
How Microsoft Can Lock Linux Off Windows 8 PCs

Posted by Soulskill
from the if-only-penguins-were-secure-enough dept.
Julie188 writes "Windows 8 PCs will use the next-generation booting specification known as Unified Extensible Firmware Interface (UEFI). In fact, Windows 8 logo devices will be required to use the secure boot portion of the new spec. Secure UEFI is intended to thwart rootkit infections by using PKI authentication before allowing executables or drivers to be loaded onto the device. Problem is, unless the device manufacturer gives a key to the device owner, it can also be used to keep the PC's owner from wiping out the current OS and installing another option, such as Linux."

  • Caveat Emptor (Score:2, Informative)

    by theshowmecanuck (703852) on Wednesday September 21, 2011 @08:15AM (#37466396) Journal
    Buyer Beware.
  • Re:(*_*) (Score:5, Informative)

    by chill (34294) on Wednesday September 21, 2011 @08:19AM (#37466412) Journal

    Trusted Boot prevents the use of alternative boot disks. It is controlled from chips soldered onto the motherboard and PKI keys.

    No key, no boot. Replacing drives or using external drives does not help. There is no "BIOS Reset" option and you can't short jumpers to clear it.

    Google uses it on the CR-48 Chromebooks, but also includes a little switch under the battery to turn it off. With it turned on, the system boots only Google-signed images and nothing else. Period.

  • DejaVu (Score:4, Informative)

    by pmontra (738736) on Wednesday September 21, 2011 @08:21AM (#37466450) Homepage

    From one [lwn.net] of TFAs

    While it would be possible for various [Linux] distributions to get their keys added, that wouldn't help anyone who wanted to run a tweaked version of the "approved" bootloader or kernel. Distributors would not be able to release their private keys to allow folks to sign their own binaries either. Each key is just as valid as any other, so malware authors would just pick up those keys to sign their wares. Exposed keys would also find their way onto the forbidden list rather quickly one suspects.

    This reminds me of the way keys are used to protect DVDs and we all remember what happened.

  • by Netshroud (1856624) on Wednesday September 21, 2011 @08:37AM (#37466604)
    Microsoft said they're trying to figure out how to allow users to dual-boot. In the //build/ video discussing the new Windows 8 boot process, the presenter said they were trying to figure out how to keep boot secure but still allow users to boot into Windows 7, since Windows 7 doesn't support this. And if it works for Windows 7, it'll probably work for Linux.
  • MS wants to take advantage of UEFI, which has obvious benefits. Chromebooks work the same way, but we don't read any heated /. articles about it because Google is charmed and MS is "evil".

    It is up to the device manufacturers to figure out a way to let the end-user ultimately take control of their own PCs. They could do that Chromebooks style -- a hardware switch -- or by distributing the key in a secure manner, such as mailing it to the owner's registered home address. Consumers who care about this issue should look for this feature in whatever device they purchase. What's all the fuss?

  • by Anonymous Coward on Wednesday September 21, 2011 @08:40AM (#37466656)

    Maybe you're just ignorant. I've asked three computer stores in my area, and they all say that they are contractually obligated to install Windows on every PC they sell. I asked if I could buy one with no OS, or with another OS installed, and they said their Microsoft contract forbids it. That was this year, not 15 years ago.

  • by tepples (727027) <`tepples' `at' `gmail.com'> on Wednesday September 21, 2011 @08:57AM (#37466820) Homepage Journal

    Then they get a device that doesn't require it. It's an OPTIONAL security addition

    The article I read claimed that Microsoft might require this lockdown on all machines preloaded with Windows 8. The Network World article cites a Microsoft presentation with a slide stating that UEFI Secure Boot will be "Required for Windows 8 client".

  • by rossdee (243626) on Wednesday September 21, 2011 @08:58AM (#37466826)

    Maybe you should buy online. There are places that sell barebones systems with no OS. TigerDirect is one.

    And if the place you are buying from is not in your state, you can avoid the sales tax as well as the Microsoft tax.

    And you save a trip to the vets^Wstore too, they are delivered free right to your door.

  • by gfolkert (41005) <greg@gregfolkert.net> on Wednesday September 21, 2011 @09:00AM (#37466858) Homepage

    Stop complaining. Vote with your feet, and take your business elsewhere.

    Where? All the Big Box electronics stores where the average consumer buys things are all this way. Oh you mean the specialty shops only available on the Internet... Oh you mean Dell. Ohhh... right, try and find it on a powerful machine or laptop... Oh back to those Specialty shops on the Internet. Oh, Lenovo... try and order it from the website. Oh back to those Specialty shops on the Internet. Dude, you are batting pretty badly.

  • by billcopc (196330) <vrillco@yahoo.com> on Wednesday September 21, 2011 @09:14AM (#37467096) Homepage

    Disclaimer: I'm in the PC retail business.

    There are no "Microsoft contracts" up here in Canada, certainly not with the individual shops as that would be a logistical nightmare to administer, even for MS. What does happen is skeevy shop owners like to sell an overpriced OS with every PC, because it's often the only profitable part of the deal on low-end machines. They make up these ominous sounding "contractual obligations", to which the alternative is to buy the PC unassembled with only a 30-day (in-store) warranty rather than the usual 1-to-3 year deal. A lot of customers don't know any better, so they fork over an extra $150-200 for an OEM license of W7HP.

    With the big-box brands it's a bit different, because they love the preloading business. They still get paid to put bloatware on your machine - McAfee and MS Office trials - and of course they get a deep "volume" discount on the OS itself. There's still nothing that can legally force them to shove an OS down your throat, but since they don't list a price for an OEM license of the OS, nor many of the core components in the machine, they can argue that it's included in the base price, so there is no point in asking them to remove it since it's "free". They really could sell you a machine without Windows if they so wanted, and for larger corporate purchases you can specify that (or provide your own ghost image), but for the consumer stuff they would much rather sell you a preloaded PC that's ready for the average casual user. Just the support calls alone, from clueless users who bought a naked machine and don't know what to do with it, would be a PR nightmare and a huge cost sink. I've lost count of the times people bought naked machines from me, claiming they didn't need an OS, then returned a day later to buy the damn disc.

    Think back a few years, when Dell briefly offered Linux-ready PCs. They cost more than the Windows-loaded versions of the same machines. Now you can run up and down with your conspiracy theories about MS bribes and whatnot, but the reality is that charging a little bit more for the Linux-ready variant ensured that the average Joe Random would buy the cheaper Windows one, even if the difference was only $30 or so, it's sufficient. This, in turn, probably saved them countless frustrating support calls from irate morons. Then a bit later they started preloading Ubuntu on there, to at least have the machine boot to an internet-ready OS.

  • by andydread (758754) on Wednesday September 21, 2011 @09:17AM (#37467138)
    Because if you RTFA you see that Microsoft is mandating that all manufacturers do this. They mandated this. They know exactly what they are doing.
  • Re:Only an annoyance (Score:4, Informative)

    by Microlith (54737) on Wednesday September 21, 2011 @10:34AM (#37468212)

    Yes, cheap hardware will be locked down and your only options will be $5K-$10K workstations and servers.

    That's exactly what they want: to push open computing outside the affordable range and outside the reach of most people. Thus they can keep people trapped in the Windows monopoly.

  • by sirwired (27582) on Wednesday September 21, 2011 @03:18PM (#37471500)

    Yes, IBM's enterprise machines, up until recently, let you run no alternative OS. But the IBM PC has been open from day one. You've always been allowed to run alternate OS'es on your PC. You thought Microsoft "let" you run alternate OS'es? They did not then, and do not now, own the PC HW architecture. It was IBM's openness that let you do this, not Microsoft's.

    (IBM did try to keep some of the particulars of the BIOS secret to prevent PC clones, but it was swiftly reverse-engineered and IBM did not stop it, despite the long-demonstrated ability to have their lawyers crush the opposition.)
