Microsoft has finally found a way to kill its smaller rival, Linux, in the PC / desktop segment. Since most PCs are only designed to run Windows, and Windows 8 would be the obvious choice in the future, there is something we need to worry about.
With Windows 8, Microsoft would set certain guidelines for OEMs and PC manufacturers. All Windows 8 machines will need to have the Unified Extensible Firmware Interface (UEFI) instead of the venerable BIOS firmware layer. BIOS has been pretty much the sole firmware interface for PCs for a long time.
The EFI system has slowly been making headway in recent years, and right now EFI firmware is compatible with Windows supporting the GUID Partition Table (GPT), OS X/Intel, and Linux 2.6 and beyond machines. EFI is seen as a better hardware/software interface than BIOS, since it is platform-agnostic, runs in 32- or 64-bit mode, and GPT machines can handle boot partitions of up to 9.4 zettabytes. (That’s 9.5 billion terabytes.)
Linux supports UEFI; that is not a problem. The problem is Microsoft's other requirement for any Windows 8-certified client: the system must support secure booting. This hardened boot means that “all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)”.
By locking, Microsoft intends to prevent injection of malware onto Windows PCs, which looks like a justified claim. Linux bootloaders are EFI-ready but none of them are signed, hence they would just not work on PCs.
Bootloader Unlocking?
So what? We would unlock the bootloader, like we did on Android phones and the iPhone. No, it won’t be that easy. If all parts of the chain need to have a CA signature, then swapping out a machine’s signed EFI layer with, say, an unsigned BIOS or EFI would not work. Matthew Garrett from Red Hat notes:
“Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.”
So what about Signing Linux Distro Bootloaders?
“Firstly, we’d need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It’s a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it’s still necessary to get our keys included by every OEM.”
What can be done?
We just have to rely on manufacturers and OEMs to include an option in their UEFI firmware to disable the secure booting feature.
Microsoft has finally found a way to tackle Linux, and someone out there has to make the extra effort to save it from the vicious Monopoly!
Update: Microsoft has finally clarified that it could be disabled via BIOS.
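An added example, not part of the original article and not code from Microsoft, Red Hat or any project named above: on a running Linux system the firmware reports whether secure boot is enforced through the UEFI variables SecureBoot and SetupMode, which Linux exposes as files under efivarfs. The sample byte strings are constructed, and boot_state, flag and read_var are hypothetical helper names.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b2c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point

# Constructed samples: 4-byte attribute mask (0x06) followed by one data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)  # little-endian uint32
    return attrs, raw[4:]


def flag(raw):
    """One-byte value of a variable, or None when the variable is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a one-byte variable")
    return data[0]


def boot_state(secure_boot, setup_mode):
    """Classify the platform from raw SecureBoot and SetupMode contents."""
    sb, sm = flag(secure_boot), flag(setup_mode)
    if sb is None and sm is None:
        return "legacy-or-unknown"   # BIOS boot, or efivarfs not mounted
    if sm == 1:
        return "setup-mode"          # no platform key: nothing is enforced
    if sb == 1:
        return "enforcing"           # unsigned bootloaders are refused
    return "disabled"                # unsigned bootloaders can run


def read_var(name, root=EFIVARS):
    """Raw contents of a global UEFI variable, or None if it does not exist."""
    path = root / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes() if path.exists() else None


if __name__ == "__main__":
    print(boot_state(read_var("SecureBoot"), read_var("SetupMode")))
```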
Is it not possible that MS is doing this to close the one gaping loophole that allows mass piracy of its Windows OS? What other solutions would you have recommended? Security was introduced in UEFI for a reason, are you suggesting the OS not take advantage of it? Perhaps we should dump the advantages UEFI offers altogether.
Windows CAN’T kill Linux. Without Linux there is no such thing as a “server”, because many servers worldwide use Linux! If servers worldwide used Windows, the servers would be restarted many hundreds of times!
SO VERY TRUE! Besides, most recent Microsoft Windows 8 computers ship with Windows secure boot disabled. They decided not to deal with another lawsuit and figured dropping secure boot would prevent it. Well, SMART Microsoft. NOW LINUX has 5% of desktop share as of 2013, for reason 1, unlocking of secure boot, and 2, the new app store. With a recent Win8 update you can only install apps from the Microsoft app store, and to do that you need a Microsoft account. NO GMAIL, YAHOO, ONLY Windows Live or another M$ account. Which is why Linux has gained. Cuz you can’t run Firefox, Chrome or even Steam on Windows 8 without Microsoft allowing it into the app store. Will they allow anything in? Maybe Chrome, but highly unlikely. So people go to Linux because of this. On Windows 8 PEOPLE ARE FORCED TO USE INTERNET EXPLORER! I know this because my mother upgraded and her Firefox wouldn’t start, and to play media files she had to pay 5 bucks every time. So I tell her, “Mom, you should just abandon Windows and get Linux.” She said, “Compatibility, Craig. I can’t open Word documents in Linux.” I said, “Yes you can.” She said, “Okay, can I play my movies and media?” “YES you can,” I said, and she said “Firefox?” “Yes.” And finally she switched to Mint and she is happy. So yeah, if I can get my mother to switch and she’s trying to get her friends to switch, yep, Linux finally stands a chance.
Nope… for a start, most servers run Unix, not necessarily a Linux distro.
Also, what does a server OS (or a server) have to do with a personal computer?
There is no logic in comparing an end-user OS with a server OS, or in thinking that Microsoft’s locked bootloader will affect servers…