UEFI secure boot discussion

[BkS]

Thought I'd drop in this thread as well, and give a little heads up on the Windows 8 UEFI. UEFI is what Windows 8 will come with, however it won't stop you from installing any other OS, unless the OEM doesn't include the "Secure Boot" option in the BIOS. This is basically an attempt to scare users thinkin' about moving to Linux off.

Here's a quote from one of Microsoft's Steven Sinofsky

…such decisions are left to the OEM.  There may be good reasons why certain enterprises may not want PCs that can be configured in such a way, and there may be good reasons why an OEM or white box retailer may choose to allow that flexiblity (sic) for their customers.  It’s all about choice and flexibility...

At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks.

[Mark Greaves (PCNetSpec)]

This topic was split from:
http://linuxforums.org.uk/general-discussion/this-is-all-a-bit-different!!!/
as it was sidetracking somewhat.


UEFI isn't the problem (indeed UEFI/EFI is a good thing), it's the "secure boot" option that M$ want enabled by default that *MAY* be an issue.

More info here:
http://mjg59.dreamwidth.org/5552.html
and
http://mjg59.dreamwidth.org/5850.html
and
http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

In the comments on one of the above links, someone brings up the point of complaining to your MEP

Which may (for may, read should) raise the specter of another European Union Microsoft competition case

Maybe M$ are under the impression that forcing the OEM's to enable UEFI's "secure boot" feature as part of the "Designed for Windows 8" specification, but not specifying that secure boot must be disableable is a neat way to sidestep responsibility and won't be considered an unfair use of their market position... and they *may* be right.

But I'm willing to bet that if it gets in the way of other OS's (and hardware) being loaded/installed, that the hardware manufacturers and software developers won't take this lying down... and it may even leave the OEM's liable if they don't "explicitly" state that the PC will not be able to boot any other OS, and that simple hardware upgrades may not be possible.

Now I wonder how that would effect OEM sales.

Hell, Groklaw might even make a comeback if this becomes an issue


As I've previously stated Windows 8 is VERY unlikely to ONLY run on machines that support UEFI and have secure boot enabled... that would mean it ONLY runs on brand new "Designed for Windows 8" PC's... that would limit its market somewhat... no retail editions, or upgrade editions etc.

The final say as to whether secure boot will be an issue at all lies with the PC OEM's .. and something tells me they are not M$ fans themselves, and are unlikely to limit their hardware risking the wrath of their customers, and maybe the courts.

Also consider component manufacturers. .. do you think that say motherboard manufacturers are likely to NOT include an option to disable secure boot, thereby locking their motherboard to only one OS, and limited hardware ?

As usual, all M$ will manage to do is p*ss everyone off .. and maybe muddy the waters for a short while .. again.

[BkS]

If that was to be the case, then Windows would be treading fine waters with the Antitrust laws, and competition laws. I'll be sticking to my older hardware until it is confirmed that Secure Boot will be able to boot Linux.

[Mark Greaves (PCNetSpec)]

It would never be an issue for those that understand what "secure boot" is... just don't buy a "Designed for Windows 8" PC without first checking that secure boot can be disabled... or asking if it is Linux compatible (if they say it is... you can return it if it isn't)

Or self build.

Leaving the possible hardware upgrade issues aside, It will only really become an issue a few years down the road... anyone buying a "Designed for Windows 8" PC now, is likely to keep Windows on it (or know to have checked)... the problems will arise when the system is a few years old, and people decide "sod Windows", I'll install Linux, *then* find they can't .. but something tells me there will be a workaround by then

I suspect the only real difference it will make to Linux, is that when telling someone how to install Linux, the first instruction will probably be:-

Go to your BIOS and disable "secure boot"... or similar.

Thinking about it... it *may* cause more component/system manufacturers to label their products as "Linux compatible" which can only be a good thing... imagine, all Dell PC's and ASUS motherboards carrying 2 stickers... "Designed for Windows 8" AND "Linux compatible" .. and M$ discovering they've shot themselves in the foot again by creating an environment where hardware manufacturers feel the need to effectively provide free advertising for Linux

Something else that jumps out at me... if there is no option to disable secure boot, isn't this going to cause a major headache when you need to boot recovery and/or diagnostic software that hasn't had it's key included (so there will be no booting of recovery/diagnostic software that was made after your motherboard) ?

We all know that the Win8 UEFI signature key will be cracked and available (to malware writers, etc.) before Win8 is released anyway

[BkS]

It would never be an issue for those that understand what "secure boot" is... just don't buy a "Designed for Windows 8" PC without first checking that secure boot can be disabled... or asking if it is Linux compatible (if they say it is... you can return it if it isn't)

Or self build.

Well I kind of understand what it is, but I'd still self build, infact I'm planning a colossal build in the next couple of months =P

Leaving the possible hardware upgrade issues aside, It will only really become an issue a few years down the road... anyone buying a "Designed for Windows 8" PC now, is likely to keep Windows on it (or know to have checked)... the problems will arise when the system is a few years old, and people decide "sod Windows", I'll install Linux, *then* find they can't .. but something tells me there will be a workaround by then

I suspect the only real difference it will make to Linux, is that when telling someone how to install Linux, the first instruction will probably be:-

Go to your BIOS and disable "secure boot"... or similar.

Exactly, a few years down the road and by then it will be a little to late, especially for someone who isn't completely computer literate. What if they wanted to do a complete fresh install of Windoze or even install Linux? The windows disc wouldn't be read, unless microsoft/OEM supply a recovery disc with the keys to the firmware to allow hardware changes, and then for Linux to be installed, the developers would have to contact the OEM to have their discs signed so the firmware would read them.

If you think about it, if a complete newbie saw: "Goto your BIOS and disable "secure boot" (or similar)," their first reaction would be... It's free, and wants me to disable a security feature? No thank you.

Thinking about it... it *may* cause more component/system manufacturers to label their products as "Linux compatible" which can only be a good thing... imagine, all Dell PC's and ASUS motherboards carrying 2 stickers... "Designed for Windows 8" AND "Linux compatible" .. and M$ discovering they've shot themselves in the foot again by creating an environment where hardware manufacturers feel the need to effectively provide free advertising for Linux

Something else that jumps out at me... if there is no option to disable secure boot, isn't this going to cause a major headache when you need to boot recovery and/or diagnostic software that hasn't had it's key included (so there will be no booting of recovery/diagnostic software that was made after your motherboard) ?

We all know that the Win8 UEFI signature key will be cracked and available (to malware writers, etc.) before Win8 is released anyway

If that were to be the case, then more people would start to think, "what's Linux?". To which they then go look into to find it's free, even more secure than Windows. It's not just Dell & ASUS that are part of Windows incentives, there's Acer, HP, AMD, Intel, IBM, Samsung, etc. So the "Linux Compatible" sticker would be placed right next to the Windows 8 certified sticker... which IMO is a good thing, free advertising is what will most likely will boost our growth. It's down to the OEM to ensure they let the customers know what they're getting, and the whole point of buying a PC is so the end user has control over it, not the PC having control over the end user.

Like I stated in a paragraph above, the only way people would be able to do system dianostics, or recover their data is by Microsoft/OEMs giving the end user discs that are signed with keys. If they don't then it would cause so much upstir I reckon MS would be takin' to the courts again to open yet another case against them since the OEMs can't be competitive in a market that would be so restricted by hardware etc.

Yeah we all know that, but what has been brought to my attention is.. If people perhaps "lose" their recovery disc, and have the only option of using a pirated copy of Windows, how would they install it? because unless the UEFI has a key to which "one shoe fits every foot" then the end user wouldn't be able to install anything else rendering their PC useless, unless they can send it away to MS or some Windows 8 certified repair center?

[Mark Greaves (PCNetSpec)]

Of course it will have to be a "one size fits all" affair... you don't think they'll sign every disk differently ?

OK, OEM versions will probably have their own keys, as will VLK, retail, and upgrade editions.

There will be a limited number of safe boot signatures... and once they've been cracked, malware writers will find a way to sign their own code with the Win8 signatures, totally defeating the added security from bootable code.

Now I'm no expert on how safeboot works, so you may have to take the last sentence with a pinch of salt... but one thing is certain... time and time again, the virus/malware writers have proven themselves smarter and more capable than M$, so I know who I'd bet on

And once it's shown not to work, and does nothing more than cause Windows users issues, I don't think people will have much of a problem disabling the so called "secure boot" feature .. give people credit, they seem to quickly get their heads round the concept of not requiring AV in Linux, and that these things only exist because *Windows* security sucks so badly

Truth be told, I'd actually be a fan of UEFI if there was some kind of key management that let you add your own keys as you saw fit.


When I mentioned booting recovery and diagnostic tools, I was thinking more along the lines of Norton Ghost, and similar tools (not the M$ recovery disk) .. which you won't be able to boot unless their signatures are onboard... so any such tools released after the date your motherboard was manufactured will be useless to you... unless there was a key management facility, where you could *choose* to add the key yourself... or disable safeboot.

The more I've though/read/talked about safeboot, the less I'm inclined to think the OEM's are likely to allow it to become an issue... because any problems will fall at their door.

The home user, pissed off at HP because he can't add an aftermarket graphics card, etc.
The comany pissed at Dell because they can't use Norton Ghost, etc.

After all, it won't be M$ who have to fend off the complaints.... .

[SeZo]

Well this might be an old topic, but it is still relevant.

After all, it won't be M$ who have to fend off the complaints.... .

Since Widows 8 has hit the streets the vendor UEFI implementation seems to have started to bite (now they call it a bug)

A vendor appears to have actually written additional code to check whether an OS claims to be Windows before it'll let it boot. Someone then presumably tested booting RHEL on it and discovered that it didn't work. Rather than take out that check, they then addded another check to let RHEL boot as well.

http://mjg59.dreamwidth.org/20187.html

Perhaps it is time to list all vendors and products with broken or Linux unfriendly UEFI behaviour, so others can avoid them.