Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but also other operating systems that are not signed from being loaded. According to the gHacks article I read (among others), this is only an issue for UEFI systems; if you plan to upgrade an existing system with BIOS you won’t be affected by it.

This is the foot in the door. How long will older BIOS systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI boot enabled, it does not require users to be able to disable the feature (which can be done) and it does not require that the PCs ship with any keys other than that of Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers. MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems. – M. Garrett, Red Hat

 

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards:  All hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purveyance of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (aside from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, which keys his/her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys? And they couldn’t change them even if they did. It’s also way too limiting. Arguably, this is in restraint of free trade.

The Free Software Foundation wants people to urge computer manufacturers to enable the keys to allow software such as those for other OS’s and other software to be enabled. I agree, and anticipate you do as well.

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHacks.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html


Comments (Page 3)
on Oct 22, 2011

so, basically antivirus rescue disks are toast? don't need to be an enthusiast to use those surely?

on Oct 22, 2011

I am already getting annoyed with Windows 7 anyways. DeVry University, my college, just upgraded to W7 this school year, and trying to open Citrix applications on lab.devry.edu in Firefox doesn't agree with W7, then there is the fact that older games like Star Wars: Empire at War perform better on XP than W7, and I like such older games. Windows 7 and other modern OS don't seem to be a good fit for me, unless I build the machine myself.

on Oct 22, 2011

alaknebs
so, basically antivirus rescue disks are toast? don't need to be an enthusiast to use those surely?

I don't know that for a fact. Perhaps W8 makes its own Rescue disk or system clone? If you're curious, ask MS re the OEM...

From Windows 8 Forum (about the preview w8):  http://www.forumswindows8.com/system-security/windows-8-recovery-disc-374.htm

 

on Oct 22, 2011

Listen to Kryo [#29] ...

on Oct 22, 2011

I think this is a case of the way it was presented conditioned repliers to a certain response. Based on what kryo has said, it doesn't sound too bad *provided* it isn't too difficult to make a dual-boot system without jumping through too many hoops (and that doesn't change in future). For the moment I think I'll wait and see, but unless W8 gets absolutely fantastic reviews in all sorts of areas, I think I'll still stick to W7, especially since it has only been a couple of years it has been out.

Best regards,
Steven.

on Oct 22, 2011

How about Microsoft® Bob II?

on Oct 22, 2011

You do not need to purchase a BIOS board or even significantly concern yourself with the matter if you're building your own machine.

Ah, but what if you purchase an OEM builders copy?  Wouldn't the same thing apply, that no other OS will boot from the machine?

In any event, this is an attempt by Microsoft to impose greater controls over the consumer, for mine, and while non-enthusiasts may not care or even notice, discerning users with a mind of their own will reject this outright. In fact, it's this kind of shit that made Apple so unpopular with the majority of the computing world.

on Oct 22, 2011

Zeta1127
then there is the fact that older games like Star Wars: Empire at War perform better on XP than W7, and I like such older games.

Agreed. It's hard to get older versions of Command & Conquer working on W7. However I will say W7 works better than XP in the WiFi connections department.

on Oct 22, 2011

this is a pretty sensationalist title.

 

It's not Windows 8 OEM that is enforcing this, it's just the UEFI. Finally, UEFI is based on the motherboard manufacturers: not Microsoft.

on Oct 22, 2011

Ah, but what if you purchase an OEM builders copy?

The big-name OEMs to whom Windows 8 certification will apply don't sell boards to consumers on their own. You might come by salvaged second-hand parts intended for repairs, but if you're insane enough to try building a new machine with such parts you deserve whatever you get.

on Oct 23, 2011

Back in Windows 98 and early XP days I had some issues on older machines with upgrades regarding Microsoft's Hardware Abstraction Layer (HAL...LOL--how ironic).  It was the first thing I ever ran into that really worked like a covert rootkit.

At the time I did some research and one of the little tidbits of the day--quiet and out of the news--was that Microsoft and Intel had actually collaborated on HAL as one of the long term goals for it was to facilitate OS to CPU private communication.  Basically, BIOS would boot your board and the first thing that would happen at start up is that your CPU and Microsoft OS would verify that they were legally purchased and installed. 

Essentially, Intel reserved a small cache on the chip that at one time was intended to "imprint" a unique signature from your particular OS installation to make sure you didn't bootleg one at a later time--or try to start your PC with one it didn't see as "official".

The cache was never utilized but both companies had already signed an agreement to this and the cache was designed.

But I'm sure we can trust them now...really.  I mean, that was years ago.

The only thing that has kept draconian measures like this from being implemented in the past was technology limitations. Now we have the technology.

on Oct 23, 2011

awuffleablehedgie
this is a pretty sensationalist title.

 

It's not Windows 8 OEM that is enforcing this, it's just the UEFI. Finally, UEFI is based on the motherboard manufacturers: not Microsoft.

The title is accurate. Microsoft is in fact doing precisely what I have written. Read the reference articles.

 

UEFI is not the issue. Signing is just a part of the specification, and MS is requiring that it be turned on by default on OEM machines if they want to be able to put the "Windows 8 Certified" sticker on the box.

That will affect a huge number of buyers... in fact, almost all.

There's really no need for scaremongering here.

UEFI is indeed part of the issue, as I explained. MS's not enabling Pkek keys is the other part.

No one's scare mongering. This happens to be the truth. Being cavalier about the issue does not equate to being correct about it, kryo.

Everything I have written is accurate, and referenced.

Can those who wish a dual boot use a UEFI board? No. They must use a BIOS board because MS and the OEM's as well as Intel are the problem.

Does the public even begin to suspect this? No.

Because of mass production, the BIOS boards will eventually disappear. Will that eliminate OS's? It very well might.

To me, this is elimination of the competition by unfair means, and MS, Intel and the OEM's have a part of it.

on Oct 23, 2011

So Apple locks in the OS with the hardware and no one cares. MS tries to do the same thing and everyone is up in arms?

on Oct 23, 2011

DrJBHL

Quoting awuffleablehedgie, reply 39: this is a pretty sensationalist title.

 

It's not Windows 8 OEM that is enforcing this, it's just the UEFI. Finally, UEFI is based on the motherboard manufacturers: not Microsoft.

The title is accurate. Microsoft is in fact doing precisely what I have written. Read the reference articles.

 


Quoting kryo, reply 29: UEFI is not the issue. Signing is just a part of the specification, and MS is requiring that it be turned on by default on OEM machines if they want to be able to put the "Windows 8 Certified" sticker on the box.

That will affect a huge number of buyers... in fact, almost all.
Quoting kryo, reply 29: There's really no need for scaremongering here.

UEFI is indeed part of the issue, as I explained. MS's not enabling Pkek keys is the other part.

No one's scare mongering. This happens to be the truth. Being cavalier about the issue does not equate to being correct about it, kryo. In fact, you essentially agree with me:

You might come by salvaged second-hand parts intended for repairs, but if you're insane enough to try building a new machine with such parts you deserve whatever you get.


Everything I have written is accurate, and referenced. I agree with Matt Garber of Red Hat's logic.

Can those who wish a dual boot use a UEFI board? No. They must use a BIOS board because MS and the OEM's as well as Intel are the problem.

Does the public even begin to suspect this? No.

Because of mass production, the BIOS boards will eventually disappear. Will that eliminate OS's? It very well might.

To me, this is elimination of the competition by unfair means, and MS, Intel and the OEM's have a part of it.

on Oct 23, 2011

kona0197
So Apple locks in the OS with the hardware and no one cares. MS tries to do the same thing and everyone is up in arms?

We're talking numbers here, as well as elimination of other OS's. Apple's market share won't do that. MS's, Intel's and the OEM's will.
