
Microsoft Taking Aggressive Steps Against Linux On ARM

Posted by timothy
from the justice-department-be-damned dept.
New submitter Microlith writes "Microsoft has updated their WHQL certification requirements for Windows 8, and placed specific restrictions on ARM platforms that will make it impossible to install non-Microsoft operating systems on ARM devices, and make it impossible to turn off or customize such security. Choice quotes from the certification include from page 116, section 20: 'On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled' — which prevents users from customizing their security, and in section 21: 'Disabling Secure MUST NOT be possible on ARM systems' to prevent you from booting any other OSes."

  • Re:Well... (Score:5, Informative)

    by nurb432 (527695) on Saturday January 14, 2012 @09:09AM (#38696684) Homepage Journal

    Don't you mean iOS? My mac isn't locked down in the least, and in fact is more open than windows.

  • by Anonymous Coward on Saturday January 14, 2012 @09:11AM (#38696704)

    I don't understand if you're a troll, a shill, or simply an idiot. Microsoft is imposing these overly restrictive and anti-competitive measures on ARM hardware, in order for it to have WHQL certification, and you pretend to believe it is to stop malware? Really?

  • by gweihir (88907) on Saturday January 14, 2012 @09:19AM (#38696748)

    He is a shill. Despicable. Just look at the posting time of the article and his comment. This was obviously pre-written.

  • by TheRaven64 (641858) on Saturday January 14, 2012 @09:22AM (#38696770) Journal

    OS X doesn't stop you installing other operating systems. OS X even comes with a tool that will resize your existing partition, provide space for another OS, and Apple computers have a graphical boot menu out of the box for selecting the OS to boot.

    I'm not sure about iOS devices. The older iPods didn't actively stop you from installing other operating systems (they just didn't support it, which is fair enough). If the new iPods / iPhones do lock the bootloader and prevent you from installing something else, then that would be something worth complaining about, although there are enough other reasons for wanting to avoid Apple's locked-down consumer product lines that it's probably quite low on the list.

  • by lordholm (649770) on Saturday January 14, 2012 @09:31AM (#38696830) Homepage

    If it had been only a security feature, there would be an SD-card in the device storing encryption keys for approved OS software manufacturers. The SD-card could in this case be made read only and if the user wants to disable any tampering, he could glue it in the slot. A user could add additional approved keys (even his own keys) by placing the card with write enabled in another machine.

    In this case, it would have only been about security. As it stands now the MS rules are to lock out competitors from the market.

  • by amiga3D (567632) on Saturday January 14, 2012 @09:40AM (#38696888)

    That's because Apple is a hardware company foremost. It works the other way with them. They don't want you installing their software on other hardware and work to prevent it. Microsoft is being forced into attacking linux on ARM in this way because they can't really compete against them any other way on that platform and they are desperate not to start losing market share even if they maintain their monopoly on pc architecture. MS knows that once linux really starts to take hold anywhere at all they are in danger everywhere.

  • by EdZ (755139) on Saturday January 14, 2012 @09:48AM (#38696950)

    If the new iPods / iPhones do lock the bootloader and prevent you from installing something else, then that would be something worth complaining about

    They do. As do many (probably even the majority) of Android devices. And Symbian devices. And bloody well anything that runs on ARM! The number of locked ARM devices vastly outnumbers the number that are unlocked, or even have the ability to be officially unlocked. Should unlocked ARM devices be the norm? Yes. Is Microsoft's position the norm among every device and OS manufacturer? Also yes.

    Also interesting to note is that the updated document specifically requires that UEFI Secure Boot settings can be modified by the end user, contrary to previous hooh-hah.

  • Re:Simple Solution (Score:4, Informative)

    by Rockoon (1252108) on Saturday January 14, 2012 @09:48AM (#38696952)

    Tablet makers offer ARM tablets without WHQL Certification preloaded with Linux or Android.

    They don't even have to be preloaded with either. They can be preloaded with Windows 8 .. just not WHQL certified.

    WHQL certification means something only when upgrading to a new version of Windows is a selling point... for instance when Vista was just around the corner many manufacturers started selling computers certified to run Vista, even though it wasn't available yet...

    ..there was a big stink about that too, because Intel's shitty integrated video got certified but was incapable of the glitzy shit Vista promoted (we all remember that, right?)

    We are talking about if the manufacturer can legally put a sticker on the box, not their capability to install Windows 8.

  • by gweihir (88907) on Saturday January 14, 2012 @09:52AM (#38696978)

    It does not make sense. You can always allow the user to add another key, and you can give clear warning when they do. Preventing the user from adding another key is not a security feature. Period.

    But I guess you are paid to post this nonsense here.

  • by TheRaven64 (641858) on Saturday January 14, 2012 @09:55AM (#38697004) Journal
    Bullshit. When OS X first came out, it only ran on PowerPC. It came with OpenFirmware, which provided a graphical multiboot bootloader. When it was ported to Intel, Boot Camp was a separate download, now it's integrated.
  • Re:Well... (Score:3, Informative)

    by JBMcB (73720) on Saturday January 14, 2012 @10:03AM (#38697086)

    http://www.apple.com/opensource/ [apple.com]

    Here's the source code to all the open source software in MacOSX, along with any patches they did to the source.

    http://opensource.apple.com/release/mac-os-x-107/ [apple.com]

    Here the sources for a bunch of the core system components, including the kernel.

    Where's the source code for the Windows 7 kernel again?

  • by Chas (5144) on Saturday January 14, 2012 @10:15AM (#38697142) Homepage Journal

    That's just it shill-boy.

    They're not "simply going to another market".

    They're adding stipulations to their credentialing process that REQUIRE hardware vendors to essentially lock out all forms of user choice for alternate OSes on their platform.

    So if WidgetCo wants to sell their ARM-Widget 6000 with Windows on there, they have to lock the platform to the point where you CAN'T load the ARM-Widget 6000 with Android or another OS.

    Essentially they're forcing hardware vendors to make an irrevocable choice about which market they're going to service instead of allowing them to service any/all of them.

    That's quite clearly abuse.

  • by Anonymous Coward on Saturday January 14, 2012 @10:15AM (#38697150)

    Considering your astroturf account is only 140 users ahead of OP astroturf account, I don't trust what you have to say either.

    Be gone astroturfers.

  • by whosdat (2551450) on Saturday January 14, 2012 @10:16AM (#38697160)

    Last I checked, Google didn't produce any Android devices (yet).

    Google didn't demand to lock the bootloader as a part of Android branding certification as well, which is why there's plenty of unlocked Android devices available.

    Please shill harder.

  • by Kjella (173770) on Saturday January 14, 2012 @10:20AM (#38697204) Homepage

    Also interesting to note is that the updated document specifically requires that UEFI Secure Boot settings can be modified by the end user, contrary to previous hooh-hah.

    What updated document? This is the text:

    MANDATORY: Enable/Disable Secure Boot.

    On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

    Nothing else applies to ARM system. It. Must. Not. Be. Possible. Ever. In any way.

  • by gweihir (88907) on Saturday January 14, 2012 @10:23AM (#38697228)

    a) His points are wrong, and rather obviously so, see rest of thread
    b) He (and you) are obviously paid by MS to spread this FUD here
    c) You are doing this so incompetently, even a young child can see it
    d) After your purpose has been revealed, you keep at it, confirming the suspicion

    Despicable and pathetic. Is MS too stingy to pay for good liars?

  • by Anonymous Coward on Saturday January 14, 2012 @10:24AM (#38697242)

    His premise is entirely wrong. There are a number of ways to ensure the security of the boot sector from the software layer, locking it to one OS doesn't increase security beyond the fact that only one OS's flaws will be exploitable.

    It's really a ridiculous attempt at justifying locking in a subset of arm chips to MS only.

  • by decora (1710862) on Saturday January 14, 2012 @10:29AM (#38697302) Journal

    as anyone who has actually tried to build that pile of ass knows, the apple 'open source' project is complete horse shit. they use an incredibly obfuscated build system that makes it impossible for anyone except Apple to actually compile their projects.

    that is why there are no open source operating systems based off the Darwin Kernel, except for the highly alpha-level PureDarwin, and the completely abandoned OpenDarwin -- here we are ten years after OsX, and PureDarwin only recently announced "The dawn of network and audio support" in their OS.

    GNU Hurd and Haiku are both farther along the way to being usable Operating Systems than any open system based on Darwin.

  • by gweihir (88907) on Saturday January 14, 2012 @10:35AM (#38697326)

    Nonsense. Rather obviously so.

    Seems "everybody else is doing it" is really the last stance in your astroturfing strategy. This does not invalidate that MS is doing something blatantly anti-competitive here with zero technical reasons and zero security benefit. Allowing the user to add OS keys to the device they own and paid for is not a security risk, just a business risk. And that is why MS does not want that and pays you clowns to try to spin it differently.

  • by Megane (129182) on Saturday January 14, 2012 @10:50AM (#38697408) Homepage

    http://it.slashdot.org/story/12/01/13/1953230/microsoft-trustworthy-computing-turns-10 [slashdot.org]

    There's probably more, but I only went looking in his recent history. So this isn't his only post dropped at the moment an article goes live. Sure smells like astroturf to me. And you can't use the "subscriber preview" argument, either, since there's no "*" after his username.

  • by Deathlizard (115856) on Saturday January 14, 2012 @11:22AM (#38697612) Homepage Journal

    First off, show me the Tablet Monopoly that Microsoft Has. If Microsoft managed to increase their tablet market share 5 times more than it currently has, it still would be in the single digits.

    Second, I don't see any reason why an OEM couldn't just release the same tablet with Android preinstalled instead of Windows 8. In fact, it would be severely stupid not to do it, especially since many of the Win8 tablet price rumors I've seen are at price points that are equal or more expensive than their better positioned and more established Tablet OS equivalents. The Touchpad Fire sale and the Amazon Kindle proved that people do not want to spend a ton of money on a tablet and people will just buy an iPad if your tablet comes close or is higher than Apple's price. If Windows 8 tablets violate both of these rules (which I can almost guarantee will happen), you won't need the feds to step in to stop a windows tablet monopoly from happening. Customer wallets will do just fine.

    Third, This is no different than Android having a locked bootloader. It will be cracked and people will install other OS'es on it.

    Frankly, and this is coming from someone who is a Fan of Microsoft, Windows 8 is going to flop on tablets and it's going to piss off desktop users because it's so tablet focused it interferes with desktop usability. MS was much better off Focusing Windows 7 mobile in the tablet space, and use the courier as the platform to do it, but they decided to dick around some more while the competition sucked up market share like a vacuum, just like what happened to their smartphone market. It's too little, too late, and too expensive to compete in a marketplace with not one but two heavily established tablet OS'es.

  • by Mousit (646085) on Saturday January 14, 2012 @11:27AM (#38697640)
    Apple doesn't manage to "get away" with anything. Bundling Safari with OS X is substantially different from bundling IE with Windows, and do not try to confuse the two.

    OS X comes on Apple hardware, which Apple manufactures, and you're free to not buy such Apple hardware. Third-party sellers of the "authorized Apple reseller" type are also free to sell you other hardware, not just Apple hardware. This is in fact one of the biggest differences of all, since Microsoft is a purely software company that does not produce its own hardware (in the computer biz anyway, I know they make some peripheral hardware).

    Back in the day (and far more recently than just the IE case itself, really), MS's contracts with OEMs were vastly different. Windows came on everything. Microsoft didn't make its own hardware at all, but it made sure everyone else's hardware came with Windows. OEMs had to sell Windows pre-bundled, and they weren't allowed to offer you competing OSes due to the nature of their contracts with MS (remember the days before Dell sold RedHat Linux systems?). HP computers came with Windows and IE. Dell computers came with Windows and IE. Acer, IBM, Compaq.. you get the picture. It didn't matter WHAT brand you bought, they all came with Windows and IE. This not only was a problem for Netscape and the other browsers, but was also a problem for competing OSes, and remained so well after the Netscape case. Not just Linux, but many other operating systems that have come and are now more or less gone in the same manner as what happened to Netscape, like OS/2 and BeOS. In fact litigation from Be was one of the things that helped bring this OEM contract bullshit to light, though like Netscape before it, it came too late to save Be. Litigation from IBM over the OS/2 debacle is famously well-documented and I shouldn't need to explain it. Dell itself also brought litigation alongside RedHat.

    As for tablet and such devices, yes it's true that Apple ones come with Safari and generally make it difficult to install other browsers (though they are now available, if in more limited quantity and not quite the same as the 'native' on-device Safari browser). However, those are Apple devices, not, say, HP devices with iOS on them. You're free to buy non-Apple devices. Just like if I bought a Microsoft-made Zune, I'd expect it to come with IE only. Yes I realize these days "Windows phones" aren't made by Microsoft. However, I can buy a Motorola with Windows Phone, or I can buy a Motorola with Android, or.. Yeah.

    So please, don't compare apples to oranges (ha). Apple's no saint to say the least and they do pull a lot of ugly shit, but the "Safari bundling is the same as IE bundling!" line is old, tired, and it's bullshit.
  • Linux is already taking hold in pretty much every market except desktops...

    Servers
    Phones (Android, also WebOS/Meego)
    HPC (see the top500 list)
    Embedded devices like routers, set top boxes, televisions, voip phones etc...

    Many people these days have more linux devices in their house than they do windows, and don't even realise it.

  • by Anonymous Coward on Saturday January 14, 2012 @12:37PM (#38698124)
    They're not incompetent, and they're not MS. They're sockpuppets of a Waggener Edstrom rapid response team employed by MS.

    What they do is not secret: http://waggeneredstrom.com/about/approach [waggeneredstrom.com]

    Monitoring conversations, including those that take place with social media, is part of our daily routine; our products can be used as early warning systems, helping clients with rapid response and crisis management.

    Microsoft are No 3 on their client list
    http://waggeneredstrom.com/clients [waggeneredstrom.com]

    DavidSell ByOhTek antitithenai, Bonch, Dtech and others are pseudonyms/sockpuppets used by the team to "guide" discussions.

  • by Glasswire (302197) <glasswire.gmail@com> on Saturday January 14, 2012 @12:43PM (#38698164) Homepage

    Intel's new Medfield Atom [cnet.com] will run Android phones and tablets, Tizen [tizen.org] devices, Win 8 tablets and (if MSFT gets their head screwed on correctly) Win Phone. Since the underlying firmware environment in the Medfield platforms is driven by Intel's reference design, MSFT will not be able to dictate whether other OSes can boot any more than they can in the rest of the x86 world. (Assuming OEMs will be smart enough to let customers control UEFI authentication)

  • by Penguinisto (415985) on Saturday January 14, 2012 @12:48PM (#38698214) Journal

    a) OP's points are still wrong. You don't need to lock the hardware to one OS in order to prevent malware. Car analogy? No problem: It's like saying that the tire rims must be welded onto the wheels in order to prevent tire slashing. The OS (tires) can still be compromised no matter what you do to the underlying hardware, so the whole argument becomes one great big false premise.

    b) there's no way to tell for certain, but it does happen a lot: http://waggeneredstrom.com/clients [waggeneredstrom.com]

    c) Dude did do it incompetently. He's not a subscriber, yet there's a whole novella waiting mere moments after the story is posted publicly. His posting history also shows an incredibly strong pro-Microsoft bias, even to the point of nonsense at times.

    d) see c)

    As for the rest? Certainly you don't need WHQL certification to run drivers on Windows - but Joe Public will see a buttload of bells and alarms warning him if he tries to install it.

    There are no major security reasons for doing it - period. Once someone has physical access, it's game-over anyway - no matter how hard you think you can lock it down.

    HTH a little. /P

  • by Locutus (9039) on Saturday January 14, 2012 @12:55PM (#38698262)
    It is their monopoly on the PC which they are leveraging to force vendors to do these kinds of things. A few years ago, the head of the Taiwanese Manufacturers Association said something very telling during a conference when asked about Linux on netbooks and PCs. He said something to the effect of this: the manufacturers were afraid of Microsoft and so Linux would not be part of PC-like devices (PC, laptops), but on devices not currently licensed for Windows they were fine with it (phones, routers, etc.).

    As we've seen with their IP licensing scams, all those vendors with previous or existing Microsoft licensing contracts signed on the dotted line for "protection" covering Android. So even though they don't have a monopoly on phones nor tablets they wield power from their existing monopoly in the PC segment and can be seen to be using it in demanding features which exclude other OS's from being installed on the hardware. Especially when they are not consistent with that on the PC segment. And it's very public that some businesses and organizations put Linux on devices instead of Windows specifically for better security. Example, the recent DoD migration from Windows to Linux for drone controller systems.

    This will require investigating by the DOJ and not just asking if Microsoft threatens anyone. They'll have to look at lots of email and other statements to build the picture of how Microsoft coerces companies into doing their bidding. I doubt they'll put in the effort though.

    LoB
  • by Microlith (54737) on Saturday January 14, 2012 @01:15PM (#38698418)

    First off, show me the Tablet Monopoly that Microsoft Has.

    I can't, but I'll show you the desktop monopoly that they're leveraging.

    I don't see any reason why an OEM couldn't just release the same tablet with Android preinstalled instead of Windows 8.

    They won't for the same reason they rarely, if ever, release PCs without Windows: they don't want to piss Microsoft off by seriously offering other options.

    You won't need the feds to step in to stop a windows tablet monopoly from happening, Customer wallet's will do just fine.

    And that's why MS is pursuing their lawsuits against distributors of Android: to inflate the costs of Android higher and higher. I'm sure we'll see another round of lawsuits and a per-device royalty fee increase if Microsoft does manage to buy Nokia's patents.

    This is no different than Android having a locked bootloader. It will be cracked and people will install other OS'es on it.

    Cracked, you mean like all the Motorola devices whose bootloader chain has never actually been cracked? Whereas Microsoft can readily ignore pressure, unlike HTC and ASUS, when people pitch a fit after finding out they locked down their bootloader chain. Not that locking down a platform is good in ANY case as it only serves the vendor, not the user.

  • by GPLHost-Thomas (1330431) on Saturday January 14, 2012 @01:59PM (#38698846)

    First off, show me the Tablet Monopoly that Microsoft Has.

    We are not talking about tablet, unless you can show me tablets using UEFI. As far as I know, none use it (yet?).

    Second, I don't see any reason why an OEM couldn't just release the same tablet with Android preinstalled instead of Windows 8.

    Maybe because we aren't talking about tablets, but real computers, which are designed to run Windows?

    In fact, It would be severely stupid not to do it

    It would be severely stupid for OEM makers not to make computers that respect the specs of the OS that more than 90% of their customers are using.

    Third, This is no different than Android having a locked bootloader. It will be cracked and people will install other OS'es on it.

    Again, did you realize that we aren't talking about tablets, but about UEFI secure boot, which is going to replace (and in some cases, is already replacing) your good old MBR by a (mostly, FAT) partition containing the bootloader? Maybe you should read this: http://lists.debian.org/debian-devel/2012/01/msg00168.html [debian.org]

  • by Guy Harris (3803) <guy@alum.mit.edu> on Saturday January 14, 2012 @03:20PM (#38699590)

    Why are you talking about phones? We're talking about UEFI here, which will be used for your next PC hardware... Will you do without a computer as well?

    If by "PC hardware" you're referring to x86-based machines, the offending Microsoft document [microsoft.com] says:

    MANDATORY: On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

    a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.

    b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with Secure Boot turned off.

    c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.

    On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.

    So, just as they mandate "can't allow tweaking" for ARM, they appear to be mandating "can allow tweaking" for non-ARM.
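
A check for the states the requirement quoted above describes (Secure Boot enforcing, enforcement turned off in firmware setup, or Setup Mode after the PK is deleted), as an added example that is not part of the original comment or of Microsoft's document. It assumes the Linux efivarfs layout (a 4-byte attribute header, then the data); the state labels and sample bytes are constructed for illustration.

```python
"""Classify Secure Boot state from UEFI variables as exposed by Linux efivarfs."""
import struct
from pathlib import Path
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed mount point


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes each variable with a 4-byte little-endian attribute word.
    """
    if len(raw) < 4:
        raise ValueError("entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def read_flag(raw: Optional[bytes]) -> Optional[bool]:
    """Decode a one-byte boolean variable; None means the variable is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte flag, got {len(data)} bytes")
    return data[0] == 1


def classify(secure_boot_raw, setup_mode_raw, pk_raw) -> str:
    """Map SecureBoot, SetupMode and PK contents to a state label (labels are ours)."""
    secure_boot = read_flag(secure_boot_raw)
    setup_mode = read_flag(setup_mode_raw)
    if secure_boot is None and setup_mode is None:
        return "unsupported"          # legacy BIOS or firmware without Secure Boot
    if secure_boot is None or setup_mode is None:
        return "inconsistent"
    pk_enrolled = pk_raw is not None and len(parse_efivar(pk_raw)[1]) > 0
    if setup_mode:
        # Setup Mode means no PK is enrolled, so nothing can be enforced.
        return "inconsistent" if (secure_boot or pk_enrolled) else "setup-mode"
    if not pk_enrolled:
        return "inconsistent"         # User Mode requires a PK
    return "enforcing" if secure_boot else "disabled"


def read_live(root: Path = EFIVARS) -> str:
    """Classify the running machine; missing files are treated as absent variables."""
    def load(name: str) -> Optional[bytes]:
        path = root / f"{name}-{EFI_GLOBAL}"
        return path.read_bytes() if path.exists() else None
    return classify(load("SecureBoot"), load("SetupMode"), load("PK"))


# Constructed sample contents (not captured from a real machine).
FLAG_ON = bytes.fromhex("06000000") + b"\x01"    # attrs BS|RT, value 1
FLAG_OFF = bytes.fromhex("06000000") + b"\x00"   # attrs BS|RT, value 0
SAMPLE_PK = bytes.fromhex("27000000") + b"constructed-signature-list"

if __name__ == "__main__":
    print("enrolled PK, enforcement on :", classify(FLAG_ON, FLAG_OFF, SAMPLE_PK))
    print("enforcement turned off      :", classify(FLAG_OFF, FLAG_OFF, SAMPLE_PK))
    print("PK deleted (clause b)       :", classify(FLAG_OFF, FLAG_ON, None))
    print("this machine                :", read_live())
```

A result of "inconsistent" (for example SecureBoot reporting 1 while SetupMode is also 1) is worth investigating as a firmware defect or a tampered variable store.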

  • by KingMotley (944240) on Saturday January 14, 2012 @05:10PM (#38700516) Journal

    A) Yes, actually you pretty much do. Otherwise, root kits can be installed, completely bypassing any other security on the system. Alternatively, security holes in the other booted software (rootkit, linux, etc) whether intentional or not can access the file system and modify the code as to disable windows security.

    You may not like it, but yes, doing this does make the system more secure.

  • by anonymov (1768712) on Saturday January 14, 2012 @06:17PM (#38701058)

    You missed the part where they demand to disable adding other keys/turning off secure boot by user - and they're only demanding it for ARM, x86 is free to have it. That's what the article is talking about, not the secure boot itself.

  • by anonymov (1768712) on Saturday January 14, 2012 @06:49PM (#38701304)

    You don't need to lock the hardware to one OS in order to prevent malware

    Yes, actually you pretty much do

    That doesn't change the fact that doing so makes the device more secure.

    Limiting secure boot to a single certificate and a single OS does not add any more security. If secure boot storage is not available after passing control to the verified boot loader - which is pretty much a requirement for it to be secure - it doesn't matter how many keys are in there. Disallowing manual disable - note that it is also something not available to any software after secure boot finished its job - also doesn't make the device more secure.

    Do try harder.
