Forgot your password?
typodupeerror
Linux

Linux Foundation Releases Document On UEFI Secure Boot 318

Posted by Soulskill
from the keep-it-fair dept.
mvar writes "The Linux Foundation today released technical guidance to PC makers on how to implement secure UEFI without locking Linux or other free software off of new Windows 8 machines. The guidance included a subtle tisk-tisk at Microsoft's Steven Sinofsky for suggesting that PC owners won't want to mess with control of their hardware and would happily concede it to operating system makers and hardware manufacturers." Canonical and Red Hat have also published a white paper (PDF) suggesting that all OEMs "allow secure boot to be easily disabled and enabled through a firmware configuration interface," among other things.
This discussion has been archived. No new comments can be posted.

Linux Foundation Releases Document On UEFI Secure Boot

Comments Filter:
  • Let me guess (Score:5, Interesting)

    by 0123456 (636235) on Friday October 28, 2011 @11:51AM (#37869596)

    As I look into my crystal skull through the mists of time I see Microsoft release a white paper saying that OEMs will get $10 off the cost of Windows if they don't allow users to turn off 'Windows boot'?

    • I see Microsoft release a white paper saying that OEMs will get $10 off the cost of Windows if they don't allow users to turn off 'Windows boot'

      Then I see US v. Microsoft II.

      • by TheGratefulNet (143330) on Friday October 28, 2011 @12:03PM (#37869784)

        the US does not bite the hand that feeds it.

        corporations feed the US. people don't matter anymore.

        there are only going to be lawsuits in your dreams, my friend. big business is 'too big to fail' - no matter how large they actually are.

        the OWS guys are complaining about this very kind of thing, in fact. but it won't change. the system is already in the hands of the 1% and that's that until the next bloody revolution comes.

        • by tepples (727027)
          Red Hat and Google are corporations too, as is Free Software Foundation.
          • I believe that should be rephrased to "Justice is provided to the highest bidder" FSF and Redhat are both corporations, but unless their pockets are deep enough and ethics low enough to pay equal contributions. Their odds of success are low.
          • by Forbman (794277)

            That may be, but not even all the pigs in the barnyard are equal. The big corps that the OWS people are worried about are the proverbial 700 lb boars and sows that rule the feed trough and shit wherever they damn well please.

          • by ddxexex (1664191)

            The one I'd be worrying about would be IBM.
            Google just recently got their so-so patents; Red hat might have patents, but I don't think its enough to scare Microsoft too much. But IBM is quite pro-linux and probably have a patent portfolio large enough to engage in thermonuclear patent warfare with MS if they really wanted to.

            • by hairyfeet (841228)

              Shit they'd be the easiest to buy off as well. Big blue LIKES teh monies. I can imagine how that conversation would go: "Hey IBM? Yeah its MSFT, have you SEEN the sales figures for the X360? Sweet huh? And you remember how some corps used PS3s as HPCs? yeah we're planning on slaughtering that segment too...picture this, an X720 that can be BOTH a game machine and rack mountable blade! Cool huh? Now imagine it saying in giant letters "The MSFT X720...powered by IBM" doesn't that sound nice? You could have th

          • by dpilot (134227) on Friday October 28, 2011 @01:25PM (#37870950) Homepage Journal

            Other responses to this have replied that RedHat and Google don't spend the campaign contribution $$$ that Microsoft does, and therefore Microsoft can buy Ju$tice here.

            The other side of reality is that the server space is heavily Linux, much of that on workstation-class machines, but also many farms are based on commodity-class machines, too. So in this case, it's not just RedHat and Google complaining, it's also IBM, Oracle, Disney/Pixar, Dreamworks, atmospheric modeling people, the petrochemical industry, etc.

            My prediction is that the workstation-class market will have the switch from the get-go. Almost all of the commodity-class market will not have the switch, per Microsoft's wishes. But not all - because a few of those commodity-class manufacturers will have special boxes, probably at a slight, but tolerable premium, for the above-mentioned companies. Those few manufacturers will pick up the Linux business, lock, stock, and barrel. After a few quarters of that, some other commodity-class manufacturers will introduce their "Linux-capable" boxes in order to grab that same premium. It'll "race to the bottom" after that.

            The real question will then be how do the rest of us get our fingers on those "special Linux machines." At that point, we may not, but some motherboard vendor will realize that he can sell the "Linux-capable motherboard" at a slight premium to those who know that they will get crappy non-Windows support, and also let them shave the Windows support cost into their profit margin, too.

            Plus I need to write my Congress-critters. This Microsoft move is curiously soon after they've been released from Antitrust oversight. Maybe it's innocent and in the name of security and all of that, but the timing really stinks. Of course my Congress-critters don't give a hoot that I can't build and boot my own kernel. But I'd hope that they understand that we're shoving yet another piece of science and technology overseas, away from the US, reducing our competitiveness. The tinkerers who become future scientists and engineers will be on foreign shores, as well as those new ideas, products and business opportunities that my not fit into Microsoft's business plans. THAT's what I'll emphasize in my letters.

        • I seem to recall MS faced a few lawsuits from the Federal government a few years back that resulted in them paying some substantial financial penalties and agree to operation changes monitored my the court. Corporations deserve the spotlight to highlight and address their questionable practices. There are several really important changes I would like to see in regards to the corporate use of offshore tax havens and I think some corporations based in the US should be required to employee a certain percentage
          • One additional item. Corporations are vulnerable to citizen protests but the protests would be a lot more effective if the protesters targeted all their energy on individual corporations one at a time instead of going after an entire industry. CEOs and Board members really don't like being constantly hounded by protesters, cameras, and ambush interviews. Public corporations are required by law to publish a great deal of their business information and finding disgruntled employees or ex-employees can provide
          • by Jiro (131519) on Friday October 28, 2011 @01:50PM (#37871254)

            Microsoft faced those lawsuits because they were not yet politically savvy enough to buy off politicians. Now that they are, it's not happening again.

        • by w_dragon (1802458)
          So you think the richest 3.5 million or so people in the country control everything? That's not so bad, it only takes something like $380k annual income to make the top 1%, specialist doctors and lawyers can make that much. I have a hard time believing that the pediatric neurosurgeon I know, who certainly makes in the top 1%, would screw up the country.
      • I imagine it'll go like the last one. Microsoft will be fined tens of millions of dollars... after making billions.
      • by Hatta (162192) on Friday October 28, 2011 @12:18PM (#37869984) Journal

        Not going to happen. Microsoft lobbies heavily [commondreams.org] now.

        Microsoft didn't always seek support in Washington. For years, the software giant prided itself on steering clear of national politics and lobbying. But when their legal troubles started, that attitude quickly changed.

        "Microsoft, before their anti-trust case, had almost no presence in Washington," Arizona Sen. John McCain told The Chronicle editorial board earlier this year. "Now, I almost don't know a lobbyist who's not on their payroll."

        That was in 2001. After a decade of increasing corporate influence in Washington I doubt we'll ever see antitrust action against Microsoft again.

    • $10??? Try a 50% discount. Need to lock them in early then they are always on windows. This would be a major plus for Microsoft, Guaranteeing there market share.

    • by Bengie (1121981)

      That would break Win7 and WinPE boot discs.

      • by robmv (855035)

        Consumer devices do not use WinPE disk and many consumer devices manufacturers do not care if you can't go back to a previous Windows version, they will say: "Unsupported", better yet for them if they find a way to lock you and disable upgrade to Windows 9

    • Windows will lose money if they give $10 discounts for OEMs to lock out other OS's.

      Windows is so successful that Microsoft doesn't need to lock out the competitors. You really think Microsoft fears Linux with its 2% of the desktop market share? Not worth the loss in revenue.

      • by 0123456 (636235)

        Windows is so successful that Microsoft doesn't need to lock out the competitors. You really think Microsoft fears Linux with its 2% of the desktop market share? Not worth the loss in revenue.

        There used to be Linux netbooks. Then Microsoft started offering Windows for free or very low cost to netbook manufacturers. You really think Microsoft feared Linux with its miniscule mobile PC market share?

  • "...PC owners won't want to mess with control of their hardware and would happily concede that to operating system makers and hardware manufacturers."

    Put the word "most" in front of that and I'm on board. The PC as appliance that just works is really is what "most" PC owners want.
    • The game / app you want and secure boot can't be turned off on your dell?

      Say you want to play Leisure Suit Larry 2012 but sorry windows app store does not have adult games.

      So you try to install a steam game and a box comes saying that Steam Client Service does not work with Secure boot.

      • by 0123456 (636235)

        The game / app you want and secure boot can't be turned off on your dell?

        You bend over and pay $1000 for a motherboard with a switch that lets you turn it off. This whole thing is about destroying the open PC architecture and replacing it with vendor lock-in so they can rake in the cash.

      • by Bucky24 (1943328)
        Why on earth wouldn't Steam work with secure boot? Secure boot has to do with the boot up process. Steam is an application that runs AFTER the boot process is complete. Unless you're saying that Microsoft would modify Windows so that no unapproved software could run.
    • >The PC as appliance that just works is really is what "most" PC owners want.

      Actually people just want to own what they bought with out being told what it can and cannot be used for by the manufacturer.

      • by Bucky24 (1943328)
        I think the vast number of people who own iPhones prove you wrong on that point.
        • Which is countered by the huge number of non-tech users who beg me to jailbreak their iphones.
          • by idontgno (624372)

            Unless by "countered" you mean "feebly opposed by inferior number and singular anecdotes", I think you're mistaken.

            Random purported fact off teh Intarwebs: [numberof.net] 7% of all iPhones are jailbroken. The rest are still in their bright plastic chains.

            BTW, this is the result of a single google search. I still trust it more than a wikipedia article, and I would trust that far more than I'd trust your unsupported anecdotal assertion.

            I'm just sayin'.

            • It doesn't change the fact that more and more normal people are wanting more control. When my mom is asking me to jailbreak her phone so she can do X with it, I know the trend is changing. My mom is almost incapable of using an iphone out of the box.
    • by sjames (1099)

      That same MOST, however will want their little brother, nephew, kid next door, etc to be able to fix the machine from time to time. They, in turn, may want to boot a live cd as part of the repair process.

  • by SuricouRaven (1897204) on Friday October 28, 2011 @11:58AM (#37869710)
    Intel: We've invented a new technology that can be used to prevent low-level malware from being loaded during the pre-kernel boot process, when conventional antimalware techniques are ineffective. It could also be used by a manufacturer to prevent the user from installing any unapproved OS, as from a technological standpoint this functionality is identical to blocking malware, but that isn't what we designed it for.
    Microsoft: Oh, that sounds fun. Ok, all OEMs: If you want to ship with the 'windows 8' logo which everyone is going to want soon, you need to include support for this and it must be enabled by default. You will have to include Windows 8 on the trust list, but anything else you need to block as it may be malware. You can give the user the ability to turn this feature off and install non-Windows OSs if you want, but we don't really care.
    Linux supporters: But that means that unless an OEM has explicitly taken the trouble to install a feature that few users will even know of, it'll be impossible for us to use any OS except Windows - most seriously on laptops, where we can't build our own.
    Microsoft: Not our problem! Take it up with the OEMs. We're only mandating that they install linux-blocking capability, we're not asking them to actually use it.

    Throughout this, the OEMs have remained silent on the issue.
    • by Todd Knarr (15451) on Friday October 28, 2011 @12:35PM (#37870246) Homepage

      I think the big driver for OEMs telling Microsoft to rethink this will be Windows 7 and XP. A lot of major companies won't be ready to deploy Windows 8, especially with money tight. And they'll need to deploy, not stock Windows 7, but the specific image with the specific patches that they've certified compatible with all the other software they need to run. Fail to do that and IT's going to come back with a big requirement to re-certify everything that'll cost a lot of money and take a lot of time, and management'll buy off on it because it'll be phrased as "If we don't verify everything, we're risking another company-wide outage for some unknown number of weeks until the vendors get us a fix. Remember how much pain that caused last time it happened?".

      The big vendors like HP and Dell aren't going to go for something that'll cost them their biggest corporate customers. And the motherboard OEMs won't go for something that'll cost them both their big vendor contracts and their boutique component sales to gamers and the like.

      • by Bucky24 (1943328)
        I concur. Especially if Windows 8 is going to require this new hardware, I think a lot of companies will take a very long time to upgrade. A new OS is a lot cheaper to buy (especially if you buy a volume license) than a whole fleet of new desktops.
        • Windows 8 certainly won't require it, that much has already been made clear - and MS wouldn't want to make it impossible for existing users to upgrades. The only thing that requires it is the Designed for Windows 8 sticker, which all windows-selling OEMs need because it entitles them to OEM price for preinstalled windows and looks great in advertising. It's possible that a future version of Windows could require it, but that's quite a few years ahead.
      • Exactly, it took a lot of teeth pulling but we are just now looking at a windows 7 migration.
      • by jimicus (737525)

        You're not thinking longterm. Microsoft can be patient, and Linux on the desktop is not growing at a rate that merits rapid, drastic measures.

        I can see two paths:

        1. Microsoft provide a mechanism to sign deployment images which is extended backwards to Win7. This makes sense anyway; it's common for larger businesses to deploy standardised images. Will be interesting to see how third-party deployment product vendors deal with this.
        2. OEMs will indeed make sure it's switchable for Windows 8 PCs. But Windows 9

    • by Jonner (189691)

      I think that sums it up pretty well. I am very happy to see this well-written document from the Linux Foundation which OEMs who are serious about interoperability can use. When an OEM says "we can't make our Windows 8 Logo machine boot Linux or anything other than Windows 8" this document can be used to easily refute such laziness.

  • by Joe_Dragon (2206452) on Friday October 28, 2011 @12:04PM (#37869796)

    OEM can use this to lock in to there video cards that can cost $100+ the price of other on line stores, hdd that cost the full price of a 1TB disk to just upgrade from 500gb to 1TB. Maybe even ram lock in so you can pay $60 to go from 2gb to 4gb. But for about $50 you can get good 8GB ram kits.

    • They could... or, more realistically, they might just not *bother* to include an option to disable the windows-eight-only lock. After all, somewhere around 1% of their customers are going to want to run non-Microsoft OSs, hardly a thriving market. Scarcely worth the cost of having someone program, test and document another option in the setup program.

      Or maybe when Windows Ten comes out, Microsoft will demand that the windows-only-lock will be fixed on... as a security feature, of course, to prevent future
      • I think lot's of people may not like that new UI and other stuff in windows 7 that is being taken out in windows 8.

      • You really think it is that hard to program? There are many features in the bios that less than 1% of the population uses.

        Enterprise customers are going to provide enough demand to support that feature. There are also a significant portion of the population who will want to run Linux or another version of Windows to justify the costs. It would be stupid if manufacturers don't support it.

        • by idontgno (624372)

          Yeah, but "support" will be restricted to two major product line categories: "enterprise" hardware (i.e., "servers" and "workstations"); and "enthusiast" hardware.

          Do you see another common factor in those two market segments? Let me give a hint: it's spelled with currency marks, not alphanumerics.

          So, the beige-boxes sold to Mom, Pop, and the average kid going to school will be locked into Windows in ways that would make the ghost of Steve Jobs return from the Beyond seething with envy. Motherboards with "tu

    • by adonoman (624929) on Friday October 28, 2011 @12:16PM (#37869966)
      OEMs don't need this to lock in hardware, they can do this just fine [wikipedia.org]with regular BIOS. [linuxquestions.org]
      • It does still have the potential to pretty substantially change the game, though:

        Goofy hacks like custom SPD fields and PCI-ID checks are effective enough to spoil the day of Joe User; but most of the implementations in the wild are pitifully weak: SPD data, for instance, are stored on a totally normal little SMBUS eeprom chip. Cloning a vendor-lockout SPD field onto a generic chip of similar capability is not terribly demanding. The proposed cryptographic mechanisms, designed from the ground up for the
    • by Jonner (189691)

      OEM can use this to lock in to there video cards that can cost $100+ the price of other on line stores, hdd that cost the full price of a 1TB disk to just upgrade from 500gb to 1TB. Maybe even ram lock in so you can pay $60 to go from 2gb to 4gb. But for about $50 you can get good 8GB ram kits.

      Yes, UEFI Secure Boot can be used for such anti-competitive tactics. I hope somebody tries something like that, since it will demonstrate to those who don't care about alternative operating systems how evil it is to lock users out of decisions about what to use with their own computers.

  • mainstream vendors will completely ignore this. guys like Dell and HP have been testing the technology extensively to make sure it works on their products. it will be proprietary, guarded, and hard to manage, and probably bloated just like every other standard theyve championed.

    small players will either choose to ignore the technology entirely, or develop their own convoluted undocumented implementation that manages to lock out anything except what was imaged on the device to begin with. Expect the us
    • by Microlith (54737)

      Expect the usual BSD and Linux hackers to rise from the shadows to fix another broken mess of industry detritus.

      Just like how they fixed Motorola's secure boot process, right? Oh, wait. Those are still locked and the kernel can't be replaced.

    • by jimicus (737525)

      If you're disabling all the IPMI features as a sysadmin, you're seriously missing out. Remote serial access at a BIOS level, what's not to like?

  • by sgt scrub (869860) <saintium@@@yahoo...com> on Friday October 28, 2011 @12:11PM (#37869898)

    I don't want to disable the functionality to use Linux or any other operating system. I want it to be customizable so I can use it with any other operating system. Having it locked down for existing OEM's is what makes it evil.

  • Could we start a white list of compatible hardware manufacturers or a black list of offending hardware (which ever is easier to maintain) so it would help us users that are planning for our next PC build?

  • enterprise use will drive booting older windows + linux but I seeing systems / software needed windows XP being a point that force this to be off on at least some systems.

    Windows 7 that most enterprise is now moving to will HAVE TO WORK WITH Secure boot as I don't see windows 8 fitting into enterprise use the way that is now being planed.

    • UEFI systems without any sort of BIOS compatibility module won't be able to boot 32-bit versions of Windows XP. Of course that doesn't stop anyone from developing one (see efforts to boot Windows on x86 Macs pre-Boot Camp).
  • Like, "Unleaded Gas Only" just to make it visible to the idiot consumer what he or she is buying. "Runs Anything!" or "Runs Linux!" are optional, of course.

    I know, silly idea, but sometimes I feel that this world is rather silly as well. Forcing a machine in hardware to only run Windows, for example.

  • EU (Score:4, Insightful)

    by ThatsNotPudding (1045640) on Friday October 28, 2011 @01:14PM (#37870808)
    I just hope they sent a copy to the EU Competition Committee, as jack-shit will be done by USFedGov.
  • The bottom line is simple: a motherboard will not boot unless a third party permits. You will have no control over this. The computer is not yours.

Some people carve careers, others chisel them.

Working...