LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Tasting the Ice Cream Sandwich

Tasting the Ice Cream Sandwich

Posted May 20, 2012 18:19 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
In reply to: Tasting the Ice Cream Sandwich by djao
Parent article: Tasting the Ice Cream Sandwich

Yet Microsoft mandates for ARM devices that secure boot must be mandatory, without possibility to turn it off.

How long do you think the generic PC market will have unsecured PCs? 10 years? I bet it won't take more than 15 years for all computers to be locked.

"Right to read", here we go...

(Log in to post comments)

Tasting the Ice Cream Sandwich

Posted May 20, 2012 18:41 UTC (Sun) by djao (guest, #4263) [Link]

Did you read the post to which you are replying? I said in that post that mandatory secure boot on ARM is an issue of grave concern. I also pointed out that Apple, not Microsoft, is largely responsible for the current situation on ARM. I think the distinction between Apple and Microsoft is a significant one. All too often, Linux users are quick to blame Microsoft even when the evidence points elsewhere.

Tasting the Ice Cream Sandwich

Posted May 20, 2012 21:07 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Nope. It's not Apple's problem.

Do you remember 'Palladium' initiative of Microsoft? No? That's exactly what happens now.

I might also remind you mandatory driver signing starting from Windows Vista - and that was before even the first iPhone. So no, Microsoft is definitely to blame.

Besides, if you don't see the direction PCs are taking then you need to see an optometrist.

Tasting the Ice Cream Sandwich

Posted May 20, 2012 22:23 UTC (Sun) by djao (guest, #4263) [Link]

Mandatory driver signing even now does not prevent individual users from loading unsigned drivers. It's only mandatory for manufacturers. Users can disable it. So I think your "sky is falling" rhetoric is excessively hyperbolic.

Meanwhile iOS and OS X are, right now, today, more locked-down than any operating system Microsoft has ever released. Compare the experience of installing Linux on a Mac vs. a PC and tell me which one's easier.

It's really important to get facts straight and not let past biases get in the way. The truth is Microsoft is no longer the biggest threat to Linux today. Fighting the last war wastes resources and helps no one.

Tasting the Ice Cream Sandwich

Posted May 20, 2012 23:40 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Nope. Users CAN NOT, I repeat CAN NOT disable mandatory driver signing (on 64-bit versions of OSes).

It can be turned off by pressing F8 during startup and booting into "test mode" which disables features like Blu-Ray playback and adds ugly "test mode" labels in each corner of the desktop.

So for all practical purposes, driver signing can't be disabled on Windows.

>Meanwhile iOS and OS X are, right now, today, more locked-down than any operating system Microsoft has ever released.

Only until Windows 8 is released. New 'metro' interface will be accessible only to sandboxed programs, downloaded from the official Microsoft Store. The old environment is now called 'classic', btw.

So direction is quite clear, in a few releases the old classic environment will be confined in a VM with hardware capable only of booting signed Windows.

>Compare the experience of installing Linux on a Mac vs. a PC and tell me which one's easier.
Installing Linux on a Mac. You pop in your Fedora CD and do installation.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 6:48 UTC (Mon) by djao (guest, #4263) [Link]

The link that I provided in the comment to which you replied contains exactly a description of how to permanently disable driver signing checks on both 32-bit and 64-bit versions of Windows OSes. Did you bother to read the page that I linked? The whole page?

I think it's hardly fair to blame Microsoft for Blu-ray not working. Does Blu-ray work in Linux? No. Blu-ray is the fault of the entertainment companies.

All I'm proposing is the very modest suggestion that Microsoft is not 100% at fault for absolutely every single one of Linux's problems. Apparently this claim is too radical for some around here.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 9:29 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

>The link that I provided in the comment to which you replied contains exactly a description of how to permanently disable driver signing checks on both 32-bit and 64-bit versions of Windows OSes. Did you bother to read the page that I linked? The whole page?

I can ask you the same. Have YOU read it?

>You can’t permanently disable the use of signed drivers in the 64-bit version of Windows Server 2008 — at least, not using any Microsoft-recognized technique.

And undocumented DDISABLE_INTEGRITY_CHECKS is disabled in final releases of Microsoft OSes (it's enabled in previews). You can try it yourself.

But what do I know? After all, I'm only writing Windows drivers.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 17:40 UTC (Mon) by djao (guest, #4263) [Link]

And undocumented DDISABLE_INTEGRITY_CHECKS is disabled in final releases of Microsoft OSes (it's enabled in previews). You can try it yourself.
I did try it, just now, not more than 10 minutes ago, on my retail release version of Windows Server 2008 R2. And here is the result. As you can see, it works. You do not have to press F8 every time you reboot; the screenshot was taken from a clean reboot done without user interaction.

Tasting the Ice Cream Sandwich

Posted May 22, 2012 22:00 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

I don't have 2008 Server right now, but it definitely doesn't work on my up-to-date Windows 7 and Windows Vista. I've just re-checked to be sure I'm not going completely mad.

Google suggests that several Microsoft updates break it:
http://www.microsoft-questions.com/microsoft/Windows-Upda... so your OS is probably not completely up-to-date.

Tasting the Ice Cream Sandwich

Posted May 31, 2012 15:15 UTC (Thu) by nye (guest, #51576) [Link]

I don't know about Windows 7 or Server 2008, but I do have experience of Windows 8 CP.

One of the advanced reboot options is to disable driver signing enforcement for the next boot. You can then install unsigned drivers by clicking through a scary warning as in previous versions of Windows. Once that driver is installed, you can reboot in normal mode and continue using it. I'm not certain if there's a boot flag that can be set *permanently* to keep enforcement disabled, but in practice that's only going to be a problem if you need to install unsigned drivers on a frequent basis, and to be honest I can't really fault MS for not considering that a high-priority use case.

Since the advanced reboot options menu is entirely new to Windows 8, I doubt it is a left-over from old versions that they're planning to remove in the final release; more likely that's how it will work in RTM.

Tasting the Ice Cream Sandwich

Posted May 31, 2012 15:18 UTC (Thu) by nye (guest, #51576) [Link]

>more likely that's how it will work in RTM.

(Except when secure boot is enabled, obviously, since that would entirely defeat the point of secure boot)

Microsoft never sued anyone for purchasing their OS and installing it on 'unapproved' hardware

Posted May 21, 2012 1:23 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

At least Microsoft has never sued another company for buying their OS and installing it on 'unapproved' hardware the way that Apple has.

Yes, Microsoft is looking at what Apple is doing with envy and trying to copy their amount of control, but Microsoft is also being watched by government anti-trust regulators (both in the US and EU) so they are going to be more limited in what they can get away with doing.

This doesn't mean that you don't have to watch out for Microsoft, but they are going to be able to get away with a lot more if they can point at Apple and say "we're just doing what our competition is doing, users are showing that they want us to do this by buying their products"

Tasting the Ice Cream Sandwich

Posted May 21, 2012 2:18 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

It's not possible to disable driver signing on Windows 8 if the platform has secure boot enabled.

Tasting the Ice Cream Sandwich

Posted May 21, 2012 6:58 UTC (Mon) by djao (guest, #4263) [Link]

Right, now go read my post above where I point out, with quotes, the part in the Windows Hardware Certification Requirements where it states that users on Intel PC systems must be able to disable secure boot in order for the system to be compliant with the certification requirements.

Secure boot and driver signing on ARM is a genuine obstacle for Linux, because users can't turn it off. Secure boot and driver signing on Intel PCs is not a problem right now, because users can turn it off. It may become a problem in the future and I will be the first to complain if it does. But at the moment I believe it is a legitimate tradeoff to restrict what unsophisticated computer users can do on PCs in the name of security. I'm sick and tired of dealing with Windows botnets and I can't possibly be the only one.

No one is talking about the benefits side of the cost-benefit equation. Secure boot isn't just purely an antagonistic move on Microsoft's part to screw over Linux users. It has some legitimate benefits to offset its costs, benefits which will be appreciated even by Linux users. The key issue is whether advanced users can turn it off. If they can, then I don't have a problem with it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds