
Windows 8 OEM specs may block Linux booting - ramen
http://www.itworld.com/it-managementstrategy/205255/windows-8-oem-specs-may-block-linux-booting
======
dpark
Unless I'm misunderstanding something, this is silly FUD. Microsoft isnt
stupid enough (or evil enough, despite what some like to believe) to attempt
to force PC oems to effectively block all OSes except Windows. They know this
wouldn't work, and there'd be no point in trying to force it.

Supporting hardened boot is not the same as _requiring_ it. Microsoft already
utilizes this for BitLocker. You can still install Linux on a machine that
supports hardened booting and signed images. You just can't enable hardened
boot unless you use signed images.

~~~
jonhohle
> Microsoft isnt stupid enough (or evil enough, despite what some like to
> believe) to attempt to force PC oems to effectively block all OSes except
> Windows.

Um, Microsoft used to do exactly this.
[http://www.theregister.co.uk/2001/08/31/jean_louis_gass_233_...](http://www.theregister.co.uk/2001/08/31/jean_louis_gass_233_e/)
I don't know if they have the muscle or the guts to try something like this
again.

edit: fixed typo

~~~
dpark
There's a rather large difference between contractually forbidding PC OEMs
from selling Windows machines bundled with BeOS and technologically blocking
non-Windows OSes from executing. It's one thing to say "you can't bundle
another OS with mine". It's another thing entirely to say "your hardware can
never run any OS except mine".

~~~
beagle3
There's actually a very small difference.

They both result from signing an agreement between said parties, and basically
provide the same benefits to both parties (given that most people won't
install an operating system themselves).

Except one leaves a choice to the end user, and the other doesn't.

------
sciurus
Here is a direct link to Matthew Garret's blog post so that you can skip
itworld's paraphrasing.

<http://mjg59.dreamwidth.org/5552.html>

~~~
timtadh
"An OS with a Pkek matching that installed in the firmware may add additional
keys to the whitelist."

Does this mean you can just add you own key and self sign any code you want?

~~~
keeperofdakeys
Presumably you have to sign a pkek key with the firmware key. Even then, you
don't actually have full control of your OS's kernel, so it may not be easy to
insert a key.

------
ghshephard
The first paragraph is just silly:

"After years of trying to cut off Linux growth as a desktop platform on x86
and x64 PCs, Microsoft may have actually figured out a way to stop Linux
deployments on client PCs dead in their tracks."

I'm quite certain Microsoft has (A) not put any significant effort into
cutting off growth as a desktop platform, and (B) If they had, they were
almost completely successful, and characterizing it as "trying" implies that
they had limited success.

~~~
mattgreenrocks
Shhh, not so loud! Such thoughts would destabilize Slashdot if they got out!

Seriously, this seems especially short-sighted, as the perception is that MS
is getting thrashed by Apple in the consumer market. I think its more about
preventing malware from getting ahold of the boot process, side effects be
damned.

~~~
Hyena
I don't see this. Apple sells hardware; incidentally, it comes with its own
OS. I haven't met many people who bought a Mac for MacOS since Windows XP.

~~~
ukaszg
As much as I don't like Apple/OS X, most of my friends do. Everyone got Mac
_because_ of OS X. One got it because of low latency, and because he was "sure
it won't hang up for a moment because of some background job". He uses it to
make music. Others got it for its (OS X's) usability.

~~~
Hyena
This is different from what I get from people I know, who comment on how great
they look.

------
jrockway
I doubt any major vendor will do this. First off, they don't want to be locked
into selling Microsoft-only machines. If they can't pretend Linux is an
option, Microsoft can charge them $1000 for a Windows license and there's
nothing they can do about it. If they have Linux hanging over Microsoft's
head, though, they'll get better pricing on Windows. (Think this won't happen?
It already did with XP on netbooks. When Microsoft realized that everyone was
happy to get $100 off the price of their laptop to run Firefox under Linux
instead of under Windows, they had no choice but to make it nearly free.)

If that doesn't work, the need for booting non-standard Windows images will
save us. I've never worked for any company that ran a stock Windows install --
everyone rolls their own. If new machines won't boot this image, guess what,
that new machine is bought from some vendor that doesn't do this to them. And
the only reason most people use Windows at home is because they use Windows at
work. If big companies started migrating away from Windows, Microsoft could be
in serious trouble. (Yup, Microsoft Word is much nicer than LibreOffice Writer
or AbiWord. But you don't know that if you've never used it. Or, you don't
care, because you're writing a memo, not a book. And that's $600 Microsoft
loses right there.)

Next, we're forgetting the all-important server market. Nobody uses Windows as
a server OS, so all those servers are going to have to be able to run Grub.
Since servers are what make the OEMs money (they actually need that quad core
chip, you don't), keeping users of that market happy will be the hardware
companies' biggest concern. If Intel chips stop booting Linux, guess what, AMD
is the new king of the market.

Finally, many of these companies are in markets other than consumer computers,
and they won't want to alienate their other partners. If, say, Samsung says
"our hardware will only run Windows", then they won't be manufacturing Android
phones or Chromebooks anymore. And that's a big deal, because they won't be
manufacturing iPhones either, and that means they're out of the mobile market.
(Have you ever seen anyone without MVP certification anywhere near a Windows
Phone? I didn't think so.)

Basically, Windows is important, but not so important that anyone would want
to be the first to go Windows-only in hardware. Hardware companies want to
provide nice computers at a nice price. End users mostly want to browse the
web. This puts Microsoft in a position to do exactly what the market wants,
not what it thinks it can bear. When you're at the top, the only place to go
is down. And that is where Microsoft is going.

~~~
recoiledsnake
> Nobody uses Windows as a server OS,

This is the problem with getting tech news only from HN.

~~~
palish
Yes. At my last job, they had 200+ servers, all Windows.

When I tried to bring up Linux as an option, they sort of winced and said
"Linux... ehhh... it's hard to get Linux doing what you want."

~~~
irahul
I have never used Windows servers, and I am curious how do you do things which
are obvious on Linux on a windows server?

1\. Can SQL server deployment be automated? I remember reading somewhere it is
mostly GUI administration, though things might have changed with WMI.

2\. How do you manage IIS? Say you need to restart IIS on 200+ servers?

3\. What is the remote model? Windows doesn't have a decent command line, so
ssh will be weird.

Do you write custom code for all this, because I find the ecosystem on Windows
sorely lacking.

~~~
FireBeyond
Two words: Power Shell. Well, one word.

PS is a "decent command line" for Windows, that can handle most of the things
you discuss pretty well.

~~~
jrockway
Why should I learn a new toolchain when I already have one that's just as good
but has been around for 30+ years? It's fun to reinvent the wheel, but as a
user, sometimes enough is enough. Just give me bash and the coreutils, kthx.

~~~
xyzzyz
You're completely killing innovation this way. Your bash and coreutils work on
Windows, they're just not as useful in that environment. Would you also expect
to have bash and coreutils on Lisp Machine?

Also if you don't know this anything about new toolchain, how can you say that
your old one is "just as good"?

Caveat: I have been heavy Linux user for past 7 years, but I'm not so quick to
dismiss alien technology, especially when it addresses obvious flaws in Unix
-- e.g. piping plain text with parsing and printing it again on all stages
seems so ancient, I would much rather like to be able to use structured data
instead. Also, you could remove the overhead of process initialization if your
command line tools are just functions, and not executables. Just sayin'.

------
daeken
This _could_ block Linux from booting, but realistically speaking, does anyone
believe that will happen? It seems very, very unlikely to me that you won't be
able to disable signing restrictions at the firmware level.

~~~
mjg59
I'm told that at least one vendor will be providing some systems that don't
allow you to disable the requirement.

~~~
jrockway
I'm told that at least one vendor is going to lose a lot of money when its
investors find out about this.

~~~
cosgroveb
I doubt that investors would be savvy enough to care but it would be a stupid
move, nonetheless.

Besides, the server is where Linux matters, not consumer hardware.

~~~
catch23
Investors are savvier than you'd think. Even on a rumor that the vendor is
doing an exclusive lock-in with MS, I'm sure you'd see the stock price dip.
Investors spend all their time looking at news reports in their target
industry, so I'm sure they'll notice something as big as this.

------
rdl
This is overblown. However, if this means secure boot hardware is even more
widely available, it is a win -- if the keys are under control of the user or
his organization, it is a huge security win.

------
yason
I've long thought that the only place where I allow Windows is in a virtual
machine. This seems to hint in that direction: buy a machine that isn't broken
(can boot Linux) and do your Windows duties under VirtualBox or something.

------
ableal
LWN notice and discussion of "Garrett: UEFI secure booting" at
<http://lwn.net/Articles/459569/>

------
tree_of_item
To everyone saying "I doubt anyone will do this": wasn't the consensus also
against Microsoft restricting application distribution to their app store?

~~~
recoiledsnake
Care to link to some examples of said consensus?

------
krschultz
It won't happen, and if it does happen, it won't matter.

Can you imagine the Anti-Trust problems this would create? Microsoft is still
a big fat target for anti-trust lawsuits and this one is pretty blatant.

And if it does happen, while we're waiting for the Justice Department to end
it I'm pretty sure the Linux hackers will find a way around it. When there is
a will, there is a way.

------
sunyc
chromeos has similar thing, with a developer switch at back basically turns
off the signature validation in firmware. what they should worry about is,
which CA root to put in there.

------
tbrownaw
> The two alternatives here are for Windows to be signed with a Microsoft key
> and for the public part of that key to be included with all systems, or

Does it have to be _directly_ signed by that key, or does it work like the CA
system that web browsers use?

> A system that ships with only OEM and Microsoft keys will not boot a generic
> copy of Linux. [ from the blog post rather than the article ]

Which tells us that either systems will not ship with only those keys, or
there will be a simple way to disable this ("Press F2 for setup"), or somebody
will be getting sued on antitrust grounds (which maybe would be ignored again
in the US, but not the rest of the world) and forced to provide a workaround.

------
TallGuyShort
No one seems to have mentioned the impact this will have on Live systems. I'm
frequently called on by Windows users to recover lost data on corrupted
systems, which I do using a Live Linux distribution (especially when they have
discarded their installation media & access keys, and have no interest in
investing money in continuing using Windows if I can give them a free
alternative to getting online). How will I be able to do that for people with
Windows 8 computers?

I'm sure I'll be able to find unsigned hardware for my personal use, but it's
the interoperability that concerns me.

~~~
wmf
To repair a Windows 8 system, you boot a live Windows 8 PE USB drive.

------
gizzlon
The articles doesn't say, but this would require an TPM in the machine to be
successful.. right?

Without a TPM how can the EFI be trusted? You just have to replace it as well
as the boot loader and kernel.

------
wedesoft
It certainly won't get easier to install a Linux dual-boot. It is already
difficult enough as it is:

* Windows PCs without installation medium

* Windows installation with a full partitition table (four primary partitions)

* (intentionally?) corrupted partition tables

I.e. installing GNU/Linux requires you to resize partitions with a potentially
corrupted NTFS file system and/or delete backup partitions. Alternatively the
user uses a Windows image file as Linux file system (Wubi) which is slower and
a more fragile solution.

------
jsz0
Linux (on the desktop) is probably of little or no concern to Microsoft at
this point. They've got bigger problems to worry about. If they want to focus
on making computers sold with Windows offer the best possible experience it
will benefit the most people. Possibly it will make things harder for Linux
users but from Microsoft's perspective if the OEM is shipping Windows there's
no reason to consider Linux as part of the equation.

~~~
th0ma5
My personal opinion is that it is indeed little concern, but a little concern
to many parts of MS, which compared to many other companies may well look like
a dedicated anti-linux corporation that outnumbers them.

------
moontear
"We will continue to support the legacy BIOS interface, but machines using the
UEFI interface will have significantly richer capabilities."

== Will not block Linux or any other OS booting. Secondly anti-trust cases
would kill MS if they would block any other OS, so they won't.

[http://blogs.msdn.com/b/b8/archive/2011/09/20/reengineering-...](http://blogs.msdn.com/b/b8/archive/2011/09/20/reengineering-
the-windows-boot-experience.aspx)

------
bitops
Agree that its a non-issue. Linux is established, would be a really dumb move
to block it like this.

In two weeks we'll have forgotten all about it.

~~~
dorian-graph
It's TPM like fear-mongering again.

~~~
elehack
Could it be that the "fear-mongering" and subsequent outrage is a major reason
why we didn't have this kind of lock-down 5-10 years ago?

I thing mjg's wait-and-see approach is good to do. Not panic yet. But
certainly not to forget either - keep an eye out, see how it develops, and be
prepared to oppose lock-down through various channels should it come (and
hopefully before it is to late).

------
christkv
If this makes it into real hardware I expect the EU to reopen their case
against Microsoft fairly quickly on anti-competitive grounds. There are to
many governmental institutions and businesses dependent on linux for their day
to day work for this to go unchallenged.

------
paulja
Thats one way to stop all the shops that slap XP on modern hardware, due to
corporate IT policy.

------
mkup
There was a time when Windows Logo was considered prestigious, respectable and
trendy thing.

With such a practice Microsoft is quickly approaching a time when Windows Logo
will be perceived like a hot-iron branding of robbers and other criminals in
the medieval era.

------
karolisd
Does this effect dual booting OS X? I doubt the side-effect of blocking Linux
boots was anything but a coincidence. But could Microsoft be fearful of
Hackintoshes becoming more popular and a increase of OS X running on non-Apple
hardware?

~~~
elithrar
> Does this effect dual booting OS X? I doubt the side-effect of blocking
> Linux boots was anything but a coincidence. But could Microsoft be fearful
> of Hackintoshes becoming more popular and a increase of OS X running on non-
> Apple hardware?

I doubt it. Whilst I don't mean to belittle the hard work that goes into the
hackintosh projects out there, we're talking about a tiny, tiny group of
people that probably have an imperceptible impact on MSFT's bottom line.

~~~
mattgreenrocks
Yep. Compatibility is extremely dicey on Hackintoshes -- the best seem to be
running hardware that is chipset identical to those in Macs.

I'd be more worried about Apple waking up one day and shipping an update that
breaks everything.

~~~
charliesome
My Hackintosh runs like a dream. The only post-install hacking I needed to do
was setup my graphics card's PCI string properly

------
dhimes
If the UEFI could be made to handle multiple keys, and allow the owner to
enter them into the firmware, then this could work. One more step in the setup
but a more secure system overall.

------
braco_alva
But even if this was true, there is still ways around this right? I mean rEFIt
does a pretty good job booting up Linux in Mac, so wouldn't this be possible
in those PC's as well?

~~~
raphman
nope, rEFIt would need to be signed, too, as it is involved in the boot
process.

------
prayag
I bought a Windows machine from Amazon. The reason that I wasn't able to
install Linux was acceptable enough for Amazon to pay for return shipping.

~~~
daeken
What shipping Windows machine can you not install Linux on? Or are you talking
about some sort of hardware support issue?

------
RexRollman
Why is this being written like it is solely a "linux" problem? It seems to me
that it effects every non-Windows operating system.

------
kvk
The start of a Windows jailbreaking scene?

------
nagnatron
I know I'm speaking through my reality distortion field, but who cares about
this?

------
ivanbernat
It looks to me like it's designed with tablets in mind, not desktops /
laptops.

------
lhnn
Wouldn't this draw anti-trust battles? Since complying with EFI signing is
against the license of one of the only other major alternatives to Windows,
this would not bode well for Microsoft.

~~~
dctoedt
_Wouldn't this draw anti-trust battles?_

Could be -- it sounds like a possible "tie-out" (a variation on tie-in). AFAIK
There haven't been many tie-out cases, but as antitrust litigator George
Gordon [1] put it a few years back, " _The term “tie out” is often used to
refer to arrangements in which a license prohibits a licensee from dealing in
and/or developing competing, noninfringing technologies. [Footnote omitted]
Such arrangements have been found to be intellectual property misuse and could
form the basis for an antitrust claim as well._ " [2]

If MS were to do something like this, I imagine Gary Reback [3], its nemesis
in previous antitrust battles, would be all over it ....

[1] <http://www.dechert.com/george_gordon/>

[2]
[http://www.dechert.com/library/Analyzing%20IP%20License%20-%...](http://www.dechert.com/library/Analyzing%20IP%20License%20-%20GGordon%205-02.PDF#page=9)

[3] <http://www.garyreback.com/garyreback.html>

------
dramaticus3
Summary : Machines that have the "Windows 8" logo must have UEFI, which means
the bootloader must be signed with a key that's in the BIOS. Additionally the
OS can use the keys to check other signed code : device drivers etc.

My conclusion : A smart vendor will include a signed program that will manage
said keys in the BIOS.

------
pointyhat
Like I suspected, this entire thread has been turned by zealots into a
Microsoft-bashing exercise.

I genuinely dispair for people who spend their entire time platform bashing
and don't add something constructive to the discussion or tar and feather a
side religiously. It paints a very bad picture of the "startup culture"
amongst more established organisations.

------
guard-of-terra
Does this also mean that you won't be able to boot Windows 8 on a PC you
assembled yourself? Oh, they did not think of that.

One more reason to hate MS and want it die everywhere.

------
brokensystem
I use ubuntu but surely my harddrive is full of malware (boot system
compromised). Linux is for hacker playing with backdoors. I like free software
and linux, but if I need a secure system, I should have to pay the prize of
using windows 8.

