Microsoft has become locked in a dispute over whether the boot process in Windows 8 will block Linux from running on hardware designed for the next version of its flagship platform.
Windows 8 secure boot uses pre-OS boot checks, as well as third-party software checks, to ensure that users PCs remain healthy. Photo credit: Microsoft
Matthew Garrett, a power management and mobile Linux developer at Red Hat, raised questions in a blog post on Tuesday about dual-booting of Linux in Windows 8. He argued the use of Public Key Infrastructure (PKI)-based secure boot means either Windows 8 will be signed with a Microsoft key, with the public part of the key included on the system; or the hardware maker could use their own key and sign the pre-installed Windows.
"The second approach would make it impossible to run boxed copies of
Windows on Windows logo hardware, and also impossible to install new
versions of Windows unless your OEM [original equipment manufacturer] provided a new signed copy. The
former seems more likely," Garrett said.
"A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux," he concluded.
Microsoft response
On Thursday, Tony Mangefeste, a member of the Windows Ecosystem team, responded to the suggestions in a blog post that detailed what the secure boot system means for running alternative operating systems.
– Matthew Garrett
Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors.
Unlike Windows 7, Windows 8 uses the Unified Extensible Firmware Interface (UEFI) secure boot protocol.
This allows manufacturers to set up a security policy for the hardware
that prevents people from running loaders for operating systems and
software it does not recognise. Ultimately, the protocol is designed to
make the computer safer from pre-OS boot attacks or malware.
The approach being taken by Microsoft is to provide the "best experience" first, Mangefeste said, by setting things up initially so most people will be protected against boot-loader attacks. After that, people can change the setting, if hardware makers give them the choice.
"At the end of the day, the customer is in control of their PC... For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision," Mangefeste said.
Manufacturers have final decision
Secure boot is a UEFI protocol and not a Windows-specific feature, and hardware makers have the option of customising their firmware to specify the level of certificate and policy management, Mangefeste said. This means that the final decision will lie with them on whether to allow or disallow the disabling of secure boot.
"Secure boot doesn't 'lock out' operating system loaders, but is a policy that allows firmware to validate authenticity of components," Mangefeste said.
"Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows," he added.
However, in a subsequent blog post on Friday, Garrett claimed that Microsoft had not contradicted any of the points he had made, and that the situation he had described remained the same.
"Microsoft's rebuttal is entirely factually accurate. But it's also misleading," Garrett said. "The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows."
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Talkback
This post has been removed by a moderator.
It would be a matter of time before the programming community writes a piece of software to circumvent the UEFI Boot issue - allowing users for multiple OS boot options again.
Developers and users in the IT sector would be most affected with the new Windows 8 Boot structure - most home/business users can barely use their machines with the software already installed in their machines, much less be concerned about multiple boot options. In fact, as long as it doesn't affect their ability to log into facebook or tweeter, they wouldn't even know what a Boot Policy is.
I'm not a fan of Linux(its not my cup of tea) but is this really needed ? seems like a wast of time and money!.
Tony Mangefeste? Great name!
'The approach being taken by Microsoft is to provide the "best experience" first' - in that case, they wouldn't bother putting Windows on the PC in the first place! :)
This whole situation is complete rubbish, as usual. Microsoft's excuse of: "Ultimately, the protocol is designed to make the computer safer from pre-OS boot attacks or malware." doesn't cut it. When was the last time we've seen any sort of pre-OS boot attack? Most if not all of the malware is within Windows itself. However, with all this said, in the end I'm sure a workaround will be found so that dual booting will be possible with non-Microsoft operating systems. It's unfortunate that Microsoft has such a large hand in the market. It continues to allow them to make moves like this, that in my opinion hurt the consumers time and time again.
And, Garrett's statement: "The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows." is spot on. UEFI gives Microsoft and the PC vendors more control over your PC, plain and simple.
Every time I read articles with news like this, I am even happier that I've migrated away from Microsoft's garbage software. It makes GNU/Linux even more free (as in freedom) than ever.
"For the enthusiast who wants to run older operating systems" I find that insulting, some distibutions of linux are merely 1 month old - thus newer than windows 7.
It also makes it sound like theres only a few of us, its widely used in business and theres millions of home users as well, we are certainly not a niche of "enthusiasts".
Any vendor would be making a big commercial mistake if they dismiss linux users, and as recession bites, its something im confident vendors will realise.
This post has been removed by a moderator.
For the records, boot-level malware does exist. The latest incarnation is called TDL-4:
http://www.julianevansblog.com/2011/04/the-windows-64-bit-tdl4-rootkit-malware-threat.html
Re: ApexWM
"When was the last time we've seen any sort of pre-OS boot attack?"
I seem to recall many years ago (about 10 possibly even 15 years ago??) there was viruses that used to re-write the boot information on a PC to infect it.
Of course now the main way a virus intercepts a PC is installing itself into System Restore folder. Maybe Microsoft want to fix that major hole before trying to fix something else that isn't broken. System Restore is great for viruses 'cos when they install Windows kindly installs there files into System Restore, which is a place where no virus killer can touch any of the files - isn't that good!
Most viruses now come from people who are using Windows, and not before boot up, this just seems to be Microsoft's way of locking the user to their software whether you want it or not.
Plus this is going to put the user at a serious disadvantage if they Windows software is corrupted in anyway. You won't be able to get your data back if Windows gets itself in a state it can't boot, unlike at the present time you just boot off a Linux Live CD and copy the stuff over.
Right, well....
For me, i bought windows 95, 98se, Millenium, Xp....vista...
i feel so burned by the whole sistuation of ms only creating a few good stable OS's
XP and 7 that im no longer going to pay for windows. i think that this move is to stop boot loaders...
which ulitmaly alow you to tirck windows in to thinking it is a legit "dell" or whichever brand...
ahh well, like people say it will only be time before its worked around.
Why wait for someone to fix a work around.
Just say...."WE DON'T WANT IT!"
Tired of these jokers always waiting for someone else to fix their problems or work around a problem.. the word is PROBLEM! MICROSOFT! read it my friends
"For the enthusiast who wants to run older operating systems"
How utterly patronising and elitist. Remember Betamax anyone? FAR superior to VHS ie Market Share or mainstream acceptance does NOT mean a better system.
God Bless Linux and all who sail in her :)
No one has mentioned that Microsoft has, apparently, excluded all other OS providers from any discussions, development or negotiation with the computer industry, or indeed from any information at all. It would seem that this can only be construed one way, and I wasn't thinking of arrogant, although it is.
Not just a security measure then, but also an attack on alternative OSs. It's also suggested that we will be stuck with the actual Windows version provided by the OEMs. Where does that leave Linux and other OSs and self build?
As I understand, it's not only dual boot that might be a problem but any alternative OS (including alternative Microsoft products) to the installed OS. Nevertheless, common sense would dictate that there must be a way to turn off or work around the feature so that developers can develop.
Even Mary Jo Foley is frustrated by the lack of information. It does make one wonder what game Microsoft is playing. Are they deliberately courting controversy or has the cat escaped from the bag prematurely and caught them unprepared. It's all very worrying since the anti-trust oversight is coming to an end.
No word of an *independant* CA managing the scheme either.
This is all news to me - still trying to get and handle on my PC's hardware status with regard to perhaps being able to run Win 7.
With McAfee and Microsoft Security slogging it out and leaving me with very little room to do anything on my Win XP machine, perhaps it's time to bale out and go the linux route instead.
Strange indeed to be seeing Win 7 as the middle-man needing to be cut out !
As it happens, I've got some downloaded Red Hat stuff, but it was downloaded long ago, the comments posted indicate I might be able to get linux installations that are newer than Windows 7. I suspect there's at least one linux distro that's likely to give me a less bumpy ride than the XP-to-Windows 7 transition is said to be: I have a seriously messed up and unremovable Microsoft Office 2010 installation on my machine and would need to start again from scratch to be able to use that software ever again. And now at least one sales site says you can't do a clean install of Windows 7, you can only run an update. I might try to do a complete rebuild of my XP installation - the bits that work, that is.
If that failed and I had to revert to the backup of my present installation, supposing the full restore worked, it would mean that even if I did subsequently buy into Windows 7, I would have a PC with zero Microsoft Office capability forever. In some eyes devoutly to be wished !
I'm getting quite fond of Wordpad !
Open Office Writer has fuller functions, including *some* good typography and picture handling, but it's sooo much slower getting going, and in comparison with MS Word is really quirky over visual elements pasted in from web sites, because it *always* tries to save the web addresses of ".gif" files instead of the images. Anyone know how to stop it doing this ?
I suspect it would (actually really should !) also behave like this if I were to try running under a linux distro.
And where's the Open Office DTP we've all been promised ?
Moley: "*independant* CA managing the scheme " ?? Because Bill Gates appears to think he invented the PC, the company he created equally seems to think it can do whatever it likes with the PC and **** to the lot of us.
JLYate
"And now at least one sales site says you can't do a clean install of Windows 7, you can only run an update."
Not quite sure what that means.
You can certainly install the full retail version of Windows 7 on a freshly formatted hard drive (I installed it on a new PC with no OS installed). This may help:
http://windows.microsoft.com/en-US/windows7/Installing-and-reinstalling-Windows-7
best comment of the year---
'The approach being taken by Microsoft is to provide the "best experience" first' - in that case, they wouldn't bother putting Windows on the PC in the first place! :)
another example of commercial bullying..what happened to freedom of choice ..wont this just open up the "window" for rival os's to pave the way remember apple taking on board the Intel chips so users could embrace windows ...looks like Microsoft are taking their ball home
Buy a mac, simples....
then boot from a separate drive with linux on
and wait for Microsoft to plead for it customers back
:) job done
if this was a new apple OS, noone would be batting an eyelid.
@Mark Chapman
> if this was a new apple OS, noone would be batting an eyelid.
If this were a new Apple OS then we would be talking *exclusively* about Macs, and not every other piece of desktop or notebook hardware on the market.
What people dont realize is that if there are
programs Windows does not wont you to use.
you will be block’t from using it!
you will only be able to use programs Windows lets you.
Linux operating systems are use’d as much as Windows.
I use Ubuntu. it is very easy to use Now.
it can use most of the windows programs.
and it is Free. and unlike windows,
that is made for them to spy on you.
which is why it is easy for spy and virus programs to get to it.
Linux is hardly effected by spy and virus programs.
you can try Ubuntu from a CD disk at boot up.
it boot from the CD and you dont new to install any thing.
so if you dont like it. just take out the CD
and restart your PC and nothing is change.
if you like it just install it with windows.
or make a fresh install.
You've all missed a point here.
MS are saying it is down to the OEM whether they lock it and what to. So an OEM COULD decide to lock the machine to a specific OS that only they provide, which does not have to be Windows.
MS are trying to be clever and say that it is up to the OEM - or designer of THAT PARTICULAR instance of UEFI - what OS it allows to load. This is passing the buck to the marketing people who will tell the OEMs that they can only have a discount IF they lock the machine to Windows 8.
Or the OEM can (try to) make the machine one use only and lock out the resale market.
very very many good points. @ all. but that last one really struck me Burn-IT. wow i can see that happening. wow.
rEFIt will prolly blitz this, with Red Hat Canonical and such's needs riding on it.
rEFIt are Linux's answer to Apples EFI, so i guess, they guys will be the top 'go to' guys to get this sorted.
i've seen one of the devs on Ubuntu Forums on my travels and he really seems to know his stuff.
i appreciate the work grub did. thank you. brava!. but now it's EFI time and if we can make drivers on our own, if we can get DE's on our own, I think the guys at rEFIt can do it.
on another note...its back to old M$ for them.
there are three things Linux does not provide that i need. 1. a way to flash the bios..oh wait! 2. bluray playing.. oh wait they did that in the 3.0 kernel didn't they? 3 garageband. rakarrack is good buuut ..ah one day :9
Dava.
There is one very large ray of hope in all of this that I haven't seen mentioned yet. If Microsoft is going to be writing the code to implement this, you can pretty well guarantee that it will be hacked and bypassed within a few days of its release. Or earlier. So, no worries.
jw
JLYate I've done more clean installs of Windows 7 then I care to remember. Use a key viewer such as MS key viewer plus (freeware) to retrieve your product key for office. Then all you need is the disk or the set up files......just pop in to your local computer fix it place and ask them for a copy of the OEM disk for office and they'll burn you off a copy. That is your copy of office for life, don't throw it away.
Steven Shearing, can you explain what you mean when you refer to Linux as a waste of money?
I think he was referring to Windows 8 as a waste of time and money!
I have been reading about this here and elsewhere. One thing is clear and that is that the situation is very far from clear, which is in itself highly unsatisfactory. Red Hat are expressing grave concerns having been liaising with manufacturers, and much reference has been made to Microsoft's leverage with OEMs. There is the underlying suggestion that Microsoft is trying to create the PC as a Microsoft only product using 'Windows 8 Certification', with strings attached, as a de facto standard and thereby creating a consumer product.
In the arguments and counter arguments, in the absence of any real facts, it is clear that laptops might well be the particular product which is most vulnerable to a total lock down - what you see is what get, take it or leave it.
The Unified EFI Forum comprises of a range of major commercial IT companies, AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies, in which Microsoft could be seen as a dominant player and Free Software is not apparently represented at all. There is no independent over sight so far as I know.
So again, in the absence of facts and an independent body, there seems to be a great deal to worry about.
This surely can't be true and MS must be doing something about it. A lot of times when MS Windows falls over people use bootable utilities to recover it. Some times that is the only way. MS you moro.. are you Apple or what!!
This post has been removed by the author.
This COULD be implemented in a vendor-neutral way...
Users login from another registered device to their account at Microsoft, the computer manufacturer or any other entity they have keys registered with, and download a new key.
After a multi-step authentication process that includes an email-reply verification and optional phone callback, a user or System Administrator downloads new keys for one or more of the registered machines and copies it to a storage device, usually a memory card or flashdrive. The downside of having to physically be at the computer remains for large data centers, but life would be better than what we've been envisioning. At the computer, Secure Boot looks for new keys on the first boot device during powerup. (Anybody remember floppy drives and serial dongles used like this? No? Never mind...) Since the Unified Extensible Firmware Interface (UEFI) software in conjunction with a Trusted Platform Module (TPM) allows multiple, equally valid keys to exist on a "keyring", the new key can just be added and full access restored.
robert
softwarerevisions.net
@RCWatson
Then why are we not hearing anything but a deafening silence, punctuated by a few prevarications?
Microsoft's onslaught and secret deals on Android and other Linux devices hardly bodes well.
This post has been removed by a moderator.
Moley, Why would MS include any other OS providers? It is not in their business interest and it is honestly up the hardware vendors to drive the discussion. Your suggestion is like saying Apple should include other vendors on its OS design and hardware requirements.
Besides if other OS’s had any impact on the market they would be able to lead the HW guys around by the nose rather than letting MS have their way.
Apexwm, sure Linux is free, free from nice user interfaces, free from commonly used software, free form compatibility and most of all free from being able to do anything easily.
Don’t get me wrong I use Linux frequently and generally like it but not for an average user.
"sure Linux is free, free from nice user interfaces, free from commonly used software, free form compatibility and most of all free from being able to do anything easily."
Hopelessly wrong, you say you use Linux, well not properly or recently by the sound of it, Gnome 2 or Gnome 2 classic with Compiz/Emerald looks far nicer and more customisable than Metro, loads of extremely good stable software, you're probably the type of user that goes screaming back to windows after one bad programme, just uninstall it and find an alternative, I do agree it's not for everyone you need a bit more know-how, back on topic don't have any doubts Microsoft are trying to make things awkward for Linux, I've already had issues with major Windows 7 updates failing because I have grub installed.