Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
ToriaUru writes "Fedora is going to pay Microsoft to let them distribute a PC operating system. Microsoft is about to move from effectively owning the PC hardware platform to literally owning it. Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux. Technically Fedora didn't have to go down this path. But, as this article explains, they are between a rock and a hard place: if they didn't pay Microsoft to let them onto the PC platform, they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?" Note that the author says this is likely, but that the entire plan is not yet "set in stone."
If microsoft controls the 'keys' (Score:5, Insightful)
How can this be legal and not an abuse of their monopoly power?
Aside from the fact you can turn it off (for now) it still sounds like a clear case of abuse to me and someone should be talking to an attorney about this.
Re:If microsoft controls the 'keys' (Score:4, Insightful)
Yeah, if this isn't "monopolistic action in restraint of trade" I'm not sure what is. MS is probably greedy enough to try something like this, but I don't think they're stupid enough to think they can get away with it.
Re:If microsoft controls the 'keys' (Score:5, Insightful)
I particularly like how the UEFI signing format only allows one key to sign it and that signature being (apparently) on the hardware. Yeah, this isn't a clear way of entrenching a monopolistic interest at all. I mean, I understand why someone would want secured, signed hardware all the way up the stack (assuming, of course that no one breaks the scheme), but it's entirely obvious how this makes it harder for the little man to get ahead in the game.
Re:If microsoft controls the 'keys' (Score:5, Insightful)
Any proper system would have the end user hold the root key for the system and they could choose (or not) to bless certs from various vendors (or just directly sign the bootloader). Of course, MS doesn't want a proper system, they want lock-in.
Re:If microsoft controls the 'keys' (Score:5, Informative)
MS doesn't control the keys; it's just that they're the ones driving the requirement so no OEM has a reason to ship a system with security enabled and not have the MS key.
The requirements for x86 hardware are that the system must ship with restrictions enabled, but the user must be allowed to disable the restrictions or add their own keys. In other words, there is nothing preventing you (the owner) from doing whatever you want with the machine. If you don't want the restrictions, simply turn them off and install whatever code you like.
The only issue is that machines with the Windows 8 logo will be required to ship with the restrictions enabled and RedHat doesn't want installation instructions that start with "disable UEFI security" or "enroll the RedHat public key".
Other options they rejected are:
1. Get all manufacturers to ship with RedHat's key in the firmware (in addition to MS's). The manufacturers had no problem with this, but there's no way they could possibly find every OEM to get them to do it, and they didn't want to be in a privileged position ("install RedHat because it's trusted by your OEM").
2. Get all Linux distros to coordinate on a single Linux key and have the OEMs add it to their hardware. This is undesirable because nobody wants to be responsible for maintaining the One True Key, and even then there would still be OEMs who don't ship with it.
In the end, the easiest thing is to pay a one-time fee of $99 to MS and have them sign a mini-bootloader that can start up grub. That doesn't sound like such a big deal to me.
Note that the issue with having only one signature on a file is unrelated. That just means a user can't realistically remove the MS key from their system because lots of drivers will be signed with it. Allowing multiple signatures on a file would not change RedHat's position.
dom
Re:If microsoft controls the 'keys' (Score:5, Insightful)
In the end, the easiest thing is to pay a one-time fee of $99 to MS and have them sign a mini-bootloader that can start up grub. That doesn't sound like such a big deal to me.
Aaaaaand... this is precisely where the control of the keys lies. No, $99 is not a big deal for Redhat. Trusting M$ won't "Ooops, lol.. guess we borked your key sign just before you had that big competing product release. Gee, sorry. We'll get that fixed right away."
Re:If microsoft controls the 'keys' (Score:5, Informative)
Re:If microsoft controls the 'keys' (Score:5, Informative)
Microsoft was found to have committed
remember that the Jackson ruling was overturned in appeal and the two sides settled out of court.
Re:If microsoft controls the 'keys' (Score:5, Interesting)
Maybe that's why Microsoft was so eager to drop in that 'no class action' thing into their EULA.
Re:If microsoft controls the 'keys' (Score:5, Insightful)
Because charging Red Hat, a billion dollar company, $99 for access to signing services is not "monopoly abuse"? The author of TFA already pointed out that nothing stops somebody from providing the same services to the Linux community, but it's difficult and expensive and they can't be bothered, so it's easier to pay Microsoft to do it for them. As can anyone else.
Secure boots and trusted computing are fundamentally a good idea. Having OEMs provide a set of root keys to control what boots is a good idea. The problem is the creator of BobLinux who wants to have thousands of random users install his random kernel is indistinguishable technically from the creator of some boot sector malware who wants to have thousands of users permanently rooted. It becomes distinguishable once you have people who check out what the software is and sign it, which is the service Microsoft are providing - for very little, actually. As I said, apparently others don't feel like offering similar services when it's expensive to do and Microsoft are offering to do it cheaply. But they could.
Re:If microsoft controls the 'keys' (Score:4, Insightful)
Uhm, this is exactly monopoly abuse.
Industry: We should support code signing to ensure a trusted compute path.
Microsoft: I agree. Let's use this scheme that makes it impossible for drivers to be signed with multiple keys simultaneously. And if you want to work on Windows (the most popular OS out there) you need to use Microsoft keys, so we have to sign it. And this all has to be turned on by default.
The Rest: Wait, wouldn't that make it really hard for anyone else to get a large amount of buy-in resulting in installation of a non-Microsoft OS very difficult?
Microsoft: *Trollface*
Re:If microsoft controls the 'keys' (Score:4, Insightful)
Re: (Score:3)
Not anymore. Have you even read what TFA is about?
Re:If microsoft controls the 'keys' (Score:5, Informative)
Maybe I should have quoted the paragraph before that too:
We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.
So yes, Red Hat could have got (some) OEM vendors to carry their key, but they chose not to. Part of the reason is that they couldn't get all of them to do it, but a big part is that very few Linux vendors could do the same (probably only SUSE and Ubuntu). Whether this is just trying to make themselves look good after finding out that the other solution wasn't workable is up to interpretation, but they're right -- getting every Linux vendor's key into the BIOS is unworkable for small (or free) distros.
Of course there won't be a generic Linux key. The entire point of a secure boot system (even an honest one) is to not run whatever some random person put up together on the street. That does not make it impossible for Red Hat to have a private key.
There's no reason you couldn't create a generic Linux key, and then only sign code that meets certain standards (basically do the same thing that Microsoft is doing with their signing program). The big problem is that verifying things is complicated and expensive, so no one (except Microsoft) wants to do it.
I agree that it would be preferable for a non-Microsoft entity to be signing the Linux keys, but such an entity does not exist right now. I hope one of Red Hat's priorities is to set one up, sometimes you have to just work with what you have.
And the reason Red Hat had to pay Microsoft is that MS's proposal only permits one key, so the hardware manufacturers can either permit RH's key or MS's key, not both.
One key per signature -- as in, I can't sign a bootloader with both MS's key and Red Hat's key. I can have both keys and sign one bootloader with one and the other bootloader with the other. They can -- and some vendors are willing to -- allow both MS and Red Hat's keys. The real problem with the one-key-per-signature (or one-signature-per-binary if you prefer) situation is that you can't use secure boot without trusting the MS key, since all of the included components are signed with it.
Re: (Score:3)
You sound really stupid yourself, considering that the technical issues are irrelevant to Microsoft's abuse of monopoly. The problem is Microsoft using their monopoly position to force vendors to ship computers with only Microsoft approved keys. Secure boot is a valid and useful feature, but preloading keys will have profound anti-competitive effects.
Actually, preloading keys prior to sale without a big disclaimer on the box will open MS to massive lawsuits. People will be buying a "Windows box" while under the false impression they're buying a personal computer with Windows bundled.
I think this would actually shake itself out pretty quickly. My guess is that the end result would be that the MS key gets installed during the "first use" process, and not as part of the build and ship process. The lawsuit will still happen, but it will take longer.
The n
Re: (Score:3)
Sigh.
Troll: "That ball's color is a mixture of red and blue."
Person: "Um, I see that ball and it's not purple."
Troll: "How does anyone interpret my post to mean that the ball is purple? Where did I say 'Purple'?"
Re: (Score:3)
Ok, if I have to spell it out from you, the DOJ used an entirely legitimate complaint against Microsoft as an excuse to shake them down. You can tell the DOJ wasn't really serious about protecting consumers, because in the end they did nothing at all to protect consumers. All they did is send Microsoft a message that they are not above paying the piper. Microsoft apparently heard that message loud and clear.
Since the previous antitrust actions were not intended to help consumers, then it would be unlike
PCs turning into a closed platform... (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
This is exactly the same as what Apple does. I am totally embarrassed and full of pity when reading your comment.
Apple doesn't prevent users from installing other OSes on Mac hardware.
Re:PCs turning into a closed platform... (Score:5, Informative)
You say that, but Apple implemented EFI years ago, and then even helped users who wanted to install Windows or other operating systems via BootCamp.
Re:WRONG!!! (Score:5, Funny)
Re: (Score:3)
Re:PCs turning into a closed platform... (Score:5, Informative)
To prove that you CAN edit files in
http://www.youtube.com/watch?v=tWAKQjJWJvk [youtube.com]
http://www.youtube.com/watch?v=dvULnO52RY0 [youtube.com]
I suspect that you didn't notice the Enable: All TextWrangler Documents drop down menu. Don't ask me why that's necessary, but changing it to everything made all the
Re:PCs turning into a closed platform... (Score:4, Interesting)
And if you aren't the target market for the App Store, better hope Apple never pulls Gatekeeper out.
Deliberately crippling software so that its utility is limited in the name of "security," even if it hinders the end-user's ability to use it, is stupid as fuck.
I expect this too. And then we can mock anyone who suggests that OS X is an open platform.
Would someone please explain to me... (Score:4, Insightful)
... how the FUCK this passes the slightest hint of anti-trust scrutiny?
Re:Would someone please explain to me... (Score:5, Insightful)
http://www.opensecrets.org/orgs/summary.php?id=d000000115 [opensecrets.org]
Sure thing hoss (Score:3, Informative)
Entry no. 3 [opensecrets.org], in between all the banks, content owners, universities and trial lawyers.
Re:Would someone please explain to me... (Score:4, Informative)
a - Choose not to use Secure Boot, and run whatever the hell you want (i.e. the current situation with regular BIOS and UEFI)
b - Add your own key to the mobo, and sign your distro with it.
Both of these are predicated on buying a motherboard or pre-built that allows you to do so. The onus is on the manufacturer to allow you to do stuff with Secure Boot, the microsoft requirements (for non-ARM architectures) do not require Secure Boot be fully locked, only that the default setting is "boot Windows 8 securely".
Re: (Score:3)
Re: (Score:3)
Most efficient? Hardly.
One thing MS could have done, for the sake of not appearing totally anti-competitive, was to put a 3rd party in charge of the process, include guidelines in UEFI for how keys could automatically be installed safely, and specify a minimum functionality set for "custom mode" so using Linux and Windows securely on the same machine isn't a binary choice.
It is
rock meets hard place (Score:3)
I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems that quite a number of large institutions like Universities will refuse to buy from them. I am not 100% sure because there are a lot of unis with microsoft-centric IT departments. Institutions with hard sciences depend quite heavily on different flavors of Unix and Linux to get work done.
Anyway... this is a disgrace and it's bound to blow up in quite a number of people's faces.
Re:rock meets hard place (Score:5, Informative)
I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems
If Dell wants Windows Certification it better not do this. Per the Windows Certification Requirements [microsoft.com], page 122:
MANDATORY. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode.
b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with SecureBoot turned off.
c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.
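The certification text quoted in the comment above refers to the PK, KEK, db and dbx databases and to Setup Mode. As an added example (not part of the thread or of any project's code), this Python code decodes the `SecureBoot` and `SetupMode` variables as Linux exposes them through efivarfs and walks the `EFI_SIGNATURE_LIST` structures in a `db` blob to show whose keys a machine trusts. The function names, the sample bytes and the two owner GUIDs are constructed for illustration.

```python
import struct
import uuid
from collections import Counter

# efivarfs paths on Linux (GUIDs are from the UEFI specification):
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",    # EFI_CERT_X509_GUID
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",  # EFI_CERT_SHA256_GUID
}
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def variable_data(raw):
    """Drop the 4-byte little-endian attribute word efivarfs prepends."""
    if len(raw) < 4:
        raise ValueError("efivarfs blob shorter than its attribute word")
    return raw[4:]


def boot_state(secure_boot_raw, setup_mode_raw):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    sb, sm = variable_data(secure_boot_raw), variable_data(setup_mode_raw)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode are single-byte variables")
    if sm[0] == 1:
        return "setup-mode"  # no PK enrolled; signatures are not enforced
    return "enforcing" if sb[0] == 1 else "disabled"


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures (PK, KEK, db, dbx)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, off)
        body = list_size - LIST_HEADER.size - hdr_size
        if body < 0 or off + list_size > len(data) or sig_size < 16 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=type_le), "other")
        start = off + LIST_HEADER.size + hdr_size
        for pos in range(start, off + list_size, sig_size):
            # Each entry is an owner GUID followed by the certificate or hash.
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((kind, str(owner), data[pos + 16:pos + sig_size]))
        off += list_size
    return entries


def trust_summary(entries):
    """Count entries per (owner GUID, kind): whose keys does this db hold?"""
    return dict(Counter((owner, kind) for kind, owner, _ in entries))


def build_list(type_guid, owner, payloads):
    """Serialise one signature list; used only to build the sample below."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HEADER.pack(type_guid.bytes_le, LIST_HEADER.size + len(body),
                            0, 16 + len(payloads[0])) + body


# Constructed sample data: one placeholder "certificate" from a vendor and
# two image hashes enrolled by the machine's owner. Not real keys or GUIDs.
X509, SHA256 = list(SIG_TYPES)
VENDOR = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWNER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_DB = (build_list(X509, VENDOR, [b"\x30\x82" + b"\x00" * 30])
             + build_list(SHA256, OWNER, [b"\x01" * 32, b"\x02" * 32]))
SAMPLE_SECURE_BOOT = b"\x06\x00\x00\x00\x01"  # attributes 0x6, value 1
SAMPLE_SETUP_MODE = b"\x06\x00\x00\x00\x00"   # attributes 0x6, value 0

if __name__ == "__main__":
    print("state:", boot_state(SAMPLE_SECURE_BOOT, SAMPLE_SETUP_MODE))
    for (owner, kind), count in trust_summary(parse_signature_lists(SAMPLE_DB)).items():
        print(f"{owner}  {kind}  x{count}")
```

On a real system, pass the bytes read from the efivarfs files named in the comments instead of the constructed samples.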
Re: (Score:3, Insightful)
If Dell wants Windows Certification it better not do this. Per the Windows Certification Requirements [microsoft.com], page 122:
Of course for Windows 9, blocking non-Windows operating systems will become mandatory on all devices.
You don't get the 'slippery slope' thing, do you? Or are you one of those 'slippery slopes don't exist' bozos?
Re: (Score:3)
Re:rock meets hard place (Score:5, Insightful)
I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems
That is not the case AT all.
It's REALLY simple; linux is not being locked out of desktops.
x86 hardware shipping with win8 pre installed needs to have:
a) secure boot functionality
b) windows 8 boot signing keys
c) secure boot functionality turned on
d) and it must be possible to disable secure boot
e) and it must be possible to load additional boot signing keys
So, linux users buying dell pcs (x86) will be able to exercise option d) and disable secure boot.
They can also exercise option e) and install a linux signing key, and leave secure boot enabled.
Linux users are NOT locked out at all.
However, if I want to try Linux for the first time, I'd like to stick in a live CD and boot it... I might be intimidated by having to go into bios first to disable secure boot. I'm very likely to be intimidated by having to install a signing key into bios first.
Redhat wants linux to "just work" without the user having to jump through those hoops so the ideal option would be to coordinate with all the oem manufacturers to get a "redhat" or at least "linux" signing key into the bios, so that the linux bootloaders can be signed against that. (The OEMs were fine with this, even enthusiastic... but the cost to do this is extremely high, and there would still likely be several cases where the redhat key was missing, leaving us with an inconsistent and annoying situation.)
The other option was to just sign the bootloader with the microsoft key; microsoft is already working with all the OEMs, and already has all the infrastructure in place. Fedora decided to piggy-back on the microsoft key and pay to get the bootloader signed by microsoft.
Is it ideal? No. But in terms of what it does for the users of linux? It's a great thing. Fedora will "just boot" in secure boot mode. Users don't have to disable secure boot to use linux, which is a good thing. Users don't HAVE to manually install a linux key into bios to use secure boot (although they still can if they prefer not to use the microsoft signed version).
The x86 ecosystem remains truly open (in that users can manage boot signing keys themselves if they wish), and trying out linux remains easy because it will boot with the default installed microsoft keys.
Overall it's a good compromise.
Note that on arm tablets the situation is entirely different. option d and e are not available, and fedora isn't getting the software signed for that platform... if you buy a windows 8 arm device you'll have to crack it to put linux on it.
$99 (Score:5, Interesting)
What the sensationalist headline and summary forgot to mention is that RedHat is paying a whopping $99 to Microsoft.
What is more worrisome and more headline worthy is that Microsoft has now become the de facto gatekeeper of your computer BIOS. Without their signature your operating system will not run.
/greger
Re:$99 ... 'Defective' Motherboards (Score:4, Insightful)
Actually (if you read the article) M$ does not get any of that $99. The fee goes to Verisoft. Microsoft is acting as the gatekeeper for the signup process.
Now I will be VERY pissed if I buy a new motherboard to build my own computer and it won't boot Linux unless I have to buy a key for $99. In such a case I would return the MB as being defective. I hope Asus and other MB makers will give me a choice of bios options when I buy a new MB.
Re:$99 (Score:5, Insightful)
Or you could... you know, turn on custom mode so that you can run any OS you like.
Or you could, you know, not allow the monopoly PC OS vendor to control the keys that allow the system to boot competing OS's.
Regardless of whether or not you _can_ turn off the secure boot, when you consider what the _majority_ of end users feel comfortable and competent in doing, what kind of barrier to entry does this raise? Would your parents know how to tweak this setting on their own, or feel comfortable doing so? I for one would not even bother attempting to ask my parents, or even some of my siblings, to go and change such an option.
Are the instructions to change this setting even consistent across hardware so that they can be easily published by alternative OS vendors?
RedHat should not have to pay a dime to MS for this IMO, and neither should anyone else. Why couldn't MS have made an option to turn on secure boot by user prompt when they first start their new computers, and require some method provided as standard in the BIOS that allows turning it on only?
They are talking about having to pay 99 USD. (Score:5, Informative)
Re: (Score:3)
Or just letting users install whatever OS they want?
That is Before Jobs thinking.
Today users are fully aware that their computers should be locked down and not allow them to do anything that The Jobs wouldn't let them do.
Wow (Score:5, Informative)
Re:"Literally" (Score:5, Funny)
I literally flew off my chair, steam coming out of my ears, when I read this!
Re:"Literally" (Score:5, Insightful)
Yes.
How is "controlling a system and getting money in exchange for licenses" not literally owning?
Up to now, their figurative owning is an "effective" ownership, as in "there are effectively no competitors in this space." However, should you know what you're doing, you could get something else with little effort. With this change, they are actually getting paid for competitors to be allowed into their space. That is de facto, or literal, ownership.
Re: (Score:3, Insightful)
RTFA. Then comment.
Re:That's it... (Score:5, Insightful)
Re:That's it... (Score:5, Insightful)
Microsoft doesn't have the right to "license" hardware. It's not their hardware, it's not even their design.
This is Microsoft forcing vendors in the corner with their O.S. once again. This is non-competitive behavior once again.
If they have such a great O.S. there is no need for locking out others. It's weak and it's sick.
Re: (Score:3)
Re: (Score:3)
They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
They went out of their way to avoid exploiting Red Hat's privileged position with OEMS to gain an advantage over other Linux distros:
We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.
Implementing UEFI Secure Boot in Fedora [dreamwidth.org]
Re:That's it... (Score:5, Informative)
Red Hat Linux started on x86; it was never "only available for the DEC Alpha" (it didn't get ported to Alpha for several years).
They are doing this so that Fedora can be installed without end users having to disable Secure Boot in their UEFI firmware settings. If you want to disable Secure Boot, Fedora will run equally well. Fedora is also going to have signing tools, so you put your own key in the firmware and then sign your own loader and kernel (giving you more control, not less). If you switch to another distribution or OS that doesn't have a signed boot-loader, you'll also have to disable Secure Boot.
This "feature" exists because malware that affects the boot loader and kernel is a real and growing problem, and there isn't really any other technical means to block it. Setting up an independent CA to sign keys for loaders and then trying to get vendors to include the CA key would be highly expensive and would still result in Fedora having a key that you don't have. As long as Microsoft will sign things cheap, it is much better to go that route (if they were to stop signing, then this would obviously change).
The alternative is to tell users that want to run Fedora to not buy hardware that has the Secure Boot functionality, but that is going to become scarce once Windows 8 ships. Here in the real world, I'd like to continue running Fedora on new hardware.
Re:Why not hardware manufacturers? (Score:5, Insightful)
I don't understand how Microsoft is at fault here. Isn't it the hardware manufacturers that are locking out everyone but Microsoft? Shouldn't the hw people be the ones to make the platform open?
You have to do it MS's way or they won't let you sell hardware with Windows on it. MS controls the certificates used in the secure UEFI boot process. You either do it MS's way or you do it your own way ... without any MS products to pre-install.
Re:Why not hardware manufacturers? (Score:4, Informative)
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
Re:Why not hardware manufacturers? (Score:5, Insightful)
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
So they must turn off secure booting in order to run another operating system. The DMCA implications aside, I'm not sure which is worse for the consumer: a 'secure boot' of Windows or a 'non-secure' boot of any other operating system?
Re:Why not hardware manufacturers? (Score:4, Informative)
I'm going to go ahead and guess the computer you are using now boots through BIOS. The non-secure UEFI is practically the same as BIOS (doesn't require a signed boot loader). We dealt with it for a couple decades now, it can't be that bad.
Re:Why not hardware manufacturers? (Score:4, Interesting)
Re:Why not hardware manufacturers? (Score:4, Insightful)
Interesting then that Microsoft provide a way for others to sign their software... which is what Fedora is doing.
Exactly - by paying Microsoft for that right. Isn't that what this whole thread has been about?
Re:Why not hardware manufacturers? (Score:5, Informative)
According to TFA, the money actually goes to Verisign, not Microsoft.
Re:Why not hardware manufacturers? (Score:4, Interesting)
They probably have no real choice; if they locked out everyone else they would essentially be monopolizing the PC market and I don't think they want to go through that court circus again.
Re:Why not hardware manufacturers? (Score:5, Insightful)
Re:Why not hardware manufacturers? (Score:4, Interesting)
Non-secure is the same as what we have now, but it isn't all that great.
I'd love to be able to tell my computer to only boot an OS that I assign, so that I know that it can't get corrupted by viruses/etc. I could boot from a signed rescue disk if something goes wrong.
The problem is that the standard won't give the consumer choice over which OSes are trusted. The choices will be MS, or no secure boot at all.
Re:Why not hardware manufacturers? (Score:4, Informative)
Erm...except it does. Try reading the article, not the badly misleading summary. SecureBoot allows the user to add new keys as trusted keys. It will be perfectly possible to generate your own key, add it to your UEFI firmware, sign your OS bootloader with that key, and ditch the Microsoft key, if you don't want to boot Windows. pjones is in fact already working on tools to help you do this.
Re:Why not hardware manufacturers? (Score:4, Informative)
So they must turn off secure booting in order to run another operating system.
From TFA:
While Microsoft have modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys
If they know what they're doing they're ok. Fedora is doing this for the rest of their users.
Re: (Score:3)
On the other hand, the Common Joe (that can't handle messing with the UEFI) shouldn't install anything in his computer in the first place.
The problem here is that the average knowledge level of the computer users is dropping meteor style: fast and speculatively. This kind of user should not be expected to be able to install an Operating System - not to mention trying to install an O.S. on a hostile environment (i.e., a Windows computer - I don't have to mention all the little artificial problems MS caused in the past
Re: (Score:3, Insightful)
Why can't I just be in control of my own damn property without being at the mercy of manufacturers?
Re: (Score:3)
You damn geeks with wires really think your pc is your property? pc manufacturers build it, we write the software. All you do is pay for it. That makes it more ours than yours. You geeks simply can't be trusted to do things in ways that ensure our profits, so we will do it for you.
now shut up and go back to playing with your wires... Leave the big decisions to us..
sarcasm-off
Re:Why not hardware manufacturers? (Score:5, Insightful)
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
G'uhgh.... once again geeks confusing a technical capability with a real-world practicality. Turning off secure boot sounds bad and raises the barrier to entry for non-Microsoft OS'es. It also complicates the newbie install experience, which is something that Ubuntu, Debian, and many others have worked for years to simplify. And now they are using their monopoly position to extort tribute from a competitor.
Re: (Score:3)
The amount doesn't matter. If someone wouldn't let you into your car unless you paid them a dollar, it would be the same thing as if they forced you to pay 99 dollars. It's still immoral to lock someone out of something they own. It's also still immoral to lock out one particular brand of gasoline.
Re:Why not hardware manufacturers? (Score:4, Informative)
Re:Why not hardware manufacturers? (Score:4, Informative)
You have to do it MS's way or they won't let you sell hardware with Windows on it.
OEMs can sell Windows 8 without secure boot. They can't put the sticker on the box that says "Windows 8 certified" without secure boot.
Re:Why not hardware manufacturers? (Score:5, Insightful)
MS is probably strongarming them.
Re:Why not hardware manufacturers? (Score:5, Funny)
But why? StrongARM processors are SOOO last decade. Besides, Windows 8 for ARM probably won't run on anything earlier than ARMv7 architecture.
Re: (Score:3)
There's plenty of fault to go around. MS is strong-arming the HW guys and the hw guys aren't even demanding lube. Meanwhile, the DOJ should be standing in the corner twirling a pair of handcuffs rather than sucking at Ballmer's ass.
Re:Why not hardware manufacturers? (Score:4, Funny)
I'm not sure I can tell which end that is anymore...
Re: (Score:3, Insightful)
I'm just wondering why Fedora doesn't include a small boot ISO that starts up, presents a simple menu, and takes the pain of unlocking the UEFI chip out of the equation.
I agree perfectly that they shouldn't have to do that, but the tech is certainly there, and most folks are sufficiently apt enough to do it (see also jailbreaking phones, etc).
Re:Why not hardware manufacturers? (Score:5, Informative)
Re:Why not hardware manufacturers? (Score:5, Funny)
Re:Why not hardware manufacturers? (Score:5, Interesting)
The UEFI spec (which Microsoft has a HUGE hand in writing these days) explicitly denies the ability to automatically install keys. They could have made it possible to do so, say by requiring it happen from read-only media, but they didn't.
It's left vague enough that it's virtually guaranteed to be an enormous pain in the ass to enable secure boot for any platform not explicitly blessed by Microsoft.
Comment removed (Score:4, Interesting)
Re:Why not hardware manufacturers? (Score:5, Interesting)
> So I'm sorry but FUD is FUD and this is FUD
No, this is a classic slippery slope. In the UEFI version that supports Windows 9, only secure boot is supported. You can't turn it off, but you can still enter a key manually when installing an Untrusted Non-Microsoft OS (UNMOS). The key is 256 characters long, and looks like a ROT13-encoded Perl script.
The version that supports Windows 10 also supports secure boot only, and still requires key entry. This time, though, UNMOSes are now called IOSes (Insecure Operating Systems.) They will run under a Microsoft-supplied hypervisor that includes mandatory hardware packet filtering.
And wait'll you see the third-party OS support strategy for PCs approved for Windows 11, code-named "Overton." The plan for Overton is that third-party OSes called PDOSes, or Potentially Defective Operating Systems, can still be run, but not on your local hardware. They will run only on cloud-hosted secure platforms over VNC.
All of this will happen because someone noticed that people will cheerfully bend over and accept restrictions in each generation that would not have been tolerated in the previous one. Evidence of this claim? Look at the history of Trusted Computing [wikipedia.org]. Starting with the innocent-sounding idea of TPMs with unique CPU ID stamps, which were fought heroically by users until the next season of American Idol came on and everybody kinda forgot about it, the people behind the curtain have gotten everything they wanted over time. All they had to do was demand a little more "compromise" than they could get at any one stage of development.
In short, everything old is new again. We are all IBM customers now.
Re:Why not hardware manufacturers? (Score:5, Insightful)
Because this does nothing to improve Windows security. The purpose is to be a barrier to entry (installation) for non-Microsoft operating systems. It doesn't have to be 100% effective, it just has to make it more difficult for non-experts to try out Linux (or FreeBSD or whatever) or to use special-purpose Linux-based boot CDs like Clonezilla or GParted.
Also, there's no guarantee at all that disabling will be "as simple as flipping a single setting in BIOS". On some machines, it might be. On others, it won't.
Re:Congratulations. (Score:5, Insightful)
> Congratulations, you are now a 'grown up'.
Sigh.
All we're saying is that it was considered a Pretty Good Thing when the mainframe era was brought down by the PC. Now, people like you are standing around cheering while the monster reassembles itself.
People older than you remember the way IBM dominated both the hardware and software sectors for many years. They held their customers hostage in every sense but the literal one. They used every technical and legal tool available to suppress third-party innovation. Eventually, people like Ross Perot, Jobs and Wozniak, and finally Bill Gates barged into the room and threw their proverbial hammers at the screen.
Fast forward to 2012. Steve Ballmer is pulling underhanded, abusive shit that would have earned him a fistbump from T. J. Watson. The rebels who once sponsored the '1984' commercial are now working feverishly to put the pieces of the telescreen back together... only this time, they're using Gorilla Glass.
Some of us are old enough to understand that this is not how things were supposed to go. If you're not so old or wise, that's fine... but by calling people who disagree with you "children," your post only shows your own lack of awareness and conscience.
Microsoft Pledges to Sell More Macs for Apple (Score:4, Interesting)
I was at 2 major industry tech conferences last month.
In every keynote and all-hands session, Apple hardware was center and present. Nothing special was made of this - just every damn computer used to demo solutions or held by a GM, VP or C-Level was a MacBook. Desktops were non-existent. Every time an iPad could be used, it was. There were a couple of minor Android appearances - demonstrating multi-platform support, or what not.
There were a few odds: The HP guys had their own gear, and the IBMers had Lenovos. Some brilliant man from SAP was sadly dragging a 'book of non-descript, perhaps Dell sourced, black plastic...
Overwhelmingly, if you wanted to look like you knew why-the-fuck you ought to be on stage, in front of 8,000 people, you went Mac.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Funny)
>Overwhelmingly, if you wanted to look like you knew why-the-fuck you ought to be on stage, in front of 8,000 people, you went Mac.
Think Different.
Re: (Score:3)
I noted the same at a Cisco show; all the vendors & booths were using iPads and Macbooks; the only PC devices were a few shared laptops in the Wireless cafe.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Interesting)
I can say firsthand that Macs have made serious inroads at Cisco, not just for mgmt but for programmers as well.
Re: (Score:3)
Or, if you're a premium-salary, in-the-spotlight kinda guy, you get a machine that looks good because looking good is an important criterion. More than tech specs, sturdiness...
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Interesting)
Maybe in a perfect world, but in the enterprise, Apple is an obstacle and something to have to work around, rather than work with:
1: Can Apple get me product announcement roadmaps so I can time IT budgets to when models are released? Nope, Apple doesn't do that. IBM, HP, Oracle, and even Dell do, as long as you sign their NDA.
2: Can Apple get me flexible hardware and software GPOs? Windows's main thing is that I can manage all the thousands of users from relatively few boxes. There are very few tools for this on Mac, and they are department level, not enterprise grade.
3: Can I get TPM chips on the laptops to ensure protection of data? Nope. FileVault 2 is decent, but can be gotten around with a modified bootsector that would set aside the drive's encryption key. TPM chips stop that cold.
4: Can I get Macs without cameras due to policies? Sure, if I want Mac Minis.
5: Can Apple give me a 24/7/365 service time with a 4 hour tech on site? In the past yes, but with the death of the XServe, the best I can do is call and wait a day for a tech to wander out.
Sorry, Apple isn't enterprise grade. They know this too -- they are making their living by being a "toymaker" and selling to the consumer. I'd love it if Apple could get some inroads into the enterprise, but right now, they are not interested in that market.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Funny)
Objections noted. Now either set up these iPads or we'll have to get somebody else.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:4, Interesting)
FOUR LETTERS:
BYOD
This is the CIO's only strategy to win. He's accountable for a desktop that needs to remain compatible with apps that he has no responsibility over. That's why XP is still there.
BYOD moves IT out of the loop - and plays to new devices.
I still remember: "Who will support these "PC computers" that departments are buying, behind the back of MIS?"
And: "These LANs that you claim are so successful in a handful of special cases, will never scale to the needs of Corporate IT."
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Insightful)
Not really. Apple machines are a PITA with weird hardware for Linux users too. All it means is Linux users will go back to building their own PCs. Box shifters will simply do a parallel line for server sales.
You're right, this boneheaded move by Microsoft is the best help they could possibly give for Linux on the desktop. Of course, that just does not let Microsoft off the hook for antitrust violations, specifically abusing its market power. I can smell a new EU action on the way, at the very least.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Informative)
> You're right, this boneheaded move by Microsoft is the best help they could possibly give for Linux on the desktop.
> Of course, that just does not let Microsoft off the hook for antitrust violations, specifically abusing its market power.
> I can smell a new EU action on the way, at the very least.
Unless I'm misunderstanding UEFI, that's not quite right. Contrary to the headline-hype, I believe Microsoft's OTHER explicit requirement for certification is that end users must be furnished with a way to disable it that's impossible to do by mistake, but entirely possible to do voluntarily. For example, flip a DIP switch, place or pull a jumper, enter a 32-character encryption code printed on a tiny sticker permanently affixed to the motherboard, etc.
Put another way, the UEFI rules won't stop a single Slashdot user from using Linux. Red Hat is paying Microsoft for explicit approval so it can sell Red Hat Linux to the OTHER potential Linux users who don't WANT to go through that much trouble to unlock their PC.
I'm sure Microsoft's motives with UEFI aren't entirely pure & MUST be scrutinized constantly, but so far, they've played everything by the book. They've guaranteed that we'll get a copy of the keys to our own systems, even if we'll have to get our hands slightly dirty to actually USE them.
Truth be told, I fear Microsoft less than the possibility of TiVO-ized Linux. God forbid, if someone decided to start giving away free laptops that are bootloader-locked to an Ubuntu variant and have advertising & "analytics" baked into the kernel & network stack, and eventually induce others to do the same thing, we're screwed. By 2020, we'll be in a position where a "free" PC hardwired to ad-supported Linux is "free", but a "non-free" "unlocked" PC costs $2,000... and can't play rented movies, run half the commercial applications out there, or access some paranoid bank web sites because it's "untrusted". *THAT* is the scenario we have to fight like crazy and ensure never happens.
For the most part, Microsoft DOES behave itself in public. It might be grudgingly-good behavior, and it probably has plenty of impure thoughts, but as long as the EU and US are keeping an eye on it, it's unlikely to try anything blatant that would give it a permanent "hard" monopoly over x86 computing architecture.
As long as anybody can download Ubuntu and install it over a "free" copy of Windows, Microsoft is legally off the hook (in the US, at least), regardless of how few people actually *do* it. Microsoft would have to be completely *insane* to give up that magic "See, we aren't a real monopoly after all because end users can theoretically install Linux!" get-out-of-jail-free card. Linux is USEFUL to them. In the phone arena, Linux is practically a cash cow for Microsoft... they make more in royalties from the sale of an Android phone than they do in licensing fees when a phone running Windows gets sold.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:4, Insightful)
I'm an engineer. I use a MacBook. It works great - the only desktop Unix to date done right. Great quality hardware, too.
By the way, does your bitterness cause you physical pain?
Re: (Score:3, Insightful)
EU will have a field day with this in court. MS, of course, will be the ones having a bad day in court.
Re: (Score:3)
Re:$99 bucks (Score:4, Informative)
It's not $99 per PC, it's a one-time $99 dollar fee for access to the dev portal. But that is beside the point. Why should they have to pay MS anything? Why is it only MS that has the certificate for UEFI?
Re: (Score:3)
Even free would be too much. MS should not be in the position of controlling what I can boot on my hardware. You really think they will not in Win9 or Win10 demand that PCs only boot with the Secure boot on?
Then it is easy enough to refuse to certify any non-MS OS.
Re: (Score:3)
Erm. Red Hat pay $99, once. Everybody else pays nothing, ever.
The $99 basically covers Microsoft's administration costs. In business terms, this is a very nominal fee - Red Hat have spent more cash than that just investigating this issue ($99 covers maybe 3-4 hours of someone's time).
It actually looks pretty reasonable.
Re: (Score:3)
Nope, you've got it wrong. To get the Windows 8 "certification", Microsoft is requiring x86 vendors to ship systems with UEFI Secure Boot enabled. They are requiring there also be a way for end users to add/remove keys and completely disable Secure Boot as well.
For Windows 8 on ARM, Microsoft is not only requiring Secure Boot, but requiring the exact opposite of x86: that it cannot be disabled or keys modified.
Note that Fedora is not planning on signing the ARM binaries; that would be releasing something t
Re:The article is wrong. (Score:5, Insightful)
This has nothing to do with PCs. Nothing. Not one thing.
This is all in reference to UEFI on ARM tablets that Microsoft has partnered up with OEMs to produce to their specs SPECIFICALLY FOR: Windows 8.
Nothing has changed here, nearly all ARM systems are locked down today by OEMs.
Do any of you expect Microsoft to produce one that isn't (zune: locked down xbox: locked down)?
You are completely wrong-- what you say is the opposite of true.
This is referring to x86, not ARM. Fedora is not going to play Microsoft's game on ARM where Microsoft has little influence. But they are going to pay Microsoft a fee to get their bootloader signed for the x86 platform so they can run in the Windows 8 world.