Windows 8 OEM specs may block Linux booting

Garbage

God of Mistakes...
Windows 8 OEM specs may block Linux booting
New secure boot process leaves unsigned Linux out in the cold

September 20, 2011, 9:45 PM

After years of trying to cut off Linux growth as a desktop platform on x86 and x64 PCs, Microsoft may have actually figured out a way to stop Linux deployments on client PCs dead in their tracks.

At the very least, Linux deployment will be hindered on any Windows 8-certified machines to come, as new requirements for the Windows 8 logo come to light.

Red Hat's Matthew Garrett was one of the first to notice that according to the new logo rules, all Windows 8 machines will need to have the Unified Extensible Firmware Interface (UEFI) instead of the venerable BIOS firmware layer. BIOS has been pretty much the sole firmware interface for PCs for a long time.

The EFI system has slowly been making headway in recent years, and right now EFI firmware is compatible with Windows supporting the GUID Partition Table (GPT), OS X/Intel, and Linux 2.6 and beyond machines. EFI is seen as a better hardware/software interface than BIOS, since it is platform-agnostic, runs in 32- or 64-bit mode, and GPT machines can handle boot partitions of up to 9.4 zettabytes. (That's 9.5 billion terabytes to you and me.)

EFI, and the later UEFI specification, is not the problem for Linux. The problem is Microsoft's other requirement for any Windows 8-certified client: the system must support secure booting. This hardened boot means that "all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)," according to slides from a recent presentation on the UEFI boot process made by Arie van der Hoeven, Microsoft Principal Lead Program Manager.

The slides, posted on Garrett's blog Tuesday afternoon, reveal Microsoft's plan to lock down the boot process, which Microsoft rightly points out has become a high-value target vector for injecting malware onto Windows PCs. To combat this, Microsoft is requiring all Windows 8 devices to have a hardened boot. Right now, even though there are EFI-ready Linux bootloaders and distros available, none of them are signed, Garrett reminded me.

It's not just a matter of replacing the UEFI system on the device with other, unencrypted, firmware. If all parts of the chain need to have a CA signature, then swapping out a machine's signed EFI layer with, say, an unsigned BIOS or EFI would not work. Garrett described the problem in more detail:

"Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely."

The upshot? Any device that ships with the manufacturer's keys and Microsoft's keys will not be able to boot a vanilla version of Linux.

The obvious solution--getting Linux distros signed so they can load on these machines--is clouded with uncertainty.

"Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM."

That's a whole lot of unsavory options to look forward to.

Garrett, for his part, is not panicking about the new requirement. He's hopeful that OEMs will be able to include an option in their UEFI firmware to disable the secure booting feature. Even if that is allowed by Microsoft, one thing is clear: dual-booting systems will be out of the picture if Windows 8 boots always require a hardened boot environment. It may very well be that once you turn off secure boot (if you can), you won't be able to run Windows 8 again on that machine, until you re-secure the boot process.

Microsoft is spinning this as a way to finally lock down the boot process, but I can't help but wonder if the side-benefit of blocking Linux boots was something expected as well.

Something to which we need to pay attention, that's for sure.

Source - Windows 8 OEM specs may block Linux booting | ITworld
 

Liverpool_fan

Sami Hyypiä, LFC legend
Don't tell me people will have to "jailbreak" (?) the so-called "secure (?) booting" to install a damn distro on their machines... :/

Nothing to worry about though, would be cracked in a matter of days regardless of anything.

Good article covering "secure boot"
UEFI and "secure boot" [LWN.net]
 

Vyom

The Power of x480
Staff member
Admin
Really, if this news is not a hoax, I would pity Microsoft!

You know what I like about Google? They let users choose between their and others' products.
Rather, they make their product so good that people automatically get attracted to it.

Eg: When I install Chrome, it asks me to keep Google as their default search, rather than setting it by default!

It would really be a pity on M$ if this were to be true!
 

doomgiver

Warframe
Really, if this news is not a hoax, I would pity Microsoft!

You know what I like about Google? They let users choose between their and others' products.
Rather, they make their product so good that people automatically get attracted to it.

Eg: When I install Chrome, it asks me to keep Google as their default search, rather than setting it by default!

It would really be a pity on M$ if this were to be true!
IE latches on to your pc like a rabid leech and forces you to burn the afflicted pc to get rid of it.

anyway, lfc is right, it WILL be broken within days.
let's all learn low-level programming, so that we can help too :p
 

vaithy

In the zone
Well, what I am thinking is, M$ is trying to kill its Golden Goose. Enterprises which are relying on Windows XP and Red Hat Linux may not upgrade; it'll be a hard sell on the server side.
Hardware vendors may not agree to block additional revenues on non-Windows OSes. Chinese hardware vendors may sell millions without the features of UEFI, undercutting the likes of Dell, HP, Acer, etc.
It is very ironic that the future of software freedom is depending on the likes of Iron Curtain nations' whims and fancies.
 

Extreme Gamer

僕はガンダム!
Vendor
I am sounding like a pervert, but:

Microshaft just proved their name.

Translation:

They just admitted that they can't compete with Linux :lol:

If you want to know the relevance of the bit in the spoiler tags, PM me. This thread is an inappropriate place both in topic and language(meanings) to explain.
Sorry mods, I do not have finer and less offensive terms for the bit in spoiler tags.
 

Tech&ME

Banned
Let us first get the clear picture. There is NO Official statement yet from Microsoft about any Hardware Lock for other platforms.
 

infra_red_dude

Wire muncher!
I don't see why this could be a big issue. Most Linux users build their own systems, which means all they will lack is a Windows 8 sticker and will not be mandated to have the secure boot enabled.

Also, most of the enterprise machines have 1 OS per system. I'm yet to see a dual-boot machine used for development in any company, unless of course it is a test bed system in some lab.
 

Liverpool_fan

Sami Hyypiä, LFC legend
I don't see why this could be a big issue. Most Linux users build their own systems, which means all they will lack is a Windows 8 sticker and will not be mandated to have the secure boot enabled.
Laptops. A voided warranty would hurt here...

Secondly, Ubuntu, among a few others, does target the masses, and certainly will be affected badly.

I still don't see this going through but whatever...
 

abhijangda

Padawan
I am sounding like a pervert, but:

Microshaft just proved their name.

Translation:

They just admitted that they can't compete with Linux :lol:

If you want to know the relevance of the bit in the spoiler tags, PM me. This thread is an inappropriate place both in topic and language(meanings) to explain.
Sorry mods, I do not have finer and less offensive terms for the bit in spoiler tags.

Absolutely right, dude!!
They just can't compete with OSS.
 

baccilus

Cyborg Agent
How can this even be legal? I just can't understand how this can be allowed. You know what will be the biggest effect of this:
Linux will have fewer new users. Everyone I have introduced to Linux has begun by dual booting. That will end. Moreover, as soon as Windows 8 releases we will only see preloaded laptops in the market, like it is happening now. A normal guy can hardly buy a well-specced laptop that doesn't come preloaded with Windows 7, since the preloaded ones are the ones which are more available.
 

Tech&ME

Banned
^^
Microsoft seems to be moving toward the APPLE way of doing things now.

We will soon see Microsoft's own brand of Desktop Computer ( like iMac's ).... mPC !!! :)
 

vaithy

In the zone
Here is how it goes:
An unrewritable loader checks the UEFI image, confirms it is unmodified. Starts UEFI.
UEFI checks the bootloader, confirms it is unmodified. Starts the bootloader.
Bootloader checks the kernel and system files, confirms they are unmodified. Starts the kernel.
Kernel boot process confirms an integrity checker is unmodified, which then scans the entire OS to ensure the state of the system and all drivers.

If at any point it fails, it either attempts recovery (overwriting files with a failed signature check) or halts boot.
Leave out installing Linux,
so if I am installing some video cards, then reboot, the system may hang or break, because the integrity of the system failed (a la Vista?)
When the system comes with a single partition on a 500GB hard disk, and later I make three partitions for my use with a third-party partition manager, then reboot, the system may refuse to boot or reset to the old system.
Third-party antivirus software usually modifies the Windows firewall system; then reboot, and find the system 'banal'.
Very interesting idea..
After Windows 7, I am, like others, eagerly waiting for the famous BSOD wallpaper; it seems M$ is obliging in this release..

(I have already installed the Windows Developer Preview, and it is a nice wallpaper OS, and their titles are 'elephant'-sized icons, beneficial to people who have vision ailments. Looking forward to the complete OS.)
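
Added example, not part of the thread or any poster's code: a small Python model of the stage-by-stage check described in the post above, showing where boot stops when one link is swapped or modified. A SHA-256 allow-list stands in for CA signature verification, only the halt path is modelled (no recovery), and all stage names and images are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    allowed_next: frozenset = frozenset()  # digests this stage will hand off to

    @property
    def image(self) -> bytes:
        # The allow-list is part of the measured image, so editing it
        # changes this stage's own digest and the previous stage rejects it.
        return self.code + b"|" + ",".join(sorted(self.allowed_next)).encode()


def boot(chain, root_allowed, secure_boot=True):
    """Walk the chain; return ("booted", last stage) or ("halted", failing stage)."""
    allowed = root_allowed
    for stage in chain:
        if secure_boot and digest(stage.image) not in allowed:
            return ("halted", stage.name)
        allowed = stage.allowed_next
    return ("booted", chain[-1].name)


# Constructed sample chain, built bottom-up so each stage can pin the next one.
KERNEL = Stage("kernel", b"vendor-kernel")
BOOTLOADER = Stage("bootloader", b"vendor-bootloader", frozenset({digest(KERNEL.image)}))
FIRMWARE = Stage("firmware", b"uefi-firmware", frozenset({digest(BOOTLOADER.image)}))
ROOT = frozenset({digest(FIRMWARE.image)})  # held by the unrewritable loader

UNSIGNED_LOADER = Stage("bootloader", b"unsigned-loader", frozenset({digest(KERNEL.image)}))
PATCHED_KERNEL = Stage("kernel", b"vendor-kernel+patch")


def demo():
    return {
        "stock": boot([FIRMWARE, BOOTLOADER, KERNEL], ROOT),
        "unsigned_loader": boot([FIRMWARE, UNSIGNED_LOADER, KERNEL], ROOT),
        "patched_kernel": boot([FIRMWARE, BOOTLOADER, PATCHED_KERNEL], ROOT),
        "secure_boot_off": boot([FIRMWARE, UNSIGNED_LOADER, KERNEL], ROOT, secure_boot=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```
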
 