Microsoft Taking Aggressive Steps Against Linux On ARM
New submitter Microlith writes "Microsoft has updated their WHQL certification requirements for Windows 8, and placed specific restrictions on ARM platforms that will make it impossible to install non-Microsoft operating systems on ARM devices, and make it impossible to turn off or customize such security. Choice quotes from the certification include from page 116, section 20: 'On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled' — which prevents users from customizing their security, and in section 21: 'Disabling Secure MUST NOT be possible on ARM systems' to prevent you from booting any other OSes."
Re:Well... (Score:5, Informative)
Don't you mean iOS? My Mac isn't locked down in the least, and in fact is more open than Windows.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
I don't understand if you're a troll, a shill, or simply an idiot. Microsoft is imposing these overly restrictive and anti-competitive measures on ARM hardware, in order for it to have WHQL certification, and you pretend to believe it is to stop malware? Really?
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
He is a shill. Despicable. Just look at the posting time of the article and his comment. This was obviously pre-written.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
OS X doesn't stop you installing other operating systems. OS X even comes with a tool that will resize your existing partition, provide space for another OS, and Apple computers have a graphical boot menu out of the box for selecting the OS to boot.
I'm not sure about iOS devices. The older iPods didn't actively stop you from installing other operating systems (they just didn't support it, which is fair enough). If the new iPods / iPhones do lock the bootloader and prevent you from installing something else, then that would be something worth complaining about, although there are enough other reasons for wanting to avoid Apple's locked-down consumer product lines that it's probably quite low on the list.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
If it had been only a security feature, there would be an SD-card in the device storing encryption keys for approved OS software manufacturers. The SD-card could in this case be made read only and if the user wants to disable any tampering, he could glue it in the slot. A user could add additional approved keys (even his own keys) by placing the card with write enabled in another machine.
In this case, it would have only been about security. As it stands now the MS rules are to lock out competitors from the market.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
That's because Apple is a hardware company foremost. It works the other way with them. They don't want you installing their software on other hardware and work to prevent it. Microsoft is being forced into attacking Linux on ARM in this way because they can't really compete against them any other way on that platform and they are desperate not to start losing market share even if they maintain their monopoly on PC architecture. MS knows that once Linux really starts to take hold anywhere at all they are in danger everywhere.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
"If the new iPods / iPhones do lock the bootloader and prevent you from installing something else, then that would be something worth complaining about"
They do. As do many (probably even the majority) of Android devices. And Symbian devices. And bloody well anything that runs on ARM! The number of locked ARM devices vastly outnumbers the number that are unlocked, or even have the ability to be officially unlocked. Should unlocked ARM devices be the norm? Yes. Is Microsoft's position the norm among every device and OS manufacturer? Also yes.
Also interesting to note is that the updated document specifically requires that UEFI Secure Boot settings can be modified by the end user, contrary to previous hooh-hah.
Re:Simple Solution (Score:4, Informative)
Tablet makers offer ARM tablets without WHQL Certification preloaded with Linux or Android.
They don't even have to be preloaded with either. They can be preloaded with Windows 8 ... just not WHQL certified.
..there was a big stink about that too, because Intel's shitty integrated video got certified but was incapable of the glitzy shit Vista promoted (we all remember that, right?)
WHQL certification means something only when upgrading to a new version of Windows is a selling point... for instance when Vista was just around the corner many manufacturers started selling computers certified to run Vista, even though it wasn't available yet...
We are talking about if the manufacturer can legally put a sticker on the box, not their capability to install Windows 8.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
It does not make sense. You can always allow the user to add another key, and you can give clear warning when they do. Preventing the user from adding another key is not a security feature. Period.
But I guess you are paid to post this nonsense here.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
Re:Well... (Score:3, Informative)
http://www.apple.com/opensource/ [apple.com]
Here's the source code to all the open source software in MacOSX, along with any patches they did to the source.
http://opensource.apple.com/release/mac-os-x-107/ [apple.com]
Here the sources for a bunch of the core system components, including the kernel.
Where's the source code for the Windows 7 kernel again?
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
That's just it shill-boy.
They're not "simply going to another market".
They're adding stipulations to their credentialing process that REQUIRE hardware vendors to essentially lock out all forms of user choice for alternate OSes on their platform.
So if WidgetCo wants to sell their ARM-Widget 6000 with Windows on there, they have to lock the platform to the point where you CAN'T load the ARM-Widget 6000 with Android or another OS.
Essentially they're forcing hardware vendors to make an irrevocable choice about which market they're going to service instead of allowing them to service any/all of them.
That's quite clearly abuse.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
Considering your astroturf account is only 140 users ahead of OP astroturf account, I don't trust what you have to say either.
Be gone astroturfers.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:3, Informative)
Last I checked, Google didn't produce any Android devices (yet).
Google didn't demand to lock the bootloader as a part of Android branding certification as well, which is why there's plenty of unlocked Android devices available.
Please shill harder.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
"Also interesting to note is that the updated document specifically requires that UEFI Secure Boot settings can be modified by the end user, contrary to previous hooh-hah."
What updated document? This is the text:
MANDATORY: Enable/Disable Secure Boot.
On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.
Nothing else applies to ARM systems. It. Must. Not. Be. Possible. Ever. In any way.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
a) His points are wrong, and rather obviously so, see rest of thread
b) He (and you) are obviously paid by MS to spread this FUD here
c) You are doing this so incompetently, even a young child can see it
d) After your purpose has been revealed, you keep at it, confirming the suspicion
Despicable and pathetic. Is MS too stingy to pay for good liars?
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
His premise is entirely wrong. There are a number of ways to ensure the security of the boot sector from the software layer, locking it to one OS doesn't increase security beyond the fact that only one OS's flaws will be exploitable.
It's really a ridiculous attempt at justifying locking in a subset of ARM chips to MS only.
good luck compiling it (Score:5, Informative)
as anyone who has actually tried to build that pile of ass knows, the apple 'open source' project is complete horse shit. they use an incredibly obfuscated build system that makes it impossible for anyone except Apple to actually compile their projects.
that is why there are no open source operating systems based off the Darwin Kernel, except for the highly alpha-level PureDarwin, and the completely abandoned OpenDarwin -- here we are ten years after OsX, and PureDarwin only recently announced "The dawn of network and audio support" in their OS.
GNU Hurd and Haiku are both farther along the way to being usable Operating Systems than any open system based on Darwin.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
Nonsense. Rather obviously so.
Seems "everybody else is doing it" is really the last stance in your astroturfing strategy. This does not invalidate that MS is doing something blatantly anti-competitive here with zero technical reasons and zero security benefit. Allowing the user to add OS keys to the device they own and paid for is not a security risk, just a business risk. And that is why MS does not want that and pays you clowns to try to spin it differently.
Not his only first post (Score:3, Informative)
http://it.slashdot.org/story/12/01/13/1953230/microsoft-trustworthy-computing-turns-10 [slashdot.org]
There's probably more, but I only went looking in his recent history. So this isn't his only post dropped at the moment an article goes live. Sure smells like astroturf to me. And you can't use the "subscriber preview" argument, either, since there's no "*" after his username.
Re:Sounds anti-competitve to me (Score:4, Informative)
First off, show me the tablet monopoly that Microsoft has. If Microsoft managed to increase their tablet market share 5 times more than it currently has, it still would be in the single digits.
Second, I don't see any reason why an OEM couldn't just release the same tablet with Android preinstalled instead of Windows 8. In fact, it would be severely stupid not to do it, especially since many of the Win8 tablet price rumors I've seen are at price points that are equal or more expensive than their better positioned and more established tablet OS equivalents. The Touchpad fire sale and the Amazon Kindle proved that people do not want to spend a ton of money on a tablet and people will just buy an iPad if your tablet comes close or is higher than Apple's price. If Windows 8 tablets violate both of these rules (which I can almost guarantee will happen), you won't need the feds to step in to stop a Windows tablet monopoly from happening; customers' wallets will do just fine.
Third, this is no different than Android having a locked bootloader. It will be cracked and people will install other OSes on it.
Frankly, and this is coming from someone who is a fan of Microsoft, Windows 8 is going to flop on tablets and it's going to piss off desktop users because it's so tablet focused it interferes with desktop usability. MS was much better off focusing Windows 7 mobile in the tablet space, and use the Courier as the platform to do it, but they decided to dick around some more while the competition sucked up market share like a vacuum, just like what happened to their smartphone market. It's too little, too late, and too expensive to compete in a marketplace with not one but two heavily established tablet OSes.
Re:here comes another round of litigation (Score:3, Informative)
OS X comes on Apple hardware, which Apple manufactures, and you're free to not buy such Apple hardware. Third-party sellers of the "authorized Apple reseller" type are also free to sell you other hardware, not just Apple hardware. This is in fact one of the biggest differences of all, since Microsoft is a purely software company that does not produce its own hardware (in the computer biz anyway, I know they make some peripheral hardware).
Back in the day (and far more recently than just the IE case itself, really), MS's contracts with OEMs were vastly different. Windows came on everything. Microsoft didn't make its own hardware at all, but it made sure everyone else's hardware came with Windows. OEMs had to sell Windows pre-bundled, and they weren't allowed to offer you competing OSes due to the nature of their contracts with MS (remember the days before Dell sold RedHat Linux systems?). HP computers came with Windows and IE. Dell computers came with Windows and IE. Acer, IBM, Compaq.. you get the picture. It didn't matter WHAT brand you bought, they all came with Windows and IE. This not only was a problem for Netscape and the other browsers, but was also a problem for competing OSes, and remained so well after the Netscape case. Not just Linux, but many other operating systems that have come and are now more or less gone in the same manner as what happened to Netscape, like OS/2 and BeOS. In fact litigation from Be was one of the things that helped bring this OEM contract bullshit to light, though like Netscape before it, it came too late to save Be. Litigation from IBM over the OS/2 debacle is famously well-documented and I shouldn't need to explain it. Dell itself also brought litigation alongside RedHat.
As for tablet and such devices, yes it's true that Apple ones come with Safari and generally make it difficult to install other browsers (though they are now available, if in more limited quantity and not quite the same as the 'native' on-device Safari browser). However, those are Apple devices, not, say, HP devices with iOS on them. You're free to buy non-Apple devices. Just like if I bought a Microsoft-made Zune, I'd expect it to come with IE only. Yes I realize these days "Windows phones" aren't made by Microsoft. However, I can buy a Motorola with Windows Phone, or I can buy a Motorola with Android, or.. Yeah.
So please, don't compare apples to oranges (ha). Apple's no saint to say the least and they do pull a lot of ugly shit, but the "Safari bundling is the same as IE bundling!" line is old, tired, and it's bullshit.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
Linux is already taking hold in pretty much every market except desktops...
Servers
Phones (Android, also WebOS/Meego)
HPC (see the top500 list)
Embedded devices like routers, set top boxes, televisions, VoIP phones etc...
Many people these days have more Linux devices in their house than they do Windows, and don't even realise it.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
What they do is not secret: http://waggeneredstrom.com/about/approach [waggeneredstrom.com]
Monitoring conversations, including those that take place with social media, is part of our daily routine; our products can be used as early warning systems, helping clients with rapid response and crisis management.
Microsoft are No 3 on their client list
http://waggeneredstrom.com/clients [waggeneredstrom.com]
DavidSell, ByOhTek, antitithenai, Bonch, Dtech and others are pseudonyms/sockpuppets used by the team to "guide" discussions.
Good thing there's another mobile architecture... (Score:5, Informative)
Intel's new Medfield Atom [cnet.com] will run Android phones and tablets, Tizen [tizen.org] devices, Win 8 tablets and (if MSFT gets their head screwed on correctly) Win Phone. Since the underlying firmware environment in the Medfield platforms is driven by Intel's reference design, MSFT will not be able to dictate whether other OSes can boot any more than they can in the rest of the x86 world. (Assuming OEMs will be smart enough to let customers control UEFI authentication.)
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:5, Informative)
a) OP's points are still wrong. You don't need to lock the hardware to one OS in order to prevent malware. Car analogy? No problem: It's like saying that the tire rims must be welded onto the wheels in order to prevent tire slashing. The OS (tires) can still be compromised no matter what you do to the underlying hardware, so the whole argument becomes one great big false premise.
b) there's no way to tell for certain, but it does happen a lot: http://waggeneredstrom.com/clients [waggeneredstrom.com]
c) Dude did do it incompetently. He's not a subscriber, yet there's a whole novella waiting mere moments after the story is posted publicly. His posting history also shows an incredibly strong pro-Microsoft bias, even to the point of nonsense at times.
d) see c)
As for the rest? Certainly you don't need WHQL certification to run drivers on Windows - but Joe Public will see a buttload of bells and alarms warning him if he tries to install it.
There are no major security reasons for doing it - period. Once someone has physical access, it's game-over anyway - no matter how hard you think you can lock it down.
HTH a little. /P
Re:Sounds anti-competitve to me (Score:5, Informative)
As we've seen with their IP licensing scams, all those vendors with previous or existing Microsoft licensing contracts signed on the dotted line for "protection" covering Android. So even though they don't have a monopoly on phones nor tablets they wield power from their existing monopoly in the PC segment and can be seen to be using it in demanding features which exclude other OS's from being installed on the hardware. Especially when they are not consistent with that on the PC segment. And it's very public that some businesses and organizations put Linux on devices instead of Windows specifically for better security. Example, the recent DoD migration from Windows to Linux for drone controller systems.
This will require investigating by the DOJ and not just asking if Microsoft threatens anyone. They'll have to look at lots of email and other statements to build the picture of how Microsoft coerces companies into doing their bidding. I doubt they'll put in the effort though.
LoB
Re:Sounds anti-competitve to me (Score:5, Informative)
I can't, but I'll show you the desktop monopoly that they're leveraging.
They won't for the same reason they rarely, if ever, release PCs without Windows: they don't want to piss Microsoft off by seriously offering other options.
And that's why MS is pursuing their lawsuits against distributors of Android: to inflate the costs of Android higher and higher. I'm sure we'll see another round of lawsuits and a per-device royalty fee increase if Microsoft does manage to buy Nokia's patents.
Cracked, you mean like all the Motorola devices whose bootloader chain has never actually been cracked? Whereas Microsoft can readily ignore pressure, unlike HTC and ASUS, when people pitch a fit after finding out they locked down their bootloader chain. Not that locking down a platform is good in ANY case as it only serves the vendor, not the user.
Re:Sounds anti-competitve to me (Score:4, Informative)
"First off, show me the tablet monopoly that Microsoft has."
We are not talking about tablets, unless you can show me tablets using UEFI. As far as I know, none use it (yet?).
"Second, I don't see any reason why an OEM couldn't just release the same tablet with Android preinstalled instead of Windows 8."
Maybe because we aren't talking about tablets, but real computers, which are designed to run Windows?
"In fact, it would be severely stupid not to do it"
It would be severely stupid for OEM makers not to make computers that respect the specs of the OS that more than 90% of their customers are using.
"Third, this is no different than Android having a locked bootloader. It will be cracked and people will install other OSes on it."
Again, did you realize that we aren't talking about tablets, but about UEFI secure boot, which is going to replace (and in some cases, is already replacing) your good old MBR by a (mostly, FAT) partition containing the bootloader? Maybe you should read this: http://lists.debian.org/debian-devel/2012/01/msg00168.html [debian.org]
Re:I will go without a phone (Score:4, Informative)
Why are you talking about phones? We're talking about UEFI here, which will be used for your next PC hardware... Will you do without a computer as well?
If by "PC hardware" you're referring to x86-based machines, the offending Microsoft document [microsoft.com] says:
So, just as they mandate "can't allow tweaking" for ARM, they appear to be mandating "can allow tweaking" for non-ARM.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:2, Informative)
A) Yes, actually you pretty much do. Otherwise, rootkits can be installed, completely bypassing any other security on the system. Alternatively, security holes in the other booted software (rootkit, Linux, etc.) whether intentional or not can access the file system and modify the code so as to disable Windows security.
You may not like it, but yes, doing this does make the system more secure.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
You missed the part where they demand to disable adding other keys/turning off secure boot by user - and they're only demanding it for ARM, x86 is free to have it. That's what the article is talking about, not the secure boot itself.
Re:MS Taking Aggressive Steps Against MALWARE On A (Score:4, Informative)
You don't need to lock the hardware to one OS in order to prevent malware
Yes, actually you pretty much do
That doesn't change the fact that doing so makes the device more secure.
Limiting secure boot to a single certificate and a single OS does not add any more security. If secure boot storage is not available after passing control to the verified boot loader - which is pretty much a requirement for it to be secure - it doesn't matter how many keys are in there. Disallowing manual disable - note that it is also something not available to any software after secure boot has finished its job - also doesn't make the device more secure.
Do try harder.