Microsoft Responds To Linux Concerns Over Windows 8 and UEFI Secure Boot 389
CSHARP123 writes "A few days ago, Red Hat employee Matthew Garrett speculated that OEM machines shipping with copies of Windows 8 may lock out support for Linux installations. Garrett highlighted Microsoft's new Secure Build OEM requirements for Windows 8 systems. Microsoft chose to directly respond to confusion surrounding Windows 8's use of the UEFI Secure Boot feature on Thursday. Tony Mangefeste of Microsoft's Ecosystem team said, 'Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.'"
Translation (Score:5, Insightful)
That is the only way I can see this playing out. What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?
Re: (Score:2)
Well, more like:
"Vendors should provide a simple and standard way that lets us get our OS on any PC out there. Others are welcome to come up with vendor-specific hacks or negotiate with every vendor out there as they wish. You see, we're a monopoly so they come to us and we tell them what to do, and good luck competing with that..."
Re:Translation (Score:5, Insightful)
No, the problem is:
BIOS vendors are complete idiots
"EFI" vendors are the same guys
It's a crapfest of proprietary extensions, NIH syndrome and a million ways to change monitor brightness. And of course it's only tested on the latest Windows version, well, because...
Of course, Intel is to blame with the whole ACPI mess and looseness. Typical engineer mentality a standard that standardizes nothing.
Really, Intel and AMD should join forces in this: Make 'to change monitor brightness write a value from 0 (darker) to 0xff (brighter) to register 0xABC PERIOD'. "but but but", "I SAID PERIOD".
Re:Translation (Score:5, Interesting)
NIH syndrome
NIH is the reason why UEFI exists at all. OpenFirmware already existed, had several independent implementation (including some open source ones), and was a free standard that anyone could implement. So Intel made a new 'standard' that is a crappy copy of OpenFirmware.
Re: (Score:2)
Exactly
This is a mixture of corporate greed and engineering mentality of NIH syndrome
And of course, vendors took ages to implement UEFI, MS took ages to boot from UEFI, etc, etc
Re: (Score:3)
Apple OEM install discs only install on hardware they came with [...]
Gotta love it when a non-trivial amount of engineering goes into making the product less useful. What if your disc breaks and your friend doesn't have the same model?
If they weren't total assholes the disc would work, but would bill the owner of that install serial number for another install unless they proved it was to replace broken media. But at best they'd still be inconveniencing you.
Restricted yet easy far more open than MSFTS stupid plan.
Meh. Not noticeably different really. Big stonewalling company, DRM, requiring permission to install, abusive EULAs, etc
Re:Translation (Score:5, Informative)
ACPI was not designed by Intel alone, Microsoft was also there. And let's remember what Microsoft tried to do [slated.org]:
From: Bill Gates
Sent: Sunday, January 24, 1999 8:41 AM
To: Jeff Westorinon; Ben Fathi
Cc: Carl Stork; Nathan Myhrvold; Eric Rudder
Subject: ACPI extensions
One thing I find myself wondering about is whether we shouldn't try and make the "ACPI" extensions somehow Windows specific.
It seems unfortunate if we do this work and get our partners to do the work and the result is that Linux works great without having to do the work.
Maybe there is no way to avoid this problem but it does bother me.
Maybe we could define the APIs so that they work well with NT and not the others even if they are open.
Or maybe we could patent something related to this.
Re: (Score:3, Insightful)
Entirely coincidentally, most of the really buggy ACPI implementations out there - the ones that cause the most headaches for Linux and other OSes - are generated by a Microsoft tool that's carefully crafted to generate code that breaks under other OSes. It's probably also a coincidence that Microsoft encourages vendors to use WMI, a way of extending ACPI which means that every single laptop in existence needs its own drivers for stuff like hotkeys, backlight control etc, and these drivers are for some odd
Re: (Score:3, Insightful)
Translation: "We're doing all the work, how do we prevent the freeloaders from benefitting ?"
Ah, the battlecry of the American People(see healthcare, welfare, etc).
Re:Translation (Score:5, Insightful)
...you mean the same way Microsoft benefited from the work of IBM and other software vendors? Gates and Microsoft understand the ecosystem which requires sharing. They were and still are interested in embracing that ecosystem and then locking everyone into their twist on what they take from it. This can be seen everywhere and in everything they do. The Java law suit against Microsoft is probably the best example of this behavior by Microsoft but there are hundreds of other great examples out there.
Saying "we did the work..." is bullshit. They give away LOTS of things and waste LOTS of money. Their little bit associated with ACPI is a speck of dust in a drop in the barrel. This isn't about their trying to keep their work to themselves, it's about keeping the rest of the world from being compatible.
Re:Translation (Score:5, Insightful)
Maybe one day you will realize that every field protects itself. Doctors and lawyers restrict their trade. Regulators and government employees have direct access to government cash.
Economists call this behavior "rent seeking" and it is considered inefficient and undesirable. The idea that Microsoft should not be criticized for engaging in it is highly misguided.
Re: (Score:3)
Re: (Score:3)
Sounds like a lotta fear-based drivel to me. The needs of the many far outweigh the needs of the few, son.
Thanks, Karl.
Re: (Score:2)
Re: (Score:3)
This appears to be strictly feature driven by UEFI, and Win 8 supports this secure 'feature'. This functionality was apparently in UEFI all the time but not supported in Windows. What this appears to saying is that your motherboard (or PC manufacturer as the case may be) will be able to decide just how locked down your EFI is in regards to 'allowed' boot loaders. Windows doesn't have much to do with it other than opting in to that additional security. I'm guessing this was done to try and avoid rootkits?
Fro
Re: (Score:3)
The article is saying that to sell Win 8 logo branded products manufactures will have to support this feature, but there will be an option for OEMs to add more certificates and a setting to turn it off.
Re: (Score:2)
Re:Translation (Score:4, Insightful)
The OEMs for the most part will make it a user option for a simple reason.
A lot of people when Windows 8 comes out will want to keep Windows 7. If they have an install disk and it doesn't work their will be hell to pay.
Right now the UEFI folks are all going to be putting in an option to turn it off. Intel will without a doubt have that option in all of their reference motherboards which is what a lot of the OEMs use.
ASUS will put in that option as well.
The problem will be when at some point in the future someone has an old crappy Ultra book made by Ikkkiianu and wants to put Linux on it because Windows 9 doesn't work well on it and Windows 8 is too insecure.
Re:Translation (Score:4, Insightful)
But only some. Today you can throw Linux on any old hardware, and do something useful with it. 5-10 years from now, you'll have to specifically hunt down unlocked hardware. This has a rather drastic effect on the utility of Linux, which is Microsoft's intention.
Re: (Score:2)
What OEM would not jump at the opportunity to control its users and force people to pay more to do something they have been able to do at no cost all these years?
Those who don't want to lose business to the ones who don't charge more?
Re: (Score:2)
Depends on the competition. PCs are very cheap already and the manufacturers have very low margins. Seems to be working OK.
Re: (Score:2, Flamebait)
Is that so? Practically all OEMs force a Windows license on you, and have done so since forever (1995), as that's more profitable for them. None of them cares whether you actually use it, and I see no reason why they should start now.
I say you're a shit translator.
Re: (Score:2)
http://www.computerland.nl/ [computerland.nl] has been selling machines without OS for years. They have a whole range of machines, just just 1 for the linux guys. They'll assume you pirate windows or install Linux. And they'll happily sell you windows if you ask for it. They also have shops in all parts of the Netherlands, so they are not just some small single location store.
Re:Translation (Score:5, Insightful)
I'm well aware of how to buy computers, thank you very much. I'm just pointing out that forcing people to pay for Windows isn't new, and has fuck all to do with control. betterunixthanunix's "translation" is just a bunch of hyperbolic nonsense based on the theory that Microsoft will always be more evil than Satan himself, despite whatever the people at Microsoft claim themselves.
Of course, since this is Slashdot, facts are flamebait and paranoid fantasies are insightful.
Re: (Score:3, Insightful)
You're an idiot to base any argument on what Microsoft SAYS they will do.
They only thing that is remotely relevant is what they have actually done.
Do they have that well established history of not being totally evil yet? Can you point to it as a counterexample to everyone else's paranoid?
If not then you really have nothing to add to this conversation.
Re: (Score:3)
There is a long, sordid, history of BIOSes being released that don't even work well enough to keep the spec sheet from b
Re: (Score:3)
Yeah but Microsoft is head cheerleader for Team DRM. This is a big part of the problem.
If the AACS cartel tells Gates to get on all fours and bark, he'll do it. Microsoft has gone there and done that already. They just might dictate draconian UEFI lockdown to keep special DRM stuff that they've already got and no one else does (BluRay, CableCard).
Re: (Score:3)
I saw it as "We're going to leave it up to the OEMs on what to do, just as we leave the choice of what OSes they sell up to them right now. They'll be completely free to choose whether to maintain exclusivity agreements with us which may require UEFI bootloader signing. See, it's not us, it's the OEMs. ^_^ "
Re: (Score:2)
Google's Chromebook devices use the exact same
Re: (Score:2, Insightful)
The technology is clearly intended to block adoption of Linux (and other operating systems), or they'd provide a way for the owner of a device to whitelist new operating systems. BIOS rootkits are a convenient excuse.
Re:Translation (Score:5, Insightful)
In all seriousness, here is another method of solving the problem, which would be just as effective at preventing rootkits from hiding in the bootloader: make the boot medium a flash device on the motherboard, and have a jumper that enables writes to that device. This would not rob users of control over their system (although it may force people to get over their fear of opening their computer's case and changing a jumper), and would be just as effective at stopping the overwhelming majority of rootkits.
The real motive here is the same as it ever was with the TPM: they want to market Windows as a "media platform" and their "media partners" do not like the idea of users being able to control their own computers -- they want to enforce restriction technologies. GNU/Linux is an operating system that its users control, and so these "media partners" do not want to see it installed on anyone's computer. Likewise, they do not want to see people modifying Windows in a way that circumvents DRM. They want computers to be like cell phones and cable TV boxes, herding the users in ways that are convenient for various copyright-based corporations.
That this will block certain classes of rootkits is entirely incidental, despite the heavy marketing.
Re: (Score:3)
In all seriousness, here is another method of solving the problem, which would be just as effective at preventing rootkits from hiding in the bootloader: make the boot medium a flash device on the motherboard, and have a jumper that enables writes to that device.
Heck, a $0.10 switch on the back of the case...
Re: (Score:3)
Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.
The reaction from slashdotters who want to run Linux might not be representative of their market.
Re:Translation (Score:4, Insightful)
Re:Translation (Score:5, Insightful)
Considering the reaction here; the OEMs that would do this would get so much bad PR, that a significant number of customers would flee to some other manufacturer.
Of course you're right.
That's exactly what has happened with mobile phones. (cough).
Re: (Score:3)
Re: (Score:3)
Useless response (Score:4, Insightful)
If the vendors don't provide a way to boot other systems its not our fault!
Re: (Score:2)
Agreed, little more than shifting blame to the OEMs.
They'll be free to maintain exclusivity agreements with MS which may require bootloader locking, or they can not sell any Windows PCs. If Klupendorf Computers in Switzerland is the last company on earth selling unlocked PCs at Alienware prices, well, tough luck, that's capitalism.
I warned you fucking Apple fanboys this would happen. Thanks a lot, douchebags.
Re: (Score:2)
It's a real shame too. Even if most higher end PCs add the "flexibility" to let linux boot no problem, I'd hate to be the kid that wants to experiment with his computer, but whose parent's didn't consider what BIOS came w/ it and whether it could boot Linux when they bought it. When I was a kid, my sound didn't work and my video card was barely supported, but at least I could boot and play around in Linux.
The PC walled garden is coming (Score:2)
Been saying it for a while now. People laugh.
Just keep laughing.
Re: (Score:2)
Yes it it is anticompetitive behavior and a slight modification of embrace extend extinguish. Microsoft decides what security is. They determine if you are secure. They determine if they are secure. They deny you boot access with every turn in order to ensure vendors do not put competing OSes into consumers hands, and make it hard or seem insecure if you turn it off. For example the vendors turn it off to install other OSes, That puts their os at risk and probably denies win8 boot -- no secure boot th
translation (Score:5, Insightful)
"Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."
Re: (Score:2)
"Microsoft will attempt to use our gorilla status to force OEMs to lock out non-Windows operating systems, but ultimately, it's their decision as to whether they want to make it possible for you to run what you want on their computer, or whether they want us to not bomb them into the stone age and build a parking lot on the smoking ruins of their company."
The open source community is no longer a fringe and it grows as the years go by. If the OEMs want to engage in this behavior, members of the open source community (and I include myself as I run OpenBSD) could always just do an end run around the problem. In fact, with coreboot, the open source BIOS, it already makes easier. Also, there is nothing stopping us from building our own PCs and just voting with our wallets.
Re: (Score:2)
Best translation yet.
Re: (Score:2)
Yeah buncha Chicken Littles. After all their talk of doom and gloom about locked-down mobile devices, you can still buy open phones and tablets today. Not like their crazy cyberpunk dystopia where only a few devices could even be hacked to allow an open OS to be installed.
Re: (Score:2)
In other words (Score:3)
if the computer's locked down, blame the OEM, not us.
Re: (Score:2)
I think the general problem is the concept that the organizations with the ability to lock (and unlock) the resources are not the end-users, but the manufacturers.
It's the old tradeoff between responsibility and freedom: if computer users want "security" in their systems but don't want to be responsible for achieving that security (and instead give that responsibility to the hardware and software OEMs) then those users must by necessity give up some freedoms.
I think the issue here is that moves like this do
Re: (Score:2)
What are you talking about?
A motherboard or uefi vendor can a have a system giving the user the full ability to control the feature (a hardware switch, the ability to install new keys, etc), or they can only install Microsoft's keys and lock the user out. So it really matters what the actual practice ends up being, and it isn't at all clear what is going to happen.
It doesn't seem that likely to me that the various hardware vendors will shoot themselves in the feet by locking to Microsoft here (Microsoft won
Re: (Score:3)
Please also ignore the fact that our contract with the OEM required them to lock down their systems.
Re: (Score:3)
Microsoft's Customers (Score:3)
Are Microsoft's customers the OEMs, or consumers. If the former, what incentives would OEMs have to pass the decision on to consumers?
Re: (Score:3)
This doesn't help much with cheap consumer systems, or all the various no-you-can't-just-build-one-from-newegg-parts tablets and laptops and other consumer gear; but it does largely ensure that "Enterprise" desktops, laptops, and servers will have some sort of keyfill mechanism, quite possibly offered at an additional cost...
Re: (Score:2)
Looks like I'm going to have to start my own hardware company. With blackjack, etc.
Microsoft addresses concerns... (Score:4, Insightful)
...by confirming them. Microsoft's customers, the OEMs, will be free to decide who imports keys and how. That's what everybody has been worrying about, isn't it?
I see what you did there... (Score:5, Insightful)
Nutshell summary after actually reading the TFA:
"You can launch any operating system you like, but if you want to benefit from UEFI secure boot protection, you can only launch Windows 8."
From their screenshots and commentary, there doesn't appear to be any opportunity to add a new "trusted" O/S images to their database. So even signing your secure Red Hat Enterprise Linux won't help you. If you want to use it, you need to turn the bootloader security checks off. The obvious implication, if you want MBR protection you must run Windows 8. Anything else opens the door.
Yup, Red Hat's take on the situation seems the most accurate.
Re: (Score:2)
I think the definition of "trusted" is being stretched here.
The only thing I trust about Windows is that it's going to somehow line Microsoft's wallet with good old-fashioned dollars, directly or indirectly.
They can't even say the name honestly. Windows 8? Hello? It's an earlier version than Windows 95? It's an upgrade to Windows 3.11? What the hell is wrong with "Windows NT version 6.3" ???
Re: (Score:3)
If you can update the list of certificates and signatures through Windows 8, doesn't that ruin the security of the secure boot?
If you can't be bothered to RTF... (Score:5, Informative)
Just take a look at this image [msdn.com].
That's all you need to know.
In Summation: There is a genuinely good reason for enabling secure boot (malware prevention - genuine malware prevention, not just some underhand tactic that's masquerading as malware protection) and as long as your OEM isn't a dick, you should be able to disable it much like how you can disable features in your BIOS today. The decision to remove that ability is down to the OEM, not Microsoft.
Re:If you can't be bothered to RTF... (Score:5, Interesting)
yes. Well put.
And I want secure TPM booting for my linux/GNU machines too.
I want a way to install my key, enabled by a physical key & mechanic switch to electrically enable to update operation to write my signing key.
Re: (Score:2)
Ask and ye shall receive! Diablo 3 doesn't require Steam!
Yes, just like BEOS (Score:3, Interesting)
Re: (Score:2)
And that's great, as long as every computer offers this option. The danger is that in the not too distant future, OEM's may start building computers that don't have that option. It may be attractive for them to build computers that are "locked" in the same way that many phones are locked. It is up to us in the free world to continue to raise a big stink to make sure that doesn't happen, at least not without a fight.
Re: (Score:3, Informative)
You know something? I completely, utterly and wholeheartedly agree with this.
What I'm trying to get at is that everyone is jumping on Microsoft for this, when really it has little to do with them (aside from mandating that UEFI secure boot be enabled by default). Microsoft could turn around tomorrow and say "no actually it's fine, we don't want secure boot by default" and the situation wouldn't be any different at all - OEMs could still enable it and remove the option to disable it.
Using your phone example
Re: (Score:3)
And they aren't mandating UEFI secure boot be enabled by default. They are only mandating it if you want to put a little sticker on the device that says "Designed for Windows 8".
If you are buying a PC because it has a little sticker on the device that says Windows 8, then you are almost guaranteed to be in the gr
Re:If you can't be bothered to RTF... (Score:4, Insightful)
If you are buying a PC because it has a little sticker on the device that says Windows 8, then you are almost guaranteed to be in the group that could care less whether it's enabled or not as you aren't going to be putting Linux, OpenBSD, etc on it.
How many motherboard and hardware manufacturers do you think there are who don't want to be able to put a 'Designed for Windows 8' sticker on the box?
When Microsoft says your hardware must lock out Linux to get that magic sticker, manufacturers will lock out Linux.
Re: (Score:3)
Why? Some of us have working memories.
Microsoft would love nothing more than to lock out other operating systems at the hardware level, and the bootloader is the critical first step. Why isn't 55% of the computing world using BeOS? Because MS controlled the bootloader via OEM contracts, possible only because of their monopoly position.
I believe the reason we will ha
Re: (Score:3)
1) Microsoft says Windows 8 will need secure boot to boot.
2) Microsoft says OEMs are responsible for allowing the end-user to enable or disable secure boot.
3) Microsoft, behind closed doors, tells numerous OEM vendors, "Yeah, you're welcome to offer hardware that allows the
Re: (Score:3)
Maybe you should only buy computers that allow you to disable secure boot then. Or is that too obvious and uncontroversial?
Re: (Score:3)
The problem is that the number of Best Buy computer purchasers outnumber the number of us. There's little incentive for HP/Dell/etc. to continue supplying non-locked systems. Eventually, it'll be build it yourself expecting to put non-Windows in it or you'll never put anything but Windows in it. What would encourage a person going off to college to investigate if their PC could load Linux beforehand? When said student finds out about Linux... are you saying they should also be required to build a new PC
Re: (Score:2)
If you disable it then it is not genuine prevention any longer? If you disable it then win8 no longer boots. Microsoft get governments to consider it as part of the bid process and gets the governments to put it in the contracts. Certification takes significantly longer for non Microsoft products thus giving Microsoft the competitive advantage. If a contractor seems to be close they can slow down certification till they get the bid.
This is rife with abuse potential.
Re:If you can't be bothered to RTF... (Score:4, Insightful)
Incorrect.
This seems to be a common misunderstanding with the whole thing. Windows will boot no matter what, be it secure or unsecure. It's not Windows' decision, it's the UEFI system's decision if it should boot windows, Linux or whatever.
The whole point of the secure boot is to prevent malware that fucks with the bootloader, allowing rootkits to be inserted into the Kernel before any anti-malware gets a chance to run.
This is how a chain of trust works.
A -> B -> C -> D
A, ideally, is some hardcoded software that cannot be modified. In games consoles, it's usually a part of a ROM or in the Xbox-360's case, it's on the CPU itself. It checks that B hasn't been modified in any way, shape or form and if it passes, boots it. B then does the same for C and so on and so forth.
The principal is exactly the same here. If you disable UEFI secure, all you're doing is saying "Dear A, don't bother checking B, just boot the fucking thing". B will then happily continue on as normal, booting C which then boots D. At some point, D can look back and check that A, B and C haven't been modified but it's almost pointless because if they've already been compromised, they'll feed the next in the chain whatever the fuck the compromiser wants it to.
A = UEFI bootloader
B = Windows Bootloader
C = Windows
D = Anti-malware
Re: (Score:3)
as long as your OEM isn't a dick
That's a pretty big assumption right there.
And I should point out, this isn't just Dell or HP or Lenovo or something, it's also motherboard manufacturers who can get in on this game.
Re: (Score:2)
Hopefully the setting (if they make it available) will be locked down with a jumper on the mainboard, or a DIP switch, or something that is inaccessible to software.
The amount of stuff happening in changable storage makes me nervous with UEFI.
Re: (Score:3)
Re: (Score:2)
That screenshot is from the Tablet PC Microsoft themselves gave out at BUILD (before all this kerfuffle actually came up).
Re: (Score:2)
In other words, it's probably not the BIOS that will ship with the final product, and they can remove the ability to toggle that setting at any time in the future.
Re: (Score:2, Troll)
Yes and they can also superimpose the windows logo on top of the screen so it's permanently there, no matter what you use it for. They could also install a flash chip that wipes the hard drive and installs windows every time you press the Windows key. They could also make it play a "BILL GATES OWNZ YOU!!!!" soundbyte upon startup. There's all sorts of things they could do, but that doesn't mean they'll do it. As has been stated several times before, all the Linux doomsday prophesies rely on the OEM removing
Re: (Score:2)
No, Windows will still boot just fine. It has to, otherwise it wouldn't work on older, BIOS-only machines. It's not about "Will windows boot if UEFI security fails", it's more "Will UEFI boot windows if security fails". Windows won't care what's telling it to boot, be it UEFI, Microsoft's own loader, GRUB or whatever, but UEFI will make a distinction about what it's prepared to boot.
There are also means for the OS (Any OS) to communicate with the UEFI system to determine how secure the boot was. If secure b
Re: (Score:3)
Exactly... they want to be able to lock Linux users out of seeing the premium content that will ONLY be viewable on a machine that has been booted and verified as secure to play premium content via their key mechanism... there's even a TPM block shown in the graphic on the article. Don't forget that as far as Microsoft are concerned, their customers aren't the en
Re: (Score:2)
I don't see how that's an issue at all? If you want to install Linux, chances are you're capable of hitting F12 at startup and switching an option off. If you're not capable of doing this, then what the hell are you trying to install another OS for?
If you don't know about the option or BIOS, why would you want to disable it?
Realistically all the need is a clear boot warning (Score:2)
This way people could load Linux if they wanted but the "joe average" would know something is wrong if he was compromised by a boot virus. This would actually be more sensible than preventing other systems, otherwise they will have literally thousands of hackers trying to discover the boot sig
Re: (Score:3)
Re: (Score:2)
You're assuming there is such an option, and that the user won't be required to reboot, enter the menu and disable secure booting.
This isn't Microsoft (Score:2)
Linux has been able to use EFI at boot time since early 2000, using the elilo EFI boot loader or, more recently, EFI versions of GRUB.[21]
Which is from the UEFI wiki page and Linux documentation. The issue is that the boot might be locked, not that Windows 8 will find and delete Linux partitions, so really this has nothing to do with Microsoft, it has to do with OEM systems. If your concerned about this effecting you then build your own computer and it wont matter.
Re: (Score:3)
Stop spoiling this 2 minute hate on Microsoft with your facts.
Answer from Matthew Garret to this article (Score:2)
"Microsoft wrote an article about how they weren't making it harder to install Linux which described, in detail, how they're making it harder to install Linux. Here's my response" - https://plus.google.com/109386511629819124958/posts/GXc9y7E5uZX [google.com]
"in"secure boot (Score:2)
The problem with the secure boot system is that it won't work. It will fail for the same reason that DRM encryption on DVD's and BD disks failed. They were eventually 'cracked'. As soon as a third party OS (Linux, BSD, Mac, etc) is available for installation on systems with secure boot the 'secret' will be out to the malware writers and they will find ways to get in via subterfuge.
The concern is valid, if misplaced (Score:4, Insightful)
There is still cause for concern and the concern is misdirected at Microsoft. The bigger cause for concern should be the Motherboard manufacturers. Look at the issue from their perspective. They pre-install a certain number of certificates at the factory (Windows 8...).
They then have the choice on whether or not they want you to be able to install additional certificates beyond what it came with from the factory. In order to do this they have to enable the feature to allow the certificate store to be updated or the feature to be turned off. They also have to manage additional new certificates and or supporting the user installing their own. That means that they have to provide tech support to allow you to do this. That means additional testing beyond what it comes from the factory, additional support costs for users having trouble and so on.
Their financial interest is arguably in making sure that the certificates they expect you to need are included and that you have no way to modify this as that costs them money for what they will perceive as a market that isn't worth catering to. There is also the added fact that a motherboard that is locked to a certain Operating System can't run a new Operating System when it comes out. That translates into planned obsolescence where the user /has/ to replace their motherboard when a shiny new OS comes out that they want.
There is only one thing I can think of that would prevent this issue from being widespread on most motherboards. Enterprise environments need to use tools like Altiris to deploy OS's with PXE boot. If an enterprise can't image their computer they can't use it in fleet deployments and they won't buy it. Of course this does nothing to protect home users that don't have this requirement.
Bottom line, UEFI is an issue, but not for the reasons that everyone thinks it is.
Yet Another Translation (Score:4, Insightful)
I love the "translation" posts because I hate them all individually -- none of them stress my way of looking at the problem. Here's my translation:
Move along .. nothing to see (Score:3)
How many non-technical home users install a new OS on their hardware? How many of them even bother with an upgrade to a later version of Windows? The percentage has to be so small as to be non-existant. I'm not trolling here, I think its a legitimate question.
To expand on it. Computers have become commodity devices. People buy one, use it up, buy a new one in the same way they do TVs etc. As long as it lets them do the things they want they don't really care if its got the latest software on. They certainly don't care enough to install a new operating system. Most of them wouldn't even know that this was an option. This is the general population, not the tech elite that read slashdot. So, does this stop people who want to install a different OS from installing it? Yes and no. They might find that its not worth buying systems made by X, but they could always build their own, or buy from a different OEM that provides the access they need.
TL;DR its not a problem that will affect the vast majority of users. Those that it will affect will have an understandable way around it.
Re: (Score:3)
Let's hope that this isn't an empty promise
We're talking Microsoft here, you might as well hope that a leprechaun will bring you a pot of gold so that you can retire in never-never land and live happily ever after.
Re:Pass the FUD, I'm starving. (Score:4, Interesting)
Building your own machines will be a bit of a problem if all the new motherboards do the same thing. Do you honestly think the DIY vendors will not march to that drum unless they're gunning for the Linux user crowd in the first place?
Re: (Score:2)
I can totally see Asus having those features installed, and giving it some silly Asus name. "Super SafeBoot Deluxe!"
On the other hand, they will allow users to disable it in the "Boot" section of the BIOS setup.
Super SafeBoot Deluxe [No ]
(Description: "Enable/disable Super SafeBoot Deluxe" -- not very helpful).
Re: (Score:2)
Re: (Score:2)
- Is there some sort of policy on these blogs that prevents them from mentioning their competition?
Yes.
http://www.marco.org/2011/09/16/some-other-tablets-you-may-have-seen [marco.org]
Re:didn't Stallman... (Score:5, Interesting)
Stallman is possibly the most prescient (not best by a long shot, but most prescient) sci-fi writer ever. Everyone calls him a nut and then a couple decades later...he was totally, 100% right. Yeah it's not rocket science and he only writes near-future stuff, but still, he has a nearly flawless record.
Re: (Score:3)
I respect the man, and all he has done for software, and computing. But he is far to extreme. The truth is in the middle.
Re: (Score:3)
Unless you have some sort of proof that Microsoft forced the OEMs to not allow it to be disabled and did not allow for other OS's to be installed, any such cases would be immediately thrown in the trash where they belong. And no, a bunch of whining and 'what ifs' and 'it could happen' and even 'it happened before' do not count as proof.