
Windows 8 Secure Boot Sparks Linux Furor, and a Microsoft Response

A new security measure introduced with Windows 8 requiring so-called secure boot keys could make it more difficult for consumers to load other operating systems including Linux on OEM Microsoft-certified machines pre-loaded with the software.

Depending on whom you talk to, this is a massive violation of consumer freedom that might (or should) draw anti-trust scrutiny from authorities such as the EU — or it is a desirable defense against malware that just so happens to coincidentally inconvenience a small, if vocal, group of power users.

The issue was flagged this week by a blogger and Red Hat Linux developer, Matthew Garrett, who laid out the problem and suggested that the jury was still out on whether this constitutes bad behavior, but urged the software community to at least pay attention.

“It’s probably not worth panicking yet. But it is worth being concerned,” he wrote on Tuesday.

Microsoft has tried for years to lock down Windows to prevent unauthorized changes to its security keys that would allow untrusted software to work on a machine, for example, through its controversial work with the Trusted Computing Group and Next-Generation Secure Computing Base initiatives.

At issue in this week’s debate is the Unified Extensible Firmware Interface (UEFI) for secure boot, a protocol that requires users to provide a cryptographic key in order to install and run any software on a machine. This key is held by the manufacturer, which could prevent malicious software from infecting a computer; but it could at the same time prevent consumers who buy locked devices from voluntarily changing the manufacturer-installed OS or choosing to run untrusted software of any kind.

“Because there’s no central certification authority for UEFI signing keys,” Garrett said in another post on his blog after the debate gained steam, “Microsoft can require that hardware vendors include their keys. Their competition can’t. A system that ships with Microsoft’s signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft’s. No other vendor has the same position of power over the hardware vendors.”

Garrett accused the software giant of effectively forcing users to use Windows 8 on pre-installed boxes, which would leave them “no longer in control of their PC.” Machines operating with certified Windows 8 would be unable to run other operating systems, such as Linux, install additional OSes, or replace Windows altogether and boot securely, Garrett said on Tuesday.

This would be a problem only for those who want to run multiple operating systems, including previous versions of Windows, on a Windows 8 machine. For the vast majority of users, who simply want to start Windows 8 securely, this change should have little effect.

Even so, the din in the blogosphere over the changes grew so loud that Microsoft’s Windows President Steven Sinofsky responded with a post on the Windows 8 developer’s blog on Thursday.

The impetus behind the secure boot change, according to Microsoft, is nothing more than security. Without the right certification key, malware will be unable to disable security policies in the firmware.

“There have been some comments about how Microsoft implemented secure boot,” he said, “and unfortunately these seemed to synthesize scenarios that are not the case.”

Tony Mangefeste of the Microsoft Ecosystem team added later in the post: “Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.”

However, Garrett contends this affects both hardware and software makers because unless their products are signed with the key included in the system firmware, they’ll be useless. For example, if you install a new graphics card that has unsigned drivers or drivers with a key not in the firmware, the card won’t be supported in Windows 8.

Sinofsky somewhat implied this would be the case in the comments section when a reader asked if Windows 8 would work without secure boot.

“Of course,” he said, but then added, “How secure boot works with any other operating systems is obviously a question for those OS products,” complete with emoticon smiley face.

Reactions to the controversy among the Linux community were mixed, with some crying foul over what they perceive as a clear and unwarranted intrusion on their freedom to tinker. But others took a more measured stance.

“Remember Palladium? Then NGSCB and Trusted Computing? Microsoft has been trying to solve this ‘problem’ for many years,” wrote one anonymous poster on Garrett’s blog. “Through TPMs and Intel’s TXT, it is finally becoming a reality for them. That it makes loading Linux difficult is just a beneficial side effect for them.”