Ubuntu Changes Plans for Windows 8 Secure Boot

CommanderFrank

Canonical has changed its plans to drop GRUB 2 in favor of another bootloader for Windows 8. The shift in the ‘Secure Boot’ plans will return control of the Ubuntu Linux boot system back to the individual users.

So, the bottom line is that GRUB 2 will be used in both Ubuntu 12.10 “Quantal Quetzal” and 12.04.2 by default.
 
GRUB 2 ftw, Canonical would be foolish to drop it. Smart move on their part to stick with it.
 
I don't like how we went from an 'IBM Compatible PC' to a Microsoft Windows 8 PC. I've always liked the idea of being able to install any OS I want. Microsoft has gone too far. I'll enjoy watching hackers get around it.
 
I don't like how we went from an 'IBM Compatible PC' to a Microsoft Windows 8 PC. I've always liked the idea of being able to install any OS I want. Microsoft has gone too far. I'll enjoy watching hackers get around it.

Yes Hackers will have their day when they are able to simply choose not to use Secure Boot in the BIOS. That will show Microsoft!
 
Yes Hackers will have their day when they are able to simply choose not to use Secure Boot in the BIOS. That will show Microsoft!

The concern is that end users have to go into the bios to turn this feature off. Also, it can't be turned off in ARM devices from what I hear. The idea is to totally bypass the need to even step foot into the BIOS. A grey area that end users don't even know about, let alone would know how to navigate the menu to disable this feature.
 
^ It'll end up being just one extra step for anyone in IT or IS for their clients who won't be using Windows OSes.

Yeah, it was bullshit on MS's part, but oh well, there is always a way around their crap.
 
I'm waiting for the first person to sell me a "PC" that is restricted to only using Secure Boot with Windows 8. At that point, they will have committed fraud.
 
Wait what, did I miss something? Secure boot, bios? Does this mean manufacturers are trying to make it so you can only install windows?
 
Wait what, did I miss something? Secure boot, bios? Does this mean manufacturers are trying to make it so you can only install windows?

Windows 8 computers will be fraudulently sold as PCs except that they can only "secure boot" Windows 8. *For now* you are supposed to be able to disable this in the BIOS, but there is no option to secure boot other operating systems as you do not have control over the master keys; the only way to use this security feature with GNU/Linux, for example, is to pay Micro$oft money for keys.

Essentially, what is supposed to be *your* computer will come hardcoded to automatically trust Microsoft software and you cannot change that trust; you can only disable the feature entirely.

It also presents a hassle to users who wish to try out other operating systems.
 
Wow that is seriously scary. It's bad enough that the industry is trying to outright kill the PC, now this. At least it can be disabled though... but for how long, is the question. If MS pays motherboard makers enough money...
 
Wow that is seriously scary. It's bad enough that the industry is trying to outright kill the PC, now this. At least it can be disabled though... but for how long, is the question. If MS pays motherboard makers enough money...

That's what always frustrated me about this, Microsoft doesn't own the hardware.
With Apple, it's understandable since it is their proprietary hardware, of which they allow users to run Windows (unsupported though).

This however, is just Microsoft crossing the line since none of this hardware is owned by them.
If the classic "PC" does end up dying, I hope Microsoft goes down in flames with it; guess that's why they are trying to break into the tablet market.

Fuck Microsoft.
 
Microsoft isn't going to pay motherboard makers anything. There's no threat against Windows right now: none whatsoever.
 
With Apple, it's understandable since it is their proprietary hardware, of which they allow users to run Windows (unsupported though).
Boot Camp is fully supported. They'll walk you through the process over the phone or in store, they just won't deal with anything outside the Boot Camp software itself (you need to contact Microsoft for Windows support, after you pay them whatever it is they charge for that these days).
 
If you think Secure Boot is more of Microsoft locking down Windows RT-based ARM devices, OEM computers-- prebuilt laptops and desktops-- have a BIOS and hardware specific activation much more convoluted than Windows XP, Vista and 7 activation.

It's a lengthy explanation for OA 3 (OEM Activation version 3.0) but I'll summarize as follows: (I will not name the source of the website because it'll probably be against [H] forum's rules.)
  1. OEM computer is built whether with pre-selected parts or customer-selected parts.
  2. Computer is turned on and connected to a central key server that contains a "master" copy of Windows 8.
  3. Key server generates what's called a Microsoft Data Management (MSDM) table for that computer containing a unique key for that specific computer.
  4. The MSDM table is written to the BIOS of that specific computer.
  5. Windows 8 OEM OS is installed on that computer.
  6. After testing of the hardware, a software tool is run on that computer that generates a 128-bit hardware hash. This hardware hash plus the Win 8 OEM product key is sent in a computer build report (CBR) to a reporting server.
  7. The reporting server sends that information to Microsoft, which stores both the 128-bit hardware hash plus product key tied to it. Once received by Microsoft, the CBR is removed from the computer.

    Any hardware changes-- which does not include USB, PCI-E, PCI, and SATA devices-- and Windows 8 OEM is completely invalidated. A new hardware hash must be regenerated and sent to Microsoft with the product key, and the computer must be reactivated.
  8. The same software tool to generate the CBR is used to lock the MSDM table. Once locked, it cannot be changed. It would have to be invalidated, invalidation sent to Microsoft, and rewritten to the BIOS from scratch. This would most likely have to be done at the OEM side.
  9. Activation is done by the customer using a master key. This master key is verified by Microsoft's server which in turn reads the MSDM table from the BIOS for the key generated from the master key server generated by the manufacturer. That second key is sent along with a new hardware hash to Microsoft's server to verify the one already stored there. If both the hash and key match, Windows 8 OEM is activated.
Simple, huh?

For customers that purchase Windows 8, I assume this isn't the case. But, I believe a hardware hash is generated at the time of activation and is included with the product key to be stored on Microsoft's server. I would be thinking that any major hardware changes would require a new hash generated, the old one deleted on the server by a phone call to Microsoft and sent again to Microsoft with the product key to get reactivated. That way if you try to give a friend a copy of Windows 8 retail, he'd have to go through that process again. However, that would automatically deactivate your copy of Windows 8 because now the hardware hash doesn't match the one on the server thanks to your friend activating his copy with his own computer hardware.

That's only my assumption for the retail, non-OEM version at this point seeing how the OEM one has to go through several hoops to get activated.

Got to love Microsoft, right?

(Tinfoil hat on at this point...)

I would not be surprised at all that UEFI BIOS will be required by Windows 9 and higher. That means older computers without UEFI will no longer be compatible with future versions of Windows. That would be something I think Microsoft would do just to piss people off because I think future retail versions will have the hardware hash written to the BIOS for retail copies of Windows after activation. And, every so often, it checks that against what's stored on Microsoft's activation servers to keep your copy of Windows activated.
 
Boot Camp is fully supported. They'll walk you through the process over the phone or in store, they just won't deal with anything outside the Boot Camp software itself (you need to contact Microsoft for Windows support, after you pay them whatever it is they charge for that these days).

That's what I meant, perhaps I should have explained it a little better. :eek:
 
Secure boot isn't an MS only feature, or MS's feature, it's a UEFI (Intel) feature.

If you get certain prebuilt Ubuntu OEM systems, they will have the keys for secure Linux boot (from Canonical or whatever, the Ubuntu guys). Or you can just disable it. It just limits you to certain digitally signed drivers, which isn't really a yay, or must have feature (I mean, you don't have it now, and no one cares). It's not like it adds extra functions.
 
Secure boot isn't an MS only feature, or MS's feature, it's a UEFI (Intel) feature.

If you get certain prebuilt Ubuntu OEM systems, they will have the keys for secure Linux boot (from Canonical or whatever, the Ubuntu guys). Or you can just disable it. It just limits you to certain digitally signed drivers, which isn't really a yay, or must have feature (I mean, you don't have it now, and no one cares). It's not like it adds extra functions.

But I, as the user, should be able to control the keys in my own computer. I should not have to purchase specific motherboards for specific operating systems; that balkanizes things.
 
But I, as the user, should be able to control the keys in my own computer. I should not have to purchase specific motherboards for specific operating systems; that balkanizes things.

So now choice is balkanization?
 
But I, as the user, should be able to control the keys in my own computer. I should not have to purchase specific motherboards for specific operating systems; that balkanizes things.

If you weren't disallowed this feature would you even want it?

You don't have to purchase certain operating systems if you don't want to use a rather useless feature. You can use any motherboard with any OS, just not with secure boot. All secure boot does is lock down the system and stop certain drivers... Which is kind of pointless in an "open system". It's really a total non issue.
 
You don't have to purchase certain operating systems if you don't want to use a rather useless feature. You can use any motherboard with any OS, just not with secure boot. All secure boot does is lock down the system and stop certain drivers... Which is kind of pointless in an "open system". It's really a total non issue.

Unless you bought a Windows 8 tablet with an ARM device in it, then secure boot can't be disabled at all. At which point you have to fork over money to MS, or at least circumvent it.

Wow that is seriously scary. It's bad enough that the industry is trying to outright kill the PC, now this. At least it can be disabled though... but for how long, is the question. If MS pays motherboard makers enough money...
Retail motherboards will likely not have secure boot, or if they do then it will be off by default. So if you somehow were able to put together a PC and didn't know how to navigate the bios, secure boot won't be an issue. Just for those that buy PCs from Dell, HP, Asus, and etc.
 
there is no option to secure boot other operating systems as you do not have control over the master keys; the only way to use this security feature with GNU/Linux, for example, is to pay Micro$oft money for keys.

That's not accurate. As it currently stands you do have control over the master keys through something called 'custom mode' or 'user mode.' So you can replace all the MS keys with keys from Ubuntu, another distro, or even your own keys. (Except on ARM devices, as others have mentioned.)
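
Added example, not part of the original post: on Linux, the firmware state this reply refers to (whether a Platform Key is enrolled, and whether Secure Boot is enforcing) can be read from the UEFI `SecureBoot` and `SetupMode` variables exposed by efivarfs. The helper names and the sample byte strings below are constructed for illustration; the GUID and the 4-byte attribute prefix are the standard UEFI/efivarfs layout.

```python
import struct
from pathlib import Path

# UEFI global-variable GUID (defined by the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point

# Constructed samples as (SecureBoot, SetupMode); attributes 0x6 = boot + runtime access.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a 4-byte little-endian attribute mask.
    """
    if len(raw) < 4:
        raise ValueError("payload shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected value {data!r}")
    return data[0] == 1


def classify(secure_boot, setup_mode) -> str:
    """Name the key-management state from the two raw variables (hypothetical helper)."""
    if secure_boot is None or setup_mode is None:
        return "no-secure-boot-support"  # legacy BIOS boot or variables absent
    enforcing, setup = flag(secure_boot), flag(setup_mode)
    if setup and enforcing:
        return "inconsistent"            # enforcement requires an enrolled Platform Key
    if setup:
        return "setup-mode"              # no Platform Key: the owner can enroll keys
    return "user-mode-enforcing" if enforcing else "user-mode-not-enforcing"


def read_live(name: str):
    """Return the raw variable from this machine, or None if it is absent."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes() if path.is_file() else None


if __name__ == "__main__":
    print("sample enforcing:", classify(*SAMPLE_ENFORCING))
    print("sample setup:    ", classify(*SAMPLE_SETUP))
    print("this machine:    ", classify(read_live("SecureBoot"), read_live("SetupMode")))
```
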
 
The secure boot basically kills the Live CD / Live USB way of demo'ing Linux to non-Linux users. Or giving them utility discs for backup/rescue software based on Linux.

You'll lose a lot of people just from the fact they have to go into their BIOS.
You'll lose most of the rest by telling them to disable something with the word 'secure' or similar in it.

Preventing someone from booting a different OS on a PC at work off a CD or USB could be fixed in the bios by locking booting to the HD and locking out the BIOS.
 
The concern is that end users have to go into the bios to turn this feature off. Also, it can't be turned off in ARM devices from what I hear. The idea is to totally bypass the need to even step foot into the BIOS. A grey area that end users don't even know about, let alone would know how to navigate the menu to disable this feature.

Except at this point we have no idea if the feature will be turned on or off by default. My guess is that OEMs will turn the feature on, but that retail motherboards will probably have the feature turned off. This feature being on doesn't affect 99% of PC users and is actually a good feature for most people.

If a person is capable of installing Linux or another OS I think they are capable of going into the BIOS and turning the feature off.
 
If a person is capable of installing Linux or another OS I think they are capable of going into the BIOS and turning the feature off.
I should certainly hope so.
If a Linux user can't figure out how to do that, then they should be using Windows or OS X. :p
 
The issue is this is a step towards total control. It's a matter of time till they just lock us into it. The minute MS sees any kind of threat, such as if Linux ends up increasing on the desktop and doing well, they'll pay the motherboard manufacturers to just remove the option to disable it.

Here's hoping the open source community can stay ahead by finding a way to crack it. I hate using the word crack here, because you should not even need to do that on something you own.
 
The issue is this is a step towards total control. It's a matter of time till they just lock us into it. The minute MS sees any kind of threat, such as if Linux ends up increasing on the desktop and doing well, they'll pay the motherboard manufacturers to just remove the option to disable it.

Here's hoping the open source community can stay ahead by finding a way to crack it. I hate using the word crack here, because you should not even need to do that on something you own.

If "cracking" a BIOS and removing limits put in place to lock down and ensure any future Windows OS be the only operating system installed on any motherboard, then it would be a necessary evil to crack that BIOS and keep open choices to the consumer than in the hands of a multibillion dollar company like Microsoft.

Even if such locks put in place as a recommendation by Microsoft to motherboard manufacturers is meant to "secure" Windows from malicious attacks, I would not believe such lies at all if its true intentions meant limiting consumer choice.

If Microsoft does this, and the hints are starting to be put in place with Windows 8, Secure Boot, and OEM Activation 3, then there is going to be hell raised up with another anti-trust, anti-competitive, and anti-monopoly lawsuit.
 
I don't like how we went from an 'IBM Compatible PC' to a Microsoft Windows 8 PC. I've always liked the idea of being able to install any OS I want. Microsoft has gone too far. I'll enjoy watching hackers get around it.

You can almost thank Apple for this. They started the trend by using their proprietary form of EFI bios. Why use an industry standard BIOS when you can just dictate that the hardware must have X if you want to use Y OS?
 
You can almost thank Apple for this. They started the trend by using their proprietary form of EFI bios. Why use an industry standard BIOS when you can just dictate that the hardware must have X if you want to use Y OS?

The difference is that Apple is using proprietary Apple hardware, this isn't Microsoft hardware.
"PCs" are supposed to be hardware independent, outside of x86 that is.

If Microsoft has to push this for "further security measures", I suggest they take a look at their own craptastic OS before bothering others to change their hardware for Microsoft's purposes.
"Our software/OS is only secure using XXXX hardware"... yeah, it's bullshit.
 
Oh, and another thing.
For those M$ fanboy-die hards who keep bringing up the "secure key" feature, save it for your PR teams, it's utter crap.
 
"PCs" are supposed to be hardware independent, outside of x86 that is.

The overwhelming majority of people buy PCs because those PCs run Windows. There's nothing stopping OEMs from selling machines with other OSes or even no OS and indeed some OEMs do.
 
I should certainly hope so.
If a Linux user can't figure out how to do that, then they should be using Windows or OS X. :p

You haven't used Linux lately, then. I've had a couple smooth experiences trying it out after several years. It was just install from a USB and done.

Was it as smooth as Windows 7? No. But it was about as smooth as Windows 95. Which means it's smooth enough for a lot of people including some that prefer not to mess with their BIOS.
 
You haven't used Linux lately, then. I've had a couple smooth experiences trying it out after several years. It was just install from a USB and done.

Was it as smooth as Windows 7? No. But it was about as smooth as Windows 95. Which means it's smooth enough for a lot of people including some that prefer not to mess with their BIOS.

I use Linux every day, and far more so than you do with your "couple experiences trying it out". :rolleyes:
Linux isn't the issue, or have you just not been paying attention to the thread?
 