Ramblings of an old Doc

Claiming security as the reason, MS’s new OS W8 won’t allow “Dual Boot”. OK, no tragedy, right?

OEM systems shipping with Windows 8 will have secure boot enabled by default to only load verified operating system loaders during boot time. This prevents malware from switching the boot loader, but it also prevents other operating systems that are not signed from being loaded. According to the gHacks article I read (among others), this is only an issue for UEFI systems; if you plan to upgrade an existing system with BIOS, you won’t be affected by it.

This is the foot in the door. How long will older BIOS systems be around, especially when unknowing consumers get the spiel about how much more secure the UEFI systems are?

UEFI is touted as a more secure replacement for the older BIOS firmware interface, present in all IBM PC-compatible personal computers, which is vulnerable to bootkit malware.

While Windows 8 certification requires that hardware ship with UEFI secure boot enabled, it does not require that users be able to disable the feature (which can be done), and it does not require that PCs ship with any keys other than those for Windows. The main problem that the Free Software Foundation (FSF) sees is that Microsoft defines consumers as the hardware manufacturers and not the little guy at the store who actually buys the computer. MS sells OS’s, not computers. MS is giving the manufacturers the power to decide how to implement the feature. That’s where the problems will come in:

  • Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
  • Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
  • Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
  • A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems. – M. Garrett, Red Hat

 

This will mean that you are no longer in control of your PC and might well not be able to switch graphics cards, nor hard drives, printers, sound or network cards:  All hardware that would otherwise be compatible with the PC won’t function because of missing signing keys in the OS.

That will be the purview of the computer manufacturer and any deal it may have made with MS (and anyone else). Proprietary hardware might see a heyday never before imagined. The opposite for software like OS’s, and perhaps browsers. No one should have the power to determine that for you:

“The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.” – M. Garrett, Red Hat

The biggest problem that will create (aside from a lack of competition) is that the consumer would have to do hours of research as to what hardware and software he or she could use with his or her system, and which keys his or her machine has enabled for what. That’s ridiculous. How many people understand Pkek keys? They couldn’t change them even if they did. It’s also way too limiting. Arguably, this is in restraint of free trade.

The Free Software Foundation wants people to urge computer manufacturers to enable the keys that allow other OS’s and other software to run. I agree, and anticipate you do as well.

What about Stardock’s software? Will you be able to install it? Will it be allowed to work on boot?

“Those who would sacrifice freedom for security soon have neither”, said Ben Franklin so long ago. How right he was. In so many ways.

By the way: Does anyone seriously think the hackers won’t find holes in the UEFI? I promise you they will. Then what will we have?

No security and no freedom.

I recommend you follow Martin Brinkmann's gHacks.net website. It is a source of excellent reviews and commentaries.

Source:

http://www.ghacks.net/2011/09/23/windows-8-boot-security-and-third-party-operating-systems/

http://mjg59.dreamwidth.org/5552.html

http://mjg59.dreamwidth.org/5850.html


Comments (Page 7)
on Oct 30, 2011

RoodVargas
Isn't HP parting from making PCs? I think I read that in an article a while back and I did see it on a Revision3 tech web episode.

They've reversed themselves according to an article I read yesterday on TechRepublic (I think).

Quoting DrJBHL, reply 85
The BIOS board producers are the only hope, but with the size of the DIY community?

I'll say it again: You DO NOT need a BIOS-based board to run older OSes or to dual boot. An EFI board with signing turned off in the settings will work just fine.

But where will you find that? My concern also is that the chipmakers will go the route of the OEM's... Not a fact yet, but ...

on Oct 30, 2011

DrJBHL
But where will you find that?

The same place you find boards today. Off-the-shelf manufacturers aren't going to sell boards that only work with Windows 8. Forcing signing on is impossible for such vendors since they have zero control over what other hardware or software you might use, and attempting to gain such control would amount to market suicide.

You can nearly always bet on vendors taking the choice that results (or looks like it will result) in more near-term profit. Having every existing hardware vendor build its own walled-garden infrastructure and cut itself off from the existing PC ecosystem would be completely counter to that motive.

on Oct 30, 2011

since they have zero control over what other hardware or software you might use

Except voiding the warranty...

on Oct 30, 2011

I can't wait. I never bought a complete prebuilt PC and never had one in my life... so nothing to be scared of.
Besides, how long will this prevention be stable until the walls start to crumble?

on Oct 30, 2011

Sorry to say it, Doc, but you are so, so right... on so many levels, in fact... and not because you want to be right, but rather that the upper management of major PC manufacturers want it to be. All too often OEM hardware and software has been sub-standard by design... not to mention all the unnecessary bloatware which is not only annoying but is sometimes downright dangerous. Regardless of this, however, OEMs still persist and install it, regardless of what users as a whole want.

Shoot, I don't think OEM management gives a gratuitous flying fuck about its own [long suffering] shareholders. So long as obscene 'big buck' salaries to high ranking management figures keep flowing in unabated, I very much doubt these free-loading mother-fuckers would give you or me the time of day, much less truth, honesty and respect as consumers... even if we were shareholders, for that matter.

The fact is, OEMs demand top dollar for products that were conceived by others with greater knowledge and expertise than themselves, yet they continue to extract top dollar on diluted, watered-down ideas because average users continue to accept mediocrity and nothing more...

Also, it is a complete fallacy based on complete and utter lies that the profit margin on OEM machines is quite small.  The truth is, profit margins are handsome enough and would be much greater if upper management and waste of space hangers-on, who do eff all for the money, were discarded entirely. So yes, while I may often speak regarding the greed and corruption within corporations, about those in high positions who use their power to enhance their wealth, the old saying is still quite true, that there's no smoke without fire.

Anyway, I'm near falling asleep right now cos it's gone 3.00am, I'm dog tired and need some urgent shut-eye, so I'll wrap this up for now and bugger off to bed.

on Oct 30, 2011

Oh, and sorry about the 'f**king' language, but these OEM mo-fo's really get my freakin' dander up and I'm prone to a bit of effing and blinding.

on Oct 30, 2011

Starkers - those public folders only take up a few MB in space and can be deleted. No big deal. Last time I saved something I wasn't forced to use a public folder on my computer. No one is forcing you to do anything.

on Oct 31, 2011

kona0197
Starkers - those public folders only take up a few MB in space and can be deleted. No big deal. Last time I saved something I wasn't forced to use a public folder on my computer. No one is forcing you to do anything.

Um, no, kona, those public folders cannot be easily deleted... not if you have WindowBlinds and other skinning apps... because Public Documents is where all your skins are installed... by default.  So, while these public folders take up only a few MB's shortly after the OS is installed, they soon swell in size when you have several libraries for various skinning apps.

In fact, with 78 gigs of skins in total, I had to significantly reduce library sizes and the number of skins I stored in those folders so as not to over-bloat the drive and cause operational issues... like there's not a lot of room left on a 120gb SSD with the OS and near 80gb of skins, so something had to go, and obviously that couldn't be the OS.

As for not being forced to do anything, well I am. I would rather my skin libraries be stored on another physical drive entirely, but cannot because the default path is to the public document folders at MS' behest. This can only be changed by a registry hack, something I am loath to do due to the various complications that could occur, so yes, I feel that I'm being forced to do stuff someone else's [Microsoft's] way rather than my own.

on Oct 31, 2011

Here's a thing to think about:

How many aftermarket boards are set up to allow or facilitate overclocking (usually with additional options in the BIOS), and how many OEM boards are not?

And, how many of those overclocking options are used by the general public (answer, not very many).

So, here's the thing:

Most (if not all) of the same board manufacturers that currently support overclocking (and other user configurable options, like memory speed, etc.) aren't going to magically (and / or maliciously) leave off an option that would be used by most of the same customers that use these other features.

My current MB is UEFI. It allows any OS to be installed and booted.

Yes, we should make ourselves heard, and let the board manufacturers know that we'll consider the option to disable secure boot a 'make or break' buying feature.

But, the betting odds are that (nearly) every aftermarket manufacturer will offer the option (why toss off a portion of your customer base by leaving out options?).

As far as the OEMs go, they're going to screw up their systems, just like they always do. The answer to that is pretty simple, 'DON'T BUY AN OEM SYSTEM' (at least if they remove your options).

See, this is the thing:

You WILL be able to acquire a UEFI motherboard that gives you the option to choose (or not choose) the secure boot option. There's a market for it, so there will be products to serve that market.

If you're that concerned about it, do your research, and either make sure that your OEM source isn't an idiot, or buy a standard aftermarket board that isn't crippled (and those *will* be out there).

There's enough to be worried about with the way MS does business, in many ways, but this is not as big of an issue as it's being made out to be.

Red Hat (and the others) aren't worried about UEFI systems that will exist and will allow the option to skip secure boot. They want the same ability to negotiate with the OEMs that Microsoft has, and while that may be an ideal and desirable position, it's not going to happen anytime soon.

But, to repeat (and repeat and repeat, ad nauseam): There *will* be UEFI motherboards and systems that are readily available and that either do not have secure boot, or that allow it to be controlled by the end user. Maybe some OEMs will buckle and screw their customers. Just avoid them. But you can bet (with a very high degree of certainty) that companies like ASUS, ASROCK, GIGABYTE, and so on, who make the biggest part of their business from hobbyist builders, will be more than happy to provide all of the options that their users want, including the ability to control the secure boot ability.

 

And to answer the (usually unstated or alluded to) point about the OEMs:

It seems as though a lot of this sturm and drang is focused on what the OEMs will do. Maybe they'll decide that it makes good business sense to stick with a single UEFI system that doesn't have the option to skip secure boot. And, you know what? They have that right. Maybe it makes sense for them to not have to code and test the option. And, you know what else? You have the equivalent right to not purchase their product.

As I mention above, the probability that every single aftermarket motherboard manufacturer will refuse to offer the option is so close to zero that it doesn't warrant serious consideration.

If you want one, there *WILL* be motherboards and systems easily available that give you the control you want.

Just buy one of those, and quit worrying about what Dell is going to give you.

on Oct 31, 2011

If MS was causing this to intentionally lock out competition they'd have the Justice Department right on their ass.  They aren't that stupid.  Last time that happened they lost a lot of customer respect and had to stop development on a lot of things (like IE) that've had a long and venomous tail.

Also, I like Metro.  The version in the Dev Preview does suck a bit, but it's already been modded for the better.

Anyway, I have stuff to do so it'll probably be a while before I'm back in nutter land (err, the Stardock forums, I mean).

on Oct 31, 2011

Starkers: I don't use any skinning apps so nothing is stored in my public folders. I suppose you could move your skins with the click of a mouse and delete the public folders.

on Oct 31, 2011

kona0197
I suppose you could move your skins with the click of a mouse and delete the public folders.

Not so, kona. They are where the program puts them and if moved from there, WB will become nonfunctional. They can be duplicated to another location, but can be neither 'moved' nor removed from Public Documents. This was discussed in another thread recently.

on Oct 31, 2011

Well my point was that Microsoft isn't forcing anyone to use the public folders and they can be deleted.

on Oct 31, 2011

Perhaps they are indirectly, kona, by requiring apps like WB to use the public folders in Win7.

If I recall correctly, Impulse would let you choose another folder other than the default for installing skins, at least on XP.  I've not used Impulse on Win7 & don't know if an alternative install location for skins will be an option with its replacement.

on Oct 31, 2011

Perhaps the Windowblinds programmers can have the skins install to a different location. It's that simple I would think. 
