Microsoft blocks Linux and other drivers with UEFI/Windows 8

More details can be found here.

Good grief .

In other news; from next year all new toasters will require that all inserted bread must be officially certified by "TrueBread" technology. Any attempt to use your toaster to eat any other, unlicenced, bread product will cause the toaster to deliberately burn your house down, phone the police, and frame you for arson.

That's if you accept the "Break Bread" license (v.π), which is incompatible with the "Bake Bread" license (v.√2) your oven uses...

Who'd've thought that we'd miss plain old BIOS...

I hope that all this kind of nonsense will eventually drive people towards FOSS. There has to be a tipping point; where the convenience of using a ready-installed Windows OS is negated by the hidden restrictions you are clobbered with later on.

If Windows loses it's ability to just automatically run just about every consumer-oriented application out there, which is by far the main thing it has going for it as far as I can see, then that could well be it imo.

Microsoft has responded on the subject: "Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems".

Read all about it here.

In other words, they say they won't FORCE the new system.
Nevertheless, I have little doubt that many systems will be enabled by default to run in "secured" mode

Of course, they don't want to get involved in another antitrust case. So officially they don't force anyone, but given the precedents I would assume that they will offer strong 'incentives' to those that implement it (or rather strong disincentives to those that don't).

Will you be OK if you build your own desktop system and run only Linux ?

I think it all depends on the mobo BIOS implementation.

I would imagine that most/all mobo manufacturers that sell mobos for self-build/enthusiasts PCs (as opposed to OEM) will make it possible to disable "secure boot". After all quite a few self-builders/enthusiasts use Linux so they wouldn't want to lose those customers.

I could well be that "secure boot" ends up like TPM, i.e. only implemented on systems targeted at specific markets (for example business PCs).

For the time being I believe this to be an option you can control from the "BIOS"

They might want to remove the off-switch in time, but I doubt that ever will happen. Because if they do, it will be a matter of time before the angry mob will go flash it themselves (I remember the times when I swapped ROMs in my Atari ST for RAMs to upgrade the OS)

Hold on - there's a subtle difference here: for some Atari STs, TOS was entirely in ROM (early ones? late ones? can't remember). That was for storage space v. performance issues. Yes, you could swap TOS 1.x ROMs for TOS 2.x and so on, and if you really knew what you were doing, you could have swapped in a Mac ROM and had a Jackintosh There was no limitation to a given OS on a given platform.

Here we're talking about a "feature" designed to lock down a system entirely - a kill switch. Now, I'm used to such a feature on my lil' green lappy (see the last entry in this list) but there is nothing to prevent me from booting whatever loony OS I can think of just because the H/W and S/W vendors say so.

...except perhaps for the fact that OpenFirmware can't fully emulate BIOS, but that's an architectural reason not a policy decision.

If this plan goes forth (pun unintended), you'll start seeing homebrew-BIOSs (homebrew EFIs?) popping up faster than you can say "jailbreak". Then all hell will break loose because there'll be 57 varieties of BIOS/EFI: If Microsoft refuses to support even one "non-standard" version, then just imagine the chaos within the F/LOSS community when it tries to decide whose low-level [trojan?] horse to back.

...I really hope M$ is just testing the waters.

Hold on - there's a subtle difference here: for some Atari STs, TOS was entirely in ROM (early ones? late ones? can't remember). That was for storage space v. performance issues. Yes, you could swap TOS 1.x ROMs for TOS 2.x and so on, and if you really knew what you were doing, you could have swapped in a Mac ROM and had a Jackintosh There was no limitation to a given OS on a given platform.

Hold on, my remark on the Atari ST was just a reminder of the old days when things were simple and where you do modifications yourself and be special. Not neccesarily meaning something related to the BIOS. Except that I wouldn't be surprised when there will be kits you mount on your mobo to bypass new stuff.

Latest update tells us Windows 8 will block Linux because most manufacturers will not be enabling the "switch off" option. Perhaps because they do nto care but for sure because they want to qualify for Microsofts Logo program. That means that when qualified, you get incentives from Microsoft.

Details can be read here.

One positive aspect is that Red Hat is kicking the bucket.
They have more resources than the average Linux users

Hello redman,

Very depressing news. Please explain what you mean by:-

(The emoticon doesn't seem to indicate anything positive ?)

Are we destined to all (eventually) become Windows users ?

I'm very disappointed to hear about this whole thing. And there is virtually nothing regulators can do about it either, even if they could it would be too late anyway.

If manufacturers are going to start doing this, I'll make sure to steer clear of buying any OEM PC with this feature.

Actually, Microsoft's reply said:
Lock-out security tech can be disabled, if OEMs want.

Read full article here:

In answer to this:
Red Hat engineer renews attack on Windows 8-certified secure boot
Linux lock-out row rumbles on

A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems.

UEFI (Unified Extensible Firmware Interface) specifications are designed to offer faster boot times and improved security over current BIOS ROM systems. The secure boot feature of the specification is designed so that only digitally signed OS loaders will load, a security feature that would prevent the installation of generic copies of Linux or FreeBSD as well as preventing rootkits and other boot-time malware from running.

A digitally signed build of Linux would work, but that would mean persuading OEMs to include the keys. Disabling the feature would allow unsigned code to run. However, it is unclear how many OEMs and firmware vendors will follow this route, which isn't required for Windows 8 certification.

The forthcoming secure boot feature has created a huge row with computer scientists, such as Ross Anderson of Cambridge University and open-source developers who accuse Microsoft of pushing lock-in and decreasing consumer choice. Microsoft responded by saying consumers would continue to control their PC and cited the example of one OEM, Samsung, which is including a "disable secure boot" feature on prototype versions of its tablet PC.

Power play
This response has failed to satisfy critics of the technology. Matthew Garrett, power management and mobile Linux developer at Red Hat, who was among the first to flag up concerns over the technology, said that Microsoft's response fails to address his central point that "Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems".

Red Hat, he explains, has been working with Linux suppliers, hardware manufacturers and BIOS developers since becoming aware of the issue in early August.

Garrett said that Windows 8 certification requires that hardware ship with UEFI secure boot enabled. A feature allowing secure boot to be disabled – necessary to run Linux and FreeBSD on certified systems – is not required for certification. "We've already been informed by hardware vendors that some hardware will not have this option", Garrett writes

In addition, Windows 8 certification does not require that the system ship with any keys other than Microsoft's. Such systems will only securely boot Microsoft operating systems.

A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's," Garrett writes. "No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer."

Neither of the two options – the first being to get OEMs to include keys for a digitally signed copy of a particular build of Linux and the second being allowing users to disable secure boot – look likely in most circumstances. The upshot of this, as things stand, is that Linux fans will only be able to run the alternative operating system on a small minority of Windows 8-certified hardware.


Read full article here: