Will Secure Boot Cripple Linux Compatibility?

MojoMax writes "The advent of Windows 8 is drawing ever nearer and recently we have learned that ARM devices installed with Windows 8 will not be able to disable the UEFI secure boot feature that many of us are deeply concerned about. However, UEFI is still a very real danger to Linux and the freedom to use whichever OS you chose. Regardless of information for OEMs to enable customers to install their own keys, such as that published by the Linux Foundation, there are still very serious and as yet unresolved issues with using secure boot and Linux. These issues are best summarized quoting Matthew Garrett: 'Signing the kernel isn't enough. Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen. That's going to make some people fairly unhappy.'"

"Freedom"

[bonch]

Would someone interested in Linux on these particular tablets be able to order one from a vendor with Linux (or no operating system) pre-installed? I couldn't find information on whether or not OEMs are restricted from selling pre-installed Linux versions of the tablet. The SoftwareFreedom website says "any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot." The phrase there is "ships with Windows 8," which suggests to me that Custom Boot-enabled versions could ship without Windows. Admittedly, I have a hard time seeing it as a freedom issue, as these are just tech gadgets at the end of the day. I'd rather it was framed as an inconvenience argument, not a freedom one.

Re:"Freedom"

[hedwards]

Tablets won't be able to be fully certified by MS if they don't have secure boot enabled with no way of disabling it. There may be some manufacturers that opt to have a second line for Linux, but I doubt that will be very common. The problem is one of logistics it's not that much cheaper to have a second line that supports Linux, you have to support it and QA it. But, if you just ship hardware that's supported by Linux then you lose no money on that and sell more units. Of course MS is the party here that's misbehaving.

The issue is that ultimately, they're selling these devices that can't have other OSes installed without cracking them, that's inherently a freedom issue.

Re:

[exomondo]

The issue is that ultimately, they're selling these devices that can't have other OSes installed without cracking them, that's inherently a freedom issue.

So is Apple, but more to the point nothing is stopping Linux tablets from coming to market, in fact there are lots of them out there now. If you buy a 'Designed for Windows 8' device it's no different than buying an iPad with regard to the operating system. I doubt there are many people out there who bought an iPad and are complaining that they can't install Linux on it (me included), so why should it be any different for these 'Designed for Windows 8' devices?

Re:

[Tsingi]

I have an iPad, and I have two Linux Tablets (Before you declare me crazy, I only paid for one of them, a Linux tablet.) I don't see that this is a big issue for tablets. And I build my personal dev boxes from scratch, so I doubt it will be an issue there. You can buy Linux laptops now, not sure how this will affect that. I suspect we will get around it all pretty quick anyway.

All that aside, why would I want to buy a device that will not let me install whatever I want on my computer?

Also, Bonch, pl

Re:"Freedom"

[Microlith]

So is Apple

Apple does not sell its OS to 3rd party hardware vendors and dictate how to lock down the device.

nothing is stopping Linux tablets from coming to market, in fact there are lots of them out there now

There are, but how long until MS ramps up the pressure to push Android out of the market via legal and possibly illegal means?

If you buy a 'Designed for Windows 8' device it's no different than buying an iPad with regard to the operating system.

Sure it is. The vendor is being forced by the OS supplier to set the device up in a way that precludes alternatives, and leveraging their monopoly platform to do it.

I doubt there are many people out there who bought an iPad and are complaining that they can't install Linux on it (me included), so why should it be any different for these 'Designed for Windows 8' devices?

Yeah, minorities should ALWAYS be ignored. Only the masses should ever get what they want, everyone else can go fuck themselves. Right?

Re:

[drsmithy]

Sure it is. The vendor is being forced by the OS supplier to set the device up in a way that precludes alternatives, and leveraging their monopoly platform to do it.

Microsoft has a monopoly in tablets OSes ? When did that happen ?

Re:"Freedom"

[Microlith]

And they only have to lock it down if it's 'Designed for Windows 8'

Everything will be "Designed for Windows 8" if it runs Windows.

and if it's ARM, if they don't put on that Windows 8 sticker then they don't have to do anything.

And Microsoft also doesn't have to sell them licenses they can put on devices that don't meet the guidelines.

And i'm sure Google will just rest on their laurels and just let Android die.

Google may continue to fight but all MS has to do is hinder and slow it.

if you didn't want Windows 8 you wouldn't buy a device designed for it, unless of course you're an idiot.

Go find me a motherboard or graphics card that don't have the logo. Go on, do it. I doubt you can.

What the hell. Not a few years ago restrictions like this were acknowledged as being bad. Now people can't rush fast enough to defend lock down like this, especially with Microsoft pushing it.

Re:

[exomondo]

Everything will be "Designed for Windows 8" if it runs Windows.

No it won't.

And Microsoft also doesn't have to sell them licenses they can put on devices that don't meet the guidelines.

Citation? They don't have to give them discounts, but then the manufacturers don't have to sell them with Windows either, they could sell them with Linux.

Google may continue to fight but all MS has to do is hinder and slow it.

Hinder and slow it? Android dominates MS in the tablet market as it is. And of course Google or Apple couldn't do the same to MS.

Go find me a motherboard or graphics card that don't have the logo. Go on, do it. I doubt you can.

Why? The tablet market is already saturated with devices that don't have the Windows logo.

What the hell. Not a few years ago restrictions like this were acknowledged as being bad. Now people can't rush fast enough to defend lock down like this, especially with Microsoft pushing it.

Yeah look at how the ipad has destroyed the world with its lockdown.

Re:"Freedom"

[Microlith]

No it won't.

Do you seriously think that MS is going to let a vendor ship Windows on a device without their logo on it? Doubtful.

the manufacturers don't have to sell them with Windows either, they could sell them with Linux.

We've said that with PCs as well. Look where that went.

Hinder and slow it? Android dominates MS in the tablet market as it is.

Yeah, which is precisely why Microsoft is doing their little patent protection racket against every Android vendor in the market. They want to weaken Android and raise the cost of using it so that the vendors give up.

The tablet market is already saturated with devices that don't have the Windows logo.

Go do it. I asked you to go find me core system hardware that doesn't have the Windows logo on it.

Yeah look at how the ipad has destroyed the world with its lockdown

Sure, it's causing bullshit lock down and walled gardens to spread.

Re:"Freedom"

[Microlith]

Why not? How can they control who buys Windows?

Easily. Where do you buy licenses for the ARM version of Windows 8?

But in this case Android tablets already exist and are extremely popular.

They are, but how popular will they be if Microsoft starts subsidizing the tablets to undercut Android, while pressing the "it runs Windows 8 just like your desktop!" angle?

And that's resulted in the destruction of Android and booming market dominance of Windows Phone...if you live in a reality that isn't this one.

Hey, give them time. They're just getting started with their rampage.

Windows owns 90%+ of that market, naturally that's what hardware manufacturers want to tap into, that is NOT the case with tablets.

Yeah, Windows owns 90% of the desktop market. And now you can get it on your tablet too!

And those are really destroying the world, look at how the world hates them!

The "world" is largely unaware of how computers function as a whole. But it's gotten people like you to come out and defend their spread.

those who do just choose the alternatives.

While such alternates are available. Microsoft is working hard to ensure they cease to be.

Re:"Freedom"

[SuricouRaven]

"Why not? How can they control who buys Windows?"

Because they sell it! If they don't make an OEM licence available, then the tablet isn't going to ship with windows, and they won't make the OEM licence available to any manufacturer who doesn't get the sticker. The only other way they might be able to put windows on a tablet would be buying a retail licence, but that'll likely cost more than every other component of the tablet put together.

Re:

[Admiral Burrito]

Yeah look at how the ipad has destroyed the world with its lockdown.

Rome didn't fall in a day.

Re:

[letsief]

Retail motherboards and graphics cards don't need to meet these requirements. Only complete systems from OEMs do. I think the Windows logo for those products only means they've gone through WHQL testing.

Re:

[rtb61]

Consumer rights versus software company greed.

Does M$ have the right to brick someones computer because that person wants to load a different operating system?
Does M$ have the right to enforce breaking someone's computer completely because a root kit of any description has been installed by any means?
Does M$ have the right to force the majority of non-computer technical skill to spend hundreds of dollars on 'repairs' because M$ has secretly embedded the ability to brick their computer.
Does M$ have

Re:

[LifesABeach]

From my perspective, m$ historic QA on this topic is usually flexible. I plan to buy the tablet, stick a USB up its, "port," and run linux; life is good.

"Come Bell, I have something to show you." - the Beast

Re:"Freedom"

[Darinbob]

Because when you buy a device you should be allowed to modify it. It is your private property at that point. It doesn't matter how many stupid people only use them to show off to friends, if even one single person in the entire world wants to be able to modify their personal property in a way that causes no harm to others then it is their right to do so.

Re:"Freedom"

[sjames]

Of course you're free to take a walk in your own front yard, just watch out for the tiger pits we put in. And the bear traps. OH, and the unmarked minefield. But we have done absolutely nothing to stop you from taking a nice walk in your own front yard.

Re:

[hedwards]

The problem is the same as those designed for Windows devices in the mid to late '90s. You would pay about double for that logo even though what you were buying was typically stripped of the usual chips so that the functionality could be run through Windows only drivers. Except in this case it's even more insidious as the devices themselves will have all the capabilities needed to run something else, but because of MS will be rendered incapable of doing so.

It's clear there's antitrust violations involved wi

Re:"Freedom"

[hedwards]

There is no requirement that you dominate the market to be guilty of antitrust violations. Agreements between companies to lock out other companies to this extent are going to be in violation of antitrust regulations. This isn't just an exclusivity agreement between the companies, this is an exclusivity agreement that also involves the end user and prevents access to the device by other companies.

If MS contracted them to build the devices that would be a completely different situation. That's well established and Apple, for one, has been doing that for decades. What isn't well established is the practice of withholding certification if the product is capable of running a competitors product.

Re:

[KingMotley]

There is no requirement that you dominate the market to be guilty of antitrust violations.

Yes it is. It's the very definition of antitrust.

See:
antitrust/anttrst/
Adjective:
Of or relating to legislation preventing or controlling trusts or other monopolies, with the intention of promoting competition in business.

Windows is Oranges in this case

[Zero__Kelvin]

You are comparing Apples(tm) and Windows(tm). What OS does Apple sell? What computer models does Microsoft sell? See the difference?

Re:Windows is Oranges in this case

[Zero__Kelvin]

"If the vendors want to build devices and brand them as Windows 8 ..."

So you think a consortium of vendors got together and asked Microsoft to create Windows 8, and make sure that it is the only OS that can run on their hardware and thereby reduce their market share potential?

Re:Windows is Oranges in this case

[Rennt]

Vendors were already going to make devices to run Windows 8, and everyone was happy. Microsoft specifically asked vendors to build a device that can only run Windows 8.

Re:"Freedom"

[symbolset]

This disease has an easy cure. Just don't buy it. You don't want a Windows tablet anyway. Nobody does.

Re:

[1u3hr]

I doubt there are many people out there who bought an iPad and are complaining that they can't install Linux on it (me included), so why should it be any different for these 'Designed for Windows 8' devices?

The difference is: Apple makes and sells iPads. Microsoft doesn't make the hardware. They're leaning on the the manufacturers to prevent any competition.

Re:

[pclminion]

I don't see why Microsoft, the owner of the Windows trademark, cannot impose whatever rules it wants to on manufacturers who want to put the Windows logo on their products. This was a big deal in the 90's because Microsoft already had huge platform lock-in, so it was unfeasible to ship a product that wasn't Windows-certified. But on ARM? There's no Windows ARM software available, no multi-decade legacy of crap following behind it, so where is the lock-in? The Windows logo no longer indicates a platform adva

Re:

[hedwards]

Because there are limits to what you can require. Requiring that third parties only allow your OS to be installable is significantly worse than bundling a web browser with your OS. Ultimately this sort of multi-corporation misconduct is likely to be a violation of Sherman in so far as it stymies competion and prevents the user from having the full choice of OS on the device.

This is very different from the iPad where Apple pays for the entire development process and sells it to consumers.

Re:

[pclminion]

The only thing MS is requiring is that you play by their rules if you want to use their trademark. Seeing as there is no present market for Windows-capable ARM devices, I do not see how such a requirement amounts to an abuse of monopoly status -- there IS no monopoly status in this market segment.

On the other hand, there are already plenty of ARM devices out there which do NOT run Windows. These devices are enormously successful already. You can buy one right now. You are complaining that you cannot put a n

Re:"Freedom"

[Microlith]

The Windows logo no longer indicates a platform advantage

Sorry, no. It's a HUGE platform advantage, because they can place the same logo on tablets and desktops. The catch with the Windows 8 tablet is the software is available only via the store. This is great for Microsoft, because they can say "buy the software for Windows 8 on our store, and you can use it on both your desktop and tablet!"

So they link the desktop monopoly to the tablet space, and leverage it to extend their reach into another.

A manufacturer can still make an ARM device that runs Windows and allow Linux as well -- they just can't put the Windows logo on it.

Can they? I deeply suspect that Microsoft will make OEMs agree that any and all tablets running Windows will meet the logo requirements, or they won't get the OEM agreement they want (IE no Windows for your tablets.)

The problem is stupid consumers who demand to see that logo.

And that's exactly what Microsoft is banking on. Oh and finding some way to drive Android out of the market.

Re:"Freedom"

[Sir_Sri]

Other way around. These are linux (andriod) tablet makers being paid by MS to make a Windows version. Just like phones, these will be samsung galaxy tabs, acer iconias etc. with a minor refresh/rebrand to run windows. Not windows tablets being done the other way around.

The gadget market is very different from the desktop market anyway. Right now it's an iPad market, with some other hangers on. Whether MS can change that is an open question, but it's not like you can put linux on your iPad, and it has 90% of the market right now.

Re:

[CAIMLAS]

Tablets won't be able to be fully certified by MS if they don't have secure boot enabled with no way of disabling it.

So? When was the last time you heard anything even remotely interesting from Microsoft in the consumer market? And, in the consumer market, I mean "something which can validly appeal to Joe Sixpack".

Xbox 360? Before that, what? The Xbox?

This isn't Microsoft's market anymore. People buy Windows because it runs on the computers they buy, or because they need it for games or Office.

On the other hand, people actively seek out Android and IOS (Apple) products. They've been hot sellers at Christmas for years.

Micr

Re:"Freedom"

[Anne Thwacks]

Tablets won't be able to be fully certified by MS if they don't have secure boot enabled with no way of disabling it.

IANAL, but this would appear to contravene European laws on restrictive trade practices. I can see another monopoly related court case on the horizon, and a possible way for Europe to pay of its bankers.

Re:

[amorsen]

IANAL, but this would appear to contravene European laws on restrictive trade practices. I can see another monopoly related court case on the horizon

Yes, their wrist really HURTS from last timely. SURELY they won't do it again after such punishment.

Re:

[Wesley Felter]

They'll probably make a Windows 8 version (locked) and an Android version (also locked) of each tablet. The demand for anything else is too small to bother with. People who want regular Linux will have to jailbreak.

Re:

[forkfail]

That's the thing. You won't even be able to jailbreak.

Re:

[Anpheus]

If the Android version doesn't have a (securely) locked bootloader too then yes you will be able to.

The situation with Windows 8 on ARM *sucks*, I don't like it and I don't think they should dictate to OEMs that they must not allow custom mode. In my opinion, they went too far with locking down ARM and freeing up x86. For Windows 8 x86 machines, it is required that the OEMs provide a mechanism to install alternative operating systems. For ARM, it is required that they not. This is, to me, wrong. But c'est l

Re:

[ewanm89]

Of course you can, it may require replacing a chip on the motherboard but of course it's possible with enough time and effort.

Re:"Freedom"

[Microlith]

It's hard enough that no one outside of people with access to high end rework labs and the ability to repair damaged PCBs and reball SoCs is going to be able to do it. So claiming that "it's possible" with that degree of difficulty and barrier to entry is at best a sad, sad joke.

Re:

[Darinbob]

Yes, this is the entire point. They're bringing this concept to basic general computing; people are already annoyed at having to jailbreak consumer blackboxes like phones and tablets and game consoles, and now that the masses have rolled over and wagged their tails when presented with these restrictions the powers that be are going even further.

Re:

[forkfail]

The fundamental problem is that the relative market share is such that a whole lot of OEM's won't bother with non-Microsoft hardware. Given Microsoft's market share, they won't see adequate money in it (there would be money, just not enough). Add in Microsoft's perpensity to bully and persuade OEM's, the hardware just won't be there for the most part.

And this still doesn't address the problem of not really owning your hardware, which is what this change does. You will be absolutely limited in what softwa

Re:

[viperidaenz]

Microsofts market share? Tell me, what is their huge share in the ARM powered PC/tablet market?

Re:"Freedom"

[Darinbob]

It's a freedom argument. If I purchase a device then it is MINE. I should be able to control it, take it apart, paint it a different color, give it to my kids, etc. And this freedom means I should be able to put my own software on it without permission from some bozos in Redmond.

Pre-installed Linux is only halfway there. It means I can't change the linux if I want to, or put on BSD, etc. Stop treating these devices like stupid consumer gadgets. Ok, they probably are going to be just that in practice, but that doesn't mean they should be forbidden to be more than hipster jewelry.

Re:"Freedom"

[Darinbob]

There are some cases where secure bootloaders are valid. Ie, so that only owners can modify their devices instead of just anyone who has physical access (electricity meters), rented or leased equipment (broadband routers), and so forth. Sometimes the device requires a level of trust as part of its design and the owners insist on knowing that the firmware has not been tampered with, such as encrypted routers.

Additionally there is often a market need to create a secured device to prevent or discourage third party sales or hacking. I've seen this activity common in medical equipment where there can be an active trade in in Russia or China of buying old machines and reimaging them and there's no opportunity to sue (yes a murky issue as you buy software features separately from hardware, but the end-user is legally forbidden from putting their own software on in many countries). If I go in for radiation therapy treatment I want to know positively that the hardware/firmware/software has passed FDA scrutiny.

The issue here with Microsoft and Apple is that they are huge players in the market and they're not doing this to just niche devices. With MS specifically they have a known guilty track record of antitrust activity. MS isn't going to require signing of all third party apps, they specifically want to make sure there is no competition for the operating system

It would be better overall to allow the consumer to turn on and off the trust levels on the devices. If the operating system boots up and notices that it's not on a secured system then it can just warn the user instead of refusing to boot. This way you can make things more secure without denying the consumer their right to use the equipment in any manner they want.

Re:"Freedom"

[MrHanky]

So taking away your freedom to tinker with a gadget you own is an inconvenience issue, not a freedom issue? I think it's more than rather inconvenient that you no longer own the objects you buy. It's a property issue, not an inconvenience.

Simple solution

[NeoTron]

Don't purchase any of these ARM powered devices which run Windows 8.

Re:

[drinkypoo]

Simple, yes; solution, not so much. One of the wonders of Linux is its use as a windows replacement. This is an attempt to prevent that. Sure, if you bought something with Android you ought to be able to run a non-Android Linux sooner or later, but that's not nearly as important as being able to toss Windows over for it.

Re:Simple solution

[taniwha]

Oh no - you should purchase them .... but them return them because they don;t work with Linux

Re:Simple solution

[kj_kabaje]

come on mods!! That's funny. :-)

Re:Simple solution

[SeaFox]

No, he's being serious. If you buy then and then return them opened, the store can't resell them as brand new and lose money.

Re:

[viperidaenz]

Then be told to go home because that's not a valid reason to return it? Unless they told you it was compatable with Linux before you bought it.

Re:

[Techmeology]

Unfortunately, most consumer hardware (at least when it comes to complete systems) comes somewhat paired with software (such as the OS). Have you ever tried buying a laptop without an OS installed (or with Linux as that OS)? How about a tablet without either Android (and no official way of installing your own distro) or Windows?

Don't buy the incompatible hardware. Done.

[Vandil X]

When the incompatible hardware doesn't sell, the OEMs will hear you loud and clear.

Re:

[Anonymous Coward]

I don't think /. comprises that much of the tablet market.

Re:

[forkfail]

No, not really. Linux is a far smaller market share (the only place where it dominates is 'net servers, and server farms like Google's, Amazon's, etc).

The problem with this bit by bit elimination of Linux is that it makes it harder and harder to develop Linux; it is slowly but surely squeezing Linux out.

The OEM's will play along; that's where the lion's share of the money is. Linux will wither a bit more, despite being a better tool in certain applications.

And this won't be the final push to bind hardware

What this really affects

[exomondo]

It seems to me this only affects a subset of devices that don't even yet exist. If what you want to do is run linux with virtual box and other assorted unsigned kernel modules then why would you be buying a 'Designed for Windows 8' ARM device? You wouldn't, just like you wouldn't buy an iPad to do those things. You would buy an x86 device, or an Android device, or an ARM device that is not 'Designed for Windows 8'.

Re:

[forkfail]

Camel's nose, meet tent. Tent, meet Camel's nose.

Re:

[viperidaenz]

Where are the Camel toes?

Re:What this really affects

[ClioCJS]

Myopic.

Reminds me of when drug testing started to take hold in the 1970s - "If you don't want to drug test, you can choose to work at a job where you don't." Except generally, assholism comes with built-in scope creep. Now you can't get a job at Home Depot pushing carts without having machines inspect your personal fluids to determine your off-work behavior. The simply "if you don't like X, then go elsewhere" so-called 'solution' is a fallacy, and always has been. It's a way to avoid a problem; it does not fix anything, or prevent a problem from getting worse.

Another great example - "Don't like crime in this city? Move to another city." Or "Don't like the shitty laws here? Move to another country." {And when the countries of the world unite to form a cartel of shitty laws worldwide -- for instance ACTA -- they will be far harder to fight.}

Re:

[exomondo]

Except that it's not like that at all, you don't buy a hammer if what you need is a screwdriver, just like you don't buy a device specifically designed for an operating system if you want to run a different operating system, you choose a different device. What sort of entitlement complex do you have when you get to the point of thinking companies have to build devices that are everything to everyone?

Re:What this really affects

[ClioCJS]

The same entitlement complex that those who enforce anti-trust laws have.

Also, whoosh. My point went over your head based on your metaphor that does not represent the situation at all.

A more apt metaphor would be: What if new devices started using proprietary screwdriver bits? Maybe they get a kickback from the screwdriver bit industry, or manufacture the bits themselves to pad their profit (remember the outrage when the iPhone changed its screws?). The "if you don't want that tool, buy another tool" metaphor simply does not work. You cannot use their tool because they have changed it to be less adaptable. People can buy phillips and flathead screwed devices 'til the cow comes home, but there's enough mindless consumers and people that it would not change the bottom line enough for $CORPORATION to change their ways. After another company sees the money they make, they start using proprietary screws too. Eventually, it becomes an industry trend. You can either shell out for the proprietary screwdriver, or use none of these devices. Either way, your unwillingness to go with a bullshit 'feature' does nothing to stop that bullshit from creeping into every device in existence; you merely stuck your head in the sand.

YOU actually come off as the entitled one here, except that you feel entitlement for the faceless corporations that are only interested in your money, rather than for yourself and your own freedom of market choice. You somehow feel that if they were forced to offer something that costs the same to make, but allows people greater freedom, that somehow this affects your livelihood or your "feelings" on what a corporation should be allowed to do. Unless you're a CEO yourself, you're simply loving to learn the taste of the boots you lick. In fact, simply boycotting a product does not make its shitty features go away. And corporations were originally only allowed to continue existing if they served the public good; otherwise they died a mandatory, automatic death sentence. (That is, before those same corporations and their cronies re-wrote the law so that they have more rights than actual people. Privatize profits, socialize losses, no death penalty if you're a corp, and if you're a CEO you can kill someone and not go to jail because you're deemed more important than others.)

I mean, imagine someone saying "if you don't like the fact that airbags can decapitate your baby, then don't get a car with airbags". Do you think that stopped them from coming? Now I am in danger of responding to your bad metaphor with another metaphor, but my point -- which still stands -- is that simply avoiding something you don't like does not make it go away.

It's not a "simple solution". It is neither simple, nor a solution. It is not simple to reduce your freedom of choice, and it is not a solution in any way, shape, or form. A solution solves a problem. The problem still exists. You've done nothing.

"Don't like wars over oil? Then don't buy gas!"

"Don't like abortions? Then don't have one!" (This is a trick example, as I *love* abortions. But to someone who thinks abortions represent a problem {which is not me} -- this 'solution' does not actually solve the 'problem'.)

"Don't like the encroachment of civil liberties in the name of the drug war? Then don't do drugs (alternate: move to another country)."

"Don't like cops tasering people? Then don't mouth off to cops!"

Anyone who thinks this attitude constitutes a solution has a major cognitive logic defect.

Re:What this really affects

[ClioCJS]

It's actually more like: If McDonald's somehow had magical powers which kept me from putting ketchup (my preferred condiment for chicken) onto their sandwiches, even if it's my own ketchup, I own the sandwich, and were trying to do this at home -- I'd be all for preventing them from preventing that. It's not the same as forcing them to sell ketchup (or anything anybody demands) on every burger, which is how I'd characterize my perception of how you'd characterize the situation.

Point missed ... entirely

[Zero__Kelvin]

"Except that it's not like that at all, you don't buy a hammer if what you need is a screwdriver ..."

You buy a screwdriver and use the handle to pound in nails when they stop making hammers because Microsoft uses their monopoly to drive hammer makers out of the market.

Boycott

[woboyle]

The solution (yeah, as if that will ever happen) is to boycott any and all devices that come with Windows 8 pre-installed, including x86 systems. Microsoft has to be made to understand that they are NOT the only shark in the water.

This is more than just a phone and tablet issue

[Calibax]

Right now, the ARM architecture equates to tablets and phones for many, maybe most people.

However, a number of companies (Qualcomm, NVIDIA, and others) have announced that they are developing ARM processors to challenge Intel in laptops and desktop systems. Probably they are going with ARM because Intel is being somewhat uncooperative (and maybe anticompetitive) by not letting them have licenses that would allow them to produce x86 compatible systems.

For these companies, having Windows on their ARM systems is vital. However, we shouldn't be short-sighted - restricting the ability for ARM systems to boot anything but Windows will (in the long run) benefit Intel, AMD, Via, etc. as much as it will benefit Microsoft by restricting which operating systems the upcoming ARM based systems can boot. They will either run Windows or they will run everything else, depending on the boot ROM in the system. Guess which most will chose.

Self build ARM PCs

[Techmeology]

Unfortunately, most complete hardware systems tend to come paired with software (i.e. the OS). The only people who get to choose their OS are people who build their own PCs. If this becomes too common, the only way will be if it's possible to build your own (much as people do with x86 PCs today). Of course, that still sucks for anyone who wants a mobile device, or who has old (eventually) equipment, doesn't want to build them selves, etc.

Re:

[forkfail]

That's the thing. You won't be able to. The main board will be locked into a given OS if this goes forward. And it's possible that the ARM driven video cards and such may be locked into a given driver as well.

The days of Computer Shopper style homebuilds are already pretty faded, and I doubt that it would be a viable alternative here.

knoppix and other testing / recovery secure boot

[Joe_Dragon]

knoppix and other testing / recovery tools also need secure boot.

Does networking booting work with secure boot?

Ghost?

Hard Drive Diagnostics tools (self booting ones)

Dell Diagnostics tools (self booting ones)?

Acronis True Image

clonezilla?

Memtest86+ (better and more to the hardware then the windows memory test tool)

There is alot of stuff some still dos based that is need out side of windows.

Re:

[letsief]

Yep, that's true. Any bootloader, including bootloaders on boot CD/DVDs, will need to be signed when UEFI secure boot is enabled. You'll probably need to disable UEFI secure boot when using old add-in cards, like discrete video cards, too. At least, I think you''ll have to if you want to be able to be able to use your monitor in the preboot environment.

That actually raises an interesting question though... If you have a motherboard with UEFI secure boot enabled by default, and you try to use an old vide

I predict....

[Bravoc]

There will be a "jailbreak" or somesuch available for these within a matter of hours from when they hit the street.

Re:I predict....

[Microlith]

Just like the Motorola devices, whose boot chain is still unbroken and as a result hinders the ability for true 3rd party ROMs to appear?

Signed GRUB

[Alain Williams]

As I understand it this is about what the firmware loads having to be signed. It then trusts that program to do the right thing and apply tests to ensure that other operating systems or modues are correctly signed before loading them. Ie a chain of trust.

How long do you think it will be before a signed version of GRUB (that will happily load anything) appears on an FTP site somewhere ? Either by someone cracking the signing key, or someone working late at night at an office somewhere where they have the ability to generate signed binaries and doing a bit of unrecorded extra work. There is a good chance that whoever does it will not be caught ... just pass the binary down a chain of contacts the last of which puts it up somewhere.

Revoking a key will take a lot of work, it might not be possible to do on kit that is already out in the field. They might make using this signed GRUB illegal, but on what gounds ? They would need new laws.

What man can do - man can break.

Re:

[letsief]

If GPLv3 actually forbids a useful security mechanism, then GPLv3 is broken. Some people, like Linus Torvalds, already think it is. So, if you really aren't allowed to digitally sign GRUB due to GPLv3 (which I think is highly questionable), then the right answer is to switch bootloaders to one released under a more reasonable license. If the FOSS community found themselves in that position by not creating any GPLv2 or BSD licensed UEFI-compatible bootloaders, then its going to be up to them to get themse

Re:

[letsief]

UEFI secure boot is a perfectly legitimate mechanism to secure the boot process. That's really important, because any code that executes before the OS can insert a rootkit that would be very difficult to detect. I haven't heard of an equally good alternative that is suitable for the mass market. So, I really think people should be applauding Microsoft for what they're demanding on x86 systems. I agree the situation on ARMs isn't ideal. It's really not any worse than the policies of the competition, but

Re:

[Microlith]

Maybe this is a stupid question, by why would every distribution have to get their GRUB build signed?

Because each distribution builds its own GRUB, possibly with a different version of the compiler making each one different. Unless you want to coordinate every Linux distro to use a single source for a single build of GRUB.

For something like UEFI secure boot to work, you need to sign all code that executes during boot.

Correct, however that's not the hard part. The hard part will be getting the key included b

Re:Signed GRUB

[letsief]

Honestly, I think you have it backwards. I think its less that UEFI secure boot is most advantageous to Microsoft and more that it happens to be inconvenient to Linux. The open source community, for both good and bad reasons, has made a series of decisions that make a signed code model difficult to implement (and stomach).

Forgetting about who runs the signing service for a moment, do you have a better idea of how to solve security problems with boot firmware? It's one thing if you don't like the implementation of UEFI secure boot, but you seem to be suggesting that the entire concept behind UEFI secure boot benefits Microsoft. If that's true, what is the alternative?

I don't think Microsoft particularly wanted to run the signing service. It has already given them headaches, and it opens the door for a lot of potential problems with liability. But who else was going to run it? The UEFI Forum never gave any indication they were willing to run it when the specification was being written. Given they were the natural choice, I think it's pretty clear that means they explicitly didn't want to run it. Who else was going to run it? Verisign? I'm sure that would have gone over much better... Even if things did go that route, who was going to pay for it? If Microsoft funded it, which they probably would have had to, people would have just assumed Verisign was going to do whatever Microsoft told them to.

Red Hat and Canonical have never given any indication they were willing to run a signing service either. And people in the industry did ask them to. I'm not sure they ever explicitly said no, but they certainly never said yes either.

MUST is overrated

[WaffleMonster]

I've been known to piss on requirements in specifications from time to time because they subvert my interests or they have effects I believe to be more harmful than helpful.

All secure boot does is give the computer some assurance whatever it is handing off control to can be trusted.

There is no technical way for UEFI or anything else to enforce signed drivers in the form of modules loaded dynamically at runtime. If the kernel is blessed by the computer these "requirements" are simply empty words on a page that can and will be ignored with impunity.

Secure Boot is only for UEFI Executables

[letsief]

I'm really confused by Matthew Garrett's assertion that secure boot creates problems for virtualbox, OS device drivers, and other kernel modules. UEFI secure boot only applies to UEFI executables (basically UEFI device drivers and bootloaders). Only the bootloader hands off control to the OS, UEFI secure boot's job is done. It's up to the OS bootloader to decide if it wants to check a signature on the OS. And from there, its up to the OS to decide if it wants to verify signature on other kernel modules, including drivers. If the Linux folks aren't worried about malicious device drivers acting as rootkits, they don't need to verify device drivers. It's just that simple.

And maybe if Matthew and the FOSS community are that concerned about standardized key formats for UEFI they should actually join the UEFI Forum. Red Hat and Canonical have certainly been invited to the table, but they instead choose to criticize from the outside rather than be part of the solution. Microsoft has gone out of their way to try to placate the FOSS folks here, at least on x86 (I agree that the situation on ARM is a bit different). MS will sign other bootloaders, if someone will submit one, allowing Linux folks to take partial advantage of UEFI secure boot. MS is requiring user-configurable trust anchors on x86, which is exactly what Red Hat and Canonical asked for.

I really don't understand Matthew here. He got what he wanted on x86. I can understand him not being happy with the requirements for ARM systems, but he should be ecstatic with Microsoft's new draft requirements for x86 systems.

Re:

[Junta]

If you're using a different bootloader to load Linux, Microsoft doesn't care if your system gets infected with a rootkit.

But, if a signed grub.efi exists that is *ostensibly* for linux loading but doesn't validate content it boots, then a malware could bundle that and use it to chain their malware to rootkit MS instead of linux It's not like grub can't execute arbitrary efi executables. Even if in theory the loader *could* only do linux kernels, then a malware author can still make a rootkit that has entry points that resemble a linux kernel but instead rootkits MS.

This is really the challenge in 'secure boot' in any innocu

Re:

[letsief]

The threat you identified isn't special to GRUB or even bootloaders. Any EFI executable could potentially be "hiding" a malicious bootloader, or some other malicious payload that mucks with the way Windows boots up. I think you'll deal with this potential threat exactly one way: if you find out a previously-signed EFI executable is doing bad things, you'll add the signature associated with that executable to the "forbidden list" (essentially revoking the signature), and you'll go after whoever submitted t

This will only hasten their marginalization

[jimmydigital]

I'm sure they don't realize what they are doing... but they will in time. They (unlike apple) don't sell the hardware their software runs on. Therefore.. it's not under their control how many devices are in the market that can run an OS that is so locked down. At first there may be many... but those choices will taper off as sales of linux based devices will always be less expensive. That and people don't like windows on non desktop platforms and I seriously doubt they have done enough right with the next iteration of Windows to change that perception. So in the end.. this will resemble yet another failed Microsoft mobile platform and less like the next desktop OS for the future. In the mean time.. they will continue to shed 3rd party developers as this slow motion train wreck unfolds.

Re:

[dbIII]

Maybe it will be like the DVD region locking thing. Illegal to circumvent in the USA but the rest of the world, including the hardware vendors doesn't care so provide you with an easy way to get around it.

The irony

[CAIMLAS]

Does nobody see the irony of the people blasting Microsoft in preference for Android, which is (ultimately) a closed system, mostly installed on locked-down hardware and unrootable installs?

Re:

[bonch]

When Wikipedia's blackout is over, look up timezones.

Re:

[BitterOak]

Ummm. It was posted at 6:14 PM EST.

Re:

[Atlantis-Rising]

The user is, primarily, the problem, security-wise. Giving the user the ability to opt out of the security defeats it, because had they not been a problem to start with, the security would not likely be necessary.

Re:

[jd]

Then the solution is simple. Eliminate all the users. I suggest hiring the daleks for that one, they seem enthused with the idea.

Re:

[Z34107]

This is the approach that MS supports for x86 systems, but not for ARM-based ones. I say, screw MS!

I don't see a problem with them locking down the "designed for Windows 8"-emblazoned ARM tablets. Apple proved there's a market for unconfigurable iDevices, so let Microsoft have a stab at the "it just works" crowd. x86 tablets will be just as free as Windows has ever been.

Not that I'm likely to buy either, mind you. I just don't take personal offense to Microsoft trying to sell to my grandma.

Re:Organized trolling campaign on Slashdot

[Tsingi]

Oh fuck off.

Re:

[shentino]

Give the guy a break.

He already sold his soul, that silver is all he has left to live on.

Re:

[account_deleted]

Comment removed based on user account deletion

I guess the question I want to ask

[rsilvergun]

is why isn't anyone up in arms that Microsoft is going to heavily subsidize Windows 8 Tablet & phone sales. Isn't that an Anti-Trust violation? I'm pretty sure Walmart did the same thing with cosmetics and got in all sorts of trouble...

Re:

[Microlith]

Hey FOSSies, its just MSFT copying Apple again, so quit getting your panties in a wad, okay?

Yup, we should just STFU and let the two biggest companies in consumer computing shut down all but each other as options in the market.

There will be NO CHANGE when it comes to X86, in fact part of the "designed for Windows 8" specs state that they MUST allow the secure boot to be disabled

But none of how that works is defined, so chances are each vendor will have a different way of doing it and when that happens, the

Re:

[KingMotley]

we have anti-trust laws and such to prevent them

Uh, no we don't. Our society has not agreed that monopolies are not beneficial, in fact, quite the opposite in many cases. We have laws preventing monopolies from doing certain things, but not actually preventing monopolies themselves. In many cases, monopolies are better than the alternative, and is beneficial for society.

Re:Organized trolling campaign on Slashdot

[WorBlux]

hell you got choices coming out your asses, so WTF are you bitching for? Vote with your wallet okay? But just because YOU don't like doesn't mean you get to tell ME or anyone else what device we should buy or what features it should have. If I was gonna buy one of these things, which I'm not BTW, I wanna try one of those $70 Android Indian pads the net has been buzzing about, but if I did and was actually gonna use this for real work I'd WANT it locked down, because if its one thing we've seen its that these things are giant targets for the malware guys!

First it's a matter of culture, which does and can effect every one of us. A culture where corporation control what you can or can't do with a computer is a culture detrimental to everyone. Second who has the keys? Locking your stuff up as long as you have a key is not problematic at all. What is is when the key is controlled solely by someone who is willing to sacrifice your interests and goals for the sake of their own.

Re:

[account_deleted]

Comment removed based on user account deletion

IT'S OVER

[Jeremiah Cornelius]

SOPA PIPA, the "return" of public-domain artefacts to the status of "intellectual property", "secure" boot.

My .sig is no joke. If the elite in the US and Europe were told "make the choice between keeping Corporate Capitalism or Republican Government?

I think you know that the last vestiges of the old republic would be swept away... in a twinkling.

GET THIS STRAIGHT! Democracy is MORE IMPORTANT than mere COMMERCE!

But it's too late, isn't it? Now, it's all over - except the shouting.

Re:

[forkfail]

Nice non sequitur.

Re:

[Microlith]

Which has precisely nothing to do with the issue being discussed.

Re:

[Junta]

Linux they could run WINE and then access x86 applications that Windows 8 ARM cannot.

Wine on non-x86 can't run x86 Windows applications. Qemu in theory could... very slowly, but then again that can run on Windows too. They certainly want tight control over the ecosystem from top to bottom, but they are probably more afraid of consumers getting cozy with sideloading apps instead of the more profitable 'market' rather than Linux replacing their OS at this stage in the game. They are envious of Apple's model and desperately want that for themselves.

out-innovate on it as a community better then MS can (think kinect there).

I know many examples where OSS world has o

Re:

[Douglas Goodall]

I guess it is the user facing aspect of computers that I am most disappointed with. For me, the text editor is the performance benchmark. I edit large programs, sometimes thousands of lines. Way back, I remember running Wordstar on a Wyse 50 terminal at 38400 with no handshaking required, and the code flew past. Later on in the Windows NT time, I had a code editor with what I would call a live scroll bar. You moved the scroll bar, and the text flew past, thousands of lines if that was what you were working