If you are a tech nerd, you care about this.
If you just buy and use Micro$oft products and never think about it, you don’t care.
As of Windows 8, MicroSnot is requiring that your hardware only work with their stuff. The boot loader locks you out otherwise. A couple of Linux distributions have signed up with Microsoft signing and paid fees (so Microsoft will let RedHat Linux boot, for example) but if you don’t like the idea of your machine talking to Microsoft every time it boots up to get permission to run, you are screwed.
As I’m fond of getting old hardware essentially for free and running very fast Linux on it, this will shut off the supply of old hardware reuse (Oh Boy, more old dead computers to the landfill or China Recycle instead of reuse… /sarcoff;)
Microsoft requires UEFI “secure” boot for Windows 8 certified hardware. More security is good, right? Even if it locks out Linux?
Microsoft is requiring Windows 8-certified hardware to ship with UEFI Secure Boot enabled. This prevents installing any other operating systems, or running any live Linux media. There are ways to get around Secure Boot– but why should we, once again, have to jump through Microsoft hoops just to use our own hardware the way we want to?
UEFI was originally EFI, which was developed by Intel as a modern alternative to the PC BIOS. Now it’s supported by a big ole industry consortium populated by pretty much everyone in tech. UEFI is really a little operating system, so it can be programmed to do just about anything: boot fast, play games, allow remote access without starting the operating system, shutdown, Web surf, and all those things that the Linux pre-boot environments promised. It supports both a pretty mouse-driven graphical interface, and a console interface. It has its own networking stack, and supports its own set of device drivers so you can have video, networking, peripherals, and other functions available during pre-boot.
Aside from the fact that this is a 100 MB pig of a boot loader, I don’t really WANT my bootloader to enable things like remote access and networking to who knows whom about who knows what… The number of potential security “issues” this has makes my skin crawl. (Can you spell TLA?… Three Letter Agency…)
Microsoft has gone to something called “Signed drivers” so various bits of code have to check in with a signing authority to be validated before they will run. What happens if the signing authority “has issues”?
To deliver some actual security, Secure Boot needs a bulletproof pre-boot environment, and a trusted, secure certificate authority and signing keys. So the second big question, after “Bulletproof? What’s that?” is whose CA and keys? Microsoft already has a CA infrastructure in place for signing drivers.
But haven’t we learned that the root CAs are vulnerable? How many times has Verisign been compromised? Bruce Schneier calls the certificate system “completely broken.” Who hosts Microsoft’s CA? Verisign. Have we already forgotten the Flame malware that spoofs Microsoft’s own CA, takes over Windows Update, and fools Windows computers into believing that the malware they’re installing is genuine trusted signed binaries?
To borrow Bruce Schneier’s wonderful phrase, I think this is just another piece of security theater that will inconvenience many and benefit no one. Except for whatever value is derived from forcing purchasers of new hardware to be Secure Boot beta testers, and to once again dance to Microsoft’s tune.
OK, so it is sort of useless, really. So what? Surely we are used to fat bloated code with bugs in it, so just run Linux instead and get over it. Right?
Despite all the questions about its safety and actual security benefits, Microsoft requires, as a condition of receiving the official Windows 8 certification, that hardware vendors enable UEFI Secure Boot by default on client systems. They may use their own signing keys, or Microsoft’s. There are financial incentives to getting that official certification, so they’ll all do it. Windows 8 will boot without Secure Boot, and it will install on legacy hardware. But later this year, as the new OEM Windows 8 PCs enter the market, they’re going to ship with UEFI Secure Boot turned on. So everyone who doesn’t want to hassle with Secure Boot will be forced to. Originally Microsoft did not even want a disable option, or to allow users to use their own keys and certificate authorities, but they changed their minds for x86 hardware.
Fedora and Red Hat, wanting to keep their users’ options open, have chosen to pay the $99 fee to be signed with Microsoft’s keys. This will allow Fedora 18 users to use Secure Boot-encumbered systems without disabling it, and eventually Red Hat Enterprise Linux as well. Other distributions are still figuring out what to do.
OK, so they backed off a little bit, for now, for x86 hardware and will let you do the whole “roll your own keys and certificates” and all that crap. I’m sure that as soon as they can swing it, they will go back to their original position of “no changes Windoze only”…
Why do I think that?
Turning it Off– Except on ARM
How to turn it off on your x86 device? That will depend entirely on the hardware vendor’s implementation. Users will have to enter their UEFI interfaces and hunt down the Secure Boot control, which could be called anything and buried anywhere. I have been unimpressed with the quality control that went into the PC BIOS for all these years, so who knows what fun awaits us in messing with UEFI firmware settings.
ARM hardware is another story– Secure Boot is mandatory and cannot be disabled. (See page 122 of the Windows 8 hardware certification.)
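Two of the questions raised above, whose keys the firmware actually trusts and whether Secure Boot is really on once you have hunted down the setting, can be answered from a running Linux system without touching the firmware menus. The script below is an added example, not code from the original post: it reads the SecureBoot flag and the db signature database that Linux exposes through efivarfs (the GUIDs and EFI_SIGNATURE_LIST layout are from the UEFI specification), and when those files are absent it runs on constructed sample bytes instead. The owner GUID, the fake certificate bytes and the image hash in the sample are placeholders I made up, not values from any real machine.

```python
"""Inspect UEFI Secure Boot state and the enrolled signature database from Linux.

Added example, not code from the original post. Reads the variables that Linux
efivarfs exposes under /sys/firmware/efi/efivars when they exist, and otherwise
runs on constructed sample bytes so it can be tried offline.
"""
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# Variable-namespace GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
# Signature-type GUIDs (EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID).
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509"}


def strip_efivars_header(blob):
    """efivarfs prefixes every variable with a 4-byte little-endian attributes word."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short")
    return blob[4:]


def parse_flag(blob):
    """SecureBoot and SetupMode are single-byte variables: 1 = on, 0 = off."""
    data = strip_efivars_header(blob)
    if len(data) != 1:
        raise ValueError("expected a 1-byte variable, got %d bytes" % len(data))
    return data[0] == 1


def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain stored in PK, KEK, db or dbx.

    Per list: SignatureType GUID (16) | SignatureListSize u32 | SignatureHeaderSize u32 |
    SignatureSize u32 | header | N x (SignatureOwner GUID (16) + SignatureData).
    Returns one dict per signature so the caller can see exactly whose keys are trusted.
    """
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        kind = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            payload = body[i + 16:i + sig_size]
            # x509 entries carry a DER certificate, summarised here by its SHA-256 fingerprint;
            # sha256 entries carry the allowed (db) or forbidden (dbx) image hash itself.
            digest = hashlib.sha256(payload).hexdigest() if kind == "x509" else payload.hex()
            entries.append({"type": kind, "owner": str(owner), "digest": digest})
        off += list_size
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST with an empty header; used to construct sample input."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def read_var(name, guid):
    """Return the raw efivarfs blob for a variable, or None if it is absent."""
    path = EFIVARS / ("%s-%s" % (name, guid))
    return path.read_bytes() if path.exists() else None


# Constructed sample data (not captured from real firmware): SecureBoot=1 and a db
# holding one made-up vendor certificate plus one allowed image hash.
ATTRS = struct.pack("<I", 0x06)  # attributes word; its value is not interpreted here
SAMPLE_SECUREBOOT = ATTRS + b"\x01"
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # placeholder owner GUID
SAMPLE_DB = ATTRS + (
    build_signature_list(EFI_CERT_X509, SAMPLE_OWNER, [b"\x30\x82\x01\x00fake-der-certificate"])
    + build_signature_list(EFI_CERT_SHA256, SAMPLE_OWNER,
                           [hashlib.sha256(b"sample-bootloader.efi").digest()])
)


def summarize(secureboot_blob, db_blob):
    """Combine the flag and the db listing into one report."""
    return {"secure_boot": parse_flag(secureboot_blob),
            "db": parse_signature_lists(strip_efivars_header(db_blob))}


if __name__ == "__main__":
    sb = read_var("SecureBoot", EFI_GLOBAL_VARIABLE)
    db = read_var("db", EFI_IMAGE_SECURITY_DATABASE)
    if sb is None or db is None:
        print("efivars not available; using constructed sample data")
        sb, db = SAMPLE_SECUREBOOT, SAMPLE_DB
    report = summarize(sb, db)
    print("Secure Boot enabled:", report["secure_boot"])
    for e in report["db"]:
        print("  %-6s owner=%s %s" % (e["type"], e["owner"], e["digest"]))
```

On a real machine the same parser can be pointed at PK, KEK and dbx to see who holds the platform key and what has been revoked; if db lists only certificates you did not enroll yourself, the firmware trusts exactly the vendors the post complains about.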
So if you have an ARM based computer shipped with Windows 8, Microsoft owns it (and you).
You dance to their tune, they decide what you can run, and when, and that’s that.
The only good news in all this is that generic boards have gotten cheap enough (and fast enough) that nearly no money gets a generic bit of hardware not so afflicted where you can put up a secure (and PRIVATE) Linux environment without it tattling to MicroSnoop and getting permission to use the devices and device drivers.
Guess it’s time to start planning to “Roll your own” computers again…
Why Bigger Isn’t Always Better
This UEFI is really an operating system. It has a BSD (Berkeley Software Distribution Unix) license. And while I love BSD and it is one of the most robust and well written operating systems, this puts ALL your higher level OS loads et al. as dependent on ANOTHER operating system. One you cannot inspect, nor harden. God knows what’s in it. While the basic BSD has been hardened by generations of college students giving their professors heartburn, and likely has had most of the easy bugs patched, this is a new port and a new version. It WILL have bugs and holes.
Not to mention that a TLA showing up at the vendor can request all sorts of nice little back doors be slid into the code and left inactive, where you won’t notice, until they want a little look around. (TLAs from all sorts of governments… remember that many of these machines will be assembled in China…)
Oh Well. It’s not like I was ever going to buy a Windows 8 machine anyway. At least now more of them will go to the landfill faster.
And I can’t wait for the first time a “bios bug” is announced that lets EVERY ONE OF THEM be completely compromised no matter what you do.
Compromising the signing authority step is a known technique now. It is just a matter of time (and likely not that much of it…)
Windows 8 – Just Say No.