mirosoft latest trick

bpb101

http://www.omgubuntu.co.uk/2011/09/windows-8-secure-boot-prevent-linux-installation/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+d0od+(OMG!+Ubuntu!)&utm_content=FaceBook

they want to put on a "secure boot" that will stop other os going on to a laptop

humbert

I think Windows 8 is their tablet OS and most phones/tablets have this (HTC, iPhone).


They or Intel were looking into processor level security some time back which worried me more but I haven't heard anything more about it?

Galen

UEFI secure booting http://mjg59.dreamwidth.org/5552.html
http://www.itworld.com/it-managementstrategy/205255/windows-8-oem-specs-may-block-linux-booting

microsoft tried this rubbish before with their 'trusted' chips. Windows 8 is for desktops and notebooks too.

AnCatDubh

ah, so i can take it that there are no bugs or security holes in their software systems now that their attention is turning to signed driver chipy thingy :rolleyes:

There are probably better things that they could spend their time on like where the real and present dangers may be are, or maybe they've that one cracked already

bpb101

i think the eu will step in , the only thing the eu could do right

bpb101

Galen wrote: »

Windows 8 is for desktops and notebooks too.

ye i know , i just gave an example.

bpb101

they made mirosoft let people browers

but on what grounds?
there locking your computer to their preferences...
also people have a legal right to refuse a contract(the t's and c's u agree to when u first load any mircosoft os)

bpb101

OSI wrote: »

How is it stopping another OS from being put onto the laptop?

It's stopping unsigned code from booting on the machine yes. And to be honest, I welcome this.

There are viruses now that will lodge themselves in your BIOS code and overwrite your MBR every time you boot the machine, making detection and removal an utter bitch fest. By introducing this kind of code checking, this will be become vastly more difficult, if not near impossible.

what if i want to make my own os , (i cant)
but i have a right to develop on my personal computer

Johnboy1951

Oh, and the simple conecpt of disabling secure boot in the UEFI!!!

Do you have a reference indicating this is to be allowed?

But, even if it is, then it will be totally impractical to dual boot with Windows, because Windows will not boot with secure boot turned off.

There is a possibility, that something may be added to the motherboard which would automatically invoke secure boot when Windows is involved ...... and I guess we would all have to pay the MS price again!

Robdude

I don't understand why people are upset over this.

UEFI is not a Microsoft thing. It's a replacement for BIOS. It has a lot of features - like Secure Boot. Secure Boot is not a Microsoft thing. Any OS can do it.

All Microsoft is saying is, IF you want to be an OEM Vendor and have the Windows 8 Logo and ship with Windows 8 installed; you need to have Secure Boot turned on, by default.

Galen

http://mjg59.dreamwidth.org/5850.html

UEFI secure booting (part 2)

Sep. 23rd, 2011 07:57 am
mjg59Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background.

We became aware of this issue in early August. Since then, we at Red Hat have been discussing the problem with other Linux vendors, hardware vendors and BIOS vendors. We've been making sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:

• Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
• Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
• Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
• A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

Microsoft have a dominant position in the desktop operating system market. Despite Apple's huge comeback over the past decade, their worldwide share of the desktop market is below 5%. Linux is far below that. Microsoft own well over 90% of the market. Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up.

The final irony? If the user has no control over the installed keys, the user has no way to indicate that they don't trust Microsoft products. They can prevent their system booting malware. They can prevent their system booting Red Hat, Ubuntu, FreeBSD, OS X or any other operating system. But they can't prevent their system from running Windows 8.

Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise.

bpb101

Robdude wrote: »

I don't understand why people are upset over this.

UEFI is not a Microsoft thing. It's a replacement for BIOS. It has a lot of features - like Secure Boot. Secure Boot is not a Microsoft thing. Any OS can do it.

All Microsoft is saying is, IF you want to be an OEM Vendor and have the Windows 8 Logo and ship with Windows 8 installed; you need to have Secure Boot turned on, by default.

but they should have this optional and be turned off by default ,

Robdude

But why?

I realize there is no perfect source, but using the numbers at : http://www.w3schools.com/browsers/browsers_os.asp

Windows - 85.1%
Linux - 5.2%
Mac - 8.2%
Mobile - 0.9%

Mac users are not buying OEM Windows Machines.
Mobile users are not buying OEM Windows Machines.
A percentage of Linux users are not buying OEM Windows Machines.

Let's assume 90% of Linux users *are* buying OEM machines. In my experience, it's lower. People who run Linux are very particular about their hardware and also go to great lengths to avoid supporting Microsoft.

This impacts, optimistically, 5% of people purchasing OEM Windows Machines
95% of customers would be better off with the option turned on.

Why 'should' 95% of people either have to go through extra configuration or miss out on available security features because 5% of people don't want to have to go through extra configuration hassles?

Would you also require Linux shops to have this security feature disabled by default on all machines they sell?

bpb101

i accept that linux has a small minority and in this occanion mac are excluded
but it the same as your phone, being block to vodafone

bpb101

http://www.omgubuntu.co.uk/2011/09/microsoft-attempt-address-windows-8-linux-worries/

mircosoft say that they want manufactures to disable , disabling secure boot. for a some cert

EvilMonkey

Microsoft get enough criticism for having security features disabled by default. Now people are complaining when they look for one to be turned on.
I cant see this stopping anyone capable of installing Linux from doing so.

Pygmalion

EvilMonkey wrote: »

I cant see this stopping anyone capable of installing Linux from doing so.

As I understand it the hardware will refuse to run a bootloader that hasn't been signed with a per-device key.
If you don't get that key then it would require, at the very least, some kind of hardware hack to get it working, even if GRUB and Linux add support for it.

Enabling an opt-out software security feature in the OS and requiring devices to have locked down hardware aren't the same thing.

bpb101

added a poll , to see what everybody thinks on wheather it will go through or not

Pygmalion

What about a "Yes, but with the bootloader key printed on the PC case" option?
That seems to be the sensible way for this to go, allows modifying bootloader but only with physical access, and key could be removed in a business environment.

evercloserunion

OSI wrote: »

On what grounds?

If they were to intervene, it would most likely be on competition grounds, ie Microsoft using this to foreclose the market to competitors.

Galen

http://www.theregister.co.uk/2011/09/26/uefi_linux_lock_out_row_latest/

bpb101

"Galen http://www.theregister.co.uk/2011/09...ut_row_latest/"


i dont see how the signing keys for every linux would work.
there are thousands(over statement to raise a point ) of linux's being released every few weeks (including alphas and betas )
will they have to do a bios release every day , and will they continue to do these updates years later , decades later ???

Knasher

OSI wrote: »

How is it stopping another OS from being put onto the laptop?

It's stopping unsigned code from booting on the machine yes. And to be honest, I welcome this.

There are viruses now that will lodge themselves in your BIOS code and overwrite your MBR every time you boot the machine, making detection and removal an utter bitch fest. By introducing this kind of code checking, this will be become vastly more difficult, if not near impossible.

I agree in principle, the secure boot feature is a good idea and should be included, but only if it can be disabled by the user. My worry though stems from the view I think Microsoft is taking.

Currently one of the principle methods of Windows piracy involves loading something before handing off to the Windows kernel, which tricks it into thinking it is running on an OEM system. (Just FYI I've done work in a security field, hence why I'm familiar with how it is done, I did buy my copy of Windows) This method has been in use since Vista and AFAIK Microsoft still haven't found a way to close it. Secure boot would make this sort of piracy impossible, but only if Microsoft get their OEMs to not have the ability to disable the feature or load their own keys.

Given what Microsoft have to gain from this, and the fact that most legit non-Linux users won't even notice, I would be very surprised if Microsoft doesn't exploit this. I'd be surprised if Microsoft doesn't start encouraging the OEMs not to include the ability to disable or modify secure boot.

bpb101

people new to linux will be highly less lightly to use linux if they have to go to the end of the earth to install linux ,
f u ck this ideas of it is for your security it is to stop people changing os to linux based ,(or at lease part of )

speedbird834

I won't go through hoops to dual boot if it does happen. Not that I would like to be forced to use windows on a day to day basis - it will probably drive me to switch to mac.

bpb101

speedbird834 wrote: »

I won't go through hoops to dual boot if it does happen. Not that I would like to be forced to use windows on a day to day basis - it will probably drive me to switch to mac.

but for people who want a computer , but cant afford a mac
it is trying to force people away from linux

Galen

Besides ****ing it up for Linux users like myself, how long until Microsoft goes back to it's old complacent ways - it's no wonder that their developers are pissed.

Galen

http://www.itwire.com/opinion-and-analysis/open-sauce/50081-gnulinux-users-given-false-hope-over-windows-8-issue

bpb101

bpb101 wrote: »

people new to linux will be highly less lightly to use linux if they have to go to the end of the earth to install linux ,
f u ck this ideas of it is for your security it is to stop people changing os to linux based ,(or at lease part of )

If anything I'd say it's being done to stop people using SLIC loaders to bypass activation.

bpb101

Karsini wrote: »

If anything I'd say it's being done to stop people using SLIC loaders to bypass activation.

i dont see this begin used (invented ) only for the consumer
there some other reason , mabey it because o the activation

bpb101

how will you reinatall window .
example of what i mean is:

i build a pc , and put 8 on it
and supprize , supprize i get a virus , i need to reformat , how do i?
it wont allow me to because it a something trying to run from boot

or will it just detect 8

another problem
what if i want to run a raid (is raid on the boot system already ,not quite sure on how to enable raid , never need it )on it , that from boot , so what the story

or what the stroy with a linux pc and window 8 on a SECONDARY os .
in which linux was installed FIRST



any thoughts