Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
The Courts Australia Windows Hardware Linux

Australian Users Petitioning Against Windows 8 Secure Boot 386

In his first accepted submission, lukemartinez sends in an excerpt from a ZDNet article on continuing developments about Microsoft's UEFI secure boot requirements: "The Linux Australia community began petitioning the ACCC this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's secure boot feature for devices bearing the 'Designed for Windows 8' logo. This means that any software or hardware that is to run on the firmware will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute. This would make it impossible to install alternative operating systems like Linux..." Delimeter has further information on the petititions, and Matthew Garret recently posted a follow-up to Microsoft's response to the concerns about secure boot, calling them out on their misinformation.
This discussion has been archived. No new comments can be posted.

Australian Users Petitioning Against Windows 8 Secure Boot

Comments Filter:
  • by Manip ( 656104 ) on Wednesday September 28, 2011 @08:46AM (#37539002)
    This petition and the signers of it just show that they're ignorant of the technology and the implementation of it. Unfortunately you might have government bodies thinking there is no smoke without fire, and making threats about this or that. But truth is this is a manufactured story that really has yet to cause anyone any problems.

    Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.
    • This.

      UEFI Secure Boot allows you (the user/owner of the machine) to choose to verify that what you are truly booting is what you think it is. If you boot Windows 8 using this approach, you gain a higher degree of assurance that you're booting legit Microsoft code and not something that someone has infected your computer with. This is a big win for the *vast* majority of desktop users as most of them run Windows and most of them have a legitimate desire to not get bit by malware.

      If you to not use this, and
    • by gstoddart ( 321705 ) on Wednesday September 28, 2011 @08:53AM (#37539090) Homepage

      But truth is this is a manufactured story that really has yet to cause anyone any problems.

      Because they haven't shipped any yet, that's why.

      Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.

      And, who has seen a UEFI system which says it's been designed for Windows 8 they could test this against? Answer: Nobody.

      In the hands of Microsoft, I believe entirely they would insist their vendors build a machine which is really only capable of booting Windows without basically violating ACTA or something. They've never demonstrated any compunction about forcing lock-in if they get a chance. In fact, they have a strong preference for it.

      Hell, it took literally years and a bunch of lawsuits to buy a whitebox PC without Microsoft getting paid for the OS even if you didn't want it and weren't going to use it ... you think they'd hesitate to insist vendors ship something locked down to them?

      The reality is, almost any tech company would lock you into their product so fast it's not funny.

      • You are just spreading FUD.

        Windows 8 competes with Windows 7 and they have to allow users to upgrade with an old PC. It would be stupid to implement an OS that requires a Secure Boot mode, because it would mean that mean that users would have to buy new hardware.

        Even if they did, there will be anti-trust litigation in both the US or EU. Microsoft has been in trouble in the past for bundling software, which is a far less serious offense than actually locking out the competition. Any attempt would just be

      • Because they haven't shipped any yet, that's why.

        So you are protesting something that doesnt even exist! Do you realize that there is no limit to what you might protest when you allow imaginary things to be protested?

    • Exactly. This is for people who have no clue ... much ado about nothing.

      http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface [wikipedia.org]

      MS wants to present Win8 as a "secure" platform and UEFI in their minds is one piece of the puzzle. That's open to interpretation.

      The options are:
      a) disable UEFI in BIOS
      b) don't purchase a system that UEFI implemented that cannot be disabled
      c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined

      • How exactly do you propose someone disable UEFI in BIOS?

      • The options are:
        a) disable UEFI in BIOS

        Provided that this will be an option.

        b) don't purchase a system that UEFI implemented that cannot be disabled

        Probably the same chance of being able to buy a system today without windows... Which is a slight chance for a desktop and no chance for a laptop.

        c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined

        And having these linux vendor keys pre-installed on a system has the same chance of getting a system with linux pre-installed. (i.e. you're screwed)
        I can tell you right now that 3rd party keys will never be user installable. If they ever are this would be an attack vector. What use are secure keys if anyone can change them?

        • The options are:
          a) disable UEFI in BIOS

          Provided that this will be an option.

          I have a feeling if this option is left out this would break a lot of existing full-disk encryption solutions out there: WinMagic, McAfee, Pointsec, etc. They all kick in before the OS loads, so anything that forces UEFI enabled all the time may significantly impact it. I used all three products and I've had to do a lot of tinkering with the BIOS on various Dell, HP, and Lenovo workstations we purchased over the years. I'm sure t

        • Provided that this will be an option.

          So wouldnt the problem be that in theory it might sometimes be an option, rather than that Microsoft requires that the motherboard support secure boot for logo certification?

          Isnt is thus true that your hate for Microsoft has caused you to go overboard, missing the mark completely because you can't see clearly?

      • by Pax681 ( 1002592 )

        Exactly. This is for people who have no clue ... much ado about nothing.

        http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface [wikipedia.org]

        MS wants to present Win8 as a "secure" platform and UEFI in their minds is one piece of the puzzle. That's open to interpretation.

        The options are: a) disable UEFI in BIOS b) don't purchase a system that UEFI implemented that cannot be disabled c) urge your Linux-vendor (e.g. RH) to get on the UEFI bandwagon if you're so inclined

        ummmmm UEFI is REPLACING BIOS
        so perhaps you mean entering the UEFI and switching off the secure boot option?????????
        mind you that's IF the OEM gives you that option in the UEFI
        i always build my own so won't have this problem and indeed in my new sandybridge Asus P8Z68-V PRO Z68 mobo i do have that option.. all good
        i even tried it with windows 8 legitimately downloaded from HERE [tweaks.com]
        and i have to say that windows 8 sucks major dick and i'll just leave the gaming with windows 7 thanks very much
        so it boi

    • Re: (Score:3, Insightful)

      by karolbe ( 1661263 )
      It is just a matter of time when such systems will start appearing. I bought a laptop some time ago, and to my big surprise it had VT-x (Hardware Virtualization) flag disabled, enabling it by the vendor was just a matter of setting one bit in some processor registry, but still they decided to release BIOS without such option. You could buy similar laptop with VT-x enabled but it cost more. I expect that in 3 years time we will have to pay extra just to have Secure Boot option configurable. After all that fe
      • This happens across all industries, not just IT. Cars which have 70, 90, and 120 hp variants often only require a new ECM mapping. There's an old model HP plotter in which, if you hold a certain set of keys at boot up and short a couple of pins, can be changed between monochrome and CMYK. That's no software change at all; It's all already within the machine when sold as monochrome, and you pay for the upgrade to colour.

        As usual, the technical community will figure out how to get this functionality working
  • Europeans (Score:4, Insightful)

    by sg_oneill ( 159032 ) on Wednesday September 28, 2011 @08:47AM (#37539016)

    I'd strongly implore europeans to look at similar moves. The EU courts have proven time again to have backbone when it comes to anti-competitive behaviour in the IT industry, and right now this is Microsoft playing the checkmate card its been threatening for a long long time.

    • How about we wait for further information before freaking out like teenage girls when some rubbish boy band breaks up?

      There has been fuck all in Microsofts announcements that suggests a motherboard manufacturer has to allow Windows and nothing else. There has been no suggestion that secure boot cannot be disabled. There has been no suggestion that the user won't be in control.

      Hell, people should be applauding the securing of the boot process - I remember it being a huge problem on the Amiga with boot secto

    • Microsoft are not mandating PC manufacturers to have UEFI, that's only if they want to slap the "Designed for Windows 8" logo on the case. Neighter are Microsoft preventing manufacturers from distributing keys for other OSes along with the Windows one. It's a bit farfetched to dollow the reasoning: "Windows 8 is the dominant OS, having a Windows 8 sticker on your brand of PCs is highly desirable, to get that sticker you need UEFI and the Windows key installed, which means that all PC manufacturers will en
      • A question: does UEFI allow users to install additional keys later on?

        I believe it does, but only from an OS that booted in trusted mode.

        You may be able to do it from the UEFI interface,itself, but it would be kind of ironic to have to install Windows to "bless" your machine to secure-boot Linux.

        • The MS blog post [msdn.com] discussing this specifically mentions a requirement that there is no programmatic control of secure boot policies. If it were possible to add certificates while the OS is running, it would be easier for malware to add those certificates themselves.

  • What's with all this secure boot crap anyway? When did anyone last get a virus, trojan or worm through the boot process and not through say the browser or a rogue piece of software?

    Has Symantec or McAfee infiltrated into Microsoft or something?

    • Re: (Score:3, Informative)

      by maxume ( 22995 )

      Secure boot prevents those other malwares from subverting the boot process.

    • Re:secure boot?? (Score:4, Interesting)

      by Anonymous Coward on Wednesday September 28, 2011 @09:03AM (#37539196)

      This isn't designed to stop viruses (though theoretically it could help a little), this is part of Microsoft's anti-piracy push. Current methods of pirating Windows involve loading up something before the kernel to trick Windows into thinking it is installed on a machine with an OEM license. Obviously if the BIOS won't hand off to unsigned code then this becomes impossible and this method of piracy (which has been in use since Vista's time) is no longer viable.

      Hence why the don't want OEMs to give you the option to disable this feature or to load up your own keys. If they did then it would solely be a security feature and do nothing for piracy. Given that, it explains why Linux people are so worried, because Microsoft is pushing for exactly this and Linux is about to get caught in the crossfire.

    • It isn't from viruses that strike at the boot process, it prevents one that came in through a browser or rogue piece of software, from planting a root kit into the boot sector of the OS.
  • Dear Microsoft,
    Please include the requirement for secure boot. I know how to download vmware player to run the things I want to run in a virtual machine and I greatly desire to have a secure underpinning to my OS. Thanks.
    Gabe
    • Ok, but for that you'll have to boot a secure OS first so you can run Windows in that VM.

    • I know how to download vmware player to run the things I want to run in a virtual machine and I greatly desire to have a secure underpinning to my OS. Thanks.

      That's nice. I hope you only like ever running Windows natively, and having to always put Linux in a VM.

  • Impossible? (Score:3, Interesting)

    by maxume ( 22995 ) on Wednesday September 28, 2011 @08:55AM (#37539110)

    Only if there is no way to disable secure boot.

    The problem here is that a majority of users are Windows users that will actually benefit from running a computer with a secure boot loader. So Microsoft is serving the interests of their users by pushing for secure boot.

    The good reason to oppose secure boot is the fear that computers will ship locked to Microsoft's keys. Before petitioning the government to specify the terms under which Microsoft can offer a logo program, people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).

    The reason for Microsoft to do this would be to put the whole damn issue behind them, and it only really matters for random consumer hardware that might end up with Linux on it, not a space they face much competition in.

    (Server and business vendors will continue to sell their customers what they want, running arbitrary software on such systems will not be problematic)

    • people should be encouraging Microsoft to add a requirement for a method of disabling secure boot to the logo program (this may well be futile...).

      People should be encouraging their own government to add such a requirement for the OEMs. The problem is broader than Microsoft and Win8 - it's about being able to control what software runs on a PC you own, regardless of the exact mechanism, OS and vendor.

  • by holophrastic ( 221104 ) on Wednesday September 28, 2011 @08:57AM (#37539132)

    The article lists the hardware manufacturer -- the system builder -- as Microsoft's customer. This is not surprising, since they are the people giving money directly to microsoft.

    So like with everything else in life, if you want to have control over something, all you need to do is to pay for it. You're welcomed to purchase your computer from Best Buy, and thus give Best Buy all of the control. Best Buy can choose what you'll get vis-a-vis the security of the OS. Or, you can do what many of us do.

    You can purchase Windows 8 directly, and install it yourself. Then you'll be the "hardware manufacturer" (a term that's lost all meaning here), and you'll have complete control over it.

    Welcome to the power of money.

    • I can also see a potential problem of paying twice for an OEM PC. Their is nothing to stop an OEM from first charging for the PC, then charging for the unlock of the bootloader. Furthermore, said OEM can threaten those who "jail break" their own PCs with voiding the warranty. I wonder if people that decide to purchase Windows 8 to use directly on a PC they built would be required to install some firmware update to give Microsoft its way.
      • No, you build it yourself, and all is good. You just won't have the "windows 8 logo certification" sticker -- which indicates that you built it yourself.

        • No, you build it yourself

          That works if you want a desktop PC, but how many end users actually build their own laptops?

      • Their is nothing to stop an OEM from first charging for the PC, then charging for the unlock of the bootloader.

        Thats right.. there is nothing stopping them, yet in all these years the OEM's have never locked you to a particular OS, which would have benefited their support-cost bottom line all these years.

        Hell, even Apple lets you boot other OS's on Macs.

    • by Junta ( 36770 )

      If you buy from Best Buy, you bought from a system builder who bought from Microsoft nearly certainly. Ignoring the money they already gave to MS and enabled secure boot by default as well and giving MS *more* money to acquire the *same* software that will also be signed in a way to pass the same secure boot checking is only different in how convoluted the scenario is.

      Protesting having this enabled by default is a tad asinine for most desktop users. Demanding that Firmware be mandated to have a configurat

      • You're missing the point. Microsoft didn't restrict Best Buy from doing whatever Best Buy wanted to do. And you weren't forced to buy your computer from Best Buy. Every single problem that you have with this scenario is instantly gone when you buy windows yourself, and skip Best Buy entirely.

        You shop at Best Buy, you get what Best Buy is willing to give to you. Or you can just go out and do it yourself. That's your choice.

        So if you want to have control over windows, you need to buy windows from microso

    • Except that this is for the Windows 8 Logo. Many motherboards come with the Windows 8 Logo. I see nothing that restricts this to system builders.

  • by sgt scrub ( 869860 ) <saintium@nOSPaM.yahoo.com> on Wednesday September 28, 2011 @08:59AM (#37539150)

    I mean that sincerely but Microsoft has already implemented their legal stance, "It is not up to us. It is up to the vendor".

  • by neokushan ( 932374 ) on Wednesday September 28, 2011 @09:12AM (#37539316)

    ..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.
    For someone that's supposedly calling Microsoft out for misinformation, Matthew Garret does a great job of it himself. Here's a few points I noticed:

    Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.

    Which hardware vendors? Who? What hardware? Why? And what has that got to do with Microsoft?

    Windows 8 certification does not require that the system ship with any keys other than Microsoft's.

    And why shouldn't it? It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

    A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

    Exactly, however a system that ships with UEFI secure boot and only includes a linux distribution's signing keys will only securely boot that linux distribution. Why is the latter ok, but the former not? Oh wait, because Microsoft is the big, bad buy? Once again - Microsoft doesn't mandate that UEFI secure boot be forced, its the OEM's decision to remove the option to disable it.

    Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

    Of course, this fails to mention (again) that OEMs are in no way forced to remove UEFI secure boot and by doing so, they'll be at a disadvantage in the marketplace and lose sales from people like this very writer....

    Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

    In short: Because Nobody else can have secure boot, why should Microsoft get to have it? Apparently that's bad for even the likes of AMD and Intel.
    Nevermind that 99.99% of malware targets windows, that most "zombies" on the internet are Windows machines, that most spam is sent from windows machines, which affects everyone. In that instance, giving Windows machines that extra blip of security by default hardly seems like a bad thing.

    What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware.

    Woah woah woah! Didn't you just say that Microsoft were the only ones capable of forcing Manufacturers to include their signing keys? That the likes of AMD,

    • by Microlith ( 54737 ) on Wednesday September 28, 2011 @09:42AM (#37539736)

      ..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.

      Which is a great dodge. Then they can apply quiet, behind the scenes pressure to remove the option. Some vendors omit options regardless (like disabling VT-x.)

      It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

      Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.

      This whole thing stinks of misinformation and FUD. The OEMs are the ones you want to pressure, not Microsoft.

      Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.

      People are fighting so aggressively to defend MS, but in a few years we may wish for the day when we didn't have to violate the DMCA and ACTA to run whatever OS we choose on our systems.

      • by neokushan ( 932374 ) on Wednesday September 28, 2011 @09:59AM (#37539964)

        Some vendors omit options regardless (like disabling VT-x.)

        Which is why I say we should pressure OEMs. This decision has nothing to do with Microsoft so people are ignoring it, despite the fact that it is still an issue that people should be concerned with.

        Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.

        No, we're not. The thing to keep in mind is that there's a distinction between simply booting and secure booting. Right now, no operating system can secure boot (as far as I'm aware, anyway - if there is hardware+software out there that can utilise this, please let me know) and Microsoft wants to push it for Windows 8. It would be nice if we can also utilise this for other operating systems as well (or rather, other boot loaders, like GRUB), however that task lies with the OEMs and their willingness to let us add our own keys. Like I said before - this is the OEM decision, not Microsoft's.

        Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.

        And there it is again! The assumption that you won't be able to disable secure boot. This assumption lies squarely with OEMs and not Microsoft.
        Consumers don't need to pressure OEMs more than Microsoft, they just need to pressure them. Microsoft is pushing to enable secure boot by default, while us users should be pressuring OEMs to give us control over secure boot. They are two entirely different things.
        Even if Microsoft changed their mind on the secure boot by default thing, we should still pressure OEMs to give us this control as it's a very useful security feature to have.

        Now, of course there's that idea that Microsoft might be in the background pressuring OEMs to remove the option to disable it, but so far this is based entirely on conjecture and speculation. If Microsoft does try it, they'll be liable for a massive class-action lawsuit, something that would cost them a lot more than the 1-2% of the marketshare they could possibly gain by blocking Linux. Until that happens, it's a non-issue. Rather than moaning at Microsoft, we should be moaning at the OEMs because they're the ones that will be taking these options from us.

        In the technology world, we shouldn't let the "maybes" get in the way of innovation. Secure boot would outrightly kill a lot of malware attacks, something that plagues windows a lot more than it does Linux.

      • by Cato ( 8296 )

        Mod parent up...

        Microsoft has a history of pressuring OEMs not to support alternative OSs, such as requiring a Windows fee on every desktop shipped, even if it didn't use Windows (and other less obvious pressure). It would be quite easy for them to exert some almost-deniable pressure to stop OEMs from shipping motherboards that have the option to disable secure boot. Then the (small) threat of Linux on the desktop would completely disappear - more seriously, a route for new people to learn to use and dev

    • Microsoft have a dominant position in the desktop operating system market.

      Why is it Microsoft's responsibility to get keys other than its own installed?

      It is, for the same reason MS was forced to offer some choice for the Internet browser in Europe, remember ?

      Oh wait, because Microsoft is the big, bad guy?

      Big guy: yes, again we are talking about dominant position and its consequences, which lead to more power and possible abuses, thus the bad guy. Don't you remember some MS abuses?

      Here's a few points I noticed: [...]

      Add to those points: the dominant position of Microsoft. It should help a lot to understand Garrett's answer [dreamwidth.org]

  • The Right To Read [gnu.org] from 1997:

    Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers--you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

    Not so sensationalist or paranoid now, is it?

  • I have NEVER seen a BIOS with minimal features.

    (The original RedHat complaint was that "MadeForWin8" machines must support UEFI, and must include Microsoft's boot keys; RedHat were worried that BIOS makers would ship with this bare minimum of support, i.e. not allowing you to disable UEFI or to add your own keys.) Disclaimer: I work at MS as a language designer.

    • I have NEVER seen a BIOS with minimal features.

      Then you haven't used a laptop or desktop from a major vendor, whose BIOS contains usually no useful settings of note. Redhat is absolutely right to be worried that laptop vendors will ship systems without any interface to disable this, especially if they brand the machine a "Windows 8" machine and do the bare minimums to meet that logo requirement.

    • by tepples ( 727027 )

      I have NEVER seen a BIOS with minimal features.

      How about the BIOS of the original Xbox, which used some sort of secure boot measure to make sure it would run only Microsoft's dashboard?

  • So even if I can disable Secure Boot, does this mean I have to go into the UEFI and re-enable it each time I boot back to Windows 8?

    At best, this is going to be a pain in the ass for people who dual boot.
  • While this may have little impact on the (large) US market, Australians might be in for a major jump in their (smaller) PC business. If they mandate an end user accessible UEFI 'switch', they'll grab a large part of the mail order PC business supporting alternate operating systems.

    If they can differentiate themselves from the rest of the world markets (OK, they probably won't be the only country passing such a law), they could potentially turn themselves into a key player in s/w development for advanced sy

  • Here's what I don't like about "secure boot" (from this article [theregister.co.uk]): "...The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor ..."

    So, given that major OEM's tend to ship as minimal as possible BIOS/UEFI options: If you buy a Dell computer and cannot turn off secure boot, are you limited by hardware signing to Dell branded (and priced) graphics cards and etc?
  • Photo documentary of this phenomenal event [wikipedia.org]

    Judge: Please swear to tell the truth and nothing but the truth
    Bill: The bootloaders are locked for security only
    Bill: I swear!

You know you've landed gear-up when it takes full power to taxi.

Working...