Windows 8 secure boot to block Linux Thread - Linux Gamers

Windows 8-certified 64-bit hardware will be forced to carry
security measures to stop the installation of other operating systems,
such as Linux, until the software is regarded as trusted, according to
Microsoft.

source: Zdnet.com.au

Yeah, I read about it, but I don't think its a big issue. Concern maybe. If I understood correctly, problem is only with pre-built PC when OEM vendor wants 'Designed for Windows' logo. I doubt MB vendors would lock their UEFI secure boot just for Windows. On the other hand, you will be able to lock your machine never to boot any Windows

Not a problem. Good board manufacturers include an option to disable this crap. Another failing attempt of M$ to slow down the unstoppable growth of alternate operating system using foul tricks and treachery. If they would start to compete with actually good things and advancements/improvements then I would have respect for them but they only can do medieval catapulting as they lack a solid castle to build upon.

I would be amazed if this passed in Europe. They wouldn't even let Microsoft ship with only Internet explorer.

So unless they have no plans to sell to Europe, they will have to work something out.

ubuntu-gaming wrote: Windows 8-certified 64-bit hardware will be forced to carry
security measures to stop the installation of other operating systems,
such as Linux, until the software is regarded as trusted, according to
Microsoft.

source: Zdnet.com.au

They're already working on fixing this.
Zdnet.com

Man, the comments in this article is full of so many assholes it's a shame to be a human being. Jesus, these M$ loving idiots with their old-aged and long time no more valid pseudo-arguments against Linux. Sorry guys but these totally idiots can go suck dick... really. Without Unix these assholes could not even browse half of their websites!

Dragonlord wrote: Man, the comments in this article is full of so many assholes it's a shame to be a human being. Jesus, these M$ loving idiots with their old-aged and long time no more valid pseudo-arguments against Linux. Sorry guys but these totally idiots can go suck dick... really. Without Unix these assholes could not even browse half of their websites!

Good for you for putting your 2 cents in but who cares what people post in comments on a news article? Just read the article and move on.

This is constantly misreported.
I know that we all love Linux and can't stand using Windows, but that doesn't make Microsoft evil (this statement is mostly aimed at Dragonlord). At least... not any more than any other corporations.

This secure boot thing wasn't developed by Microsoft. That's just an attention getting headline. It's not their "fail attempt to stop the growth of other operating systems". It is a BIOS feature. Microsoft is simply the first company with an operating system (Windows 8) that supports this feature.

It was actually developed by a forum/panel of many tech companies. Microsoft is a member of this panel, but so is Canonical (the guys that publish Ubuntu)! They say it's a huge step forward in security.

But these facts were buried by the Stallmans of the world as bloggers propagated the twisted version of the story that "ZOMG MICROSOFT IS KILLING TEH LINUX".

Edited by: Grickit

You don't get where the problem is. If you buy a computer with windows pre-installed (which is next to all unfortunately) and SB is in effect then you can not install Linux on this machine anymore no matter how hard you try. Even canonical can't do anything about that.

Yes I understand the problem. Linux can't be signed because everything is public. But that's not Microsoft's fault.

I'm nearly 100% certain this will be switchable off anyways. An "install mode" or something.

I'm honestly not worried at all about being able to put Linux on a new computer. Google has incentive to bribe people into making sure that works smoothly now (they want ChromeOS to work on arbitrary machines within the next few years). Also I doubt most BIOS programmers are doing their job on Windows. And then there's all the web-hosts in the world.

For BIOS makers and OEMs choosing what BIOS to put on, there's a lot of money in it for them to let people have it both ways.

I'm more interested in what this will mean for virtualization.

step 1 ) Disable secured bood!

stet 2 ) Enjoy linux

IF you can disable it. There's quite some talk around here about this problem especially since doing the lock-down is cheaper for the sellers (one OS only = less help desk costs). So I'm quite positive we have to fight hard in the future to find PC without locked down hardware. This really is a step backwards into medieval times.

I agree that some fight is necessary. OTOH I doubt MS will succeed to persuade all OEM vendors to lock secureboot. Not in todays time where MS power and Windows penetration is IMHO after its peak some years ago.

this secureboot is great for security for average joes!

thats not for preventing linux to be installed, but to prevent from some apps\people to mess where they shouldnt!

Canonical ( Ubuntu ) views on the issue

Blog.canonical.com

Edited by: dudumaroja

That's simply not true. Secure boot is not about preventing certain apps to be installed it prevents anything but the one OS pre-installed to be installed. This is a de-facto lockout of Linux unless Grub is pre-installed in which case Secure boot is of no use anyways since you can coax grub into booting anything bypassing the secure boot.

Dragonlord wrote: That's simply not true.

Three sources to why you're wrong, and all you keep saying is 'nope'. How about you post some proof instead of raging over nothing? So far everything I've heard has been saying that *nix distro's are just going to have to be members of this new panel, abide by the rules, and release their own code for secure boot to allow it.

Sure, maybe OEM's will lock the option out of the bios like they do with most settings but if you're using linux why not build your computer yourself? Even then that's a REALLY big maybe considering how many linux groups are planning on joining the panel. MS can't even get away with forcing users to deal with IE, how are they going to fair when they get busted for trying to something like this?

Calm down, you're only raising your blood pressure.

Edited by: wizardskill

It's a lock-down "in your BIOS". This is not IE you can skip by not using Windows at all. It's inside your motherboard. If you build your own computer you can escape Windows by not installing it. If the BIOS is though locked down building your own computer is futile. You still can't install anything else but Windows 8 if the BIOS is under lock-down. This is the major problem here that many try to swoop under the carpet. If you get a motherboard without a locked down BIOS then yes, you can, but do you really think your run-of-the-mill computer seller takes a fight with Microsoft to not use a locked down BIOS especially if this tons cheaper for them? Of course they won't. For a desktop PC you might find a clean motherboard but for a notebook/netbook you are definitely going to be in a pinch. All these "sources" named here just talk about the possibility of Linux getting signed too. While all nice and dandy this is not the source of the problem so all these sources are sugar-talk around the actual problem... a very "vital" problem indeed. In the end we need mod-chipping for motherboards to pry them out into freedom again. At last with consoles we've seen already that mod-chipping is a guaranteed success. Good thing I've got a soldering iron in my home at all times

The console analogy is a good one, because basically this is an attempt to "consolize" PCs.

Dragonlord wrote: It's a lock-down "in your BIOS". This is not IE you can skip by not using Windows at all. It's inside your motherboard.

I wasn't insinuating that IE was hard to get rid of, I mentioned that MS can't even get away with THAT without people getting mad and trying to sue them.

Dragonlord wrote: If you build your own computer you can escape Windows by not installing it. If the BIOS is though locked down building your own computer is futile. You still can't install anything else but Windows 8 if the BIOS is under lock-down. This is the major problem here that many try to swoop under the carpet. If you get a motherboard without a locked down BIOS then yes, you can, but do you really think your run-of-the-mill computer seller takes a fight with Microsoft to not use a locked down BIOS especially if this tons cheaper for them? Of course they won't. For a desktop PC you might find a clean motherboard but for a notebook/netbook you are definitely going to be in a pinch. All these "sources" named here just talk about the possibility of Linux getting signed too. While all nice and dandy this is not the source of the problem so all these sources are sugar-talk around the actual problem... a very "vital" problem indeed. In the end we need mod-chipping for motherboards to pry them out into freedom again. At last with consoles we've seen already that mod-chipping is a guaranteed success. Good thing I've got a soldering iron in my home at all times

But who is to say that the user won't be able to control secure boot? It hasn't been released, let alone the fact that it was basically started earlier this year. Until MS flat out says "No linux" and bans everyone from the panel aside from themselves this is all misguided speculation based on fear and anger.Perhaps the smaller distro's won't be able to participate as easily, but no one has heard many details (including the requirements).

rioninja wrote: The console analogy is a good one, because basically this is an attempt to "consolize" PCs.

What? If anything it's a stab at *nix & hackintosh marketshare, which hasn't been proven and by all accounts isn't the case.

If linux groups are part of the panel and they aren't yelping for a lawsuit, how big of a deal can this possibly be? It's not like MS is the only member of the panel.

Edited by: wizardskill

The problem is the type of lock-down secure boot involves. It is a final lock down hence after the manufacturer of the board configurated secure boot it gets locked down in a way the user can not revert the lock anymore. Hence if you get a mother board with secure boot set to allow only Windows 8 then you can not reverse the lock to configure it with a Linux signature. That's the tricky problem on secure boot. It's not about Linux having or not a signature it is if the lock down is a final one. M$ obviously wants to allow only Windows 8 on mother boards (aka computers in the end) which have a final lock down. And if this is the case there is no way for you to install Linux onto the computer no matter how hard you try.

So in a nutshell you have this situation:
- M$ demands a final lock down for Windows 8 to be installed
- If manufacturers want to have Windows 8 pre-installed they need to do a final lock-down
- If a manufacturer doesn't agree with a final lock down he can't have Windows 8 preinstalled

The decision for Windows 8 (final lock down) and against FOSS is thus quite an easy one. In the desktop area Windows is still the leader so majority of them are going to chose Windows 8 and do a final lock down. Hopefully this sheds some light on the situation.

Dragonlord wrote: ...M$ obviously wants to allow only Windows 8 on mother boards (aka computers in the end) which have a final lock down. And if this is the case there is no way for you to install Linux onto the computer no matter how hard you try.

So in a nutshell you have this situation:
- M$ demands a final lock down for Windows 8 to be installed
- If manufacturers want to have Windows 8 pre-installed they need to do a final lock-down
- If a manufacturer doesn't agree with a final lock down he can't have Windows 8 preinstalled

The decision for Windows 8 (final lock down) and against FOSS is thus quite an easy one. In the desktop area Windows is still the leader so majority of them are going to chose Windows 8 and do a final lock down. Hopefully this sheds some light on the situation.

You still haven't show any kind of source proving your claims. You keep restating the same thing even after multiple sources have shown there is no plot to eradicate linux through secure boot.

Here are more sources proving you wrong:

PCWorld wrote: ...At the heart of the Unified Extensible Firmware Interface (UEFI) secure boot protocol are Platform Keys (PKs)--which are designed to be controlled by the owner of the hardware in question--and Key-Exchange Keys (KEKs), which are controlled by the hardware and operating system vendors, the paper explains.“This separation is vital because it allows the platform owner to decide which keys they trust without compromising the ability of the KEK controllers to assure themselves that the OS booted securely,”

...While that may be a valid choice for some informed users, it's also essential that users be able to regain control by resetting their hardware back to setup mode, the authors argue.Toward that end, all hardware should ship in an open “setup mode” with no platform key installed. That way, hardware owners can install the platform key of their choice or let their operating system do so for them, Bottomley and Corbet explain.It should also be possible for the owner of a piece of hardware to return a system back to setup mode in the future, they add. Meanwhile, there needs to be a firmware-based mechanism for adding new KEKs to make dual-boot systems possible, as well as one for easy booting of removable media.

- Pcworld.com

ArsTechnica wrote: Microsoft, for its part, noted in a blog post last month that it does not “mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows,” but says UEFI secure boot addresses a pre-operating system environment that is vulnerable to attack. “At the end of the day, the customer is in control of their PC,” Microsoft says. Without mentioning Linux by name, Microsoft said “For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.” Indeed, as we noted last month, the Windows 8 developer system built by Samsung and distributed at Microsoft’s BUILD conference contains the option to disable secure boot

- Arstechnica.com

ZDNet wrote: ...a Dell spokesperson told me, “Dell has plans to make SecureBoot an enable/disable option in BIOS setup.”

...The spokesperson confirmed for me that HP has no plans to participate in any conspiracy against a non-Windows OS: “HP will continue to offer its customers a choice of operating systems. We are working with industry partners to evaluate the options that will best serve our customers.”

...a spokesperson for leading BIOS maker AMI, who told me last month that ”AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so.”In fact, the closer you look at the movement against the Secure Boot feature, the more apparent it becomes that this is about propaganda, not technology.

- Zdnet.com

CNet wrote: ..."Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot," wrote Mangefeste. "We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems."

Specifically, hardware makers would be able to customize how users can manage the security certificates and policies. Mangefeste also pointed out that people who want to run "older operating systems" would then have the flexibility to disable secure boot or otherwise modify the certificates if they chose to do so.

- News.cnet.com

These sources state that there is still fear, but it is not substantiated in any way, shape, or form. Please keep your fantasies and wild accusations to yourself until secure boot is released.

Edited by: wizardskill

I stand to what I say since these sources talk about "possibilities". As I outlined above the problem is not the possiblity but what the relationship with Windows 8 in this debate is. Maybe some make an on/off option for secure boot but this equals to nullifying the warranty. Besides people like HP said a lot of things and in the end didn't do much of it... especially in connection with Linux. As I said above, these sources are lots of copy-paste talk about possiblities or how-it-should-be (how often M$ shit on such standard? many times) but nothing substantial. Furthermore if the user can alter the secure boot certificates it is as insecure as without secure boot. I leave this up to you as an excercise to figure out why. Thus it's unlikely secure boot has no final lock down mode as this is the only thing which gives secure boot security.

Dragonlord wrote: I stand to what I say since these sources talk about "possibilities"

But that's all you're argument is based on: Propaganda without proof. Show me a statement directly from a company saying that SecureBoot is locked to only Windows to remove linux from the market, or realize that you don't know what you're talking about.

Dragonlord wrote: ...I leave this up to you as an excercise to figure out why.

Dragonlord wrote: M$

I see what's going on here. 7/10 made me reply.

Edited by: wizardskill

Microsoft has a long and dirty history of tactics very similar to this.

It's not "secure boot" itself that is locked to Windows only. This you could fix. It's that W8 demands a locked down "secure boot" (or at last that's what M$ wants). I'm not going to go through all the articles posted here again to find the places this is mentioned as I'm quite busy at the time. It's not hard to find if one reads past the huge amount of "ifs" and "possibilities". It's actually quite a smart move (from a marketing point of view) to couple W8 with a locked down "secure boot". If this holds in Europe has to be seen though. In America you are fucked but maybe in Europe we have a chance against this. Otherwise I'm sure there will be hacks sooner or later to "jailbreak" chained mother boards.