Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but also other operating systems that are not signed from being loaded. According to the gHacks article I read (among others), this is only an issue for UEFI systems; if you plan to upgrade an existing system with BIOS, you won’t be affected by it.

This is the foot in the door. How long will older Bios systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI boot enabled, it does not require that users be able to disable the feature (which can be done), and it does not require that the PCs ship with any keys other than that of Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers. MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems. – M. Garrett, Red Hat

 

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards:  All hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purveyance of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (aside from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, which keys his/her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys? And they couldn’t change them even if they did. It’s also way too limiting. Arguably, this is in restraint of free trade.

The Free Software Foundation wants people to urge computer manufacturers to enable the keys to allow software such as those for other OS’s and other software to be enabled. I agree, and anticipate you do as well.

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHacks.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html
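
What "which keys his/her machine has enabled" looks like in practice, as an added example that is not part of the original post or of the quoted sources: on Linux the firmware's allow list (`db`) and deny list (`dbx`) are exposed through efivarfs as `EFI_SIGNATURE_LIST` structures, which this parser walks. The efivarfs paths and type GUIDs come from Linux and the UEFI specification rather than from this page, and the sample list and its owner GUID are constructed.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}

# efivarfs names on Linux: db is the allow list, dbx the deny list.
EFIVARS = Path("/sys/firmware/efi/efivars")
DB = "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DBX = "dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SECURE_BOOT = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
HEADER = 28  # type GUID (16) + list size, header size, signature size (3 x u32)


def read_efivar(name, root=EFIVARS):
    """Return a variable's data without the 4-byte attribute prefix, or None."""
    path = Path(root) / name
    return path.read_bytes()[4:] if path.is_file() else None


def parse_signature_lists(blob):
    """Parse concatenated EFI_SIGNATURE_LIST structures into dict entries."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - HEADER - hdr_size
        if body < 0 or off + list_size > len(blob):
            raise ValueError("signature list size out of bounds")
        if sig_size <= 16 or body % sig_size:
            raise ValueError("bad signature size")
        pos = off + HEADER + hdr_size
        for _ in range(body // sig_size):
            data = bytes(blob[pos + 16:pos + sig_size])
            # Hash entries are reported as-is, certificates by SHA-256 fingerprint.
            ident = data.hex() if sig_type == SHA256 else hashlib.sha256(data).hexdigest()
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))),
                "id": ident,
            })
            pos += sig_size
        off += list_size
    return entries


def build_list(sig_type, owner, items):
    """Build one EFI_SIGNATURE_LIST (used only for the constructed sample)."""
    body = b"".join(owner.bytes_le + item for item in items)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(items[0]))
    return sig_type.bytes_le + sizes + body


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (build_list(X509, OWNER, [b"not-a-real-certificate"])
             + build_list(SHA256, OWNER, [bytes(32), bytes([0xAB]) * 32]))

if __name__ == "__main__":
    state = read_efivar(SECURE_BOOT)
    print("Secure Boot:", "unknown" if state is None else state == b"\x01")
    for name in (DB, DBX):
        blob = read_efivar(name)
        source = "firmware" if blob is not None else "constructed sample"
        for e in parse_signature_lists(SAMPLE_DB if blob is None else blob):
            print(name.split("-")[0], source, e["type"], e["owner"], e["id"][:16])
```

On a machine without efivarfs (a BIOS boot, or a non-Linux system) the script falls back to the constructed sample for both lists.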


Comments (Page 4)
on Oct 23, 2011

Yes, it does seem to be the foot in the door.

Best regards,
Steven.

on Oct 23, 2011

DrJBHL
Can those who wish a dual boot use a UEFI board? No. They must use a BIOS board because MS and the OEM's as well as Intel are the problem.

I'm not sure where you're getting this idea that UEFI boards can only run Windows 8 and nothing else, but it's completely incorrect.

The only issue is if you get a board with OEM-customized firmware that doesn't allow signing to be disabled; the concern in the industry is simply that some OEMs will not provide that option to users. There is no such issue with off-the-shelf boards, since the manufacturers have no way to know what they'll be used with.

EFI is and has been supported widely for several years, and there's no reason you can't install Win7, Vista SP1, Linux, or whatever on a standard EFI board. Macs have used EFI since the switch to Intel as well, though they use BootCamp to emulate BIOS for the benefit of WinXP and such since it didn't have EFI support.

on Oct 23, 2011

Secure boot is an option in the UEFI system, not an absolute requirement.

In most implementations, it can be turned off, allowing any OS (or combination of OSs) to be installed and booted from.

There *is* some concern that some of the OEM providers may hide or remove that option, whether to curry favor with MS or just out of laziness or stupidity.

I would avoid those.

Though there is some cause for concern with the OEM boards, even MS does not *require* that the option be unavailable, merely that it be enabled by default for certification (and it is likely that some OEMs will disable it, again, avoid them).

There is a virtually *zero* chance that most of the aftermarket motherboard manufacturers would hide or disable the option to turn off secure boot. They'd be giving up business to whatever company didn't do it.

As long as the option to disable exists (and it will, for the most part), there is no impediment to using and booting other operating systems (or dual or triple booting, as desired).

 

on Oct 23, 2011

DrJBHL

Quoting alaknebs, reply 31: so, basically antivirus rescue disks are toast? don't need to be an enthusiast to use those surely?

I don't know that for a fact. Perhaps W8 makes its own Rescue disk or system clone? If you're curious, ask MS re the OEM...

From Windows 8 Forum (about the preview w8):  http://www.forumswindows8.com/system-security/windows-8-recovery-disc-374.htm

 

not sure how windows making rescue disk helps any..

 

because the disks i talked about are from the likes of kaspersky, bitdefender, avg, etc. they boot into linux (on the cd/dvd) and scan your hdd for virus/etc crap.

 

---

aren't you supposed to be able to use virtual pc or some such for running xp stuff in win7?

on Oct 23, 2011

Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

1. To get MS Certified (a selling point whose true meaning consumers don't understand), UEFI secure boot (NO other OS besides MS's may boot) must be enabled. MS owns greater than 90% of the OS market. Apple (even with its resurgence has at best 7%), the others way less.

That needs explaining. Computer sales are down, and the profit margin is slim:

"Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so." - Matt Garrett (bottom OP blog ref.)

2. The consumer COULD be given the option to disable that, but some hardware vendors have ALREADY informed Matt Garrett (of Red Hat) they will not have this option.

Why? You have to be asking yourself that question. Why wouldn't they include that option? What other options did they already decide for you?

That means (for whatever reason they made that poor choice - you may speculate as well as I) the real consumer (the little guy at the counter) will not be able to have the choice which OS they may boot to on the machine he bought. To me, that is clearly a deprivation of choice. To me, that's like going to the restaurant, ordering vanilla ice cream with hot fudge, and chopped nuts and hearing from the waitress, "You may have vanilla, no fudge, no nuts." You'd put up with that? Who the heck is she to deprive you of the right to choice?

That is counter free-market and may result in the elimination of other OS's, and frankly reminds me of the stuff MS has pulled in the past. Now they're doing it "to make you more secure".

3. A UEFI board isn't by itself the problem. Forget that: Remember this - The OEM doesn't have to enable any other keys but MS's, but can "white list" or "black list" any devices they wish.

That means if they can make better deals (for advantage, profit, whatever) they are free to "black list" any device they wish. That will hurt the market and drive up prices for some devices while eliminating others.

on Oct 23, 2011

It is hard to get past the technological speak of this (starting from first principles), but it does look like it is counter free-market. Giving OEM providers, paid by MS to do the logo thing, the choice of which devices they allow is really anti-competitive.

What is the answer to this challenge?  Not buy Windows 8?

Best regards,
Steven.

on Oct 23, 2011

StevenAus
Giving OEM providers, paid by MS to do the logo thing, the choice of which devices they allow is really anti-competitive.

I'm sure the EU will have something to say about it

on Oct 23, 2011

The entire idea stinks big time, MS, and while my voice may only be one, soon there will be a whole chorus of voices telling you where to shove Win 8... and it'll be where the sun don't shine.  

The more I read about Win 8 the less I like it... so it's very doubtful it'll ever appear on my shopping list

on Oct 23, 2011

Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors

Software vendors have always offered incentives for bulk sellers. This is why you can go over to Dell for example and spec out an identical Windows box and FreeDOS box and they'll have the same price; Microsoft and preload vendors provide significant subsidies. As long as the demand is there and buyers are willing to pay for the choice, they'll continue to offer it.

 

Why? You have to be asking yourself that question. Why wouldn't they include that option? What other options did they already decide for you?

OEMs make many choices as to what they will and won't support in their systems, in terms of both firmware (what BIOS options are available) and hardware (limited or non-existent expansion options, etc). Mass-market OEM machines very frequently only have the bare minimum needed to support the particular model's specs and whatever at-purchase expansion options they offer; aftermarket expandability isn't really something they care about.

If you have specific needs, it's your responsibility as a consumer to educate yourself on the product you're buying to ensure it meets those needs, because mass market products will always have certain limitations and design choices to cater to the target cost and market segment. If you know you need to tow heavy loads, you wouldn't just buy a random car without checking how much tow capacity the transmission has, would you?

 

To me, that's like going to the restaurant, ordering vanilla ice cream with hot fudge, and chopped nuts and hearing from the waitress, "You may have vanilla, no fudge, no nuts." You'd put up with that? Who the heck is she to deprive you of the right to choice?

I could likewise walk into a Mexican restaurant and demand they sell me a hamburger. It's all food, they sell food, why do they get to say I can't have one? Or maybe that's silly to expect and I should just go to the burger shop next door.

It's their choice what to offer for sale; you can ask they sell a particular product with particular specifications, but they're not under any obligation to do so. If a particular vendor does not offer a product that meets your needs and refuses reasonable requests to change their offerings, take your business elsewhere. It goes for both computers and ice cream that there are plenty of other places to buy, and if nothing else you can always get the ingredients and make your own.

 

The only case that this will really pose any issue is for casual Linux adoption (which is why Red Hat and such object), but that's an edge case and not anything remotely approaching the norm. The great majority of consumers never want, need, or care to change their OS in any case other than a direct upgrade.

on Oct 23, 2011

The only case that this will really pose any issue is for casual Linux adoption (which is why Red Hat and such object),

Which is pretty much what I said way back in.....oh .... post #5 ....

 

 

 

Meanwhile....the sky....it doth fall.....

on Oct 23, 2011

Software vendors have always offered incentives for bulk sellers.

Especially when they own 90% of the market. "Choice"? I could find other terms.

OEMs make many choices as to what they will and won't support in their systems, in terms of both firmware (what BIOS options are available) and hardware (limited or non-existent expansion options, etc).

And until people demand more, that will continue. Which is why FSF is saying that... losing Linux would be a loss.

aftermarket expandability isn't really something they care about.

Until people demand it. They won't do that until they know what's happening... sort of the reason I posted this topic.

If you have specific needs, it's your responsibility as a consumer to educate yourself on the product you're buying to ensure it meets those needs, because mass market products will always have certain limitations and design choices to cater to the target cost and market segment. If you know you need to tow heavy loads, you wouldn't just buy a random car without checking how much tow capacity the transmission has, would you?

Agreed to a point. You would expect a Doctor to lay out your treatment options if you had problem X, correct? By your logic, you would need to go become a Doctor first... or research things you know nothing about. That brings up the 'trust factor', doesn't it? Your way, the OEM has no responsibility to the buyer. I simply reject that idea. How can one know all the possibilities the OEM has? Only if they are revealed. There is little if any transparency in the current system. Time to change that.

Another reason I'm posting this. Kryo - how many people settle for less because they didn't know more existed?

I could likewise walk into a Mexican restaurant and demand they sell me a hamburger. It's all food, they sell food, why do they get to say I can't have one? Or maybe that's silly to expect and I should just go to the burger shop next door.

Not relevant to my example. One expects to be able to customize ice cream, not change the menu, kryo.

It's their choice what to offer for sale; you can ask they sell a particular product with particular specifications, but they're not under any obligation to do so.

Unless enough people know enough, right? Power of demand... supply should want to meet it. Unless there are restrictive forces at work.

The great majority of consumers never want, need, or care to change their OS in any case other than a direct upgrade.

Because they don't know or understand what's out there. Why not just surrender to MS and blindly accept what they and the OEM's in their infinite wisdom decide is good for you and 'what you need'?

If people understand what's being done and say 'Who cares?', that's one thing. If choices are being made for them without their knowledge that's quite a different matter... again the reason for this post.

 

on Oct 23, 2011

And until people demand more... Until people demand it... Power of demand... supply should want to meet it. Unless there are restrictive forces at work.

There are already options available for people who demand such things--simply buy from a vendor or builder who does make such considerations, or build your own. There is nothing stopping you from buying a machine that suits your needs, you just need to be aware of those needs and buy it from a vendor who sells such things.

 

You would expect a Doctor to lay out your treatment options if you had problem X, correct? By your logic, you would need to go become a Doctor first... or research things you know nothing about.

Not a valid comparison. Medical care is not a ready-made, mass market good; the product *is* the doctor's service and expertise.

 

There is little if any transparency in the current system.

Having transparency as to what the products sold do and don't contain (which is always good) is not the same thing as requiring that mass-market vendors offer all potential options, rather than allowing them to choose what they sell based on market forces.

 

One expects to be able to customize ice cream, not change the menu, kryo.

It's exactly the same thing, just exaggerated so it becomes more obvious. Either fudge syrup and nuts are on the menu or they aren't. If they aren't, "we only have plain ice cream" is a perfectly reasonable policy. Sure, you can ask them to add it to the menu, but if you're the only customer who likes fudge and nuts, why should they be obligated to add it and have that extra stock rotting on the shelf?

 

blindly accept what they and the OEM's in their infinite wisdom decide is good for you and 'what you need'?

If someone is buying a mass-market OEM machine, they've already accepted that in doing so.

 

If choices are being made for them without their knowledge that's quite a different matter

Happens every day in every part of life and has for all time. If you want to make all the choices yourself, find someone who is willing to work with your needs or do it yourself. If you're not willing to do that, you can't always expect to find a pre-built solution that matches all of your ideals.

on Oct 23, 2011

^sigh. I'll never convince him, and vice versa. Together with that, kryo - not everyone is as knowledgeable as you re computers... certainly not I. That doesn't mean what's happening is right.

Let this suffice:

If choices are being made for them without their knowledge that's quite a different matter

Happens every day in every part of life and has for all time.

Doesn't make it right, nor desirable. Quite the opposite, in this case. Paternalism is never an answer for dealings between adults.

People need to know what they're doing, and how to demand better or, "vote with their feet".

 

on Oct 23, 2011

Doesn't make it right, nor desirable.

Hazards of living in a mass-market consumer society. "If you want it done right, do it yourself" is as true as it has ever been.

 

People need to know what they're doing, and how to demand better or, "vote with their feet".

That's exactly what I've been saying: Be aware of what you need, what you're buying, and who sells it, and you'll have no problems. The options are out there, but if you have special needs you have to know what you're looking for.

On the other hand, if a consumer can't be arsed to be cognizant of his own needs, he shouldn't expect them to be reliably met by a blindly-purchased mass-market product.

on Oct 23, 2011

People don't want to know. People don't really care. Does it work? Does it do what they need it to do? That's the extent of it.

Think they really care if they can install another OS on it? Do they really buy an iPad because they don't care if they can install another OS on it? They buy an iPad because it does what an iPad does. People buy a laptop with a Word Processor and Internet Access because it has a word processor and internet access.

What you seem to think is that everyone wants or needs to really know everything they own or will buy. They don't. My fiance doesn't need to know anything about computers to want one that will let her do her writing on it. She just needs to be able to buy one that lets her do her writing on it. Linux, Windows, upgrades with anything, OSX, none of that matters. Only that it does what she needs it to do. Her choice came down to a Linux and a Windows netbook. She picked the Windows one because... it had a better keyboard.

The people that DO care, will vote with their feet. There are people that won't buy an iPhone because you can't do certain things with it... Oh wait that goes back to the original argument. They are looking at features, and picking based on that.

Well there are hard core nerds that want to be able to upgrade... No that's a feature.

 

Basically, don't think that people need to care more about something than they already do. It leads to saying things like "The iPhone will fail because it's a closed system that doesn't allow XYZ".
