Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but also prevents other operating systems that are not signed from being loaded. According to the gHacks article I read (among others), this is only an issue for UEFI systems; if you plan to upgrade an existing system with BIOS, you won’t be affected by it.

This is the foot in the door. How long will older BIOS systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI secure boot enabled, it does not require that users be able to disable the feature (which can be done), and it does not require that the PCs ship with any keys other than that of Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers. MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

– M. Garrett, Red Hat

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards: all hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purview of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (aside from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, and which keys his or her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys, and how many could change them even if they did? It’s also way too limiting. Arguably, this is in restraint of free trade.
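Which keys a given machine has enrolled can be read directly: on Linux booted in UEFI mode, the whitelist and blacklist described in the quote above are exposed as firmware variables (db and dbx) under efivarfs. The following Python is an added example, not code from this post or from the sources it cites; it parses the EFI_SIGNATURE_LIST layout defined in the UEFI specification, and the sample data, owner GUID and helper names are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509-cert",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256-hash",
}

def parse_signature_lists(blob: bytes):
    """Return (type, owner GUID, data) for every entry in a db/dbx/KEK payload."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        kind = SIG_TYPES.get(sig_type, str(sig_type))
        for p in range(pos, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])  # who enrolled the entry
            entries.append((kind, owner, blob[p + 16:p + sig_size]))
        off = end
    return entries

def read_efivar(path: str):
    """Parse an efivarfs file: 4 attribute bytes, then the variable payload."""
    with open(path, "rb") as f:
        return parse_signature_lists(f.read()[4:])

def make_list(type_guid, owner, items):
    """Build one EFI_SIGNATURE_LIST from constructed sample data."""
    body = b"".join(owner.bytes_le + item for item in items)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(items[0]))
    return type_guid.bytes_le + sizes + body

# Constructed sample: one placeholder "certificate" and two image hashes.
X509, SHA256 = list(SIG_TYPES)
VENDOR = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner
SAMPLE_DB = (make_list(X509, VENDOR, [b"placeholder-DER-bytes"])
             + make_list(SHA256, VENDOR, [b"\x00" * 32, b"\xff" * 32]))

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, len(data), "bytes")
```

On a real machine, `read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")` lists the whitelist entries; the certificate bytes it returns can then be decoded with any X.509 tool to see whose keys the vendor shipped.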

The Free Software Foundation wants people to urge computer manufacturers to enable the keys that allow other OS’s and other software to run. I agree, and anticipate you do as well.

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHacks.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html


Comments (Page 2)
on Oct 22, 2011

Hi, Uvah... very good to see you!

on Oct 22, 2011

CarGuy1
To be honest, I haven't checked 8 out enough to have an opinion about it but wouldn't putting requirements like this in place do a lot to ensure it ends up being viewed as a Millennium or Vista OS?

How many folks will know or care about this in the general public?

on Oct 22, 2011

So...Linux is bitching about what is essentially MS following in Apple's footsteps.....

....locking people's computers to specific hardware?

WOW....who'd a thunk it?....
Dell's been doing it for a while now, if I'm not mistaken.

on Oct 22, 2011

So this is the future of UPnP?

on Oct 22, 2011

For research purposes, I have 7 and 8 dual booted. And I must say, dual booting is made very easy with Windows 8. I didn't even have to edit the MBR or anything to make Windows 7 the default. The ability is built right into Windows 8. Very easy!

Of course, this is with the old BIOS system.

on Oct 22, 2011

So this is the future of UPnP?

U may not be so U.

on Oct 22, 2011

Uvah, check your PMs.

on Oct 22, 2011

How is it going to stop me booting to a different SATA?

on Oct 22, 2011

John, if you boot from a non W8 system on which you install W8 (BIOS system), there probably won't be problems.

However, if you have a W8 OEM machine (in the future), your W8 OS may recognize the SATA (if the manufacturer puts it on the "white list") but won't let you boot from there if it has a different OS on it. That's because the UEFI W8's OS keys for that possibility will not be enabled because MS won't let W8 have that possibility. The UEFI by definition will boot only W8.

on Oct 22, 2011

starkers
And I won't be in the boat alone.... did I hear somebody say Windows Millennium II?

Wasn't Windows Vista nicknamed Windows Millennium 2?

on Oct 22, 2011

when it says it won't boot..

what does that mean? it won't boot another os from the hdd? or it won't boot from anything like different hdd, usb or cd/dvd?

because there are things like linux based antivirus cd/dvd... does that mean they won't work?

mind you.. first read this like a month or 2 ago..

on Oct 22, 2011

alaknebs
what does that mean? it won't boot another os from the hdd? or it won't boot from anything like different hdd, usb or cd/dvd?

As I understand it, it won't boot another OS period when it goes OEM UEFI.

Right now, you can boot W8 from a USB or other HDD because all systems are BIOS and not UEFI.

on Oct 22, 2011

So my question is will folks who build their own computers be able to find a motherboard that will still use BIOS and have a dual boot system?

on Oct 22, 2011

As I understand it, it won't boot another OS period when it goes OEM UEFI.

Right now, you can boot W8 from a USB or other HDD because all systems are BIOS and not UEFI.

So my question is will folks who build their own computers be able to find a motherboard that will still use BIOS and have a dual boot system?

UEFI is not the issue. Signing is just a part of the specification, and MS is requiring that it be turned on by default on OEM machines if they want to be able to put the "Windows 8 Certified" sticker on the box. It is not required in any circumstance other than that, and I don't expect you're going to see off-the-shelf boards (such as you'd build your own machine with) selling with it enabled since that would make them fairly useless.

EFI (of which UEFI is just the latest revision) has been supported by Linux for years and by Windows since Vista SP1 (and some older Itanium-specific versions). You do not need to purchase a BIOS board or even significantly concern yourself with the matter if you're building your own machine.

There's really no need for scaremongering here. If you're not an enthusiast, you're not going to care about dual booting, so it won't really matter. If you are an enthusiast, you're probably going to build your own machine, buy from a builder who builds them from off-the-shelf parts, or at a bare minimum research before buying; in the first two cases it won't matter, and in the latter you'll at least know what you're getting.

on Oct 22, 2011

Absolutely, Philly. Those who build their own can install W8 + any others without problems based on a BIOS system. Only the UEFI machines will be limited to W8 single boot.
