Linux Foundation Offers Solution for UEFI Secure Boot 308
Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome:
"The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system."
The announcement adds, "The pre-bootloader will employ a 'present user'; test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
So why even bother with secure boot (Score:5, Insightful)
As per subject
Re:So why even bother with secure boot (Score:5, Interesting)
Exactly. Malware authors can use this. So we've come full-circle and only gained a big heap of complexity. Which is the best we could hope for once this idiotic idea got going.
Re:So why even bother with secure boot (Score:5, Insightful)
Exactly. Malware authors can use this.
Not if everything in the startup chain has to be correctly signed ... something which a malware author can't do.
Re:So why even bother with secure boot (Score:4, Interesting)
They didn't seem to have any problem setting up boot sector viruses without UEFI secure boot, so if they can get a signed bootloader, why should they now? And signing the startup chain will remove even MORE user freedoms, it's a chicken-and-egg problem that won't end until the OS is at least as locked down as iOS.
Re: (Score:3, Interesting)
So the real value would seem to be found in upping the time, hardware, and interest requirements.
What could well happen is that, in making Windows really painful to integrate with other systems, Redmond kills their sales.
And wouldn't that just suck Puget Sound dry?
Re:So why even bother with secure boot (Score:5, Informative)
Not exactly, it was signed with a weak key produced by one of their remote desktop solutions that allowed licensing of components. Microsoft has since revoked those keys and bumped up the minimum allowed key size to stop this in the future. This was NOT a case of someone stealing a Microsoft key left in the parking lot.....
Re:So why even bother with secure boot (Score:4, Informative)
You seem to be assuming that the root for both key paths will be the same, somehow I doubt a key used to sign apps for a remote desktop application of any flavor is going to be allowed to sign bootloaders. It also seems you do not understand exactly how the other key came about, someone didn't just steal a Private key laying around. It's not "a" key but "THE" key that's required.
You might also want to figure out that Microsoft is NOT the signing authority for the key being used here. The Microsoft key is being used only because it's a widely distributed key and Microsoft has apparently agreed to allow it's use for others but if they refuse it's possible to have the CA sign another root. Unfortunately that Public key would be far less likely to be as ubiquitous as the Microsoft key. As it stands right now I see no reason why Microsoft wouldn't allow the signing with this key, it has protections built in to prevent malicious usage.
There will be no myriad of CA signing with the Private key to be hacked, Microsoft will have their Public key distributed far and wide in hardware. They will retain the ability to sign their code and the Root will apparently be able to sign other approved code that will leverage the same Public key. This way Linux kernels COULD be signed and use this key embedded in hardware if desired. Some distro are apparently looking to go that way. However kernels change and are sometimes custom so this shim was created and will be signed by this group to sidestep the hassle. They are getting signed by a key given to them that descends from the Microsoft key. I would bet that a revocation process does exist but I doubt it's a very smooth one.
Note that Verisign not Microsoft gets the fees from this process, they are the CA handling this.
Re:So why even bother with secure boot (Score:4, Insightful)
Re:So why even bother with secure boot (Score:5, Interesting)
And what will the average noob user do? Hit Enter to use their computer or use a Windows recovery disk* to fix the bootloader? And if they do hit Enter and the computer apparently works fine, what do you think they'll do then?
*Not sold with many PCs, must be burned from the hard disk
Re:So why even bother with secure boot (Score:5, Funny)
Become a Linux user?
Re:So why even bother with secure boot (Score:5, Insightful)
And I'd be really fucking pissed off if my Linux PC required a user present at the console to reboot. Seriously, how is this a fix?
Re:So why even bother with secure boot (Score:4, Interesting)
Here we go with the hyperbolics without even RTFA'ing. You can choose to install the key in the store when UEFI is in setup mode so that you don't see the prompt again.
http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source [linuxfoundation.org]
Or just fricking turn off secure boot.
Re:So why even bother with secure boot (Score:5, Interesting)
Because it is a fix for those who cannot or will not use the alternative of entering their own list of acceptable signing keys into the UEFI, which would not require a user present but draws a great hue and cry that it is "too complex" for the average Linux user to accomplish.
1. Enter your keys into the UEFI key list, walk away; or
2. Have a user present to acknowledge that they want to boot unsigned/signed-but-not-entered code; or
3. Don't use a UEFI PC; but not
4. Prevent the rest of the world from having access to a secure boot chain because you refuse to lift a finger yourself
Re:So why even bother with secure boot (Score:5, Insightful)
Take it easy dude. Let's try to remember what this whole thing is for.
For all the bitching about secureboot, all currently known (yes, this can change) x86 machines which come with it, allow the user to turn it off. Remember the last 4 times you bought a new computer and, in fact, did diddle with stuff in the firmware, maybe to at least check the timings on your expensive Mushkin memory or whatever? Well, then, this whole article and the software it describes, isn't about you because you're going to turn off secure boot, making every aspect fo this boot loader irrelevant. You won't care about pressing enter, because you won't have to press enter.
This is for users who won't do that. This is for people who are dumber or lazier than your grandma's ditzy bridge partner, for which we do not expect them to follow any directions or do anything "extra" prior to using their computer. They're not installing headless servers. They're not "picky" except in the sense that they don't want to have to read or understand anything longer than one sentence. They can, and will, press enter.
The people who are opinionated enough to be "pretty fucking pissed" about pressing enter, will also tend to care enough to do what is needed in order to make pressing enter become unnecessary.
If there are any people left who become furious about pressing enter, but also feel entitled enough to refuse to turn off secureboot, but also feel entitled enough to refuse to install some other secureboot loader, those people can and should go fuck themselves. Or they can go buy a Mac. Or they can boot Windows, and (think about it) they will never notice that they're not running Linux. Just lie to them and tell them Windows 8 is Linux, and they will believe you, and the lie will never have any consequences because behind the blank smile they gave you when you lied, they already forgot what you said.
Re:So why even bother with secure boot (Score:5, Funny)
"system error: secure keyboard not found. hit any key to continue."
(that was sort of a real error message back in the DOS days. all except the secure part.)
Re: (Score:2)
I'm guessing the signing key would have to match or work with some checksum on the boot loader.
That means that changing the boot loader would cause the existing key to stop working.
Then again, malware authors/vendors have no problems with using stolen credit cards to get keys from legitimate vendors... So this whole thing is kindof nuts unless the cost for a bootloader key is absurdly high (on the 10s of thousands of dollars, at least).
Re:So why even bother with secure boot (Score:5, Insightful)
>and still find a way to keep the code signed?
With a certificate bearing the same CN as the original? Low, as long as the bootloader realizes that it's never seen anything signed by s0m3hack3r@foo.to, and presents the user with a dialog that says something like, "You have never booted an OS signed by s0m3hack3r@foo.to, and foo.to is not recognized as a known OSS Organization. Click here to boot into your computer's mini-distro and perform an automated legitimacy lookup (internet access required), or (... options that include 'continue if you trust them' and 'cancel'...)
For a side trip, boot into a mini Linux burned into flash that can grab an ip via dhcp or connect to wifi with ssid/key stored in flash or entered now & wget a lookup of the CN from the UEFI bootloader's organization. Known malware CNs would be blacklisted & identified as such, others could be further researched using Lynx before either continuing the boot (optionally remembering the CN for future boots) or aborting.
Re: (Score:2)
And it's my computer and if my computer has features that I can't access, disable or modify - like the encryption chip - then I have a problem with that.
If I need to change key depending on OS - then make it easy - like requesting a password for changing to another chain of keys.
Re: (Score:2)
I don't want a secure boot. I just want to be able to boot whatever I feel like booting.
Re: (Score:2)
I don't want a secure boot. I just want to be able to boot whatever I feel like booting.
Then... turn off secure boot?
Re: (Score:2)
If it is possible, I'm fine with that. But it is good to know there are alternatives available.
Re: (Score:2)
Did you miss the part about a present user test? It means someone will be presented a message and asked to approve before boot proceeds. Sounds like a good way to go to me however it will certainly screw up a server reboot lol.
Re:So why even bother with secure boot (Score:5, Insightful)
Because secure boot has never been about securely booting.
--
BMO
Re:So why even bother with secure boot (Score:5, Insightful)
The average computer user is not going to be monkeying around in the BIOS. This is about making life more difficult for non-MS OSes, and reverting the mistake that was the open x86 platform.
Re:So why even bother with secure boot (Score:4, Interesting)
You are assuming that BIOS settings will be user accessible in the future.
Re: (Score:2)
Because the machine comes that way, yet you also want it to boot.
Re:So why even bother with secure boot (Score:5, Interesting)
Do you really think that the makers of an operating system which requires 3rd party AV to correct its own security shortcomings devised secure boot to protect users from malware?
You mean the Linux folks designed UEFI Secure boot?
http://www.rootkit.nl/projects/rootkit_hunter.html [rootkit.nl]
I repeat it again, If you want to secure the bios put a jumper before the write pin of the eprom/flash memory/whatever. Those who can't open the case and locate it are surely not qualified for a bios upgrade.
I made one firmware upgrade in the last 15 years on my machines, and that upgrade was necessary only if I wanted 64bit linux.
Secure boot is not about the BIOS, it is about bootkits. You don't know what you're talking about and still get modded +4 interesting, typical Slashdot, really. See below for an example.
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.
Honestly? (Score:2)
Unsuitable for server use? (Score:5, Interesting)
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge
Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?
Re: (Score:3)
I hope they mean before it boots for the first time... because otherwise, yes, this is crap.
Re: (Score:3)
On servers you'll just have to disable the secure boot feature, no problem for sysadmins, and anyone running a home server should have the skill to do the same, although this could give MS and advantage on HTPCs and home servers run by noobs.
Re:Unsuitable for server use? (Score:5, Informative)
From TFA:
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge
Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?
From TFA:
To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.
So they offer a solution for your problem, but user input is required for this as well.
Re: (Score:2)
From TFA:
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge
Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?
From TFA:
To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.
So they offer a solution for your problem, but user input is required for this as well.
OK, so what's to stop me installing a compromised version of Windows? If you can disable all warnings then isn't this bypassing any advantage of a secure boot?
Re: (Score:2)
OK, so what's to stop me installing a compromised version of Windows? If you can disable all warnings then isn't this bypassing any advantage of a secure boot?
Well, if you insist on installing a compromised version of Windows and allow it to boot, isn't that your problem? As long as others can't trick you into installing it by sending you some malware, I consider it a non-issue.
Re: (Score:2)
Yeah it does, and no I don't expect an option to skip the check else they would never sign it and revoke the key as has already been done in the driver world. If you've got a server or Myth box I would expect you to uncheck the option that requires secure boot and not sweat any of this as it wouldn't help you anyway since its currently only a Microsoft option.
Re: (Score:2)
Then either disable SecureBoot entirely, which makes you no worse off than you are now, or use a distribution that provides proper secureboot keys like Redhat. Companies, et al, who need to have secure operations should like this option very much.
mjg59.dreamwidth.org (Score:5, Informative)
Re: (Score:3)
You forgot to add this:
Re: (Score:2)
The solution is simple (Score:5, Insightful)
The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you do disable it!
Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)
For newbies (Score:5, Insightful)
Your solution of any value mostly to newbies who are incapable of going to the BIOS and typing in a new signing key (yes, all BIOS manufacturers worth buying, like ASUS, offer this option). I, for one, will not purchase any computer without secure boot. I like having a trusted hardware root. I like the fact that no malware can get in the boot process without my consent.
Re: (Score:2)
Actually, if Linux could offer the users the ability to sign their own kernels and other boot pieces, then put the key into the BIOS it would provide greater security for Linux as well! Obviously the user would have to manage their signing key properly and kernel updates would be a hassle but the added security provided could be just as useful. Why not take advantage of this??
Re:For newbies (Score:5, Insightful)
Yeah, that works great until Microsoft deprecates the option for Windows 9 or 10. They've already done so on Windows 8 ARM tablets, why wouldn't they do it on x86 PCs?
Re:For newbies (Score:4, Insightful)
If motherboard manufacturers (not Microsoft) decide to not provide the option any more, we'll stop buying their boards. At this time this is a purely hypothetical and unlikely event, for that very reason. If and when it happens, we can complain and vote with our wallets; until then you're just spreading unjustified FUD.
Re: (Score:3)
we'll stop buying their boards
And just how much market clout do you think Linux desktop users have?
If and when it happens, we can complain and vote with our wallets
Yes, by buying specialty hardware that's likely to cost several times what mass market hardware does. The days of buying COTS hardware and just throwing Linux on it will be over.
until then you're just spreading unjustified FUD.
FUD, yes. Unjustified, no. There's plenty of reason to fear what Microsoft will do with secure boot. A lot of uncerta
Re:For newbies (Score:4, Funny)
Malware getting in the boot process... So we're creating a system of immense complexity, incompatibilities, which creates an all out shitstorm in the IT world, all to target that 0.001% of malware that actually infects the boot process? What popular malware has done this?
Is it even a credible threat?
Don't forget to visit the TSA website and drop in a few dollars in the donation form while you're at it.
Re:For newbies (Score:4, Insightful)
I like having a trusted hardware root.
The problem is that Restricted Boot (euphemistically known as "Secure Boot") is not there to work in your best interest. It is there to work in Microsoft's best interest. It is just another tool in Microsoft's arsenal to make sure you can't use your computer in any manner not approved by Microsoft.
Restricted Boot is not there to protect you. It is there to protect Microsoft from you leaving Microsoft. Any statement to the contrary is smoke and mirrors to confuse you.
Re: (Score:2)
Pretty sure Microsoft has said that they expect there to be a BIOS option to turn it off. I expect it will be harder to find one that doesn't allow it to be turned off than on that will. I certainly wouldnt buy anything that didn't allow it to be deactivated!
So (Score:5, Funny)
When I turn on my PC, it will boot the pre-boot loader, which will then boot grub, which will then boot my initrd which will finally boot Linux. Can we put any more steps in there?
Re: (Score:2)
Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.
Re:So (Score:4, Insightful)
Every time it CHANGES. RTFA properly.
Re:So (Score:4, Insightful)
Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.
I don't think so. From TFA: "To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode."
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
All of which will happen in a fraction of a second if you don't have boot prompts enabled.
And all of which is nothing compared to the hoops that most system go through to get from switch-on to full operation on the CPU (real-> protected mode, etc.).
Re: (Score:3)
It's bootloaders all the way down!
Open Source Community (Score:2)
Re: (Score:3)
By buying a key from Microsoft.
Yeah. Nice way to work around this horrendous locking-down technology and promoting openness of hardware and all software (from BIOS up). "Let's buy a key to their proprietary lock-in systems that they can revoke at any time."
Re: (Score:2)
You should keep reading the article until it no longer means what you currently think it means.
Boot sector viruses? Zero fucks given (Score:3, Insightful)
Boot sector viruses are the rarest form of virus, require root permissions to infect, and aren't especially hard to remove. And we've handed over a big chunk of freedom and made things worse for everyone to fight this minor annoyance (yeah right). This is worse than the computer equivalent of the PATRIOT act.
ARM (Score:2)
There is a general truth to consider... (Score:4, Interesting)
If we make it, we can break it. Making secure boot just more locks to keep honest people out and more headaches for honest people to deal with.
Perhaps the real question here is why do people continue with Windows, when there are other options that have better general security?
Re:There is a general truth to consider... (Score:4, Funny)
Perhaps the real question here is why do people continue with Windows, when there are other options that have better general security?
Because in its current state Windows is secure enough. And after that, the other features matter more (all software and hardware works, it came preinstalled, etc).
Obtaining a Microsoft signature will take a while (Score:5, Interesting)
The purpose of Secure Boot is to prevent people from booting non-Microsoft operating systems.
Why on earth would Microsoft sign such a bootloader?
Anyone want to open an over/under line on when this happens?
I'll put $100 on the first patch Tuesday following the heat death of the universe.
Why is the linux community struggling with this (Score:2)
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots.
That seems like a LOT more of a pain in the butt than simply turning off the secure boot option. In fact, it would be a deal breaker for any of my Linux machines that must be able to reboot unattended every time. It's a "solution" to a trumped up problem. There are plenty of legit reasons to hate Microsoft, but this isn't one of them.
The bottom line: UEFI secure boot is not going to be enabled on any machine shipping with Linux unless that distro has the keys themselves. That is most likely the only gr
Re:Why is the linux community struggling with this (Score:5, Interesting)
How long will motherboard BIOSes ship with the option to turn off UEFI secure boot? Maybe not tomorrow, but what about 1, 2 or 3 years down the road? That's the real issue here! The problem is that the PC commodity market is about to be turned into a walled garden controlled by, guess who? Microsoft in this case. That's pretty scary stuff actually, and I wouldn't wonder if the regulating authorities (at least in the EU) will sooner or later consider this as anti-competitive behavior.
Re:just let microsoft die (Score:5, Funny)
You target MS before Apple? That's like shooting at a vicious pomeranian nipping at your heels while a wolf is leaping for your throat.
Re:just let microsoft die (Score:4, Funny)
That's ridiculous.. they're both wolves, just one is in really sexy sheeps clothing.
Re: (Score:2)
Your Scottish, aren't you?
(sorry, I have a friend who's a Scottsman who loves to make jokes about Scotts and sheep...)
No true Scottsman (Score:5, Funny)
No true Scottsman jokes about sheep.
Re: (Score:2)
OK. I could have been mistaken in thinking they were jokes. They could well have been life (or even previous weekend stories).
Re: (Score:2)
Yah, they're always very serious when talking about sheep.
Re:just let microsoft die (Score:5, Funny)
I'm Scottish, and it's written Scotsman/Scots by the way.
Anyway, back to the topic at hand; I have to say that I don't know what you're talking about. I'd say that at least 80% of sheep aren't that sexually attractive.
Re: (Score:2)
Oh, so you're saying the other 20% are asking for it by dressing that way?
Re: (Score:2)
So far Apple only really care about and have control over their own products. Microsoft are trying to control everything else, which is something like 90% of general purpose PCs.
Re:just let microsoft die (Score:4, Interesting)
Apple is attacking the consumer's expectation of software freedom. You can't go any lower that that without a brain implant.
Re:just let microsoft die (Score:5, Interesting)
I think it's worse than that.
Apple is building /their/ product and trying to get everyone to adapt their needs to it. At least MS is trying to make it's product general purpose (if ineptly in some cases), and allow people to have options at every level except the OS. Apple tries to restrict options at ALL levels.
Re:just let microsoft die (Score:4, Insightful)
Apple is building /their/ product and trying to get everyone to adapt their needs to it. At least MS is trying to make it's product general purpose (if ineptly in some cases), and allow people to have options at every level except the OS. Apple tries to restrict options at ALL levels.
One huge difference between Apple and Microsoft is that nearly nobody is forced to buy or use Apple products : people use it by choice, and are free to use alternatives. Maybe a few persons use a Mac at work because their company enforce it, plus of course the iOS developers.
In contrast, millions (billions?) of persons use Windows and Office because they have to (company policy) or because they need to produce Office documents.
Re:just let microsoft die (Score:4, Interesting)
One huge difference between Apple and Microsoft is that nearly nobody is forced to buy or use Apple products
Okay, so what happens when millions (billions?) of persons use OS X and iTunes because they have to (company policy) or because they need to product iWhatever documents? Would you rather live in the Apple "Cupertino controls your entire experience" world or the "Build on top of our platforms to do what you want, just don't muck directly with the licensed software" world of Microsoft?
Re:just let microsoft die (Score:5, Informative)
Apple's policies only affect Apple hardware. Microsoft is pushing this on everyone.
Re: (Score:2)
Okay, it's a bit weird that I'm defending Apple here, but before the iPhone most people didn't even install apps on their phones. I did personally, but Apple actually increased people's expectations of their phones. Yes they keep a tight reign on their market, but for those people who actually care, there is Android. I have 3 Android powered devices that I use regularly, and I much prefer them to the Apple alternatives.
Most people don't care about software freedom, and never have. There is no "expectation"
Re: (Score:3)
Also I just RTFA and I saw this:
"Although Microsoft's stipulations require also that x86/x64 systems provide an option to disable Secure Boot"
The only problem I have is the layman will not want to "make their computer insecure by disabling secure boot" which only serves to stigmatize alternative OSes as the insecure option while Windows is viewed as "more secure."
Re: (Score:2)
"Although Microsoft's stipulations require also that x86/x64 systems provide an option to disable Secure Boot"
MS has to allow people to install other OSes in the x86 market. If you thought anti-trust over IE was bad, you'd love to see what happens if MS tried to lock down all computer systems with Windows installed.
They can get away with it in the ARM market because MS is ~1% or less of the market in that space, so they have absolutely zero monopoly power there.
Re: (Score:2)
It's true. Someone said nobody except a small subset of nerds even cares. If all the developers who use MacBooks stopped buying them, it would be a big hit for Apple. Corporations would need to do it to get Microsoft's attention. Of course, Apple may not care at this point. You need a MacBook to develop for iOS, and that seems to be the only platform they really care about these days.
Re: (Score:2)
And also points out that the vicious pomeranian is taking advantage of the situation by adding insult to injury picking on your heels when you've already got your hands ful dealing with the wolf.
Don't cut the pomeranian any slack just because the wolf happens to be bigger.
Pardon the pun, but dogpiling on someone already under attack is a pretty cheap tactic.
Re: (Score:3, Insightful)
cause, no one else except for a small subset of geeks even care
Re: (Score:3)
I suspect the vast majority of people who would be interested in your suggestion probably already pirate windows, if they use it at all. The negligible loss of sales you are promoting wouldn't even be an annoyance to MS.
Unfortunately, with the desktop losing a lot of ground, and that being the only really customizable platform (face it, DIY notebooks don't have nearly the variety of options, especially in the most important component - the motherboard), we won't see the option we would have seen a few years
Re: (Score:3)
Maybe it's because UEFI and Secure Boot are not the same thing.
That is correct. AFAIK, Secure Boot is an optional feature of UEFI
Re: (Score:3)
Personally I don't care much for the marketshare penis waving. Linux does me just fine
Good thing I wasn't drinking anything when I read this... ;)
Re:Virtualization (Score:5, Informative)
Not yet:
https://www.virtualbox.org/ticket/7702 [virtualbox.org]
But there's no reason it can't.
Re: (Score:3)
Re:Virtualization (Score:5, Interesting)
Windows 8 doesn't require SecureBoot, otherwise their enterprise adoption would be 0% instead of the likely 1-5%. Windows 8/Server 2012 works under ESXi 5.0 with patches and is supported under 5.1.
Re: (Score:3)
Technically, you bet.
Legally, like hell.
Re:Virtualization (Score:4, Informative)
I've installed and run Windows 8 correctly in VBOX on my Debian SID. I mean Win 8 final (RTM, not the CTP this version doesn't work). ...
It was just a glance at the OS though because I was expecting a real crap, and I wasn't deceived
Re: (Score:2)
What choice do they have?
MS already got out of the anti-trust nuke we lobbed at it and is still grabbing OEMs by the balls.
Re: (Score:2)
Re:Srsly, what is wrong with you people? (Score:5, Insightful)
Secure boot is a good thing when the owner of the PC has ultimate control over which signatures are valid. But Microsoft has tipped its hand with Windows 8 ARM tablets, and I see no reason not to expect them to lock down secure boot on x86 PCs in the future.
If this was a vendor neutral initiative, I can see how it would be useful. But this is being done by Microsoft, for Microsoft. This will not end well for open source.
Re: (Score:3)
Secure boot is only meaningful if the kernel refuses to load untrusted drivers and the signing keys needed to mark code as trusted are kept off the machine you are trying to protect.
A secure boot setup where the owner is in control is potentially useful for high security setups but also a massive PITA (to get any significant benefit you really need a dedicated machine to act as a signing box). A secure boot setup where someone else is in control of the keys means effectively giving up control of your comput
Re: (Score:3)
The computers I worked on from 1976 to 1991 didn't have a BIOS yet they managed to come up just fine.