Windows 8 OEM specs may block Linux booting

New secure boot process leaves unsigned Linux out in the cold

By Brian Proffitt

September 20, 2011, 9:45 PM —

After years of trying to cut off Linux growth as a desktop platform on x86 and x64 PCs, Microsoft may have actually figured out a way to stop Linux deployments on client PCs dead in their tracks.

At the very least, Linux deployment will be hindered on any Windows 8-certified machines to come, as new requirements for the Windows 8 logo come to light.

Red Hat's Matthew Garrett was one of the first to notice that according to the new logo rules, all Windows 8 machines will need to be have the Unified Extensible Firmware Interface (UEFI) instead of the venerable BIOS firmware layer. BIOS has been pretty much the sole firmware interface for PCs for a long time.

The EFI system has slowly been making headway in recent years, and right now EFI firmware is compatible with Windows supporting the GUID Partition Table (GPT), OS X/Intel, and Linux 2.6 and beyond machines. EFI is seen as a better hardware/software interface than BIOS, since it is platform-agnostic, runs in 32- or 64-bit mode, and GPT machines can handle boot partitions of up to 9.4 zettabytes. (That's 9.5 billion terabytes to you and me.)

EFI, and the later UEFI specification, is not the problem for Linux. The problem is Microsoft's other requirement for any Windows 8-certified client: the system must support secure booting. This hardened boot means that "all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)," according to slides from a recent presentation on the UEFI boot process made by Arie van der Hoeven, Microsoft Principal Lead Program Manager.

More: http://www.itworld.com/it-managementstrategy/205255/windows-8-oem-specs-may-block-linux-booting

seems to be secure keys for UEFI firmware can block loading of drivers and executables

so issue is whether the machine owner can somehow learn these key(s): i've bought machines, scrapped windows, and put linux on instead -- but in the future i may be somewhat at the mercy of manufacturers in this regard -- if a manufacturer preloads windows and won't give me the UEFI key, i'm outta-luck-stuck with the os the manufacturer chose for me

Microsoft could lock out Linux on Windows 8 PCs, but it won’t
http://www.extremetech.com/computing/96909-microsoft-could-lock-out-linux-on-windows-8-pcs-but-it-wont

unless they want to get slapped with the mother of all antitrust lawsuits. It will be up to the OEMs to supply keys. Some might go out of their way to be Linux friendly, others may not care. In either case, the days of walking up to a random PC and easily booting an alternate OS like the useful http://www.sysresccd.org">SystemRescueCD may be coming to an end.

Lock-out security tech can be disabled, if OEMs want
By John Leyden
Posted in Operating Systems
23rd September 2011 11:53 GMT

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs.

Unified Extensible Firmware Interface (UEFI) specifications, designed to reduce start-up times and improve security, allow computers to verify digitally signed OS loaders before booting. The feature in UEFI, the successor to BIOS ROM, is designed as a countermeasure against rootkits and other bootloader nasties.

However computer scientists, including Professor Ross Anderson of Cambridge University, warned earlier this week that the approach would make it impossible to run "unauthorised" OSes such as Linux and FreeBSD on PCs. A signed build of Linux would work, but that would mean persuading OEMs to include the keys ...

http://www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/

Microsoft confirms that UEFI 'secure boot' might lock out Linux and older versions of Windows from new PCs

By Adrian Kingsley-Hughes | September 23, 2011, 6:02am PDT

Summary: If you’ll be wanting to install Linux or an older version of Windows on that Windows 8 PC, you’d better do your research before you buy.

A few days ago, Red Hat developer Matthew Garrett raised the possibility that Linux (not to mention earlier versions of Windows) could be locked out of new PCs due to Microsoft’s insistence that Windows 8 logo certified PCs will have the ’secure boot’ feature of UEFI enabled. Microsoft has now responded to this concern ... and there is cause to be concerned.

Microsoft’s Tony Mangefeste of the Ecosystem team has written a long post over on the Building Windows 8 blog. The post is, in my opinion, far too long and winding and the issue of ’secure boot’ and whether it can be disabled aren’t addressed until the last two paragraphs:

At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision ...

http://www.zdnet.com/blog/hardware/microsoft-confirms-that-uefi-secure-boot-might-lock-out-linux-and-older-versions-of-windows-from-new-pcs/14942

By Joab Jackson, IDG News

Is Microsoft using a next-generation computing boot-loading technology to lock out the use of Linux and other OSEs on certain computers? While Microsoft has denied malicious intent, one Red Hat developer maintains that this may be the case.

Microsoft is mandating the use of the UEFI (Unified Extensible Firmware Interface) secure boot-loading capability with Windows 8 in such a way that "the end user is no longer in control of their PC," charged Red Hat developer Matthew Garrett in a blog entry posted Friday.

Microsoft has claimed that this charge is based on a misunderstanding of the company's intentions. "At the end of the day, the customer is in control of their PC," said Microsoft program manager Tony Mangefeste in another blog posting from Microsoft.

The controversy took root on Tuesday, when Garrett pointed out in a blog posting that Microsoft-certified computers running Windows 8 may not be able to be loaded with copies of other OSes, such as Linux. Users could not install Linux as a second OS, or replace Windows with a copy of Linux, Garrett argued ...

http://www.pcworld.com/businesscenter/article/240480/microsoft_red_hat_spar_over_secure_bootloading_tech.html

By Joe Brockmeier
September 23, 2011 11:30 AM

... Microsoft has put up a post about secure boot in response to concerns about its effects on Linux and other operating systems. Microsoft has provided a very detailed explanation of what UEFI secure boot is, and what its benefits are. What Microsoft hasn't done is to actually respond to concerns raised by Matthew Garrett about its secure boot policies. In short, while Microsoft is requiring secure boot to be enabled, its policies do not require that users be able to turn the feature off. As Garrett says, "end user is no longer in control of their PC."

Microsoft's post is fairly lengthy and most of it is spent discussing the actual nuts and bolts of the secure boot features. I've included a few of the diagrams from the post to show how it works, but you should go read it. As a layperson's overview of UEFI secure boot, it's great. As an actual response to the issues that Garrett has raised? It almost completely avoids the topic, and certainly does little to address the issue ...

http://m.readwriteweb.com/hack/2011/09/microsofts-non-response-to-the.php

and will have to pay attention to this "feature" the next time I purchase a system.

Sep 27, 2011 9:00 pm
By Katherine Noyes, PCWorld

... Microsoft's Windows Certification program will require that all certified Windows 8 systems have secure boot enabled by default, according to a blog post published late last week by Steven Sinofsky, president of Microsoft's Windows division ...

Further, as Garrett says, “Windows 8 certification does not require that the system ship with any keys other than Microsoft's. A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems" ...

In fact, there is no requirement that certified PC makers give users the capability to disable UEFI secure boot, Garrett notes. And not only that, but "we've already been informed by hardware vendors that some hardware will not have this option" ...

Working with what we've seen so far, though, not buying a Windows 8 certified PC is certainly one obvious option for avoiding any potential problems, as is simply upgrading from Windows 7 on an existing dual-boot machine. Building your own machine is always an option as well ...

http://www.pcworld.com/businesscenter/article/240685/linux_and_windows_8s_secure_boot_what_we_know_so_far.html

By Luke Hopewell, ZDNet Australia, 28 September, 2011 13:00

The Linux Australia community began petitioning the competition commission this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's (UEFI) secure boot feature for devices bearing the 'Designed for Windows 8' logo. This has raised fears that users could find it impossible to install alternative operating systems like Linux, or even older versions of Windows.

In an email response to Linux Australia members who railed against the idea, the ACCC has hinted that the angry open-source enthusiasts may have a case. "The situation you described may raise issues of exclusive dealing, but it is unclear from the details provided whether it would be likely to meet the competition test described," it said ...

http://www.zdnet.co.uk/news/desktop-os/2011/09/28/australian-commission-probes-windows-8-linux-fears-40094051/

... Secure boot works on classic code signing principles. The Windows 8 boot loader will be signed, and burned into the UEFI chipset will come a list of valid public keys. If your boot loader is signed with a private key that matches one of the burned in keys, away you go. If not, you will be locked out ...

The problem with this arrangement is that it ties a machine that once had Windows 8 on it in such a way that it can only run Windows 8, Windows 9, Windows 10 and so on. If you want to install Linux on it, or create a Hackintosh, or make up your own operating system with secure boot enabled, your boot will fail ...

Why the UEFI Windows 8 Secure Boot thing has me worried is because actually, we've come pretty close to a decapitation attack on Linux where motherboard manufacturers either build mobos that can run Windows 8, or Apple commission custom-made kit to run OS X. It's only Microsoft's lack of interest that's kept Linux on the table. Go back a few years when Microsoft was still worried about Linux on the desktop and a little more arrogant and this story could have been pretty different ...

As software engineers we need to be able to sniff packets, view source and disassemble code. If we can't do that, we can't learn. Importantly, if our kids aren't allowed to do that because commoditisation has created an environment that is too reductive, the next generation will be pretty crappy engineers.

http://www.guardian.co.uk/technology/blog/2011/sep/28/windows-8-secure-boot-worry?newsfeed=true