Sign in with
Sign up | Sign in

FSF Campaigns Against Windows 8's Secure Boot

By - Source: FSF | B 62 comments

The Free Software Foundation (FSF) has initiated a campaign against the Secure Boot feature in Windows 8.

By design, the feature is intended to keep unwanted and potentially malicious software off a system by preventing unauthorized binaries to load during the boot process. However, the FSF believes that this technology could be abused and simply be used to not allow users to load certain free software.

"We are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows," wrote Matt Lee in a post on the FSF website. "In this case, a better name for the technology might be Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all."

Lee suggests that users should keep their ability to decide whether they want to enable or disable boot restrictions and there should be a way that will allow users to install a free OS.

"Computer owners must not be required to seek external authorization to exercise their freedoms," Lee wrote. If Windows 8 will prevent users from installing a free OS, Lee believes the result may be "complicated and risky measures to circumvent the restrictions", and the " popular trend of reviving old hardware with GNU/Linux would come to an end."

It's a good idea to keep an eye on such new features, but I would think that it is rather unlikely that Microsoft will shut out other OS from its Windows 8 platform. If Microsoft was almost broken up over the integration of IE in Windows, it's fairly easy to imagine the potential antitrust effects if it were to shut out other operating systems.

Discuss
Ask a Category Expert

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
Top Comments
  • 15 Hide
    xenol , October 20, 2011 3:13 PM
    There's an option in BIOS/UEFI to disable this, no? Maybe the main the worry is that some manufacturers will take out that ability. Other than that... how is this more secure? I'm tempted to believe that this is like the key thing with Blu-Ray. It'll only be a matter of time before someone gets a valid key.
  • 12 Hide
    mykem , October 20, 2011 4:02 PM
    Here are the facts:

    There is currently no way to prevent a rootkit from loading before an OS. Since Windows is the most popular OS, most rootkits are written to target it. Since a rootkit loads before the OS, it is free to modify OS files and is able to run in such a way as to remain undetectable.

    To remedy this, the new UEFI bios supports a secure certificate service. This service checks to ensure the OS boot files have not been tampered with before handing the system over to the boot loaders on the hard drive.

    Because the UEFI bios is able to step in before the OS/rootkits are loaded, it can securely ensure the OS has not been tampered with.

    The whole uproar is because Microsoft, as part of their logo requirements, is dictating that this feature be enabled by default on all PCs shipping with Windows 8.

    Since the motherboard manufacturers are responsible for the BIOS implementation, it is up to them as to whether to allow a BIOS setting that enables/disables the secure boot service.

    This is where the Linux folks and FSF take issue.

    The reality is that no motherboard manufacturer in their right mind would leave out the option to disable secure boot, as this would restrict the computer to Windows 8. No previous version of Windows, no versions of Linux... nothing else could be used on that computer. The customer outcry would be deafening. There is no incentive to leave this option out of the BIOS.

    I think the uproar is unwarranted for two reasons. One is that the market reality dictates that this should be a customer choice. The other reason is that if the open source movement were smart, they too would integrate secure boot into Linux, since any OS that doesn't support it is vulnerable to rootkits.
  • 10 Hide
    nordlead , October 20, 2011 3:27 PM
    Actually, there is a very simple solution for this. Add a physical jumper on the motherboard. If the connection is made, then it runs secure boot, if the connection is not made it boots like any current PC. Since it is a physical switch it wouldn't be susceptible to malicious attacks.
Other Comments
    Display all 62 comments.
  • 7 Hide
    spiketheaardvark , October 20, 2011 3:13 PM
    For fear of antitrust Microsoft might be shamed out of this but I could see Apple using this.
  • 15 Hide
    xenol , October 20, 2011 3:13 PM
    There's an option in BIOS/UEFI to disable this, no? Maybe the main the worry is that some manufacturers will take out that ability. Other than that... how is this more secure? I'm tempted to believe that this is like the key thing with Blu-Ray. It'll only be a matter of time before someone gets a valid key.
  • 9 Hide
    xenol , October 20, 2011 3:14 PM
    spiketheaardvarkFor fear of antitrust Microsoft might be shamed out of this but I could see Apple using this.

    Apple does this already. It's a combination of requiring UEFI (which most PCs don't have) and Intel's TPM chip. I think.
  • 0 Hide
    runswindows95 , October 20, 2011 3:19 PM
    Depends on the motherboard, xenol. I can see the OEM's (HP, Dell, etc) not allowing this to be disabled on their motherboards. However, if motherboard manufactures prevents this from being disabled on enthusiasts motherboards, it will make me think twice before installing Windows ever again.
  • -8 Hide
    de5_Roy , October 20, 2011 3:24 PM
    this very uncool. microsoft(and manufacturers) should let users choose which os to boot from.
    this aint secure boot. this is no linux on this pc cuz i r ballmer boot.
    if apple does this already with their pcs then they should sue microsoft for patent infringement and get it disabled/removed, in which case linux/fsf wins. :) 
    on the other hand, apple might be happy since this will make building hackintosh with a windows 8.0 pc harder. :p 
  • 9 Hide
    stm1185 , October 20, 2011 3:24 PM
    I thought MS already came out and stated that you will be able to turn off Secure Boot in the bios. Furthermore what does MS even have to do with it, they do not make motherboards. So why would say Asus and Msi and Gigabyte want to limit the OS their customers can use on the hardware they sell?
  • 10 Hide
    nordlead , October 20, 2011 3:27 PM
    Actually, there is a very simple solution for this. Add a physical jumper on the motherboard. If the connection is made, then it runs secure boot, if the connection is not made it boots like any current PC. Since it is a physical switch it wouldn't be susceptible to malicious attacks.
  • 7 Hide
    70camaross396 , October 20, 2011 3:28 PM
    I dont see think this will be a problem with hardware makers like asus or gigabyte. they will certianly have an option to turn this off. but i can see OEM's like Dell, HP, or Lenovo using this. in fact they may go even further and use it to even prevent OS upgrades. when i worked for an OEM tech support department early in my career, there policy was we only support the orignal OS that shipped on the system. so if you upgraded from 98 to 2k or XP you were SOL. no more support if things went wrong. I can see OEMs using this to restrict upgrades as well.
  • 1 Hide
    Vladislaus , October 20, 2011 3:40 PM
    xenolApple does this already. It's a combination of requiring UEFI (which most PCs don't have) and Intel's TPM chip. I think.

    The differenc is that it's to prevent the Mac OS from being installed in other non-mac computers. I can still install other OSes on mac computers.
  • 3 Hide
    Vladislaus , October 20, 2011 3:43 PM
    amk-aka-phantomGTFO, Linux fanboys... you don't NEED new hardware. You can play around with your toys on a Core 2 Duo. In fact, 11.04 boots on a Core 2 Duo faster than it does than on my Core i7, and it doesn't support Turbo Boost and glitches with my GPU even though the proprietary drivers are there.I think that Linux users are tech-savvy enough to NOT buy prebuilt PCs, and on non-prebuilt there will be an option to disable this.Keep protesting. I'll laugh just like I laughed when Linux users "demanded" Steam. They don't really need any of it, they just want to pretend that someone actually gives a $h!t about them.

    What about laptops?
  • 5 Hide
    ravewulf , October 20, 2011 3:44 PM
    It can be disabled

    http://www.omgubuntu.co.uk/2011/09/microsoft-attempt-address-windows-8-linux-worries/
  • -4 Hide
    zanny , October 20, 2011 3:51 PM
    amk-aka-phantomGTFO, Linux fanboys... you don't NEED new hardware. You can play around with your toys on a Core 2 Duo. In fact, 11.04 boots on a Core 2 Duo faster than it does than on my Core i7, and it doesn't support Turbo Boost and glitches with my GPU even though the proprietary drivers are there.I think that Linux users are tech-savvy enough to NOT buy prebuilt PCs, and on non-prebuilt there will be an option to disable this.Keep protesting. I'll laugh just like I laughed when Linux users "demanded" Steam. They don't really need any of it, they just want to pretend that someone actually gives a $h!t about them.


    I know this is trollbait and all, but I just want everyone else reading this comment thread to know the reason the FSF is protesting this is that it basically does what Apple does with mac hardware, where the bios doesn't allow for any OS except OSX (in this case, windows) to boot, and since M$ is pushing EUFI in Windows 8, and most hardware manufacturers are swapping to it, all it takes is a little illicit pocket change from M$ to get asus msi etc to just take the secure boot toggle out of their BIOSes on preinstalled windows boxes.

    Every linux user now would not care the difference, we could flash the bios and do whatever we wanted, and we wouldn't get a system with Windows preinstalled. But for every Joe Shmoe computer user, this basically removes the ability to OS switch completely. And when it comes to laptops, without a unified component standard like ATX is for desktop we cant custom build laptops so we have to go through 3rd party distributors that M$ can buy out to preinstall windows 8 with secure boot disasbled and it will be a pain to reflash the bios.
  • 1 Hide
    nordlead , October 20, 2011 3:54 PM
    Quote:
    GTFO, Linux fanboys... you don't NEED new hardware. You can play around with your toys on a Core 2 Duo. In fact, 11.04 boots on a Core 2 Duo faster than it does than on my Core i7, and it doesn't support Turbo Boost and glitches with my GPU even though the proprietary drivers are there.

    I think that Linux users are tech-savvy enough to NOT buy prebuilt PCs, and on non-prebuilt there will be an option to disable this.

    Keep protesting. I'll laugh just like I laughed when Linux users "demanded" Steam. They don't really need any of it, they just want to pretend that someone actually gives a $h!t about them.


    I re-purpose discarded computers and laptops (mostly from DELL) for people who can't afford new PCs, but need a word processor and an internet connection. In 10 years I'll be doing it with i7's and whatever else is bleeding edge now. I am savvy enough to not buy prebuilt but I still use them.

    EDIT: I'll also say that as much as I love Windows, Microsoft needs to fix the problem of malicious code running in Windows before they fix a problem that doesn't even exist.
  • -5 Hide
    back_by_demand , October 20, 2011 4:01 PM
    spiketheaardvarkFor fear of antitrust Microsoft might be shamed out of this but I could see Apple using this.

    Apple already does do this.
    It crushed Psystar to death.
    If Linux wants to be able to install on any hardware, how about it ponys up some cash for a change instead of thinking that free software also means free IT industry.
  • 12 Hide
    mykem , October 20, 2011 4:02 PM
    Here are the facts:

    There is currently no way to prevent a rootkit from loading before an OS. Since Windows is the most popular OS, most rootkits are written to target it. Since a rootkit loads before the OS, it is free to modify OS files and is able to run in such a way as to remain undetectable.

    To remedy this, the new UEFI bios supports a secure certificate service. This service checks to ensure the OS boot files have not been tampered with before handing the system over to the boot loaders on the hard drive.

    Because the UEFI bios is able to step in before the OS/rootkits are loaded, it can securely ensure the OS has not been tampered with.

    The whole uproar is because Microsoft, as part of their logo requirements, is dictating that this feature be enabled by default on all PCs shipping with Windows 8.

    Since the motherboard manufacturers are responsible for the BIOS implementation, it is up to them as to whether to allow a BIOS setting that enables/disables the secure boot service.

    This is where the Linux folks and FSF take issue.

    The reality is that no motherboard manufacturer in their right mind would leave out the option to disable secure boot, as this would restrict the computer to Windows 8. No previous version of Windows, no versions of Linux... nothing else could be used on that computer. The customer outcry would be deafening. There is no incentive to leave this option out of the BIOS.

    I think the uproar is unwarranted for two reasons. One is that the market reality dictates that this should be a customer choice. The other reason is that if the open source movement were smart, they too would integrate secure boot into Linux, since any OS that doesn't support it is vulnerable to rootkits.
  • 2 Hide
    Anomalyx , October 20, 2011 4:07 PM
    amk-aka-phantomGTFO, Linux fanboys... you don't NEED new hardware. You can play around with your toys on a Core 2 Duo. In fact, 11.04 boots on a Core 2 Duo faster than it does than on my Core i7, and it doesn't support Turbo Boost and glitches with my GPU even though the proprietary drivers are there.I think that Linux users are tech-savvy enough to NOT buy prebuilt PCs, and on non-prebuilt there will be an option to disable this.Keep protesting. I'll laugh just like I laughed when Linux users "demanded" Steam. They don't really need any of it, they just want to pretend that someone actually gives a $h!t about them.

    So much hate for Linux... Yet most of the world's web servers alone run on some flavor of Linux. Basically, you hate the interwebz!
    =P

    On a more serious note, I use Linux because it's free, and because it's not bloated, and because it doesn't crash every few days. I do have a copy of Windows Server 2008 (saved from my MSDNAA days), and I still prefer running good ol' Ubuntu Server LTS instead. I prefer it over Windows server 2008, despite the fact that I'm a total Linux newb.
  • 4 Hide
    pale paladin , October 20, 2011 4:07 PM
    this feature will not limit the installation of GNU/Linux distributions. Microsoft is hardly worried about legitimate unix distributions and more concerned with hacked versions of their own software and Operating systems. Microsoft will keep things open. don't worry.

  • 2 Hide
    shafe88 , October 20, 2011 4:10 PM
    "It can be disabled" Not on all computers, if OEM manufactures remove the option to disable secure boot and I look for them not to have the option that way they can control certificates for drivers so people haft to buy replacement and upgrade parts from them.
  • 3 Hide
    xenol , October 20, 2011 4:24 PM
    shafe88"It can be disabled" Not on all computers, if OEM manufactures remove the option to disable secure boot and I look for them not to have the option that way they can control certificates for drivers so people haft to buy replacement and upgrade parts from them.


    If that's the case, then their customer base will drop significantly, at least in the desktop sector. However, I think the one sector that will play a major role is the corporate sector. Corporations are slow to adopt a new OS, thus, if the OEMs want the option to provide Windows 8, but need to provide the older OS (Windows 7, in this case) or even Linux, they would be stupid not to include this option and let the company's IT department fiddle with it.
Display more comments