
Microsoft confirms UEFI fears, locks down ARM devices - zoowar
http://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/
======
kenjackson
First, tihs document is about HW Certification. You can ship an ARM-based
system that doesn't follow these rules, just won't be certified by MS -- much
like many Android devices aren't Google certified.

Furthermore, MS actually bent over backwards on x86 and required for
certification that the option to disable secure boot be provided (they could
have been silent on this issue):

"Enable/Disable Secure Boot. On non-ARM systems, it is required to implement
the ability to disable Secure Boot via firmware setup. A physically present
user must be allowed to disable Secure Boot via firmware setup without
possession of PKpriv."

I'd wait for MS's response on ARM. They've taken some interesting
architectural approaches with their current ARM implementation (striped and
actually secure SD cards). There may be architectural reasons for this. Or it
could be that there are security issues with it, given that UEFI on ARM is
pretty new.

But in any case, if this is important to an OEM they can simply not get HW
certification. This doesn't block anyone from actually installing Windows 8 on
ARM on machines w/o this capability.

~~~
brudgers
It appears that ARM devices can fallover to legacy BIOS mode to support non
UEFI OS's.

From page 109 of _windows8-hardware-cert-requirements-system.pdf_ :

    
    
      System.Fundamentals.Firmware.UEFIDefaultBoot 
    
      Target Feature: System.Fundamentals.Firmware 
    
      Title:  All client systems must be able to boot into UEFI
       boot mode and attempt to boot into this 
       mode by default 
    
      Applicable OS Versions: 
        Windows 8 Client x86 
        Windows 8 Client x64 
        Windows 8 Client ARM 
        Windows 8 Server x64 
        Windows Server 2008 Release 2 x64 
    
      Description: 
      The System firmware must be able to achieve UEFI mode
      boot by default. Such a system may also 
      support fallback to legacy BIOS mode boot for deploying 
      OS images which do not support UEFI, if the 
      user explicitly selects that option in the pre-boot UEFI BIOS menu. 
      This requirement is If Implemented for Server systems and applies
       only if a Server system is UEFI capable.

~~~
lgeek
There's no BIOS on ARM. BIOS is x86-only.

~~~
brudgers
It's "legacy Bios mode."

I believe that implementation requirements for legacy BIOS mode are not part
of the certification.

And in any event, it is likely that the BIOS Boot Specification (BBS) could be
used to provide for unique hardware requirements during booting.

------
dangrossman
Microsoft doesn't have a monopoly in the tablet or phone markets. Heck, it's
barely a market participant. If Apple doesn't have to let people install
Windows on an iPad, then the same should apply to Microsoft. This time,
there's no "but there's a monopoly and the rules are different for monopolies"
excuse.

~~~
X-Istence
Apple manufacturers both the hardware and the software and then sell it, there
is no 3rd party involved in this transaction.

Microsoft builds the OS and licenses it to a manufacture, they build the
device and sell it. At least 3 parties involved.

Microsoft's requirements need to be met to be able to license Windows 8 for
tablets. Microsoft is forcing manufacturers to lock down their devices or else
they aren't allowed to use Windows 8.

Google licenses the Android source code/platform/name whatever, and a
manufacturer builds the devices. The manufacturer chooses to lock down the
boot loader.

Google doesn't make any requirements on the manufacturers to lock their
devices down.

That is where the difference lies. Microsoft is being bad here because they
are forcing something on its manufacturers that its manufacturers may not have
wanted to implement.

I don't see why Apple should have to let people install Windows on an iPad, or
for that matter even make it easy for people to do so if they pleased. I don't
see why manufacturers should have to let people flash whatever firmware they
want to their device. But I do see why Microsoft shouldn't be telling
manufacturers that the manufacturers customers can't flash their device if
they so pleased.

~~~
dangrossman
> Google doesn't make any requirements on the manufacturers to lock their
> devices down.

But they do. Google has many requirements and if you don't meet them, you
won't be licensed the Google apps. That's the same thing Microsoft is doing
here. You can choose to make a tablet that doesn't meet their requirements,
you just can't sell it with Windows if you do so.

Microsoft isn't preventing anyone from making products or selling tablets
running other operating systems... just that the ones they sell with Windows
can't be re-flashed.

~~~
X-Istence
There is no requirement from Google to build a device that the customer can't
change at will after they purchase it. The manufacturers themselves have
locked the boot-loaders not at the will of Google.

~~~
sounds
Exactly.

Add to that the fact that Google releases the Android source code.
Manufacturers do produce Android derivatives (e.g. Kindle Fire) by removing
the Google branding. And HTC just relented by unlocking their bootloaders,
providing at least one data point that customers do want the ability to load
their own OS.

Must we relearn the lessons from the PC all over again?

------
daeken
I've been a Microsoft fanboy for a long time, and I've been speaking out about
the Secure Boot brouhaha because there was effectively no evidence that they
were actually attempting to lock anyone out, but this is simply inexcusable.
Sad.

~~~
melling
You can't seriously be surprised by this. Microsoft can't be trusted until
their desktop monopoly is destroyed. I guess the US vs Microsoft is 14 years
old this year. Maybe we've all forgotten how Microsoft destroyed all other PC
OS'es and how Windows wouldn't run without Internet Explorer; Microsoft
claimed it was part of the OS and there was no way to remove it.

<http://en.wikipedia.org/wiki/United_States_v._Microsoft>

"Microsoft's true anticompetitive clout was in the rebates it offered to OEMs
preventing other operating systems from getting a foothold in the market"

It shouldn't be a PC vs Mac world today. It should be PC, Mac, BeOS, OS/2,
Linux, etc.

~~~
cooldeal
>It shouldn't be a PC vs Mac world today.

I thought we were living in a post-PC world? Restricting Microsoft here would
unfairly advantage Apple's continuing monopoly of tablets.

~~~
melling
Apple doesn't have a monopoly on tablets and Google doesn't have a monopoly on
search, but people always throw them out as such.

Microsoft, however, has the monopolies (plural).

Btw, here are the numbers to prove that the iPad is not a monopoly.

[http://www.guardian.co.uk/technology/2011/dec/25/ipad-
tablet...](http://www.guardian.co.uk/technology/2011/dec/25/ipad-tablet-
dominates-third-quarter-2011)

Wouldn't it be great if Windows only had a 65%-70% market share?

~~~
recoiledsnake
The install base is what matters, not sales numbers for a short time period.

>Google doesn't have a monopoly on search,

Maybe you would like to look at a few real world numbers like these ones:

<http://news.ycombinator.com/item?id=3458947>

~~~
melling
I doubt if Microsoft would agree with your search numbers. Can you provide
some accepted industry source? At any rate, if you want to switch search
engines, it's trivial:

<http://duckduckgo.com/>

<http://bing.com/>

<http://yahoo.com/>

Let me know how easy it is to get enterprise to switch off the Office document
formats or off of Windows.

As for tablets, sales do matter. The Kindle Fire sold around 5.5 million
units. Android will be a strong player.

------
trotsky
I may be missing something, but it doesn't sound like an OEM is prevented from
including additional keys, from say cannonical and redhat, or even simply an
OEM key that is used to sign a generic boot loader like grub.

~~~
hetman
Meaning this is still much more open than the iPad.

------
Derbasti
Damn it, I was so sure that 2012 would be The Year of Linux on the Desktop.
And now this!

Kidding aside, there will always be IPhones/Playstations, which need to be
jail broken and there will be proper computers. If anything, this UEFI
lockdown will make it easier to find appropriate hardware for your Linux
box/server, since all that Windows-centric gaming stuff will be sold locked
down only.

------
nxn
Well, this piece of news certainly just killed my "Windows 8 App" project.
Even though I really do like Microsoft's tech, I just cannot support this type
of behavior in any way. Maybe with mono I'll at least be able to salvage the
server side parts and target Android based devices instead.

------
daemin
From my reading of the restrictions it appears that the restriction is only on
adding new keys to the boot ROM. So makers could ship arm computers with
appropriate linux keys in the ROM already, and still be compatible with the
WIndows 8 requirements.

~~~
justincormack
That would have to be a public key then. Which is just like allowing no key.

------
brudgers
The article is a blog post about a blog post about a blog post.

The Windows 8 hardware certification requirements comprise three documents and
more than 1000 pages. They are available here [warning license agreement
required]:

<http://msdn.microsoft.com/library/windows/hardware/hh748188>

------
salem
The moral of the story is, don't buy a windows phone if you want to reflash
it.

~~~
kennywinker
Or an arm-based ultrabook.

~~~
sounds
Or an x86-based laptop with UEFI Secure Boot*

* Windows 8 logo compliance still requires UEFI Secure Boot. This won't affect desktops as quickly but laptops come with minimal BIOS options. Managing keys to install another OS will be omitted by many laptop manufacturers.

~~~
cooldeal
Is it too much to ask to read the linked article? Please.

>For non-ARM systems, Microsoft requires that Custom Mode be enabled

~~~
sounds
Yes, I read it. Did you?

Microsoft is requiring Custom Mode not even be _present_ on some of its
Windows 8 platforms. How long until they "let it slide" on the rest?

You may be determined to let Microsoft do whatever they please with the
hardware you rightfully purchased. That doesn't mean I have to let them.

------
scottdw2
Vendor lockout is not the worst part.

I'd worry much more about the executive branch.

<http://www.sbir.gov/sbirsearch/detail/139791>
<http://www.sbir.gov/sbirsearch/detail/4957>

------
drivebyacct2
And that's how Microsoft killed ARM based netbooks, ultrabooks, tablets, etc
that could potentially run Linux because most OEMs will want to have them
licensed for use with Windows 8.

Can we rehash all the dozen posts about this from months ago when people swore
up on down that Microsoft wasn't going to do... well, what the rest of us
expect at this point?

~~~
burgerbrain
_"Can we rehash all the dozen posts about this from months ago when people
swore up on down that Microsoft wasn't going to do... well, what the rest of
us expect at this point?"_

This is almost the worst part of it for me. Those people get to play "the
voice of reason" at the time, but they don't receive any of the deserved
ridicule when their fantasy world doesn't pan out.

~~~
mattgreenrocks
It's almost as if being Right On The Internet doesn't mean anything in the
real world!

~~~
burgerbrain
More like: _"It's almost as if being right doesn't mean anything"_ , but yeah.

------
recoiledsnake
iPad has or had a monopoly in the tablet market, but where are/were the cries
for an open bootloader? Where were the complaints to governments?

Motorola and HTC phones/tablets ship with locked bootloaders while leveraging
the hard work of F/OSS developers for free. Not to mention the Nook
tablet/Kindle Fire which ship with a locked bootloader who get a free pass.

Note that this will be the same set of people who will slag Microsoft for
malware getting into the system and will recommend switching away from Windows
because it is insecure.

How about forcing Apple to allow users to load alternate OSes like Windows 8
or Android on the iPad?

~~~
sjs
People have hacked iPads and iPhones to run Android. And nobody actually uses
it because there is no hardware back button, etc.

When hardware and software are a cohesive unit it's hard to run something
generic on the hardware, or run the software on some other hardware. That is
not the case for Windows, Linux, and Android, which is why people feel
differently about that ecosystem.

~~~
gcp
_People have hacked iPads and iPhones to run Android. And nobody actually uses
it because there is no hardware back button, etc._

That must explain the lack of penetration of Android tablets! (They have no
back button either)

~~~
sjs
Do they have a home button? I'm sure the answer varies but in general you need
the hardware and software to agree on some things. That is my point. Even if
the software is flexible such as Android 4 that will display the buttons if
necessary, or use hardware buttons if they are available.

AFAIK Android was basically unusable on iOS hardware, using the sleep/wake
button in an odd way and other things that do not work well.

~~~
gcp
_Do they have a home button?_

Nope. Only volume and on/off. At least that's what the Galaxy Tab has. As you
pointed out, new versions of Android allow emulating whatever buttons the
device doesn't have on screen. And the newest phones basically don't have any,
relying entirely on the screen.

 _AFAIK Android was basically unusable on iOS hardware, using the sleep/wake
button in an odd way and other things that do not work well._

This sounds like the port was botched. Nothing you said explains why it
couldn't work. In fact the oppposite: you've already illustrated the button
layout is irrelevant.

------
motoford
And here I was starting to believe that other article about a calmer gentler
Ballmer.

------
InclinedPlane
Oh no, 0.0001% of all tablets sold this year may end up boot locked due to
this. Assuming there's nothing more to the story. Let's panic.

