Garrett: UEFI secure booting [LWN.net]

Matthew Garrett has posted an article about the UEFI "secure boot" feature and its potential impact on Linux.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

As he notes, it is not time to panic yet, but it is worth being concerned about. Those who are interested in learning more about Microsoft's plans may want to watch this video which describes them in detail.

to post comments

Simple solution

Posted Sep 20, 2011 19:16 UTC (Tue) by dskoll (subscriber, #1630) [Link] (47 responses)

Don't buy systems that forbid you from either disabling the feature or inserting your own trusted signing key.

Every attempt to lock down the PC in the past has failed because of market pressure. This won't be different.

Simple solution

Posted Sep 20, 2011 19:49 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (45 responses)

Hello?

Ever heard about this thing called "Apple App Store"?

And how Windows 8 will only accept Metro-style applications only from Windows Store?

Simple solution

Posted Sep 20, 2011 20:25 UTC (Tue) by dskoll (subscriber, #1630) [Link] (44 responses)

Ever heard about this thing called "Apple App Store"?

That was not an "attempt to lock down the PC". The Apple App store is a designed-from-the-ground-up walled garden that appeals to a certain segment of the population.

Simple solution

Posted Sep 20, 2011 20:28 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (43 responses)

It's one small step away from a 'locked-down PC'.

All you need is to lock-down Mac OS X and that's it.

Simple solution

Posted Sep 20, 2011 20:30 UTC (Tue) by dskoll (subscriber, #1630) [Link] (42 responses)

Sorry, by "PC" I meant the standard Wintel PC which (despite all the bad things I think about MSFT) has traditionally been relatively open compared to Apple's products.

I do not believe the standard Wintel PC market will tolerate locked-down systems that cannot be unlocked. Maybe I'm too optimistic... I hope not, but I guess we'll see.

Simple solution

Posted Sep 20, 2011 20:48 UTC (Tue) by martinfick (subscriber, #4455) [Link] (40 responses)

It may. But it also could just be another nail in its coffin. The Wintel PC has a limited life expectancy at this point. While it may not become completely irrelevant soon, I wouldn't be surprised if it got to the point sooner than later, where people will say things like they used to say about IBM and mainframes: "Did you know that Windows PCs aren't really dead? In fact, MS and Intel sell more of them now then ever!" ;) Of course, since everyone will have at least 5-10 personal computing ARM devices, it just won't seem like much. PCs will be relegated to things like offices to run legacy office applications while ARM (mostly android) devices will be used everywhere else. Children will grow up soon without being exposed to word docs, or other strange office proprietary formats, they will have no desire for a "legacy office" machine at home anymore.

Simple solution

Posted Sep 20, 2011 20:58 UTC (Tue) by dlang (guest, #313) [Link] (34 responses)

sure, kids will type their homework reports completely on their phone.

somehow I don't think that will happen. phones are great for some things, as are tablets, but without a full size screen and keyboard there are many things that they are just horrible for.

now, the computer of the future may be a handheld device that plugs into a full size screen and keyboard, but when used in that mode it's a desktop, and the mindset of a mobile device doesn't work as well in that mode (and the apps are seriously lacking for current mobile OSs)

Simple solution

Posted Sep 20, 2011 21:19 UTC (Tue) by martinfick (subscriber, #4455) [Link] (25 responses)

> sure, kids will type their homework reports completely on their phone.

Most homework is not a report. How many of those did you write in your ~12 years of primary education? I suspect you could count them on your fingers.

Most other homework will be (is already) web apps, with very little typing.

> now, the computer of the future may be a handheld device that plugs into a full size screen and keyboard, but when used in that mode it's a desktop

You may perhaps call it a desktop at that point, but it isn't a "legacy office PC", and this mode will be the non standard way to use a device (it is already for me).

> (and the apps are seriously lacking for current mobile OSs)

As for apps? I thought the whole reason for apps is because your phone was too small to display a full web page (oops, did I say that out loud? I hope the app producers didn't hear me!), or for games. Really, why do I need apps on a tablet, so I can pay $5K for a picture of a diamond? The most common apps will all be (are) free open source utilities that come with the devices.

Simple solution

Posted Sep 20, 2011 22:47 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link]

Most homework is not a report. How many of those did you write in your ~12 years of primary education? I suspect you could count them on your fingers.

Only because I finger count in binary. I doubt I did more than 1023 reports in my primary education, but there were some classes where we had multi-paragraph essays as fairly routine homework. I don't think I'd want to type those using an on-screen keyboard.

You may perhaps call it a desktop at that point, but it isn't a "legacy office PC", and this mode will be the non standard way to use a device (it is already for me).

The first point is fair- though I bet Microsoft tries their best to make mobile windows machines as much like legacy PCs as possible when they're connected to a dock- but I think it's a mistake to predict too far in advance. I expect that mobile computing is the future. Just as many people now have replaced their desktop machines with laptops, I expect many people to replace their laptops with mobile computers. This will require some change in infrastructure and programming practice, but I expect it to be common practice soon enough.

Simple solution

Posted Sep 21, 2011 0:22 UTC (Wed) by dskoll (subscriber, #1630) [Link] (23 responses)

Most other homework will be (is already) web apps, with very little typing.

I don't know where your kids go to school, but that does not in any way describe my kids' homework. They have to produce many reports, essays, labs, etc. that require a lot of text.

Simple solution

Posted Sep 21, 2011 17:40 UTC (Wed) by rahvin (guest, #16953) [Link] (19 responses)

The OP might be from a country other than the US. People outside the US fail to realize how much homework busywork and torture is fostered on US children. I believe it's a conspiracy to make education be viewed badly by the majority.

Simple solution

Posted Sep 21, 2011 20:25 UTC (Wed) by jackb (guest, #41909) [Link] (17 responses)

I believe it's a conspiracy to make education be viewed badly by the majority.

It's more of a design feature than a conspiracy. You can't call it a conspiracy when the alleged conspirators wrote and published books describing exactly what they were doing and why.

It's sad that you're probably serious

Posted Sep 21, 2011 22:32 UTC (Wed) by tialaramex (subscriber, #21167) [Link] (16 responses)

When someone writes this...

"we know almost everyone learns to drive well in a few hours"

... about one of the leading causes of preventable death in their country, you know they're past the point where they care if what they're saying is true.

It's sad that you're probably serious

Posted Sep 21, 2011 23:14 UTC (Wed) by martinfick (subscriber, #4455) [Link] (14 responses)

I am trying to understand what you are saying is preventable? Are you suggesting that one of the leading causes of preventable death in some country is "people driving only hours after they learned to drive", and that if those people were prevented from driving that the death rate in that country would be greatly affected compared to what it is today? Strange thought, do you have any evidence to back this up?

It's sad that you're probably serious

Posted Sep 22, 2011 0:34 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (13 responses)

RTAs are a preventable cause of death. The main reason they occur is that people aren't actually any good at driving. Basically the author has it upside down, instead of the situation being that anyone with a few hours on their hands can learn to be a good driver and therefore everyone gets to drive a car, the reality is that society decided everyone gets to drive a car, and so even though most of us are _bad_ drivers, that has to suffice.

Collective arrogance doesn't help, most drivers believe they're better than average, and although many have been in at least one accident of some kind, very few believe they were even partly to blame...

It's sad that you're probably serious

Posted Sep 22, 2011 5:29 UTC (Thu) by jackb (guest, #41909) [Link] (12 responses)

The main reason they occur is that people aren't actually any good at driving.

Rather that rely on subjective judgments of "good" and "bad" I find it helpful to refer to objective facts instead.

At least in the United States the data on the number of miles driven per year is publicly available as is the number of automobile accidents per year and the number of automobile-related deaths per year.

The last time I looked at those statistics the average number miles driven before an accident is 500,000 and the average number of miles driven between fatalities is 80 million.

I can't measure "good driving" but the data tells me that the average driver in the US has a 0.0002% failure rate when measured on a per-mile basis and the fatality rate is nearly two orders of magnitude lower.

If you have another way of measuring "not good at driving" besides the objective outcomes of accidents and fatalities I'd be interested in hearing it.

It's sad that you're probably serious

Posted Sep 22, 2011 9:49 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (11 responses)

This has gone very far off topic.

They're bad drivers because they drive badly. They make unsafe manoeuvres, they drive at unsafe speed, they create distracting environments, they disobey or don't even notice traffic signals, they drive while unfit, and so on.

The accidents are the _result_ no matter how you try to diminish them. The US record on motor car fatalities is particularly horrendous, as much as ten times worse per person than other economically similar countries in the same year. Many factors have a role to play, it's hard to untangle lax driver standards from the mix but they're in there.

On the ground civil agencies just work with the reality of society's decision. Bad drivers will be put behind the wheel of several tonnes of rolling metal, they will be too distracted to look where they're going for a few vital seconds and they will hit a truck. So we have to design the car and the truck so that when (not if) this happens the accident is as survivable as possible. That's why death rates have gradually fallen, the drivers remain just as bad, but their mistakes cost less lives. But it's a gross mis-statement to pretend that since we've re-shaped our whole society around this decision therefore people are good drivers.

It's sad that you're probably serious

Posted Sep 22, 2011 16:19 UTC (Thu) by rahvin (guest, #16953) [Link] (2 responses)

Agreed that this is very off topic, but I can't let what you said stand without response as this is my field of expertise. Every human makes mistakes every single day. It doesn't make someone a bad driver because they make a mistake. The single most important factor in accidents happening isn't the quality of the driver, but whether two drivers make simultaneous mistakes. In the vast majority of cases an accident will only occur when one driver makes a mistake followed by the subsequent mistake by a second driver that allows the accident to happen.

There are exceptions to this rule such as a driver running a red light where a single driver can cause an accident without time for the other party to react but in general accidents happen because someone makes a mistake and the second party in the accident makes a mistake in responding or not responding to the first mistake. As an example, a driver speeding (maybe they are late to work and in a hurry so they don't get fired), most of the time there is no hazard in doing this and the majority of people do it, but it IS a mistake. Then a second driver makes a mistake and cuts off the speeder without time for the speeder to react causing an accident.

But if you want to see the truth in this watch more closely the drivers around you for a few days. See the mistakes that are made (applying hard braking for no reason, speeding, looking at scenery, etc) and simply ask yourself what mistake another driver would have to make to cause an immediate accident with the first driver.

Oh don't get me wrong, there are bad drivers, they just aren't the majority like some people make out.

It's sad that you're probably serious

Posted Sep 23, 2011 3:33 UTC (Fri) by JEDIDIAH (guest, #14504) [Link] (1 responses)

The whole problem with the "but everyone makes mistakes" mentality is that some people actively tempt fate on a constant ongoing basis. They aren't just making mistakes. They demonstrate a pervasive pattern of recklessness. They aren't just "screwing up occasionally". They are screwing up constantly and it's only because of the vigilance of other drivers that there aren't even more accidents and fatalities.

It's similar to how some companies approach how their products are engineered.

It's sad that you're probably serious

Posted Sep 23, 2011 17:05 UTC (Fri) by Wol (subscriber, #4433) [Link]

And you've missed the point another person made. The MAJORITY of drivers believe they are BETTER than average. In other words, a lot of them just have to be fooling themselves. And it's a well-known psychological phenomenon that, given poor feedback (which is inevitable given that most drivers ride solo most of the time), people over-estimate their abilities.

Make EVERYONE attend a training school every couple of years, where they are scored on a statistical deviation basis (like IQ - average is 100, SD is 15, results massaged to fit) and driving standards would probably improve dramatically. Just by telling people the results - no coercion required!

Cheers,
Wol

It's sad that you're probably serious

Posted Sep 22, 2011 16:45 UTC (Thu) by jackb (guest, #41909) [Link] (7 responses)

The accidents are the _result_ no matter how you try to diminish them. The US record on motor car fatalities is particularly horrendous, as much as ten times worse per person than other economically similar countries in the same year. Many factors have a role to play, it's hard to untangle lax driver standards from the mix but they're in there.

Which countries have accident rates less than 1 per every 5 million miles (8 million km) driven?

It's sad that you're probably serious

Posted Sep 23, 2011 6:59 UTC (Fri) by niner (guest, #26151) [Link] (6 responses)

According to http://en.wikipedia.org/wiki/File:Traffic_related_deaths_... countries with lower accident rate than the US include the UK, Sweden, Finnland, Switzerland and Australia. Unfortunately for most countries there's no data. Accident rate is usually given in accidents per capita.

It's sad that you're probably serious

Posted Sep 23, 2011 11:05 UTC (Fri) by Trelane (guest, #56877) [Link] (5 responses)

The units aren't the same (per capita vs per base length driven).

Per capita clearly (to first order) is going to trend lower with lower per capita levels of car ownership, and I'd guess that the us has much higher rates of car ownership than those countries. Per length is murkier; it would be lower with longer unpopulated distance, but driver effects like highway hypnosis and driver fatigue would counter that.

It's sad that you're probably serious

Posted Sep 23, 2011 18:40 UTC (Fri) by dlang (guest, #313) [Link] (4 responses)

I doubt if most people realize how much driving is common in the US. In all but a very small handful of cities, things tend to be _very_ spread out and as a result the number of miles driven is very high. This is the case even in 'urban' environments.

I agree that per mile stats are a far better picture of real risk than per capita stats.

This is a large part of the reason why public transportation doesn't work well in the US.

Public transportation works well if you have a very dense population center that you can saturate with public transportation. New York City is a great example of this with it's subway grid.

It also works well if you have a major work area with an outlying population and can have radial feeds into the downtown areas. Cities that grew up around a single major factory complex or who have a huge amount of downtown business skyscrapers meet this criteria.

but everywhere else, the cost of building public transportation Infrastructure (and then running it) that would be able to get everyone where they need to go with both a decentralized worker pool and a decentralized work area is so high that it is impractical. And as soon as people start needing to have their own care to get to some of the places they need to go routinely, the marginal cost of using that car to go elsewhere is small. As a result it becomes more cost effective to upgrade the road grid than to build enough public transportation to eliminate it.

It's sad that you're probably serious

Posted Sep 23, 2011 18:55 UTC (Fri) by martinfick (subscriber, #4455) [Link] (3 responses)

> As a result it becomes more cost effective to upgrade the road grid than to build enough public transportation to eliminate it.

I doubt this is actually true. I think most people underestimate the real recurring costs of roads and cars put together. In fact, I suspect that is the real reason they are the primary transportation mechanism in the US: more expensive roads and the need for cars / gas makes more businesses dipping into the pie needed to support this infrastructure. This in turn means more political clout. It's a pretty safe bet in the US (not ruling anywhere else out here) that any solution to any problem which costs more will likely be adopted by political parties (and pushed by businesses/interest groups).

It's sad that you're probably serious

Posted Sep 23, 2011 19:14 UTC (Fri) by dlang (guest, #313) [Link] (2 responses)

don't forget the large ongoing cost for public transportation in terms of both labor costs and maintenance cost for the rolling equipment.

railroads are very expensive to build, but (on a per-ton-mile basis) very cheap to operate.

but if you don't have a lot of cargo/people to transport the ongoing savings won't catch up with the initial infrastructure costs.

bus transportation is cheaper in that it can use the same road infrastructure as cars do, but you have to pay the driver and vehicle maintenance even if you don't have any riders. Bus service is also significantly slower than personal car transportation.

I lived in the greater Los Angeles area for a little over 6 years without having a car. During this time I lived pretty close to bus routes (within two blocks of both north/south and east/west routes). It can be done, but it's very inconvenient.

It's sad that you're probably serious

Posted Sep 23, 2011 19:34 UTC (Fri) by martinfick (subscriber, #4455) [Link] (1 responses)

> railroads are very expensive to build

I don't even buy that. They utilize way less land than roads do. Even a massive high speed rail is thinner than a small neighborhood road. The steel is likely the only really high ticket item.

You have to also think about what you are comparing. It is not fair to compare RRs designed for interstate freight traffic to local roads. If RRs were to be used for more local transportation, they would have scaled down by now to something that would not be recognizable as normal RRs. There would be much lighter weight rails than what is even considered light weight today. We would be using very small gauge rails to run through our neighborhoods. The cost of these would be significantly less than those of major RR lines today.

Oh, and it really doesn't help to use he word "public" in any of this conversation. Roads are just as public (or not) as rails/buses/trains. All are mostly funded by taxes. It is not a good differentiator when comparing transportation modes.

It's sad that you're probably serious

Posted Sep 24, 2011 2:16 UTC (Sat) by dlang (guest, #313) [Link]

railroads are far more sensitive to grade and unevenness than roads are.

don't discount the cost of the rails, over miles that really amounts to a large amount

also, all the control points where other traffic needs to get stopped to let the railroad go through cost

then you have the need to engineer specific places where the traffic can be redirected (switches, etc)

what makes railroads efficient to run is that they have very low friction, and as a result you can pull the same load with less power. As a result of having lower power for a given weight (and less friction with the tracks), trains accelerate slower than normal vehicles. due to less friction, they decelerate slower as well. As a result you want to avoid having the train make speed changes as much as possible

if you are going to stop frequently (and don't have a huge volume of passengers that need to fit in each vehicle), then dedicated busways (2 lane roads usable only by buses, with railroad like crossing guards) are actually cheaper, and the buses can leave the busways and use normal streets as well.

It's sad that you're probably serious

Posted Sep 22, 2011 7:13 UTC (Thu) by wichert (guest, #7115) [Link]

That depends on how they interpret 'driving'. The technical aspect of driving (starting your car, steering, etc.) is quite simple and can easily be learned in a few hours. There is a huge number of other skills that are harder to learn: knowing the rules, being aware of what is happening around you at all times, reacting properly if someone unexpected happens, etc. In my experience (The Netherlands) driving lessons and exams are only 10% about technicalities and 90% about everything else.

Simple solution

Posted Sep 22, 2011 14:37 UTC (Thu) by dskoll (subscriber, #1630) [Link]

I am from Canada. While it's true that my kids get a lot more homework than I remember getting, I don't think it's all (or even mostly) busy-work. The occasional time my kids came home with useless homework, I just wrote a note to the teacher saying I told the kids not to do it, and that was the end of it.

Simple solution

Posted Sep 23, 2011 22:50 UTC (Fri) by bronson (subscriber, #4806) [Link] (2 responses)

Typing has already been solved! Seen all the keyboard cases for the ipad? At less than $100 they're very affordable.

http://www.zagg.com/accessories/logitech-ipad-2-keyboard-...

http://www.newegg.com/Product/Product.aspx?Item=N82E16858...

(I'd link directly to the Kensington site but their idiotic "click on your region of the world" feature makes that impossible)

I got to play with the Kensington today... it's actually surprisingly nice! Only downside is now your thin ipad2 is now as thick as a netbook... That's easily fixed: just slide the ipad out of the case when you don't need the keyboard. Also, it would be nice if they used some Velcro to make the stack more stable when the tablet is in vertical mode.

I'm looking forward to playing with the Asus Transformer too.

Simple solution

Posted Sep 30, 2011 19:25 UTC (Fri) by Baylink (guest, #755) [Link] (1 responses)

What's the over/under on Unicomp coming out with a rechargable bluetooth Model M with a slot in the top to hold your tablet?

(Does anyone here know anyone at Unicomp? :-)

Simple solution

Posted Oct 1, 2011 1:37 UTC (Sat) by bronson (subscriber, #4806) [Link]

Oooo, want!

Simple solution

Posted Sep 20, 2011 23:37 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (7 responses)

Why not? Turn on a bluetooth keyboard, connect an external HDMI display and off you go - it's already possible and I have actually done exactly this (typed large amounts of text on a phone connected to a HDTV and bluetooth keyboard) a few times.

Simple solution

Posted Sep 20, 2011 23:46 UTC (Tue) by dlang (guest, #313) [Link] (6 responses)

you missed where I said that it may be connected to a full size monitor and real keyboard. that's exactly what you have done.

I expect this to happen a lot, but I don't expect it to work very well with an OS optimized for a small touchscreen.

yes, it may be an 80% solution (do 80% of the work people want to do) where they only want one app visible at a time and that app full screen.

but even the people to you say do this all the time routinely pop up a separate window for a calculator that they want to have visible in front of the document they are viewing.

current OS builds designed for mobile use can't do this.

Simple solution

Posted Sep 20, 2011 23:53 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Heh.

Check the features of upcoming Android IceCream. For one thing, it supports my usage scenario explicitly.

There'll be no more tablet/phone split and a single application can be designed to work on the whole spectrum of screen sizes. With some nice helper features for application developers.

So it should already be possible to seamlessly switch application mode if an external display is plugged in.

Simple solution

Posted Sep 21, 2011 16:17 UTC (Wed) by JEDIDIAH (guest, #14504) [Link] (3 responses)

The ability of any "tablet" device to fully exploit a more conventional approach to inputs and displays will be hampered by how locked down the platform is. If you can't freely install apps, what makes you think there will be a suitable desktop style app when you want it?

The apps of your choosing simply won't be available. They won't be available due to the same underlying issue: hardware lockdown.

Simple solution

Posted Sep 21, 2011 17:14 UTC (Wed) by bronson (subscriber, #4806) [Link] (2 responses)

They'll be available if customers demand them. A locked-down device that doesn't serve the needs of its users won't exist for long.

Simple solution

Posted Sep 23, 2011 3:35 UTC (Fri) by JEDIDIAH (guest, #14504) [Link] (1 responses)

Your post was unintentionally funny.

We're already seeing the rise of the crippled machines. That's why a certain contingent here is so worried about the subject of this thread.

Simple solution

Posted Sep 23, 2011 5:07 UTC (Fri) by bronson (subscriber, #4806) [Link]

And why are crippled machines on the rise? Because customers demand them. Do you disagree?

Guess my post was funny but true.

Simple solution

Posted Sep 30, 2011 19:30 UTC (Fri) by Baylink (guest, #755) [Link]

> where they only want one app visible at a time and that app full screen

That's how 95% of users should be doing 95% of their work, windowed operating environment or not.

Simple solution

Posted Sep 20, 2011 21:18 UTC (Tue) by dskoll (subscriber, #1630) [Link] (4 responses)

The Wintel PC has a limited life expectancy at this point

I don't agree. There are still many tasks for which a desktop or laptop computer is far more suitable than a portable device. Especially in business settings, I think desktop/laptop computers are going to be around for a very long time.

As for Windows, part of what keeps the Windows ecosystem going are the thousands (if not millions) of strange and specialized applications ranging from veterinary practice suites to niche scientific tools and so on. Those vendors will howl bloody murder if MSFT attempts to force them to sell through an app store. (Time for them to start porting to Linux now so they have leverage, I guess. :))

Simple solution

Posted Sep 21, 2011 7:15 UTC (Wed) by butlerm (subscriber, #13312) [Link] (3 responses)

Porting to Linux? For the majority of these vendors, porting to something like ReactOS would be far more practical. It would be hard to devise a more effective strategy to promote competition in the Windows compatible OS market than this one.

Simple solution

Posted Sep 21, 2011 11:11 UTC (Wed) by dvandeun (guest, #24273) [Link] (1 responses)

Or routinely testing software under Wine and putting a "Wine Compliant" sticker on it.

Simple solution

Posted Sep 21, 2011 14:15 UTC (Wed) by dskoll (subscriber, #1630) [Link]

Writing against winelib is a perfectly good porting strategy in many cases, so sure!

ReactOS? Really?

Posted Sep 22, 2011 16:22 UTC (Thu) by jmorris42 (guest, #2203) [Link]

And what, pray tell would one run ReactOS on? Has it ever been booted on real hardware? If Microsoft allows emulated operating systems to run on the future version of Windows that tightens the chains to the point it won't run Win32 apps anymore people would simply run Windows (N-1) in the emulator and achieve a near 100% compatibility vs the 1% compatibility ReactOS offers more than a decade after beginning the project.

Hint: If they ever clamp the chains, emulation will become an enterprise feature, and on the enterprise versions Win32 apps will still run anyway. Microsoft is evil, and although not geniuses they also aren't stupid.

Simple solution

Posted Sep 20, 2011 21:02 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

There have not yet been really aggressive pushes to lock down Wintel PCs.

For one thing, a secure OS with memory protection has become mainstream only 10 years (WinXP) and prior to this any attempt to lock down PC had been an exercise in futility. Besides, at that time users had not yet been conditioned by Apple that walled gardens are acceptable and good (remember outcry about Palladium).

Then there's a question of signed kernel-mode code and privileged processes - it has been successfully solved by Vista and Win7. EFI or BIOS with TPM support already allow to have completely trusted boot chain.

So the only small component is to forbid running of unsigned userspace code. That's what Microsoft is going to do.

Simple solution

Posted Sep 20, 2011 19:52 UTC (Tue) by jbicha (subscriber, #75043) [Link]

I think there is pressure for Windows to be even more secure. Chromebooks have a similar locked-down mode but I believe vendors are supposed to include a hidden override for those who do want to play outside the sandbox.

Jailbreak

Posted Sep 20, 2011 19:49 UTC (Tue) by cesarb (subscriber, #6266) [Link]

If this happens, I wonder how long until people start having to jailbreak their own computer.

Garrett: UEFI secure booting

Posted Sep 20, 2011 20:01 UTC (Tue) by jhhaller (guest, #56103) [Link] (1 responses)

If I were designing a BIOS, I would include the Microsoft key and my own key, and provide software signed by my key which could sign other software and install a key. That ensures that one can't update the list of keys except with signed software. Assuming that any signed software doesn't maliciously add new keys, its a reasonable security model.

Of course, the first thing that will happen is that someone will crack Windows, and, since it is trusted, add their own signature for the rootkit they are installing to make the machine a zombie. The second thing is that someone will start cracking UEFI boot, since security is where people start attacking. Given some of the comments about BIOS authors, I'm not sure they are the people with which one wants to entrust security.

How to make a sane BIOS

Posted Sep 22, 2011 16:30 UTC (Thu) by jmorris42 (guest, #2203) [Link]

Nope, I'd skip all that foolishness if I were designing a Free Software friendly firmware. It is this this simple:

Boot into the firmware with the install media inserted in the optical drive or USB port. Pick an option that says "I want to install from this media." It gives a warning asking if you trust this media abd then it looks on the media for a well publicised filename containing a public key and imports that to it's trusted key store and then proceeds to boot the signed installer.

That is simple, safe and allows any Linux distro to enjoy the benefits of secure booting without any centralized key authority beyond the distro's key management to add remove keys post install. So you would still need a method to add/revoke keys from within a secure OS.

Garrett: UEFI secure booting

Posted Sep 20, 2011 20:11 UTC (Tue) by kleptog (subscriber, #1183) [Link] (7 responses)

If this had been ready ten years ago it would have been dangerous. Now Linux is big enough that it will merely be worrysome.

I think it would be worthwhile thinking about what an acceptable solution would look like. As long as it becomes easy to add more keys I think it's not a big deal. I'm honestly not clear how we would expect this to work. Just disabling would be ok, but what if I want to use trusted boot myself?

Garrett: UEFI secure booting

Posted Sep 20, 2011 20:37 UTC (Tue) by cesarb (subscriber, #6266) [Link] (6 responses)

> I think it would be worthwhile thinking about what an acceptable solution would look like.

Make it easy to temporarily allow anything to both boot and add new keys to the trusted store. For instance, the same key combination you already have to use to boot from the install DVD could do this. Then it is a simple matter of changing the OS installer to add its key to the trusted store (either a fixed one or a new one generated on the fly). This keeps the install of a new operating system almost as easy as it currently is (it would only break Windows-based OS installers), while completely blocking software-only malware (the only way to bypass would be with hardware pretending to be an USB keyboard).

It could also have a disable switch on the firmware setup screen, much like the on every system I have seen so far with a TPM (but that is much less discoverable for users who just want to install from a DVD).

> Now Linux is big enough that it will merely be worrysome.

Linux might be big enough, but Linux hardware OEMs are not that big AFAIK. With the exception of Asus netbooks, every Linux desktop/laptop computer I have personally seen either originally had Windows installed by the OEM or was built from components (including a blank HD). And when the big OEMs have a Linux option, it is as far as I have seen only on lower-end hardware (as if the only reason to use Linux were lower prices!), or on servers.

That is, most people end up buying a computer with Windows preinstalled, even if they end up using Linux. If this makes it impossible to install Linux on these computers, it would for instance make it much harder for new people to try Linux.

In this particular case it's good thing :-)

Posted Sep 20, 2011 22:36 UTC (Tue) by khim (subscriber, #9252) [Link] (5 responses)

Linux might be big enough, but Linux hardware OEMs are not that big AFAIK.

Right - but in this particular case it's good thing.

With the exception of Asus netbooks, every Linux desktop/laptop computer I have personally seen either originally had Windows installed by the OEM or was built from components (including a blank HD).

Right. That's because big companies have no interest in such an offers. They buy a lot of computers (groups of 100 or so) and then selectively install Windows or Linux on them. For that to work they need system with Windows preinstalled (yes, even if you install your own "Corporate" version of Windows you still need computer with Windows pre-installed). Microsoft forbids dual-use models, and pure Linux system is pretty useless for said companies.

What does it mean? Few things.
1. Systems where you can only use pre-installed OEM version of Windows will not fly.
2. Systems where you can not install Linux will not fare much better.

And when the big OEMs have a Linux option, it is as far as I have seen only on lower-end hardware (as if the only reason to use Linux were lower prices!), or on servers.

It's not the only reason, but only people who are conting every penny buy these "Linux options". Everyone else just pays the "Microsoft tax" for their Linux computers (see above).

In this particular case it's good thing :-)

Posted Sep 21, 2011 1:11 UTC (Wed) by Trelane (guest, #56877) [Link] (1 responses)

> Everyone else just pays the "Microsoft tax" for their Linux computers (see above).

And they're the reason we can't have nice things. I swear, some days it seems like the smartest thing Apple ever did was make it so you could only install OSX on known-good computers.

In this particular case it's good thing :-)

Posted Sep 21, 2011 1:12 UTC (Wed) by Trelane (guest, #56877) [Link]

I find it amusing that, as perhaps pointed out above, locking down *everything else* is equivalent to locking down Linux (namely, if you can't use Linux on it, you're forced to buy Linux PCs to run Linux). :)

In this particular case it's good thing :-)

Posted Sep 21, 2011 1:15 UTC (Wed) by Trelane (guest, #56877) [Link]

Just realized something else:
Consumer and Business computers are not the same now; there's no reason to expect that this will cease to be the case.

In this particular case it's good thing :-)

Posted Sep 22, 2011 3:20 UTC (Thu) by dps (guest, #5725) [Link]

My office has dual uses boxes---they come with windows but the first thing that happens is replacing it with Linux. In some circumstances we will run windows via kvm, and a windows licence maybe useful for doing this.

The boxes are not strictly dual boot---the BIOS always loads ubuntu. Nobody ever runs windows on the bare metal, except perhaps a separate (and lower spec) windows laptop.

Trying Linux

Posted Sep 22, 2011 11:10 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

Actually, the best way to try Linux on a Windows system these days is to run it as a VM under Windows. If you are doing this for a friend, colleague or casual acquiantance, it also has the advanatage that you don't have to do anything like repartitioning the disk, that might break Windows or lose their data, and make them very unhappy with you.

Download VMware player (free beer).

Download a ready-to-go trial Linux image, or install the Linux of your choice into a new VM.

I'm assuming that the machine has enough RAM. These days, most do, and many of the rest or older systems are upgradeable for peanuts (which will also make Windows run faster).

There's a significant class of users who won't ever break away from Windows, because they are tied to some piece of Windows-only software by their employer (for example a VPN "solution"), their professional body, their kids' school, their choice of hobby, etc. etc. Running Linux as a VM is superior to dual-boot for anyone in this situation. The other option is running Windows in a VM under Linux.

Garrett: UEFI secure booting

Posted Sep 20, 2011 20:12 UTC (Tue) by dfsmith (guest, #20302) [Link] (1 responses)

I just hope there will be (at least) a motherboard jumper to disable it. On by default is okay (and perhaps the dist guys could publish their own certificates for inclusion in the BIOS).

Garrett: UEFI secure booting

Posted Sep 22, 2011 5:12 UTC (Thu) by ringerc (subscriber, #3071) [Link]

Jumpers cost money and are unsuitable for compact PCs, laptops, etc.

Expect a BIOS/UEFI setup option to turn it off, with optional password protection to keep those pesky corporate users from installing their "hide my facebook activity" nasties even when they have physical access.

So long as I can turn it off, I'll be *happy* to see this out there. Anything that improves Windows security without preventing me from controlling the hardware I own is just fine by me. As a bonus, being able to add my own keys would let me roll out signed kernels for my servers, which would be just lovely.

Garrett: UEFI secure booting

Posted Sep 20, 2011 20:15 UTC (Tue) by fw (subscriber, #26023) [Link]

So the end effect will be that Windows-based devices are as closed as most Linux-based devices using Android? That's not a positive development, but was perhaps inevitable.

Garrett: UEFI secure booting

Posted Sep 20, 2011 21:09 UTC (Tue) by augustl (guest, #75060) [Link] (4 responses)

My wish for the future was that I can buy a smartphone and install Windows Phone 7, Android, MeeGo, or something else, on it. Just like I can buy a PC and install a different OS than the bundled one. This seems to be the exact opposite, PCs gets to be locked down like smartphones.

I hope this never happens, and I'm glad LWN puts focus on it so we can start working against it asap.

Garrett: UEFI secure booting

Posted Sep 20, 2011 21:31 UTC (Tue) by martinfick (subscriber, #4455) [Link] (3 responses)

> I hope this never happens, and I'm glad LWN puts focus on it so we can start working against it asap.

If you have to "work against it", you have already lost. The only way to prevent such things is if consumers (including businesses, which will be the most impacted by this, so I suspect they might) vote with their $.

working against

Posted Sep 21, 2011 9:40 UTC (Wed) by pdundas (guest, #15203) [Link] (1 responses)

> If you have to "work against it", you have already lost.
> The only way to prevent such things is if consumers
> (including businesses... ) vote with their $.

EU and other anti-competition authorities MAY be persuaded to look askance at such a move.

The chance of this could be increased if Consumer Organisations and alternate O/S vendors (RHEL, OEL, etc) point out that this is anti-competetive lock-in, and that MS have significant market share, as the phrase goes, and that they used this market position to hugely increase the proportion of a PC's cost that goes on Windows over the past decade or two...

The MS move will harm Apple or any other potential MS competitor (and Linux is a competitor with economic importance in server space).

So, if regulatory capture can be avoided, that is one slow and unreliable route to oppose this MS abuse.

One solution could be to demand that purchasors of hardware (or o/s suppliers) be permitted to enable any other O/S they please, without charge, either on a case-by-case basis (with keys/signatures) or by turning off this "security". The former route would address the (transparently bogus) security rationale for the change - by preventing modified O/S from running WITHOUT permission.

working against

Posted Sep 22, 2011 16:15 UTC (Thu) by martinfick (subscriber, #4455) [Link]

If you have to resort to regulating someone else's behavior in order to not voluntarily purchase something you don't want, you have already lost, against yourself.

Garrett: UEFI secure booting

Posted Sep 27, 2011 12:29 UTC (Tue) by ekj (guest, #1524) [Link]

The problem with "vote with your $" is that it implies one dollar, one vote.

Which is a fair cry from the ideals of "one man, one vote".

And fundamental aspects of our computing and network-infrastructure is no less important than, say, our electricity and road-infrastructure.

These things are *political* problems. They should be discussed and handled at a *political* level. Leaving them for the market to sort out (which is what you implicitly suggest with "vote with your $", isn't going to cut it.

Granted, on the political spectrum people with more cash (or otherwise more resources) are also more influential, but not quite to the same degree. (it's a trend we should fight there too - especially since current trends is that the middle-class gets reduced while the mega-rich turn into ultra-rich)

Deciding who gets to do what with which data, is a political question. Reducing it to a purely economical question, will ensure that the solution is one that benefits those with the largest purely economical interests.

Garrett: UEFI secure booting

Posted Sep 20, 2011 22:08 UTC (Tue) by Lennie (subscriber, #49641) [Link] (1 responses)

There is an other video as well:

http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T

Haven't had time to watch it yet, so I don't know if it does explain more.

MS: Full of fail

Posted Sep 21, 2011 11:33 UTC (Wed) by kragilkragil2 (guest, #76172) [Link]

UEFI and MS suck as bad as their German:
"Ihrem PC lief in ein Problem, die er behandelt konnte nicht, und muss es neu zu starten. Es werden im neu starten: 1 Sek."

That's not really German, but more likely Google translate than Bing ;-)

Garrett: UEFI secure booting

Posted Sep 20, 2011 23:27 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (2 responses)

The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

I don't agree, this second option seems more likely for some and maybe even the majority of vendors.

Every time the new version of Windows doesn't work with their printer, scanner, etc. many people go to the store and buy a brand new one. Doing this repeatedly hasn't hurt these vendors, on the contrary.

Utterly disabling second hand resale value and crippling long term usefulness of your product is an _excellent_ strategy for consumer products. Ethically dubious, but not technically criminal and certainly profitable, what's not to like?

Garrett: UEFI secure booting

Posted Sep 22, 2011 11:37 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

In the clueless drooling-consumer market, hardware locked to Windows may gain a place in the market, just as phones locked to a particular network don't deter many sales. (If the word gets out that unlocking is *impossible* it may deter a few more, but there again, they buy Apple stuff! )

In the business arena, I think it will get the hardware onto a blacklist in many environments. The entire science and engineering faculty of any university, for example, wouldn't touch anything that couldn't run Linux by design with a bargepole. Probably the same for any commercial engineering R&D, any film studio, any bioscience facility.

Where I work, Dell has lost our (science faculty) business because we couldn't rely on them to supply hardware exactly as specified (and tested to work with Linux). Their attitude was that the wrong hardware was part of their "ongoing improvement process". It might have been for Windows users, but if it stopped us booting out pre-built Linux images, it meant their hardware was slightly less useful than a heap of rubble. So we found another supplier, where if we ordered a system with a particular tested and acceptable motherboard and graphics card, that's what we got - no substitutes except with explicit permission.

Hypervisors?

Posted Sep 22, 2011 11:46 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

Another reason for businesses to object is that if a machine is locked Windows-only, it won't be able to boot a hypervisor any more than it will be able to boot Linux.

Of course, it's possible that VMware (say) will throw their commercial hat into the lock-down arena and decide to collect a VMware tax on systems shipped with their hypervisor locked in. However, even that wouldn't be nearly as bad as a Windows-only future.

In a future where Gbits of network bandwidth become effectively free, I'd expect hypervisors on the business desktop to become quite popular.

Garrett: UEFI secure booting

Posted Sep 21, 2011 17:00 UTC (Wed) by imgx64 (guest, #78590) [Link] (9 responses)

I'm not really sure what's the point of this; it sounds more like a solution looking for a problem. What was the last significant malware that targeted the boot process? (I remember MBR viruses in the DOS days, are there any of those today?)

Admittedly, I don't have time to watch a 1-hour video by Microsoft engineers, so I apologize if this was already discussed.

Garrett: UEFI secure booting

Posted Sep 22, 2011 1:51 UTC (Thu) by kevinb (subscriber, #80386) [Link] (8 responses)

The boot process is a common target. This is a recent example, that takes it one step further and gets into the BIOS:

http://it.slashdot.org/story/11/09/14/1621230/New-BIOS-Ex...

Garrett: UEFI secure booting

Posted Sep 22, 2011 4:14 UTC (Thu) by imgx64 (guest, #78590) [Link] (6 responses)

> that takes it one step further and gets into the BIOS

Technically speaking, this is not a step further, but a step *back* in the boot process. This malware modifies the BIOS (or in the future, UEFI), so UEFI checking the OS for a signature is too late to stop it.

The only way to stop the above malware is to disable the ability to flash the ROM from inside the OS (a misfeature that was added, like most other misfeatures, for "convenience").

Garrett: UEFI secure booting

Posted Sep 22, 2011 10:47 UTC (Thu) by etienne (guest, #25256) [Link] (5 responses)

I wonder if standard Linux boot-loader should in some way check the BIOS FLASH content, like displaying/saving the last CRC32 of that FLASH.
It is very difficult to lie (i.e. intercept requests) to a boot-loader running in real mode, using only physical addresses, and it is easy to detect that you are in fact in virtual mode instead or real mode.
The problem is that this CRC32 may change when the user changes BIOS options, probably some of them are not stored in the RTC battery backed RAM anymore because of size problems.
Also determining the size and location of the FLASH for whatever PC may be difficult.

Garrett: UEFI secure booting

Posted Sep 23, 2011 1:27 UTC (Fri) by hamish (guest, #6282) [Link] (4 responses)

This just means that the malware would run the boot-loader in an emulation and only show it what it expected to see.

Garrett: UEFI secure booting

Posted Sep 23, 2011 10:20 UTC (Fri) by etienne (guest, #25256) [Link] (3 responses)

You can't "emulate" real mode with 4 Gbytes segments (which is needed to read that FLASH) with any x86 processor, even with SMM.
It is quite easy to detect that you are on real hardware, and I would say quite difficult to write the real-mode software so that it also runs inside a simulation.

Garrett: UEFI secure booting

Posted Sep 30, 2011 9:00 UTC (Fri) by robbe (guest, #16131) [Link] (2 responses)

As I understand it EFI does away with real mode as well. So your bootloader would run in protected or long mode, both of which can be virtual.

Garrett: UEFI secure booting

Posted Oct 3, 2011 11:14 UTC (Mon) by etienne (guest, #25256) [Link] (1 responses)

I was speaking of "standard Linux boot-loader", they will not work in protected or long mode, without extensive modifications.
For instance, even if Gujin can work in an emulation (i.e. DOS running EMM386 virtual memory management) it has to load the kernel at a physical memory address and uses HIMEM services for that, knowing that HIMEM has to use physical addresses because it was used by some old drivers to manage DMA buffers. It has also to detect it is not running in real mode and disable trying to access VESA2 video memory directly (disable 4 Gb segments).
Also, LOADLIN could be used with EMM386 memory, but had to have a hook just after entering protected mode to relocate each kernel/initrd page.
Basically, BIOS bootloader are mostly dealing with physical addresses and assume they own all memory over 1 Mbyte, loading the kernel just after that boundary and the initrd just before the end of memory. As such they could do a checksum/SHA of at least the first Mbyte of the FLASH if it were always located at 0xFFF00000, but newer PC probably have more FLASH than that.
IHMO EFI mostly solves Windows problems, I fail to see which Linux problem is solved.

Garrett: UEFI secure booting

Posted Oct 3, 2011 18:05 UTC (Mon) by raven667 (subscriber, #5198) [Link]

IHMO EFI mostly solves Windows problems, I fail to see which Linux problem is solved.

That's kind of amusing since AFAIK EFI has been mostly used for and presumably designed for booting UNIX systems, HPUX and then MacOSX, with Windows support being a distant afterthought.

Garrett: UEFI secure booting

Posted Sep 27, 2011 6:47 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]

No, it's not that common. Not at all.

Mebroot or whatever name you use is the only one that has come out in _years_ ... but it is a scary.

Mebroot was done in a fairly professional manner (with an update system, and even, I believe, a tracking system to let them trace crashes, etc), and then most likely sold on the underground market to other malware authors. And I believe the most common payload it delivers is bank account stealers, and it does well to stay under the radar (as in, it does a good job, and it's good that it does that - from the perspective of the bad guys, at least ;) ).

OTOH, most A/V vendors detect this (there are ways), and there are no signs this is a growing trend (no new malware is coming out and installing in the MBR).

In the end, MBR malware doesn't buy you that much more than a normal kernel-level rootkit. It's a little harder to deal with, but it can be dealt with. And it's gonna be much harder to write, and write well (Even Mebroot hewed pretty closely to the eEye PoC, early on). Even Mebroot moved away from depending on the MBR as it's only infection vector, I believe..

So I would say Microsoft's whole thing about doing it to block malware is a bunch of BS. There are no trends that indicate that this is growing threat.. the cost/benefit trade off for malware authors going to the MBR is just not there. Keep in mind, you want your malware to spread, and (I think) MBR code can be fairly specific to some hardware at times..

Although, given that there is actual malware out there, it's not quite the smoke and mirrors as the blue pill was ;)

Yay! my first not so trollish post. I'm learning ;)

Provide feedback!

Posted Sep 22, 2011 14:44 UTC (Thu) by dskoll (subscriber, #1630) [Link]

If this concerns you, please visit this video page and also this one and post comments supporting my "NOTE TO HARDWARE VENDORS" comment.

The more feedback to vendors, the better.

Garrett: UEFI secure booting

Posted Sep 30, 2011 19:20 UTC (Fri) by Baylink (guest, #755) [Link] (1 responses)

It is, in fact, time to panic, and it was actually time to panic when the *first* approach that sounded like this came out ("Palladium", wasn't it?), over a decade ago.

Y'know: when we *told you* to start panicking.

They've tried the boiling-frog approach.

It would be best not to let them get away with it.

We are definitely still in Ghandicon 3, not 4.

Garrett: UEFI secure booting

Posted Oct 4, 2011 12:15 UTC (Tue) by mpr22 (subscriber, #60784) [Link]

Time to take positive defensive action? Certainly, and well past. But time to panic? Certainly not. It is never time to panic, and it is most especially not time to panic when people tell you it's "time to panic". Panic clouds perception and disrupts coherent thought.