Weekly Edition
Return to the Announcements page
| |||||||||||||
The H Year: 2012's Wins, Fails and Mehs
The H rates
some highlights of 2012. "Win – The Linux community’s reboots Secure Boot – Microsoft’s requirement that OEMs start using UEFI’s Secure Boot function had caused much concern within the Linux community, but when that had died down, developers at Red Hat, SUSE, Canonical and the Linux Foundation worked on a range of solutions for Linux distributions, large and small, to use if they wanted to boot on a machine with Secure Boot enabled and a user not capable of disabling it. Good ideas and information was exchanged, code was written and answers were found; that's how things should work."
(Log in to post comments)
The H Year: 2012's Wins, Fails and Mehs Posted Dec 31, 2012 21:21 UTC (Mon) by donbarry (guest, #10485) [Link]
This is hardly a win -- even the most optimistic appraisal can only call our accommodation of UEFI as bare breakeven.
Why? Because we have preserved, to some extent, the *possibility* of installing GNU+Linux on new systems, but certainly the difficulty level is generally harder -- and the percentage of "broken" systems much greater. And the catch-up time during which these issues are ironed out and distributions gain the ability to install or be run live is filled with impediments which will simply convince many that the pain is not worth it. And each casualty is one less person who can participate in the free software camp.
I spent the better part of a day and a half configuring a new high-end workstation which had a preexisting UEFI Windows install, but which had broken legacy boot in the BIOS. And that by a major manufacturer (HP).
My project of easy live-boot sticks for my students in an astronomical computing class will have to be kept on hold until this situation stabilizes, simply there's no maturity to any solution yet that would promise that it would "just work" on the bulk of the random laptops (including Macs) that my students might bring.
Who wins from this fear, uncertainty, and doubt? That should be obvious.
And that's why they keep playing these games. There will be more.
The H Year: 2012's Wins, Fails and Mehs Posted Dec 31, 2012 22:20 UTC (Mon) by mirabilos (subscriber, #84359) [Link]
Restricted boot is *no* win!
Consider:
① this works on amd64 only, not ARM
② even there: devices are not required to carry the “hardware drivers” key, which is what Microsoft® uses to sign shim with: http://mjg59.dreamwidth.org/21189.html
In my opinion, we should keep a strict stance *against* Restricted Boot in all its forms, *even though* this is a way in… into a handfull of devices… at first… until they take that away…
Article of the day: http://mako.cc/copyrighteous/20121231-00
Secure Boot, No Thanks Posted Jan 1, 2013 1:41 UTC (Tue) by brianomahoney (subscriber, #6206) [Link]
This is another M$ special and, as the Americans were dumb enough to give Obummer '4 more years' don't expect anything until these guys are gone!
Then the cure is an anti-trust suite.
Finally my legal advice, though I am a Swiss Roman Law Lawyer (TINLA CYOL), this isn't a circumvention device in the DMCA sense, so open hackathon.
While I respect Garrett for his work so far, the SHIM is a big distro solution, me, just turn all this crap off in the BIOS and if the mo-bo dosn't work or I don't see a fixer in Zuerich next day they can have 80'000 systems back and a 5 year procurement ban!
More important guys, we have WON, all mobile i-X and Android is Unixish, BYOD destroys corporate IT control, a huge step forward and finally BYOD diversity means that OpenSync (idea, not project) is mandatory.
You tell the CEO, or corporate council (me) he has to use Outlook and have a locked down Exchange server and they will laugh, just before they fire you!
Die besten Wünsche für ein glückliches und erfolgreiches neues Jahr aus der Schweiz, Brian
Secure Boot, No Thanks Posted Jan 1, 2013 3:10 UTC (Tue) by rsidd (subscriber, #2582) [Link]
You think the Republicans would bring an antitrust suit? Really?
The previous antitrust suit against Microsoft (against anyone, I think) was in the Clinton administration. Republicans said the government is picking on an American success story.
Secure Boot, No Thanks Posted Jan 1, 2013 3:20 UTC (Tue) by mirabilos (subscriber, #84359) [Link]
Uh guys, please, I’m not the slightest interested in USA politics.
Please take that part elsewhere.
It also wouldn’t solve the problem for The Rest Of The World™, anyway.
Secure Boot, No Thanks Posted Jan 1, 2013 11:31 UTC (Tue) by efraim (subscriber, #65977) [Link]
But the government WAS picking at Microsoft.
There are plenty of legitimate reason for demonizing Microsoft's behavior, but including the media player and Internet Explorer as a bundle with OS itself? Come on! Everybody does that nowadays. So, turns out, it's not an anti-competitive behavior but rather an innovation, an example to follow (and do Linux distributions follow it!)
I don't believe for a moment that Microsoft won the browser wars because of some monopoly. It won browser wars because IE4 (and then IE5, IE5.5) was lightyears ahead of Netscape 4 in stability and features and when Netscape 6 FINALLY came out it could not really stand any comparison with IE6.
So yes, I don't think Netscape's whining about monopoly was in any way justified. If they could only build a competitive web browser in time...
Secure Boot, No Thanks Posted Jan 1, 2013 12:41 UTC (Tue) by khim (subscriber, #9252) [Link] There are plenty of legitimate reason for demonizing Microsoft's behavior, but including the media player and Internet Explorer as a bundle with OS itself? Come on! The problem was never a bundled browser. The problem were with incentives to have it as the only browser on preinstalled system. You may not like plethora of crapware on newly sold systems but it's important way to give Joe Average a chance to test your product. Microsoft specifically forbidden OEMs to do that (it only promised some marketing $$ if guys will not install Netscape... and OEMs naturally have chosen $$ promised by Microsoft and not smaller amount promised by Netscape). Everybody does that nowadays. So, turns out, it's not an anti-competitive behavior but rather an innovation, an example to follow (and do Linux distributions follow it!) That's quite a statement. Yes, everyone does this but even Android often comes these days with two (or sometimes more) browsers. I don't believe for a moment that Microsoft won the browser wars because of some monopoly. Abuse of monopoly was most certainly a factor if it was deciding factor or not... we'll never know. So yes, I don't think Netscape's whining about monopoly was in any way justified. If they could only build a competitive web browser in time... It's kinda hard to do without money and Microsoft made sure Netscape will not have these money. Of course Netscape mostly did that to themselves (Complete rewrite of million lines long program? Who's crazy idea is that?) but Microsoft used a lot of illegal tricks too. You are basically saying that it's Ok to jab someone couple of times with knife in the back if said someone is on a bridge with a stone tied to the neck. No, it's not Ok to do that even in this case.
Secure Boot, No Thanks Posted Jan 1, 2013 13:23 UTC (Tue) by efraim (subscriber, #65977) [Link]
>> The problem were with incentives to have it as the only browser on preinstalled system.
Notice that Netscape was NOT preinstalled with earlier Microsoft OSes either. Customers had to go and explicitly get it from Netscape (download, or snail mail)
The fact that with Netscape 4 and Internet Explorer 4 they did not bother tells much more about Netscape 4 then it tells about evil Microsoft's plan.
>> You are basically saying that it's Ok to jab someone couple of times with knife in the back if said someone is on a bridge with a stone tied to the neck. No, it's not Ok to do that even in this case.
I am not saying any of that at all. I just do not thing that what Microsoft did was somehow jabbing a knife into Netscape's back. Yes, they wanted to control what their OEMs put on pre-installed systems. In fact, Apple wanted to do it so hard that they eliminated the OEMs altogether. Nobody is crying anti-competitive behavior on them over the fact (or did I miss it?)
Secure Boot, No Thanks Posted Jan 1, 2013 16:36 UTC (Tue) by khim (subscriber, #9252) [Link] Notice that Netscape was NOT preinstalled with earlier Microsoft OSes either. Customers had to go and explicitly get it from Netscape (download, or snail mail) This is where you are wrong. Sure, not all systems had it preinstalled, but enough of them did in 1996-1997. By the 1998 Microsoft managed to squeeze most OEMs and "convinced" then to drop Netscape. Textbook case of monopoly power abuse. In fact, Apple wanted to do it so hard that they eliminated the OEMs altogether. Nobody is crying anti-competitive behavior on them over the fact (or did I miss it?) You are 100% correct, of course. Microsoft is pale imitation of Apple when abuse of power is concerned. But the thing is: Apple was not never big enough PC vendor to warrant antitrust investigations. On the phone side (where it is big enough in certain markets, but not in all of them), oh yeah... Apple gets a lot of attention from different groups. In court and outside of court.
Secure Boot, No Thanks Posted Jan 1, 2013 13:08 UTC (Tue) by paulj (subscriber, #341) [Link]
You seem to be thinking that, if an action is good, or OK if done by /any/ party, then it must also be allowed/OK for a monopolist. However, that's not the way it works.
Monopolists are barred from certain actions NOT because of anything specific to the actions, but because they ARE a monopolist. Monopolists have to have their grip prised from the market, and this requires barring them from taking actions that would be perfectly acceptable, even desirable, from other actors. This is needed to create room for other actors to expand in the market.
Your comment shows a fundamental misunderstanding of the theory behind anti-monopoly law and regulation.
Secure Boot, No Thanks Posted Jan 1, 2013 13:16 UTC (Tue) by efraim (subscriber, #65977) [Link]
Yes, I really do not understand why should customers of said monopolist (BTW, are you ready to claim the same status for Android once it dominates some 90% market of smartphones which is very likely) suffer just because.
If it is OK for Joe Random to give his customers an OS with an integrated web browser, so should it be OK for a world dominating monopoly. Why should I, as a customer, have to go and install such a basic component as a browser, and a media player separately? Just so that Opera Software can be happy?
Secure Boot, No Thanks Posted Jan 2, 2013 4:06 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
> Yes, I really do not understand why should customers of said monopolist (BTW, are you ready to claim the same status for Android once it dominates some 90% market of smartphones which is very likely) suffer just because.
If Android does achieve this sort of market dominance, it will be a Monopoly, and If Google _abuses_ this monopoly to extend their reach into other areas, there will need to be actions taken against them.
However, it may very well be that the fact that Google allows the vendors to customize Android so drastically before shipping it may be enough to avoid this.
This is why Google has to be very careful about the requirements it puts on the vendors to call their product Android.
It may also be that the fact that Google allows companies like Amazon and B&N to take the android source, modify it and ship it without branding (as on the Kindle and Nook Tablets) may be enough to prevent the "Android" branded version which Google controls from hitting a high enough percentage to become a Monopoly
The key thing isn't to make Opera Software happy, it's to prevent a Monopoly in one field (OS) from leveraging this Monopoly to harm competition in other fields (Browser software, Office Software, etc)
A monopoly also indicates a strong barrier to entry for new competitors. This is why calling Google's dominance of Search a "Monopoly" is highly suspect. there's nothing preventing other search engines from starting up, and if they server the users better than Google, it will be very easy for users to switch and forget Google exists (assuming google doesn't improve their version to compete)
A Monopoly is not just the dominance of a field, and there's nothing wrong with being a Monopoly. It's just that if you _are_ a Monopoly, then you are not allowed to "abuse" your Monopoly status to take over other fields.
It's perfectly legitimate for you to use your income from your Monopoly to fund good products in other fields, you just can't do things like selling them at a loss once you are past the R&D stage and into production.
Secure Boot, No Thanks Posted Jan 3, 2013 20:28 UTC (Thu) by efraim (subscriber, #65977) [Link]
>> A Monopoly is not just the dominance of a field, and there's nothing wrong with being a Monopoly. It's just that if you _are_ a Monopoly, then you are not allowed to "abuse" your Monopoly status to take over other fields.
>> It's perfectly legitimate for you to use your income from your Monopoly to fund good products in other fields, you just can't do things like selling them at a loss once you are past the R&D stage and into production.
I understand your position, however I do not agree with it because I feel like many of the terms here are too ill defined to be a matter of law (for instance, what's R&D phase? Is Android in R&D phase? Is GMail? When quality control and brand control become abuse?)
I am not commenting on LWN often and this thread is pretty far from core LWN software topic, so if you feel I am veering off-topic into politics too far please say so.
Action against abuse of monopoly Posted Jan 2, 2013 16:18 UTC (Wed) by jpnp (subscriber, #63341) [Link]
Except the US didn't actually stop MS from shipping IE. And look at the actual remedy imposed by the EU: customers are presented with a browser selection dialog at first boot which allows them to choose from a list of top browsers. If they select a non-IE option then they're sent to download that, but it doesn't remove all IE components from the system, merely selects a default.
Yes this is an extra imposition if you're happy to use MS's default browser, but it's hardly a particularly onerous one. In return the consumer benefits as one company fails to snuff out all competition in the browser market. Look at the performance benefits to us all when healthy competition returned to the browser market; MS had to start investing in browser development again -- something they entirely stopped doing during the period they had a practical browser monopoly.
Action against abuse of monopoly Posted Jan 3, 2013 20:17 UTC (Thu) by efraim (subscriber, #65977) [Link]
I actually don't believe for a moment that the resurgence in IE development we've witnessed has anything to do with EU's efforts.
I think it's unfair to the hard work of Mozilla and later Google Chrome development teams to claim that their achievement is actually a result of some cheap political posturing by EU. What actually made Microsoft develop IE again is the fact that Mozilla has succeeded in delivering a more stable and feature-rich (and easy to use!) web browser for several years. In fact I am afraid that this trend might be reversed now that Mozilla started chasing Chrome in version treadmill. (I have only anecdotal evidence but it seems that plugin compatibility and stability suffered as a result)
Secure Boot, No Thanks Posted Jan 3, 2013 9:38 UTC (Thu) by farnz (guest, #17727) [Link] Because it was OK for Microsoft to give their customers and end-users an OS with an integrated web browser, right up to the point where Microsoft attempted to tell their customers that they couldn't install another browser as the system default browser if they intended to sell the machine to an end-user. Android doesn't currently have this problem - if HTC choose to make the system default browser Firefox Mobile, Google aren't going to stop them using Android. If you go back to the mid-90s, when all this went down, other browser developers were in the business of paying OEMs to preinstall their product as the system default browser; Microsoft used its leverage as provider of the OS to insist that OEMs that did this had to pay much more for the OS (more than the other browser vendors were prepared to pay, so an OEM that shipped Windows and IE only paid less than an OEM that shipped Windows and IE and Netscape, even with Netscape paying the OEM to ship Netscape). Had Microsoft simply bundled IE as a freebie with Windows, and not tried to use that as leverage to block OEMs deals with Netscape, they'd not have got into trouble. It was the attempt to use their ownership of a monopoly operating system to influence the browser market that caused them pain, and a lot of observers noted at the time that IE4 was a better product than the equivalent Netscape browsers. Indeed, it's plausible that if Microsoft had behaved better, they'd probably have still crushed the competition in the web browser market as thoroughly as they did, and would not have faced the anti-trust issues that their monopoly abuse caused.
Secure Boot, No Thanks Posted Jan 7, 2013 19:46 UTC (Mon) by Wol (guest, #4433) [Link]
Don't forget, it was PROVEN in court that Microsoft put a load of code into Windows ?98 whose sole purpose was to cause Netscape to crash.
So the OP's claim that "Netscape couldn't write a decent browser" is wrong - if the underlying OS has been deliberately booby-trapped it's rather difficult to cope! And there's a long trail of MS repeatedly doing that ... "DOS ain't done til Lotus won't run", and the story coming out now about WordPerfect, etc etc.
To the OP - the best definition of "monopoly power" is "the ability to set a price above the marginal cost of production". MS can pretty much name their own price, so they have monopoly power. Google may be very dominant in search, but they can't set their own price. There are other search engines out there, and if Google raise their prices both sorts of customers (the advertisers and the searchers) can easily go elsewhere. Market dynamics currently push them to Google as the best value for money, but if Google changes that dynamic it's easy for them to flee. Thing with Microsoft is it is (and MS deliberately makes it so) very difficult for customers to flee. The harder MS makes it for customers to leave, the more MS can charge before customers consider leaving.
Cheers,
Secure Boot, No Thanks Posted Jan 7, 2013 19:58 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]
> Don't forget, it was PROVEN in court that Microsoft put a load of code into Windows ?98 whose sole purpose was to cause Netscape to crash.
That's a serious accusation. Can you prove it?
As far as I remember, it was proven that MS has put special hooks to make their applications work faster.
Secure Boot, No Thanks Posted Jan 7, 2013 20:57 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
In a different case, it was proven that Microsoft put in hooks to make windows not work when running on DR-DOS
These weren't 'hooks to make it work better on pure microsoft systems' they were tests to detect DR-DOS and fail.
Secure Boot, No Thanks Posted Jan 8, 2013 18:19 UTC (Tue) by nix (subscriber, #2304) [Link]
No, they were (insanely specific) tests to detect {MS|IBM}-DOS and fail if not found. It just so happens that there was only one DOS-compatible competitor to the {MS|IBM}-DOS hegemony... how convenient.
Secure Boot, No Thanks Posted Jan 7, 2013 20:45 UTC (Mon) by raven667 (subscriber, #5198) [Link]
> the best definition of "monopoly power" is "the ability to set a price above the marginal cost of production".
I think it should be clear that this is a quite radical re-interpretation of what monopoly means and is not the definition that is commonly understood or that is used in the law.
Secure Boot, No Thanks Posted Jan 7, 2013 22:17 UTC (Mon) by mpr22 (subscriber, #60784) [Link] To the OP - the best definition of "monopoly power" is "the ability to set a price above the marginal cost of production". This does unuseful things like saying that the Morgan Motor Company has a monopoly, which it doesn't in any meaningful sense.
Secure Boot, No Thanks Posted Jan 7, 2013 22:24 UTC (Mon) by apoelstra (subscriber, #75205) [Link]
>This does unuseful things like saying that the Morgan Motor Company has a monopoly, which it doesn't in any meaningful sense.
Can you elaborate? I've never heard of the Morgan Motor Company, and I thought the definition quite usefully cut through the irrelevant connotations that "monopoly" has.
Secure Boot, No Thanks Posted Jan 8, 2013 0:10 UTC (Tue) by anselm (subscriber, #2796) [Link]
IIRC, the Morgan motor company is a very small outfit that makes fancy cars. They can charge way more than »the marginal cost of production« because the people who buy Morgan cars, even though they would be perfectly able to get something like a Yugo at a cheaper price that would also let them drive from A to B, for whatever reason still prefer a Morgan car, and are happy to pay more than they otherwise would have to if their only interest was to obtain a car (any car).
Secure Boot, No Thanks Posted Jan 1, 2013 7:56 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
Thanks for the respect, but I'm afraid the feeling's not mutual.
Secure Boot, No Thanks Posted Jan 7, 2013 4:25 UTC (Mon) by cmccabe (guest, #60281) [Link]
You apparently haven't been following American politics at all.
George W. Bush ran partly on a platform of dropping the antitrust suit against Microsoft. See http://www.interesting-people.org/archives/interesting-pe...
When he came into power in 2001, the Department of Justice suddenly stopped asking for the breakup of Microsoft, and started suggesting other remedies. There is actually a pretty good chance that Microsoft would have been broken up into a "Windows company" and an "Office company" if Gore instead of Bush had been elected.
Bush was also instrumental in winding down enforcement of the already toothless settlement in 2008. See http://www.bloomberg.com/apps/news?pid=newsarchive&re...
You might also notice that the antitrust case against Google in 2011 also began under a Democrat. (Personally, I think the case against Google was a mistake, but that's another topic...) At the end of the day, the facts are that the Republicans haven't been very interested in antitrust lately.
Concur with other comments re: restricted boot Posted Dec 31, 2012 23:41 UTC (Mon) by dskoll (subscriber, #1630) [Link] Restricted boot is a major loss. Unless/until manufacturers are forced to let users install their own keys (maybe under threat of anti-trust lawsuits), the free software community will be immeasurably harmed by restricted boot.
Concur with other comments re: restricted boot Posted Jan 1, 2013 0:07 UTC (Tue) by Trelane (subscriber, #56877) [Link]
Perhaps people will frickin' finally start buying Linux PCs so that the Linux vendors can gain some leverage back in China over the ODMs so that we can have Good Hardware for Linux like Apple has. That would be a win in my book.
Concur with other comments re: restricted boot Posted Jan 1, 2013 0:16 UTC (Tue) by daniel (subscriber, #3181) [Link]
That's what I do now. Five out of five of my last five machines were bought from Linux PC specialists, or companies that preinstall Linux. I can highly recommend endpcnoise.com and I will let you know how kire.com works out after I get my rebadged laptop from them later this month.
Not to say that antitrust suits should not be launched over restricted boot. I would gladly support that. Sue everybody in sight, especially in Europe where the penalties are likely to be more than token. It's an outrage and yet another embarrassing failure of regulation and business ethics.
Concur with other comments re: restricted boot Posted Jan 1, 2013 0:21 UTC (Tue) by daniel (subscriber, #3181) [Link]
Oh, antitrust suits and FTC action are far from from the only options, stateside. This is just crying out for class action. Microsoft and every one of its toady OEMs playing along willingly or forcibly should be held to account. Looks to me like a profitable project for some hungry law firm.
Concur with other comments re: restricted boot Posted Jan 1, 2013 0:48 UTC (Tue) by khc (subscriber, #45209) [Link]
kire.com is listed for sale, not very reassuring :-)
Concur with other comments re: restricted boot Posted Jan 1, 2013 1:33 UTC (Tue) by Trelane (subscriber, #56877) [Link]
Perhaps http://thelinuxlaptop.com/products_new.php was meant?
Concur with other comments re: restricted boot Posted Jan 1, 2013 1:37 UTC (Tue) by khc (subscriber, #45209) [Link]
did I read that page right? Their laptops are 3-4 inches thick?
Concur with other comments re: restricted boot Posted Jan 2, 2013 11:30 UTC (Wed) by nhippi (subscriber, #34640) [Link]
I have seen some http://www.system76.com/ Linux laptops at a bit over 1" thickness.
I also think restricted boot will be blessing in disguise - It finally opens the market for Linux hardware specialists.
Concur with other comments re: restricted boot Posted Jan 1, 2013 1:35 UTC (Tue) by Trelane (subscriber, #56877) [Link]
Thanks for the vendor info! I'm always on the lookout for good Linux vendors.
Concur with other comments re: restricted boot Posted Jan 1, 2013 17:22 UTC (Tue) by ebirdie (subscriber, #512) [Link]
Excited from the high recommendation toward endpcnoise.com as a Linux vendor I hastily browsed around at the endnoise.com site to find their words about their dedication toward Linux and all the values of freedom associated with it as discussed here. Finally I had to make Google's site-search. The best I could find was this:
http://www.endpcnoise.com/cgi-bin/e/more_info/1111442.html
On the page there is quite hallow asterisk in the end of first clause. Scrolling the page down all the way to bottom you'll get:
"*All systems, including those with Linux or without an operating system installed are built a stress tested under Microsoft Windows. If Linux or no operating system is selected Microsoft Windows will be erased after stress testing has completed successfully. We can only provide limited support Linux operating system problems."
Of course offering Ubuntu as option is better than mainstream of vendors can do, what I can tell, but still I wouldn't call this a Linux hardware vendor offering hardware stress tested as equally or, preferably, better with Linux than with Windows. There isn't any word, whether the components they use in their assemblies are assured to have decent working drivers in Ubuntu as in Windows or do they happily sell you a system with Ubuntu, but they don't make any claims that e.g the graphics card works beyond very basic fb-driver offering only VGA resolutions.
Concur with other comments re: restricted boot Posted Jan 1, 2013 1:04 UTC (Tue) by gregkh (subscriber, #8) [Link]
The Microsoft's UEFI rules _require_ that you be able to install your own keys. I have yet to see a BIOS that does not follow that rule, have you? If so, details please, and I will be glad to resolve the issue.
Concur with other comments re: restricted boot Posted Jan 1, 2013 1:52 UTC (Tue) by dskoll (subscriber, #1630) [Link] Microsoft's UEFI rules may currently require this, but Microsoft should not be in a position to make the rules in the first place. Secure Boot rules need to be maintained by an impartial, not-for-profit standards body that has no vested interest in any particular operating system... maybe something like the IEEE. But definitely not in the hands of Microsoft.
Concur with other comments re: restricted boot Posted Jan 1, 2013 2:25 UTC (Tue) by Trelane (subscriber, #56877) [Link]
And also other keys are worthless since the device firmware (e.g vid card) is signed with only the msft key. So you lose the opportunity to detect hacked firmware.
Concur with other comments re: restricted boot Posted Jan 1, 2013 18:28 UTC (Tue) by gregkh (subscriber, #8) [Link]
Microsoft can make whatever "rules" it wants, it's up to the OEMs if they wish to follow them or not.
It's been this way for over 15 years, this is nothing new at all, Linux has been handling this type of thing (remember the PC99 rules?) and will continue to do so just fine.
The UEFI group has specified what the Secure Boot rules are, and Microsoft, as the signing authority, can do what it wants to do on top of that if it wants to. If you don't like Microsoft's signing authority rules, then work with the OEMs to get your key into the BIOS so that you will not have to worry about anything. But be prepared to work with the OEMs and abide by their requirements, which are very strict.
Concur with other comments re: restricted boot Posted Jan 1, 2013 22:44 UTC (Tue) by dskoll (subscriber, #1630) [Link] Microsoft can make whatever "rules" it wants, it's up to the OEMs if they wish to follow them or not. Translation: Microsoft can make whatever "rules" it wants, it's up to the OEMs to decide whether or not they wish to remain in business. If you don't like Microsoft's signing authority rules, then work with the OEMs to get your key into the BIOS so that you will not have to worry about anything. That's the wrong approach. The right approach is for the UEFI standard to specify a standard way for a computer owner to load keys of his/her choice into the BIOS and indicate that software signed by those keys should be trusted.
Concur with other comments re: restricted boot Posted Jan 1, 2013 22:56 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
UEFI doesn't specify UI.
Concur with other comments re: restricted boot Posted Jan 2, 2013 0:16 UTC (Wed) by dskoll (subscriber, #1630) [Link] I don't understand what you mean by that. Surely someone can write a spec that says something like: "Where a UEFI-enabled motherboard supports optical disk drives or USB mass-storage devices, a certified UEFI BIOS shall provide and document a way to install user-supplied keys in the following standard format from a USB key or optical disk (...)" As long as the key format is documented and the keystrokes / mouse clicks / whatever to get the BIOS to load them are documented, then that should make everyone happy.
Concur with other comments re: restricted boot Posted Jan 2, 2013 0:28 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
How can a firmware spec define the documentation that a system vendor includes?
Concur with other comments re: restricted boot Posted Jan 2, 2013 1:57 UTC (Wed) by dskoll (subscriber, #1630) [Link] How can a firmware spec define the documentation that a system vendor includes? It could work something like this: A disinterested third party owns the trademark to "UEFI" or "Secure Boot" or whatever, and the spec can say that a system vendor cannot claim compliance unless it provides some documented way (that doesn't require permission from a particular vendor) to load user-supplied keys in a standard format. Plenty of specs leave the details up to the specific implementation but still say that there must be some documented way to do something to claim compliance.
Concur with other comments re: restricted boot Posted Jan 2, 2013 2:03 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
UEFI isn't a trademark. The consortium's bylaws do permit the creation and ownership of trademarks, but requires that they be licensed to all members provided that they implement the full set of features or functions. Documentation isn't part of that. Even then, manufacturers would be unlikely to use the trademark and so still wouldn't be bound.
Concur with other comments re: restricted boot Posted Jan 2, 2013 16:25 UTC (Wed) by dskoll (subscriber, #1630) [Link] You are describing what is. I am describing what should be. The only question is how we get from "is" to "should be". Maybe it will take a lawsuit to wrest control away from Microsoft or at least rule that a Windows 8 PC must allow non-secure booting or the ability to install additional signing keys. But something needs to be done to prevent Microsoft from being able to change the Windows 8 PC rules whenever it wants.
Concur with other comments re: restricted boot Posted Jan 2, 2013 16:29 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
That would involve them having actually broken a law. It's not obvious that they have.
Concur with other comments re: restricted boot Posted Jan 2, 2013 16:41 UTC (Wed) by dskoll (subscriber, #1630) [Link] Microsoft probably has not broken any law with their Windows 8 rules. But monopolies can be and are regulated before they break any laws. It just takes political will.
Concur with other comments re: restricted boot Posted Jan 3, 2013 8:43 UTC (Thu) by ebirdie (subscriber, #512) [Link]
Affecting to the political will is very very unpractical mission in this context IMHO. Although I do agree it is a good mission for already established free software organizations to get people and companies aware that monopolies are bad, really bad, for their economy and wellbeing, exception where the monopoly directly feeds them, and make cases, how this particular monopoly affects in various ways. Still it is a long shot and will get heavy countermeasures, which may hold the organizations from the mission in the first place.
Concur with other comments re: restricted boot Posted Jan 3, 2013 9:23 UTC (Thu) by dskoll (subscriber, #1630) [Link] I'm more optimistic than you. This fight only has to be won in one largish jurisdiction. Imagine if a government of a medium-sized country mandated that all systems it purchases (or better, all systems sold in that country) must permit end-users to disable secure boot and/or install their own keys. We'd win everywhere because motherboard manufacturers are not going to make special-case systems for one jurisdiction, nor would they be willing to cede that market to competitors. Yeah, there's no political will in the US, whose government is utterly dysfunctional anyway, but we should press this issue everywhere.
Concur with other comments re: restricted boot Posted Jan 3, 2013 15:42 UTC (Thu) by andrel (subscriber, #5166) [Link]
The US federal legislature is dysfunctional. Many other branches of government within the country are not. In particular, Sacramento probably became a lot more functional after the last election.
As you say, no mobo manufacturer is going to cede the California market.
Concur with other comments re: restricted boot Posted Jan 3, 2013 15:55 UTC (Thu) by gregkh (subscriber, #8) [Link]
Again, all x86 UEFI systems today that ship, already have the ability for a user to disable secure boot and add their own keys to the system to allow them to use secure boot with their own control.
So "mandating" this isn't really going to change anything.
Unless you really care about ARM UEFI systems, and if so, why?
Concur with other comments re: restricted boot Posted Jan 3, 2013 16:44 UTC (Thu) by dskoll (subscriber, #1630) [Link] So "mandating" this isn't really going to change anything. It certainly will:
Microsoft currently sets the rules, but please tell me what the penalty is for "accidentally" selling a system that only boots Windows?
Concur with other comments re: restricted boot Posted Jan 3, 2013 17:04 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
Supposedly, their membership in the certification program is terminated. If you find any examples, let me know and we'll find out.
Concur with other comments re: restricted boot Posted Jan 4, 2013 15:19 UTC (Fri) by dskoll (subscriber, #1630) [Link] Well, did Lenovo fix this bug or have they just not cared?
Concur with other comments re: restricted boot Posted Jan 4, 2013 15:29 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
That's got nothing to do with the shim approach, so it doesn't seem like what Jon's talking about.
Concur with other comments re: restricted boot Posted Jan 4, 2013 14:34 UTC (Fri) by wookey (subscriber, #5501) [Link]
I care about ARM UEFI systems because there are going to be lots of them. Just as many as x86 one day (very probably). It's vital that people have the same rights to install the OS of their choice as on x86.
At the moment OEMs cannot let people install their own keys _and_ enable Windows to run on their hardware (right?). They shouldn't have to make that choice. OEMs and purchasers will have to choose whether they want to make/sell/buy 'ARM hardware for Windows' or 'ARM hardware for everything else'. ARM servers are general-purpose in just the same way x86 ones are (and will look almost identical from the software perspective once both are booted with UEFI). Dominent-vendor rules like these are at best very unhelpful.
Hopefully it will keep both OEMs and pruchasers away from Microsoft until they are forced to change the rules, but it could turn out to just be a massive pain for everyone.
Anyone who says 'It's OK because I can install my keys on x86 - ARM is just for devices where no-one changes the OS' is being very shortsighted.
Concur with other comments re: restricted boot Posted Jan 4, 2013 15:41 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
Microsoft doesn't currently support anything but Windows RT on ARM, so from the server side there's no problem for at least a couple of years yet.
Concur with other comments re: restricted boot Posted Jan 1, 2013 21:47 UTC (Tue) by Lennie (subscriber, #49641) [Link]
"The Microsoft's UEFI rules _require_ that you be able to install your own keys."
No you are wrong, here are the 2 policies for OEMs:
- on ARM: secure boot enabled, Microsoft keys install and NO way to disable secure boot and NO way to install user supplied keys. In practise this means you can't even install Linux, even when signed !, on Windows RT/ARM-device like the "Surface": http://mjg59.dreamwidth.org/21189.html
Concur with other comments re: restricted boot Posted Jan 8, 2013 6:00 UTC (Tue) by Jonno (subscriber, #49613) [Link]
Actually, you are also wrong:
- on x86/AMD64: secure boot enabled by default, Microsoft keys installed and a way to (1) disabled secure boot *OR* (2) install user supplied keys
I predict most consumer motherboards will offer (1) but not (2), while most enterprise motherboards will offer (2) but not (1)...
Concur with other comments re: restricted boot Posted Jan 8, 2013 15:42 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
No, both are required for all x86 systems.
Concur with other comments re: restricted boot Posted Jan 8, 2013 18:23 UTC (Tue) by nix (subscriber, #2304) [Link]
Really? Someone better tell Asus then, because my six-month-old motherboard has UEFI boot and a disableable Secure Boot (off by default), but no way to install your own keys. (That I could determine: both the BIOS screen and the motherboard manual are the typical Asus near-incomprehensible scrambled pseudo-English, so I may have overlooked something, only they never use the words 'secure boot' in the manual at all, so they're being very subtle in their docs if so...)
(This is the same motherboard that uses a custom sensor chip built for Asus only, where both Asus and the chip manufacturer refuse to provide any documentation on the grounds that they are prohibited from doing so by an NDA with the other party. Neat trick.)
Concur with other comments re: restricted boot Posted Jan 8, 2013 18:26 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
It depends on how they implement "disable" - if it handles it by just clearing the platform key, the user can then install keys using the standard SetVariable() calls. But if it's 6 months old, it's probably also not Windows 8 certified.
Concur with other comments re: restricted boot Posted Jan 9, 2013 18:51 UTC (Wed) by nix (subscriber, #2304) [Link]
Since disabling is an operation you can undo, it's probably not done by clearing anything (though it might be a temporary removal).
More likely, it's just not Windows 8 certified as you suggest. That does rather suggest that 'all x86 platforms' will do whatever the hell ugly hacks their BIOS/mobo vendors want, though. Asus is not a small mobo vendor...
Concur with other comments re: restricted boot Posted Jan 9, 2013 20:12 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
Enable may just be restoring the default keys. Alternatively, enable may enable it without installing any keys, leaving that up to the end user. This is why we ended up going with a solution that doesn't depend on the motherboard offering any specific set of options.
Concur with other comments re: restricted boot Posted Jan 1, 2013 2:05 UTC (Tue) by brianomahoney (subscriber, #6206) [Link]
If you are in Europe write to Commissioner Joaquín Almunia, European Competition Commissioner, 1049 Bruxelles/Brussel,BELGIQUE/BELGIË, Fax: +32 02 29 80 999, who succeeded Frau Nellie Kroes as Competition Commissioner, they already have new process against M$, and draconian powers like 10% world wide earnings per day for non-compliance.
BTW, dont worry about ARM, M$ has almost 0 market share in the ARM marketplace and is unlikely to get any any time soon ... its a whole different ball game, If you are a 86-ish mo-bo vendor and piss M$ off you are in a world of hurt, in the mobile/pad/ESPECIALLY automobile (20-25% of the embedded market, entertainment especially multi-seat ... think planes (the A380 has 500+ seats/plane) and they are much more worried about FAA/EU type approval than anythin g M$ can do.
Die besten Wünsche für ein glückliches und erfolgreiches neues Jahr aus der Schweiz, Brian
Concur with other comments re: restricted boot Posted Jan 2, 2013 2:09 UTC (Wed) by salimma (subscriber, #34460) [Link]
The worry about ARM is not Restricted Boot per se, it's that most other vendors implement similar or even more draconian boot lockdowns.
And the most open widely-deployed platform (Android) let manufacturers do what they want regarding this -- it'd be nice if they standardize this but require a greater degree of openness -- similar to what the Nexus devices currently offer.
Concur with other comments re: restricted boot Posted Jan 1, 2013 7:54 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
Well, thank fuck x86 PC manufacturers are being forced to implement key management by the same invisible hand that's forcing them to implement this security measure in the first place.
The H Year: 2012's Wins, Fails and Mehs Posted Jan 1, 2013 6:21 UTC (Tue) by gmaxwell (subscriber, #30048) [Link]
It's kinda sad that we have a name for the negative behavior ('Restricted Boot') but no real name for the use of secureboot in ways which which are purely user positive.
'BootFreedom' perhaps, but that sounds like a even broader thing than not being RestrictedBoot.
This lack is unfortunate because along with encouraging makers to not restrict their users we should encourage them to market the fact that they don't— so that not restricting users becomes something manufactures compete on.
The H Year: 2012's Wins, Fails and Mehs Posted Jan 1, 2013 7:56 UTC (Tue) by pabs (subscriber, #43278) [Link]
How about "user freedom"?
The H Year: 2012's Wins, Fails and Mehs Posted Jan 1, 2013 8:34 UTC (Tue) by gmaxwell (subscriber, #30048) [Link]
Good essay, though perhaps "user" has some of the problems we have when taking about "content" (e.g. art, music, movies) and "consumers" of it in that it automatically places the thing we're talking about in a narrow box. Someone who practices the freedom to change software is surely a developer— in the language of people-in-boxes— not a user. Why care about user's freedom to do something they don't do by definition?
I guess that talking about 'freedom' without great care runs into the problem that suggesting to someone that they are being oppressed is a quite uphill battle: (imagine a Monty python sketch) "See here! you're being oppressed!" "Uh. No I'm not" "Yes you are!" "If _I_ were being oppressed you can be sure I'd already know it!" "No sir, you can only be free if you stand on one leg!" "One leg you say? Well that doesn't sound free at all! It sounds bloody inconvenient!" "maybe a little, but if you use both then you have to buy two shoes!" "but everyone buys two shoes!" "now you see how insidious the oppression is!" […]
I wonder if more effective when we talk about abstract freedom in terms of what _other people_ should have a right to while the _personal_ discussion should center more on the concrete things they can and can't do ('Can you change the OS on your computer?', 'can a third party evaluate this system for spyware?'). Though maybe I'm falling into the trap of 'open source'— but I don't think so, I suggest this not because of any discomfort in talking about freedom, but rather because people just seem unwilling to believe they don't have it ("I'm quite free, I can facetime with any Apple approved device I want!") but more willing to believe that other people are being deprived it.
On further contemplation I wonder if my suggestion that there be a name for secureboot-freedom-as-a-feature isn't actually a bad one. The line between a restriction and a missing functionality can be blurry to people: Many people seem unaware of restrictions on their ebook devices because without an obvious copy button that tells them "no" the inability to copy just seems like one of an infinite number of benignly non-implemented features. Promoting freedom as a feature runs the risk of making non-freedom sound like a regrettable but perhaps forgivable omission rather than a hostile act of control.
The H Year: 2012's Wins, Fails and Mehs Posted Jan 1, 2013 13:01 UTC (Tue) by khim (subscriber, #9252) [Link] I think all these talks are look so crazy to Joe Average because they miss the mark and use exaggerative hyperbole. Guys, please. Can we stop with this "your freedom" nonsense? This is not problem of freedom (nobody holds the gun and forces you to buy the Microsoft Surface, right?), but it's still a problem of deception. People are "buying" things and they often feel they own them after said fact, but in reality they are mere renters if something like undisableable Secure Boot is used: real owner (Microsoft if that's the only entity who can sign the keys) can remotely disable the device at any point. This distinction was already discussed and I think it's better to drop this "slavery" analogue as totally flawed. If we'll start talking about "devices which are sold to you but which you don't really own" then people will understand you much better: most Joe Averages already had some experience when they wanted to have something and were unable to have it because real owner refused to cooperate (be it desktop-style applications on Microsoft Surface or Google Voice on an iPhone) and they understand how the devices they supposedly "own" sometimes restrict them because real owner wants to do that.
|
|||||||||||||