Windows 8 To Shut the Door on Linux?

[nsane.forums]

PC users who run Windows and Linux on the same machine will want to do some research before purchasing a Windows 8 computer. That's because systems with a "Designed for Windows 8" logo must ship with UEFI secure booting enabled—a move that prevents booting operating systems that aren't signed by a trusted Certificate Authority.

This could pose a problem for Linux users, though in practice most can just change UEFI settings to disable secure boot before installing the open-source OS. But users will have to depend on hardware vendors to make this option possible in the first place.

Disabling secure boot

"Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled," Red Hat developer Matthew Garrett writes on his blog in reference to a recent presentation by Microsoft program manager Arie van der Hoeven. The Microsoft exec notes that UEFI and secure boot are "required for Windows 8 client" with the result that "all firmware and software in the boot process must be signed by a trusted Certificate Authority."

Microsoft has a good reason for this. A "growing class of malware targets the boot path [and] often the only fix is to reinstall the operating system," van der Hoeven said. "UEFI and secure boot harden the boot process [and] reduce the likelihood of bootkits, rootkits and ransomware."

Importantly, though, Garrett writes that "there's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code."

For many (and hopefully most) Windows 8 machines, this means that users have a good chance of successfully entering the UEFI settings interface to turn off secure boot. But this will depend on the hardware vendor.

"Experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market," Garrett writes. "It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't. It's probably not worth panicking yet. But it is worth being concerned."

Technically, vendors can ship Windows 8 PCs without meeting Microsoft's "designed for Windows 8" logo requirements, but major OEMs typically would not do that.

The Windows 8 developer tablet Microsoft handed out at this month's recent BUILD conference did include the ability to turn off the secure boot process. This is reminiscent of Google's Cr-48 Chromebook, which allowed users to turn off the Verified Boot process and install another operating system, though this involved flipping a physical switch instead of changing a software setting.

A signed OS

Besides disabling the Windows 8 secure boot process, another option for Linux lovers is installing a signed version of Linux. But "this poses several problems," Garrett notes. "Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM."

Current machines dual-booting Windows 7 and Linux should be able to upgrade to Windows 8 without wiping out the Linux install. As Microsoft notes in the Building Windows 8 blog, "We will continue to support the legacy BIOS interface." However, machines using UEFI instead of BIOS "will have significantly richer capabilities" including faster boot times and greater security.

Ultimately, the Windows 8 changes aren't likely to wipe out Linux dual-boot scenarios, but they could restrict the types of hardware that will allow them. PC users who would boot two operating systems tend to be highly technical, though, so we expect they'll find the necessary workarounds.

View: Original Article

[DKT27]

This is bullsh*t. WTF is M$ trying to achieve here? Kill open-source/linux/competition/piracy or anything not M$? As if driver signing in x64 is not enough, they want whole OS booting to be signed? :huh:

[DKT27]

A secure boot protocol in Microsoft's new operating system threatens to prevent Linux and other unsigned software from running on Windows 8-certified machines.

It seems safe to say that a sizable proportion of Linux PC users in the world today installed the free and open source operating system on hardware that originally came loaded with Windows. After all, while there are preloaded systems available, it often ends up being cheaper to buy a Windows PC and load Linux yourself.

Once Windows 8 starts shipping on PCs, however, that may no longer be possible. It turns out that a new feature included in the operating system in the name of security may also effectively make it impossible to load Linux on officially Windows 8-certified hardware.

"It's probably not worth panicking yet," wrote Red Hat developer Matthew Garrett in a Tuesday blog post on the topic. "But it is worth being concerned."

'It Won't Be Installable'

The problem derives from Microsoft's decision to use a hardware-based secure boot protocol known as Unified Extensible Firmware Interface (UEFI) in Windows 8 rather than the traditional BIOS we're all familiar with. Microsoft principal lead program manager Arie van der Hoeven explained and demonstrated UEFI in a talk at the company's BUILD conference earlier this month, and that explanation is still available in the video below.

Essentially, the technology is designed to protect against rootkits and other low-level attacks by preventing executables and drivers from being loaded unless they bear a cryptographic signature conferred by a dedicated UEFI signing key.

"There is no centralised signing authority for these UEFI keys," Garrett explained. "If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable."

Microsoft has said it will require that Windows 8 logo machines ship with secure boot enabled. Most likely, Windows on such systems will be signed with a Microsoft key, Garrett predicted.

Other operating systems, such as Linux, won't include any such signatures in their current state, of course. So, unless deliberate measures are taken to make them available, "a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux," Garrett explained.

'Kernels Will Also Have to Be Signed'

Options for Linux include providing signed versions of the operating system, but there are several problems associated with that approach, Garrett pointed out.

First, a non-GPL bootloader would be required. Grub 2 and Grub are released under the GPLv3 and GPLv2, respectively, he noted.

Second, "in the near future the design of the kernel will mean that the kernel itself is part of the bootloader," Garrett added. "This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical."

Finally, if Linux distributions sign for themselves, the required keys would have to be included by every OEM, he said.

It may turn out to be the case that Microsoft will allow vendors to provide firmware support for disabling this feature and running unsigned code, Garrett acknowledged. Even so, however, it's unlikely that all hardware will ship with that option, he added, posing problems for at least some Linux users down the road.

It remains to be seen how this situation will play out, of course. For my part, though, it sounds like one more good reason to choose hardware with Linux preinstalled.

View: Original Article

[uVSthem]

I guess one would need to do the same if they were installing OSx86?

[marke68]

I'm most probably wrong but it looks to me like MS are changing the boot protocol to kill off the chances of bootloaders working on win 8 machines.

[RobrPatty]

I'm most probably wrong but it looks to me like MS are changing the boot protocol to kill off the chances of bootloaders working on win 8 machines.

Also to keep from flashing bios for a slic activation.

[Ambrocious]

This makes me want to learn how to use Linux REALLY badly. I have it installed on my other hard drive but I rarely use it. I was impressed by the latest build of Ubuntu and one day...maybe sooner than I think, I might migrate to Linux altogether.

What Microsoft is doing is vertical integration in a very bad way for people who truly desire a more free OS. It may become more secure by default which eradicates the need for actual learning "on the field" or for people who make money repairing computers. Overall, this will dumb the future generations down, discouraging growth and learning how to protect yourself online because it will be done "for you". Security is good but mandatory security is a form of tyranny. This move that Microsoft is doing will indirectly begin to eliminate competition, both corporate and non corporate. This has ALWAYS been the goal of Microsoft of course.

[nuthut]

I'll give the geeks a week before they can circumvent this latest attempt at keeping Windows 8 hack proof

[DKT27]

Microsoft clarifies Windows 8 UEFI concerns

Microsoft's latest update to "Building Windows 8" describes the security aspects of the OS's UEFI support, of which concerns were raised recently.

Microsoft published today the second of two Building Windows 8 blog posts detailing the operating system's new boot capabilities. Today's post focuses on the security aspects of supporting "secure boot" offered with Unified Extensible Firmware Interface (UEFI) computers.

The post comes on the heels of concerns raised yesterday by Red Hat developer Matthew Garrett, where he raised concerns about new Windows 8 machines - those that conform to the Windows 8 Logo program - may prevent alternate and/or older Windows operating systems from booting.

Microsoft's response, while addressing consumer concerns is fairly similar to Garrett's conclusion of how boot security will play out: security keys are signed by the OEM and are used to prevent unauthorized access to boot code. Firmware updaters supplied by OEMs contain the manufacturer's own key. In addition, while secure boot will hopefully be enabled by OEMs, it is up to the manufacturer to allow users to disable secure boot via the UEFI firmware's configuration pane, as is shown in the Samsung Windows 8 preview tablet:

Microsoft's summary of the security-related changes in Windows 8 is as follows:

• UEFI allows firmware to implement a security policy
• Secured boot is a UEFI protocol not a Windows 8 feature
• UEFI secured boot is part of Windows 8 secured boot architecture
• If desired, Windows 8 utilizes secured boot to ensure that the pre-OS environment is secure
• Secured boot doesn’t “lock out” operating system loaders, but is is a policy that allows firmware to validate authenticity of components
• OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
• Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

View: Original Article

[ck_kent]

So, correct me if I'm wrong, only the OEMs (branded computers like DELL, HP, etc...) should be affected by this? Because branded computers are the ones who usually put "Designed for Windows..." on their machines. If you assemble your own computer this won't be an issue?

[myidisbb]

i believe it will be use to drm.

also to stop program loaders.

i really dont see any good malware protection from this. there is gong to be security holes that will be attacked later

[DKT27]

Microsoft, Red Hat Spar Over Secure Boot-loading Tech

Is Microsoft using a next-generation computing boot-loading technology to lock out the use of Linux and other OSEs on certain computers? While Microsoft has denied malicious intent, one Red Hat developer maintains that this may be the case.

Microsoft is mandating the use of the UEFI (Unified Extensible Firmware Interface) secure boot-loading capability with Windows 8 in such a way that "the end user is no longer in control of their PC," charged Red Hat developer Matthew Garrett in a blog entry posted Friday.

Microsoft has claimed that this charge is based on a misunderstanding of the company's intentions. "At the end of the day, the customer is in control of their PC," said Microsoft program manager Tony Mangefeste in another blog posting from Microsoft.

The controversy took root on Tuesday, when Garrett pointed out in a blog posting that Microsoft-certified computers running Windows 8 may not be able to be loaded with copies of other OSes, such as Linux. Users could not install Linux as a second OS, or replace Windows with a copy of Linux, Garrett argued.

Windows 8 will require its host computer to use the UEFI, the low-level interface between the computer firmware and the OS. Marketed as a replacement to BIOS, UEFI provides a secure boot protocol, which requires the OS to furnish a digital key in order to be loaded by the machine. UEFI then can block the operations of any programs or drivers unless they have been signed by this key, a move that should prevent malware from infecting machines by changing the boot-loading process.

With Windows 8, Microsoft will require hardware manufacturers (those wishing to display the Windows logo on their units) to ship their machines with secure boot enabled. Each machine would then require a digital key from Microsoft, the hardware manufacturer or, if it uses another OS, a secure key for that OS.

Users who customize their own versions of Linux, or use a generic OS that does not come with a key, may not be able to run these OSes on machines requiring this secure booting process, Garrett said. Nor would there be any guarantee that OEMs (original equipment manufacturers) even provide the ability for users to add their own keys, or give users the option to run other OSes without a key.

Garrett's blog post subsequently sparked debate in the trade press and Linux user communities.

Responding to the controversy on Thursday, Microsoft has denied that the intent was to shut out Linux. Although he did not mention Linux by name, Steven Sinofsky, president of the Windows and Windows Live Division, noted in a blog post that some of those commenting have used details of the new plan to "synthesize scenarios that are not the case."

The rest of the posting, authored by Mangefeste, noted that Microsoft is concerned only that Windows 8 be protected in a secure boot loader, and that OEMs are free to build in the option of disabling secure boot for running OSes without keys. Other OS providers are responsible for providing their own keys.

"For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision," Mangefeste wrote. "However, [disabling secure boot] comes at your own risk," he added.

"Microsoft's rebuttal is entirely factually accurate. But it's also misleading," Garrett responded in a follow-up blog item, posted Friday. Under the licensing agreement, the equipment manufacturer is under no obligation to provide users with the ability to disable the secure boot capability. Beyond the use of third-party OSes, this approach might also hamper the ability of users to upgrade components such as graphics cards, because there is no requirement to provide the user with the capability of installing additional keys.

"The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market," Garrett charged.

View: Original Article

[kmr1684]

i do not care about this hancy phancy claim by M$ shit, it will take 1 to 2 months for good old linux developer to come with alternative to this i seen a lot of time M$ shit will develop something and it will take some time to beat that. it is always cat and mouse games, i really love it. :rofl: