• Red Hat Engineer Calls out Windows 8 Secure Boot as a Linux Risk
[quote]Red Hat developer Matthew Garrett has discovered a potential Linux killing feature in Windows 8. Microsoft's next major OS is set to include a secure boot. The system will prevent any executable from loading unless it is signed by a specific set of keys. The problem with that is that a non-key-signed executable - say Linux - might not be able to be put on a piece of hardware that has been built for Windows.

[B]That's a problem.[/B]

Many of us (myself included) have hardware that was originally running Windows (the so-called Microsoft tax). That hardware has since been re-imaged or dual-booted to load something else, namely Linux. The Windows 8 secure boot process could potentially eliminate that ability on new hardware.

[B]"Microsoft [URL="http://video.ch9.ms/build/2011/slides/HW-457T_van_der_Hoeven.pptx"]requires[/URL] that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled," Garrett [URL="http://mjg59.dreamwidth.org/5552.html"]blogged[/URL]. "A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux."[/B]

That said, Garrett added that "there's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code."

In my view there are a few potential solutions to this issue:

1) Buy bare metal. If you buy a bare metal machine without the Microsoft tax then this isn't going to be an issue.
2) Grub replacement. As it stands Grub would likely not work under a strict interpretation of Microsoft's safe bootloader approach. That said, when something doesn't work in open source, there is an 'itch to scratch' and history has shown us that itches don't get left unscratched for long.
3) It won't happen with small vendors. Big vendors like Dell, HP and Lenovo are likely to preload and be part of this program. Smaller vendors that pre-load on site likely won't and will find their own workarounds too.
4) Virtualize. No, this is not an ideal solution... but if the secure boot can be linked to, say, Hyper-V (I know...), it's easy enough to run Linux virtualized.

None of these solutions are ideal and the Windows 8 secure boot could be a real problem. The good news is that developers like Matthew Garrett are watching. Microsoft isn't going to surprise anyone this time.[/quote]

[url=http://www.internetnews.com/blog/skerner/red-hat-engineer-calls-out-windows-8-secure-boot-as-a-linux-risk.html]Source[/url]

This has been a concern over the past few days, but since a Red Hat engineer said something about it, that gives some credibility.
Time to bring out the anti-trust/pro-competition legislation and fine the pants off Microsoft again.
Ow cmon I actually started to like Microsoft.
They try shit like this every new Windows release, have they not learned?
Except it legitimately is a security feature. And secure boot can be disabled from the EFI settings.
I thought Microsoft were starting to be bros with regards to Linux. Guess not
[QUOTE=sam2d2;32439493]I thought Microsoft were starting to be bros with regards to Linux. Guess not[/QUOTE] Not a chance. When Microsoft acquired Suse Linux, the community for it vanished overnight. They wanted NOTHING to do with it any longer. That's why the Open Suse project happened, so that the world could still have an untainted Suse Linux. This is a dick move, and I really hope that this gets challenged. Apple gets away with crap like this because they control both sides of the computer market on their end. Microsoft is now pushing this crap on people and this is just the newest idea in a string of ideas to make Linux look "illegal" and seem like "a security risk".
What is EFI?
[QUOTE=Killuah;32439838]What is EFI?[/QUOTE] In short, it's basically the new BIOS. That's kinda a bad explanation, but that's the easiest way for me to think of it.
[QUOTE=Fatal-Error;32439447]Except it legitimately is a security feature. And secure boot can be disabled from the EFI settings.[/QUOTE] The argument is whether OEM suppliers will actually let you disable it in EFI settings or not. If they don't, you've got a Microsoft locked PC.
[img]http://www.torontothumbs.com/wp-content/uploads/2010/05/tf21.jpg[/img] [B][I]"Now buddy, I'm an engineer.. that means I solve problems. Not problems like, "What is Javascript?" Because that would fall within the purview of your conundrums of Website Design 2.0.. I solve practical problems."[/I][/B]
Does this mean custom builds can't run linux? Or just OEM Prebuilts.
I don't know exactly what this means, but it has to do with a large corporation and something that could hypothetically in the future at some point possibly lead to something that is not consumer friendly... ...so I'm going to assume that it's some gross plot to harm consumers and make more money.
Welp..... seems more of a reason to not buy prebuilt.
As someone else said, secure boot is a real security feature and I assume some people (businesses and governments I assume) want / need it. It shouldn't be forced upon people though, if people want to use it they should have to enable it.
I really doubt Microsoft thought ahead about Linux when they designed this. They rarely have a tendency to think ahead like that.
This is gonna have considerably less impact than people think. Most people who use Linux are big enough nerds to build their own computers anyway.
[QUOTE=Sir Whoopsalot;32440570]This is gonna have considerably less impact than people think. Most people who use Linux are big enough nerds to build their own computers anyway.[/QUOTE] But it's common knowledge that if you try to dual boot, you want to boot Windows on first because it will remove a Linux partition if it finds one. Again not a feature that Microsoft intentionally put in there to bone Linux users, they really just don't give a shit.
Isn't this pretty illegal?
Directed at all the 'it's a security feature so MS can just keep doing this' reactions, how about that MS just whitelists the common Linux distros from this system? That can't be that hard can it?
Microsoft's response: [url]http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx[/url]

UEFI allows firmware to implement a security policy
[B]Secure boot is a UEFI protocol[/B] not a Windows 8 feature
UEFI secure boot is part of Windows 8 secured boot architecture
Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
[B]Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components[/B]
OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
[B]Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows[/B]

also [img]http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-29-43-metablogapi/0624.Figure_2D00_5_2D002D002D00_Samsung_2D00_PC_2D00_secured_2D00_boot_2D00_setting_5F00_thumb_5F00_02016A69.jpg[/img]
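
An added example, not part of the original thread or of Microsoft's post: on a Linux system booted through UEFI, the firmware's Secure Boot policy state discussed above can be read from efivarfs. The function names, the state labels and the constructed sample files are assumptions made for this illustration; the variable names and GUID are the standard UEFI global ones.

```shell
#!/bin/sh
# Added example: report the firmware's Secure Boot state from efivarfs.
# GUID of the UEFI global variable namespace (SecureBoot, SetupMode, ...).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b2c

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode each carry a single data byte (0 or 1).
efivar_byte() {
    # $1 = efivars directory, $2 = variable name; prints the data byte
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1      # file too short to hold a data byte
    printf '%s\n' "$v"
}

# Prints one of: not-uefi, unsupported, setup-mode, enabled, disabled
# (labels are hypothetical, chosen for this example).
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivars directory: legacy BIOS boot or efivarfs not mounted.
    [ -d "$dir" ] || { echo "not-uefi"; return 0; }
    # UEFI firmware without the SecureBoot variable does not implement it.
    sb=$(efivar_byte "$dir" SecureBoot) || { echo "unsupported"; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = "1" ]; then
        echo "setup-mode"        # no platform key enrolled, nothing enforced
    elif [ "$sb" = "1" ]; then
        echo "enabled"           # firmware verifies boot loader signatures
    else
        echo "disabled"          # keys present, verification switched off
    fi
}

# Constructed sample data (not captured from a real machine).
# $1 = directory, $2 = SecureBoot byte, $3 = SetupMode byte (0 or 1)
make_sample() {
    mkdir -p "$1"
    printf "\\006\\000\\000\\000\\00$2" > "$1/SecureBoot-$EFI_GLOBAL_GUID"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SetupMode-$EFI_GLOBAL_GUID"
}

demo=$(mktemp -d)
make_sample "$demo" 1 0
secure_boot_state "$demo"        # enabled
rm -rf "$demo"
```

Calling `secure_boot_state` with no argument reads the live `/sys/firmware/efi/efivars` directory.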
[QUOTE=Swilly;32440586]But it's common knowledge that if you try to dual boot, you want to boot Windows on first because it will remove a Linux partition if it finds one. Again not a feature that Microsoft intentionally put in there to bone Linux users, they really just don't give a shit.[/QUOTE] Actually, Windows won't just remove a partition with Linux on it (in fact, I doubt it can tell what exactly is on that partition unless you were braindead enough to use NTFS), you can pick exactly which partition you install to, and it will only use that one. It [B]does[/B] however replace the Bootloader that Linux should have installed, causing problems.
[QUOTE=hexpunK;32440681]Actually, Windows won't just remove a partition with Linux on it (in fact, I doubt it can tell what exactly is on that partition unless you were braindead enough to use NTFS), you can pick exactly which partition you install to, and it will only use that one. It [B]does[/B] however replace the Bootloader that Linux should have installed, causing problems.[/QUOTE] One of the newer features in the bootloader (isn't in the dev preview) is boot from device and add another OS. I think that would make it easier to re-add a Linux bootloader if it overwrites.
I seriously doubt this was their goal when they implemented this feature... I'm sure it's going to be fixed before Win8 ships.
[QUOTE=Panda X;32440710]One of the newer features in the bootloader (isn't in the dev preview) is boot from device and add another OS. I think that would make it easier to re-add a Linux bootloader if it overwrites.[/QUOTE] Oh that is pretty cool to know actually. Faffing with Bootloaders is one of the more annoying parts of installing Linux sometimes. [editline]23rd September 2011[/editline] [QUOTE=Master Kief-117;32440794]I seriously doubt this was their goal when they implemented this feature... I'm sure it's going to be fixed before Win8 ships.[/QUOTE] It's an EFI feature, there is nothing to fix.
[QUOTE=subenji99;32439929]The argument is whether OEM suppliers will actually let you disable it in EFI settings or not. If they don't, you've got a Microsoft locked PC.[/QUOTE] Yeah but that's an OEM feature. Keep in mind OEMs often do things beyond the requirements of Windows in order to facilitate a more closed system and to prevent their users from tampering with the system. Good long term examples - restore partitions as opposed to installable discs, preventing generic GPU drivers to work and a bunch of other stuff. Secure boot is in itself a very very good security feature. In the same way as UAC, driver signing, sandboxing and other stuff. [QUOTE=maurits150;32440622]Directed at all the 'it's a security feature so MS can just keep doing this' reactions, how about that MS just whitelists the common Linux distros from this system? That can't be that hard can it?[/QUOTE] The issue isn't the OS but the bootloader itself. Further, MS does not have direct control. Thirdly, whitelisting OSes is really really bad. What if someone uses a more esoteric variety, what if someone uses a completely different OS, etc etc etc.
THE ENGINEER IS A SPY!!!
[QUOTE=wraithcat;32441197]Good long term examples - restore partitions as opposed to installable discs, preventing generic GPU drivers to work and a bunch of other stuff.[/QUOTE] Or just giving you a shitty locked down BIOS that doesn't allow you to do things, like enable VT-X on a processor that supports it.
[QUOTE=CoolHandLuke;32441213]THE ENGINEER IS A SPY!!![/QUOTE] ha ha, shit bro, us gamers, yeah,
[QUOTE=hexpunK;32440681]It [B]does[/B] however replace the Bootloader that Linux should have installed, causing problems.[/QUOTE] Not too difficult.

1. Boot to a live CD. I'm going to assume your root partition is /dev/sda1 and you mount it at /mnt/sda1
2. `mount -t proc none /mnt/sda1/proc && mount --rbind /dev /mnt/sda1/dev`
3. `chroot /mnt/sda1 /bin/bash`
4. `grub-install --no-floppy /dev/sda`

Suddenly GRUB is reinstalled.