Open Ballot: Will "secure boot" hinder Linux adoption?

TuxRadar

By the end of the decade, you might not be able to install Linux on a random, off-the-shelf PC. At least, not easily. This is because the UEFI "secure boot" system is being pushed by Microsoft, and could restrict the installation of other operating systems. You see, in order to boot an OS, the bootloader will need to be signed with special keys, which causes complications for totally open, free-as-in-freedom GPLed software. There may be ways around it, but it'll be fiddly.

So as we crank-start the engines for our next podcast recording, we want to hear your views: will these complications hinder the adoption of Linux? Will the necessity of fiddling with UEFI options to disable "safe boot" put people off trying the OS? Indeed, could some PC makers force "safe boot" to be the only option, effectively tying machines to Windows 8? Let us know your thoughts, and we'll read out the most interesting in our upcoming podcast.

You should follow us on Identi.ca or Twitter


Your comments

Worried for the future

M$ knows exactly what it's doing. It can keep us out and make it look like they're doing the world a favour in the process.

I'm concerned as unless we can stop this legally, OEMs will be forced to comply and we might not be in a position to stay as open as we'd like if we are to keep going.

Tied down hardware

There are of course trying to find ways to keep their market share. No doubt the "discount" on W8 would vanish if the OEMs don't lock their hardware.

They are already under pressure, possibly by Android in the tablet field ahead of Linux proper, but locking it all up to Windows would prevent a lot of people even being able to try alternatives.

Saying that, given their track record, W8 will be a complete dog like Vista was and drive people from the dark side.

Yer But Windows 9 won't require "secure boot".

And no one will won't Windows 8.

Why Would a hardware vendors Support this travesty?

This is a "nail in the coffin" for Microsoft.

Agreed! W8 sounds like the new Windows Vista.
In many ways Microsoft would be advised to develop there own Pc hardware and make it shit hot. It worked for Apple.

Anti-Competitive

It's a shame Microsoft don't make a secure Operating System like the Unix types and thus avoid many of its security woes. It then wouldn't then need to invoke this particular feature which would lock out any other Operating System. (Or at least make it very difficult to use a secondary system.)

To my mind, in Microsoft's shoes, I would do the same. It may be anti-competitive but we are doing it in the name of security!

I just hope the Legal Eagles spot this ruse and jump down on them with a heavy legal stick and bludgeon them to pulp.

IT'S ANTI-COMPETITIVE pure and simple. Anyway, how are the Techies going to get into the system when Window 8 goes belly up?

Perhaps

It would probably help if we had a better view of why people moved to our system.

It appears to me that there are two groups -- those who will find GNU+Linux naturally and will be drawn to it through curiosity, and those who do not. The first group, probably wont be deterred by warnings of a 'less secure boot'. But as far as the latter goes, we must ask 'would they even consider going into the BIOS in the first place?'. Even after so many years it still has the same spartan look which gives off a sense of 'this is important and dangerous to mess with'. Because of this, I would be lead to believe that in most cases, the members of the second group are introduced through others.

Because locking stuff down ALWAYS works...

Locking stuff down ALWAYS works... just look at the success of DRM on mp3's, DVD, etc.

The hardware manufacturers will eventually put a stop to this one, though. Most tech-repair shops use Open Source software to remove viruses and fix hardware glitches via a bootable flash-drive (let's hear to for KNOPPIX). Without said tools, a machine has to go back to the manufacturer for repair. Once Sony, HP, or Samsung sees how much Secure Boot is costing them on the back end, it's done.

I should also point out that when Vista was still "Longhorn," there were a many wonderful features (a built-in anti-virus, a next generation file system, the ability to remove grease from fatty-foods...) that never made it into the package for by the ship date, and never made it into the OS via the many online updates or service packs either. Hopefully, someone will quietly 'forget' to include Secure Boot this time.

Off topic

How DOES one get verified?

Freedom should not be stopped!

In my honest opinion this will indeed hinder Linux adoption (if it ever happens to go on market).

However, as a side note a cannot think of a better attack on free software! This is completely outrageous. For the price you pay for hardware nowadays you should be free to install whatever you want. Even if it didn't cost you one cent you should be able to install anything you want. Once payed the hardware is yours not MS's. There is no nobleness in this "move".

This is not about install my ever so favorite operating system (Linux), it's about what I can do with my hardware and my money.

Is it really necessary?

Is secure boot really required? Surely this could only ever be an effective measure against crackers with physical access to a system. Thus users of other OSes suggesting this is a move to lock them out.

I would echo the point made by Ray Wood above, this would not be necessary if Windows were more secure. Hence this appears to have the hallmarks of a desperate, headline-grabbing action.

I would also echo the point made by merelyjim above, re DRM on digital media files. What if malware or a cracker were to corrupt the signature of the boot loader, therefore breaking the system? And how could such as system be rescued? Linux distros are well known on the light side as a means to rescue broken Windows installations. This may actually introduce a new attack site into the Windows OS.

Finally, what hardware initialiser are system vendors going to be moving onto anyway? UEFI or coreboot?

PS. As an aside, this might make a nice article for the mag, what technologies are out there that aspire to supercede the BIOS? How do they work and who is behind them? I know coreboot was covered in LXF 147, but what else is out there?

what needs to be 'verified' ...

... to satisfy requirements of UEFI? Is it the Linux Kernel itself - or is it just GRUB, LILO or other bootloader software that Linux requires?

Perhaps I am displaying my lack of technical knowledge here. However, if it is 'just' the bootloader, is there any possibility of a major commercial player in the Linux software world - say Red Hat - creating the appropriate signed package and distributing it freely to all Linux users who want it? Surely it would be in their interest to do so?

What a cynical approach....

I hope that the OEMs tell them where to get off on that one! Why would they want to limit their sales because Microsoft have decided that we should only be able to run Windows on the hardware that we've paid for.

That has to be anti-competition of the highest order! Mind you, when you look at the debarcle that is software patents I suppose even the craziest ideas get though!

It will be a dark day if they are able to pull the rug out from underneath all non-Windows 8 operating systems. Looks like George Orwell may have been a few years out!

Another genious idea from the people who brought us Windows ME

I really do wish Microsoft would make their minds up when it comes to open source software. Calling it a cancer, then coming out and saying that its a good thing and they embrace it, well, anyone can clearly see this is a genius plan to give them complete market dominance - ever more so than they already do on the desktop.

I really can't see this being allowed to happen within the EU as it is clearly anti-competitive against open source software. Commercially backed projects may be able to get signed but as for free ones, who knows!

At the end of the day, I believe that you should be able to do whatever you want to do with your hardware. Large companies should not be able to put these kind of restrictions on us.

Linux Secure-Boot

Surely Redhat/ Canonical / Attachmate et al will have their own secure boot compatible distro's? Also windows 8 will include hyper-V and I am pretty sure all virtualisation vendors will also update to use similar secure boot mechanisms - thus giving you a way to run any OS you want.

Also - from what I have seen with the windows 8 (with the developer preview), the adoption on desktops might be a long way away. Its more designed for tablets and convertibles and linux based android, chromeOS already have a huge headstart on those form factors and there is no reason why I would get a windows 8 tablet against a android tablet.

Linux is more an enabling platform and as you see with Kindle Fire tablet, its the services that are going to make or break new products. In terms of adoption, linux is going to end with far more adoption (without anyone really realising its linux).

Yikes

Yikes - many's the time I've rescued files from a broken Windows machine using an Ubuntu USB installation. This sounds like it might make these rescue operations much more tricky. I hope it doesn't get adopted - I'll keep my eye out and try to recommend friends don't buy machines with Secure Boot (as this is likely to make repair and rescue trickier), but I can well believe it would be one of those things that we only find out about after the event.

Not going to happen

How can it be fair that if someone wants a new to buy a new PC, that they have to be tied into the software (that they may not want), just because that's what happens to come with it? Surely it would be seen as anti-competition and unfair to the user?

Personally I think this will go the same way as the web browser issue. We will be given the option at first boot or something along those lines.

Little impact

OEMs won't be keen on this, they'll do as little as possible to satisfy whatever MS requires to allow them to stick those annoying badges on everything.

Consumers will either not like this and know how to get around it or not care/know/understand. And that latter group are unlikely to install Linux themselves anyway, they'll usually have one of the former group do it for them.

So yeah, bit of a dent maybe but not much.

If only little 'ready for linux' badges were as coveted by manufacturers.

Having said that, it really is a truly despicable thing for MS to do and they're doing it under entirely false pretences. I very much hope it gets challenged legally.

It may hinder it, but it won't stop.

Computer users will never let themselves be tied down to one OS, and even if Microsoft CAN tie down many computers with their "Secure Boot", simply the fact that Linux, *BSD, and Minix are still around proves that many users are not going to be satisfied with Windows. RedHat, a Billion dollar company, will not allow itself to be without work due to hardware restrictions. I'm predicting that the Linux community will either:
1. Find a way to (without too much hackery) put Linux on a Secure Boot System
2. Start making their own hardware that has no such restrictions.

Still, that being said, if it works out like we think it will it WILL hurt Linux and it will further the idea that Linux is not "standard" and not reliable in the business enviornment. We've been predicting the next blow to Open Source from Microsoft, here it is.

--jarubyh

Duh?!

So in our brave new world MS are going to make computers safer by ensuring that they can only run Windows?
Who says body-odour-fest Ballmer hasn't got a sense of humour? ;)

Potentially yes...

Unfortunately, Linux on the desktop is still a geek only project, and 99% of all buyers care more about a "certified for Windows 8" sticker than about the possibility to run operating systems they don't even know. Let's hope the EU will be on the case quickly - the commission has been more than sceptical about MS's anti-competitive behaviour in the past - and that the European Court of Justice won't listen to Ballmer playing the security card.

No idea if there is a way to hack this, but a legal solution would be preferable - we really don't need another thing making Linux installation more difficult or scary ("enter your BIOS, select 'Install other OS' and confirm that you understand that you are doing this on your own risk and that you are violating your warranty").

Traning the next generation of Hackers

How long until they realize that raising the bar to do what you want to do drives people to investigate and learn about other options?

Locked down android phones have already gone a long way towards training the next generation of hackers. I now have a dozen semi-computer saavy relatives that understand what Linux, root, and boot loaders all mean because friends or coworkers helped them install Cyogenmod on their phones.

This will just take that one step further. Instead of only us multi-OS geeks understanding how to configure multi-boot. It will drive a whole new population to learn about how their PC loads an operating system.

RE: Potentially yes...

@Tobi

I certainly think that the idea of voiding your warranty for this type of thing would be ridiculous. Sure they may try, but if hardware fails, which it does, under warranty then surely you could just system restore and send it back to them!?

It prevents me from running unapproved WIndows?

Great! I'll never install Windows on a PC anyway.

FUD

It looks to me like another case of FUD; will I, won't I, be able to do what I like with my brand new, shiny Windows? MS has in any case denied an intention to lock Linux out.

From a Linux point of view, we have had EFI for five years but no one has implemented it because it would shut Windows out.

We also have GPT which is a much better bet for 2Tb+ hard drives - but it needs Grub2 and it plays well with UEFI.

If this bit of FUD turns Linux developers to implementing UEFI, Grub2 and GPT, I might even get round to thanking MS for something for once in my life.

Secure Boot May Even Help Enterprise Distributions

I'm also worried about the negative impact Microsoft's initiative with signed OS and binaries will have for Open Source operating systems in general. But enterprise distributions like Red Hat, Oracle and SLES could take advantage from this step. I guess they wouldn't have too much trouble getting their signed keys onto the mainboards of OEMs. And their customers might actually appreciate the added security secure boot might offer them. I just cannot see these Linux companies lobby hard on behalf of community-maintained distributions like Debian or Fedora, even if they profit mightily from their efforts. Probably only enterprise grade hardware will remain open to Linux and other alternative OS, as business customers demand that. My worry is that Linux will become an option only for those able to afford enterprise grade hardware. What a pity that would be!

What

merelyjim said :D

Hmmm... unlikely to be universally implemented

We've seen this already with Trusted Computing. Ideas like this are never adopted across the board so consumers have the choice to buy it or not. Hardware manufacturers will want to hedge their bets and won't force something on their customers if they think it will hurt their sales.

If it isn't a feature that everyday computer users are aware of and decide they want then it is unlikely to take off.

The interesting thing would be if it was widely implemented. We might finally see a reaction from the general populace who are fed up of being told how to use something they have bought and paid for.

the other side of the coin

Up to now now one knows the percentage of computers sold use which use Linux becuase its not commercial. It's somewhere between one and five percent depending on who you listen to. This could give solid numbers on computers running linux if the vendors don't bother to implement the off switch for secure bootloaders. With the poor economy and thin profits margins, someone will see the business opertunity in providing working machines. Or system76 will suddenly have huge boast in customers.

Microsoft fighting fire with gasoline.

I say bring it on. Everything's crack-able and it will only be a matter of time before this "protection" is made redundant. There are so many people that support dualbooting - most of them technologically savvy developers and other individuals. Once Microsoft releases the firmware and it gets subverted within a month of it's debut, the joke will be on them. Life for penguin lovers and hackintoshers alike will go on hitch-free and not one care will be given.

Soon after, the good hardware manufacturers will notice their locked down boards aren't being bought and revert back to the open platform we all know and love. Freedom keeps moving forward. THE END.

Palladium Revisited

Another case of FUD, and there's no lock that can't be unpicked given time. In any case, I think some mobo manufacturers will see a business opportunity and provide the unlock option. However, I can see that companies would like locked-down systems as it's not a hobby for them.

It should be politics & law

It should be politics & law that stops this outrageous thing. And they won't, just like they do not stop other crazy things.

In my opinion the open source community should reply by including into GPL that no software might be executed on systems that have this feature turned on _by default_. (If a user chooses to turn this on, that is his choice, but he should understand what he is doing). I am not sure that every windows user would be happy being stuck with IE and Office. Sysadmins would surely go crazy. Even java could be kept back from windows 8 on these grounds. WHether it is possible to include such a term into GPL, I have no idea.

Things aren't what they seem.

First of all, this was never going to affect servers. RedHat isn't going to come in like white knights and save us because they care about people installing on severs not desktops. No corporate entity filling up a server rack gives two hoots if they have the windows sticker, especially if they are buying them with Linux installed anyways.

Second, only the major vendors are going to comply with this. The ad on my page right now is for system76. They aren't going to do it. It's not like you won't be able to buy consumer hardware without it.

Third, even the major vendors are likely to include the advertised feature of turning it off in the bios. I suspect only cheap low-end netbook type models will come with no choice.

Fourth, will everybody stop claiming this is over false pretenses please? You think they care more about stopping people from installing a FLOSS OS on their hardware than they do about the perceived public perception that Windows has a lot of viruses and Mac doesn't? This sounds exactly like the kind of security solution that would come from the minds of the people who design Windows. Garbage in, Garbage out.

Fifth, I'd like to address this quote from another poster.

"This is a "nail in the coffin" for Microsoft." ... and other such comments.

No it isn't. Microsoft is masterful at the lock-in game when it comes to the corporate and government desktop and the average consumer is an idiot who doesn't know better and doesn't care. There are no nails in the coffin and no magic bullets either. Also, there isn't going to be an uprising and computer repair centers because the one competent geek squad member can't use Knoppix.

I'm actually kind of embarrassed by the amount of delusion and ignorance floating around here.

@hammeh

I agree with you, and wouldn't think for a second whether I confirm that I am doing this on my own risk, violate my warranty (which would probably not be the case, but computer salesman will help spread the MS FUD) or potentially blow up the computer. Neither would you or anyone else listening to this computer.

But if we want Linux to ever become a success on the desktop (I certainly do), we need to be able to say "Just pop a CD in your drive and try it out!". Explaining for 15 minutes which BIOS submenu to go to, which switches to trigger and which security warning to ignore is not going to help.

I am sure there will be a way around "Secure Boot for Windows 8 (TM)" within hours of the first computer with it sold, but it will be a significant hurdle to Linux desktop adoption.

Warranty

Just to clarify on my warranty point: I don't believe that switching this function off would void the warranty for hardware failures. But this will be part of the FUD coming with it.

It is the same as rooting Android phones - I don't think any court in the EU would actually deny your right to a replacement for a defunct battery just because you installed Cyanogenmod, but I am quite sure that 99 % of the phone salesmen in the EU would claim that you lose any warranty by doing so.

And that scares people. Not us, but the vast majority of computer users - the people for whom something like Linux Mint would be the ideal OS!

YES and it will be backed up

YES and it will be backed up by DRM. It will be illegal to install linux in some computers in some jurisdictions. Bet on it.

@Ferd

Based on what exactly? Besides, your point doesn't even make sense. Secure boot is a form of DRM so what do you mean "backed up by DRM"? Also, is the sky going to fall as well?

Physicaly won't, juridicaly probably

Well UEFI won't be popular because of one little reason: Windows 8 is new vista. They thrown up new UI, demote very own development standards: it seems that even Microsoft learned something from Gnome and Unity developers.

On the other hand it may be somehow illegal two write second OS with Bios firmware.
For new low-tech Linux users this might be really big problem.

Fed up consumer

This is exactly that type of MS FUD that made my linux decision over 5 years ago. MS doesn't want to lose their customer base(money) .Since they can't make an excellent product, they are going to "force" MS purchases by intimidating the consumer.

I hope the consumer can see through this MS facade and not be intimidated by this corporation attempt for total monetary control of the computer industry.

Win 8 is not the new Vista

Win 8 is a reworking of the Win 7 code, with a new shell. And people love Win 7. Win 8 is more comparable (if you want to imply that it's going to flop) with Win ME. It's not going to be bad so much as unnecessary and confused.

It's MS trying to get into tablets, really. I mean MS have trying to get their OS on tablets for decades and nobody cared because they were rubbish. Then iOS and Android come along and everyone loves tablets. So MS, with a little tear in their eye and a quivering lower lip, rush out this (in their eyes) tablet-friendly respin of Win 7 to try to get a slice of that pie they've been drooling over for so long.

I don't think it'll work, MS just aren't good at that stuff. Metro looks alright as an application launcher, that bit's fine. But the task switching and general interaction are awful.

And, as I understand it, any pre-windows-8 code (including the windows-7-like-desktop-app-thing will run virtualised, which is just weird.

So yeah, I'd be surprised if Win8 does well. It's not (based on the pre-release) a very good tablet OS. And it's not a very good home-desktop OS and I can't see enterprise people liking the idea of a new, untested MS file system either.

But dismissing it out of hand is stupid. This stuff won't go away. The UI/usability ideas from ME ended up in the ultra-popular XP, on top of a more stable core. Vista became the very popular Win7. MS aren't going to keel over and disappear just because Win8 fails to sell and imagining otherwise is dangerous. Linux needs to capitalise on these opportunities but a big part of doing so is realising that these things move very fast and need responding to quickly and cohesively which... doesn't happen, sadly. The only body really capable of doing that is Cannonical and they've kinda painted themselves into a corner with Unity.

Is this not an opportunity

Is this not an opportunity to get sorted out and push into the desktop market more? Or perhaps vendors to revisit open hardware standards?

clerk

Secure boot has it's place. Otherwise, you could just go up to any computer, insert a cd or thumb, and scoop up all the data, or wipe it out!

But it should be bios controlled, with a secure password. That leaves the user in complete control.

@Sonfianitz

Yes, secure booting is needed. I have GRUB passwords on all my current machines.
But the average user doesn't know enough to set a boot loader password, I guess in MS's eyes they are doing security a favor by forcing a secure booting procedure. I don't really care if they do, providing there is an easy way to turn it off!

What about the EULA?

So what happens if I buy a new computer with secure boot, get it home, plug it in, etc. and read through the Windows 8 EULA and decide I don't accept the terms? Unless a copy is provided for me to read before purchase, I should be able to return the PC to the store from which I bought it for a refund: otherwise, customers would be having to commit to a contract they haven't even seen for their computers to work as 'expected' after purchase. I don't think either retailers or manufacturers would be happy with that! Surely, there are trading standards issues that would make secure boot a liability for manufacturers.

Um, yea, right...

This is a NON issue. What self- respecting Linux user would buy an off-the-shelf computer? ;)

Anyway, I am certain there will be a workaround. There always is...

no big deal

I would be surprised if a workable hack isn't figured out within a few minutes and a couple more days until it's transparent to people that are new to linux.

My MEP has just...

been emailed a link to this page. I'd suggest others that have commented with concerns about this MS stunt do similar. I reckon it's a pretty decent demonstration that ordinary users are worried about how this will impact their right to use their computer hardware as they see fit. Also, it's clearly going to have competitive implications as far as the home user computer market is concerned.

Secure boot.

O, I always knew MS was like that.
They always did business in this crime-culture.
Hi EU-Neelie Smit...!

I intended to try Windows again dual with Linux after a pause of 8 years. But no fu**ing way now.
I'l use other then Windows now until I pass away.

Just more corporate waste.

I've been running linux since 94. Honestly used to worry about linux. Especially when IE had over 90% market share.

This may or may not slow linux down on the desktop. But its not going to change the commoditization of OSs/Desktops/Office. The issue that matters, is that a larger number of those machines will end up in the trash after windows gets a virus.

Yes some people will crack the security. But there will be a higher bar to reusing the hardware. Which means less recycling. Bad for the environment. Bad for the poor who get PCs at thrift stores or from the local good hearted red neck geek (don't be offended I consider myself one). Good for Hardware manufactures and MS.

D:

Dont buy walmart computers? LENOVO ALL THE WAY!!!! and whatnot you get the point just order online if its that big of an issue, this really UPSETS me and many others D:

@ Andrew Cole

OK so what I meant was it will be backed up by anti drm legislation. Sky still there I guess but more and more people are becoming 'criminals' as a result of all these processes.

The ability to disable secure boot has to be made obligatory

The ability to disable secure boot has to be made a legal requirement. It's so clearly anticompetitive, that it should be stopped outright. Just like you can murder and do other wicked things in the name of a loving god, you can wreck havoc in the name of security (and murder Linux in the process). It's the highest time the law should intervene - before it's too late.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

CAPTCHA
We can't accept links (unless you obfuscate them). You also need to negotiate the following CAPTCHA...

Username:   Password:
Create Account | About TuxRadar