Print 59 comment(s) - last by alcalde.. on Jan 22 at 7:16 PM

Anti-Android crackdown would make Apple proud

Microsoft Corp.'s (MSFT) UEFI Secure Boot technology -- the long-awaited BIOS replacement -- has some people concerned due to its digital rights management features, which can be used by OEMs to prevent dual-booting to other operating systems like Linux.

Microsoft Windows President Steven Sinofsky sought to assuage disgruntled Windows users, writing:

There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available. Tony Mangefeste on our Ecosystem team authored this post. --Steven

Quick summary

UEFI allows firmware to implement a security policy

Secure boot is a UEFI protocol not a Windows 8 feature

UEFI secure boot is part of Windows 8 secured boot architecture

Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure

Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform

Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.

In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.

That statement rebuked previously claims of a Red Hat, Inc. (RHT) Linux engineer who posted:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.


Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by ever OEM.

Or does it?

Computer World's UK correspondent Glyn Moody dug up this interesting tidbit in Microsoft's ARM license.  Writes Microsoft in "Windows Hardware Certification Requirements" for client and server systems, a document that regulates licensing (certification) (pg. 116):

MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

In other words dual-booting Linux on a standard x86 desktop should be no issue.  But if you were hoping to load dual-booting Android and Windows kernels on a Windows 8 tablet (which will likely have an ARM) CPU or on certain notebooks with ARM chips, think again.  Microsoft could soften its stance and/or users could find a way to break its DRM protections -- but there's no guarantee of either outcome.

Windows with ARM
ARM on Windows 8 -- don't you dare dual boot. [© DailyTech/Jason Mick]

In this regard Microsoft is very much "following in Apple, Inc.'s (AAPL) line".  Apple has long prevented dual booting to Linux or the installation of OS X on non-Apple computers.  Apple does allow Windows installation via Boot Camp, but only via a special understanding with Microsoft who cross licenses patents with Apple.

Windows 8 was a star of the show at the 2012 Consumer Electronics Show and is expected to land in tablets and PCs this fall.

Sources: MSDN [1], [2], Red Hat, Computer World UK

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By alcalde on 1/17/2012 8:44:11 PM , Rating: 2
>How is this any different from something like the nexus having its
>bootloader locked?

There is a difference between a hardware vendor locking their own device and an OS vendor mandating locked devices. Both are anti-consumer, but the latter is anti-competitive. It's also different because we're not talking about phones, we're talking about general-purpose computing devices (we will probably be seeing ARM laptops in the near future as we already have ARM convertible tablets). We're talking about killing off Linux on ARM, for instance. It boggles my mind that the same people who are against Apple's lawsuit frenzy and SOPA are perfectly cool with general-purpose computing devices mandating what you can run on them.

>What about the various other phones, and devices like the asus

Ok, the first thing here is stop thinking phones. This isn't about toys and widgets. This is about future laptops and convertible tablets. The locking of the Transformer was anti-consumer, and the Linux and Android community raised so much fuss that within days ASUS agreed to unlock it. Meanwhile, MS had policy papers from two groups (including Red Hat) suggesting ways to implement secure boot without limiting user choice. They didn't acknowledge them, played word games, and then implemented this OEM policy anyway (as monopolies are wont to do). All of these things combined make this a heck of a lot more serious than one phone maker locking down a phone.

>windows 8 isn't even out yet and it's getting flak for adopting a
>security standard that it did not create

This statement is problematic on several fronts. First, those defending MS when the news first came out about secure boot advised waiting. Now that we've waited and ARM is locked down you're suggesting waiting again? If we sit down and shut up, it's too late. If Win8 ARM devices ship, the vendors will have already agreed to these OEM terms so the only hope to have MS reconsider them is long before Win 8 ARM ships.
Second, don't blame this on secure boot. It's INCREDIBLE how people are blaming everyone except Microsoft. My reply to you is the same I gave to someone else who told me "Microsoft didn't invent this" : Timothy McVeigh didn't invent explosives either. On top of that, Red Hat, like MS, is part of the UEFI steering committee . Red Hat told MS not to do this. In the article that announced the ARM restrictions, it was made clear that secure boot is being used in a way it was never intended to be used. It was not designed to prohibit end users from installing their own operating systems. Microsoft is abusing secure boot to block its competition (free OSes Android, WebOS and Linux) and prevent end users from trying them.

> and was not the first to adopt. makes no sense to me.

I'm sorry it doesn't make sense to you, but perhaps that's because you haven't read the relevant articles on the subject or are viewing this through partisan lenses. Microsoft is the first and only company to mandate to OEMs that end users not be able to disable secure boot. That is not part of the secure boot standard. There is nothing wrong with secure boot; there is something wrong with using it to keep consumers from installing their OS of choice.

"And boy have we patented it!" -- Steve Jobs, Macworld 2007

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki