Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default, so that only verified operating system loaders are loaded at boot time. This prevents malware from switching the boot loader, but it also prevents unsigned operating systems from being loaded. According to the gHacks article I read (among others), this is only an issue for UEFI systems; if you plan to upgrade an existing system with BIOS, you won’t be affected by it.

This is the foot in the door. How long will older BIOS systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI secure boot enabled, it does not require that users be able to disable the feature (which can be done), and it does not require that the PCs ship with any keys other than that of Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers. MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems. – M. Garrett, Red Hat

 

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards:  All hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purview of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite goes for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (aside from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, and which keys his or her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys? They couldn’t change them even if they did. It’s also way too limiting. Arguably, this is in restraint of free trade.

The Free Software Foundation wants people to urge computer manufacturers to enable the keys that allow other OS’s and other software to run. I agree, and anticipate you do as well.
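The allow-list and deny-list of keys that the Garrett quote describes are stored in firmware variables as signature lists. The following is an added example (not from the original post or from any vendor) that parses that layout and applies a simplified load decision; the owner GUID, certificate bytes and hash are constructed, and the byte-for-byte matching stands in for the chain and hash checks real firmware performs.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
NAMES = {X509: "x509", SHA256: "sha256"}

def parse_signature_lists(blob):
    """Return [(type, owner, data)] for a db/dbx body (strip the 4-byte efivarfs prefix first)."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((NAMES.get(sig_type, str(sig_type)), owner,
                            blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries

def may_load(image_hash, signer_cert, db, dbx):
    """Simplified policy: any deny-list match blocks, else an allow-list match is required."""
    denied = {data for _, _, data in dbx}
    allowed = {data for _, _, data in db}
    if image_hash in denied or signer_cert in denied:
        return False
    return image_hash in allowed or signer_cert in allowed

def make_list(type_guid, owner, entries):
    """Build one EFI_SIGNATURE_LIST (constructed demo data, equal-size entries)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return (type_guid.bytes_le
            + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body)

# Constructed sample: one vendor certificate allowed, one image hash revoked.
VENDOR = uuid.UUID(int=0xA)               # hypothetical owner GUID
VENDOR_CERT = b"constructed-vendor-cert"  # stand-in bytes, not real DER
REVOKED_HASH = bytes(range(32))
DB = parse_signature_lists(make_list(X509, VENDOR, [VENDOR_CERT]))
DBX = parse_signature_lists(make_list(SHA256, VENDOR, [REVOKED_HASH]))
```

With only one vendor's certificate in `DB`, a binary signed by anyone else fails `may_load` even though nothing has revoked it, which is the situation the post is worried about.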

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHacks.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html


Comments (Page 1)
on Oct 22, 2011

Like I've been saying for years--the goal is for you to lease your computer, operating system and software so that you can only use it when your "provider" determines you should--complete control of "what you want"...for you...and all at a charge for every step and piece.

You no longer have to think...Big Brother will think for you and free you citizen!

on Oct 22, 2011

Just one more reason to stay with Win7. Not that the Win 8 UI wasn't going to be reason enough....

on Oct 22, 2011

Well, I think that means a lot of people will not upgrade to Windows 8.  I was already unlikely to upgrade Windows 7 anytime soon, this makes it certain that I won't be upgrading my Windows OS for a long time.  And I bet MS likes the fact that you wouldn't be able to install any Linux OSs on a Windows 8 OEM system either.

Best regards,
Steven.

on Oct 22, 2011

Well, unless Windows 8 will multi boot on my current PC which is 2 years old, I won't be buying or designing for Windows 8 until XP, Vista and Windows 7 become non-existent. What a bunch of BS! Forcing people to buy certain hardware or they can't use your product?? Isn't that illegal?

on Oct 22, 2011

So...Linux is bitching about what is essentially MS following in Apple's footsteps.....

....locking people's computers to specific hardware?

WOW....who'd a thunk it?....

on Oct 22, 2011

well that sucks, there is no way in hell I'm going to buy a separate pc just so i can skin w8 (even though i like it very much, by what I've seen so far)

talk about greed gone mad.........

on Oct 22, 2011

The biggest problem that will create (besides from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, which keys his/her machine has enabled for what. That’s ridiculous.

Generally speaking, the types of people who just buy a machine off the shelf without doing any research are not the types of people who will ever want or need to dual boot.

 

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

Given that all Stardock software runs above the OS, what you can or can't boot isn't really relevant. It never touches that level. Executable signing is a bit more of a concern, but it would be marketing suicide to set it on a general purpose consumer PC. Though I can see Apple or tablet manufacturers using it.

 

Regardless, Windows 8 certification will boil down to whether MS lets them put a sticker on the machine saying it is so. If you want to just buy the OS and throw it on whatever machine that doesn't have signing support, there's nothing stopping you.

on Oct 22, 2011

So, we are blaming Microsoft because we think Hardware manufacturers are incompetent and won't do something to make their customers happy?

We are blaming Microsoft of trying to be more secure, and if you install their OS on hardware, require the hardware to be secure. Letting hardware people have the option to TURN IT OFF COMPLETELY, but it's Microsoft's fault that Hardware Manufacturers won't let you.

So instead of just not supporting the manufacturers that won't let you do what you want with the hardware, you blame the software company trying to be more secure.

Are we at least not the people who complain about Windows being full of security holes?

And once you turn it off, Windows 8 still boots. And any current machines without UEFI or secure boot enabled won't magically turn it on. So if you want to dual boot with Windows 8 on a machine you are already using, you will have no problems at all.

Even better? You can still buy a machine with Windows 8 on it without this enabled at all.

on Oct 22, 2011

Well, I don't think Windows 7 has nearly as many security holes as previous versions of Windows.  How big an issue is this boot-jacking?

Best regards,
Steven.

on Oct 22, 2011

Book Marking

on Oct 22, 2011

To be honest, I haven't checked 8 out enough to have an opinion about it but wouldn't putting requirements like this in place do a lot to ensure it ends up being viewed as a Millennium or Vista OS?

on Oct 22, 2011

Ain't technology fun, now the folks that provide you the means to use the technology are going to tell us how we can use it.  Won't be long before we are told when we can use it.  Pretty much lets us know who runs our lives. 

 

on Oct 22, 2011

Microsoft has lost the plot.... and at least one customer, in me.  I won't be purchasing Win 8 unless MS does some major backflips in several key areas.

And I won't be in the boat alone.... did I hear somebody say Windows Millennium II?

on Oct 22, 2011

starkers
And I won't be in the boat alone.... did I hear somebody say Windows Millennium II?

can we get MS on that boat  you know they're already wanting to walk the plank .. this way we can hear a plash

 

on Oct 22, 2011

I got Win 7. Until whoever does the right thing in all this Win 8 will go the way of IE...in the shit can. I for one want to have 'my' machine the way 'I' want it. To hell with what those idiots want.
