paragraph.

>Do you really expect Windows 8 tablets to be that much different?

Yes. Secure boot is... well, quite secure. If you can hack it, you've either gotten quite lucky with a vendor who failed to implement the practice properly, you've cracked the encryption, in which case the NSA has a job for you and the government's own encryption is at risk, or... well, there is no clear alternative. This is a very secure method created by a consortium of companies and it's not something that one can make a simple end-round.

All of which is besides the point: I shouldn't have to be a hacker to install software on the hardware which I paid for. This isn't even like mobile phones where the device is using a carrier's network and certain restrictions make sense.

>Android doesn't use a Grub bootloader so the GPL issue goes away.
>There will almost certainly be OEMs that offer tablets that are
>signed with multiple OS keys.

You still fail to see the point. It's OUR device. We shouldn't need the OEM's permission to choose what we do with it once we've paid them for it. It's ours.

I use OpenSUSE Linux on my desktop. OpenSUSE is hard at work and making great progress on an ARM port, and I expect it'll be done before Win8 ARM releases. There will never be an OEM pre-installing OpenSUSE on a tablet. What this means is MS is shutting me out of running a full desktop OS on any device that comes with their OS, which will probably be all of the higher-powered ones (the best choice to run a full desktop OS on). If we start seeing ARM laptops appear (and we will) they'll almost certainly all being running Win8 and thus again that'll be a whole class of device I simply won't be allowed to run OpenSUSE or any other Linux on. That's incorrigible and I am simply gobsmacked how many people are shrugging this off just because it doesn't affect them personally. This is MS impeding other OSes and it's anti-competitive.

>You also have to keep in mind that Windows 8 on an ARM tablet will
>be designed to compete with existing tablet markets. It won't have
>the full Windows desktop and it won't support x86 programs.

This is somewhat in the air as they originally showed the full desktop running on ARM but it does seem that they've backed away from that so this will probably be the case. That's all the more reason this is infuriating. A full desktop OS is available now in the form of Linux but this lock-out won't let users use something demonstrably superior on the device. What more do you need to qualify as anti-competitive?


By Lugaidster on 1/17/2012 11:34:09 PM , Rating: 2
You've written an immense amount of lines in this article trying to say something completely wrong. You seem to confuse anticompetitive with undesirable. Microsoft is not mandating that anyone that wants to install Windows 8 on an ARM device conforms with this, it's mandating that anyone that wants a "Designed for Windows 8" (or something along those lines) certification on their device conform with this.

It is not anticompetitive to demand that companies that bundle your software with their devices and want your certification, conform to your guidelines. Maybe it's not what you want, but it certainly isn't anticompetitive (do you even know what that concept legally means?). Remember, this is a requirement for the certification, not for running Windows per se.

If the device isn't what you want, don't buy it. That crap about "We shouldn't need the OEM's permission to choose what we do with it once we've paid them for it. It's ours." is incredibly misguiding. It's certainly wrong to penalize people for doing what they want with their devices (A.K.A. hacking or modding), like what happened with Sony and the PS3. But this is a free market after all, companies and manufacturers aren't required to leave the device open so that a very vocal minority is happy.

I'll just write this again in case it isn't already clear, this are the requirements for the Windows Logo Program, not the System Requirements. If at any point this become the latter, then I'll gladly change my stance.


By alcalde on 1/18/2012 3:05:38 AM , Rating: 2
>You've written an immense amount of lines in this article trying to
>say something completely wrong.

I'd wager there's no one posting here who understands the issue better than myself.

>You seem to confuse anticompetitive with undesirable. Microsoft is
>not mandating that anyone that wants to install Windows 8 on an ARM
>device conforms with this, it's mandating that anyone that wants a
>"Designed for Windows 8" (or something along those lines)
>certification on their device conform with this.

And any vendor that shipped a Windows product without being certified would be eaten alive by its competitors for just that reason and it would be product suicide. Can you name any significant vendor who has ever shipped products that weren't certified? Microsoft is a monopoly and the devices need to have that certification. That's why MS needs to be extra careful to avoid stifling competition and why this move is quite clearly anti-competitive.

>It is not anticompetitive to demand that companies that bundle your
>software with their devices and want your certification, conform to
>your guidelines.

Sigh. Are you a trial lawyer by any chance? First of all, since we're talking about a monopoly, there's an entirely different set of measurements that come into play when gauging anti-competitiveness and you neglect to mention. But we'll set that aside for the moment. Of course there's nothing inherently anti-competitive about asking vendors to "conform to your guidelines". There is something anti-competitive when those "guidelines" include locking the customer in to your product and not allowing them to try or switch to a competitor's product. I see what you did there. Nice try. Would you say that if Microsoft decided to pull the same thing with x86 Win8 the Justice Department wouldn't be on them in an instant? No? If a "guideline" was that the device not be allowed to replace the browser with Firefox or Chrome, would that be just peachy too and not draw the attention of regulators? No? Then there goes your argument. I commend you for keeping a straight face while making it.

>Maybe it's not what you want, but it certainly isn't
>anticompetitive (do you even know what that concept legally
>means?).

You got me. I'm clueless about the concept and you've demonstrated here your superior grasp of the matter. You can do anything you want so long as you call it a "guideline". The fact that you're a monopoly and vendors need that certification to sell products doesn't even factor into it.

>If the device isn't what you want, don't buy it.

And when every eventual ARM laptop ships with Windows 8 just like every x86 laptop does, is that the same answer? Where were you during MS' anti-trust trial...

>That crap about "We shouldn't need the OEM's permission to choose
>what we do with it once we've paid them for it. It's ours." is
>incredibly misguiding.

Yeah, just crazy talk, right?

>It's certainly wrong to penalize people for doing what they want
>with their devices (A.K.A. hacking or modding), like what happened
>with Sony and the PS3.

I haven't seen an argument so boldly wrong since the 90s when Rush Limbaugh said that when we choose which color shirt to wear or which hamburger to order we're "discriminating" so therefore that proves that there's nothing wrong with discrimination. Yes, because we can't do things with our devices that are illegal, that negates the concept of being able to do whatever we want that is legal with our own property.

>But this is a free market after all,

Thank you for the perfect straight line... "Not if a monopoly like Microsoft can get away with things like this."

>companies and manufacturers
>aren't required to leave the device open so that a very vocal
>minority is happy.

Funny it's not the companies that are locking it then, huh? And are you guys all using the same talking points? The argument always goes from attempts to confuse to misusing terms to you're all crazy there's nothing to see here to you're just a minority so your opinion doesn't count.

Companies very likely will be required to leave devices unlocked for the good of consumers and to prevent MS from stifling competition. We'll see how long it takes the EFF to file a lawsuit, although I bet MS will change the policy before anything ever sees a court.

>I'll just write this again in case it isn't already clear, this are
>the requirements for the Windows Logo Program, not the System
>Requirements. If at any point this become the latter, then I'll
>gladly change my stance.

You've made it clear that you don't understand anything about monopoly power in a marketplace or may have been in a cave since the 90s to understand that in a monopoly market OEMs don't have a realistic option to not be certified and thus the monopoly has extra requirements placed on it to avoid using its position to eliminate competition (you know, the same reason the EU made MS put a browser choice screen on start-up to let users choose what browser they want to use).


By Lugaidster on 1/18/2012 4:46:46 PM , Rating: 2
> You've made it clear that you don't understand anything about monopoly power in a marketplace

You've made it clear as well.


By alcalde on 1/22/2012 5:56:25 PM , Rating: 2
I bow to that amazing refutation. Bowled over by the slew of facts you used to back up what would otherwise have been a groundless claim and an acknowledgment that my arguments couldn't be rebutted, I humbly yield.


"I want people to see my movies in the best formats possible. For [Paramount] to deny people who have Blu-ray sucks!" -- Movie Director Michael Bay














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki