SUSE Slowly Shows UEFI Secure Boot Plan 190
itwbennett writes "One blog post at a time, SUSE is revealing its plan for getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot. The short version: 'For now, it seems, SLES will implement an approach similar to that used by Fedora,' writes Brian Proffitt. '[Director of the SUSE Linux Enterprise Olaf] Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader.' Just dying to know what's next? Tune in to the SUSE blog."
what is the point again? (Score:2)
does UEFI secure boot bring any value to users or only to our corporate masters?
Re: (Score:2)
I think in theory it plugs a malware hole, that the whole OS is secure from the bootloader on up.
Re: (Score:2)
Yes. Like the "malware" that allows people to use a pirated copy of Windows 7.
Somehow, I think that is one of the main reasons they went after this "secure boot" thing.
Re: (Score:2)
The best thing that could happen to Windows 8 is for people to pirate it. Perhaps they're trying to build up a false sense of value.
Re: (Score:2)
When they do it's because they want to monetize these people without losing them - hence the dualistic approach.
Using logic is indeed not hard. Parroting silly press releases without engaging in any critical thinking is easier though, as your post shows.
Re:what is the point again? (Score:5, Interesting)
Think you can disable it? Think again: who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?
Re: (Score:3)
Think you can disable it? Think again:
Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.
Re: (Score:3)
Re: (Score:3)
It is a different spec for ARM than Intel chips. The ARM version of Windows 8 does not have to maintain backwards compatibility with an existing user base. Intel Windows does have a long pedigree, and the OS will work on systems made in 2002. Given that they are trying to support computers that predate UEFI by a decade, then they can't start insisting on secure boot only.
Re: (Score:2)
then they can't start insisting on secure boot only.
Can't is a strong word in an industry where in the last few years we've seen companies abandon an entire computer architecture breaking all backwards compatibility, moving the software ecosystem from software as a product to software as a service, and one of the biggest vendors has now announced they will be competing directly with their OEM suppliers.
"Can't" is the one word we can't use to describe anything in the IT industry.
Re: (Score:2)
"Can't" is the one word we can't use to describe anything in the IT industry.
But have a look at the backlash that Microsoft received when Vista had high system requirements. Subsequent versions of Windows have tended towards better support for older systems, and not worse as would happen if secure boot was mandatory.
So until we actually see a change in Microsoft's policy, people are complaining about a fantasy future that does not match the current practices of Microsoft regarding Windows.
Re: (Score:2)
The current practices of Microsoft? You mean the current practices of a company which has in the last few year announced a change from producing an operating system that runs on an open PC architecture to announcing new plans for vendor lock-in (ARM), restrictive usage scenarios (limited app running capabilities), the start of a walled garden (Windows Store), and decided to compete directly with OEMs producing a fully closed hardware/software platform.
Regarding Microsoft's future, fantasy is the only thing
Re: (Score:3)
Think you can disable it? Think again:
Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.
It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.
Re: (Score:2)
It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.
And it doesn't mean that it won't remain part of the spec. It is all guesswork. Should you really be able to deny people have security features added to Windows because in some dystopian future those features may be made mandatory?
Should we also ban firewalls because one day the built-in firewall may be only made configurable by a paid service rather than a local tool?
Re: (Score:2)
Re:what is the point again? (Score:4, Informative)
Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.
Re: (Score:2)
Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.
Except that if a motherboard can't disable UEFI then older versions of Windows (especially x86 versions) would not boot. Remember that Microsoft's biggest competitor to Windows is older version of Windows. This is going to become even more pronounced if people reject the Metro user interface (or whatever it is called now) and stay with XP or Win7.
Re: (Score:2)
They could have tried that in the '90s but, guess what? There was no standard, so forcing OEMs to secure their BIOS would have been a much bigger effort (and Microsoft was far from the size it has now). Now it is very easy: it is included in the standard.
Re: (Score:3)
No, it doesn't, and no, it doesn't.
It does not create any extra protection for IT people to use against their users. If they break into their computers enough to install a boot loader, Secure Boot doesn't stop them from doing anything else, besides installing some unigned Linux distro.
It also won't protect your computer against any trojan or virus that doesn't install a boot loader, and that set is basicaly all of them. There are a few exceptions, of course, boot loader malware exists, it is just very very
Re: (Score:3)
The EU would probably stop them.
Re: (Score:2)
The EU would probably stop them.
So why haven't they stopped Microsoft requiring 'Windows Boot' on ARM?
Re: (Score:2)
So why haven't they stopped Microsoft requiring 'Windows Boot' on ARM?
Because they obviously don't have a monopoly there, in fact they don't even have any presence in that market additionally the product they are releasing there is not the same as the one in which they have a monopoly. It's the same deal with Windows Phones, they don't have to open that up and provide all their private APIs because they don't have a monopoly in that market. They have a monopoly in x86 desktop/laptop computers (a market that doesn't include ARM computers) - it's all there in the EU and US DOJ
Re: (Score:2)
Re: (Score:2)
Same reason they haven't stopped any of iphones or android phones from doing the same thing. Lack of monopoly on the market.
There are many things that you can do that limit competition legally. Many of these options vanish when you become a monopoly. Windows has a near monopoly in desktop market (judged to be monopoly by EU). As a result, demands to not lock down the system on x86/amd64 PC are backed by anti-monopoly legislation. Demands for the same on ARM are not.
Re: (Score:2)
DoJ.
Re: (Score:2)
The DoJ is too busy suing states and trying to continue voter fraud to get involved in this
here's hoping.. (Score:2)
Seeing how Microsoft is currently pissing off Hardware vendors (and surface i
Re: (Score:3)
Yeah, I know that. Do you know what random typos are?
I'm getting tired of passive-aggressive gestures of submission by AC's.. I mean, I get it, but still.
Re: (Score:2)
Did you know? The word "hardware" is not a proper noun...
Some people [ancientfaces.com] would like to have a word with you.
There's a totally open source verified boot (Score:3, Insightful)
running on Chromebooks. All source is there. You can download it and study it and build something good on it.
So what are the "open source OS companies" putting all their effort into? Satisfying a closed, proprietary system designed to lock users in. Very disappointing.
Re:There's a totally open source verified boot (Score:4, Interesting)
UEFI is a standard. It's not a codebase. There's no reason there can't be F/OSS implementations of UEFI, and indeed Secure Boot - SB relies on asymmetrical key signing, which of course can be perfectly well implemented by F/OSS code. In fact, I think there's a partial F/OSS implementation of UEFI and SB for qemu already.
All that fighting for nothing? (Score:4, Insightful)
I don't get it.
So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?
You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.
Playing along here is NOT THE ANSWER. Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufactures who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first). They're going to realize this mighty fast and either produce cheaper "Linux" versions of their motherboards without UEFI restrictions (or even better, without UEFI at all)- or just drop the whole Secure Boot thing all together.
Again, playing along with this mockery is the WORST POSSIBLE THING anyone could do. It's like letting the Germans into your country during 1945 because they promised they'd only ask for your papers when you're entering or leaving your own city. How long do you think it'll be until they have the same guards stationed everywhere? Train stations, food stores, clothe stores... How long before you're walking down the street in your own community and you're getting stopped for papers, only blocks away from your house?
I'm sick and tired of people saying "it's only the bootloader man, chill". Yeah, it might be today. What about tomorrow, when they drop the ability to manually disable Secure Boot permanently? What then, huh? Well, then Microsoft has the power to revoke your keys and doom your operating system to death. After everything Linux has been for, after everything Linux has stood for- why the fuck would you EVER want to give Microsoft this power?
Fedora, Ubuntu, and SUSE can kiss my fucking ass. All these distributions are a disgrace. A total fucking disgrace. The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch". So what if your users have to manually disable Secure Boot for now. At least then they'll realize what is going on here and you might actually educate a few of them as to why CLOSED PLATFORMS ARE BAD.
-AC
Re: (Score:2)
Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.
Ah, well at least you're putting forth a calm and rational argument.
Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufactures who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first).
This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?
It's like letting the Germans into your country during 1945
This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.
The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch".
Says the anonymous coward.
I have several times
Re: (Score:2)
Ah, well at least you're putting forth a calm and rational argument.
It is rational. It just isn't calm.
This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?
agreed. this argument doesn't make much sense.
This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.
why? the whole nazi police state reference is a perfect analogy with the top down lock down that is signed UEFI. Sure, today, it can be disabled, but the slippery slope does apply here.
Says the anonymous coward.
In free societies, anonymity is perfectly acceptable. the argument stands or falls on its own. demanding id just demands an argument from authority. the only thing you might gain is slightly higher confidence in the speaker, but that doesn't p
Re: (Score:2)
It's like letting the Germans into your country during 1945
Learn a little history. In 1945, the War was ending. The Allied Forces were squeezing Germany like a lemon. Hitler was ordering that all industries, military installations, machine shops, transportation facilities and communications facilities in Germany be destroyed. German military leaders were committing suicide left, right, and center. There were probably untold thousands of German civilians fleeing the country in 1945. None of them would have been stopping people and asking for papers. They woul
Re: (Score:3)
I don't get it.
So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?
Secure Boot is not new.
Another case of trusted boot is the One Laptop per Child XO laptop which will only boot from software signed by a private cryptographic key known only to the OLPC non-profit organisation. However, the laptop and the OLPC organisation provide a way to disable the restrictions, by requesting a "developer key" unique to that laptop, over the Internet, waiting 24 hours to receive it, installing it, and running the firmware command "disable-security". The stated goal is to deter mass theft of laptops from children or via distribution channels, by making the laptops refuse to boot, making it hard to reprogram them so they will boot and delaying the issuance of developer keys to allow time to check whether a key-requesting laptop had been stolen.
Hardware restrictions [wikipedia.org]
Secure Boot makes a great deal of sense.
Secure Boot is biting the geek in the ass because of his pathetic dependence on affordable hardware designed and built for the mass market Windows platform and because he has had damn little influence or control over the explosive evolution of a mobile market defined and shaped by Apple.
You do not gain converts to Linux by disabling low-level hardware security in Windows.
You do not gain converts to Linux by encouraging
Re: (Score:2)
Re: (Score:3)
Erm, the person who posted the message is not as important as the message's content. In fact, the identity of the poster is almost completely irrelevant.
Re: (Score:2)
To make statements as bold as his without actually standing behind them damages the credibility of the statement itself, and makes one suspect trolling. When said AC proceeds to Godwin the whole discussion and compare a situation in IT to World War 2, it becomes clear why ACs are generally reviled.
One of the reasons to post AC is that you know your post is so ridiculous and out there that theres a 50/50 chance it will get flagged as the flamebait that it is. GP basically said "if you dont agree with me yo
Re: (Score:2)
his argument is spot on.. obviously since the only thing you could critique was his anonymity and his nazi reference...and honestly, the former is perfectly acceptable in a free society, and the latter isn't all that far off base.
Re: (Score:2)
Until countries are invaded and millions killed, no, it isnt like the Nazis at all.
Slashdot has gone batsh*t crazy (Score:5, Informative)
I'm used to a little bit of healthy paranoia here, but the amount of FUD and flat-out misinformation in Slashdot's UEFI reporting is frankly astonishing. Let's get a few things straight.
UEFI is not a Microsoft technology. It is an industry standard intended intended to replace the archaic x86 BIOS. Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. You can freely download the full specification [uefi.org] from the uefi.org website.
Secure Boot is part of the larger UEFI specification. See section 27 for the technical details. Of particular interest to Slashdot readers will be section 27.7 which describes the key update mechanism.
Secure Boot is intended to solve the real-world security problem of boot-time malware. No operating system can defend against malware at boot-time; this would be equivalent to defending against the hardware itself. If it helps, imagine how you would defeat a keylogger embedded in your keyboard.
Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure. (I am defining "full-proof" here to mean the keys and hashes involved are adequately difficuly to brute-force with modern hardware. I am also explicitly discounting scenarios outside of UEFI's area-of-responsibility, such as vulnerabilities in the operating system's signed image.)
For some real irony, see the Slashdot article Windows 8 Secure Boot Defeated [slashdot.org]. Both the headline and much of the discussion in this article were flat-out wrong. The exploit in question targetted the legacy BIOS and MBR. This is exactly the problem that Secure Boot addresses, and it reinforces the need for this technology.
Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in. Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely. I concur that Microsoft's treatment of ARM is a dick move, but is also typical for other vendors in that market segment. In either case, remember that Secure Boot is a logical solution to a real-world problem affecting all operating systems, and evaluate it on this merit first.
Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.
Links:
UEFI membership list: http://www.uefi.org/join/list/ [uefi.org]
UEFI specification: http://www.uefi.org/specs/agreement [uefi.org]
Re:Slashdot has gone batsh*t crazy (Score:5, Insightful)
UEFI is not a Microsoft technology. It is an industry standard intended intended to replace the archaic x86 BIOS.
OOXMLz [wikipedia.org] is a standard as well. Your point being?
Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure.
I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.
Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in.
True, and yet... it can be used as such. Excuse me, I meant it is already being used as such (see Windows 8 on ARM).
Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.
You are free to decide what to use. Just tell me: what will you do when the parts that allow you to edit the key database stop being manufactured? What will you do when, say, the graphics cards you want to use require UEFI to protect their HDMI hardware? It will happen, and rather sooner than later.
Remember: it's not paranoia when they are out to get you. And they are, oh how they are.
Re: (Score:3)
Video cards have HDCP now and they don't need UEFI to lock it down.
Re:Slashdot has gone batsh*t crazy (Score:4, Interesting)
But HDCP is also weak and has already been defeated. Secure Boot could make it hard for instance to put in a driver that would accept non-HDCP links.
The problem is that Secure Boot is a solution looking for a problem. Boot-time malware can already be detected in software, is really hard to pull off, can be secured by not allowing software other than the OS to access the boot records and wouldn't be a benefit to anyone if it was undetectable.
Re: (Score:2)
video cards still have VGA or DVI ports with analog.
Also most laptops have HDMI + VGA out and lots of projectors setups are only cabled for VGA. Note I said cabled they have DVI / HDMI now but the cables in the rooms and switchers are VGA only on most of them.
Re: (Score:2)
Yes but 1080p or 120Hz won't work over the analog line and HDCP ensures that the WHOLE SCREEN will show static when any piece of it displays a DRM-protected piece of media and the output is not HDCP secured.
I work with high-def video in scientific systems and HDCP is a big pain in the neck as it will come on whenever and overlay static (even when no DRM is playing back especially in Windows 7). Disabling it is fairly easy but I can see where Secure Boot will refuse to boot Windows 8/9 if we don't have HDCP
Re: (Score:2, Insightful)
But it is paranoia when you assume people are out to get you and ignore the facts of the matter. Facts like:
1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.
2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.
3. The Secure Boot specification requires that it can be d
Re: (Score:3)
1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.
This IS THE PROBLEM. One should not have to go buy a different machine to run a different OS. Anyone who OWNS the machine should be able to install AND BOOT any OS they want. Your words are weasel words trying to make the problem look like it isn't there.
2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.
More stupid weasel words. The problem is not that they might stop selling hardware to be used for Linux. The problem is they won't be selling hardware that allows its OWNER to easily and securely change the OS (e.g. disabling UEFI is the wrong way to i
Re: (Score:2)
Anyone who OWNS the machine should be able to install AND BOOT any OS they want.
This is just plain false. Anyone who OWNS a machine should be able to use that machine as the manufacturer sold it. Period. If you buy a machine that says it is Linux compatible, then you should be able to boot Linux. If you buy a machine that says it is OS agnostic, then you should be able to boot any OS you want. If you buy a machine that says it runs Windows 8, then you should be able to run Windows 8.
Nobody is required to produce a product to your liking, ever.
Nobody is stopping you from doing wh
Re: (Score:2)
Of course nobody is required to make general-purpose computers easy to modify -- but the market can, and should, reject efforts to make har
Re: (Score:2)
Yes, the market can do whatever it wants. But please, don't try to claim that the people commenting on this article are supporting 'the market'. The number of people who will put an OS other than the one it came with on any device (computer, tablet, phone, embedded devices) is vanishingly small. There is zero market for devices that let you do that. I don't see much acceptance of that on here.
The market can reject it, true. The market should reject it? Why? If the vast majority of users don't care i
Re: (Score:2)
Simple: Artificially limiting the uses to which secondhand hardware can be put reduces resale value.
Re: (Score:2)
Haha! That is a good one. So this tiny percentage of people who can't influence the device manufacturers are going to have a significant impact on the USED market? Seriously? And how many people care about the resale value of a relatively cheap item anyway?
Re: (Score:2)
This has yet to be seen.
The people in the business of buying old hardware (which has often had its OS wiped) and reselling it for use, to start with.
Re: (Score:2)
1. UEFI Secure Boot is only required for Windows 8 Logo certification.
How many instances of Linux today are running on MS certified hardware? I'd be willing to bet most x86 Linux boxes were sold with XP or W7 stickers. What is going to happen to that segment of the open source ecosystem?
2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux?
Sure, Linux is a multi-billion dollar SERVER market. Are OEMs selling internet appliances to
Re: (Score:2)
I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.
You don't have to ask for permission - you just have to configure your computer to boot it. If you stick an Ubuntu CD in a PC that isn't configured to boot off of CD, it won't run that either unless you "ask for permission" by telling it to boot from CD.
On amd64 at least you'll be able to disable it if you want, or configure it with your own keys, so that MS won't be able to install something on your PC without asking YOU for permission.
Re: (Score:2)
On amd64 at least you'll be able to disable it if you want
For now. Microsoft has already declared the preferred configuration by requiring it on ARM.
Re: (Score:2)
I am afraid you missed my point: its being an standard, either "just" an industry standard like UEFI or an ISO standard like OOXML is irrelevant. The problem is it allows lock-in, as shown on Windows 8/ARM, and that is bad.
Re: (Score:2)
Excellent post. I have several times thought about pointing out these same points on UEFI, but always gave up. I figured "no point - it'll get modded down because people don't want to hear".
on x86 systems. (Score:2)
Oh ok. So it's all good and fine on x86 systems. Lets completely ignore the amount of "computing devices" which are today being released on an ARM platform rather than x86.
I was looking forward to UEFI and ARM devices with a proper BIOS and a way to run various operating systems on them. I mean we currently have people running Android on iPhones and on PCs, we have small embedded ARM devices running Linux, but who cares about that when in the future the vast majority of ARM devices will be locked to Windows
Re: (Score:2)
Why, exactly, do you expect the "vast majority of ARM devices will be locked to Windows only"? There are millions of ARM devices in use today, with the Windows marketshare being approx 0%. Do you expect Apple and all the Android device makers to just give up and switch to Windows-only? The idea is ludicrous. The only way that would happen is if Microsoft produces such a superior product that people simply stop buying Apple and Android. Do you forsee that happening?
Re: (Score:2)
The existence of an alternative platform to x86 will invite the microsoft certification. This has happened time and time again and there have been major court cases about people being allowed to put the coveted windows logo on their hardware. Windows 8 may be a flop but the existence of Windows on ARM at all lends weight to ARM being a viable alternative to the x86 platform in the future. In that case I actually truly expect the majority of ARM devices capable of running multiple a full blown OS to tend tow
Re: (Score:2)
While I'm all for getting rid of lock-in, the fact is that almost all arm-based system in consumer use have locked bootloaders already. Just about every android phone in use falls into this category (and yes, I know the sliver of market share held by Nexus devices are an exception).
Re: (Score:2)
This doesn't really counter the argument against vendor lock-in. Also the vast majority of ARM devices are actually NOT bootloader locked. Just go and check the compatibility list for Cyanogenmod.
Anyway the main point of my post was that there's a significant number of people who are interested in doing with their devices whatever the hell they want, and this even includes installing Android on an iPhone. People want to do this and given it's their hardware we should not be promoting systems to prevent this
Re: (Score:2)
The scheme is poorly designed. THAT is all the reason in the world to fight it every way possible. That and say BS to Anonymous Coward posts. I bet you are one of those Microsoft people, too. The correct way to do this is for the "chain of trust" to be rooted at the owner of the computer, not some corporation, not YOUR employer, and not Anonymous Coward.
The BIOS can do it this way. Start with a hardware feature that does not allow OS access to (write) BIOS code or data once BIOS "flips the switch" to t
Re: (Score:2)
Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in.
No, it's implicitly a tool for Microsoft lock-in.
Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely.
For now.
Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.
When Windows 9 comes around, and Microsoft w
Re: (Score:2)
If Microsoft forced vendors, or even coerced them into something like that, there would be more antitrust trials both in the US, the EU, and probably a few other countries. It wouldn't be profitable no matter what, so they won't do it even if you think Microsoft is out to get you. It really is that simple.
Re: (Score:2)
They could refuse to certify their hardware, which would likely cost them any discounts on licensing.
Note that if this happens with Intel-based hardware, there will likely be an immediate anti-trust reaction, at the very least in EU, and also quite likely in US as well.
It might be easy enough for us.... (Score:5, Insightful)
Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system. That alone is reason enough to complain about it and object to it.
As it stands now the UEFI standard doesn't specify how the user can install a custom trusted key.
IMHO, hardware vendors should be required to leave the trusted key set empty from the factory. UEFI should then have a standard prompt to enable secure boot and install a key found on bootable media. If Microsoft were forced to guide the user through the same process that a linux installation would require, this process would get the attention it deserves to make it as user friendly and standardised as possible.
Re: (Score:2)
Re: (Score:2)
Absolutely, why not? Nobody is required to produce something just because you want it. No doubt some people would find it very interesting to be able to modify how the processor in their computer works (change the pipelining, add scalar processors, etc). Does that mean that processor manufacturers should be 'required' to only build processors out of discrete components? Is it OK for them to make it harder for people to modify the processor by using chips?
Re: (Score:2)
Re: (Score:2)
It's not a question of produce what you want. It's a question of use a device you now own.
It's one thing to not manufacture an ARM tablet because consumers don't want them, but it's quite another to manufacture and sell them, then explicitly prohibit the user from doing something with their device which it should be perfectly capable of doing for no other reason than vendor lock-in. I use ARM as an example because that's exactly what has happened. ARM Windows devices have Secure Boot enabled with no option
Re: (Score:2)
But there's the thing. This does not affect devices you now own in any way, shape, or form. This affects devices you may own in the future.
So you are saying it is a matter of produce what you want. What is being produced (in the future) is Windows tablets. Why should they be expected to do anything other than run Windows? They are advertised as Windows tablets, they are sold as Windows tablets, and that is what you get - a Windows tablet. Just because it is made of components that could be doing som
Re: (Score:2)
And that's the scary change I'm talking about. We're talking about a change from buying hardware and software and mating them to buying hardware with software with no flexibility or customisation. Do a survey on Linux / Mac users who are also gamers and find out how many people dual boot.
We as a species are dragged silently into a world of complete corporate control. If the world was like this 30 years ago then there would never have been a Personal Computer.
Re: (Score:2)
It's one thing to not manufacture an ARM tablet because consumers don't want them, but it's quite another to manufacture and sell them, then explicitly prohibit the user from doing something with their device which it should be perfectly capable of doing for no other reason than vendor lock-in.
So where was the uproar over locked CPU multipliers? Or locked GPU pipelines? Or fixed BIOSes?
ARM Windows devices have Secure Boot enabled with no option to disable. This means you can't install Android on it if you want to like you can on say an iPad.
So buy an iPad if that's what you want. There are devices that let you hack around so if that's what you want to do then buy them and support the companies that provide you the products you want. Are you also complaining about the inability to install iOS on an Android tablet? There's no reason they couldn't allow that, but they do prevent it. Just like with CPUs there are ones that have unlocked multipliers so if
Re: (Score:3)
Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere - maybe due to a huge marketing push by a vendor.
With virtualization, joe average user can try another operating system even in the world of UEFI's Secure boot model. Even today Linux distros become just another "app" joe can download to joe's Microsoft desktop and run.
There are some downsides to this. Any killer app for Linux becomes also a killer app for Windows. The experience of moving from Metro or Aero to s
Re: (Score:2)
Of course, as a Convicted Monopolist, Microsoft can report these Linuxes as viruses or trojans and refuse to run Linux virtual machines.
No, as a convicted monopolist they are under much more scrutiny than other companies such that they don't abuse their position. I don't understand this perception that they are a convicted monopolist and somehow that means they can get away with anti-competitive practices, it means the opposite, they are a convicted monopolist so every competitive move they make is scrutinized by the US and EU.
Re: (Score:2)
Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere
Booting Linux was once just the providence of the enthusiast.
If Joe Average doesn't know Linux exists, then booting Linux remains the sole province of the enthusiast.
For Joe, maintaining two operating systems, software libraries, and skill sets has all the appeal of root canal. What he needs to see is the "killer app" that makes the pain worthwhile. The FOSS app that hasn't been ported to Windows.
Name one.
Re: (Score:2)
Are you suggesting that if I sell somebody a phone it shouldn't be able to boot unless they insert an install SD card or such? Or does this just pertain to PCs? Most people buy PCs with pre-installed OSes. Is there really any value to making it so that those PCs can't be booted without sticking in a CD as the first step?
And if that happened, how would that help? Anybody with a Windows PC will have stuck in the Windows CD, which will install the MS key and now it won't boot linux when they want to switch
Re: (Score:3)
There are a couple of ways to get a linux install working right now. You could boot a liveCD or USB, which obviously requires you to obtain the correct media and tweak the boot order in the BIOS first. Getting the user to tweak UEFI probably won't add too much difficulty for someone who can already accomplish this, but it is an additional step that may have great big scary warnings all over it.
But what about running something like ubuntu's windows installer? This reboots into linux from a virtual disk that
Doesn't seem so bad (Score:2)
Maybe this is more of an issue with machines that have Windows pre-installed but I'm upgrading my motherboard and it has UEFI and the gentoo wiki doesn't make it seem so bad.
http://en.gentoo-wiki.com/wiki/UEFI [gentoo-wiki.com]
Laptops, of course are going to be an issue.
Re: (Score:2)
Current motherboards with UEFI don't support UEFI Secure Boot. Once Windows 8 comes out, they'll basically be required to support it by Microsoft, who's forcing all OEMs to ship Windows 8 PCs with Secure Boot enabled.
Re: (Score:2)
Having Secure Boot enabled is NOT an issue, by itself. A badly designed Secure Boot is the issue. It needs to have a means to allow the OWNER of the machine to indicate which systems are to be allowed to boot, while still having the means to verify that those OSes have not been altered. Too many OEMs won't do this because the UEFI/SB standard does not require it.
The chain of trust is WRONG for this (Score:2)
But it is the ROOT of the chain of trust that is wrong. Instead of some corporation being the root of trust, the owner of the computer should be that root of trust. A proper UEFI boot system needs to include an option in the BIOS to add ANY boot partition (such as the new OS you just installed) as trusted. That same menu should allow you to delete trust for any, as well. When you add trust, it scans the image to be loaded, calculates a checksum, and stores it into an area of Flash memory that can only b
Re: (Score:2)
That's pretty much how it works, except that instead of containing a list of boot loader hashes (which would require you to edit every time the boot loader is updated), it contains the list of valid signatures. But you can clear that list (thus revoking MS key), or add your own. The reason why Linux distros are signing their loaders with MS key is that it's the one that will be in the list by default on any PC that has "Certified for Windows 8" sticker on it (i.e. 99% of those sold via retail channels), and
It is a trap - control over the OS (Score:2, Interesting)
Re: (Score:2, Informative)
Re: (Score:3)
Only for ARM based systems. Microsoft has stated that all Windows 8 branded x86 PCs must have the ability to disable secure boot.
Sure, they say that now. Soon it will be optional, then it will be required that secure boot be unable to be disabled.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
They already do so on many linux (android) phones. The entire thing is old news in ARM world.
Re: (Score:3)
You havent used an apple product recently, have you?...
Linux runs just fine on my Macs.
Linux does have a spokeperson (Score:5, Insightful)
It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.
What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack
Do not forget, there exists a spokeperson for Linux - Linus Torvalds
It's up to Mr. Torvalds to decide which direction Linux should proceed on this UEFI issue
Re: (Score:2)
What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack
How? What can they do? They are kernel developers, not bootloader developers. Maybe GRUB and LILO developers could get involved but i don't see why the kernel developers have any interest/responsibility in it.
Do not forget, there exists a spokeperson for Linux - Linus Torvalds
And don't forget Linux is just a kernel, Linus is the spokesman for the kernel.
Re: (Score:2)
Don't knock it till you tried it. I mean, people have no qualms talking about Ubuntu with a straight face here... wtf is up with that?! OpenSUSE is as awesome as they can be in a crappy world.