
The right to dual-boot: Linux groups plead case prior to Windows 8 launch - llambda
http://arstechnica.com/business/news/2011/10/the-right-to-dual-boot-linux-groups-plead-case-prior-to-windows-8-launch.ars
======
rbanffy
I have no illusions as to how happy Microsoft is that this will make it harder
for users to move away from Windows.

This pressure on OEMs _is_ an anti-competitive move by a monopoly abuser and,
as such, must be dealt with properly.

~~~
mrsteveman1
Microsoft execs are likely far more worried about the tablet and smartphone
markets, than masses of PC owners flocking to Linux with a few clicks of the
mouse.

If any of this does result in Linux being difficult (or impossible, for the
average user) to install, it will likely be a minor bullet point in the big
picture for Windows and Microsoft, since there are real and worthwhile
benefits to locking down Windows and the hardware that ends up in users' hands.

I do wonder what happens when someone wants a refund for the Windows portion
of the price of a new PC. Assuming a hypothetical PC model didn't allow you to
run anything but Windows, what use would there be in requesting a refund for
it?

~~~
rbanffy
> If any of this does result in Linux being difficult (or impossible, for the
> average user) to install, it will likely be a minor bullet point

that will still bring great satisfaction.

------
nodata
"There's a lot of good stuff in Pd, and a lot I like about it. There's also a
lot I don't like, and am scared of. My fear is that Pd will lead us down a
road where our computers are no longer our computers, but are instead owned by
a variety of factions and companies all looking for a piece of our wallet. To
the extent that Pd facilitates that reality, it's bad for society. I don't
mind companies selling, renting, or licensing things to me, but the loss of
the power, reach, and flexibility of the computer is too great a price to
pay."

-- Bruce Schneier, on Palladium (August 15 2002,
<https://www.schneier.com/crypto-gram-0208.html#1>)

------
jeza
Who will be the CA? Is there any reason why Linux vendors can't sign their
mainstream releases? Cost?

I'm sure it won't help if you want to boot a custom kernel or similar, though
presumably in that case you'd be capable of changing the BIOS settings.

~~~
keeperofdakeys
In practice, this wouldn't work. You would need one certificate for Linux for
practical reasons, so you distribute this to the distro makers. All of a
sudden anyone who wants to make a custom kernel can't; what's worse is that
many distro makers might not be trusted enough to keep it secret. Why not make
a certificate that anyone can use? Then malware authors can use it, and secure
boot would have no purpose. This is why it isn't practical to try to use Linux
with secure boot, and the option to disable it must be there for Linux to
work.

~~~
nitrogen
I don't think your conclusion that secure boot is impractical with Linux
follows from the evidence you've given. I can think of some steps to make it
work:

1. Display in large type with an unskippable timeout the name, vendor, and
logo of the OS before boot (embed these in the cert). If the "anything goes"
cert is in use, the metadata will say "third party OS signed on yyyy-mm-dd" or
similar with a warning logo.

2. Require confirmation at the UEFI level of any change in the OS
certificate.

3. Require mobo vendors to allow self-signed certificates to be generated,
but only from within UEFI.

~~~
keeperofdakeys
1. Most users don't read warnings; most would go next no matter what. They
would see a timeout as extra annoying. Also this would mean malware would come
up with the same certificate as custom Linux, which isn't any more 'secure',
so you may as well have it disabled.

2. Again, users will just go 'okay'. Here we don't really care about power
users, they will probably not buy things with the BIOS option disabled, this
is about general users who go 'let's try this Linux thing'. In fact, those
users might be ones to click cancel at the first sign of trouble.

3. This could be hard for non-power users, at least a BIOS option isn't as
hard as generating a certificate, and signing something.

~~~
nitrogen
I still think you're giving up too quickly. It doesn't so much matter if some
users are deliberately careless enough to install boot loader malware by hand
despite all the certificate signing steps and ugly warnings involved. It is
also beneficial to protect a Linux system from the same kind of pre-boot
malware.

It seems as though you're saying since we can't get it 100% perfect, we
shouldn't do it at all. I'm saying don't let perfect be the enemy of the good.
If secure boot is going to exist at all, I think we'd be far better off if
both Linux and Windows can take advantage of it, with control of the hardware
in the hands of the users (or their IT department).

------
jiggy2011
Surely this could (should?) work something like this?

Person buys a new PC from a major OEM; this PC has secure boot enabled and
the only key installed is the one which matches the OS that comes with the PC.
For users who never want to install another OS this is fine and will never be
changed.

In bios settings there is an option to download additional keys, this connects
to the OEM (or global CA) website via SSL using the NIC that shipped with the
PC. The SSL cert is used to authenticate that the CA is genuine.

The master CA then sends a list of other sub-CAs (e.g. Microsoft, Ubuntu,
Red Hat, Haiku, etc.). The user can select which ones they want to allow.

When the computer tries to boot something with a key that it doesn't recognise
it will first try to connect over SSL to the CAs that have been selected and find
a matching key. These could also contain blacklists of known malware keys and
warn the user. If the key is found it is then installed as a known good key
and allowed to boot.

There could also be an 'advanced' section in the BIOS which could allow the
user to either disable secure boot or manually add a key.

So if somebody was to recompile their kernel or bootloader (or just install a
very obscure OS) (not sure which is required to be verified) they would simply
have to write down the key (generated at compile time) on a piece of paper and
input it. This would be a minor pain but would still allow for the option.

This would probably kill hackintoshes though as I doubt Apple would sign their
OS for general PC usage, although manually adding the key may get around this.

My knowledge on trusted computing / crypto technology is a bit limited, any
reason why this would not work / be a bad idea?
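The scheme jiggy2011 sketches above (one trusted OEM key, a downloadable list of sub-CAs the user opts into, a blacklist of known-bad loaders, a manual-enrolment path for a custom kernel, and an automatic fall-back to the last known good loader) modelled as an added example; this is not code from the thread or from any firmware vendor. The names `db` and `dbx` are borrowed from the UEFI variables that hold trusted and forbidden signatures; everything else is constructed for the illustration, including the HMAC-SHA256 "signature", which stands in for the asymmetric signature real firmware would verify so the script runs on the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample keys. A real Secure Boot db holds public keys / X.509
# certificates and checks asymmetric signatures; this toy uses HMAC-SHA256
# with shared secrets as a stand-in so it runs on the standard library alone.
KEYS = {
    "oem-windows": b"constructed-oem-key",
    "ubuntu": b"constructed-ubuntu-key",
    "redhat": b"constructed-redhat-key",
    "mykernel": b"constructed-self-signed-key",
}

def sign(signer: str, payload: bytes) -> bytes:
    """Toy 'signature' over a boot image (HMAC stand-in, see note above)."""
    return hmac.new(KEYS[signer], payload, hashlib.sha256).digest()

@dataclass
class BootImage:
    name: str
    payload: bytes
    signer: str        # who the image claims signed it
    signature: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()

@dataclass
class Firmware:
    """db = trusted signers, dbx = revoked image hashes, catalogue = sub-CA list
    fetched from the OEM site, selected = sub-CAs the user opted into."""
    db: Dict[str, bytes]
    dbx: Set[str] = field(default_factory=set)
    catalogue: Dict[str, bytes] = field(default_factory=dict)
    selected: Set[str] = field(default_factory=set)
    secure_boot: bool = True
    last_known_good: Optional[BootImage] = None   # restored on rejection

    def _valid(self, image: BootImage, key: bytes) -> bool:
        expected = hmac.new(key, image.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, image.signature)

    def enroll_manually(self, signer: str, key: bytes) -> None:
        """The 'advanced' BIOS path: the user types in a key for a custom build."""
        self.db[signer] = key

    def boot(self, image: BootImage) -> Tuple[str, Optional[BootImage]]:
        """Return (decision, image that actually gets to run)."""
        if not self.secure_boot:
            return "boot: secure boot disabled", image
        # Revocation wins over trust: a blacklisted image is refused even if
        # its signature checks out, and the fallback loader runs instead.
        if image.digest() in self.dbx:
            return "reject: image revoked", self.last_known_good
        key = self.db.get(image.signer)
        if key is not None and self._valid(image, key):
            self.last_known_good = image
            return "boot: signer in db", image
        # Unknown signer: consult only sub-CAs the user opted into, then
        # enroll the key so later boots need no network round trip.
        cat_key = self.catalogue.get(image.signer)
        if image.signer in self.selected and cat_key and self._valid(image, cat_key):
            self.db[image.signer] = cat_key
            self.last_known_good = image
            return "boot: key fetched from selected CA and enrolled", image
        return "reject: unknown signer or bad signature", self.last_known_good

def make(name: str, payload: bytes, signer: str) -> BootImage:
    return BootImage(name, payload, signer, sign(signer, payload))

def demo() -> Dict[str, str]:
    """Walk the scenarios from the proposal with constructed images."""
    fw = Firmware(db={"oem-windows": KEYS["oem-windows"]}, selected={"ubuntu"},
                  catalogue={"ubuntu": KEYS["ubuntu"], "redhat": KEYS["redhat"]})
    windows = make("bootmgfw.efi", b"constructed windows loader", "oem-windows")
    ubuntu = make("shimx64.efi", b"constructed ubuntu loader", "ubuntu")
    redhat = make("shim.efi", b"constructed redhat loader", "redhat")
    custom = make("vmlinuz-custom.efi", b"constructed custom kernel", "mykernel")
    # Claims the OEM signer but carries a signature made with another key.
    forged = BootImage("evil.efi", b"constructed forgery", "oem-windows",
                       sign("mykernel", b"constructed forgery"))
    out = {
        "windows": fw.boot(windows)[0],
        "ubuntu": fw.boot(ubuntu)[0],
        "redhat": fw.boot(redhat)[0],         # sub-CA exists but was not selected
        "forged": fw.boot(forged)[0],
        "custom_before": fw.boot(custom)[0],
    }
    fw.enroll_manually("mykernel", KEYS["mykernel"])
    out["custom_after"] = fw.boot(custom)[0]
    # A flaw is later found in the shipped loader, so its hash goes into dbx.
    fw.dbx.add(windows.digest())
    out["windows_revoked"], fallback = fw.boot(windows)
    out["fallback"] = fallback.name
    return out
```

Two details carry the weight here: the revocation check runs before the trust check, so a loader later found to be flawed stays blocked even though its signature is still valid, and the CA lookup is limited to the sub-CAs the user explicitly selected, which is what keeps the "download more keys" step from quietly widening the trust set.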

~~~
nodata
If users knew what a CA was and how to determine whether or not a CA was
trustworthy, there wouldn't be a need for "secure" boot.

~~~
jiggy2011
The user wouldn't need to know what a CA was unless they were planning on
installing an additional/different OS. The default option would only allow the
one that was installed by default. So unless they went poking around in bios
they wouldn't even be aware of it unless some malware hijacked their
bootloader in which case they would get a warning at bootup and have their
last known good bootloader restored automatically.

Since all the sub-CAs would be verified either by the OEM or by a global
authority of some kind, users could assume that all the options they were
presented with were trustworthy.

------
DayTrader
MS is pushing this so-called "secure boot" purely to prevent boot loaders from
functioning. There is no "security exposure" that this plugs, this is a
"piracy exposure" fix.

The only people who install pirated versions of Windows are typically more
technically inclined - Joe Plumber isn't installing his own pirated version.
Neither is Joe Plumber setting his machine to dual-boot to Linux.

If vendors do not include a way to bypass the "Secure Boot" option, this will
NOT affect Joe Plumber, it will only affect his technician buddy. And his
technician buddy will have an alternative crack for Windows 8 if the boot
loader doesn't work.

But when Joe Plumber asks his technician buddy which computer he should buy,
do you think the technician will recommend a computer with a BIOS that doesn't
allow you to bypass secure boot? I think not.

So computer vendors have every reason to include secure boot and turn it on by
default (so they can get the Windows 8 logo), but they also have every reason
to include an option to turn it off (which Microsoft allows).

So I believe this will be a non-issue at Windows 8 launch, or perhaps several
months later.

~~~
dpark
Has Microsoft indicated that they don't want it possible to disable Secure
Boot? Have they stated that, or is there evidence that they've pressured OEMs
in that direction? If not, it's not a piracy fix. Anyone willing to install
some hacky boot loader should be able to turn off a setting in the BIOS.

The fact that you don't see the security issue doesn't mean it's not present.
There are known boot-time attacks that no OS or anti-malware can reliably fix.
Thankfully none of these are widely exploited at present, but a security
problem should not need to be exploited on a wide scale before a fix is put in
place.

Disclaimer: MSFT employee

~~~
DayTrader
I didn't say I didn't see a security issue (minor though it may be). I said
that security is not the reason for this "fix" - the effort required for
secure boot is completely out of balance with the potential exposure this
plugs.

And if Microsoft is indeed pressuring vendors not to include an option to turn
secure boot off, this is an ominous turn of events that would indeed force
buyers to choose carefully.

But as I said, I believe that those people who ask their tech buddies which
computer to buy will be steered towards computers that give the option, or
have no secure boot at all. This will ultimately force the vendors to
discontinue models that lock down secure boot.

~~~
dpark
> _I didn't say I didn't see a security issue_

Yeah, you did: _There is no "security exposure" that this plugs_

> _I said that security is not the reason for this "fix" - the effort required
> for secure boot is completely out of balance with the potential exposure
> this plugs._

The potential risk is massive. Malware that injects a hypervisor beneath the
OS could be undetectable without external scanning and nearly unfixable for
the typical user. Imagine botnets built like this. The OS is healthy, anti-
malware says everything's great. Meanwhile the machine is being remotely
controlled and no one knows it except the guy who's using it to hammer away as
part of a DDoS attack, or using it to host child pornography, or whatever.

The effort required for secure boot actually seems quite small. The real
effort is in making secure boot work for 3rd parties as well. That's a
difficult problem because "I want to run some random crap in my bootloader" is
in direct conflict with the "don't allow random crap to run in the bootloader"
design goal.

> _And if Microsoft is indeed pressuring vendors not to include an option to
> turn secure boot off, this is an ominous turn of events that would indeed
> force buyers to choose carefully._

I seriously doubt that's happening.

> _But as I said, I believe that those people who ask their tech buddies which
> computer to buy will be steered towards computers that give the option, or
> have no secure boot at all. This will ultimately force the vendors to
> discontinue models that lock down secure boot._

I agree. I think any vendor who sells a locked-down secure boot will see
public backlash, and fix it in either future models or a firmware reflash.

------
w1ntermute
Does anyone know if this will affect non-OEM motherboards, like those sold on
Amazon and Newegg?

~~~
zokier
Nobody knows if this will affect anybody at all, as no Secure Boot equipped
hardware is in the wild, nor has any manufacturer or OEM announced anything
related to it. The fear mongering is based on speculations and worst case
scenarios mostly.

edit: I might add that any system that wants to be compatible with Windows 7
or XP needs to have the ability to disable Secure Boot. That fact will
probably have larger effect on manufacturers than Linux users.

~~~
jiggy2011
I agree that this is based on worst case scenarios, but it isn't really a bad
thing to be concerned about since nobody has actually ruled out the worst case
happening and it represents a plausible possibility to many people.

Even if to begin with it is not a problem and Windows 8 does not require
secure boot to be enabled for compatibility with older computers, it is still
possible that Windows 9 or even a later service pack will change that once
they are happy that there are sufficiently few older computers.

This could create a market for motherboard modification that would allow
pirated versions of Windows to run.

~~~
zokier
Getting Windows to run is the least of problems in the current light. The
problem is running something that's _not_ Windows. Nobody cares about some
lousy pirates.

~~~
jiggy2011
Lousy pirates care about lousy pirates. In many countries pirated Windows is
the #1 OS.

------
gerggerg
This will also make installing previous versions of windows impossible no?

~~~
bru
... and installing next versions too. You won't be able to install the next
version of Windows on your computer: you will have to buy a new one.

~~~
mappu
Not necessarily, new versions of Windows could ship signed with the same key.

You could install previous versions of Windows the same way if, for instance,
there was a Windows update or new service pack integrated with the install
media that contained a signed kernel.

------
dguido
Excuse my ignorance, but doesn't this just mean that Linux users would have to
go into the BIOS and switch off the Secure Boot setting? And isn't Secure Boot
solving a real security problem?

Besides, if you're running a computer powerful enough for Windows 8, don't you
also have enough computing power for a virtual machine? Or enough money for a
second computer?

~~~
jiggy2011
Not necessarily; I doubt that Windows 8 will require particularly expensive or
powerful hardware to run, especially since they are targeting tablets with
it.

So it's likely that many users will not have the money for a 2nd PC, and whilst
virtual machines are nice in their own way there are a lot of limitations with
them, so you may well want to run 2 full OSes directly on hardware.

