Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers

A quiet announcement from the Fedora Linux community signals a titanic shift in the way that the computer market will work from now on, and a major threat to free/open operating systems. Microsoft and several PC vendors have teamed up to ensure that only operating systems bearing Microsoft's cryptographic signature will be able to boot on their hardware, meaning that unless Microsoft has blessed your favorite flavor of GNU/Linux or BSD, you won't be able to just install it on your machine, or boot to it from a USB stick or CD to try it out. There is a work-around for some systems involving a finicky and highly technical override process, but all that means is that installing proprietary software is easy and installing free/open software is hard.

This is a major reversal. For many years now, free/open OSes have been by far the easiest to install on most hardware. For example, I have installed Ubuntu on a variety of machines by just sticking in a USB stick and turning them on. Because the OS and its apps are free, and because there are no finicky vendor relationships to manage, it Just Works. On some of those machines, installing a Windows OS fresh from a shrinkwrapped box was literally impossible -- you had to order a special manufacturer's version with all the right drivers to handle external CD drives or docking stations or what-have-you. And the free/open drivers also handled things like 3G USB adapters better than the official drivers (not least because they didn't insist on drawing a huge "WELCOME TO $SOME_STUPID_PHONE_COMPANY" box on the screen every time you connected to the Internet.)

At issue is a new facility called UEFI, which allows a computer's bootloader to distinguish between different operating systems by examining their cryptographic signatures. In theory, this can be used to alert you if malicious software has modified your OS, putting you at risk of having your passwords harvested, your video and sound secretly captured, and your files plundered. But rather than simply alerting users to unsigned ("I have found an unknown operating system and I can't tell if it has dangerous software in it, continue? [Y/N]") or changed OSes ("Your computer has been modified since the last time it was turned on, and now has a version of Windows that can't be verified") Microsoft and its partners have elected to require a very complex and intimidating process that -- by design or accident -- is certain to scare off most unsophisticated users.

Fedora has opted to solve this problem by paying to receive Microsoft's blessing, so that UEFI-locked computers will boot Fedora without requiring any special steps. The payment is comparatively small ($99). When you multiply $99 by all the different versions and flavors of free/open operating systems, it adds up to a substantial revenue stream for Microsoft and a cost to, and drag upon, the free/open software world.

What's more, free/open OSes that don't pay the $99 Microsoft tax will not boot at all on Microsoft-certified ARM-based computers, because Microsoft has forbidden its partners from booting an OS that hasn't been signed by Microsoft, even if the user takes some affirmative step to install a competing system.

This is a tremor before an earthquake: the hardware vendors and the flagging proprietary software vendors of yesteryear are teaming up to limit competition from robust, elegant and free alternatives.

Here's Fedora's Matthew Garrett explaining their decision:

We've been working on this for months. This isn't an attractive solution, but it is a workable one. We came to the conclusion that every other approach was unworkable. The cause of free software isn't furthered by making it difficult or impossible for unskilled users to run Linux, and while this approach does have its downsides it does also avoid us ending up where we were in the 90s. Users will retain the freedom to run modified software and we wouldn't have accepted any solution that made that impossible.

But is this a compromise? Of course. There's already inequalities between Fedora and users - trademarks prevent the distribution of the Fedora artwork with modified distributions, and much of the Fedora infrastructure is licensed such that some people have more power than others. This adds to that inequality. It's not the ideal outcome for anyone, and I'm genuinely sorry that we weren't able to come up with a solution that was better. This isn't as bad as I feared it would be, but nor is it as good as I hoped it would be.

What about ARM

Microsoft's certification requirements for ARM machines forbid vendors from offering the ability to disable secure boot or enrol user keys. While we could support secure boot in the same way as we plan to on x86, it would prevent users from running modified software unless they paid money for a signing key. We don't find that acceptable and so have no plans to support it.

Thankfully this shouldn't be anywhere near as much of a problem as it would be in the x86 world. Microsoft have far less influence over the ARM market, and the only machines affected by this will be the ones explicitly designed to support Windows. If you want to run Linux on ARM then there'll be no shortage of hardware available to you.

Implementing UEFI Secure Boot in Fedora (Thanks, Deborah!)


  1. As someone who makes technology choices for my company, any device we purchase that comes with secure boot enabled by default will be immediately returned as defective.

    1. Be prepared to do a lot of returns after this fall or so, because any Windows certified PC will be required to have the UEFI turned on by default.

      1.  It’s only consumer hardware this applies to, server hardware is exempt because they knew they couldn’t make it stick there.

      2.  Then so be it.  Microsoft does not set the pace of the industry anymore.  They are no longer capable of that.  They are acting against their own self interest and they will pay dearly.

    2.  God forbid anyone installing an OS should be asked “complex and intimidating” questions. People who get intimidated by questions should keep their grubby paws off of the OS and get a small child to help them with the install.

      1. Except that at least two OSs out there never need to be installed by their users (unless something goes badly wrong), as they can get computers with them preinstalled.

        1. There was a time when you could easily get a computer with Linux pre-installed: at the start of the netbook craze. Turns out most people don’t really want them. Those who actually know what Linux is and why they would want such a thing are smart enough to install it themselves or get someone qualified to do it for them.

          1. Yeah, I don’t think you got what UEFI means. It doesn’t matter if you are “qualified” or not. You won’t be able to install it until the OS maker pays Microsoft for the key. Get it?

          2. It could be claimed that netbooks vanished when they became slightly bigger and just turned into normal laptops.

            Meanwhile the heirs of netbooks are the tablets, and they often run iOS or some version of Android.

          3. warcaster: I don’t think you know what UEFI means, either.

            UEFI is just firmware. Nothing that restricts you in the base version.

            UEFI Secure Boot, however, is what you’re talking about.

            UEFI Secure Boot on x86 will be required to have a switch to disable it. So, you can find that switch, and then you’re back to today.

            UEFI Secure Boot on ARM, however, is where the problem is. That said, the ARM devices will most likely flop hard, so just buy an Android tablet that has an unlocked bootloader.

          4. The whole netbook thing was weird. They started out as very special devices, small screens, minimal sized keyboards, small SSD and Linux. The nearest right now are Asus Transformers (funny how Asus started the whole Netbook thing with their EEEPC 701) running Android, and Google Chromebooks.

            But HP and Dell sat out the party while ASUS, Acer and MSI duked it out in early period. The MSI model was a messy entry tho, as their SUSE bundle was missing vital drivers and was used as a basis for rebrands sold via big name chains.

            Only with MS putting XP on life support and creating very specific hardware requirements (that made netbooks in general bland) did HP and Dell enter the fray. And when they did, we got things like Dell putting a mail in rebate on the high spec Windows model that made it no more expensive than the Linux model (the lowest spec-ed variant of the range).

            In the end I do not know if people cared either way, they just went with what was familiar and on the shelves. And the shops were happy to push them as by now they had become so similar to laptops (Windows basically forced the use of HDDs as it could not be made to fit on the SSDs used in the early models) that they could push the old boxed standbys like Norton security.

            Basically netbooks went from a kind of Linux based web/net terminal to what amounted to an underpowered ultra-portable laptop.

      2. The typical setup options will be as complex as “Secure Boot: Enable/Disable” If disabled, then the signing isn’t enforced.

      3. You FOSS techno-elitists still exist?  I thought Ubuntu pretty much wiped y’all out around 2005.

      4.  There is a gradient of difficulty here. While performing a working linux install used to be somewhere around the same difficulty level as getting a working install of windows, this kind of thing should push it down to somewhere between getting a working Plan9 install and getting a working LFS install. This is not to say it brings it down to the difficulty level of writing your own posix-compliant OS (though that’s nowhere near the OS installation difficulty level upper asymptote), but it certainly takes linux away from the “where’s the power button on this thing”/“how do I internet” crowd, whereas previously it was entirely viable.

    3.  This secure boot is supposed to stop boot viruses right? Your office will be more secure. You wouldn’t get boot viruses anymore.

      My question is, what about the other kinds of viruses?

      1. It’s not supposed to stop all viruses, it is supposed to stop boot sector viruses, which are the single most common way to bypass all of Windows x64’s security features. Mebroot, Rustock, TDSS, etc. All major families of malware which were the most sophisticated in the wild before stuxnet was on the scene. All can *not* be locked out in the consumer context without secure boot. They can be *detected*, but not locked out, in corporate contexts if you use a TPM, but of course you’re afeard of the magic TPM voodoo box which is going to undermine your liberty so that’s right out. They can and have been detected for home users with MS’s free anti-virus, but that’s signature based and therefore a losing game when compared to secure boot. Oh and it’s MS’s free AV so it’s probably evil too right?

        1.  Windows x64 has security features? Are they actually starting to become sensible? I have a distrust for the security-consciousness of any software franchise that refused to use proper memory protection in consumer units until 2001.

    4. Same as above, we will only purchase Linux Certified Hardware. Once our capability to manufacture is up, we will avoid this uncompetitive and monopolistic feature.

      1.  LOL! What the hell are you smoking? There is no Linux Certified Hardware. Truth be told, UEFI is not owned, controlled, or created by Microsoft. The OEMs control that. If you don’t want a UEFI Windows 8 PC, just order one without the Microsoft signature.

        1. “If you don’t want a UEFI Windows 8 PC, just order one without the Microsoft signature.” – Did you even read the article?

          “because Microsoft has forbidden it partners from booting an OS that hasn’t been signed by Microsoft, even if the user takes some affirmative step to install a competing system.”

          I’m sure it will be super easy to buy a box without UEFI and then just install Windows 8 without the signature.  Surely with Microsoft’s puny resources, they won’t bother to check if you’re running on a system that is not complying with their monopolistic worldview.

  2. “When you multiply $99 by all the different versions and flavors of free/open operating systems, it adds up to a substantial revenue stream for Microsoft.”

    What, seriously? Let’s see. Microsoft’s 2011 revenue was $70 billion. Let’s arbitrarily say that in order to consider a revenue stream “substantial” it must amount to 1/100 of 1% of a company’s overall revenue. That works out to $7 million. At $100 per license, that works out to 70,000 “different versions and flavors” that would all have to be paying toll.

    I’m totally down with hating on UEFI, but “substantial revenue stream” doesn’t cut it. It’s sloppy and undermines the rest of the argument by its presence.

      1. It does open the door to a potentially substantial revenue stream however.   What MS has to manage is the precedent of getting everyone to pay them a tax.  Once it’s in place, they can raise it as they like.

        1. Kinda like how sneaky working on contracts in the past resulted in MS being paid by PC shipped, independent of the OS actually on the HDD?

        2. Also, it doesn’t have to be a revenue stream. It is better as a deterrent to other operating systems being installed. Maybe their intent is not to get a ‘tax’ from all these other OS’s, but to squeeze them back into obscurity. 

      2. Cory — Are you sure you have the $$ stuff correct? As I understand it, the $99 goes to Verisign to get an ID. The per-signing cost from the Microsoft portal is %0. It looks like it goes to MS because of the fact that you can access it from the MS portal, but read the fine print: “To receive the VeriSign promotional pricing, complete all of required fields, and then click Continue. The type of code signing certificate (Organization or Individual) to be issued will depend on the option that you select: Corporation or Individual.” That certificate is used to sign your code submissions. If you go to the Verisign website you will see the same set of options available.

        1. Tim is correct. Cory didn’t RTFA since it says right in the article that the money goes to verisign. If Cory RTFA he would also realize that this wasn’t about some vendors conspiring against Red Hat. This is about Red Hat *making the choice* that they didn’t want to try to work with vendors to include their keys, since they didn’t want to be in a privileged position over other Linuxes. This was about Red Hat *making the choice* to not ask users to disable secure boot. Secure boot is a demonstrably good thing in response to demonstrably difficult malware problem (which I happen to be a researcher on). We don’t need more FUD, but I’ve come to expect it from Cory (I just read him still to keep abreast of the misinformation being spread.) I’m all for open access and open systems, but not when that means we can’t shut out malware even if we want to.

    1.  Anyone who hates on UEFI is an idiot, or an ignorant Microsoft hater who wrongfully thinks Microsoft owns or controls UEFI.

      1. Can I be both? Actually I’ve always preferred ‘wiseacre’ but whatever works for you.

    2.  There are indeed more than seventy thousand linux distros. Most of their maintainers are not going to be willing to pay microsoft ninety nine dollars for anything.

  3. $99 for each different revision never adds up to a “substantial revenue stream” for Microsoft. I would even wager that the cost of development of the site and the manpower to run the program/verify the accounts is never returned by the revenue of the program.
    This does not make the UEFI situation right, but do not spin it like a revenue stream that has 60 billion dollars in yearly revenue.

    1. I don’t see why they wouldn’t embed it in the motherboard. There would be a huge demand from custom build vendors that would drive it. I wouldn’t expect this to stay restricted to DELL/HP, I’ll bet it will be on the boards/ bios soon enough.

  4. Why are the vendors going along with this? What do they have to gain, here? If they’re just doing what Microsoft tells them to do because they have to, isn’t that, like, illegal?

    1. Well they can opt to not sell computers with Windows preinstalled. Should make them a lot of customers…

      Never mind that MS has long been providing some pretty hefty (tho NDAed) volume discounts for big names like Dell, HP and Acer. If MS was to say they can’t have that discount any longer, their relative product price would jump accordingly (or the companies would have to eat the cost, cutting into their already thin margins).

  5. Microsoft lost an antitrust suit when it tried to bundle IE with Windows.  Now they are going to bundle Windows with hardware?  Seriously?

      1.  This has the makings of a new lawsuit. FSF, are you listening? ‘Cause Fedora ain’t.

        1. I trust the Fedora peeps garnished the shit sandwich the best they could.

          Prolly take some pretty deep pockets to get this ball rolling…

          1. I’m glad you posted that. Did you read it? Because if you did then what you’re showing people is that the desired and advocated for conditions are clearly already met by MS’s implementation. Users can enroll their own keys and users can install whatever the hell they want. It was a non-issue when it first hit the blogowebs and it’s a non-issue now.

      2. It’s not illegal because it’s a completely inaccurate appraisal of the situation. Go RTFA and come back and describe exactly what you think is illegal. Because it’s not illegal for someone to say “If you want to sell my software, you need to turn on the security so that my software can’t be completely owned by malware from before my software even boots.” It’s not illegal because anyone and everyone can just turn off the security and install whatever they want. But yeah, you’re probably right. “ZOMG MS is abusing its monopoly to make it so that people who sell their software have to turn on security. Do no evil!”

        1. Yeah well, after looking into it a bit more, it doesn’t seem like such a big deal.

          My WTF was in reaction to the sensationalised and highly inaccurate reportage above; I’d assumed we could rely on a higher standard of journalism from BB than that.

    1. The vast majority of computers have an OS bundled. Bundling is not the issue here.

      It’s the not being allowed to install something else that’s the issue.

      1.  What are you talking about? You can install whatever you want by turning off the security. Besides, if you don’t want a Windows PC, why the hell would you be upset at this? If you wanted to install something other than Windows, don’t buy a Windows PC.

  6. This question is so obvious to me, I’m surprised other people aren’t harping on it:  Isn’t this a clear abuse of Microsoft’s monopoly power?  I.e., an antitrust lawsuit just begging to be filed?

    1. Let’s be clear here. An OEM can install any number of certificates in the firmware at the time when the machine is built and subsequently when installing an OS. And the number of certificates can be updated later. The problem Fedora has is that they don’t have the relationship with the vendors to influence them to carry their key also. If they did, Fedora would be just as “in” as Microsoft. So rather than try to fight that fight, Fedora just signs their boot loader with the MS cert. They pay $0 to sign each boot loader from now until MS changes their key (and MS wants their boot loaders to work on older machines also).

    2.  Yes, this is a clear abuse of monopoly power.  If the FTC were functional this would not be allowed.  Someone should contact the EU competition commission.

  7. I remember similar alarm being expressed during the advent of Apple’s iOS devices. And during the proliferation of DRM technologies. And, before that, when telephones and picture radios invaded our living rooms. And yet, somehow, the earth continues to revolve, unabated. I think this may also turn out to be a non-issue.

    1. Pff, vigilance fail.

      Faith in some sort of status quo regarding our ability to control our own computers (which are nothing like ‘picture radios’ at all in that sense) is severely misplaced.

      What law of nature do you imagine exists to prevent corporate scumbags killing the general-purpose computer? They’d be all too happy to provide nothing but locked-down devices tailored to rape us all.

      The only thing standing in the way of this madness is the highly endangered principle of collectivism.

    2.  Because the people who use open source or write open source just ignore Apples tiny piece of the pie.

    3.  It depends what you mean by “non-issue”. If you’re talking about it affecting the revolution of the earth, then, yes, I agree. It is always possible to ignore any amount of pain that you encounter if that is your standard. Many people on this planet make their living picking through trash for saleable scraps. Somehow, the earth continues to revolve.

  8. This has been around for a while now in the server market….

    HP server hardware (G7 & G8 and possibly G6) will not allow you to install Windows 2003 server below 2003R2

    1.  Damn, that doesn’t make as much sense when Boing Boing screws up the ‘reply’ and drops it at the bottom of the page.

      1. To be fair, it’s a Disqus screw-up.

        Hasn’t happened to me yet… but I got sick of all the extra line breaks when quoting someone (blockquote is the tag, folks), and realised the fix is to paste into and copy from Notepad or some such.

        Actually, you could use that tag to insert the comment you’re replying to in your post with an edit.

  9. I didn’t make this clear originally, so I appreciate how this could be misconstrued, but the $99 goes to Verisign rather than Microsoft. The process actually costs more than that with Microsoft subsidising the difference, so for now at least the only kind of revenue stream it’ll be is one leading away from Microsoft. 

  10. After reading the hyperbole I guess the meat of the story is that you will only be able to run Windows RT on “Microsoft-certified ARM-based computers” aka the new Windows 8 tablets. So what ? There’s no shortage of actual full fledged ARM boards out there to run Linux and frankly these tablets aren’t meant to be multi-purpose computers, they’re meant to be just Windows tablets. It’s not like MS is going to be selling a lot of these anyway.

  11. The relative freedom we’ve all enjoyed with our computers and computer using electronics was an aberration that only existed because the technology wasn’t sophisticated enough or popular enough for the big companies to be able to easily keep their customers on a leash. Now that they are able to, I suspect things like this will be very common in the near future.

    1. Seriously? Computers weren’t “popular enough” until now? That may have been true in the 1980s, but not for a long time. You’re positing a conspiracy theory that doesn’t make any sense.

      In any case, read Weintraub’s comment below. This whole post is alarmist as the problem only applies to a small subset of ARM-based PCs that don’t exist yet.

      1. I’m talking about how, since their average customer is no longer the technically minded geek who enjoys poking, prodding, and playing with every feature of these devices, the companies who make them have slowly started to realize that they can get away with locking things down. Plus the ubiquity of devices with a constant connection to the internet means that they retain control of your property and can disable or change things at will through mandatory patches.

        1. “since their average customer is no longer the technically minded geek who enjoys poking, prodding, and playing with every feature of these devices”

          Uhm, those geeks haven’t been the “average customer” since at least the mid 80s. The C64 alone sold over 20 million units, and most of them in (western) Europe. There weren’t that many geeks at the time.

  12. This “any Windows certified PC will be required to have the UEFI turned on by default.” is about the little “designed for – insert current windows version” stickers they stick on pc’s/laptops, no ?

    no, if UEFI turned off by default the brand cannot add this little sticker on the pc?

    that’s it?

    So what is then stopping dell/lenovo/etc of offering on version with the sticker and one (cheaper – without windoz tax- maybe linux pre-installed?) version of the same hardware?

    All it will result in for M$ is people will buy the cheaper one and ask the family guru to plunge an illegal windows version on it (unless they are happy with Linux or so )?

    1. You make two assumptions here:

      1) The average PC user knows anything about any OS other than Windows (hence ‘Monopoly’)
      2) Distribution and popularity of illegal copies is extremely high

      The big problem is what happens if the whole UEFI/Win8/SecureBoot scenario is kept in play for long enough (say a couple of years)…

      Most current users of Linux were Windows users before they ‘found’ Linux. Most Linux users were introduced by a friend, family, colleague handing them a USB/CD and saying ‘hey, try this – if all you do is email and browse the web this will be a lot faster and you won’t get all those nasty viruses’. Microsoft wants to block this ‘infection’ of their user pool. With SecureBoot, if you are given a Linux USB/CD and try to boot it, the PC will flash up a big red warning screen – Linux will no longer ‘Just Work’ and its ability to present itself as an easy to use OS will be lost.

      So in two years time, even if SecureBoot goes away (because it won’t do what Microsoft is pretending is the reason for its use), Linux will be set back 10 years. If you give a Linux USB/CD to a friend and say ‘here, try Linux’ they will say ‘Oh, I’ve had so many people tell me it’s a waste of time and that it won’t run, etc, etc.’

      1. This is the best summary and explanation of this draconian firmware that I’ve seen here.  The purpose is to slow and halt new installations of Linux by making it harder and scarier.

      2. Yes, because Linux on the desktop is *such* a threat to Microsoft! Look at the enormous market gains in the last 10 years… er.

        In the real world, what started as just another anti-piracy and anti-virus feature (Secure Boot) was then morphed by Ballmer’s gang into another bout of Apple wannabe-ism (“our ARM tablets will be locked down like *their* tablets, because *that*’s how they make so much money!”). Effects on the Linux world are just collateral damage, albeit certainly not unwelcome. 

        As a Linux user, I’m not scared by UEFI. General-purpose devices (laptops, desktops etc) will have the usual switch in boot menu (and whoever says that accessing the boot menu is technically hardcore is seriously misguided — even people in their fifties by now know what it is and how to access it). 

        Tablets will be locked down only because Apple taught us it’s how it should be, by Jobs!, and MS execs are so clueless that they’ll do whatever they can to mimic that. So you wanna blame somebody? Blame Apple, blame Steve.

  13. I’m not sure where to begin. Calling “$99 per OS a significant revenue stream for Microsoft”, or even calling it a revenue stream. The money goes to the root certificate providers (in Fedora’s case, Verisign).

    Standard desktop PCs running the x86 chipset are required to have the ability to turn off the secure boot feature, and have the ability to accept other signatures. Fedora did what they did because it was the easiest way to ensure that all PCs will boot Fedora without having to do a thing. Most commercial Linux distributors have already done this. Other Linux distros will require you to go into the Firmware and either turn off the SecureBoot or install generated boot keys. If you know enough to install a roll your own distro, you can do this.

    ARM is another story altogether. ARM PCs with Windows RT on them will have secure boot turned on with no way to turn it off. Considering the market share of Windows 7 Phone, I can’t see this being a major issue. You can get quite a few ARM based computers with no locked down boot loader, or select from several Android computers that also have unlocked boot loaders, or let you unlock the boot loader.

    Why is this going on? Because malware is getting more and more clever. Windows 8 will sign almost all major parts of the OS including all libraries. It will become almost impossible for malware to install itself on Windows.

    That is, unless it can get into the boot loader and turn off Windows checking for digital signing on its libraries and executables. That’s why the boot loader is being signed.

    Yes, for those who like to hack, it does make things harder. However, the vast majority of computer users aren’t hackers. You can call them all sorts of unpleasant names, but they too buy computers and want to be able to use them without worry. I too am tired of the constant battle to secure my computer, and I’m pretty technical.

    So, if you want to roll your own OS, buy any x86 PC and turn off the secure boot. If you want an ARM PC, buy an Android model which will probably outsell Windows RT computers for the foreseeable future. (I don’t have much hope for Windows RT — not when every time you browse the Web, you go back to the old 1995 inspired Windows desktop.)

    For more information take a look at Ars Technica’s excellent article on the matter: http://arstechnica.com/information-technology/2012/01/windows-8s-locked-bootloaders-much-ado-about-nothing-or-the-end-of-the-world-as-we-know-it/

    1. “Why is this going on? Because malware is getting more and more clever. Windows 8 will sign almost all major parts of the OS including all libraries. It will become almost impossible for malware to install itself on Windows.”

      HAHAHAHAHAHA – Wrong!

      So there will be no need for anti-virus software in Win8?

      So in 5 years, all the anti-virus vendors will be out of business?

      Anyone remember what happened to the ‘hack-proof’ Playstation 3?

      I give it 6-months tops before a good Win8 virus goes wild.

      1.  Windows IS malware.  Signing with keys from an incompetent and untrusted source, such as Microsoft, doesn’t provide any protection against malware whatsoever.

    2. “Other Linux distros will require you to go into the Firmware and either turn off the SecureBoot or install generated boot keys. If you know enough to install a roll your own distro, you can do this.”

      I had a call from a friend about a week after he installed GNU/Linux asking if it was case sensitive. It takes less knowledge to install GNU/Linux than Windows, and this is an extra step for some distributions. I’m guessing it may also make dual boot operation complicated, which is the usual stepping stone.

      I agree it will probably become a “non-issue” for the big distros, but it may discourage folks from fiddling and experimenting, which is a shame as boot is one area where more progress should be made because frankly it is a pathetic experience in all major general purpose operating systems to sit and watch the BIOS do something daft with bespoke options and key sequences, then have a boot loader do something, then have the operating system try and detect everything the BIOS has found and look around for a load of hardware that has never been plugged in…

  14. Isn’t the “finicky and highly technical override process” going into the BIOS and deselecting an option? I’m pretty sure that’s what I read – that it’s a CMOS option. If you aren’t capable of doing that (and I’d guess around 99% of computer users aren’t), then maybe it’s best you let Microsoft decide what programs you can run.

    I’m not at all a fan of Microsoft, and I do worry that this is a slippery slope we’re on, but as long as you can change a BIOS setting to fix the problem, I don’t see a problem.

    1. Changing BIOS settings is not hard, your computer tells you what key to press to get to the settings, and then, at least in Intel BIOS, you get a description of what each setting does. In addition to that, I’ve even seen a BIOS that was mouse driven, no kidding. And on top of all that, if an inexperienced user is going to try this, they’ll be following instructions put together by people who do know what they’re doing.

    1. Why? I am a lawyer and don’t really see much of a problem.

      People need to think rather than react. None of this stuff applies in any way – even to ARM-based products – unless you want to sell a computer with a “Designed for Windows 8” sticker. There will still be zillions of computers in circulation that don’t have UEFI so can’t do secure boot even if they wanted to and I’m sure that if they are capable of running Windows Vista or Windows 7 they are almost certainly going to run Windows 8.

      There is potentially a problem if ZYX Corp decides to make an ARM-based device and only sell it with a “Designed for Windows 8” sticker. They won’t run anything apart from Windows 8 but that may be appropriate for their market. Not many people complain that you can’t install Linux (or anything else for that matter) on an iPad.

      I’m sure that any manufacturer who sees a market for ARM-based products not running Windows 8 will ship a version that will boot other software and which does not come with the magic “Designed for Windows 8” sticker.

  15. “For example, I have installed Ubuntu on a variety of machines by just sticking in a USB stick and turning them on”

    I’m not so sure that’s an unqualified positive feature. I mean, s/Ubuntu/malware/ and read it again.

    1.  Useful if you are a thug trying to get anyone that uses a computer to pay you a tax.

  16. I just realised something…

    Kaspersky have a rescue disk to rescue Windows PC which uses Linux. So, if your shiny Win8 PC does get infected, you’re kinda naffed.

    Don’t be fooled into thinking the ‘secure boot’ is going to, in any way shape or form, protect you from viruses/malware. Everyone sipping from that Kool-Aid can is going to feel rather silly in a few months when the first Win8 virus goes wild.

    1. I don’t think Microsoft is claiming this will stop viruses, indeed their other antivirus stuff in Windows 8 suggests they don’t think so either, this is more about preventing malware loading too early in the boot process. e.g. Before Microsoft Software. Thus it should allow Microsoft to start their own tools and anti-malware efforts before other software. In theory this should make the system recoverable – think safe mode on steroids – where you can be reasonably sure if you pick “safe mode” that the system is behaving correctly (of course if the virus/malware modifies any of the files needed for booting I guess the system won’t boot till you stick in a certified recovery disk or some such).

      I don’t think this is a good approach, I’ve rescued too many Windows boxes by booting from cheap and tacky 3rd party rescue disks that boot various minor Linux distros, not least some of the old DELL CDs and Floppies for rescuing were like this. They’ll presumably be usable if you flick a switch in the BIOS but we all know how easy and reliable BIOS software has been to use over the years.

  17. Build your own.

    Buy a bunch of parts, plug them into each other the only way they fit, and do whatever the hell you want.

    Bite my ass, Dell! I haven’t bought a preassembled computer in 25 years.

      1. I was going to mention what Eric said but he beat me to it. No OS or CPU either. It isn’t quite DIY but it is sans OS and you put what you want on it. There’s another possibility as well — persistent rumors in the past two weeks that Office is being prepared for Android. I was a little surprised by that — why wouldn’t they tie it to Windows 8? But it makes a certain amount of sense. Office has always made more money than Windows. Making sure everyone always uses Office is why it has always existed on Macs, even when they were a negligible share of the market, as well as a large part of the reason why Linux won’t take off. So it does make a certain amount of business sense. If it does come to pass, forget the whole idea of a laptop. Buy an Asus transformer and join the open source world.

  18. This is criminal behavior on the part of Microsoft and they and their co-conspirators at the hardware companies all need to go to jail!

  19.  It’s still a monopolistic practice.  They *can* do it, but it’s the sort of thing that ought to get them seriously slapped if somebody tries it out in court.

    Of course, it’s gonna take somebody willing to try it, and by the time the court actually does something about it, the world will have moved on and it will be absolutely no more meaningful than the antitrust wristslap that Microsoft got over IE bundling.  (Does anybody remember that any more?)

  20. Wouldn’t it be great if car manufacturers and oil companies got together.  You buy a ford and can only fuel up at ESSO stations.  Esso charges 10.00 gallon, too bad, nothing else will work…..

  21. The article and comments keep criticizing UEFI. UEFI is not the same thing as secure boot. UEFI is a firmware that is meant to be a modern replacement for PC BIOS/OFW/etc. Secure boot is an extension that can be added to implementations of UEFI. Most implementations of UEFI in existence today do not include “secure boot”. There are many implementations of “secure boot” systems that don’t use UEFI.

    A “secure boot” system could be done regardless of the underlying BIOS/firmware in use and it’s kind of unfair to UEFI to blame it for all of this.

  22. I suspect that the reason Microsoft REQUIRES that the user be able to disable secure boot or install their own keys on x86, but FORBIDS it for ARM has to do with device subsidies.

    For ARM tablets and phones, iOS and Android dominate the market. A fairly standard strategy when entering a market that is dominated like that is to offer subsidies on hardware running your software. I suspect that Microsoft will do this–you’ll be able to buy a Windows 8 tablet for significantly less than you will be able to buy an Android tablet with near identical hardware.

    The lock down is the price you pay for that discount, as (quite reasonably) Microsoft has no interest in subsidizing people who want to buy Android tablets. If you don’t want the lock down, buy the tablet that comes with Android instead of the one that comes with Windows.

  23. Google did something like this with their chromebooks.

    Big difference here is they also included ways you could disable secure boot. So far I don’t know the process that will be needed to disable secure boot on a Windows 8 box.

  24. I’m pretty sure when the whole secure boot thing came up I raised questions about what MS would do next… and people told me they would do no such thing, people would be up in arms…
    It seems that MS got exactly what they wanted, forced adoption of their system.
    People wanting to try other OS’s will find themselves screwed, because this will not be a simple little switch in the bios.  If you can change it in the bios so can the virii writers, we can’t let consumers face these horrors!!!
    I wonder how this will play out for those people who build their own systems when confronted with locked systems that require way too many hoops to get past.

  25. Surely there is a technical fix that means you can have distroX pay the $99 and then all distroX does is replace itself with any of the other Linux distributions? I mean, what exactly is being prevented here? Is it just writing to the MBR, are they just having to sign grub? If it’s everything in /boot we may have an issue, as we would presumably require Microsoft to sign off every fix required to the Linux kernel. They wouldn’t want to be doing that surely?

    1. With crap like this going on, I may have to get my friends to finish their work on the “quantum-computing” hardware which would break every one-way cipher.  It has its downside, but it clearly has its upside too.

  26. I think that the Open Source community should make a fist towards the OEMs and enforce to be included on the hardware level! This seems to be another anti trust case looming…

  27. I wonder how Microsoft would respond if Linux heavyweights got together to partner with one or more hardware manufacturers to produce hardware that could only run Linux based operating systems.

  28. I have contacted my Local MP, and included this page in my e-mail (well, a link to it). I suggest others do the same.

  29. The only thing that will happen is that someone will sue, while others will simply use brand X hardware as it will run anything they want. Then the vendor will dump microsoft, or provide a patch to enable / disable os installs at the bios level.  Plus how long will it be before key cipher X is in the wild and the open source community just all mysteriously feigns being Fedora.

  30. DLL Injection and API hooking are still going to work on any and all system APIs, so malware is still going to be a problem.

  31. Is Microsoft so afraid that Windows 8 will be a disaster? The open hostility towards Metro was brought home to me at a recent IT event promoting Windows 8.

    With all I have read and heard lately educated customers will most likely avoid Win 8 at first. This will be a great way to force some customers to use the OS.

    I wonder if older versions of Windows will be certified. Will we or the vendors have the option to install older versions?

  32. I can trust Microsoft to try to screw me, and that is ALL I can trust them to do. The hardware manufacturers are wimps, especially when they hold the cards. Oh, and the new Windows 8 license has the end user unable to join in any class action suits against Microsoft, I guess they foresee lots of potential for that kind of thing given that they are the ones behind UEFI.

  33. Might as well call this lockdown the WiMPI – the Windows Malware Protection Interface.  MS, in its typically heavyhanded way, thinks the best way to prevent bootkits is to control the competition entirely.

    No matter to me, as long as it can be disabled on “real” computers. Windows ARM will not run “real” Windows programs, so I have no use for it. I will spend my e-appliance money on devices which run a leaner, lighter, open O/S.

  34. Right now, no one knows how big the Linux install base really is. It’s all speculation since most people install Linux on a machine that originally had Windows.
    With this change, we may actually be able to get real numbers.

    1. Nope – that’s not $99 per installed instance of an OS, it’s $99 per distinct version of an OS, regardless of installed base of that version.

      1. I get that, @dragonfrog. I’m more thinking that we can also look at how many machines are purchased without this new feature since that would pretty much be only non-MS installs.

  35. So will Bill Gates offset all the lost money that won’t go to charities because of all the small business owners this hurts?

    (CowTip: Small business gives vastly more money to charity than large corporations do)

  36. The general public should be informed about this! If they don’t care about it Microsoft can do what they want. But if they buy a Windows 8 (boxy blocks) and don’t like it they are stuck with it, not even “downgrading” to Windows 7 or upgrading to Linux is an option. They should know that.

    1.  Do you know how I know you have no idea at all what you’re talking about, similar to most of the commenters?

      1. No, I’m so stupid and you are so smart…

        It’s just very easy for the OEMs to lock the “BIOS” and the average user will not even know how to unlock if the EFI is accessible. So those people are stuck with Windows 8.

  37. This has got to be illegal on Microsoft & the PC Manufacturer’s parts.
    I could see if the UEFI were managed by an independent open organization that could permit any legit request.
    But Microsoft holding the keys … that’s just wrong and got to be some sort of Monopolistic issue someone has got to take to court.

    1. Microsoft is not holding all the keys, but if the only keys on a Windows 8 box are those from Microsoft then people are stuck. And the OEM will be lazy, since they care about sales and not about users. Since the average user is ignorant about this they only will discover when it’s too late.

  38. I advise all Open Source advocates worldwide just to migrate as many family members and friends to Linux or the more open OS X and Chrome OS… That could make a difference.

  39. Jesus. The fact that you can decide you “hate” me or even know what “people like me” are like (not to mention making absurdly wrong guesses about my politics) based on two brief sentences I wrote, is kind of horrifying. I’d like to think BB readers are a bit more thoughtful or tolerant than that.

    If you want a little bit more perspective on what I meant, consider that the statement I quoted didn’t specify whether or not he owned (or had permission to do stuff to) those machines. I don’t want it to be impossible to change the OS on a computer, I just think having it be an easy one-click drive-by is a bit insecure.

  40. Invalid argument there buddy. “I don’t want it to be impossible to change the OS on a computer, I just think having it be an easy one-click drive-by is a bit insecure.”

    Installing an OS by booting from a USB stick is not a one-click drive by. 

    And you need to learn one of the most basic rules of computer security: Physical access to a machine implies root level access and complete control of that machine. 

    You can disable booting from thumb drives etc. in the BIOS and then password protect the BIOS on many machines. But no computer that you can gain physical access to will ever be secure FROM you. That’s why server cases have locks, server cabinets have locks, computer rooms have locks and data centers have locks. 

  41. The trick is, Microsoft needs to keep machines secure from idiot users who have no business owning a computer, and really need an internet appliance.

    IMO, the correct answer is to have a jumper inside the case that allows the installation of OSes signed by someone who isn’t currently in the key store. That way, if you want to install something, you can break out the screwdriver and change a jumper, but still get all of the security benefits of Secure Boot.

  42. “And you need to learn one of the most basic rules of computer security: Physical access to a machine implies root level access and complete control of that machine.”

    Yep.  This is why all this “secure boot” crap is just crap.
