UEFI Secure Boot and Linux: Where Things Stand

Unknown Lamer posted about 2 years ago | from the don't-boot-that-gnu dept.

DRM 521

itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora." itwbennett finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?

521 comments

No one cares (-1)

Anonymous Coward | about 2 years ago | (#40875001)

Can we move on now....

Re:No one cares (2)

lightknight (213164) | about 2 years ago | (#40875021)

Nonsense. People care so long as there is money to be made.

In this case, there isn't much to be made. MS & Canonical have written off the desktop market, and who knows what Apple will be doing next. As such, the lockdowns will continue while the tech sector undergoes decay, up until someone has a brilliant idea that forces the various players to reassess. Since many of them have consulted their crystal balls which say tablets and cell phones are the way of the future, this change is highly unlikely.

Re:No one cares (1)

Heretic2 (117767) | about 2 years ago | (#40875565)

If I use Macs and Linux servers... Should I care?

I care. (2, Insightful)

Anonymous Coward | about 2 years ago | (#40875033)

There are a lot of people who care. Unfortunately there are not enough people making purchasing decisions based on that.

Re:I care. (0)

Anonymous Coward | about 2 years ago | (#40875251)

Isn't not making purchases FOS?

It's freedom, not price that matters. (4, Informative)

Anonymous Coward | about 2 years ago | (#40875509)

If you purchase something purely based on price you are one stupid user. Freedom matters and just because the majority don't understand the issue doesn't mean the lack of freedom isn't harming them.

The lack of freedom causes so many problems. It prevents competition, it prevents compatibility, it prevents upgradability, it makes common applications obscenely and abusively expensive.

Now I'm not saying you shouldn't pay the developers. You should contribute. For most people payment is how one contributes. While selling free software may not work terribly well for developers due to the lack of understanding of what free software is and is not contributory models work fairly well if done right. So do agreements between companies supporting free software like ThinkPenguin and Trisquel. Or Google and distributions/web applications. There are other agreements as well. Such as CDs and merchandise. All of these have value and can and do fund free software development.

Approach no. 4 - Do nothing (2)

jkrise (535370) | about 2 years ago | (#40875019)

Just wait for a while. System admins will find it very difficult to install Enterprise Licensed Windows licenses. MS will be forced to cave in, and provide easy mechanisms to do that for early adapters. Just use whatever technique the local PC vendor guy recommends.

Re:Approach no. 4 - Do nothing (1)

Anonymous Coward | about 2 years ago | (#40875073)

My guess is that UEFI will say "doh, can't find Windows 8!" and then will kick off ye olde BIOS booting sequence. Gotta be able to install Windows XP on these boxes somehow.

Re:Approach no. 4 - Do nothing (5, Insightful)

jkrise (535370) | about 2 years ago | (#40875129)

More than XP, I am thinking different flavours of Windows 8. System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit. That could be a different flavour of 8 or earlier versions of the OS as well. If they can't do it, they will simply ignore Windows 8 and wait for the next version that removes the restriction of Secure Boot.

Re:Approach no. 4 - Do nothing (5, Interesting)

Anonymous Coward | about 2 years ago | (#40875267)

> System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit.

Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.

> If they can't do it, they will simply ignore Windows 8 and wait for the next version

Half right... because this, basically, is wise. The other half is they will harden what they have. Microsoft early adopters and fanbois notwithstanding, Microsoft has done nothing to increase the productivity of the office worker since XP/Server 2003/Office 2003. The pitfalls of XP are well known and huge incident databases have been built: nothing can break that doesn't have an immediate fix. Seven and even Vista is still in the early stages of figuring out all the solutions of all that can and does go wrong. I think any large or medium sized corporations still on the 2003 paradigm are fine and well under the budget expenditure of those idiots that needlessly and irrationally raced to upgrade as long as they are in a rotation of reimaging every XP machine every 4-6 months... if their network infrastructure is resilient to the trouble users can get into, they may never need to upgrade these to new systems until the physical machines and their components cease to function.

Re:Approach no. 4 - Do nothing (5, Interesting)

afidel (530433) | about 2 years ago | (#40875137)

WHAT?!? Secure Boot will do nothing to impede enterprise Windows users. You'll either use Windows8/2012 and have a signed boot loader or use 2008R2/7 and disable secure boot. Btw it would also do nothing to impede enterprise Linux users either, they'd either use a commercial signed distribution or build their own and have the build process install their keys into the TPM chip (trust me, enterprises already deal with crypto from internal PKI to external SSL to drive encryption).

Re:Approach no. 4 - Do nothing (1)

nazsco (695026) | about 2 years ago | (#40875195)

Yeah, because IT departments are known for implementing the most sane and practical solutions for every problem, not the one that advertised itself as the only one available and take CTO to dinner.

Man, I'm glad that means my IT dept will drop Exchange soon..

Re:Approach no. 4 - Do nothing (1)

perpenso (1613749) | about 2 years ago | (#40875377)

> Just wait for a while. System admins will find it very difficult to install ...

I don't think so. I believe MS is requiring the ability to disable the secure boot in BIOS on x86.

So just wait for a while ... and see that nothing has really changed on x86 PC hardware?

Re:Approach no. 4 File complaint to D.O.J. (5, Insightful)

Anonymous Coward | about 2 years ago | (#40875411)

If this is not an example of Microsoft's monopolistic practices I don't know what is.

Re:Approach no. 4 - Do nothing (1)

Anonymous Coward | about 2 years ago | (#40875493)

The license doesn't matter. The enterprise disks will be properly signed and boot securely just fine. The Arch ISO, however, is not signed by MS and will not boot securely.

You don't enter the license key until long after you boot from the CD. I feel like you don't understand the problem at all.

no (0, Troll)

masternerdguy (2468142) | about 2 years ago | (#40875037)

Option 3: Watch MS stock tank as they go out of business.

Re:yes and no (4, Interesting)

FudRucker (866063) | about 2 years ago | (#40875055)

i prefer option 3 too, but...
microsoft won't go out of business but they could very easily marginalize themselves to the point that they are no longer the 800 pound gorilla of the desktop PC market, and more than likely Apple and Linux will grab more userbase, i prefer old school distros like debian & slackware so apple won't be getting any of my money

Re:yes and no (1, Insightful)

hazem (472289) | about 2 years ago | (#40875211)

The problem is the whole "Desktop PC" market is becoming marginalized. Mobile devices are where a majority of computing dollars are going (in the consumer world).

Computers used to be huge and had a whole room dedicated to merely running them. Desktops revolutionized that, but the computer still lived in a specific room and you had to go to that room to do your computing (office or wherever).

The whole idea of going to a specific room to do your computer is going away; at least for average people. Microsoft will be marginalized if it tries to stay in that market, regardless of what it does there.

As an anecdote, my best friend and I both bought the same model of laptop computer a few years ago. I finally had to buy a new one and asked her if she wanted me to try to upgrade her old one (I'm much more of a power-user than she is). She said "sure", but that it really didn't matter that much because she doesn't use her computer much any more because she does everything on her phone now.

I love Linux and have been using it for years, but grabbing up more userbase in the desktop market won't account for much.

Re:yes and no (3, Informative)

ozmanjusri (601766) | about 2 years ago | (#40875329)

> Mobile devices are where a majority of computing dollars are going (in the consumer world).

I think it may be where it's going soon in the corporate world too, especially with BYOD. If so, Ubuntu may be on to something with their Ubuntu for Android kit.

It lets you run your phone/tablet as a portable device, then as a full desktop OS once it's docked with a monitor, mouse and other external peripherals. In the video, they're even showing it running Citrix for some legacy applications.

http://www.ubuntu.com/devices/android [ubuntu.com]

http://en.wikipedia.org/wiki/Ubuntu_for_Android [wikipedia.org]

http://www.youtube.com/watch?v=wzc0uMXGFBY [youtube.com]

Yes. Anecdotal evidence warning: (2)

aussersterne (212916) | about 2 years ago | (#40875505)

Both my wife and my sister have very nice laptops ca. 2009-2010. I used to do an ongoing and significant amount of Windows tech support for both of them.

Nothing in about 2 years. What they have in common: both have iPhones.

I don't live with my sister, so I don't know whether this is absolutely true in her case, but my wife hasn't even opened her laptop in months. I regularly see her using her iPhone for web browsing, Facebook, email, etc. (As in, for several hours a day.) And I have recently done iPhone-related tech support for both (sister: how to upgrade iOS 4 -> iOS 5 to install an app that she needed; wife: replace an iPhone battery that she basically wore out).

I do know that my sister is active on Facebook and she does communicate with me via email, so I'm making the assumption that she and my wife followed basically the same path: get an iPhone and never really use the computer again.

approach #4 (3, Funny)

Cyko_01 (1092499) | about 2 years ago | (#40875045)

Modify ntldr to boot to grub automatically and remove all unnecessary windows components

Re:approach #4 (5, Informative)

epyT-R (613989) | about 2 years ago | (#40875203)

if ntldr is modified, it won't pass the hash check and the UEFI loader won't execute it.

Re:approach #4 (0)

Anonymous Coward | about 2 years ago | (#40875375)

What I don't see anyone mentioning is using ntldr to boot into GRUB or LILO as one of the options. I have done it for an XP system so I don't see why you would not be able to do a similar approach for this secure boot setup. As long as the windows stuff is left intact or modified through windows, I don't see the problem. But, since no one has mentioned it as far as I have seen, there must be something that prevents this

Re:approach #4 (1)

Cyko_01 (1092499) | about 2 years ago | (#40875449)

that is exactly what I was talking about

Re:approach #4 (0)

Anonymous Coward | about 2 years ago | (#40875499)

You can't do that on Windows on phone, so I assume you won't be able to on any other Windows on Arm install, either.

Approach #4 (4, Insightful)

sapgau (413511) | about 2 years ago | (#40875049)

Lawsuit?

He's right you know... (-1, Flamebait)

Anonymous Coward | about 2 years ago | (#40875051)

Linux is completely unusable to the average computer user, so I don't think there is much loss here. Suffering from the same fragmentation as Android and lack of support for so many software companies. No one wants to find stupid workaround back-ass-wards ways to just get their damn computer working.

Re:He's right you know... (1)

Anonymous Coward | about 2 years ago | (#40875387)

The average user thinks the damn PC can only do what they double click on the desktop and has to call tech support when they put the printer on a different USB port. It's not that it's unusable. It's that typically you need someone from IT to get the damn thing into a state where all they have to do is click the icon. With most Windows boxes, they get the PC pre-imaged with all the apps and drivers they want installed and are lost if it's anything otherwise.

Now, for intermediate users, yeah, linux sucks. I just worked for two hours trying to connect to a frigging router because the static IP configuration is so goddamn fragmented in Linux Mint. Is it really so hard to create a xwindows bin that edits /etc/network/interfaces and re-runs init.d/network restart after a change is confirmed? I would just vi the conf in bash, but when I did the thing started pulling a static IP network config from somewhere else, then something kept deleting routes. The supplied GUI apps don't even show the current configuration, much less any new ones entered. WTF?

Re:He's right you know... (1)

FranTaylor (164577) | about 2 years ago | (#40875485)

tell that to all those people using android phones and nook e-readers

my nook tablet isn't fragmented, it's in one piece and it runs all kinds of android stuff just fine despite being a mongrel oddity with zero market share

ubuntu is way easier to install and set up than windows

the only reason windows is "easy" is because it's already installed when you bought the computer

Restrict Government PC Purchases to Open Hardware (4, Interesting)

Anonymous Coward | about 2 years ago | (#40875059)

It seems like the obvious way to block this type of stuff is to pass legislation requiring government agencies to only purchase PCs that are free from such encumbrances. The state and taxpayers benefit from keeping their OS options open on new computer hardware and more importantly they represent a large enough percent of total sales to actually get a proper response from manufacturers.

Re:Restrict Government PC Purchases to Open Hardwa (0)

Anonymous Coward | about 2 years ago | (#40875495)

You realize that governments want locked and signed bootloaders for their systems, right?

Secure Boot won't catch on (5, Insightful)

billcopc (196330) | about 2 years ago | (#40875061)

Approach #4: ignore UEFI Secure Boot. It's a blunt solution to an obscure problem. More importantly, it's such a huge pain in the ass, not just for Linux but for ALL system integrators, that anyone actually preventing the user from disabling Secure Boot will end up limiting their own marketability. Two things will happen:

1. It will be relegated to tiny niches where security trumps usability
2. It will be cracked

This is not an either/or. Both things will happen. This whole fiasco is nothing but a huge waste of time for everyone involved.

Re:Secure Boot won't catch on (2)

Dan667 (564390) | about 2 years ago | (#40875071)

If you have physical access to the hardware it is only a matter of time before it is cracked.

Re:Secure Boot won't catch on (0)

Anonymous Coward | about 2 years ago | (#40875089)

And you're not the only one with that access. Everyone in the world has it. By forcing it down our throats they have only sped its irrelevance.

Re:Secure Boot won't catch on (5, Informative)

Anonymous Coward | about 2 years ago | (#40875383)

In the past, I would have agreed with you, but hardware DRM is getting pretty good:

PS3s took almost five years to get cracked, and new PS3s are immune to any holes in them that were used by GeoHot to bust the thing open in the first place.

Satellite TV has not seen any cracks since the patch several years back which completely fried any "master key" cards.

The iPhone 4s is barely jailbroken with only userland available. This is with the best minds in the world working on cracking the thing.

Most Android phones still have locked bootloaders, which nobody has yet been able to get. Newer Android phones actually have a daemon that looks for root process signatures then "bricks" the phone if found until the firmware is reflashed... and with some devices, the reflash is not available to the public.

So, even though hardware might be in the user's physical control, it nowhere near belongs to the user.

Re:Secure Boot won't catch on (5, Insightful)

FranTaylor (164577) | about 2 years ago | (#40875503)

We used to call them "general purpose computers"

We dropped the "general purpose" part at some point, because it seemed redundant at the time.

Now maybe we need to bring back this term.

These machines you are talking about are not "general purpose" computers at all.

It once again goes to show that the Microsoft slogan is "Where do you want to be taken today"

Security will not catch on (2)

Anonymous Coward | about 2 years ago | (#40875155)

> 1. It will be relegated to tiny niches where security trumps usability

God forbid in this day of malware, server breaches, and root kits, someone should be triumphing that over usability.

Re:Security will not catch on (1)

0123456 (636235) | about 2 years ago | (#40875303)

> God forbid in this day of malware, server breaches, and root kits, someone should be triumphing that over usability.

Indeed. If only people would dump Windows and run Linux, we'd all be better off.

Re:Security will not catch on (-1)

Anonymous Coward | about 2 years ago | (#40875491)

Kernel.org got rootkitted, and it's safe to say they know more about Linux than 99% of us. As soon as there's support, I'll use secure boot.

Re:Secure Boot won't catch on (1)

Mashiki (184564) | about 2 years ago | (#40875501)

Well the proof of concept on how to poison UEFI and inject malware on Macs already exists, someone else can post the link to BH/Defcon if they want, I'm on my phone. So, with that it won't take any time at all to break it, disable it, and smash it into itty bitty pieces. Sure they can patch it, but it won't do any good.

Remember MS and their whole "we're updating the validation service to make it more secure" etc, etc, etc bit? Well I think it took all of about 40 minutes for that to be broken, it wasn't hard. Though legit users continue to have problems with it throwing up "your version of windows is invalid."

Another Approach (4, Interesting)

am 2k (217885) | about 2 years ago | (#40875075)

(Too many #4 here already, so I'll skip the numbering)

What about clustering all Linux enthusiasts' computers together and cracking Microsoft's signing key, SETI-style? I'm not sure about the mathematics there (taking longer than the galaxy will exist, etc.), but maybe it's possible. Or maybe somebody made a mistake and the key is much weaker than it is thought at the moment (see PS3).

Re:Another Approach (3, Interesting)

DaveAtFraud (460127) | about 2 years ago | (#40875121)

What makes anyone think that UEFI will be any more secure than anything else Microsoft releases? Actually cracking the key may take longer than the universe has been in existence but I'm betting dear Microsoft won't do any better at engineering this than anything else. There is probably an easily exploitable hole that doesn't require actually cracking the key.

Cheers,
Dave

Re:Another Approach (0)

Anonymous Coward | about 2 years ago | (#40875157)

From wikipedia:

"The Unified EFI Forum or UEFI Forum ... board of directors includes representatives from eleven "Promoter" companies: AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies."

You were saying something?

Re:Another Approach (3, Interesting)

ozmanjusri (601766) | about 2 years ago | (#40875209)

UEFI and Secure Boot aren't the same thing.

Re:Another Approach (1)

DaveAtFraud (460127) | about 2 years ago | (#40875481)

Ask yourself which of those companies has the most to gain by requiring a secure boot scheme that limits the ability of "bad guys" to root a system and just happens to cripple their primary competitor at the same time?

Cheers,
Dave

Approach #4 (4, Informative)

Anonymous Coward | about 2 years ago | (#40875081)

Disable secure boot.

From http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256:

"Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."

They made disabling secure boot required for the Windows logo on x86 (while probably worried about the threat of an antitrust investigation).
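To check what state a machine is actually in after using the firmware-setup switch quoted in the comment above, here is an added example (not part of the original thread) that reads the `SecureBoot` and `SetupMode` variables Linux exposes through efivarfs. The function names and the sample byte strings are constructed for illustration; the GUID, attribute bits and file layout are the standard UEFI/efivarfs ones.

```python
"""Report UEFI Secure Boot state from Linux efivarfs (added example)."""
import struct
from pathlib import Path

# GUID of the EFI global variable namespace, defined by the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Standard efivarfs mount point on Linux.
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# UEFI variable attribute bits.
ATTRIBUTES = {
    0x1: "NON_VOLATILE",
    0x2: "BOOTSERVICE_ACCESS",
    0x4: "RUNTIME_ACCESS",
}

# Constructed sample file contents: 4-byte attribute word, then one data byte.
# 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS (volatile: set by firmware each boot).
SAMPLE_SECUREBOOT_ON = bytes.fromhex("0600000001")
SAMPLE_SECUREBOOT_OFF = bytes.fromhex("0600000000")
SAMPLE_SETUPMODE_USER = bytes.fromhex("0600000000")
SAMPLE_SETUPMODE_SETUP = bytes.fromhex("0600000001")


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a little-endian uint32 of attributes.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def attribute_names(attrs):
    """Decode the attribute word into the names of the bits that are set."""
    return [name for bit, name in sorted(ATTRIBUTES.items()) if attrs & bit]


def _flag(raw):
    """Return the single-byte value of a boolean variable, or None if absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a one-byte boolean variable")
    return data[0]


def secure_boot_state(secureboot_raw, setupmode_raw):
    """Classify the platform from the raw SecureBoot and SetupMode files.

    Returns one of: "unsupported", "setup-mode", "enabled", "disabled".
    """
    secure_boot = _flag(secureboot_raw)
    setup_mode = _flag(setupmode_raw)
    if secure_boot is None:
        # Legacy BIOS boot, or firmware without Secure Boot support.
        return "unsupported"
    if setup_mode == 1:
        # No platform key enrolled: nothing is being enforced.
        return "setup-mode"
    return "enabled" if secure_boot == 1 else "disabled"


def read_var(name, root=EFIVARS_DIR):
    """Read a global EFI variable from efivarfs; None if it cannot be read."""
    try:
        return (Path(root) / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None


if __name__ == "__main__":
    state = secure_boot_state(read_var("SecureBoot"), read_var("SetupMode"))
    print(f"Secure Boot: {state}")
```
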

Re:Approach #4 (1)

lister king of smeg (2481612) | about 2 years ago | (#40875185)

I wonder, will that allow booting of Fedora or Ubuntu, which are having their distros signed by Microsoft, to boot on ARM hardware? Anyone else know? I would really like to have an Ubuntu tablet and that seems like a cheap way.

Re:Approach #4 (2)

ozmanjusri (601766) | about 2 years ago | (#40875229)

Just buy an Android one next year. It looks like you'll have the best of both worlds.

http://www.ubuntu.com/devices/android [ubuntu.com]

http://en.wikipedia.org/wiki/Ubuntu_for_Android [wikipedia.org]

http://www.youtube.com/watch?v=wzc0uMXGFBY [youtube.com]

Re:Approach #4 (-1)

Anonymous Coward | about 2 years ago | (#40875357)

You're masochistic...
You need to do more with a computer than just smile smugly and say "i'm running xyz cool thing". ... Okay.. maybe *you* don't...

Re:Approach #4 (0)

Anonymous Coward | about 2 years ago | (#40875295)

Don't know but I'd doubt it as that would negate the whole point of not allowing secure boot to be disabled or other public keys to be installed on ARM.

Re:Approach #4 (1)

flimflammer (956759) | about 2 years ago | (#40875253)

No kidding. Where is the issue when you can just do this? You'd think the general population of people who will be loading their boxes with alternate operating systems could figure this out.

Re:Approach #4 (-1, Flamebait)

bhcompy (1877290) | about 2 years ago | (#40875371)

This is a problem because Microsoft insists on a unified platform. The reality is that SecureBoot is only a forced "feature" of Windows RT(that is, Windows 8 on ARM devices). It's also a problem because linux circlejerkists on /. are retards who don't know how to read, as well.

Re:Approach #4 (3, Insightful)

0123456 (636235) | about 2 years ago | (#40875389)

Yes, because Microsoft would never, ever, even possibly ever imagine thinking of making it compulsory on x86.

Re:Approach #4 (1)

Anonymous Coward | about 2 years ago | (#40875515)

Which is great for x86. They require you can't disable it on ARM, though. So that's still a problem there.

This is why I hate Microsoft (5, Interesting)

theRunicBard (2662581) | about 2 years ago | (#40875095)

They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.

Re:This is why I hate Microsoft (1)

nazsco (695026) | about 2 years ago | (#40875213)

And safeboot won. Thanks to Ubuntu having too much money.

Now it will be one more pain to buy new machines. Will have to scavenge model numbers known to have a correct implementation... Which will be rare.

BUT MOMMY, TIMMY WAS DOING IT TOO! (2)

bmo (77928) | about 2 years ago | (#40875115)

> Why is everyone so quick to accept the corpse of TCPA in new clothes?

Only softies and people who don't know any better do. Pointing at Apple and saying they lock their phones and tablets too ignores the fact that what they do is also wrong. It's like Timmy beating up Bobby on the playground, and when you beat up Bobby, you point at Timmy and say "well, he was doing it too!"

The rest of us want to punch people in the face for even suggesting TCPA 2.0

--
BMO

Re:BUT MOMMY, TIMMY WAS DOING IT TOO! (0)

Anonymous Coward | about 2 years ago | (#40875265)

If this were to take hold though, you realize the most open computer platform might turn out to be Apple? They've been pretty helpful in allowing people to boot other OS's on their computers, going so far as to sanction Boot Camp as an official OS utility.

Re:BUT MOMMY, TIMMY WAS DOING IT TOO! (1)

Anonymous Coward | about 2 years ago | (#40875271)

> Why is everyone so quick to accept the corpse of TCPA in new clothes?

> Only softies and people who don't know any better do. Pointing at Apple and saying they lock their phones and tablets too ignores the fact that what they do is also wrong. It's like Timmy beating up Bobby on the playground, and when you beat up Bobby, you point at Timmy and say "well, he was doing it too!"

And what exactly is wrong with that reasoning? Bobby is a punk. He had it coming.

Federal requirement (0)

Anonymous Coward | about 2 years ago | (#40875523)

It's actually a federal requirement. But everyone is hush hush about it in public because it's under some kind of 'national security' order; it's a pretty open secret among those of us working on PC firmware.

Re:Federal requirement (0)

bmo (77928) | about 2 years ago | (#40875567)

Citation needed.
--
BMO

Grub replacement. (0)

Anonymous Coward | about 2 years ago | (#40875117)

I wouldn't mind replacing Grub with Windows 8 if it boots faster.

Re:Grub replacement. (2)

lister king of smeg (2481612) | about 2 years ago | (#40875205)

um, grub is a bootloader not an operating system, and windows 8 is an operating system (the operating part is disputable) not a bootloader. the windows bootloader can't boot any operating systems other than other versions of windows. your comment does not make any since.

Re:Grub replacement. (1)

sjames (1099) | about 2 years ago | (#40875373)

He may be referring to loadlin [wikipedia.org] , a very old 'bootloader' that booted Linux from within Windows, effectively using it as a bootloader. However, it only ran on the Dos based Windows, not the NT based versions.

Re:Grub replacement. (0)

Anonymous Coward | about 2 years ago | (#40875453)

> your comment does not make any since.

Parsing error near EOF.

Approach #99: Hyperbole (1)

Anonymous Coward | about 2 years ago | (#40875131)

- Buy computer
- Disable Safe boot ( http://www.howtogeek.com/116569/htg-explains-how-windows-8s-secure-boot-feature-works-what-it-means-for-linux/ )
- Install whatever you like and not worry about certificates or exaggerations of doom

Re:Approach #99: Hyperbole (2)

syockit (1480393) | about 2 years ago | (#40875285)

Either (a) you don't treat an ARM tablet as a computer, or (b) you didn't read the ARM part.

Re:Approach #99: Hyperbole (0)

Anonymous Coward | about 2 years ago | (#40875305)

Considering the 0% market share of Windows RT tablets, I don't think Microsoft is worried about complaints. It's Apple where you should be looking about ARM tablets and alternative OS's.

Flash the BIOS (4, Interesting)

bky1701 (979071) | about 2 years ago | (#40875135)

We already have hacked BIOSes for far more irrelevant reasons than this. I expect it to become a common thing to just wipe secure boot from the system entirely if this is a problem.

Re:Flash the BIOS (3, Interesting)

Anonymous Coward | about 2 years ago | (#40875275)

They are almost certainly going to be requiring signed firmware images on any Win8 Logo'd hardware so no you won't be hacking the BIOS so simply.....

Frankly from a security standpoint what they are proposing makes sense. they aren't even receiving any money from the likes of Ubuntu or RedHat if they choose to use this system. Yeah, it might be painful and it's certainly different but it makes security sense if done right. Had some sort of international consortium come up with this and Microsoft joined in would we be so upset? Oh wait that sort of did kinda' happen....

Will be very interesting to see how this plays out for sure!

P.S. Anon to preserve my moderations...

Won't Win8 compatible be enough? (0)

Anonymous Coward | about 2 years ago | (#40875437)

I know some OEMs (e.g. motherboard manufacturers) are already advertising Win8 "compatibility". Why do we have to assume that OEMs would die to be Win8 "certified" rather than merely being "compatible"? From what I've read about Win8, it appears the OS should be installable even on machines running only plain old BIOS. Or is Microsoft so stupid as to prevent Win8 from installing in virtual machines. If so, what's the point of Microsoft contributing copious amounts of code to the Linux kernel?

Anon because I'm too lazy to log in.

Wait wait... (2)

Mathias616 (2612957) | about 2 years ago | (#40875171)

People are going to use Windows 8?

Re:Wait wait... (0)

Anonymous Coward | about 2 years ago | (#40875277)

My Windows programmer friend is thinking this is the best thing since sliced bread he can write his code once and it will work on anything... I just laughed and said what about XP users and Window 7 users you know the majority of users.

Re:Wait wait... (1)

pipatron (966506) | about 2 years ago | (#40875391)

> My Windows programmer friend is thinking this is the best thing since sliced bread he can write his code once and it will work on anything.

Like Java...

Re:Wait wait... (1, Funny)

epyT-R (613989) | about 2 years ago | (#40875315)

I will. It's an awesome operating system... since I spend 95% of my time in the start menu I'm glad they made it full screen and interactive.. it's like a video game!

Re:Wait wait... (1)

Darinbob (1142669) | about 2 years ago | (#40875425)

No, but people will eventually be purchasing new computers. Presumably these computers will be "Windows 8 Ready" and include UEFI, probably with Windows 8 preinstalled.

I'm confused (1)

sayfawa (1099071) | about 2 years ago | (#40875193)

I thought this would only be a problem for people who are afraid to muck around in their BIOS. The situation is that even tech-savvy users can't turn this shit off?

Re:I'm confused (1)

0123456 (636235) | about 2 years ago | (#40875319)

> I thought this would only be a problem for people who are afraid to muck around in their BIOS. The situation is that even tech-savvy users can't turn this shit off?

1. That makes life painful for non-techies who want to install Linux and can currently just boot from a CD or USB installer with no BIOS changes.
2. As soon as Microsoft can demand that this be made compulsory, they will.

Oh, sorry, I forgot 'the slippery slope is a logical fallacy', so Microsoft couldn't possibly ever do that.

Re:I'm confused (0)

Anonymous Coward | about 2 years ago | (#40875395)

No.

Approach #4 (0)

Anonymous Coward | about 2 years ago | (#40875197)

Enter CMOS setup and disable secure boot. Virtually all retail channel boards will have this option, and a good number of OEM systems will too. Most OEMs sell systems of one type or another that run Linux. Geez, Steven is such a drama queen.

Re:Approach #4 (1)

jamesh (87723) | about 2 years ago | (#40875307)

I haven't read TFA but I assumed it was about ARM, in which case solution #4 is "buy x86". If TFA is about x86 then the author is an idiot. An article about how this could be the start of a slippery slope might be better, but unless something has changed since I last read the MS literature, disabling secure boot is an easy solution.

And given how easy rooting an Apple phone has been, I can't imagine that rooting UEFI will be any more difficult.

#1b: an Open UEFI Foundation for ALL DISTROS (1)

flankenstein (2663903) | about 2 years ago | (#40875223)

> "Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu."

: : : : : :

Approach #1B:
Instead of limiting it to your distro, let ALL distros share a central Secure Boot key infrastructure. Set up an open foundation to manage it.

Re: #1b: an Open UEFI Foundation for ALL DISTROS (2)

nyet (19118) | about 2 years ago | (#40875273)

And what if I want to run my own bootloader and kernel, on a machine I own?

Re: #1b: an Open UEFI Foundation for ALL DISTROS (2)

vux984 (928602) | about 2 years ago | (#40875511)

Then install your own key or disable secure boot. What else could you possibly expect to do? Secureboot isn't an issue for anyone running their own bootloader and kernel.

something better happen (0)

Anonymous Coward | about 2 years ago | (#40875243)

I hope some solution arises, because detaching open source from the PC pipeline, that is, only being able to run Linux and other open source operating systems on special hardware, will make it much more expensive, as well as preventing reuse for Microsoft-obsoleted hardware.

They have it backwards (0)

Anonymous Coward | about 2 years ago | (#40875291)

Microsoft should be the one following the lead of the Linux/BSD distros for what bootloader should be standard. Microsoft is the OS of hacker choice, the worst with security and the slowest one to update. Why should the more secure systems have to implement what Microsoft thinks should be implemented? It's not like they have the most impressive track record when it comes to security and speed of patching breaches.

Besides, really if someone has physical access to your machines anyways you are pretty much ... well for lack of any better term... you're fucked!

Approach 4 (0)

Anonymous Coward | about 2 years ago | (#40875311)

dump windows fully

Chrome OS Method (1)

GeXX (449863) | about 2 years ago | (#40875343)

How about manufacturers do what Chromebooks do and have a switch that flips between secure boot & standard, best of both worlds..

Just so true (0)

Anonymous Coward | about 2 years ago | (#40875381)

I know Cathy Malmrose, and she is what I would consider a friend - we met and shared a couple of meals at the Linux Collaboration Summit 2 years ago, and again in Chicago at the Flourish open source conference at the University of Illinois Chicago campus last year. Her comments on this issue are spot on. Allowing MS to dictate the terms under which people can use their personal computers is, in my opinion, an egregious violation of our rights, and MUST be resisted at all levels - personal, corporate, and legal.

News: Microsoft abuses major rival (0)

Anonymous Coward | about 2 years ago | (#40875413)

For many years they have been doing everything, legal or otherwise, to stop people from using other OS's.

This is one of the reasons they are loathed by people all over the world. Also, they are working with hardware manufacturers to make it so other companies have to pay Microsoft to work on a basic hardware level.

EU vs monopolistic behaviour? (5, Interesting)

Richard_J_N (631241) | about 2 years ago | (#40875415)

Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed Netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?

ROFL at you (-1)

Anonymous Coward | about 2 years ago | (#40875553)

> Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed Netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?

Hey, how's that hopey/changy thing working for you?

I know I'm an AC, but for those of you modding me down solely because of it, remember, it doesn't change the fact that you (yes you, you know you did) foolishly gave your trust to a guy that allowed MS, a multi-billion dollar company (one worth watching) to do this to you... you useful idiot, you.

Hey, BTW, there's another election coming up. Now remember, same story as last time, Obama is looking out for your interests, and that rich guy Republican is just a greedy rich guy. Now get out there and vote like we know you're going to.

(Keep modding me down, it doesn't change how you're going to vote)

Re:ROFL at you (0)

Anonymous Coward | about 2 years ago | (#40875589)

Read this [macworld.com], and this [nytimes.com], and maybe learn a little something The Who taught us about bosses a long time ago.

Just sign your bootloader... (2)

Rich0 (548339) | about 2 years ago | (#40875441)

The MS specs require any MS-certified firmware to allow the user to load their own keys. So, if you want to install Linux, just generate your own keypair, use it to sign any OSes you want to boot, and install it as a trusted key in your firmware.

Voilà, you can still use secure boot, and you can boot whatever you want, and as a bonus not even MS can install something on your hard drive and have it be bootable.

Or you can just disable secure boot.

Distros should just make it easy for users to sign their bootloaders. This should be easy for distros that have the user manually install grub/etc. Or the distro could just supply a pre-signed bootloader and a key for the user to load into their firmware.
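The keypair-and-sign procedure described in the comment above, as an added example that is not part of the original post: it assumes `openssl` and the sbsigntool utilities (`sbsign`, `sbverify`) are installed, and the file names and certificate CN are placeholders. Enrolling the certificate in firmware is vendor-specific and is left as a manual step.

```shell
#!/bin/sh
# Added example: owner-controlled Secure Boot signing (openssl + sbsigntool).
# File names and the certificate CN are placeholders chosen for this sketch.

# Create a self-signed RSA-2048 key pair in directory $1.
make_owner_key() {
    dir=$1
    ( umask 077   # the private key must not be readable by other users
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=Example owner Secure Boot db key/" \
          -keyout "$dir/db.key" -out "$dir/db.crt" 2>/dev/null ) || return 1
    # DER copy of the certificate, a form many firmware setup screens import.
    openssl x509 -in "$dir/db.crt" -outform DER -out "$dir/db.cer"
}

# Succeed only if db.key and db.crt in $1 carry the same public key.
key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/db.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/db.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Sign EFI binary $2 with the key pair in $1, then verify the result.
sign_loader() {
    dir=$1
    loader=$2
    sbsign --key "$dir/db.key" --cert "$dir/db.crt" \
        --output "$loader.signed" "$loader" &&
        sbverify --cert "$dir/db.crt" "$loader.signed"
}

# Usage: sh sign-loader.sh KEYDIR LOADER.efi
# Afterwards enrol KEYDIR/db.cer as a trusted key in firmware setup; that step
# is vendor-specific and is not scripted here.
if [ "$#" -eq 2 ]; then
    make_owner_key "$1" && key_matches_cert "$1" && sign_loader "$1" "$2"
fi
```

Keep `db.key` off the machine it protects where possible: anything that can read it can sign a loader the firmware will accept.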

Re:Just sign your bootloader... (2)

FranTaylor (164577) | about 2 years ago | (#40875573)

You say "just" for things that require a second computer

Not so easy for the teenager who is mowing lawns and raking leaves to buy a computer to learn programming.

Now these kids are locked out of the Linux experience because they don't have the resources to "just do" the stuff you find so trivial.

Does it matter? (0)

Anonymous Coward | about 2 years ago | (#40875465)

Won't this be hacked the day it comes out?

Oracle is in on this (1)

FranTaylor (164577) | about 2 years ago | (#40875517)

Did you hear Oracle's latest pronouncement that they really don't care about x86 at all, they are much more interested in SPARC?

Maybe this is because they know that Microsoft is making it hard for Solaris to run on x86 also.

If they abandon the platform and move exclusively to SPARC then they don't have to worry about Microsoft any more.

Mixed messages from Microsoft (1)

FranTaylor (164577) | about 2 years ago | (#40875529)

Windows 8 gives the distinct impression that the desktop is just not so important to Microsoft any more

and yet they double down on their paranoia about competition on the desktop!

Really! They could care less about the desktop and they don't want anyone else to be there either! So weird.

what's the value to the user? (2)

FranTaylor (164577) | about 2 years ago | (#40875549)

Forgotten in all of this is that there is no actual value added for the user in all this.

When it's all said and done, from the user's point of view, it's a step backward in usability and utility without providing ANY extra security for the user's data.

Think about it: for an actual boot-sector virus to work, it has to break into your computer already. Well since it's already broken in, why does it need the boot sector? It can just break back in using the same mechanism it used in the first place. Secure boot gets you no extra security.

Notice that Windows had to mandate this, is there any clamor from the user base for computers that are more difficult to use?

Are people illiterate? (0)

Anonymous Coward | about 2 years ago | (#40875557)

#1 Being able to disable SecureBoot is mandatory on x86 = good. It's like having your cake and eating it. Signed bootloader so you know it's secure and being able to do what you want.....perfect

#2 Windows 8 is perfectly fine, it gets stuff done, improves on 7 and is easier to use....our testers find going from xp to 8 easier than seven osx, I especially like the new start menu, only thing missing is that the start key brings you to desktop when in the start menu.

#3 The lockdown is on WindowsRT, e.g. tablets. I don't see anyone being able to put android on the ipad/phone or saying that you should be able to run ios on the galaxy tab. No one is thinking of suing rim to get android on the playbook.

#4 The surface pro looks SWEET, we convinced our high management to wait for Win8 tablets to replace their macbook airs as we have great trouble meeting the demands. Basically they want the win7 integration in our Windows Environment with the OSX gui. They call us the most (why the fuck is it impossible to access a hidden share on mac????). I'm happy that they look pleased with their win8 dual boot
