# What about new locked UEFI?



## sk8harddiefast (Jun 9, 2012)

Reading on the Internet, I found a lot of forums that say that Microsoft has opened a war on open source and is asking mobo companies to preinstall a digital key for Windows 8 on new UEFI motherboards without the possibility of disabling the Secure Boot option.

If this is done, it theoretically means that without paying Microsoft $99 it's impossible to boot any OS other than Windows 8.

What about this news?


----------



## Crivens (Jun 10, 2012)

That is old wine in new bottles. They tried it again, and now with everyone jumping on the A-Train (A as in ARM), the bar is set lower because you have to buy new HW/SW anyway, so you would not mind being incompatible with your old gear, right? So now is the right time to do it again. And after a fork of Flame or some related thing knocks out huge numbers of Windows PCs, there will be the next chance to lobby for it.

There is also a thread about this here in the forum.


----------



## throAU (Jun 11, 2012)

They will not ship boards without the ability to turn this off, or at least install new keys.


The $99 is the cost for a code-signing certificate that the vendor of an OS could pay to get a digital certificate to sign their code with.


----------



## Crivens (Jun 11, 2012)

throAU said:

> They will not ship boards without the ability to turn this off, or at least install new keys.
> 
> 
> The $99 is the cost for a code-signing certificate that the vendor of an OS could pay to get a digital certificate to sign their code with.



You are sure about the boards? And the key management software will be part of the firmware and not a Windows 8 only add-on? Again, my black crystal ball is the only one working right now to stare into.

And AFAIK, the $99 will be for signing something, not a certificate. So you need to open your wallet each time you recompile the kernel.


----------



## kpedersen (Jun 11, 2012)

Surely it will just be the bootloader? So unless BTX changes regularly (I am not sure? Perhaps it does!) then I don't really see it as a problem. Surely a bootloader-bootloader could be made which never gets changed and just runs the new bootloader?

This is all a little faffy, but (looking at Windows) Microsoft is good at that.


----------



## Morte (Jun 11, 2012)

Crivens said:

> You are sure about the boards?


I believe it's actually in the specification that it can be turned off. By default it may be turned on, but the user can always turn it off (probably per jumper or some other setting). Whether this remains true in the future is hard to say.


----------



## kpedersen (Jun 11, 2012)

For the Windows (arm) tablets, Microsoft have stated that it is a requirement that it *cannot* be turned off.

For the x86 market, Microsoft have allowed it to be turned off, (probably because there would be too many complaints).

So it seems like the main outcome is still no real selection of touchpads capable of running Linux/BSD.


----------



## drhowarddrfine (Jun 11, 2012)

The $99 would be paid one time by the OS vendor to obtain a signing key, not per installation.

I filed a complaint with the US Justice department anti-trust division.


----------



## Morte (Jun 11, 2012)

kpedersen said:

> For the Windows (arm) tablets, Microsoft have stated that it is a requirement that it *cannot* be turned off.



You are correct. I was referring to x86 machines only, although it's just something I read so I could be mistaken about that too. I think this is probably more about "securing" specialty devices (xbox, tablets) than generic PCs. Microsoft can't please multimedia corporations without the assurance that their machine "can't be hacked".


----------



## Crivens (Jun 11, 2012)

@Morte, @kpedersen


> ... believe it's actually in the specification that it can be turned off.



I have this nagging feeling that somewhere in the future there is a "for now" waiting to drop into these sentences. Hope I am wrong, but am preparing for it.

The thing is that there would of course still be machines being made which do not adhere to these rules, but they will not be targeted at consumers, and neither will the price tag.



			
drhowarddrfine said:

> The $99 would be paid one time by the OS vendor to obtain a signing key, not per installation.
> 
> I filed a complaint with the US Justice department anti-trust division.


Yes, that information got updated on the Red Hat page also. Seems better, but still ...
W.R.T. the complaint you filed, please keep us posted.

One thing crossed my mind just now. This firmware would need to keep track of revoked keys, would it not? Does UEFI phone home for those updates? Does anyone know how many keys that DB can hold before it may start to behave a little strangely? Just curious...


----------



## drhowarddrfine (Jun 11, 2012)

Crivens said:

> W.R.T. the complaint you filed, please keep us posted.


I filed it last week and got an acknowledgement from them. I don't suppose I'll ever hear anything back from them, at least not for quite a while, but I feel as if I helped bring it to their attention and let them know everyday citizens are concerned.

Any other US citizens who can also supply facts and concerns and knowledge can file a complaint here.


----------



## drhowarddrfine (Jun 14, 2012)

FWIW, I got a reply from a trial attorney at the Antitrust Division:


> Thank you for your e-mail to the Antitrust Division regarding certain recent conduct by Microsoft regarding internet browsers and the company’s “secure boot” initiative. It is always useful for us to learn about these practices, and we will carefully consider the issues you raise. If we have any questions, we will certainly be in touch.
> 
> Thank you again for your time and for the information.
> 
> ...



EDIT: Ooh! Looks like Mr. Hoag has dealt with Microsoft in the past:
http://www.pcworld.com/article/129842/microsoft_criticized_for_slow_antitrust_compliance.html


----------



## throAU (Jun 15, 2012)

I think there is a little more paranoia here than is justified.

Without a chain of trust starting before the boot loader, it is impossible to verify that installed boot code is actually from a trusted source and has not been modified in transit, in production, or post-install via an OS exploit.

The past 30 years have proven that writing secure code is a hard problem. No one has managed to write a 100% secure commercial (or free) OS thus far.

So, we assume the OS can (one way or another) be compromised.

If we can manage to write a secure bootstrap process (which, being much smaller should be easier to achieve) that can validate boot code has not been tampered with via code signing, we at least (in theory) have a secure platform to boot from.


This isn't about Microsoft attempting to get a monopoly on operating systems. They've already been sued for abusing their monopoly OS position. You think making x86/x64 machines boot only Microsoft-signed code would fly anti-trust wise? Of course not. It will be switchable off.


This is about ensuring the security of the OS is not compromised before it is even booted via pre-boot malware.  Linux, BSD, etc. could benefit from this as well if someone is willing to officially bless/sign the boot code.  How do you think all those Vista activation hacks worked? - subverting the OS pre-boot...

There's currently little to stop someone putting out a new Linux/BSD bootloader that roots your system, other than peer code review, but even then, an exploit in the OS could lead to malware being installed to the boot sector post OS install.

If the EFI can detect unsigned code in the boot sector, you'll know about it. If it can't, the OS has no way of detecting such a compromise (other than booting from confirmed clean media, which again you can't confirm has not been tampered with close to 100% without code signing), as any attempts to detect can be subverted by the pre-OS-boot code.


IMHO this is a much needed option for securing your machine(s).  I'd rather see the alternative platforms take advantage of it, than the idea being crippled via lawsuits...



To establish a chain of trust pre-boot, there's no other way MS or the PC industry could do this.  Having it turned on by default is a refreshing "secure by default" strategy.  If you want to run unsigned code, so be it, turn the option off.  However, if you're wanting to do that you're more cluey than the 99% of users out there who this will protect - and should have no problem doing so.

And yes, I suspect that to modify the EFI keys, you'll need to boot the machine in some sort of read/write EFI mode. Having the keys modifiable by an exploitable OS at run time would be retarded. Once the (signed) bootloader has finished, the keys should become read-only (but I'm not sure if this is what they've done), similar to the way kernel securelevels work.
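The chain-of-trust argument in this post (firmware verifies the bootloader, the bootloader verifies the kernel, a revoked image is refused even if it was once allowed, and the key databases become read-only once boot is under way) can be shown in a small model. The following is an added example written for this thread, not code from any poster or from a UEFI implementation. It assumes a simplified Secure Boot variable set: `db` holds allowed image digests and `dbx` holds forbidden ones, both as SHA-256 hashes (the UEFI specification permits hash entries in these databases alongside certificate entries; the certificate/Authenticode path is left out so the example needs only the standard library). The `KeyStore`, `verify_image` and `boot_chain` names and the sample images are constructed for illustration.

```python
"""Toy model of a Secure Boot style chain of trust (added example, not a real UEFI implementation)."""
import hashlib
from dataclasses import dataclass, field


def digest(image: bytes) -> str:
    """SHA-256 of a boot image; this is the value a hash-based db/dbx entry would carry."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class KeyStore:
    """Simplified stand-in for the firmware's signature databases (hypothetical names)."""
    db: set = field(default_factory=set)    # digests of images allowed to run
    dbx: set = field(default_factory=set)   # digests of images forbidden (revoked), checked first
    locked: bool = False                    # True once the databases are sealed for this boot

    def _check_writable(self) -> None:
        # Models the post's point: keys should not be modifiable by a running (exploitable) OS.
        if self.locked:
            raise PermissionError("key databases are read-only after the bootloader has run")

    def enroll(self, image: bytes) -> str:
        self._check_writable()
        d = digest(image)
        self.db.add(d)
        return d

    def revoke(self, image: bytes) -> str:
        self._check_writable()
        d = digest(image)
        self.dbx.add(d)          # the db entry may remain; dbx takes precedence at verification
        return d

    def lock(self) -> None:
        self.locked = True


def verify_image(store: KeyStore, image: bytes) -> str:
    """Return a verdict string: forbidden entries win over allowed ones, unknown images are refused."""
    d = digest(image)
    if d in store.dbx:
        return "deny: revoked"
    if d in store.db:
        return "allow"
    return "deny: unsigned"


def boot_chain(store: KeyStore, stages: list) -> list:
    """Verify (name, image) stages in order and stop at the first failure, as firmware would refuse to hand off."""
    results = []
    for name, image in stages:
        verdict = verify_image(store, image)
        results.append((name, verdict))
        if verdict != "allow":
            break
    return results


# Constructed sample images standing in for real EFI binaries.
BOOTLOADER_V1 = b"bootloader v1 (constructed sample)"
BOOTLOADER_V2 = b"bootloader v2 (constructed sample)"
KERNEL = b"kernel image (constructed sample)"
TAMPERED_KERNEL = b"kernel image (constructed sample) + injected code"


def demo() -> dict:
    """Enroll images, revoke the old bootloader, seal the store, then walk three boot attempts."""
    store = KeyStore()
    store.enroll(BOOTLOADER_V1)
    store.enroll(BOOTLOADER_V2)
    store.enroll(KERNEL)
    store.revoke(BOOTLOADER_V1)   # v1 later found faulty: dbx entry overrides its db entry
    store.lock()                  # from here on the databases are read-only, like a securelevel

    out = {
        "good": boot_chain(store, [("bootloader", BOOTLOADER_V2), ("kernel", KERNEL)]),
        "revoked": boot_chain(store, [("bootloader", BOOTLOADER_V1), ("kernel", KERNEL)]),
        "tampered": boot_chain(store, [("bootloader", BOOTLOADER_V2), ("kernel", TAMPERED_KERNEL)]),
    }
    try:
        store.enroll(TAMPERED_KERNEL)   # an OS-level attempt to whitelist itself after boot
        out["runtime_enroll"] = "allowed"
    except PermissionError:
        out["runtime_enroll"] = "refused"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two design points carry the thread's argument: `verify_image` consults `dbx` before `db`, so revoking an image works even though its original allow entry is still present (the update question raised earlier in the thread is about how such `dbx` entries get delivered and how many fit), and `lock()` models the securelevel-style sealing: any attempt to enroll a new image once the store is locked is refused rather than silently accepted.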


----------



## drhowarddrfine (Jun 15, 2012)

> They've already been sued for abusing their monopoly OS position.


Part of that was their blocking other browsers from working on Windows. On the new ARM systems, other browsers are locked out, so that judgement, which just expired last year or the year before, hasn't meant anything to them.

I don't think anyone believes secure boot isn't a good idea. The point is that Microsoft is in control of that and makes it easier for Windows to use it than anyone else and that non-Windows users have to go through a convolution to do so.


----------



## drhowarddrfine (Jun 25, 2012)

A third response. This time from my Congressman:


> Thank you for contacting me regarding the Department of Justice’s oversight of Microsoft’s anti-trust violations. It is good to hear from you, and I appreciate the opportunity to respond.
> 
> As you may know, there is a possibility that Microsoft 8 on ARM processors are not compatible with browsers other than Internet Explorer. Representatives from Mozilla Firefox are working with Microsoft in attempt to change their decision and are not seeking legal action at this time. Microsoft has said that they have a good reason for not allowing other browsers that relate back to the new chips being used and their need for security and power features.
> 
> Many people are concerned that Microsoft is attempting to limit browser competition and secure the dominance of Internet Explorer, which is denied by the company. In 2001 a settlement between the Department of Justice and Microsoft required the company to share its interface with third party vendors to allow competition for web-browsers and operating systems. Regulation of the company recently expired and some worry that Microsoft 8 is a sign of the company returning to its predatory practices.


Unfortunately he isn't on the committees that look into this but, from that email, he and others are very aware of what's going on.


----------



## throAU (Jun 26, 2012)

drhowarddrfine said:

> I don't think anyone believes secure boot isn't a good idea. The point is that Microsoft is in control of that and makes it easier for Windows to use it than anyone else and that non-Windows users have to go through a convolution to do so.




Well if you buy a PC with Windows, it would be better to be secure by default, no?  Because no one is going to bother to turn this on, other than those who are also cluey enough to turn it off if they need to.

The alternative, turned off by default will just maintain the status quo of insecure installs that we have today.


I don't see this (secure boot) as an attempt to lock users out.  It is simply being secure out of the box.

As far as the arm tablet situation goes - MS don't have a monopoly in that space...  I don't agree with them blocking other browsers, but as far as Windows 8 on tablets goes, I think it is pretty much irrelevant:

ARM Windows 8 = no compatibility with existing software = If you lose software compatibility, why not buy android/ipad (which has a massive software library already)?

x86 Windows 8 tablet = compatibility with all the PC malware out there = no longer a hassle free device = why bother.  This is the reason most tablet users buy a tablet.


----------

