Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Secure Boot Lock Out

  • 21-03-2015 6:20am
    #1
    Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭


    It appears that MS have issued specs for their OEM suppliers which include a change in the Secure Boot requirements.

    This provides for OEMs to install Win 10 with the UEFI locked so that any OS which does not have Secure Boot provisions cannot be installed on that hardware.

    This would of course lock out not only all versions of Win prior to 8 but also most other operating systems.

    We know this 'Secure Boot' was bad from day one, and this just seems like the next logical step from MS.

    The third step maybe at the next MS major release (12?) will likely be to demand a locked down secure boot so the OEM has no choice at all.

    http://arstechnica.com/information-technology/2015/03/windows-10-to-make-the-secure-boot-alt-os-lock-out-a-reality/

    http://www.tomshardware.com/news/windows-10-system-requirements,28798.html


    All I can think of is the 2 year old hardware that will be discarded and I will not be able to grab it for Linux use because of the lock out. :(


Comments

  • Registered Users, Registered Users 2 Posts: 2,345 ✭✭✭Kavrocks


    This would of course lock out not only all versions of Win prior to 8 but also most other operating systems.
    Where there's a will there's a way.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    Kavrocks wrote: »
    Where there's a will there's a way.

    One that non-geeks will be able to do, without much effort?

    Do tell.


  • Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭L.Jenkins


    I discussed this on Facebook. I can see an anti competitive case been taken against Microsoft again, similar to the IE a few years ago.


  • Registered Users, Registered Users 2 Posts: 1,477 ✭✭✭azzeretti


    Itzy wrote: »
    I discussed this on Facebook. I can see an anti competitive case been taken against Microsoft again, similar to the IE a few years ago.

    I read this that Microsoft removed their stipulation that OEM suppliers must supply an option to disable secure boot. I think the onus is now on the hardware manufactures to apply this options, rather than Microsoft?


  • Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭L.Jenkins


    I don't know why Microsoft would want to stick their oar in when it comes to the development of Laptops and PCs. Yes, they bought out Nokia to start pushing Windows phones, but I think that's where their involvement in hardware should end.

    I myself prefer the option of deciding what OS I'll run, instead of being told what I can have.


  • Advertisement
  • Banned (with Prison Access) Posts: 16,620 ✭✭✭✭dr.fuzzenstein


    It seems that MS was stipulating that the switch to turn off secure boot is optional. No one ever said "MS stipulated that hardware will under no circumstances allow another OS".
    I think this is the same as the rumor that Audi will seal off the engine bay so that no one can access it but authorized Audi dealers.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    It seems that MS was stipulating that the switch to turn off secure boot is optional. No one ever said "MS stipulated that hardware will under no circumstances allow another OS".
    I think this is the same as the rumor that Audi will seal off the engine bay so that no one can access it but authorized Audi dealers.

    That is what the first post said ....... it is the consequences of this that is rather worrying.


  • Banned (with Prison Access) Posts: 16,620 ✭✭✭✭dr.fuzzenstein


    That is what the first post said ....... it is the consequences of this that is rather worrying.

    We see what happens. Remember XBox one games to be locked to a specific console? Never happened. MS will always try it on.
    If it does happen, at worst a new BIOS could be flashed to a machine to install another OS, worst consequence of that could possibly be the existing MS installation no longer working, but I'm just guessing here. And a little bit of care when purchasing old or new machines in order to install a Linux variant on them. But that is the case anyway. It's not like Linux will run without any issues on every single piece of hardware out there as it is.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    We see what happens. Remember XBox one games to be locked to a specific console? Never happened. MS will always try it on.
    If it does happen, at worst a new BIOS could be flashed to a machine to install another OS, worst consequence of that could possibly be the existing MS installation no longer working, but I'm just guessing here. And a little bit of care when purchasing old or new machines in order to install a Linux variant on them. But that is the case anyway. It's not like Linux will run without any issues on every single piece of hardware out there as it is.

    I haven't had any real difficulties running Linux on the old equipment (lots of it) that passed through here. So, while it won't recognise ALL used gear, it sure does most of it.

    Replacing the BIOS might or might not be possible ...... only a select few are possible at present .... and doing that is a whole different kettle of fish than just installing an OS.

    IF the worst happens and m/boards drop the option to turn off secure boot for Windows machines, then a heck of a lot more of them will be recycled rather than reused.
    By then it will be too late to do anything about it!


  • Closed Accounts Posts: 13 ASX


    Hi! ;)
    It appears that MS have issued specs for their OEM suppliers which include a change in the Secure Boot requirements.

    Yes, it appears so, but only for "mobile" platforms.

    This provides for OEMs to install Win 10 with the UEFI locked so that any OS which does not have Secure Boot provisions cannot be installed on that hardware.

    Correct.

    This would of course lock out not only all versions of Win prior to 8 but also most other operating systems.

    This will lock out any O.S. that is not secure-boot enabled, until they adopt one of the available solutions, see below.

    We know this 'Secure Boot' was bad from day one, and this just seems like the next logical step from MS.

    Among others, The Linux foundation disagree with you:
    "Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware." (link 1)

    Also, there exists use cases where a locked down system may be a good things ... usually all embedded software, car infotainments systems, avionics, controller for robotics systems ... internet kiosks too.
    The third step maybe at the next MS major release (12?) will likely be to demand a locked down secure boot so the OEM has no choice at all.

    As of now, it look like not technically possible, because The Linux Foundation is providing a pre-bootloader signed from Microsoft. (link 2)

    All I can think of is the 2 year old hardware that will be discarded and I will not be able to grab it for Linux use because of the lock out. :(

    You will be able to use your old hardware, like now, except that you (your distro) will need an extension to the currently used boot loaders, like the one provided from The Linux Foundation.

    Alternatively a fully secure boot is already provided from RedHat and a few other distro, (shim) developed from RedHat's Matthew Garret allow for booting a completely signed system (kernel, modules, firmware).

    Also, there is to note that disallowing to turn off the secure boot could be a shoot in the feet for themselves, (MS), because some firmware shipped with some hardware may not be signed it will not be allowed run. (link 3).

    My guess is that most OEMs will allow to turn off secure boot, if not, solutions are already available to overcome the limitation.

    PS: due to my limited posts counts I'm not allowed to publish links, so I have forwarded them to you directly, you are invited to post the links on my behalf once you have verified their legitimacy. ;)


  • Advertisement
  • Banned (with Prison Access) Posts: 16,620 ✭✭✭✭dr.fuzzenstein


    I haven't had any real difficulties running Linux on the old equipment (lots of it) that passed through here. So, while it won't recognise ALL used gear, it sure does most of it.

    Replacing the BIOS might or might not be possible ...... only a select few are possible at present .... and doing that is a whole different kettle of fish than just installing an OS.

    IF the worst happens and m/boards drop the option to turn off secure boot for Windows machines, then a heck of a lot more of them will be recycled rather than reused.
    By then it will be too late to do anything about it!

    I have often flashed BIOS on a number of machines for "legitimate" installs of Windows 7. The aim is to convince 7 that it's running on a machine that is supposed to run 7, when combined with an activation program, the copy is certified genuine. Upgrades and everything else work, the resulting copy is fully working.

    My point is, if you have a machine with safe boot, it should be easy to flash the bios to a non safe boot option. The result may be that whatever OS on it won't run anymore, but Debian or Ubuntu, etc... should run no problem.
    Locked down BIOS, locked down phones, safe boot, etc..., none of it is uncrackable or insurmountable, you can run anything on anything. I wouldn't worry. Fully locked down hardware is rare and will never become the norm.
    The aim is more to invalidate the license or prevent the current system from running if tampered with, but it will always be possible to kick off the existing bios and OS.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    ASX wrote: »
    Hi! 
    Originally Posted by Johnboy1951 
    It appears that MS have issued specs for their OEM suppliers which include a change in the Secure Boot requirements.
    Yes, it appears so, but only for "mobile" platforms.
    At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.

    I see no mention of 'Mobile' there.

    In fact I believe that MS have already determined that mobile devices with their software cannot have a user switch to turn off secure boot, and it has been this way for a number of years.

    This is referencing a change in hardware requirements for Win 10 .... where there is now no need for a user switch to turn off secure boot, to comply with the MS hardware spec requirements.
    The only change between Windows 8.1 and Windows 10 for system requirements on the desktop is the mandate of UEFI v2.3.1. Windows 8.1 was required to have UEFI v2.3.1 for Secure Boot, but this was an optional feature. In Windows 10 this is no longer optional.

    Those two quotes are taken from the links I posted in the first post. ;)

    Bottom line: It seems there is a change of MS spec for desktop hardware, bringing it a step closer to the spec for mobile hardware ... there now being no requirement for a user switch for secure boot.
    All they got to do to bring the desktop hardware into line with the mobile hardware is to specifically specify that there be no secure boot user switch.
    As I said, maybe Win 12 ;)

    ***

    Your links ...

    1) Dated 2011 ?
    This document is intended to describe how the UEFI secure boot specification can be implemented to interoperate well with open systems and to avoid adversely affecting the rights of the owners of those systems while providing compliance with proprietary software vendors' requirements.

    I never said there was any difficulty in allowing a secure boot switch.
    This is aspirational and for those who care ...... MS vendors do not care (for the most part) about other uses of the their hardware.

    2) Dated 2012
    I remember reading about this at the time, but I have not seen anyone referring to using it in the meantime.
    Have you used this?
    Does it require a means to turn off Secure Boot in BIOS/UEFI?
    How would the absence of such an option affect its use?


    3) MS stuff
    Also, there is to note that disallowing to turn off the secure boot could be a shoot in the feet for themselves, (MS), because some firmware shipped with some hardware may not be signed it will not be allowed run. (link 3).

    What it will do is ensure that their old OS versions will not be able to run on the hardware.
    This is very desirable for MS ..... if they could force people to update their OS they would. It appears to me they have tried and succeeded with most non-commercial users.


    In any case we have not seen any hardware yet so we do not know if this will happen.
    What I was pointing out was, it could be a disaster, IMO, for those of us who reuse older hardware rather than throw it in the recycle pound.

    MS mobile devices with no secure boot switch ..... are there reports of other OSs being installed on them?

    I haven't heard about it, but it would be interesting to find out ......


  • Closed Accounts Posts: 13 ASX


    I see no mention of 'Mobile' there.

    The reference was in that picture from arstechnica article you posted, it says:

    "Win 10 Destop: it is OEM option whether to allow end user to turn off secure boot
    Win 10 Mobile must NOT allow secure boot to be turned off on retail device".

    Whether the above info are definitive or not I don't know, but that is what I read elsewhere too.

    In fact I believe that MS have already determined that mobile devices with their software cannot have a user switch to turn off secure boot, and it has been this way for a number of years.

    It is/was so only for "ARM" based hardware, x86 hardware was excluded at the time.

    1) .... <snipped> :)
    2) Dated 2012
    I remember reading about this at the time, but I have not seen anyone referring to using it in the meantime.
    Have you used this?
    Does it require a means to turn off Secure Boot in BIOS/UEFI?
    How would the absence of such an option affect its use?

    No, I didn't used it directly, what I posted come from my readings on the argument.

    As for the second question, no, secure-boot doesn't need to be turned off, because a "signed" and trusted pre-bootloader would be needed only with secure boot enabled.

    3) MS stuff

    of course, but tell me how they could suggest to "turn off secure-boot" when they required that it should not be an option.

    What it will do is ensure that their old OS versions will not be able to run on the hardware.
    This is very desirable for MS ..... if they could force people to update their OS they would. It appears to me they have tried and succeeded with most non-commercial users.

    It appears to me that the pre-bootloader from the Linux Foundation could chainload grub2 and from there boot even their older OSes.
    In any case we have not seen any hardware yet so we do not know if this will happen.
    What I was pointing out was, it could be a disaster, IMO, for those of us who reuse older hardware rather than throw it in the recycle pound.

    It must be noted that UEFI is not equal to MS, and that "The Linux Foundation" is also a member of uefi.org ... so they are involved in the definition of uefi specs.

    Also, I have great confidence that the open source community will streamline the secure-boot procedure as much as possible.

    MS mobile devices with no secure boot switch ..... are there reports of other OSs being installed on them?

    I haven't heard about it, but it would be interesting to find out ......

    I feel the need for an official definition of "mobile" ... right now I can think of phones, tablets, netbooks and notebooks... but am unsure.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    of course, but tell me how they could suggest to "turn off secure-boot" when they required that it should not be an option.

    We seem to be at cross purposes.
    Up to the present time, MS specified that secure boot could be turned off.
    Your reference dates from back then.

    The latest (as reported) spec from MS does not have that requirement, so any reference to turning it off is not relevant to the new spec.

    The Linux Foundation PDF file makes interesting reading, although that too is a little dated.
    It is aspirational ..... it points out how correctly implemented UEFI could be used by various means to install open operating systems.
    There is no requirement apparently that all motherboards manufactured comply with those aspirations.

    MS has provided specs for those who want MS approval (all OEMs?)
    The manufacturers have no need to include a secure boot user switch for Win 10 approval. In truth MS would probably prefer it that way.
    OEMs will try to please MS.

    It will be interesting to see Win 10 hardware from the likes of Dell, HP, etc. to determine if there is a secure boot switch present.

    If not then we know which way this is going .....


  • Closed Accounts Posts: 13 ASX


    We seem to be at cross purposes.
    The latest (as reported) spec from MS does not have that requirement, so any reference to turning it off is not relevant to the new spec.

    The same slide from arstechnica link state as a MS requirements, compliance to: UEFI 2.31,

    The Linux Foundation refers to it as 2.3.1c in their 2011 pdf

    Because the latest UEFI specs are 2.5, a version 2.31 doesn't exists, they clearly refers to version 2.3.1.

    (see uefi.org website for details.)

    Well, if the word "compliance" means something ... to me it IS relevant.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    ASX wrote: »
    The same slide from arstechnica link state as a MS requirements, compliance to: UEFI 2.31,

    The Linux Foundation refers to it as 2.3.1c in their 2011 pdf

    Because the latest UEFI specs are 2.5, a version 2.31 doesn't exists, they clearly refers to version 2.3.1.

    (see uefi.org website for details.)

    Well, if the word "compliance" means something ... to me it IS relevant.


    What then would be your interpretation of MS not requiring the presence of a secure boot 'off switch' for their Win 10 approved hardware?

    You would not see that as 'an invitation' or 'an encouragement' to their vendors to omit it?

    If MS wanted 'strict compliance' rather than general compliance would they have any reason to mention it?

    The MS history regarding specifications is not comforting ;)


  • Closed Accounts Posts: 13 ASX


    What then would be your interpretation of MS not requiring the presence of a secure boot 'off switch' for their Win 10 approved hardware?

    You are driving me on a mined field. :)
    My interpretation is that OEM are free to choose it or not depending on products ... as I already wrote I see use cases where secure-boot would be welcome.
    You would not see that as 'an invitation' or 'an encouragement' to their vendors to omit it?

    As above.
    If MS wanted 'strict compliance' rather than general compliance would they have any reason to mention it?

    The MS history regarding specifications is not comforting ;)

    Guess you answered your own question. ;)


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    ASX wrote: »
    You are driving me on a mined field. :)
    My interpretation is that OEM are free to choose it or not depending on products ... as I already wrote I see use cases where secure-boot would be welcome.

    Ah yes ....... OEMs freedom to choose.
    We have all seen how that works when dealing with MS in the past. :D

    It seems you are inclined to agree that there is a danger that OEMs will omit the secure boot switch in hardware for Win 10.
    It is obvious now that this would be desired by MS.

    That is the situation that prompted my original post ..... and the consequences of that decision, should it be taken.

    Yes, there are a few specialised areas where a locked hardware would be beneficial .... but not on consumer products .... at least not from the consumer viewpoint. :)


  • Closed Accounts Posts: 13 ASX


    It seems you are inclined to agree that there is a danger that OEMs will omit the secure boot switch in hardware for Win 10.
    It is obvious now that this would be desired by MS.

    First, I do not consider secure-boot a danger ...

    second, if MS would liked to have secure boot switch disabled on desktop, I don't see any reason why they would not ask for, it is their right to ask what requirements they like to allow the use of their certifications.

    They requested to remove the switch for "mobile" platforms ... they didn't for "desktop" platforms.

    Most likely the main reason of our different views is due to fact I think secure boot doesn't prevent the use of open systems while you think it will be an obstacle to open OSes adoption.

    I agree that secure boot imply to update the currently used boot loaders ... but the secure-boot support is already there and more extensions will come in the near future.
    That is the situation that prompted my original post ..... and the consequences of that decision, should it be taken.

    Yes, there are a few specialised areas where a locked hardware would be beneficial .... but not on consumer products .... at least not from the consumer viewpoint. :)

    Sorry, it seems that you are implying something which is not true at my eyes ... secure-boot doesn't equal locked down hardware ...

    It is true that secure-boot is another little barrier that each distro need to overcome at some point ... most likely is also an additional difficult for small teams and individuals, ... it is also true that there exists bugged UEFI/secure-boot implementations out there ... but it doesn't imply open systems are locked out. :)

    ~~~

    /joke mode on/
    do not worry much, systemd will take care of of secure-boot too :):):)
    /joke mode off/


  • Advertisement
  • Closed Accounts Posts: 1,576 ✭✭✭excollier


    ^^ None so blind as those who will not see. This a deliberate, underhanded ploy by MS to squeeze out open source OSes, nothing less.
    Thing is they are passing the buck to OEMs so they keep their own hands clean.
    Apple have their own hardware, so they can do what the hell they like with it. Microsoft, on the other hand, "think" that they own the hardware, and by this subtle action, they practically do. Shocking behaviour, but not out of character.
    If you want hardware with secure boot switchable, then you are going to have to pay more in future, like it or lump it.


  • Banned (with Prison Access) Posts: 10,087 ✭✭✭✭Dan_Solo


    excollier wrote: »
    Apple have their own hardware, so they can do what the hell they like with it. Microsoft, on the other hand, "think" that they own the hardware, and by this subtle action, they practically do.
    Um, I thought in both cases YOU own the hardware?
    Looks like it will be easily circumvented anyway.


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    excollier wrote: »
    ^^ None so blind as those who will not see. This a deliberate, underhanded ploy by MS to squeeze out open source OSes, nothing less........

    and they're really good at it ......
    well, there it is - no, there's no screen or keyboard on it - you use ssh and

    versus

    Powershell ..... no...Core Powershell gives you the power to .......

    "In fact, Nano Server does not support local access of any kind. All management is done remotely, via a combination of Windows Management Instrumentation (WMI) and PowerShell – or more accurately, Core PowerShell"



    and these local GUIs are poison ... The model here is we want to eliminate the idea of you ever sitting in front of a server, managing it."





    http://www.theregister.co.uk/2015/05/01/microsoft_nano_server_deep_dive/


  • Closed Accounts Posts: 1,576 ✭✭✭excollier


    Dan_Solo wrote: »
    Um, I thought in both cases YOU own the hardware?
    Looks like it will be easily circumvented anyway.
    You own it in so far as you do with it what they dictate - 'use our OS or the machine is useless, no alternatives allowed.'
    That's the plan they have.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    ASX wrote: »
    First, I do not consider secure-boot a danger ...

    Nor I.
    I think you need to read again what I wrote to get what I meant. ;)
    second, if MS would liked to have secure boot switch disabled on desktop, I don't see any reason why they would not ask for, it is their right to ask what requirements they like to allow the use of their certifications.

    They cannot as it would be anti-competitive due to their market share.

    They requested to remove the switch for "mobile" platforms ... they didn't for "desktop" platforms.

    They had no real presence in that market so their specification did not adversely affect others in the market.
    Most likely the main reason of our different views is due to fact I think secure boot doesn't prevent the use of open systems while you think it will be an obstacle to open OSes adoption.

    You seem to have completely missed the point of all my posts on this ....... the absence of a secure boot switch (to allow the user to turn it off as is presently the case) is the danger I see coming in the future.

    I agree that secure boot imply to update the currently used boot loaders ... but the secure-boot support is already there and more extensions will come in the near future.


    Sorry, it seems that you are implying something which is not true at my eyes ... secure-boot doesn't equal locked down hardware ...

    It is true that secure-boot is another little barrier that each distro need to overcome at some point ... most likely is also an additional difficult for small teams and individuals, ... it is also true that there exists bugged UEFI/secure-boot implementations out there ... but it doesn't imply open systems are locked out. :)

    If the user cannot turn off secure boot, that seriously limits what can be done by an individual who might inherit the hardware.

    ~~~
    /joke mode on/
    do not worry much, systemd will take care of of secure-boot too :):):)
    /joke mode off/

    :D:D


  • Closed Accounts Posts: 13 ASX


    Nor I.
    I think you need to read again what I wrote to get what I meant. ;)
    You seem to have completely missed the point of all my posts on this ....... the absence of a secure boot switch (to allow the user to turn it off as is presently the case) is the danger I see coming in the future.

    No, I didn't missed it, I already got it correctly!

    But may be I failed to explain my points.

    I will try to get some secure-boot enabled system and will come back some time later with some "facts" ;)


Advertisement