Sunday, December 23, 2012

Windows 8 war on Linux: how "secure boot" stops you from running Linux on some new PCs

CNET reports that a new feature included in the operating system in the name of security may also effectively make it impossible to load Linux on officially Windows 8-certified hardware.
The problem derives from Microsoft's decision to use a hardware-based secure boot protocol known as Unified Extensible Firmware Interface (UEFI) in Windows 8 rather than the traditional BIOS we're all familiar with...  
     Essentially, the technology is designed to protect against rootkits and other low-level attacks by preventing executables and drivers from being loaded unless they bear a cryptographic signature conferred by a dedicated UEFI signing key.
     “There is no centralised signing authority for these UEFI keys,” Garrett explained. “If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.”     Microsoft has said it will require that Windows 8 logo machines ship with secure boot enabled.
Microsoft claims that Linux infringes 235 of its patents and has recently made Casio obtain licenses to run the open source operating system.
In the last four years, the software giant has been quietly threatening legal action for any Linux-using company that refuses to sign patent deals with it. Amazon, Novell, Linspire, TurboLinux and Xandros have all put their X on the dotted line. Others, like satnav maker TomTom, ended up in court, but eventually settled.
     Microsoft has also used the Linux-related patents, among others, to target Google's Android, already succeeding in getting HTC, Acer, Viewsonic and two small hardware manufacturers – Onkyo and Velocity Micro – into licensing agreements.
Brad Linder of Liliputing explains how PC buyers should shop for a Windows 8-certified PC to keep their Linux options open:
Before a computer boots Windows, OS X, Linux, or any other operating system it loads system-level firmware. For the past few decades most PCs have used something called BIOS to recognize your hardware and load the appropriate operating system. But there’s a new kid in town called UEFI, (which is what Macs have been using for the past few years)...
     In fact, in order to qualify for the Windows Certification program, a computer will have to use UEFI 2.3.1 or newer and have “secure boot” enabled by default. This feature is designed to prevent malware from infecting your bootloader by preventing unuathorized code from running when you first boot your computer.
     ...If the feature is turned on you may not be able to replace Windows 8 with the operating system of your choice or create a dual boot setup.
     ...In order to slap a Windows logo on a Windows 8 PC, hardware makers will have to ensure that secure boot is turned on by default. But there’s absolutely nothing preventing PC makers from giving customers the option to turn off that setting.
     Of course, there’s also nothing requiring them to do so… and so it’s possible that some companies won’t bother to make sure the UEFI included with their prebuilt computer systems include an option to disable secure boot... we won’t really know if there’s a problem for Linux users until Windows 8 computers start to ship — or you can just build a computer yourself using components that are known to work with the operating system you choose to use.

No comments:

Post a Comment