The month of February is a month to remember for the LibreOffice project. LibreOffice, the OpenOffice fork, is a very popular open-source office suite. But, while it has great support from Linux distributors, like openSUSE and Ubuntu, LibreOffice has never had a major corporate backer on the Windows side… until now. Intel is now offering LibreOffice to Windows users via its AppUp application store. I wonder how Microsoft feels about this.
A big issue right now in the world of operating systems – especially Linux – is Microsoft’s requirement that all Windows 8 machines ship with UEFI’s secure boot enabled, with no requirement that OEMs implement it so users can turn it off. This has caused some concern in the Linux world, and considering Microsoft’s past and current business practices and the incompetence of OEMs, that’s not unwarranted. Dell has stated its plans to include the option to turn secure boot off, while HP was a bit more vague about the issue.
You believe OEMs and Microsoft on their blue eyes. After years of abuse and patent troll behaviour, smart people don’t.
Dell confirmed that they have plans to ship Windows 8 machines with the ability to turn secure boot off in UEFI, while HP had no idea what was going on. BIOS maker AMI, meanwhile, has said it will advise OEMs to not remove the option, but adds that they can’t mandate as such.
A Dell spokesperson has stated that “Dell has plans to make SecureBoot an enable/disable option in BIOS setup”. Dell plans to move to UEFI with secure boot in the Windows 8 time frame.
HP, sadly, was less clear. “HP will continue to offer its customers a choice of operating systems,” HP said, “We are working with industry partners to evaluate the options that will best serve our customers.” Nobody at HP was apparently even aware of the issue, which means this is a general PR statement with zero actual value.
Lastly, BIOS maker AMI stated that it “will advise OEMs to provide a default configuration that allows users to enable/disable secure boot, but it remains the choice of the OEM to do (or not do) so”. This is entirely reasonable – AMI just provides a software package, it doesn’t control what OEMs remove and include.
Michael Reed is the latest person to write about “restricted boot” (or UEFI) in a major GNU/Linux Web site. Matthew Garrett, who started a lot of the outcry, calls it a bug and Groklaw helps remind us that “Microsoft’s license provision [was] prohibiting OEMs from modifying the initial boot sequence…” There are several other examples of Microsoft sabotaging Linux adoption through booting complexity [1, 2, 3, 4, 5, 6, 7]. The worst thing one can do is assume good faith from Microsoft. The people who run the company are extremely anti-competitive. Don’t blame Microsoft; it’s in their nature.
My biggest fear is that like with BIOS today, every computer – even revisions within the same model – will have its own unique UEFI implementation, some of them broken and/or limited, without any means of telling which features are supported and implemented and which aren’t. Heck, I’ve encountered countless BIOS implementations over the years which only allowed you to change the boot drive order, and nothing else.
All in all, this issue is far from over, and considering Microsoft’s history of anti-competitive practices, its current patent troll behaviour, and the general incompetence of OEMs, it’s entirely reasonable and smart for us geeks to be on our toes.
Windows 7 is supported til 2020 … most large businesses are only just thinking about moving to it and doing testing … they will probably never move to Windows 8. Windows 7 is going to be around for the next good few years as well as businesses that will use XP forever and ever … will need new hardware.
The concern that secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog – but didn’t take any of the worries away. In fact, Red Hat’s Matthew Garrett, who originally broke this story, has some more information – worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
As written before:
A short recap: if OEMs want to partake in the Windows 8 Logo Program (and they all want to), they will have to implement secure boot on all Windows 8 machines. Secure boot requires signing keys from either Microsoft or the OEMs themselves to be installed into the firmware – any binaries, drivers, or operating systems not signed by one of those signing keys will refuse to work on that machine.
Secure boot is part of UEFI, and in some cases, you will be able to go into UEFI and disable it. However, the fear is that OEMs will not include the option to disable it – there’s enough historical precedent to assume this will be the case. Just look at any of the gazillion crippled BIOS implementations out there today.
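To see what a given machine actually ships with, the following added example (not from the original article or any vendor) reads the Secure Boot state and the enrolled signing-key database on Linux. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars`; the function names are this example's own.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")             # assumed efivarfs mount point
GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # EFI_GLOBAL_VARIABLE GUID
IMAGE_SECURITY_DB = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # GUID of the db variable
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}

def read_var(name, guid, root=EFIVARS):
    """Return a variable's payload, or None if it is absent or unreadable."""
    try:
        raw = (Path(root) / f"{name}-{guid}").read_bytes()
    except OSError:
        return None
    return raw[4:]  # efivarfs prepends a 4-byte attribute word

def flag(name, root=EFIVARS):
    """True/False for a one-byte global variable, None if it does not exist."""
    data = read_var(name, GLOBAL, root)
    return None if not data else data[0] == 1

def parse_signature_lists(blob):
    """Return (type, owner GUID, payload length) per entry of the EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), str(owner), sig_size - 16))
            pos += sig_size
        off += list_size
    return entries

def report(root=EFIVARS):
    db = read_var("db", IMAGE_SECURITY_DB, root)
    return {
        "secure_boot": flag("SecureBoot", root),   # is signature verification enforced?
        "setup_mode": flag("SetupMode", root),     # True: no platform key enrolled yet
        "db_entries": parse_signature_lists(db) if db else [],
    }

if __name__ == "__main__":
    print(report())
```

A `secure_boot` value of `None` means the variable is missing, which is what a legacy-BIOS boot or a firmware without secure boot support looks like from the operating system.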
Microsoft tried to address this lingering, but potentially very problematic issue in a blog post today, but sadly, none of our concerns were addressed. Microsoft does not intend to mandate OEMs include the option to turn secure boot off (surprising!), which means OEMs are free to omit this option from their firmware implementations.
And this is exactly what some of them intend to do, according to Red Hat’s Matthew Garrett in a response to Microsoft’s blog post. “Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we’ve already been informed by hardware vendors that some hardware will not have this option,” he notes on his own blog.
Garrett explains that Microsoft still dominates the desktop/laptop market. As tough a reality check as it may be, Apple’s worldwide marketshare there is still below 5% (not that they care though – they have a far larger share of the profit) and Linux barely even registers as a rounding error. This means that Microsoft still wields considerable power in this market.
“Why is this a problem? Because there’s no central certification authority for UEFI signing keys,” Garrett explains, “Microsoft can require that hardware vendors include their keys. Their competition can’t. A system that ships with Microsoft’s signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft’s. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft’s influence here is greater than even Intel’s.”
This could be disastrous for end users. They will lose considerable control over their own hardware if Microsoft gets its way. “The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality,” Garrett details, “The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware.”
This is going from merely potentially maybe kind of problematic into full-on dangerous. From what both Microsoft and Garrett have told so far, this seems like a perfect storm for Microsoft – they will essentially lock people into using Windows without actually doing any of the locking themselves; they’re basically relying on the utter incompetence of OEMs. And let’s face it, three things in life are certain: death, taxes, and incompetent OEMs. This is so damn clever and diabolical I just can’t help having some admiration for it.
I’m not really sure what we can do at this point to prevent this from getting really bad. All I can think of is that clever hackers start work right away on cracking the living daylights out of secure boot – you know, just to be prepared.
So in short, when your desktop or laptop blows up and your data is toast, neither I nor anyone else will be able to recover your data, unless you use Microsoft’s products.