FSF Campaigns Against Windows 8's Secure Boot

[Vladislaus]

[citation][nom]Zanny[/nom]I know this is trollbait and all, but I just want everyone else reading this comment thread to know the reason the FSF is protesting this is that it basically does what Apple does with mac hardware, where the bios doesn't allow for any OS except OSX (in this case, windows) to boot, and since M$ is pushing EUFI in Windows 8, and most hardware manufacturers are swapping to it, all it takes is a little illicit pocket change from M$ to get asus msi etc to just take the secure boot toggle out of their BIOSes on preinstalled windows boxes.Every linux user now would not care the difference, we could flash the bios and do whatever we wanted, and we wouldn't get a system with Windows preinstalled. But for every Joe Shmoe computer user, this basically removes the ability to OS switch completely. And when it comes to laptops, without a unified component standard like ATX is for desktop we cant custom build laptops so we have to go through 3rd party distributors that M$ can buy out to preinstall windows 8 with secure boot disasbled and it will be a pain to reflash the bios.[/citation]
No, you can completely remove Mac OS from a Mac computer and install other OSes without using bootcamp.

 

[Wamphryi]

The rootkit threat is a very real one and it is evident that a hardware solution offers benefits that may assist in protecting PC users from themselves and others. What needs to be remembered is that the Enthusiast crew make up a small percentage of total users. A large number of on line PC's are unwitting members of Botnets which are used to initiate Denial of Service attacks, Spam, illegal pornography and monetary fraud. These activities degrade the services that we all require in our daily PC use. The threats to Internet integrity and E Commerce and the safety of the average user cannot be ignored. As long as the options remain for the Enthusiast then Secure Boot is an acceptable option. Enthusiasts must remember that the average user is responsible for the sale of most PC hardware and without those sales we would paying a lot more for our hardware. As the average consumer also pays for their product the industry must provide for them also.

 

[deanjo]

[citation][nom]back_by_demand[/nom].Totally agree, have Windows on one hard drive, Linux installed on another, it's not like it is difficult.[/citation]

Having OS's on different hard drives has zero effect on this. If signing is turned on in the bios it does not care which drive the OS is loading from. If the OS is unsigned it will not boot.

 

[sykozis]

[citation][nom]mykem[/nom]The reality is that no motherboard manufacturer in their right mind would leave out the option to disable secure boot, as this would restrict the computer to Windows 8. No previous version of Windows, no versions of Linux... nothing else could be used on that computer. The customer outcry would be deafening. There is no incentive to leave this option out of the BIOS.
citation]
The reality of it is that IF the motherboard makers remove the ability to install any OS but Windows, without proper and vividly public notice, they'll be at the mercy of the courts as will Microsoft.

Microsoft has already been told, very clearly, by the US Department of Justice that IF they do anything to hinder fair competition in the OS market, they will face Anti-Trust charges. Enforcing "Secure Boot" to the extent of blocking other operating systems would prevent "fair competition"....

 

[alcalde]

[citation][nom]back_by_demand[/nom]Here's the thing, why don't they wait until these new SecureBoot systems are in place, then modify the next version of the distro to be compliant with the required standards?Wringing your hands that you are unable to install a 5 year old version of Ubuntu on a cutting edge bit of secure hardware is a bit of a stretch isn't it? Work with the industry, not against it.[/citation]

I'm afraid you (and a lot of the posters here) don't understand the issue. There is no "standard" to be compliant with. The UEFI will contain a public key of Microsoft's. Windows 8 boot files will be signed with the private key of Microsoft's. Some mathematical magic gets done, and if the the proper results on the boot file aren't obtained, it is not allowed to boot. Think of it like a checksum.

These machines will ship with Microsoft's key in the UEFI. That means that boot files that aren't signed with Microsoft's key simply can't boot on the machine. This includes all older versions of Windows! (Which is probably the secret secondary reason Microsoft loves secure boot - Win7 can't become the new XP if Win8 becomes the new Vista).

If the system's motherboard doesn't give the user the ability to turn secure boot off, they can't boot Linux, Windows XP or anything else other than Windows 8 or above. If the user can't change the key(s) in the UEFI, they can't even add keys from Linux vendors like Canonical, Red Hat or Attachmate even if they decided to sign their OS boot files too.

Now do you see the problem?

Here's a key point to consider: Microsoft could not have missed this fact when deciding to require secure boot for Windows 8 logo certification (in effect, forcing all OEMs to include it or perish in the marketplace). If their intentions were solely about protecting Windows from viruses, they could have added the requirement for either secure boot to be turned off and/or the user to add additional keys into the logo requirement. They chose not to. That alone sends a wink-wink, nudge-nudge to OEMs about whether Microsoft wants them to include those features or not. The fact that Microsoft's replies about this issue have been incredibly coy, batting eyelashes and big smirks on their faces as they say they're simply giving maximum freedom to OEMs and complaining that others want PCs to have rootkits also diminishes the benefit of the doubt many initially afforded them. Again, I don't think the motivation is Linux; it's forced upgrade cycles (buy a new PC, be forced to use Win8 and Metro UI because secure boot won't let Win7 run on it - which they can also smirk and wink about and blame the OEM when it happens).

As ZDNet's Adrian Kingsley-Hughes has pointed out, OEMs often do inexplicable things with their BIOSes, including disabling virtual machine extensions with no ability to turn them on in the BIOS. Anyone who has a laptop can probably attest to the fact that most offer unbelievably paltry BIOS settings. Adrian rightly argues that regardless of your OS of choice, you should be able to use the OS you want on a PC you buy, and although he is an (up-to-date version of) Windows user, he signed the petition.

This isn't about fanboyism, and it isn't about secure boot (which is actually a nice feature). It's about giving up control about what can boot on your system (including drivers) to another company. All of the claims that "OEMs surely won't..." are just that... claims, hopes and wishes. It'll be too late if and when major OEMs ship PCs with secure boot locked on with unchangeable keys. All users need to speak up now and let OEMs know that they won't purchase systems where secure boot can't be turned off or keys can't be changed. This is about control over your own hardware, a cause I'd think the techno-geniuses that read Tom's could all get behind. Please sign this petition (and more importantly, agree not to support OEMs that don't allow end users OS/driver freedom).

 

[CyberAngel]

UEFI+Win8
Finally something that can keep that dreadful virus (or RootKit?)
from the icy Finland away from my PC - what was it called?
Penguin?

 

[dormantreign]

Meh, Windows 8......ill stick with 7 seeing i'm just starting to get happy with it and my move from xp.

 

[zybch]

Odd how nobody jumped on this same bandwagon when Google have done pretty much the EXACT SAME THING with their chromebooks, isn't it.
There is no current way to install a different OS on your expensive and limited toy chromebook, and yet we haven't seen any ignorant idiots whining about that have we.

 

[PreferLinux]

[citation][nom]lockhrt999[/nom]Well I've installed grub many times but if you want to add an option for booting into win 8 to GRUB it's not that straight forward.[/citation]
Actually, it is very easy. Add the following to the configuration file, assuming you are allowed to modify it (changing hd(0,0) to the appropriate values):

title Windows
rootnoverify hd(0,0)
chainloader +1

 

[randomizer]

To those saying that this is not a problem because there are workarounds: you're missing the point. There shouldn't need to be workarounds to install an alternative operating system, even if that operating system is another version of Windows. This isn't swapping out low-level firmware, this is just a restriction on the middleware which you can run unless you have the know-how to get around it. Sure, it's not difficult, but the FSF isn't going to support any added hoops to free use of the hardware that you own.

This is a whole different argument to the anti-piracy rubbish. You didn't licence the hardware, you bought it. You own it. At least you should own it.

[citation][nom]mykem[/nom]The other reason is that if the open source movement were smart, they too would integrate secure boot into Linux, since any OS that doesn't support it is vulnerable to rootkits.[/citation]

They certainly could, but the private key would need to be public, because otherwise it wouldn't be compliant with the GPL. That kind of defeats the purpose of it.

[citation][nom]zybch[/nom]Odd how nobody jumped on this same bandwagon when Google have done pretty much the EXACT SAME THING with their chromebooks, isn't it.There is no current way to install a different OS on your expensive and limited toy chromebook, and yet we haven't seen any ignorant idiots whining about that have we.[/citation]

How many people run Chromebooks? Not enough to cause a ruckus, that's for sure. I'm certain that if you asked the FSF what their opinion is on Chromebooks, it would be no different than here.

 

[alcalde]

[citation][nom]zybch[/nom]Odd how nobody jumped on this same bandwagon when Google have done pretty much the EXACT SAME THING with their chromebooks, isn't it.There is no current way to install a different OS on your expensive and limited toy chromebook, and yet we haven't seen any ignorant idiots whining about that have we.[/citation]

Your use of the term "ignorant idiots" reflects much more upon yourself than upon those you call out.

A Chromebook is a piece of hardware from Google designed to run Chrome OS. People are buying them specifically to run Chrome OS. Microsoft is a software maker with monopoly status. It is using its logo certification to dictate a design change to essentially all OEM PCs. As the Red Hat engineer who first called attention to this issue pointed out, no one else could do that. Red Hat, a billion dollar company, couldn't get all OEMs to do something. Google couldn't do that. Even Intel couldn't do that. Only Microsoft could do that.

People are not complaining about not being able to run another OS on Chromebook because 1) Chromebooks don't even have more than 16GB of storage and probably couldn't even effectively run a non-cloud-based OS, 2) they don't have to buy a Chromebook to run another OS on a stripped-down netbook. You could pay less for a better-speced netbook if you wanted to do that.

Microsoft's Windows 8 certification program affects all OEM PCs that will be Windows 8 certified, which is essentially all of them. This isn't an issue about one OEM manufacturer like Dell or HP... this is the entire industry. If OEMs don't enable the user to have control over the boot process, there'll be no way to buy a PC to run that alternate/older OS. People shouldn't need to build their own PC to do so... and who can build their own netbook, laptop or tablet?

That's why this is so much bigger than a niche cloud-based OS stripped-down netbook targeted primarily at businesses and schools (which would want to prevent people from running other OSes on it).

 

[zmanfx]

[citation][nom]xenol[/nom]Apple does this already. It's a combination of requiring UEFI (which most PCs don't have) and Intel's TPM chip. I think.[/citation]

incorrect on both counts, not to mention missing the point. Macs use EFI, not UEFI. Also, Macs don't use their TPM chip for copy protection: http://osxbook.com/book/bonus/chapter7/tpmdrmmyth/ missing the point because macs can use other operating systems as they please, even Linux.

 

[ano]

a better title would be "FSF trolling, again" !