Scientific Linux Forum.org



Microsoft blocks Linux and other drivers with UEFI/Windows 8
redman
 Posted: Sep 21 2011, 01:06 PM
SLF Admin
Group: Admins
Posts: 1401
Member No.: 2
Joined: 8-April 11

QUOTE
The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.

This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.


More details can be found here.


--------------------
What is SL? - Forum Rules - Info on 3rd Party Repos

Desktop: ASUS P5QPL-AM, Intel Dual-Core E6500, 4GB DDR2, ASUS GeForce GT 430 1GB, SL6.6 x86_64
Build server: HP Proliant ML350 G5, 1x Intel Xeon Quad-Core E5410, 9GB ECC DDR2 FB-DIMM, ASUS GeForce GT 730 1GB, SL6.6 x86_64
spoovy
 Posted: Sep 22 2011, 05:33 AM
SLF Moderator
Group: Moderators
Posts: 196
Member No.: 5
Joined: 8-April 11

Good grief.

In other news; from next year all new toasters will require that all inserted bread must be officially certified by "TrueBread" technology. Any attempt to use your toaster to eat any other, unlicenced, bread product will cause the toaster to deliberately burn your house down, phone the police, and frame you for arson.


NeoAmsterdam
 Posted: Sep 22 2011, 04:41 PM
SLF Member
Group: Members
Posts: 92
Member No.: 181
Joined: 16-May 11

QUOTE (spoovy @ Sep 22 2011, 05:33 AM)
Good grief.

In other news; from next year all new toasters will require that all inserted bread must be officially certified by "TrueBread" technology.

That's if you accept the "Break Bread" license (v.π), which is incompatible with the "Bake Bread" license (v.√2) your oven uses...

Who'd've thought that we'd miss plain old BIOS...
spoovy
 Posted: Sep 25 2011, 05:10 AM
SLF Moderator
Group: Moderators
Posts: 196
Member No.: 5
Joined: 8-April 11

I hope that all this kind of nonsense will eventually drive people towards FOSS. There has to be a tipping point; where the convenience of using a ready-installed Windows OS is negated by the hidden restrictions you are clobbered with later on.

If Windows loses its ability to just automatically run just about every consumer-oriented application out there, which is by far the main thing it has going for it as far as I can see, then that could well be it imo.


redman
 Posted: Sep 25 2011, 06:39 AM
SLF Admin
Group: Admins
Posts: 1401
Member No.: 2
Joined: 8-April 11

Microsoft has responded on the subject: "Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secured boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems".

Read all about it here.

In other words, they say they won't FORCE the new system.
Nevertheless, I have little doubt that many systems will be enabled by default to run in "secured" mode.


tux99
 Posted: Sep 25 2011, 07:51 AM
SLF Guru
Group: Members
Posts: 1218
Member No.: 224
Joined: 28-May 11

QUOTE (redman @ Sep 25 2011, 07:39 AM)
In other words, they say they won't FORCE the new system.

Of course, they don't want to get involved in another antitrust case. So officially they don't force anyone, but given the precedents I would assume that they will offer strong 'incentives' to those that implement it (or rather strong disincentives to those that don't).


--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
U308
 Posted: Sep 25 2011, 08:53 AM
SLF Advocate
Group: Members
Posts: 481
Member No.: 32
Joined: 11-April 11

Will you be OK if you build your own desktop system and run only Linux ?
tux99
 Posted: Sep 25 2011, 10:31 AM
SLF Guru
Group: Members
Posts: 1218
Member No.: 224
Joined: 28-May 11

QUOTE (U308 @ Sep 25 2011, 09:53 AM)
Will you be OK if you build your own desktop system and run only Linux ?

I think it all depends on the mobo BIOS implementation.

I would imagine that most/all mobo manufacturers that sell mobos for self-build/enthusiasts PCs (as opposed to OEM) will make it possible to disable "secure boot". After all, quite a few self-builders/enthusiasts use Linux so they wouldn't want to lose those customers.

It could well be that "secure boot" ends up like TPM, i.e. only implemented on systems targeted at specific markets (for example business PCs).


redman
 Posted: Sep 25 2011, 10:40 AM
SLF Admin
Group: Admins
Posts: 1401
Member No.: 2
Joined: 8-April 11

For the time being I believe this to be an option you can control from the "BIOS".

They might want to remove the off-switch in time, but I doubt that ever will happen. Because if they do, it will be a matter of time before the angry mob will go flash it themselves (I remember the times when I swapped ROMs in my Atari ST for RAMs to upgrade the OS).


NeoAmsterdam
 Posted: Sep 25 2011, 06:58 PM
SLF Member
Group: Members
Posts: 92
Member No.: 181
Joined: 16-May 11

QUOTE (redman @ Sep 25 2011, 10:40 AM)
For the time being I believe this to be an option you can control from the "BIOS".

They might want to remove the off-switch in time, but I doubt that ever will happen. Because if they do, it will be a matter of time before the angry mob will go flash it themselves (I remember the times when I swapped ROMs in my Atari ST for RAMs to upgrade the OS).

Hold on - there's a subtle difference here: for some Atari STs, TOS was entirely in ROM (early ones? late ones? can't remember). That was for storage space v. performance issues. Yes, you could swap TOS 1.x ROMs for TOS 2.x and so on, and if you really knew what you were doing, you could have swapped in a Mac ROM and had a Jackintosh. There was no limitation to a given OS on a given platform.

Here we're talking about a "feature" designed to lock down a system entirely - a kill switch. Now, I'm used to such a feature on my lil' green lappy (see the last entry in this list) but there is nothing to prevent me from booting whatever loony OS I can think of just because the H/W and S/W vendors say so.

...except perhaps for the fact that OpenFirmware can't fully emulate BIOS, but that's an architectural reason not a policy decision.

If this plan goes forth (pun unintended), you'll start seeing homebrew-BIOSs (homebrew EFIs?) popping up faster than you can say "jailbreak". Then all hell will break loose because there'll be 57 varieties of BIOS/EFI: If Microsoft refuses to support even one "non-standard" version, then just imagine the chaos within the F/LOSS community when it tries to decide whose low-level [trojan?] horse to back.

...I really hope M$ is just testing the waters.
redman
 Posted: Sep 25 2011, 07:44 PM
SLF Admin
Group: Admins
Posts: 1401
Member No.: 2
Joined: 8-April 11

QUOTE (NeoAmsterdam @ Sep 25 2011, 08:58 PM)
QUOTE (redman @ Sep 25 2011, 10:40 AM)
For the time being I believe this to be an option you can control from the "BIOS".

They might want to remove the off-switch in time, but I doubt that ever will happen. Because if they do, it will be a matter of time before the angry mob will go flash it themselves (I remember the times when I swapped ROMs in my Atari ST for RAMs to upgrade the OS).

Hold on - there's a subtle difference here: for some Atari STs, TOS was entirely in ROM (early ones? late ones? can't remember). That was for storage space v. performance issues. Yes, you could swap TOS 1.x ROMs for TOS 2.x and so on, and if you really knew what you were doing, you could have swapped in a Mac ROM and had a Jackintosh. There was no limitation to a given OS on a given platform.

Hold on, my remark on the Atari ST was just a reminder of the old days when things were simple and where you did modifications yourself and were special. Not necessarily meaning something related to the BIOS. Except that I wouldn't be surprised when there will be kits you mount on your mobo to bypass new stuff.


redman
 Posted: Sep 26 2011, 01:16 PM
SLF Admin
Group: Admins
Posts: 1401
Member No.: 2
Joined: 8-April 11

Latest update tells us Windows 8 will block Linux because most manufacturers will not be enabling the "switch off" option. Perhaps because they do not care, but for sure because they want to qualify for Microsoft's Logo program. That means that when qualified, you get incentives from Microsoft.

Details can be read here.

One positive aspect is that Red Hat is kicking the bucket.
They have more resources than the average Linux users.


U308
 Posted: Sep 26 2011, 01:49 PM
SLF Advocate
Group: Members
Posts: 481
Member No.: 32
Joined: 11-April 11

Hello redman,

Very depressing news. Please explain what you mean by:-

QUOTE (redman @ Sep 26 2011, 03:16 PM)
One positive aspect is that Red Hat is kicking the bucket.
They have more resources than the average Linux users.

(The emoticon doesn't seem to indicate anything positive ?)

Are we destined to all (eventually) become Windows users ?

Jcink
 Posted: Sep 26 2011, 07:29 PM
SLF IRC Team
Group: Members
Posts: 166
Member No.: 15
Joined: 10-April 11

I'm very disappointed to hear about this whole thing. And there is virtually nothing regulators can do about it either, even if they could it would be too late anyway.

If manufacturers are going to start doing this, I'll make sure to steer clear of buying any OEM PC with this feature.
mulderx
 Posted: Sep 26 2011, 09:02 PM
SLF Rookie
Group: Members
Posts: 22
Member No.: 292
Joined: 14-June 11

Actually, Microsoft's reply said:
Lock-out security tech can be disabled, if OEMs want.

Read full article here:
http://www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/


In answer to this:
Red Hat engineer renews attack on Windows 8-certified secure boot
Linux lock-out row rumbles on

A senior Red Hat engineer has lashed back at Microsoft's attempt to downplay concerns that upcoming secure boot features will make it impossible to install Linux on Windows 8 certified systems.

UEFI (Unified Extensible Firmware Interface) specifications are designed to offer faster boot times and improved security over current BIOS ROM systems. The secure boot feature of the specification is designed so that only digitally signed OS loaders will load, a security feature that would prevent the installation of generic copies of Linux or FreeBSD as well as preventing rootkits and other boot-time malware from running.

A digitally signed build of Linux would work, but that would mean persuading OEMs to include the keys. Disabling the feature would allow unsigned code to run. However, it is unclear how many OEMs and firmware vendors will follow this route, which isn't required for Windows 8 certification.

The forthcoming secure boot feature has created a huge row with computer scientists, such as Ross Anderson of Cambridge University and open-source developers who accuse Microsoft of pushing lock-in and decreasing consumer choice. Microsoft responded by saying consumers would continue to control their PC and cited the example of one OEM, Samsung, which is including a "disable secure boot" feature on prototype versions of its tablet PC.

Power play
This response has failed to satisfy critics of the technology. Matthew Garrett, power management and mobile Linux developer at Red Hat, who was among the first to flag up concerns over the technology, said that Microsoft's response fails to address his central point that "Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems".

Red Hat, he explains, has been working with Linux suppliers, hardware manufacturers and BIOS developers since becoming aware of the issue in early August.

Garrett said that Windows 8 certification requires that hardware ship with UEFI secure boot enabled. A feature allowing secure boot to be disabled – necessary to run Linux and FreeBSD on certified systems – is not required for certification. "We've already been informed by hardware vendors that some hardware will not have this option", Garrett writes.

In addition, Windows 8 certification does not require that the system ship with any keys other than Microsoft's. Such systems will only securely boot Microsoft operating systems.

"A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's," Garrett writes. "No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer."

Neither of the two options – the first being to get OEMs to include keys for a digitally signed copy of a particular build of Linux and the second being allowing users to disable secure boot – look likely in most circumstances. The upshot of this, as things stand, is that Linux fans will only be able to run the alternative operating system on a small minority of Windows 8-certified hardware.


Read full article here:
http://www.theregister.co.uk/2011/09/26/uefi_linux_lock_out_row_latest/

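The key mechanism the opening post describes (a db whitelist, a dbx blacklist that overrides it, a KEK that an OS must hold to change either list, and the firmware switch that turns the whole check off) and that the Register article above restates, walked through as an added example. This is not code from the thread, from Red Hat, from Microsoft or from any firmware vendor: it is a teaching model in Go that uses the standard library's Ed25519 where real UEFI firmware verifies RSA/Authenticode signatures over PE images, it omits the platform key and signature-list encoding, and every name in it (Firmware, Image, Check, UpdateMsg, ApplyUpdate, RunScenario, the "Microsoft", "distro" and "OEM KEK" key pairs, the loader file names) is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Firmware is a teaching simplification of the UEFI secure boot key stores
// (no PK, no signature lists); each set is keyed by the raw public key bytes.
type Firmware struct {
	Enabled bool            // the "off switch" the thread argues about
	KEK     map[string]bool // keys allowed to change db/dbx (the post's "Pkek")
	DB      map[string]bool // whitelist of signing keys
	DBX     map[string]bool // blacklist of signing keys; wins over DB
}

// Image is a loader or driver with a detached signature over its hash.
type Image struct {
	Data, Sig []byte
	Signer    ed25519.PublicKey
}

// SignImage is what a vendor's signing service does: hash, then sign the digest.
func SignImage(priv ed25519.PrivateKey, data []byte) Image {
	d := sha256.Sum256(data)
	return Image{Data: data, Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, d[:])}
}

// Check is the firmware's load decision together with the reason for it.
func (fw *Firmware) Check(img Image) (bool, string) {
	if !fw.Enabled {
		return true, "secure boot disabled: anything loads"
	}
	if fw.DBX[string(img.Signer)] {
		return false, "signer is in dbx (blacklisted)"
	}
	if !fw.DB[string(img.Signer)] {
		return false, "signer not in db (no vendor key enrolled)"
	}
	d := sha256.Sum256(img.Data)
	if !ed25519.Verify(img.Signer, d[:], img.Sig) {
		return false, "signature does not verify (image tampered)"
	}
	return true, "signed by an enrolled key"
}

// UpdateMsg is what a KEK holder signs to authorize adding key to list ("db" or
// "dbx"); binding the list name stops a db request from being replayed as dbx.
func UpdateMsg(key ed25519.PublicKey, list string) []byte {
	return append([]byte(list+":"), key...)
}

// ApplyUpdate changes db/dbx only when sig over UpdateMsg comes from an enrolled KEK.
func (fw *Firmware) ApplyUpdate(by, key ed25519.PublicKey, list string, sig []byte) (bool, string) {
	if !fw.KEK[string(by)] {
		return false, "update not signed by an enrolled KEK"
	}
	if !ed25519.Verify(by, UpdateMsg(key, list), sig) {
		return false, "update signature does not verify"
	}
	switch list {
	case "db":
		fw.DB[string(key)] = true
	case "dbx":
		fw.DBX[string(key)] = true
	default:
		return false, "unknown list " + list
	}
	return true, "key added to " + list
}

// RunScenario walks the thread's situations on a constructed machine that ships with
// only a "Microsoft" key in db plus the OEM's KEK, returning each step's reason.
// crypto/rand failures are fatal in Go, so GenerateKey's error is ignored here.
func RunScenario() []string {
	msPub, msPriv, _ := ed25519.GenerateKey(rand.Reader)
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader)
	oemKekPub, oemKek, _ := ed25519.GenerateKey(rand.Reader)
	fw := &Firmware{Enabled: true, KEK: map[string]bool{string(oemKekPub): true},
		DB: map[string]bool{string(msPub): true}, DBX: map[string]bool{}}
	win := SignImage(msPriv, []byte("bootmgfw.efi (constructed)"))
	linux := SignImage(distroPriv, []byte("grubx64.efi (constructed)"))
	bad := SignImage(distroPriv, linux.Data)
	bad.Data = append([]byte("X"), linux.Data[1:]...) // one byte changed after signing
	var out []string
	add := func(_ bool, reason string) { out = append(out, reason) }
	add(fw.Check(win))   // 0: Windows loader loads
	add(fw.Check(linux)) // 1: generic Linux loader: no key for it
	add(fw.ApplyUpdate(distroPub, distroPub, "db", ed25519.Sign(distroPriv, UpdateMsg(distroPub, "db")))) // 2: the distro cannot enroll itself
	add(fw.ApplyUpdate(oemKekPub, distroPub, "db", ed25519.Sign(oemKek, UpdateMsg(distroPub, "db"))))     // 3: the OEM, holding a KEK, can
	add(fw.Check(linux)) // 4: now loads
	add(fw.Check(bad))   // 5: tampered image refused
	add(fw.ApplyUpdate(oemKekPub, distroPub, "dbx", ed25519.Sign(oemKek, UpdateMsg(distroPub, "dbx")))) // 6: key later revoked
	add(fw.Check(linux)) // 7: refused although still in db
	fw.Enabled = false   // the off switch the thread hopes vendors keep
	add(fw.Check(linux)) // 8: loads unchecked
	return out
}
```

Steps 1 to 3 are the thread's whole argument in miniature: the firmware does not judge the loader, only whether whoever signed it was enrolled, and enrolment is in the hands of whoever holds a KEK, not of the OS vendor asking to be let in. Step 7 shows why a dbx entry matters for defenders (a leaked or abused signing key can be cut off without rebuilding db), and step 8 is the "switch off" option the posters hope OEMs will keep exposing in the firmware setup.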