
Machines shipping with Windows 10 may see OEMs enforcing Secure Boot - arnieswap
http://www.linuxveda.com/2015/03/21/no-love-lost-microsoft-tries-block-linux-windows-machines/
======
umurkontaci
I think the post is pretty speculative, given the past and current efforts of
Microsoft to get together with OSS and Linux community; using a single slide
to come to a conclusion of "Microsoft stopped doing that or has been lying
about it" is very speculative.

I think we should give credit where it is due, MS is really trying to work
with OSS community.

Also, a lot of enterprise customers would want always on secure boot, and it is
up to OEM to decide whatever they want. How is this MS's fault?

~~~
plesner
Is there any evidence that MS's recent OSS efforts are a reflection of
anything other than the fact that Ballmer, who was ideologically against OSS,
has left and so now MS can act rationally and use the OSS community the same
way many other large companies do?

If working with the OSS community is in their own immediate self interest --
and I'm curious whether someone can point out something they've done that
isn't -- I don't know how much light it sheds on an area such as OEMs where
their self interest is best served by locking linux out.

------
lnanek2
> If Microsoft’s stance on this issue is not reversed it’s possible we will
> see a spike in sales by manufacturers such as System76 and ZaReason who ship
> computers running Linux out of the box without any signs of Secure Boot at
> all.

Come on. I prefer BSD based OSX and Linux myself, but to think that a large
enough number of buyers care about Linux support to "spike" sellers is just
silly. It's done well on servers, but it's a very small market for consumers.
Not to mention Ubuntu and RedHat are compatible, so it isn't even an issue for
some of the biggest distributions.

~~~
pXMzR2A
> I prefer BSD based OSX and Linux myself, but to think that a large enough
> number of buyers care about Linux support to "spike" sellers is just silly.

Hopeful rather than silly, I'd say.

Many people like you (who prefer BSD and Linux over MS) are still voting for
MS with their wallets (dealing with majority MS manufacturers/sellers) and
their discourse (the variations of how it all is "silly").

------
mark_l_watson
Ubuntu, Redhat, and other distros are compatible with secure boot.

I understand the concern, but the flip side is that if secure boot makes my
future Ubuntu laptops more secure that could be a good thing.

Linux is here to stay. Relax.

~~~
byuu
Serious question: how does Secure Boot make you more secure?

How many times has a virus latched onto your computer by executing before your
system booted up? I've never heard of this happening to anyone I've ever
known.

The only scenario I can imagine is having a PC set to auto-boot from
peripherals, and a USB key having something bad execute before invoking your
hard disk's boot loader. And that is obviously possible, but terrifyingly more
complex to pull off. But that seems a lot more like a local, physical attack
that's much less useful and more targeted than your ordinary viruses that
install after executing inside your OS, where viruses seem to have no problems
pulling off privilege escalation exploits to gain kernel access then. Plus you
can easily block this and then lock down your BIOS already.

It really seems like Secure Boot is solving a problem almost no one ever had.
I may well be misunderstanding the point, so please elaborate on how this is
useful and absolutely prevents a class of attack that could not be done
otherwise.

~~~
krylon
I read an article a couple of months back (like October-Novemberish 2014)
about the NSA putting a virus into the firmware of a RAID controller on some
Dell servers that would patch Windows Server 2003 (R2?) during startup.

So it is not entirely without precedent.

Then again, this did not touch the OS bootloader itself, strictly speaking and
might not have been prevented by "Secure Boot". Also, once you're diddling
with a device's firmware, you might as well tamper with "Secure Boot" as well
and defang the checking of the bootloader or even make the firmware live-patch
the bootloader...

So, while I am by no means a security expert, I have been wondering the same
thing. The entire "Secure Boot" stuff just seems like a lame excuse to allow
vendors control over what operating systems you can boot on their devices.

~~~
krakensden
> I read an article a couple of months back (like October-Novemberish 2014)
> about the NSA putting a virus into the firmware of a RAID controller on some
> Dell servers that would patch Windows Server 2003 (R2?) during startup.

The NSA and the PRC will get their payloads signed with the appropriate keys.
Everyone else will do something cheaper and simpler, like reading their
target's gmail accounts.

> So, while I am by no means a security expert, I have been wondering the same
> thing. The entire "Secure Boot" stuff just seems like a lame excuse to allow
> vendors control over what operating systems you can boot on their devices.

Yes:
[http://mjg59.dreamwidth.org/20187.html](http://mjg59.dreamwidth.org/20187.html)
[1]

[1]: It's worth noting that mjg59 is a big secure boot fan, and did most/all
of the Linux implementation.

------
BinaryIdiot
I don't really understand the concern here. Microsoft is simply saying it's
optional for its hardware partners to display the option to toggle it. I could
see plenty of enterprise systems wanting to not allow users to change this
setting. Microsoft isn't trying to block anything here.

If you want to use linux simply vote with your dollar and go to the vendors
that will let you install it (I imagine most will). That or use a linux distro
that is actually compatible with secure boot.

~~~
venomsnake
The problem was IIRC that you need something signed with MS key to be able to
boot whatever. If you are able to set your own keys - then there is almost no
problem (still usb flashes and so on will be harder to boot)

~~~
BinaryIdiot
> If you are able to set your own keys - then there is almost no problem

Doesn't this make the feature useless from a security standpoint? If you're
able to create your own keys then malware could create its own keys. Maybe if
manufacturers could do it that would be handy.

~~~
tbrownaw
I would assume that these UEFI machines have a built-in settings screen the
same as BIOS-based machines do (and that screen would be where the setting
we're discussing is found). If the only way to add keys is thru that screen,
then you'd need physical access and malware adding keys wouldn't be an issue.

~~~
TazeTSchnitzel
But that's not how UEFI works. Unlike your traditional BIOS, the settings can
be edited from a normal OS by command-line utilities and such, too. In fact,
often the only way to do anything useful, given how broken many UEFI setup
pages are, is to edit the settings directly.

~~~
makomk
You're not meant to be able to edit those settings from anywhere other than
the setup page. In practice, that's as broken as everything else in modern
UEFI implementations, and some allow userland processes within Windows to add
signing keys.

------
jacquesm
This whole discussion is misguided. It's not about Linux on 'windows
machines', there are no such things as 'windows machines', there are only
computers. Giving microsoft the ability to lock out their future competition
(emphatically _not_ linux) is where it goes wrong. Computers are universal
machines, this idiocy makes all this hardware an extension of a single
(software!) corporation that gets to decide after you buy the hardware what
you can do with it. If I decide to roll my own operating system I'm chanceless
to get the kind of support I need in order to get off the ground in the first
place.

Imagine Microsoft had had this capability in the early 90's, it would have
been a complete disaster. That server you're running linux/FreeBSD/OpenBSD on
today would have been running Microsoft software instead.

~~~
venomsnake
Well it was apple that started it and now everybody is just following suit ...

If people demanded root on the original 2007 iPhone when they realized what really
were the capabilities of the device the walled garden model would have been
DOA.

People are well trained by now with consoles, tablets, phones and thermostats
that it is totally ok for someone else to tell you what to do with the
hardware you own ... and only a couple of old (30+) farts like us that
remember the wild west years of the internet and computing are kicking against
the trend.

------
kedean
Honest question: what's the defense that makes this not monopolistic behavior?
This is MS going around trying to get all of the vendors for hardware to
switch over to a system for which they are both the client AND the gatekeeper.
The end goal is clearly to prevent anyone from entering the consumer operating
system space without their express permission, giving them full monopoly over
the consumer OS space. This would be like if in 98, they hadn't just been
making it difficult to use other browsers, they had been asking all of the
other OS vendors to add IE to their systems and disallow everything else that
they don't like.

~~~
pgeorgi
The defense is that other vendors can get their key signed for $99, and
Microsoft promises to only retract it in case of security issues.

Redhat made Linux compliant to this scheme (through Shim), so there's an
example for the concept, and "choice".

------
arthurfm
I think the reason Microsoft are allowing OEMs to enforce Secure Boot is
because Dell, HP _et al_ are going to sell Windows 10 PCs that only run
trusted code. [1]

> With Windows 10 Enterprise edition and specially configured OEM hardware,
> administrators will be able to completely lock down devices so that they're
> unable to run untrusted code.

> In this configuration, the only apps that will be allowed to run are those
> signed by a Microsoft-issued code-signing certificate. That includes any app
> from the Windows Store as well as desktop apps that have been submitted for
> approval through Microsoft. Enterprises with internal line of business apps
> can get their own key generator, which will allow those apps to run on their
> network but won't work outside the network.

[1] [http://www.zdnet.com/article/microsoft-reveals-audacious-pla...](http://www.zdnet.com/article/microsoft-reveals-audacious-plans-to-tighten-security-with-windows-10/)

------
PaulHoule
A few things.

One possible direction the industry could go in (suggested by Win 8) is that
the "laptop" as we know it could be replaced by tablets, and potentially these
could be very low cost devices.

The fly in that ointment is that vendors are not that excited about selling
inexpensive machines. For instance, going with the "only a USB 3.1 port"
approach would make a lot of sense for a cheap tablet but Apple did it first
on a premium laptop because the PC industry had a "who moved my cheese"
freakout over Win8 and at the moment the industry has abandoned the race to
the bottom.

These super-cheap devices will have very different economics (they'll get a
free or cheap Windows license) so a major change in the contract between
manufacturers and users is possible.

The negative impact is not on the average Linux user who just runs a distro,
but it will be bad for anyone who wants to compile and run their own kernels.

~~~
danieldk
_The negative impact is not on the average Linux user who just runs a distro,
but it will be bad for anyone who wants to compile and run their own kernels._

It will be bad for the average Linux user, because whoever has the signing
keys can decide what Linux distributions a user can run and what versions not.

Let's not forget that e.g. Mint also started out as a distribution with a tiny
user base. They are now big, because users could install and try Mint. In a
UEFI world without unlockable boot loaders it's game over for OS competition,
because parties can be excluded because they are too small, too competitive,
or just because.

------
gcb0
the only reason my home does not have 4 ms surface pro is because Linux
support will be poor.

if they already sold it with dual boot I might even be tempted to switch to
use windows mostly with time, but on blind faith it ain't going to happen at
all.

------
everyone
That is really shitty. Though it's only an OEM thing? If you build your own
machine you're still ok I guess.

~~~
BinaryIdiot
> That is really shitty.

They're simply easing restrictions on their hardware partners especially since
many enterprise customers only want signed software running on their machines.

This is really not a big deal.

~~~
everyone
Yeah I've been reading some more of the informed comments here. The uefi thing
turned out to not be that big of a deal. I certainly don't know much about how
the hardware sector works. I am just a consumer. I guess I will not panic
until I hear more about this. Though I will now be checking any laptops or
mobos I buy for this.

------
powertower
It costs $99 to sign the software. I'm sure most of the distros can afford
that (unless they take a die-hard stand, in which case, just don't buy a
Windows pre-loaded PC from the OEM that disables the option to run Linux
with).

~~~
stonogo
And who gets that $99? Microsoft.

Some of us are not okay with one company charging a gatekeeper fee for access
to hardware we already bought from a different company.

~~~
caryhartline
If you buy from an OEM that pre-installs Windows then you are already paying a
fee for the Windows license. If you don't want to pay a fee for software then
just buy from a company that pre-installs Linux.

~~~
stonogo
My organization provides the disk images to the manufacturer for the computers
we buy. This isn't about "paying a fee for software." It's about the fact that
Microsoft has used its industry influence (and cozy relationship with Intel)
to attach itself like a parasite to the process of bootloading in UEFI.

We currently pay our manufacturers to install _our_ signing keys into UEFI;
this is fantastically expensive. It's a damn shame that it is literally
impossible to buy a consumer UEFI device without Microsoft's keys in the image
unless you pay to have yours put in.

In short: it sucks that they are the default, and it sucks that Red Hat and
Ubuntu rolled over on the issue and pay the (latest) Microsoft tax. I would
have preferred a more flexible solution.

~~~
pbz
How much are we talking about?

~~~
pgeorgi
$99 (not sure for which time period) and the risk of losing your cert whenever
Microsoft thinks you compromised their platform.

Canonical uses kernels without signature checking, where you can just load new
kernel modules. In principle this allows to hack into a "Secure Boot" Windows
in a day or so (rough draft: have a kernel module, eg. kexec, that runs
Tianocore, which can load and run Windows, and pretend the system is "secure"
while there's random crap running in the background).

I think Microsoft is silent about Canonical's use of Secure Boot for now, but
they might change their tune (and once there's a PoC, they certainly will).

------
tbrownaw
[https://technet.microsoft.com/en-us/windows/dn168167.aspx](https://technet.microsoft.com/en-us/windows/dn168167.aspx)

"All Certified For Windows 8 PCs allow you to trust a noncertified bootloader
by adding a signature to the UEFI database, allowing you to run any operating
system, including homemade operating systems."

That's listed separately from disabling secure boot, which is what this
article (and the previous Ars Technica article) are about.

Is there any reason to think that this part has changed?

~~~
pgeorgi
There are two ways to edit the key databases:

1\. Without Secure Boot they're open to whatever you want to write.

2\. With Secure Boot, they're open to whatever you want to write, as long as
it's signed with a key that's trusted by the current database.

So if you can't disable Secure Boot, you need to ask Microsoft to sign your
key data, before you can add it. Might as well request a directly signed key
(within the MS trust chain) then - from there, you can also overwrite things
to honor a new trust chain, and Microsoft is probably more used to requests of
this kind than to the other.
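
An added example, not part of the comment above or of any project's code: a Python sketch that decodes the Linux efivarfs entries for `SecureBoot`, `SetupMode` and `db` to report whether key-database updates on a machine have to be signed. It reports `SetupMode` because that is the UEFI variable indicating that no platform key is enrolled; the function names and sample byte strings are constructed for illustration.

```python
import struct

# Attribute bit and GUIDs from the UEFI specification.
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"         # SecureBoot, SetupMode
IMAGE_SECURITY_DB = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point


def parse_efivar(raw):
    """efivarfs layout: 4-byte little-endian attributes, then the variable data."""
    if len(raw) < 4:
        raise ValueError("entry shorter than the attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]


def flag(raw):
    """Decode a one-byte boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] > 1:
        raise ValueError("expected a single 0/1 byte")
    return data[0] == 1


def key_policy(secure_boot_raw, setup_mode_raw, db_raw):
    """Summarise whether signature-database updates must be signed."""
    db_attrs, _ = parse_efivar(db_raw)
    setup = flag(setup_mode_raw)
    return {
        "secure_boot": flag(secure_boot_raw),
        "setup_mode": setup,
        "db_authenticated": bool(db_attrs & TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
        # Setup mode (no platform key enrolled): key writes need no trusted
        # signature. Otherwise they must chain to a key already enrolled.
        "db_updates": "unsigned accepted" if setup else "must be signed by an enrolled key",
    }


def read_live(name, guid=EFI_GLOBAL):
    """Read a variable on a running Linux system (the samples below do not use it)."""
    with open(f"{EFIVARS}/{name}-{guid}", "rb") as fh:
        return fh.read()


# Constructed sample contents, not captured from a real machine.
LOCKED = {"sb": b"\x06\x00\x00\x00\x01", "sm": b"\x06\x00\x00\x00\x00",
          "db": b"\x27\x00\x00\x00" + b"\x00" * 8}
SETUP = {"sb": b"\x06\x00\x00\x00\x00", "sm": b"\x06\x00\x00\x00\x01",
         "db": b"\x27\x00\x00\x00"}

if __name__ == "__main__":
    for label, s in (("locked", LOCKED), ("setup", SETUP)):
        print(label, key_policy(s["sb"], s["sm"], s["db"]))
```

On a live system, pass `read_live("SecureBoot")`, `read_live("SetupMode")` and `read_live("db", IMAGE_SECURITY_DB)` to `key_policy` instead of the samples.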

------
hurin
For some reason I thought it would be interesting to keep Windows 8 on my
laptop to a dual boot with linux. Three hours of blank screen boots later I
realized it was the microsoft boot-loader's fault (which absolutely refused to
load Linux correctly or to link to a different bootloader, even with secure
boot disabled) - and deleted its entry in the EFI shell.

For the average user installing an OS is hard enough, without the gotchas of
figuring out how to correctly adjust BIOS, UEFI and switch bootloaders.

------
sctb
[https://news.ycombinator.com/item?id=9240135](https://news.ycombinator.com/item?id=9240135)

------
cssmoo
Plenty of ARM SoC and even desktop class machines now. The problem will solve
itself pretty much instantly. No tears will be shed.

------
wolf550e
Personally, I'm waiting for Matthew Garrett (@mjg59) to explain.

------
arvinsim
Well, at least VM's are still available.

------
wantab
While some are saying it's only optional and up to the hardware vendors, isn't
Microsoft giving Windows 7 users a free upgrade? Is this the reason? A
potential lock in?

~~~
BinaryIdiot
> A potential lock in?

Secure boot is part of the BIOS so nope.

~~~
cwyers
I have no idea why people are downvoting you. This is about requirements for
new PCs, not upgrades - nobody is going to get their ROM updated by upgrading
to Windows 10.

------
ams6110
_If Microsoft’s stance on this issue is not reversed it’s possible we will see
a spike in sales by manufacturers such as System76 and ZaReason who ship
computers running Linux out of the box without any signs of Secure Boot at
all._

So... not a problem. If there is a market for non-Secure Boot machines, they
will be produced.

------
cwyers
The headline is sensationalist to the point of being false. Microsoft is doing
nothing to block Linux on Windows machines. Microsoft is allowing OEMs to ship
devices that no longer have an option to disable SecureBoot. Given how they're
positioning Windows 10 as a Run All The Things operating system, that's
probably just catering to people making low-end IoT devices and tablets and
whatever else. Dell and Lenovo have not been chomping at the bit to ban Linux
from their laptops, and I doubt they will change anything they're doing now.

~~~
sctb
We updated the title to something more informative from the article.

