backtop


Print 59 comment(s) - last by alcalde.. on Jan 22 at 7:16 PM

Anti-Android crackdown would make Apple proud

Microsoft Corp.'s (MSFT) UEFI Secure Boot technology -- the long-awaited BIOS replacement -- has some people concerned due to its digital rights management features, which can be used by OEMs to prevent dual-booting to other operating systems like Linux.

Microsoft Windows President Steven Sinofsky sought to assuage disgruntled Windows users, writing:

There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available. Tony Mangefeste on our Ecosystem team authored this post. --Steven

Quick summary

UEFI allows firmware to implement a security policy

Secure boot is a UEFI protocol not a Windows 8 feature

UEFI secure boot is part of Windows 8 secured boot architecture

Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure

Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform

Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.

In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.

That statement rebuked previously claims of a Red Hat, Inc. (RHT) Linux engineer who posted:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

...

Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by ever OEM.

Or does it?

Computer World's UK correspondent Glyn Moody dug up this interesting tidbit in Microsoft's ARM license.  Writes Microsoft in "Windows Hardware Certification Requirements" for client and server systems, a document that regulates licensing (certification) (pg. 116):

MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

In other words dual-booting Linux on a standard x86 desktop should be no issue.  But if you were hoping to load dual-booting Android and Windows kernels on a Windows 8 tablet (which will likely have an ARM) CPU or on certain notebooks with ARM chips, think again.  Microsoft could soften its stance and/or users could find a way to break its DRM protections -- but there's no guarantee of either outcome.

Windows with ARM
ARM on Windows 8 -- don't you dare dual boot. [© DailyTech/Jason Mick]

In this regard Microsoft is very much "following in Apple, Inc.'s (AAPL) line".  Apple has long prevented dual booting to Linux or the installation of OS X on non-Apple computers.  Apple does allow Windows installation via Boot Camp, but only via a special understanding with Microsoft who cross licenses patents with Apple.

Windows 8 was a star of the show at the 2012 Consumer Electronics Show and is expected to land in tablets and PCs this fall.

Sources: MSDN [1], [2], Red Hat, Computer World UK



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

By B3an on 1/16/2012 6:19:22 PM , Rating: -1
Exactly. Just another highly sensationalist post by Mick as usual.

Who would even want to replace W8 with a far less capable OS anyway. And if you want Android - get an Android tablet. It's also still possible for Linux/Android to work with Secure Boot anyway. Like you say it's an industry standard.


By someguy123 on 1/16/2012 6:45:06 PM , Rating: 2
The most confusing thing is this line:

quote:
In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.


Microsoft did not give these people UEFI secureboot. Secureboot is a global standard. The line in microsoft's agreement is stating that vendors are free to sign anything they like, and that microsoft do not exert control nor take responsibility for other means of firmware control. Basically they're saying they don't care what you put on there as long as the vendor takes responsibility. How this ended up being misconstrued as microsoft giving vendors the ability to lockout other OSs is just baffling.


By alcalde on 1/17/2012 10:52:50 PM , Rating: 2
You manage to get almost every single sentence wrong. :-(

>Microsoft did not give these people UEFI secureboot. Secureboot is
>a global standard.

It's a shame we're not talking about secure boot then, are we? What we're talking about is Microsoft requiring OEMs to disable the custom feature of secure boot that allows users to enter their own keys to run their own OSes and to not allow secure boot itself to be disabled. The difference is akin to that between the TCP/IP standard and using the standard to implement a DDoS attack! Either you're not getting that or you're being intentionally deceptive. And I'll say it yet again: Timothy McVeigh didn't invent explosives either.

>The line in microsoft's agreement is stating that vendors are free
>to sign anything they like,

This relates to the Windows 8 ARM certification agreement. The vendors are putting Windows 8 on it by definition. Are you suggesting vendors will ship with multiple OSes? Even if you are, it's again completely irrelevant when the issue is end users being able to install the OS of their choice. The Wizard of Oz had less straw men than your post here,,, ;-)

>and that microsoft do not exert control nor take responsibility for
>other means of firmware control.

This is a sentence you seem to be the only source of and conflicts with the actual published information. They are mandating UEFI, mandating secure boot, mandating custom mode not be usable and secure boot not be disabled. So they won't be responsible for anything the OEM does over and above this? You're trying to trick the reader with this unsourced claim into thinking MS is saying they don't have to use secure boot. They do, and I've already quoted the specific lines that say so.

>Basically they're saying they don't care what you put on there as
>long as the vendor takes responsibility.

They do care... they're mandating it . How you read you must use secure boot, it can't be turned off and users can't add other keys as not caring is the only baffling thing. Also, again with the vendors. Please forget about vendors and talk about users, since the issue is how the end result of this will affect consumers, not how it affects vendors. We're consumers, not OEM vendors.

> How this ended up being misconstrued as microsoft giving vendors
>the ability to lockout other OSs is just baffling.

What is wrong with... argh. It's the Ed Bott strategy: just keep smirking, saying I don't know what you're talking about, you're just crazy. I buy some new Lenovo ARM laptop. Can I take the Microsoft 8 ARM off of there and install OpenSUSE Linux ARM? No, I can't? I'm stuck with Windows 8 even if I don't like it? Now, follow the dots... Microsoft... vendor... lock out... OS. I have an OS I want to use that can run on the device... I can't install it because a security feature is present that prevents it... the vendor was threatened with being denied Win8 certification unless it added that security feature... and the party that did this strong-arming was Microsoft. <Shatner>What... in... the...world... are... you... baffled... by?</Shatner>


"Intel is investing heavily (think gazillions of dollars and bazillions of engineering man hours) in resources to create an Intel host controllers spec in order to speed time to market of the USB 3.0 technology." -- Intel blogger Nick Knupffer














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki