Tasting the Ice Cream Sandwich

Posted May 20, 2012 17:48 UTC (Sun) by djao (subscriber, #4263)
In reply to: Tasting the Ice Cream Sandwich by Cyberax
Parent article: Tasting the Ice Cream Sandwich

>Sure. But now it's required for ALL new PCs.

So, which new (Intel) PCs are incapable of running Linux because of secure boot requirements? Be specific please. Make, model, etc. The truth is, Intel PCs are just as Linux-capable as they always have been. You can always turn off secure booting on PCs. The spec even requires (largely in response to user protests) that the user can turn it off on PCs (Custom mode):
"MANDATORY: On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: 'Custom' and 'Standard'. --Windows Hardware Certification Requirements, May 9, 2012, p. 122"
(The above clause applies to complete computer systems. Theoretically, it would be possible for a component maker such as a motherboard manufacturer to ship a compliant computer component that had no way to turn off secure boot. But, given that such a part could not be used as part of a Windows 8 certified system, my guess is that the number of such parts in the marketplace will be next to nil.)

I am a heavy Linux user, and at one point I had serious concerns about secure boot as well, but the latest news coming out of Redmond is much better than feared. At worst one could say that secure boot lays the groundwork for future lock-in on PCs. While it's true that Microsoft's history has not been good, I think there is some room to give Microsoft the benefit of the doubt here. Malware really is a serious problem on PCs, even for Linux users (who have to deal with Windows botnets on their networks), and secure boot does have nonzero benefits in terms of stopping malware -- it guarantees in hardware that the kernel has not been compromised. As long as advanced users can turn it off (which they can), I see nothing but good coming out of this effort. Quite honestly, I want unskilled computer users to be subject to secure boot restrictions.

Unlike Intel, secure boot on ARM is indeed an issue of grave concern for Linux users, because there is no way to turn it off. Here, barring an unlikely successful legal challenge, our only option is to win in the marketplace, as you say. Fortunately, against all expectations, this is actually happening: Android is on a majority of devices, and outsells Microsoft on ARM by more than 10 to 1. And also, let's not forget where the true blame belongs: Apple is the company that pioneered lock-in on ARM devices.

>That was before the era of virtual machines. You can't run 16-bit DOS programs on 64-bit Windows anymore, for example.

That is true, and perhaps a sign of change. I may have misspoken. What I meant to say is that the hardware-OS interface (e.g. BIOS calls) has enjoyed strong backwards compatibility even to the present day. This is what lets you run DOS on bare metal today. It's why x86-64 processors still boot up in 16-bit real mode. It is true that Microsoft is taking steps to break compatibility at the OS-software interface for old programs. This is in fact a huge change which may signal more to come.



Tasting the Ice Cream Sandwich

Posted May 20, 2012 18:19 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Yet Microsoft mandates for ARM devices that secure boot must be mandatory, without the possibility of turning it off.

How long do you think the generic PC market will have unsecured PCs? 10 years? I bet it won't take more than 15 years for all computers to be locked.

"Right to read", here we go...

Tasting the Ice Cream Sandwich

Posted May 20, 2012 18:41 UTC (Sun) by djao (subscriber, #4263) [Link]

Did you read the post to which you are replying? I said in that post that mandatory secure boot on ARM is an issue of grave concern. I also pointed out that Apple, not Microsoft, is largely responsible for the current situation on ARM. I think the distinction between Apple and Microsoft is a significant one. All too often, Linux users are quick to blame Microsoft even when the evidence points elsewhere.

Tasting the Ice Cream Sandwich

Posted May 20, 2012 21:07 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Nope. It's not Apple's problem.

Do you remember the 'Palladium' initiative of Microsoft? No? That's exactly what happens now.

I might also remind you mandatory driver signing starting from Windows Vista - and that was before even the first iPhone. So no, Microsoft is definitely to blame.

Besides, if you don't see the direction PCs are taking then you need to see an optometrist.

Tasting the Ice Cream Sandwich

Posted May 20, 2012 22:23 UTC (Sun) by djao (subscriber, #4263) [Link]

Mandatory driver signing even now does not prevent individual users from loading unsigned drivers. It's only mandatory for manufacturers. Users can disable it. So I think your "sky is falling" rhetoric is excessively hyperbolic.

Meanwhile iOS and OS X are, right now, today, more locked-down than any operating system Microsoft has ever released. Compare the experience of installing Linux on a Mac vs. a PC and tell me which one's easier.

It's really important to get facts straight and not let past biases get in the way. The truth is Microsoft is no longer the biggest threat to Linux today. Fighting the last war wastes resources and helps no one.

Tasting the Ice Cream Sandwich

Posted May 20, 2012 23:40 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Nope. Users CAN NOT, I repeat CAN NOT disable mandatory driver signing (on 64-bit versions of OSes).

It can be turned off by pressing F8 during startup and booting into "test mode" which disables features like Blu-Ray playback and adds ugly "test mode" labels in each corner of the desktop.

So for all practical purposes, driver signing can't be disabled on Windows.

>Meanwhile iOS and OS X are, right now, today, more locked-down than any operating system Microsoft has ever released.

Only until Windows 8 is released. The new 'metro' interface will be accessible only to sandboxed programs, downloaded from the official Microsoft Store. The old environment is now called 'classic', btw.

So the direction is quite clear: in a few releases the old classic environment will be confined in a VM with hardware capable only of booting signed Windows.

>Compare the experience of installing Linux on a Mac vs. a PC and tell me which one's easier.
Installing Linux on a Mac. You pop in your Fedora CD and do the installation.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 6:48 UTC (Mon) by djao (subscriber, #4263) [Link]

The link that I provided in the comment to which you replied contains exactly a description of how to permanently disable driver signing checks on both 32-bit and 64-bit versions of Windows OSes. Did you bother to read the page that I linked? The whole page?

I think it's hardly fair to blame Microsoft for Blu-ray not working. Does Blu-ray work in Linux? No. Blu-ray is the fault of the entertainment companies.

All I'm proposing is the very modest suggestion that Microsoft is not 100% at fault for absolutely every single one of Linux's problems. Apparently this claim is too radical for some around here.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 9:29 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

>The link that I provided in the comment to which you replied contains exactly a description of how to permanently disable driver signing checks on both 32-bit and 64-bit versions of Windows OSes. Did you bother to read the page that I linked? The whole page?

I can ask you the same. Have YOU read it?

>You can’t permanently disable the use of signed drivers in the 64-bit version of Windows Server 2008 — at least, not using any Microsoft-recognized technique.

And undocumented DDISABLE_INTEGRITY_CHECKS is disabled in final releases of Microsoft OSes (it's enabled in previews). You can try it yourself.

But what do I know? After all, I'm only writing Windows drivers.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 17:40 UTC (Mon) by djao (subscriber, #4263) [Link]

>And undocumented DDISABLE_INTEGRITY_CHECKS is disabled in final releases of Microsoft OSes (it's enabled in previews). You can try it yourself.

I did try it, just now, not more than 10 minutes ago, on my retail release version of Windows Server 2008 R2. And here is the result. As you can see, it works. You do not have to press F8 every time you reboot; the screenshot was taken from a clean reboot done without user interaction.

Tasting the Ice Cream Sandwich

Posted May 22, 2012 22:00 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

I don't have 2008 Server right now, but it definitely doesn't work on my up-to-date Windows 7 and Windows Vista. I've just re-checked to be sure I'm not going completely mad.

Google suggests that several Microsoft updates break it:
http://www.microsoft-questions.com/microsoft/Windows-Upda... so your OS is probably not completely up-to-date.

Tasting the Ice Cream Sandwich

Posted May 31, 2012 15:15 UTC (Thu) by nye (guest, #51576) [Link]

I don't know about Windows 7 or Server 2008, but I do have experience of Windows 8 CP.

One of the advanced reboot options is to disable driver signing enforcement for the next boot. You can then install unsigned drivers by clicking through a scary warning as in previous versions of Windows. Once that driver is installed, you can reboot in normal mode and continue using it. I'm not certain if there's a boot flag that can be set *permanently* to keep enforcement disabled, but in practice that's only going to be a problem if you need to install unsigned drivers on a frequent basis, and to be honest I can't really fault MS for not considering that a high-priority use case.

Since the advanced reboot options menu is entirely new to Windows 8, I doubt it is a left-over from old versions that they're planning to remove in the final release; more likely that's how it will work in RTM.

Tasting the Ice Cream Sandwich

Posted May 31, 2012 15:18 UTC (Thu) by nye (guest, #51576) [Link]

>more likely that's how it will work in RTM.

(Except when secure boot is enabled, obviously, since that would entirely defeat the point of secure boot)

Microsoft never sued anyone for purchasing their OS and installing it on 'unapproved' hardware

Posted May 21, 2012 1:23 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

At least Microsoft has never sued another company for buying their OS and installing it on 'unapproved' hardware the way that Apple has.

Yes, Microsoft is looking at what Apple is doing with envy and trying to copy their amount of control, but Microsoft is also being watched by government anti-trust regulators (both in the US and EU) so they are going to be more limited in what they can get away with doing.

This doesn't mean that you don't have to watch out for Microsoft, but they are going to be able to get away with a lot more if they can point at Apple and say "we're just doing what our competition is doing, users are showing that they want us to do this by buying their products"

Tasting the Ice Cream Sandwich

Posted May 21, 2012 2:18 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

It's not possible to disable driver signing on Windows 8 if the platform has secure boot enabled.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 6:58 UTC (Mon) by djao (subscriber, #4263) [Link]

Right, now go read my post above where I point out, with quotes, the part in the Windows Hardware Certification Requirements where it states that users on Intel PC systems must be able to disable secure boot in order for the system to be compliant with the certification requirements.

Secure boot and driver signing on ARM is a genuine obstacle for Linux, because users can't turn it off. Secure boot and driver signing on Intel PCs is not a problem right now, because users can turn it off. It may become a problem in the future and I will be the first to complain if it does. But at the moment I believe it is a legitimate tradeoff to restrict what unsophisticated computer users can do on PCs in the name of security. I'm sick and tired of dealing with Windows botnets and I can't possibly be the only one.

No one is talking about the benefits side of the cost-benefit equation. Secure boot isn't just purely an antagonistic move on Microsoft's part to screw over Linux users. It has some legitimate benefits to offset its costs, benefits which will be appreciated even by Linux users. The key issue is whether advanced users can turn it off. If they can, then I don't have a problem with it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds