Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Microsoft Security Software Linux

How Microsoft Can Lock Linux Off Windows 8 PCs 899

Posted by Soulskill
from the if-only-penguins-were-secure-enough dept.
Julie188 writes "Windows 8 PCs will use the next-generation booting specification known as Unified Extensible Firmware Interface (UEFI). In fact, Windows 8 logo devices will be required to use the secure boot portion of the new spec. Secure UEFI is intended to thwart rootkit infections by using PKI authentication before allowing executables or drivers to be loaded onto the device. Problem is, unless the device manufacturer gives a key to the device owner, it can also be used to keep the PC's owner from wiping out the current OS and installing another option, such as Linux."
This discussion has been archived. No new comments can be posted.

How Microsoft Can Lock Linux Off Windows 8 PCs

Comments Filter:
  • by ge7 (2194648) on Wednesday September 21, 2011 @07:12AM (#37466354)
    So it isn't really Microsoft that can lock you out, it's device manufacturer. Likewise they could lock you out of Windows if Linux was the OS that came with computer. Why don't we see a headline like "How Linux Can Lock Windows Off PCs"? Oh right, this is slashdot. We're here to bash Microsoft.

    Boot rootkits are a real problem. Microsoft is improving security here. In fact, Linux has had the capability to use (U)EFI for years. Now Microsoft is just making it default in their system, because quite frankly most people aren't that intelligent with computers and the OS needs to decide some security for them. It's funny how in other news Microsoft gets bashed for bad security, and then in other news they get bashed for implementing those security features.

    If you don't get the key when buying your computer, complain to your manufacturer. It's their fault. I don't know why you're buying a computer with Windows to begin with if you're going to install Linux anyway, you're just throwing away money. And nowadays there's lots of computers available without Windows, or you can just build it yourself.
    • by GameboyRMH (1153867) <gameboyrmh AT gmail DOT com> on Wednesday September 21, 2011 @07:15AM (#37466394) Journal

      And why would a device manufacturer lock the device to a particular OS? Maybe for the same reason they could be coaxed to only sell the device with a particular OS?

      You're absolutely right, if you completely ignore history.

      • by FictionPimp (712802) on Wednesday September 21, 2011 @07:35AM (#37466588) Homepage

        They don't have to be coaxed, it's in their best interests to lock it out from the purchaser. It's the same reason they lock you out of android phones. Installing your own OS is something they don't want you to do because they think it drives up support costs and makes their built in advertisements go away.

    • by kju (327) * on Wednesday September 21, 2011 @07:17AM (#37466402)

      In my opinion neither the title nor the article are overly sensational as claimed by you. While it is technically true that the device vendor does the lock out, this is nothing more than a smoke grenade tampering with the truth.

      The fact is that Microsoft will require the manufacturers to support this technology if they want to sell devices on which windows will run. Even more the fact is, that this means that they will have to include keys by Microsoft which will prevent the device from running unsigned code like Linux.

      And while it is still a rumor it can probably be taken as a fact that disabling this feature (if made possible by the manufacturers) will likely cause Windows to not start because this is what malicious software would do as well and allowing this would circumvent the security improvement.

      So cut the crap. Yes, it will be the device manufacturers who will effectively bring this restriction into life. But it will be Microsoft who forces them to do so.

      • Can you imagine having to change the uefi setup every time you switch OS?

        • Can you imagine having to change the uefi setup every time you switch OS?

          Yes, this inconvenience would be a good reason never to switch back to Windows... but do you really believe they will actually give you the option of switching this off?

          • by hot soldering iron (800102) on Wednesday September 21, 2011 @07:52AM (#37466776)

            I'll be in the market for a new laptop soon, and I've already decided to use a thin Linux server install with a VMware installation, and just run any desktop, Microsoft, or "other" OS as a VM. That way I'm not having to screw with dual booting. Yes, I will have a bit of constant system overhead, but I'll have some serious flexibility and system security. This is the same strategy used on servers, yes?

      • by QuantumRiff (120817) on Wednesday September 21, 2011 @07:59AM (#37466846)

        On the other side.. The SAME complaint was made 6 months ago (or is it a year now) about google's ChromeOS for notebooks doing the same exact thing..

    • by Aighearach (97333)

      Oh right, this is slashdot

      Get off my lawn!

    • by ArsenneLupin (766289) on Wednesday September 21, 2011 @07:21AM (#37466444)

      If you don't get the key when buying your computer, complain to your manufacturer. It's their fault. I don't know why you're buying a computer with Windows to begin with if you're going to install Linux anyway, you're just throwing away money.

      What about those people who buy Windows now, because they don't know any better, but then learn about Linux, and want to install it on their then old computer several years from now? This is not only a plausible scenario for installing Linux on a computer which had Windows initially, but it is also a scenario where complaining to the manufacturer won't help: he may no longer be in business by them, or not longer have the keys for obsolete machines.

      O, and another reason to buy a computer with Windows if you're going to install Linux anyways: maybe Microsoft is still so good at bribing most manufacturers that it is difficult to find computers of the desired spec without Windows.

    • by msauve (701917)
      Really? That's your complaint? You don't know that the vast majority of PCs currently being shipped, and expected to be shipped in at least the foreseeable future will come with Windows, and set up to MS guidelines? When the roles are reversed, and Linux is the majority player, driving how manufacturers configure their hardware (yea, right!), then you can complain that Windows is getting picked on.
    • by Kjella (173770) on Wednesday September 21, 2011 @07:24AM (#37466478) Homepage

      I don't know why you're buying a computer with Windows to begin with if you're going to install Linux anyway,

      Even if we ignore the new Linux installs, how about re-purposing an old PC, second hand PCs, corporate computers that are sold off for cheap, huge blocker for people wanting to migrate/test Linux and so on. Laptops pretty much all come with the OS preinstalled and the desktop market is dominated by OEMs. The volume of "virgin" hardware that's never been touched by Windows is just a few percent of the market (excluding Macs, but Apple might decide to do the same).

    • by zakkie (170306)

      Some devices just cannot be bought without MS Windows installed on them. I could not source a new laptop without it, for instance.

    • It's only "sensationalist" in the theoretical imaginary world where you focus purely on what the 'secure boot' sections of UEFI are capable of, and not at all on how the market can be expected to shake out...

      Purely architecturally, the cryptographic mechanisms are vendor-agnostic. They could as easily be used to enforce the tyrannical rise of a BeOS monoculture! Except, of course, that there is zero likelihood of that ever happening....

      In practice, it can reasonably be expected that OEMs will adopt th
    • by Attila Dimedici (1036002) on Wednesday September 21, 2011 @07:37AM (#37466612)

      I don't know why you're buying a computer with Windows to begin with if you're going to install Linux anyway, you're just throwing away money.

      Maybe because many manufacturers actually sell PCs with Windows installed for less than they sell PCs with Linux (or no OS).

      • by tepples (727027)

        There are two reasons for that. One is that hardware compatible with Linux might cost more. Case in point: In the dial-up era, winmodems were cheaper than modems with the full controller and DSP onboard. This was because they were glorified sound cards, and all the modem work was done by a driver specific to one operating system. A PC with a full hardware modem would cost more than a PC with a winmodem. Winmodem makers released a few drivers for specific Linux kernels, but there wasn't enough demand to get

      • by Xacid (560407)

        Ok, so I was starting to write a rant disagreeing with you and pointing out some links so where I've seen Dell offer a Linux machine for cheaper...then I proved myself wrong. They give you the choice of two computers with lame specs for maybe 50 bucks cheaper than their Windows counterpart. WTF.

    • MS is thinking of REQUERING any device maker that wants to use the windows logo on their product to secure the boot process so no other system can interfere with it, it is MS making these demands, not the device makers. No device maker cares about what you do with their product but MS cares about people installing another OS on hardware.

      And if you think everyone who runs their own software can afford to buy a key from a registar, you are just a dumb fuck Windows user trading security for freedom.

    • by andydread (758754) on Wednesday September 21, 2011 @08:17AM (#37467138)
      Because if you RTFA you see that Microsoft is mandating that all manufacturers do this. They mandated this. They know exactly what they are doing
      • by spongman (182339) on Wednesday September 21, 2011 @12:29PM (#37470312)

        Because if you RTFA

        RTFA, indeed:

        "Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled"

        there's nothing in there about "all manufacturers". it's a logo requirement, nothing more. windows 8 will run fine on my homebrew PC and i'll still be able to dual-boot debian.

    • The solution, if Microsoft wants to be the non-Evil (if not actually "good") guys, would be to require UEFI secure boot AND require that the key be furnished to end users for logo compliance. If they're worried about social engineering, they can put it someplace where it won't stop anyone who's likely to care about Linux, but be a substantial barrier to clueless end users who'd be a danger to themselves and others if they had it. Say, a sticker on the motherboard (or, for laptops and factory-built PCs, unde

  • Caveat Emptor (Score:2, Informative)

    Buyer Beware.
    • by Chrisq (894406)

      Buyer Beware.

      Seriously we moved passed "Caveat Emptor" centuries ago. Hence rulings on product safety, reasonable quality, being as described and not facilitating uncompetitive practices.

    • Re:Caveat Emptor (Score:5, Insightful)

      by Errol backfiring (1280012) on Wednesday September 21, 2011 @07:41AM (#37466666) Journal
      I'm aware. Does that mean I will have a choice then?
      • by gfxguy (98788)

        Yes, you'll have the choice to stay in the technological stone age.

        Actually, the way I see it, if you build your own, you will certainly have a choice; how can someone selling you a motherboard not give you the "key" to install whatever OS you want?

        It's companies like DELL I would be worried about - I'm sure they'd be happy as clams to lock you into the OS they put on the computer when they sold it to you.

        In the words of the Farnsworths:

        Prof. Farnsworth: Oh God! I clicked without reading!
        Cubert: And I sli

  • by Haven (34895)

    I'm sure that's really going to stop linux nerds from doing what they do... which is installing linux on anything and everything.

    This will be cured by a boot disk, ala iBoot.

    • Re:(*_*) (Score:5, Informative)

      by chill (34294) on Wednesday September 21, 2011 @07:19AM (#37466412) Journal

      Trusted Boot prevents the use of alternative boot disks. It is controlled from chips soldered onto the motherboard and PKI keys.

      No key, no boot. Replacing drives or using external drives does not help. There is no "BIOS Reset" option and you can't short jumpers to clear it.

      Google uses it on the CR-48 Chromebooks, but also includes a little switch under the battery to turn it off. With it turned on, the system boots only Google-signed images and nothing else. Period.

      • Re:(*_*) (Score:5, Interesting)

        by Lehk228 (705449) on Wednesday September 21, 2011 @07:47AM (#37466718) Journal
        If trusted boot is used to deny people's right to hardware they lawfully purchased I expect to see attacks of both technical and legal natures succeeding against trusted boot.

        it's not a bad idea in general as long as the owner of the device holds the key.
    • But will it boot at all from removable disks?

      Chances are, if they "secured" hard disk boot in such a way, they made booting from removable media impossible as well...

      • But will it boot at all from removable disks?

        Chances are, if they "secured" hard disk boot in such a way, they made booting from removable media impossible as well...

        but will it blend - sorry I had to do that..

    • by CastrTroy (595695)
      Exactly. We aren't supposed to boot other software on the Wii, XBox360, or Playstation. That doesn't stop us from doing it. In fact, they go through great lengths to ensure it doesn't happen, and it still does. Also, who cares if you can't boot Linux on a "Windows PC" with $25 ARM machines like Raspberry Pi coming out, I don't think we'll have much of a need to using the blessed Windows Logo machines for too long. Something majorly unexpected would have to happen for somebody to not be able to build thei
  • by gweihir (88907) on Wednesday September 21, 2011 @07:19AM (#37466420)

    Because it is anti-competitive. Unless the device manufacturers want their PCs and mainboards to be barred from being sold in the EU, they better find a way to make Linux installation possible.

    • by MichaelSmith (789609) on Wednesday September 21, 2011 @07:31AM (#37466550) Homepage Journal

      Are iPads legal in the EU?

      • by itsdapead (734413) on Wednesday September 21, 2011 @08:10AM (#37467020)

        Are iPads legal in the EU?

        If you think they should be, make your case to the EU. You never know. The existing rulings against Microsoft were made because companies complained. The way Apple is going, with a chance of achieving a monopoly in the tablet market, I suspect they'll cross swords with the EU at some point.

        However, the issue here is not whether Microsoft should be able to market their own-brand locked down tablet - its the hypothetical idea that MS could use its leverage with OEMs (i.e. the cost of MS software licenses, and other incentive schemes) to encourage them all to lock out non-MS operating systems. Hypothetical, but a plausible extrapolation from their past practices...

        But do not fret, you can still install whatever OS you like on an Apple Mac.

  • DejaVu (Score:4, Informative)

    by pmontra (738736) on Wednesday September 21, 2011 @07:21AM (#37466450) Homepage

    From one [lwn.net] of TFAs

    While it would be possible for various [Linux] distributions to get their keys added, that wouldn't help anyone who wanted to run a tweaked version of the "approved" bootloader or kernel. Distributors would not be able to release their private keys to allow folks to sign their own binaries either. Each key is just as valid as any other, so malware authors would just pick up those keys to sign their wares. Exposed keys would also find their way onto the forbidden list rather quickly one suspects.

    This reminds me of the way keys are used to protect DVDs and we all remember what happened.

  • by reiisi (1211052) on Wednesday September 21, 2011 @07:23AM (#37466464) Homepage

    Ten years ago, "Trusted Computing", or whatever it was, was sort of news. And it was not unexpected back then either.

    But PKI isn't going to be enough, really. They're going to have to find some people to make examples of and sic the lawyers on 'em.

    Of course, real security, in the form of a physical switch, is too simple, and too easy for the owner to, well, switch.

    Wow the masses, cow the masses.

  • Sorry I can't find any references but I remember a few years ago the RIAA said they wanted something like this. They used their usual dishonest wording and said something like "equipment should not allow the installation of any systems that allow the circumvention of DRM".
  • by Targon (17348) on Wednesday September 21, 2011 @07:24AM (#37466484)

    ...to enable or disable this. If you buy a name brand machine, then yes, you might expect it to be locked down, so if that is the case, then the Linux crowd will simply stick to machines they build themselves, or have built for them that are not locked down. Simple solution really.

    • market penetration (Score:5, Interesting)

      by wfstanle (1188751) on Wednesday September 21, 2011 @09:36AM (#37468234)

      Stopping dual boot or changing the OS by users would stop the market penetration by Linux. Maybe the knowledgeable Linux crowd might build their own computers but this is beyond the capacity of probably 99% of computer users. Market penetration by a competing OS would be stopped cold which is what MS wants. They want to stop the downward slide of Windows. Yes, Linux has a very small share of the OS market, but what about some new and different OS that is developed in the future. This would stop them from even starting. It's not just about Linux.

    • by Catbeller (118204) on Wednesday September 21, 2011 @09:40AM (#37468300) Homepage

      I must say you are not getting the way of the future here. There won't be any machines you can build yourself. The best and newest mobos will not support anything but Windows. You've been outmaneuvered - they've been working on this for over ten years.

      Just as you can't shut off GPS tracking on your phone, or the mic for that matter, you will not be able to bypass the switch on the mobo. Try to deactivate it, and the encrypted embedded software will prevent the board from booting, period.

        And remember this: any encryption on that subsystem will enable Microsoft to invoke the Digital Millenium Copyright Act against anyone who "breaks" the encryption. You might have rights to mod the hardware, but you have *no* right to break the DMCA and decrypt the bootup blocking software. This is a trap sixteen years in the making. Welcome to the future we warned you about.

  • Ten years ago this might have been a viable threat to Linux. Today, however, Linux is worth too much money to too many people for this to be used to wipe it out. At worst, it will mean that cheap hardware will be locked down.

    • Re:Only an annoyance (Score:4, Informative)

      by Microlith (54737) on Wednesday September 21, 2011 @09:34AM (#37468212)

      Yes, cheap hardware will be locked down and your only options will be $5K-$10K workstations and servers.

      That's exactly what they want: to push open computing outside the affordable range and outside the reach of most people. Thus they can keep people trapped in the Windows monopoly.

  • by Netshroud (1856624) on Wednesday September 21, 2011 @07:37AM (#37466604)
    Microsoft said they're trying to figure out how to allow users to dual-boot. In the //build/ video discussing the new Windows 8 boot process, the presenter said they were trying to figure out how to keep boot secure but still allow users to boot into Windows 7, since Windows 7 doesn't support this. And if it works for Windows 7, it'll probably work for Linux.
    • by Locutus (9039)
      yes they are. it'll go like this; 'ok, we now have Windows 7 booting so how do we stop them from booting Linux'. Have you not read any of the court released emails of how Microsoft operates to keep their market position?

      LoB
  • MS wants to take advantage of UEFI, which has obvious benefits. Chromebooks work the same way, but we don't read any heated /. articles about it because Google is charmed and MS is "evil".

    It is up to the device manufacturers to figure out a way to let the end-user ultimately take control of their own PCs. They could do that Chromebooks style -- a hardware switch -- or by distributing the key in a secure manner, such as mailing it to the owner's registered home address. Consumers who care about this issue should look for this feature in whatever device they purchase. What's all the fuss?

  • by wertigon (1204486) on Wednesday September 21, 2011 @07:40AM (#37466650)

    Windows will be very hard to pirate properly now.

    Why is this great news?

    Because now people who can't pirate will switch to Linux instead! :D

  • White Box Makers (Score:4, Insightful)

    by Ngarrang (1023425) on Wednesday September 21, 2011 @07:48AM (#37466734) Journal

    I fail to see how this new tech will become a problem. The hardware makers want to sell hardware. Given their already thin margins, it would be stupid of them to agree to limit their boards to any one particular OS.

    That said, maybe Dell might try that in the name of security, but that is an end-product seller decision. There will always OTHER makers. You can buy new motherboards from the likes of Intel and Asus, build your own systems.

    IF this conspiracy theory did come true, the number of lawsuits and investigations into unfair business practices would drown a the targeted company into oblivion. I guess that is one benefit to be such a litigious country now.

    • by itsdapead (734413)

      I fail to see how this new tech will become a problem. The hardware makers want to sell hardware. Given their already thin margins, it would be stupid of them to agree to limit their boards to any one particular OS.

      ...of course, those thin margins make any sort of branding/incentive scheme (a better deal on software licenses, a kickback for qualifying for and displaying some sort of "Works with Gizmos" badge...) awfully attractive. Fortunately, our tech firms are ethical and law abiding and would never resort to [wikipedia.org] using such schemes [wikipedia.org] to obtain an anti-competetive advantage.

      So that's all right then.

  • Pardon me as I ramble.

    As a guy in the phone support trenches for a certain OEM, I just have trouble seeing this work well for everyone.
    I see often enough that businesses will buy a brand new machine with Windows 7 pre-installed, then blow away the OS load to immediately try to install Windows XP.

    I have a hard enough time trying to teach these people that they NEED to include the Intel RST driver bundle in their image so that they stop getting STOP: 0x7B on their attempt to install or boot.
    I have a hard enough time trying to teach these people that they need to make sure their image is aligned on the new Advanced Format hard drives that are going in some of the smaller form factor machines (usually it's a 2.5" drive), since they want to install XP on the damn thing, then complain a week later that the machine is very slow and almost unusable.

    I don't speak to customers too often that aren't running some flavor of Windows, but the few I do run into seem happy when they get someone who understands the issue they've got, and will help them despite this OEM's general policy of not assisting with an OS that the OEM did not ship. These calls are usually large corporations that run Red Hat or SUSE or something else in their corporate environment, and prefer to pay for hardware support from the OEM I work for, just so they can have coverage for all of their users in nearly any country they visit.

    Keeping that last bit in mind: An OEM that implements a lockout 'feature' that prevents an operating system other than Windows 8 from being installed had better have a backup plan that keeps businesses happy, or else they've just committed suicide. It's business sales, more so than consumer sales that keep OEMs going, because businesses buy big damn contracts. Piss off the big damn contracts, and you piss off your paycheck.

  • help me... (Score:4, Interesting)

    by Charliemopps (1157495) on Wednesday September 21, 2011 @08:08AM (#37466976)
    Help me understand... all this does is provide keys and such... does it actually prevent anything from happening? My understanding of the tech is that it simply provides keys that allow the OS to know that it was booted cleanly and from the secure environment and also allows it to tell if the devices it's connecting to are really the devices they say they are and not rogue DLLs. Even if this system is in place, what's to stop Linux (or any other OS) from booting on the device and just ignoring the keys? Does the system itself actually prevent startup?
    • by Microlith (54737)

      It's a chain of trust.

      A unrewriteable loader checks the UEFI image, confirms it is unmodified. Starts UEFI.
      UEFI checks the bootloader, confirms it is unmodified. Starts the bootloader.
      Bootloader checks the kernel and system files, confirms they are unmodified. Starts the kernel.
      Kernel boot process confirms an integrity checker is unmodified, which then scans the entire OS to ensure the state of the system and all drivers.

      If at any point it fails, it either attempts recovery (overwriting files with a failed

  • by transami (202700) on Wednesday September 21, 2011 @08:24AM (#37467252) Homepage

    This is getting ridiculous. First the game consoles are locked down, then the phones, then the tablets and not they are ready to lock down the PCs too. How long did it take open source (Linux) to make headway? It never would have happened if this was in place.

    I say, if this goes down, then a big "open sit-in" at Redmond is in order. It would be great, like a OSS conference/protest all wrapped into one. And it would send a a nice message to the rest of industry too!

  • by voss (52565) on Wednesday September 21, 2011 @09:56AM (#37468502)

    Dont buy any computer with a Windows 8 logo.

    Its not just linux that is blocked its also unsigned versions of windows.
    Who makes all the generic motherboards we use?...China.
    Who pirates software more than anyone else?...China

    Do you honestly think the Chinese mobo makers are gonna make motherboards that wont run windows 7 (or pirated Windows 8)
    No microsoft cant block their import... "No sir, these motherboards are made for running linux...not pirated windows!!!"
    remember this term "Substantial non-infringing uses"

  • Virtualbox? (Score:3, Funny)

    by mynis01 (2448882) on Wednesday September 21, 2011 @07:29PM (#37474724)
    Now I'll have to virtualize Windows inside of Linux when I feel like running it....Oh wait, I all ready do that.
  • by mgiuca (1040724) on Wednesday September 21, 2011 @08:53PM (#37475352)

    Seriously, every time he opens his mouth he sounds like a conspiracy nut but he is so fucking on the ball that almost everything he says eventually comes true. His 1997 article The Right to Read [gnu.org] may have seemed ridiculous fourteen years ago, but reading it now it seems masterfully prophetic:

    Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

If a 6600 used paper tape instead of core memory, it would use up tape at about 30 miles/second. -- Grishman, Assembly Language Programming

Working...