
Anti-Android crackdown would make Apple proud

Microsoft Corp.'s (MSFT) UEFI Secure Boot technology -- the long-awaited BIOS replacement -- has some people concerned due to its digital rights management features, which can be used by OEMs to prevent dual-booting to other operating systems like Linux.

Microsoft Windows President Steven Sinofsky sought to assuage disgruntled Windows users, writing:

There have been some comments about how Microsoft implemented secure boot and unfortunately these seemed to synthesize scenarios that are not the case so we are going to use this post as a chance to further describe how UEFI enables secure boot and the options available to PC manufacturers. The most important thing to understand is that we are introducing capabilities that provide a no-compromise approach to security to customers that seek this out while at the same time full and complete control over the PC continues to be available. Tony Mangefeste on our Ecosystem team authored this post. --Steven

Quick summary

UEFI allows firmware to implement a security policy

Secure boot is a UEFI protocol not a Windows 8 feature

UEFI secure boot is part of Windows 8 secured boot architecture

Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure

Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components

OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform

Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows.

In other words, Microsoft isn't forcing laptop and desktop makers to ban Linux, though it's giving them the tools to do so.

That statement rebuked the previous claims of a Red Hat, Inc. (RHT) Linux engineer, who posted:

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.


Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.

Or does it?

Computer World's UK correspondent Glyn Moody dug up this interesting tidbit in Microsoft's ARM license.  Writes Microsoft in "Windows Hardware Certification Requirements" for client and server systems, a document that regulates licensing (certification) (pg. 116):

MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

In other words, dual-booting Linux on a standard x86 desktop should be no issue. But if you were hoping to dual-boot Android and Windows kernels on a Windows 8 tablet (which will likely have an ARM CPU) or on certain notebooks with ARM chips, think again. Microsoft could soften its stance and/or users could find a way to break its DRM protections -- but there's no guarantee of either outcome.

ARM on Windows 8 -- don't you dare dual boot. [© DailyTech/Jason Mick]

In this regard Microsoft is very much "following in Apple, Inc.'s (AAPL) line". Apple has long prevented dual booting to Linux or the installation of OS X on non-Apple computers. Apple does allow Windows installation via Boot Camp, but only via a special understanding with Microsoft, which cross-licenses patents with Apple.

Windows 8 was a star of the show at the 2012 Consumer Electronics Show and is expected to land in tablets and PCs this fall.

Sources: MSDN [1], [2], Red Hat, Computer World UK


Did I get it right?
By Aries1470 on 1/20/2012 9:22:08 AM , Rating: 2
So let's see if I got it right:
This is about LAPTOPS (Netbooks & Net-tops) NOT Phones or 'Tablets' per se.

What is happening:

* MS allows x86 platform machines for the end user to be able to install ANY OS ON THEM, as is the norm today with your desktop, laptop, whatever you have, even Mac Intels.


This is what it is all about.

Do NOT MIX UP EcoSystems!

I can buy today a LAPTOP, or Net-Top, and I can install the OS of MY OWN CHOICE (except legally (cr)APPLE OSX) on a x86 device. This includes all AMD, Intel & VIA CPU's.

I will have this choice taken AWAY FROM ME if I want to buy an ARM LAPTOP/NETBOOK/NET-TOP/ULTRABOOK or any other similar (enter future name here)device or even a MOTHERBOARD with an ARM processor, and the OEM will be FORCED to do this if they want it to work with WIN8!

So, where is my freedom of choice again?
Is it NOT a STRONG-ARM tactic by M$?

AGAIN, we are NOT TALKING ABOUT SmartPHONES! or even Tablets.

Ok, I hope this has cleared up, in a concise manner this subject!

Also note, that the x86 will be going through battery juice much more quickly than an equivalent specc'd ARM device.

So in short, on an x86 machine, I can put what OS I want, on an ARM, I will not be allowed to put an OS of MY CHOICE, or even dual boot. On ARM, there is a full desktop OS, that is Linux based, and can also use Android or WebOS but I will not be able to dual or triple or even format and install what I want, if I so desire.

RE: Did I get it right?
By Aries1470 on 1/20/2012 9:40:14 AM , Rating: 2
...and the OEM will be FORCED to do this if they want it to work with WIN8!

That should read:
...and the OEM will be FORCED to do this if they want it to sell their product with WIN8 installed!

Nearly all PC's come pre-installed today with MS, but they are all x86. So if you want an alternative, in this case an ARM CPU (SoC), the option of installing an alternate OS is taken away.

RE: Did I get it right?
By Labotomizer on 1/20/2012 12:47:07 PM , Rating: 2
So you don't have a choice to buy ARM or x86? Is someone forcing you to buy an ARM tablet? No? Then what the F is your problem?

And again, since your reading comprehension is clearly flawed, this is for Windows 8 certification. So this would affect Tier 1 OEMs. I know there are many places you can buy systems that aren't certified for Windows 7 but it runs just fine.

No one is taking away choice because you always have the choice of buying something else. If you CHOOSE to buy an ARM device then you go into knowing these restrictions. So make another choice. But that's probably difficult for you to grasp.

RE: Did I get it right?
By alcalde on 1/22/2012 7:16:24 PM , Rating: 2
>So you don't have a choice to buy ARM or x86? Is someone forcing
>you to buy an ARM tablet? No? Then what the F is your problem?

He does have a choice to buy ARM or x86... and he made it. ARM. But he's not going to be allowed to. What the F is your problem with people being able to run what they want on their own laptops?

>And again, since your reading comprehension is clearly flawed,
>this is for Windows 8 certification. So this would affect Tier 1

You love insulting people like that, don't you? Is your own personal identity tied up in the existence of Windows 8 on laptops or what?

> I know there are many places you can buy systems that aren't
>certified for Windows 7 but it runs just fine.

Kindly name any legitimate vendor that is able to survive selling machines that aren't certified to run Windows. Are you talking about some cheap Chinese no-names being sold on eBay?

Those are not the companies working on ARM Ultrabooks. Qualcomm has named Toshiba and Lenovo as the companies that are seeking to introduce these.

>No one is taking away choice because you always have the choice of
>buying something else.

This is like the claim, "gay people have the same right as straight people to marry someone of the opposite gender, so what's the problem"? He doesn't have the choice of buying whatever ARM device he chooses and being able to run his OS of choice on it.

>If you CHOOSE to buy an ARM device then you go into knowing these
>restrictions. So make another choice.

Um... no. How about YOU buy a laptop with a locked bootloader with Linux on it and have to figure out how to crack the encryption to run Windows on it. No? Then kindly stop telling other people they have to put up with it.

"So make another choice" is the same as "we don't serve your color in here". In a capitalist system, a monopoly doesn't get to tell people they can't use the competition's devices. With that line you've just proven the anti-competitive nature of the action. Linux isn't welcome on ARM laptops courtesy of Microsoft (not the OEMs, who wouldn't care what you did with it so long as you bought one).

>But that's probably difficult for you to grasp.

Ignorant, self-possessed with privilege, and rude. You've hit the unholy trifecta.

