Protecting the pre-OS environment with UEFI
blogs.msdn.com Microsoft is working with our partners to ensure that
secured boot delivers a great security experience for
our customers.
In real life, I came home tonight and my wife had locked the house door on the way out to a dinner meeting. I unlocked the door and went inside my house... I felt secure... But it turns out that I was missing something. I could have had a "great security experience" instead of being merely secure.
Thumbs up to the MS team for taking something that was taken for granted, diluting it, confusing it, simplifying the resulting abomination and declaring that they're delivering a "great security experience". I assume that the writer is a Republican in the Rick Perry mold? (1)
(1) I'm a registered [California] Republican and am mad as hell about the hijacking of my party, so I can make fun of our idiots without irony.
"For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow <b>programmatic control</b> of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity."
So an OEM can still be "Windows Certified" if they allow manual disabling of secure boot.
That was never the point. The point is that there will be probably systems which do not allow a modification at all for controlling secure boot as it would be another optional feature. In addition you probably won't be able run Linux without changing the secure boot option for certified systems.
http://mjg59.dreamwidth.org/5552.html provides a good overview about the issue
Snippets from the comments below the article reveal all:
Jose Pedro 22 Sep 2011 4:06 PM # Having in mind that any open source operating system or bootloader would probably have to provide publicly their keys, thus making it hard to have these validated, how could secure boot be made to be compatible with these, or these to be functional with secure boot?
Steven Sinofsky 22 Sep 2011 4:10 PM # How secure boot works with any other operating systems is obviously a question for those OS products :-) We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality.
Drewfus 22 Sep 2011 5:36 PM # @Steven Sinofsky: "How secure boot works with any other operating systems is obviously a question for those OS products :-)" Agreed. It is up to other OS vendors to get their acts together regarding secure boot, and if this causes conflicts with their licensing models, that's their problem. The onus is not on Microsoft to compromise system security to be 'fair' to the GPL, or whatever.
etc.
The original revelatory article was not FUD, Microsoft seem to be trying to 'accidently' lock out un-certified OSs. Ubuntu might go for it, Puppy probably will not. Crap.
See also the previous post "Windows 8 OEM specs may block Linux booting" - http://news.ycombinator.com/item?id=3020459
From this post, written by Microsoft:
> Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
Yes, thanks, that's a good summary.
Since the conversation from yesterday (with 137 comments) was voted pretty highly, I assumed that this submission was related, and the previous one would offer interesting additional discussion.
I'm sorry if it was inappropriate to link to. By offering it, I was in no way advocating a particular point of view, even though I quoted the title of the HN submission, which does put forth a hypothesis.
If it's appropriate to delete my comment, let me know.
Microsoft responded to accusation: http://www.winrumors.com/microsoft-clears-up-linux-confusion...
I've submitted that link to HN.
That's just a summary of the blog post that this thread is about, and IMO it's inaccurate; to me Sinofsky's post seems to confirm everything Garrett wrote.
tldr: it's up to the OEMs whether or not to provide an (ugly and, considering the implication that other OSes are insecure, scary) option to disable secure boot.