+ Post New Thread
Results 1 to 9 of 9
Windows 8 Thread, More on Windows8 UEFI booting in Technical; mjg59 | UEFI secure booting (part 2) Microsoft have responded to suggestions that Windows 8 may make it difficult to ...
  1. #1


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339

    More on Windows8 UEFI booting

    mjg59 | UEFI secure booting (part 2)

    Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background.

    We became aware of this issue in early August. Since then, we at Red Hat have been discussing the problem with other Linux vendors, hardware vendors and BIOS vendors. We've been making sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:

    Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
    Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
    Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
    A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

    Microsoft have a dominant position in the desktop operating system market. Despite Apple's huge comeback over the past decade, their worldwide share of the desktop market is below 5%. Linux is far below that. Microsoft own well over 90% of the market. Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

    Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

    What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

    If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up.

    The final irony? If the user has no control over the installed keys, the user has no way to indicate that they don't trust Microsoft products. They can prevent their system booting malware. They can prevent their system booting Red Hat, Ubuntu, FreeBSD, OS X or any other operating system. But they can't prevent their system from running Windows 8.

    Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise.

  2. #2


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,355
    Thank Post
    241
    Thanked 2,808 Times in 2,073 Posts
    Rep Power
    812

  3. #3


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    MS just announced that they will lock ARM devices to windows only. PC's next I guess

    Microsoft confirms UEFI fears, locks down ARM devices - SFLC Blog - Software Freedom Law Center

  4. #4


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,355
    Thank Post
    241
    Thanked 2,808 Times in 2,073 Posts
    Rep Power
    812
    You won't be able to buy a copy of the ARM version of Windows 8, so having the bootloader locked isn't much of a problem, is it?

    In a practical sense, there is some truth to the argument that it doesn't matter. The main reason that people unlock the bootloaders of their Android devices is so that they can run Android kernels other than those that their device's manufacturer has specifically blessed. Android is substantially open source, and so third parties are able to compile their own kernel binaries. Since these third-party kernels lack any digital signature, a bootloader that's locked and requires signature is a serious impediment.

    Windows 8, of course, won't be open source. Windows 8 users might potentially want to "root" their operating systems, to for example allow side-loading of applications, but Windows 8 won't ever have a community of developers producing third-party kernels. As such, there's no direct equivalent to the Android scenario.

    In principle, some users might want to buy a Windows 8 ARM machine and then install Android, Ubuntu, or some other operating system on it. Even if secure boot could be disabled, it's unlikely that this could be done overnight; unlike x86 systems, which all look more or less identical from an operating system's perspective, ARM has few conventions: any Android port would have to be tailored to accommodate the particular vagaries of the boot process and hardware capabilities that ARM Windows 8 machines have (though it is likely that all Windows 8 ARM machines will be consistent in this regard, in spite of using processors from different companies). (Source)

  5. #5


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by Arthur View Post
    You won't be able to buy a copy of the ARM version of Windows 8, so having the bootloader locked isn't much of a problem, is it?
    Well yes, it is. If I bought a computer I'd expect to be able to run what choose on it.
    I don't believe that it is fair if MS put a artificial restrictions on devices, just to cripple their capabilities. I know they already cripple their own operating systems to force users to buy their more expensive products, but I think this is different. The only reason they are not doing this on PC's is that they would be illegally using their monopoly to gain more market share (not that this has stopped them in hte past). Restricting devices to only ever running one operating system that has a limited shelf-life means that it is built in obsolescence. I think this sets a dangerous precedent.

  6. #6

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,689
    Thank Post
    947
    Thanked 1,354 Times in 827 Posts
    Blog Entries
    1
    Rep Power
    451
    Quote Originally Posted by CyberNerd View Post
    Well yes, it is. If I bought a computer I'd expect to be able to run what choose on it.
    I don't believe that it is fair if MS put a artificial restrictions on devices, just to cripple their capabilities. I know they already cripple their own operating systems to force users to buy their more expensive products, but I think this is different. The only reason they are not doing this on PC's is that they would be illegally using their monopoly to gain more market share (not that this has stopped them in hte past). Restricting devices to only ever running one operating system that has a limited shelf-life means that it is built in obsolescence. I think this sets a dangerous precedent.
    It hardly sets a precedent thats exactly how the iPad works and its not like there is no choice but to buy Windows ones.

  7. #7


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by ZeroHour View Post
    It hardly sets a precedent thats exactly how the iPad works and its not like there is no choice but to buy Windows ones.
    Openiboot does allow running non ios kernels on apple devices. EUFI is entirely different.

  8. #8

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,689
    Thank Post
    947
    Thanked 1,354 Times in 827 Posts
    Blog Entries
    1
    Rep Power
    451
    Quote Originally Posted by CyberNerd View Post
    Openiboot does allow running non ios kernels on apple devices. EUFI is entirely different.
    Not at all tbh, EUFI is one way to lock out access, apple have been doing their own thing for idevices to prevent the whole booting other os's so its not like its a real option.
    You will note nothing past the iphone 3g is supported... they just get better at locking it down and without official support writing the drivers can be a nightmare.

  9. #9


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,355
    Thank Post
    241
    Thanked 2,808 Times in 2,073 Posts
    Rep Power
    812
    Interesting blog post from a Linux developer at Red Hat...

    Some things you may have heard about Secure Boot which aren't entirely true

SHARE:
+ Post New Thread

Similar Threads

  1. More on policies - digital rights / digital wrongs
    By GrumbleDook in forum School ICT Policies
    Replies: 15
    Last Post: 18th March 2008, 12:30 AM
  2. Replies: 60
    Last Post: 13th March 2008, 05:39 PM
  3. Turn on more info on software install.
    By Quackers in forum Windows Vista
    Replies: 7
    Last Post: 31st January 2008, 08:44 PM
  4. Replies: 7
    Last Post: 23rd May 2006, 11:08 AM
  5. More focus on RIS and Software Deployment
    By ajbritton in forum Comments and Suggestions
    Replies: 4
    Last Post: 5th September 2005, 11:41 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •