
Anti-Android crackdown would make Apple proud

Microsoft Corp.'s (MSFT) UEFI Secure Boot technology -- the long-awaited BIOS replacement -- has some people concerned due to its digital rights management features, which can be used by OEMs to prevent dual-booting to other operating systems like Linux.

Microsoft Windows President Steven Sinofsky sought to assuage disgruntled Windows users, writing:

There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available. Tony Mangefeste on our Ecosystem team authored this post. --Steven

Quick summary

UEFI allows firmware to implement a security policy

Secure boot is a UEFI protocol not a Windows 8 feature

UEFI secure boot is part of Windows 8 secured boot architecture

Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure

Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform

Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.

In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.

That statement rebuked previous claims by a Red Hat, Inc. (RHT) Linux engineer, who posted:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

...

Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.

Or does it?

Computer World's UK correspondent Glyn Moody dug up this interesting tidbit in Microsoft's ARM license.  Writes Microsoft in "Windows Hardware Certification Requirements" for client and server systems, a document that regulates licensing (certification) (pg. 116):

MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

In other words, dual-booting Linux on a standard x86 desktop should be no issue. But if you were hoping to dual-boot Android and Windows kernels on a Windows 8 tablet (which will likely have an ARM CPU) or on certain notebooks with ARM chips, think again. Microsoft could soften its stance and/or users could find a way to break its DRM protections -- but there's no guarantee of either outcome.
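A check an administrator can run on a Linux system to see which of these states a machine is in, as an added example that is not from the original article: it reads the standard UEFI `SecureBoot` and `SetupMode` variables through Linux's efivarfs. The function names and state labels are assumptions made for this example.

```python
import os
import struct

# GUID of the EFI global variable namespace, fixed by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # where Linux mounts efivarfs


def parse_efivar(blob):
    """Split an efivarfs file into (attributes, data).

    efivarfs stores a 4-byte little-endian attribute mask before the value.
    """
    if len(blob) < 4:
        raise ValueError("efivarfs entry is shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]


def read_flag(name, root=EFIVARS):
    """Return a one-byte UEFI variable as an int, or None if it is absent."""
    try:
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "rb") as fh:
            _, data = parse_efivar(fh.read())
    except FileNotFoundError:
        return None
    return data[0] if len(data) == 1 else None


def secure_boot_state(root=EFIVARS):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    secure_boot = read_flag("SecureBoot", root)
    setup_mode = read_flag("SetupMode", root)
    if secure_boot is None:
        return "unsupported"   # legacy BIOS boot, or firmware without Secure Boot
    if secure_boot == 1 and setup_mode == 1:
        return "inconsistent"  # firmware should not enforce without a platform key
    if secure_boot == 1:
        return "enforcing"     # only loaders trusted by the firmware key databases boot
    if setup_mode == 1:
        return "setup-mode"    # no platform key enrolled; keys can still be installed
    return "disabled"          # keys enrolled, enforcement switched off in firmware setup


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of `enforcing` on a machine whose firmware setup offers no way to switch Secure Boot off or enroll keys is the situation the ARM requirement quoted above describes.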

ARM on Windows 8 -- don't you dare dual boot. [© DailyTech/Jason Mick]

In this regard Microsoft is very much "following in Apple, Inc.'s (AAPL) line". Apple has long prevented dual booting to Linux or the installation of OS X on non-Apple computers. Apple does allow Windows installation via Boot Camp, but only via a special understanding with Microsoft, which cross-licenses patents with Apple.

Windows 8 was a star of the show at the 2012 Consumer Electronics Show and is expected to land in tablets and PCs this fall.

Sources: MSDN [1], [2], Red Hat, Computer World UK




RE: Why do you say they follow in Apple's footsteps
By alcalde on 1/17/2012 11:09:34 PM , Rating: 2
Sadly, you're wrong. MS specifically forbids users being able to enter their own keys (something many articles haven't made clear but the Software Freedom Law Center has). It doesn't matter if what I have is signed or not if I can't enter my own key into the device.

This is not a "sane" policy, if by sane you mean genuinely interested in security. It's sane if you want to prevent users from trying competing OSes.

Finally this isn't all about Android either. If we're talking real ARM laptops, the elephant in the room is Linux. If Microsoft indeed backs down on running the full desktop on at least the first ARM devices, and Android is still phone/tablet oriented, that leaves Linux with a significant advantage because full desktop ARM versions of Linux exist, and many of the remaining major distros that don't have one are already hard at work on them and should be completed before Win8's ship date. Linux would be both head and shoulders above the available ARM OSes intended for devices with the most powerful ARM chips, and locked out of being run on most of those devices. That's anti-competitive and not good for the consumer.


By Labotomizer on 1/19/2012 1:50:11 PM , Rating: 2
Dude, get off your high horse. The only difference between this and what Apple and Google do with their tablets is it has the Microsoft name on it. Period. What about ChromeBooks? Google, the OS vendor, mandates that secure boot be enabled and cannot be tampered with on a ChromeBook. Where's your outrage?

Oh, MS doesn't have a monopoly on ARM. They were found to have a monopoly on x86 desktops and laptops. So you're wrong there too. And they have mandated that the option to disable secure boot MUST be available on the x86 platform.

So if you want your Lenovo tablet that you can load Linux on, go buy an x86 tablet. What's the big deal? Because the "cheap" platform doesn't give you the options the more expensive one does?

You're a self righteous idiot and that's about all I gathered from your numerous posts here. And about as arrogant as they possibly come. I don't suppose your initials are SJVN are they?


By alcalde on 1/22/2012 6:59:29 PM , Rating: 2
>The only difference between this and what Apple and Google do with
>their tablets is it has the Microsoft name on it.

Two hundred thousand times you're asked to stick to Microsoft and two hundred thousand times it's explained to you the difference between a device vendor and an OS vendor (and Google doesn't even make tablets) and two hundred thousand times you're asked to address the impact of users not being able to install their OS of choice and two hundred thousand times people like you just repeat the same claim without addressing the refutation that's had to be written ad nauseam.

>Period.

Don't you realize that when you can only offer "uh-uh" or "is too" that you've already lost the argument, and never really belonged in it in the first place?

>What about ChromeBooks? Google, the OS vendor, mandates that secure
>boot be enabled and cannot be tampered with on a ChromeBook.
>Where's your outrage?

This is something that's patently false and invented, but first... this isn't about CHROMEBOOKS. This is about MICROSOFT. Secondly, Google has A PHYSICAL SWITCH ON THE DEVICE ALONG WITH A SOFTWARE COMMAND THAT LETS YOU OVERRIDE THE SECURE BOOT. IT ALSO HAS ANOTHER PHYSICAL SWITCH THAT RESETS THE DEVICE TO FACTORY SETTINGS. But this nonsense keeps getting repeated over and over. To return the ZDNet reference you make later on, are you Will Farell or Cylon Centurion or Loverock Davidson, all of which repeat this endlessly despite apparently never having seen, touched, or used a Chromebook?

>Oh, MS doesn't have a monopoly on ARM. They were found to have a
>monopoly on x86 desktops and laptops. So you're wrong there too.

The chipset is irrelevant. They have a monopoly in desktop operating systems. This is like claiming that when the finding was made PCs were mostly running Intel chips, so they don't have a monopoly on AMD.

>And they have mandated that the option to disable secure boot MUST
>be available on the x86 platform.

Again, you folks must be working from a script. That's irrelevant to the issue at hand, which is forthcoming ARM laptops and tablets, particularly a new product class of ARM-based ultrabooks.

>So if you want your Lenovo tablet that you can load Linux on, go
>buy an x86 tablet.
>What's the big deal?

I'm reminded of the response of the writer of the Dragon Age game to a gamer who complained that the secondary characters in Dragon Age 2 no longer seemed all designed to appeal to straight male characters like Dragon Age 1, and asked for a "no homosexuality option" to get rid of the gay characters and strong female characters he didn't want to see:

quote:
If there is any doubt why [catering to a broad audience] might be met with hostility, it has to do with privilege. You can write it off as 'political correctness' if you wish, but the truth is that privilege always lies with the majority. They're so used to being catered to that they see the lack of catering as an imbalance. They don't see anything wrong with having things set up to suit them; what's everyone's fuss all about? That's the way it should be, and everyone else should be used to not getting what they want.... the person who says that the only way to please them is to restrict options for others is, if you ask me, the one who deserves it least.


Sorry, but I'm not going to roll over and declare that since I don't use the monopoly operating system I just can't have an ARM ultrabook because the monopoly operating system, rather than the hardware vendor, won't let me. You wouldn't settle for that for a moment and you should be ashamed demanding other people do so.

>Because the "cheap" platform doesn't give you the options the more
>expensive one does?

Because ARM platforms have an advantage in battery life and by extension weight, size, heat and noise.

>You're a self righteous idiot and that's about all I gathered from
>your numerous posts here.

I'll agree with the second part of that. You're experiencing cognitive dissonance and frustration because it would seem from your final line you're a ZDNet reader and suddenly you're encountering serious posters who are well-informed and actually challenge arguments rather than hurling insults like pro wrestlers. You try to repeat the same straw men and false information over and over but you finally lash out with insults when it doesn't work and your discomfort grows.

>And about as arrogant as they possibly come.

They say in Texas, "It ain't braggin' if you can really do it." The moment someone actually addresses the issue at hand without turning it into "But Sally ran with scissors too!" or otherwise engaging in strawmen and actually address the issue of the first laptops in history shipping that will be mandated by Microsoft to only be allowed to run Windows, I guess I'll be confident that I actually understand the issue more than other posters. Heck, many of those replying don't even appear to have read this article, much less the original ones and the source documents and the Red Hat and Linux Foundation white papers, before replying.

>I don't suppose your
>initials are SJVN are they?

Ah, the old ZDNet canard. I've asked ZDNet posters to demonstrate to me one instance where Mr. Vaughan-Nichols has "lied" or "shilled", and I've yet to hear one. That is of course opposed to merely being wrong, which certainly happens, especially with his periodically crowning browsers speed kings based on two outdated benchmarks. But I guess if you label someone "biased" you don't have to address any of their arguments.

