back to article 'Stop-gap' way to get Linux on Windows 8 machines to be issued

The Linux Foundation is temporarily supporting a Microsoft security policy to ensure Linux isn’t blocked from running on PCs installed with Windows 8. The Foundation plans to obtain a Microsoft key to sign a pre-bootloader from core Linux kernel maintainer James Bottomley. Together, the key and pre-bootloader will allow users …

COMMENTS

This topic is closed for new posts.

Page:

  1. Wang N Staines

    hahahaha "should".

    1. mafoo
      Devil

      Win7

      I think equally importantly the question should be asked, "Is this going to prevent me from downgrading my OS to win 7"

      1. 4.1.3_U1

        Re: Win7

        or Fista, or even earlier win incarnations which are unsupported (or soon to be).

      2. Lewis Mettler
        Stop

        of course

        The purpose of this technology is to make sure you are paying Microsoft more money today.

        All other options are unauthorized.

      3. El Andy

        Re: Win7

        I think equally importantly the question should be asked, "Is this going to prevent me from downgrading my OS to win 7"

        No. Because x86 systems have to support turning UEFI secure boot off in order to get a Windows 8 logo. And ARM systems couldn't run Windows 7 anyway.

      4. RICHTO
        Mushroom

        Re: Win7

        Microsoft shoudlnt allow this. It is asking for people to write malware system boot loaders and use them to then load Windows with a root kit..

        Microsoft should only sign boot loaders than in turn only load fully signed OS kernels.

        This is all the more important for Linux distributions with their much higher vulnerability counts than Windows OSs.

        1. h4rm0ny

          Re: Win7

          "This is all the more important for Linux distributions with their much higher vulnerability counts than Windows OSs"

          It's not "much higher". It's about 5-10% higher. And it's counterbalanced by the fact that Linux users have a much higher technical level of expertise on average (any given Windows user or Linux user might be the same, but the Linux user base doesn't usually include all the additional technically ignorant people that do use Windows and Apple alongside us more savvy users).

          That said, your point is correct in that in theory someone could use a signed Linux loader to load malware into Windows. I personally find it unlikely that anyone who is able to install and manage Linux would be unable, or even discouraged, from doing so by having to change one minor setting and disable Secure Boot. But the LF and Canonical seem to believe so. They may be right.

          1. RICHTO
            Mushroom

            Re: Win7

            No, much higher - as in its more like 10 times higher:

            http://secunia.com/advisories/product/12192/

            http://secunia.com/advisories/product/18255/

            1. Anonymous Coward
              Anonymous Coward

              Re: much higher - as in its more like 10 times higher

              as it says on secunia's website -

              Secunia Advisory Statistics (2012) Statistics based on Secunia advisories released in 2012.

              PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

              so fud off

              1. RICHTO
                Mushroom

                Re: much higher - as in its more like 10 times higher

                If you bother to read you will see that those links quote life time vulnerability counts. Circa 360 For Windows Server 2008, and 3700 For SUSE 10.

                They are actually quite comparible products - both Servers OS distributions of a similar age. Oh but of course as it shows just how bad Linux is - suddenly that's not a fair point?

                There was also an analysis done by a security expert that also cut the Linux distribution down to only match the out of the box functionality of Windows Server - and Linux stil has several times more vulnerabilities.

                This is why internet facing servers runing Linux are so much more likely to be hacked than Windows ones.

        2. nac

          Re: Win7

          Security is a difficult and sometimes controversial thing to analyze. The only truly "secure" operating systems are those that have no contact with the outside world. The firmware in your DVD player is a good example.

          Among all modern general purpose operating systems (Windows, Mac OS X, Linux, Solaris, FreeBSD, NetBSD, OpenBSD) the most secure by defualt is by far OpenBSD. OpenBSD has an extremely stringent security auditing policy; only two remote attack vulnerabilities have been found in the last ten years. This is because OpenBSD doesn't create a large attack surface by running a large number of networked apps.

          Of course, the sad fact is that any networked operating system can be made insecure through careful misconfiguration. Window's problems with security stem mainly from the fact that it runs with a large number of network services on by default, and that it (XP and prior) let the user run with full privileges by default. Windows Vista attempted to fix this issue, but people rejected it as "too confusing" and complained that their old apps did not work correctly under limited accounts.

          Mac OS X is better about user permissions, but still has had a (in)decent number of remote exploits. Apple's slow response to patch many of these issues will be even more worrying if it gains significant market share.

          Most Linux distributions have an excellent policy of quickly patching known security vulnerabilities. Unfortunately, two of the top ten distros deliberately use outdated code (Damn Small Linux) or make it too easy to run as a privileged user by mistake (Damn Small Linux, Puppy Linux). Were these distros to gain significant popularity, their users would be exposed to a larger number of vulnerabilites than if they encouraged proper security policies.

  2. wowfood
    Meh

    let me get this straight

    They put in the secure boot to prevent malware hijacking etc.

    To get past this temporarily Linux has gotten a microsoft key, which I assume costs money. This i a temporary measure, until they find alternate ways around the issue.

    But if they find alternate ways around the secure boot, then surely people will update their malware etc to abuse this new work around. And in response wouldn't microsoft have to block said workaround forcing linux back to buying the microsoft key?

    And yet it's google who are anti-competition.

    1. HMB

      Re: let me get this straight

      I'm afraid you haven't got it straight.

      The Register has previously reported on secure boot and Microsoft only give Windows 8 certification if the secure boot can be switched to accept alternative keys and can be turned off entirely (on x86 and x64.

      It appears that in an effort to whip up outrage from gnusers the same old is run again, but with the reassuring parts omitted.

      *sigh*

      1. Anonymous Coward
        Anonymous Coward

        @HMB - Re: let me get this straight

        Not quite straight!

        Microsoft will allow (but not require!) computer OEM to allow users to disable secure boot on non-ARM platforms and we all know how independent manufacturers are from Microsoft. So GNU users can still be rightfully outraged. Anyway it's not like you may freely install whatever you want on your (is it yours anymore?) PC.

        1. h4rm0ny

          Re: @HMB - let me get this straight

          "Not quite straight! Microsoft will allow (but not require!) computer OEM to allow users to disable secure boot on non-ARM platforms and we all know how independent manufacturers are from Microsoft"

          If you're going to correct someone, you should be correct. HMB has it right. It is a requirement that PC providers allow users to disable Secure Boot. The Reg. article or Linux Foundation are spreading FUD. Here is the relevant document:

          MS Hardware Certification Requirements. Because it's a long document, the part to skip to is the section on UEFI Secure Boot (begins page 118). The relevant paragraphs I have quoted below:

          "17. Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

          a. It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

          b. If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

          c. The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.

          18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."

          !--End Quote.

          Now, let's see who downvotes a post for putting factual information with a source.

          1. Anonymous Coward
            Anonymous Coward

            Re: disable secure boot on non-ARM platforms

            Fine, but there are lots (and an ever increasing number) of arm platforms I might want to install linux on; some of those may well start off with windows on them.

            1. h4rm0ny

              Re: disable secure boot on non-ARM platforms

              "Fine, but there are lots (and an ever increasing number) of arm platforms I might want to install linux on; some of those may well start off with windows on them."

              And I agree with you. I would like to see the same thing apply to ARM, more or less. But this article and the certificate the Linux Foundation are talking about is explicitly about x86. And at the time I write this, my post (which has been up about ten minutes) has already been downvoted twice. A post which simply provides the relevant facts and an actual referenced source and which indicates that people will actually be fine to install and run Linux on Win8 certified devices. What these downvotes indicate to me, is that there are people here who actively dislike being shown that MS hasn't blocked Linux. People who honestly prefer to see Linux beaten down so they can complain about that, than to see Linux given an opportunity to be installed and chosen by people.

              1. Destroy All Monsters Silver badge
                Linux

                Re: disable secure boot on non-ARM platforms

                > People who honestly prefer to see Linux beaten down so they can complain about that

                Linux Liberals!

                Solid info though, thank you.

                1. h4rm0ny
                  Linux

                  Re: disable secure boot on non-ARM platforms

                  "Solid info though, thank you."

                  You're welcome! I've been using Debian all day, today. Cheerleading for companies is...well, it's okay, but not to the point that people will actively fight against inconvenient facts. It's allowable that more than one OS can be good!

              2. Richard Plinston

                Re: disable secure boot on non-ARM platforms

                > What these downvotes indicate to me, is that there are people here who actively dislike being shown that MS hasn't blocked Linux.

                Which may be people who want to show MS as anti-competitive, Or it may be people who want MS to dominate the world and are upset that a Windows 8 machine could be corrupted with Linux (or Windows 7).

              3. Anonymous Coward
                Anonymous Coward

                Re: disable secure boot on non-ARM platforms

                whaaaa whaaaa someone downvoted me.. mummmmmmmy!

                1. h4rm0ny

                  Re: disable secure boot on non-ARM platforms

                  "aaa whaaaa someone downvoted me.. mummmmmmmy!"

                  You miss the point - the problem is not that someone downvoted me - that's just a personal thing that doesn't affect anyone. The problem is that indicates some people would prefer to feel victimised rather than actually learn they were wrong. Linux - or indeed any other OS - doesn't benefit from that sort of support.

          2. Euripides Pants

            Re: @h4rm0ny - some people still dual boot

            This would seem to be aimed at those who want to run Linux and Win8 on the same PC.

          3. HMB

            Re: @HMB - let me get this straight

            @h4rm0ny

            I would like to thank you for a very thorough, direct and sourced reply.

            The irony of the downvoters is that they think they are championing linux, but all they really do is make respectable linux users look more like goons by unfortunate association. They're the sort of people you don't invite along to parties because of inadequate emotional intelligence.

            One caveat I would come out with was that I could have made it clearer that ARM wasn't included in the fair secure boot plan. I don't agree with ARM being locked out on principle, but I find it distasteful that Microsoft gets singled out for this when Apple has been locking down it's platform for some time. At least bash both of them in a balanced way.

            1. h4rm0ny

              Re: @HMB - let me get this straight

              "The irony of the downvoters is that they think they are championing linux, but all they really do is make respectable linux users look more like goons by unfortunate association. They're the sort of people you don't invite along to parties because of inadequate emotional intelligence."

              I've been using Linux for around a decade. And before that I was using UNIX. I remember when Ubuntu appeared and looking down on it for the way everything was pre-compiled. :D Yes, we don't need champions who would prefer a helpful lie to the truth.

              "One caveat I would come out with was that I could have made it clearer that ARM wasn't included in the fair secure boot plan. I don't agree with ARM being locked out on principle, but I find it distasteful that Microsoft gets singled out for this when Apple has been locking down it's platform for some time. At least bash both of them in a balanced way."

              Agreed and noted. As I wrote elsewhere, I would also like to see ARM devices required to allow Secure Boot to be disabled. I have criticised MS for this on other occasions, but I guess here I was just focused on trying to correct the onslaught of misinformation (some of which is almost certainly deliberate as at least some of the people here must know better). I will keep it in mind for the future. Cheers.

              1. h4rm0ny

                Re: @HMB - let me get this straight

                Just to follow on about WinRT. I guess the difference as MS see it, is that with OEM devices, they are selling software. But with the WinRT devices, they are not selling software, they are selling hardware and software combined. And they don't want to be subsidizing competitors, e.g. Android, by selling hardware priced according to subscription models or offset by software costs, if someone will just take the hardware and use it as a cheap platform for a rival at MS's expense. E.g. a common rumour is that some of the WinRT devices are going to be sold on a subscription model much like phones. Naturally, MS would want the device to be locked, just like a phone is locked. Doesn't mean I agree with it, but I presume that may be the reasoning.

            2. Vic

              Re: @HMB - let me get this straight

              > The irony of the downvoters is that they think they are championing linux

              That's a bit of an assumption, unless you've got access to the vote database.

              IME<, downvotes occur whenever you make a firm statement here, no matter how reasonable or accurate it might be. Announcing bad news is guaranteed to bring out the downvotes...

              Vic.

              1. h4rm0ny

                Re: @HMB - let me get this straight

                "Announcing bad news is guaranteed to bring out the downvotes..."

                That's the point. It's *good* news. Unless you actively want MS to be oppressing Linux. In any other regard, my post is a good thing for Linux as far as Linux users are concerned. And Windows users generally don't care if Linux does well because they don't see it as a problem for them. I posted a clear fact, with source and got downvotes. Almost certainly, based on the general tenure in the posts here, because it contradicted someone who was saying that MS were doing something bad for Linux.

                1. eulampios

                  @h4rm0ny

                  Unless you actively want MS to be oppressing Linux.

                  Unless you don't see it happening every single day. I'd use the abusing its monopoly against many competitors wording though.

                  You got my downvoting for this phrase and the zeal of whitewashing the charcoal.

                  1. h4rm0ny

                    Re: @h4rm0ny

                    "You got my downvoting for this phrase and the zeal of whitewashing the charcoal."

                    Someone says Secure Boot is MS stopping Linux without this workaround. I point out that this is not the case with explanation as to why. A rational person who wants Linux to do receives the correction with pleasure because it means Linux isn't being held down. A person who is less interested in results but gets off on the company they dislike being shown to be evil and the entity they like being shown to be good (if you're oppressed, the logic says you are the good guy), regards my post as a bad thing because it shows what this article reports on isn't the negative thing that the original poster portrayed it as. So yes, I'm perfectly comfortable saying that those who downvoted my original post actively want MS to be oppressing Linux. I've just explained why. For such people, it's less about Linux doing well, and more about feeling they are right.

                    And you put yourself among those people.

                    1. eulampios

                      Re: @h4rm0ny

                      Even taking your own word on your decade of using Debian (Ubuntu etc) and the Microsoft related naivety doesn't undo many many bad things Microsoft has(ve, as in British) been doing for (the very) same decades.

                      Support of SCO, anti-ODF campaign, "Get the f**ts", "GNU/Linux, Android infringe on may of our patents" FUDs and more. "Windows Tax" is another way to oppress free market (not necessarily Linux, as you put it). To say nothing about their corrupted ubiquity in the public institutions.

                      They side with Apple oftentimes, because they see that evil likeness, kinship of black souls, brotherhood of crooks, so to speak. No wonder, why would they have publicly jeered at their partner's (Samsung) case loss.

                      Even if, once upon a time Chikatilo decided to be normal (just for now, of course)....

                      1. h4rm0ny

                        Re: @h4rm0ny

                        "Even taking your own word on your decade of using Debian (Ubuntu etc) and the Microsoft related naivety doesn't undo many many bad things Microsoft has(ve, as in British) been doing for (the very) same decades."

                        Yes, it may be difficult to believe but I distinctly remember using SuSE Linux 6.4 as my primary OS so yes, I have been using Linux for over a decade. And I was using UNIX and Solaris some time before that. As to "Microsoft related naivety", I was talking about Secure Boot. You are self-confessedly objecting to my correcting someone because you would prefer the party you dislike to look bad. That is called prejudice or bias. And you are now writing to explain why you feel that even if MS haven't done a bad thing in this instance, you feel justified in voting down a factual correction because you consider them to be evil. And you really don't see that as morally wrong? To try to vote down true facts because you would prefer the party you don't like to actually be doing something wrong so that others will feel the same way you do, rather than actually take satisfaction in the fact that there isn't a wrong here and that the earlier poster was wrong about Linux being restricted?

                        Thanks, but I have my priorities right, imo. I see Linux not be restricted by something (indeed, I hope to see it take advantage of the new technology in the enterprise), and that makes me happy, not angry that I have had ammunition taken away from me.

                        Seriously, when you find yourself resorting to bizarre character attacks, such as quoting and italicising my career history and implying I'm lying (especially when my argument isn't based on my experience in the slightest, but on actual sourced references I provided), when you start making arguments that involve "kinship of black souls" or suggesting Apple and Microsoft are drawn to each other because they see their "evil likeness", it's time to take a step back and re-assess if you're a fair and objective person.

                        1. eulampios

                          Re: @h4rm0ny

                          You got me wrong, I didn't question your experience. I just find it next to impossible to remain neutral towards Microsoft or even feel positive about them. I see it as paradox, myopia, amnesia or else.

                          The term "evil likeness" is not of course, what they discern in their own self. Well, I guess, Chikatilo must have had a good opinion of himself too.

                          Apple and Microsoft can't keep up with their competitors and resort to very similar dirty campaigns. Not only do they manage to spare each other, they even appear to be and are in unison.

                          Okay, secure boot is a nuisance and another *dirty* means against competitors. A number of machines with weird BIOS settings/features are already quite unfriendly to everything non-Windows. The whole controversy is just one more nail in the coffin, called "MS trust". I'd not waste my time in attempting to pull this nail out even if it was rusty.

                          1. h4rm0ny

                            Re: @h4rm0ny

                            "You got me wrong, I didn't question your experience"

                            You began your reply to me with: "Even taking your own word on your decade of using Debian (Ubuntu etc) " in italics. It's not even relevant to my original post, so it just sounds like you're trying to cast doubt on my word.

                            "I just find it next to impossible to remain neutral towards Microsoft or even feel positive about them."

                            RIght. Which is my point. People are downvoting a factual, sourced post which shows Linux is not being restricted, and they're doing so because their reaction is not positive because Linux isn't being blocked, but dislike of the post because it shows a party they are not neutral toward as less evil. The reaction of a normal person to finding something bad hasn't happened, is a positive one. The reaction of the downvoters (incl. you) is disappointment or anger. For such people, the need for the party they hate to be evil outweighs the actual desire for that party to do good. When you prefer someone to do evil rather than good, your hatred of them has gotten the better of you.

                            "Well, I guess, Chikatilo must have had a good opinion of himself too."

                            No idea who or what Chikatilo is but it's the second time you've brought it up. Searching brings up a Russian serial killer though. Are you now likening Microsoft to serial killers? Do you have any idea how ridiculous and maybe even offensive, that would sound to people outside of small anti-Microsoft echo chambers like The Register?

                            "Apple and Microsoft can't keep up with their competitors and resort to very similar dirty campaigns"

                            You've just named the two most successful OS producers in the world as those that "can't keep up with their competitors". You mean in technical features? Do you have even the remotest idea how difficult it is to write even just a modern OS's kernel? Have you ever worked on a project that size? Have you ever actually looked at what new features MS have come up with for Windows over the years? Why don't you do that before you dismiss without looking the work of thousands of skilled developers.

                            "Okay, secure boot is a nuisance and another *dirty* means against competitors"

                            Is the above just an article of faith with you that you feel you don't have to actually support? It has been shown that no PC is going to have a problem with Linux because of this. Will you be on here posting the same comment when Android devices start using Secure Boot? Will you be angry when CentOS comes as a signed kernel and uses that as a sales point over their competitiors?

                            "A number of machines with weird BIOS settings/features are already quite unfriendly to everything non-Windows"

                            UEFI is not BIOS any more than a car and a horse are the same thing. And what settings are you referring to, specifically? I'm okay with technical detail so when you make a comment like this, please feel free to specifically say what BIOS feature has caused you a problem. In fact, I insist. Otherwise I will not be convinced as I have Debian and Ubuntu running fine on two recent motherboards right here.

                            "I'd not waste my time in attempting to pull this nail out even if it was rusty."

                            It seems based on your desire to vote down inconvenient facts, that you'd go so far as to try and stop other people pulling out the nail if you could.

                            "I'd not waste my time in attempting to pull this nail out even if it was rusty."

          4. Lewis Mettler
            Stop

            the purpose

            The purpose here it to make it much more difficult to install anything other than the latest version from Microsoft.

            You are an idiot if you think otherwise.

            So you really think that Microsoft would except such roadblocks preventing the use of a Microsoft product.?

            Force consumers to buy the Microsoft product. And then make it as difficult as possible for a consumer to use anything else. It does not have to be technically impossible to have a huge affect upon consumers.

            Consumers are just dumb idiots being manipulated by Microsoft to secure their monopoly. You are real stupid if you do not understand that.

            1. HMB

              Re: the purpose

              @Lewis Mettler

              "...You are an idiot if you think otherwise..."

              How intellectually compelling. What an argument.

            2. dajames
              Pint

              Not quite an idiot ...

              @Lewis

              The purpose here it to make it much more difficult to install anything other than the latest version from Microsoft.

              Maybe, but not in the way that you mean.

              The actual purpose seems to be to enable Microsoft to claim to content providers that their platform -- especially the ARM platform, which they see as a platform that will be used almost exclusively for media consumption -- is a secure platform that will not allow its DRM measures to be hacked or circumvented.

              That way, they hope that media providers (read: music and movie companies) will license their content for Windows platforms, and not for the competition, and that Microsoft will be able to rake in the dollars for selling it through their store. Just look at how much of Apple's revenue is from OS and devices, and how much from iTunes.

              It's not about the platform, that hasn't enough value to be worth the effort, it's about the content market.

              I had thought that MS might also be trying to tie the device to the OS so that they could subsidize Win8 tablets by "selling" the OS to manufacturers at negative cost without having to worry that users could just strip Windows off and run Android, so getting a cheap Android tablet courtesy of MS! It now seems that it will be possible to get Linux or Android signed with the "Microsoft key" (isn't it actually a Verisign key?) so anything should be runnable, as long as it's signed.

              ... and having seen the expected retail prices of some Win8 tablets I know there's no subsidy!

              Beer glass, because the value is in the content.

      2. dogged
        Alert

        Re: let me get this straight

        Gavin, why don't you just write

        ZOMG THE WORLD IS ENDING MICROSHAFT IS KILLING LINUX BECAUSE STEVE BALLMER IS A FAT DEMON WHO SWEATS AND THEY WILL EAT YOUR CAT BTW WINDOWS 8 SUCKS SWEATY BALLMER BALLS AND SO DOES EVERYHTHING ELSE THEY EVER MAKE EXCEPT WHERE IT'S BRILLIANTLY EVIL EHRMERGERD

        You know you want to.

        It's pretty much everything you've written for eighteen months.

    2. Another Justin

      Re: let me get this straight

      Its not really a workaround that malware can use - the bootloader performs a "present user test" (just a prompt that says "WARNING: This Binary is unsigned, Are you sure you wish to run an unsigned binary in a secure environment?") before allowing an unsigned chained bootloader to run.

      Anyone who is not used to seeing this message (e.g. Windows users, or users of another signed OS) will be alerted to the ruse if malware attempts to use this to subvert secure boot. Anyone who is already using this bootloader is essentially disabling secure boot anyway.

      1. edge_e
        Stop

        @Another Justin

        This is alright by me as long as the message appears at first boot and then generates a key for the image it is booting and doesn't display the message again unless I've been hacked.

  3. Anonymous Coward
    Anonymous Coward

    Linux as an authorised piece of software on Windows 8 PCs

    One word: What The F***!

    1. Ragarath

      From what I understand (may be wrong).

      Windows 8 will require UEFI (A MS and others designed bit of hardware stuff) as most PC's get sold with Windows on. it will become widespread.

      Any software that wants to boot needs to be signed so that it is known not to be malware or if it is can be traced back to source I guess.

      Penguins have been clamoring that this locks them out because of the GNU and other licences that require them to be "open" which secure boot is not.

      Although the article makes it sound like it is Windows fault, it is not, MS stipulated it must be used to ship a Windows 8 PC but is can be disabled (unless it is uses ARM). The market share of MS is what is making the penguins worry because they think it'll stop people that have bought a MS PC from being able to load Linux.

      As far as I am aware there was discussion of allowing new keys to be uploaded.

      1. Destroy All Monsters Silver badge
        Holmes

        > Penguins have been clamoring that this locks them out because of the GNU and other licences that require them to be "open" which secure boot is not.

        NOPE. Do you hear "penguins clamoring"? Are we in Antarctica? No.

        What happens is that the bootloader has to be signed [by someone who owns the private key the public counterpart of which is on the motherboard]. Apparently this is MANDATORY on ARM machines for some reason.

        This as far as I can see has nothing to do with GNU licensing.

        It has to do with someone [who?] going to the keyholder guy [who owns the private key the public counterpart of which is on the motherboard] with a compiled version of GRUB2, then asking nicely whether he would like to sign this binary thank you very much and can we come back once the next bugfix release is due.

        Now the keyholder guy may want to get paid or the outfit which manages the certificate chain involved might. Apparently in this case the latter is Verisign and someone [who?] will come up with the cash.

        1. Wensleydale Cheese

          Not a big problem, unless you are developing for ARM, methinks

          @ Destroy All Monsters

          "It has to do with someone [who?] going to the keyholder guy [who owns the private key the public counterpart of which is on the motherboard] with a compiled version of GRUB2, then asking nicely whether he would like to sign this binary thank you very much and can we come back once the next bugfix release is due.

          Now the keyholder guy may want to get paid or the outfit which manages the certificate chain involved might. Apparently in this case the latter is Verisign and someone [who?] will come up with the cash."

          From the article it appears that both instances of [who?] will be the Linux Foundation, or Canonical for Ubuntu. If I remember correctly, the cost of signing is in the region of USD 95.

          For non-ARM machines, the check can be switched off if you have physical access to the computer (i.e. can modify the UEFI equivalent of BIOS settings).

          You are right about the bugfix problem of course. This could be a real pain for those involved in developing and maintaining GRUB2 and other boot loaders, especially for ARM systems.

        2. This post has been deleted by its author

        3. tom dial Silver badge

          BS!

          If I purchase a piece of hardware, that should include both the platform key and the software to generate and install a new one. Anything less is, to my way of thinking, a security vulnerability. On my hardware, I should be in position to control the installation of the keys that are used to manage software installation.

          If, on a machine with Windows I choose (either actively or passively, as most purchasers will) to delegate my rightful authority to Microsoft, that is my right. And although it is Microsoft's right to restrict certification of a system for Windows if they wish, it is not their right to control the platform key to a system that they do not own.

      2. Anonymous Coward
        Anonymous Coward

        @Ragarath - Small correction for you.

        Any software that wants to boot needs to be signed with Microsoft private key because UEFI specs do not allow more than one public key in firmware. This locks everyone else out of the PC platform and the fact that there was a discussion means nothing to them. It's not Windows fault, it is Microsoft that designed it like that.

        1. h4rm0ny

          Re: @Ragarath - Small correction for you.

          "UEFI specs do not allow more than one public key in firmware"

          They do allow multiple keys. But there are "platform keys" and "key exchange keys". There is only one "platform key" as far as I am aware, but you can have multiple keys for signing OSs and boot loaders. MS would not normally control the "platform key" for a device - that would be the maker of the hardware. At any rate, it is certainly possible to have multiple installs signed with different keys which is in contradiction to what you wrote.

          Also, you write that "it is Microsoft that designed it like that." This is also incorrect. MS do not control the UEFI Forum that produce it, nor do they have that much influence on the specification. It's a multi-partnered body with about a dozen members - everyone from Apple to AMD to Lenovo. Pretty much open to any of the main players in developing motherboards and related hardware.

          The amount of misinformation being confidently asserted as facts in this story and the comments here, is staggering. In some cases actually trying to correct people who know what they're talking about.

          1. Yet Another Anonymous coward Silver badge

            Re: @Ragarath - Small correction for you.

            They allow multiple keys on Intel but not on Arm.

            They feel they can get away with only allowing a single OS on a tablet/cell phone because Apple (and every other cell phone maker) already do - but if they locked all the world's PCs to be Windows only the anti-competition people would be round sharpish

          2. Anonymous Coward
            Anonymous Coward

            Re: @Ragarath - Small correction for you.

            "The amount of misinformation being confidently asserted as facts in this story and the comments here, is staggering. In some cases actually trying to correct people who know what they're talking about."

            This happens in every comment section on the reg. The signal to noise ratio is never good.

            You're only really noticing now because this article happens to concern a field in which you have some expertise.

Page:

This topic is closed for new posts.

Other stories you might like