Stand up for your freedom to install free software

[mmix]

Drop dead MS UEFI. there is many other alternative methods.
see MS winphone, even they didn't give a chance to update wp7 to wp8, ms is just such a $-company.

https://www.fsf.org/campaigns/secure...boot/statement

Quote:

Microsoft has announced that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they will have to implement a measure called "Secure Boot." However, it is currently up for grabs whether this technology will live up to its name, or will instead earn the name Restricted Boot.

When done correctly, "Secure Boot" is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting. In practice, this means that computers implementing it won't boot unauthorized operating systems -- including initially authorized systems that have been modified without being re-approved.

This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows. In this case, we are better off calling the technology Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all.

Please add your name to the following statement, to show computer manufacturers, governments, and Microsoft that you care about this freedom and will work to protect it.

We, the undersigned, urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems.

Another lame thread

http://forums.fedoraforum.org/showthread.php?t=280369

http://forums.fedoraforum.org/showthread.php?t=276484

http://forums.fedoraforum.org/showthread.php?t=272668

http://forums.fedoraforum.org/showthread.php?t=269947

http://forums.fedoraforum.org/showthread.php?t=275533

[mmix]

yes, lamer thread microshaft story. heh

But, you know, i don't even want to be here, just staring at fedora next move.


https://www.softwarefreedom.org/blog...ocks-down-ARM/

Quote:

Microsoft confirms UEFI fears, locks down ARM devices
By Aaron Williamson | January 12, 2012

At the beginning of December, we warned the Copyright Office that operating system vendors would use UEFI secure boot anticompetitively, by colluding with hardware partners to exclude alternative operating systems. As Glyn Moody points out, Microsoft has wasted no time in revising its Windows Hardware Certification Requirements to effectively ban most alternative operating systems on ARM-based devices that ship with Windows 8.

The Certification Requirements define (on page 116) a "custom" secure boot mode, in which a physically present user can add signatures for alternative operating systems to the system's signature database, allowing the system to boot those operating systems. But for ARM devices, Custom Mode is prohibited: "On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable." [sic] Nor will users have the choice to simply disable secure boot, as they will on non-ARM systems: "Disabling Secure [Boot] MUST NOT be possible on ARM systems." [sic] Between these two requirements, any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot.

While UEFI secure boot is ostensibly about protecting user security, these non-standard restrictions have nothing to do with security. For non-ARM systems, Microsoft requires that Custom Mode be enabled—a perverse demand if Custom Mode is a security threat. But the ARM market is different for Microsoft in three important respects:

Microsoft's hardware partners are different for ARM. ARM is of interest to Microsoft primarily for one reason: all of the handsets running the Windows Phone operating system are ARM-based. By contrast, Intel rules the PC world. There, Microsoft's secure boot requirements—which allow users to add signatures in Custom Mode or disable secure boot entirely—track very closely to the recommendations of the UEFI Forum, of which Intel is a founding member.
Microsoft doesn't need to support legacy Windows versions on ARM. If Microsoft locked unsigned operating systems out of new PCs, it would risk angering its own customers who prefer Windows XP or Windows 7 (or, hypothetically, Vista). With no legacy versions to support on ARM, Microsoft is eager to lock users out.
Microsoft doesn't control sufficient market share on mobile devices to raise antitrust concerns. While Microsoft doesn't command quite the monopoly on PCs that it did in 1998, when it was prosecuted for antitrust violations, it still controls around 90% of the PC operating system market—enough to be concerned that banning non-Windows operating systems from Windows 8 PCs will bring regulators knocking. Its tiny stake in the mobile market may not be a business strategy, but for now it may provide a buffer for its anticompetitive behavior there. (However, as ARM-based "ultrabooks" gain market share, this may change.)

The new policy betrays the cynicism of Microsoft's initial response to concerns over Windows 8's secure boot requirement. When kernel hacker Matthew Garrett expressed his concern that PCs shipped with Windows 8 might prevent the installation of GNU/Linux and other free operating systems, Microsoft's Tony Mangefeste replied, "Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves." It is clear now that opportunism, not philosophy, is guiding Microsoft's secure boot policy.

Before this week, this policy might have concerned only Windows Phone customers. But just yesterday, Qualcomm announced plans to produce Windows 8 tablets and ultrabook-style laptops built around its ARM-based Snapdragon processors. Unless Microsoft changes its policy, these may be the first PCs ever produced that can never run anything but Windows, no matter how Qualcomm feels about limiting its customers' choices. SFLC predicted in our comments to the Copyright Office that misuse of UEFI secure boot would bring such restrictions, already common on smartphones, to PCs. Between Microsoft's new ARM secure boot policy and Qualcomm's announcement, this worst-case scenario is beginning to look inevitable.

[Gareth Jones]

Quote:

Originally Posted by Yellowman

Another lame thread

Not really. Petitions may be completely useless, but the link may be of interest to those of us who are concerned about FOSS/UEFI interoperability (which frankly, anyone using a FOSS OS should be). It's quite possible to be concerned without being irrational about it...

[glennzo]

OK then. Leave the thread open or close it? Sort of flogging a dead horse here.

[bob]

And it's high time that we created another sub-forum for dead horse flogging! I know there are plenty of other floggers our there. (G'mornin' Glenn!)

[glennzo]

Howdy there Bob!!!

[DBelton]

Microsoft and secure in the same sentence??

Anyone else see an oxymoron there?

[srs5694]

One reason to keep the thread open is that people are still woefully ill-informed about certain basics, such as:

• UEFI is not equivalent to Secure Boot -- UEFI is a firmware standard that's been around for about a decade (albeit originally under the name "EFI"). Secure Boot is just one feature of UEFI, and it's a very recent feature. Most computers currently on the market support UEFI, but most of these don't yet support Secure Boot. Please don't conflate the two.
• Secure Boot can be disabled (at least on x86-64 hardware) -- Microsoft's certification requirements include a requirement that secure boot can be disabled, or keys added to the firmware. This means that x86-64 systems with Secure Boot and the Windows 8 logo will not be locked down. At worst, it'll be a little harder to install certain OSes. The real danger is in the possibility that Microsoft will change its requirements for its next version of Windows, or that ARM devices (for which Microsoft's requirements are different and much nastier) may become more popular as general-purpose computing.
• Companies can buy signatures from Verisign that use Microsoft's key -- Fedora 18 will be using this mechanism to ensure it can be installed easily. There are limits to this approach, but it will certainly help keep Fedora installation easy for less technically-savvy users. Other major distributions will likely use this method, too, but some distributions might not, either because they're one-person operations for whom the $99 fee is onerous or because they don't want to support Secure Boot on moral grounds.

Make no mistake, Secure Boot could become a serious threat. Right now it's not, though, and attempts to whip up a frenzy over the issue right now could backfire in the future, since this could become a "boy who cries wolf" situation -- people may ignore future warnings if they see too much doom-saying today with no corresponding doom in the near future. Right now, we as a community need to remain vigilant. More importantly, right now companies with an interest in open source and enough clout in the industry (such as Red Hat) need to work with standards bodies like the UEFI Consortion to get the standards revised in a way that will head off future problems.

[mmix]

it kind of sad..

i dont know fedora internal state, i hope fedora new head is not elop..
https://en.wikipedia.org/wiki/Stephen_Elop

BTW, now i am using mageia, i am not sure another distros gonna fight against MS UEFI thing.
when the time is come, maybe i have to make another choice.

---------- Post added at 06:12 PM ---------- Previous post was at 02:56 PM ----------

Quote:

Originally Posted by DBelton

Microsoft and secure in the same sentence??

Anyone else see an oxymoron there? :D

Well said! :)

i doubt the win32.flame malware come from security-flawed environment like close-source software.
they dont want show their source, m$ should open their source BEFORE enforce UEFI thing.

but then, they wouldńt. i see their scum intention

[srs5694]

Quote:

Originally Posted by mmix

BTW, now i am using mageia, i am not sure another distros gonna fight against MS UEFI thing.

EFI was created by Intel, not Microsoft. Microsoft is on the board of the UEFI Forum, which controls UEFI's development, but they're one of at least eleven companies that are members of the Forum. (See the UEFI Forum's "About UEFI" page.) Please also review my earlier post -- your fears are centered around Secure Boot, not (U)EFI as a whole.

Quote:

when the time is come, maybe i have to make another choice.

Please review my earlier post. Unless you want to buy an ARM device with Microsoft certification, there will be nothing preventing you from running Linux on it. At least some distributions, including Fedora, will install as easily as it would install to a non-Secure-Boot computer with similar specs. At worst, you'll need to change one firmware option to disable Secure Boot.

[stevea]

Quote:

Originally Posted by srs5694

One reason to keep the thread open is that people are still woefully ill-informed about certain basics, such as:

• Secure Boot can be disabled (at least on x86-64 hardware) -- Microsoft's certification requirements include a requirement that secure boot can be disabled, or keys added to the firmware. This means that x86-64 systems with Secure Boot and the Windows 8 logo will not be locked down. At worst, it'll be a little harder to install certain OSes. The real danger is in the possibility that Microsoft will change its requirements for its next version of Windows, or that ARM devices (for which Microsoft's requirements are different and much nastier) may become more popular as general-purpose computing.
• Companies can buy signatures from Verisign that use Microsoft's key -- Fedora 18 will be using this mechanism to ensure it can be installed easily. There are limits to this approach, but it will certainly help keep Fedora installation easy for less technically-savvy users. Other major distributions will likely use this method, too, but some distributions might not, either because they're one-person operations for whom the $99 fee is onerous or because they don't want to support Secure Boot on moral grounds.

...

Wow that really missed the issue -

MS confirmed that first concept, potentially disable by EOMs (not necessarily end users) only on a blog. Has there been an official statement ? The Win8 cert does not require 'enable'. That's not the same as requiring 'disable'.

ARM will be locked down for MS boot only and currently a majority of arm system run Linux - or it's sibling android. here are already arm tablets and plenty of >1Ghz multicore arm chips. Yes arm will penetrate the higher end mobile market. So say you buy a WinRT tablet in the future. The bad news is that you have vendor lock-in and cannot boot anything else.

Yes companies can buy signatures from MS via Verisign, as Fedora has done. The fedora approach assists newb who cant/won't disable secure boot.
Ubuntu has plans to generate their own key pairs to obtain secure boot to a ?custom? bootloader ? That may be a good approach.

None of this addresses what hoops an end-user compiling his own kernel will need to make it bootable w/o removing the secure boot.

So you might be able to dual-boot win8 and F18, but perhaps no other end-user Linux.

Also a disable-able secure boot is fundamentally insecure, which suggests this is not M$ final position.

[mmix]

Quote:

At worst, you'll need to change one firmware option to disable Secure Boot.

it doesn´t matter which could be turned on/off, why should i have to do? why enforce it?
i am pretty sure win32.flamer/stuxnet creator is big company´s friend. good guy/bad guy tactics..
if it is about boot virus/rootkit problem, there is so many another answer already,
but evil company prepared Trusted Computing.

https://en.wikipedia.org/wiki/Trusted_Computing

and remember this

Quote:

All of Microsoft's 'partners' have been screwed over. No exceptions.

[stevea]

This is reputedly text from the december 2011 Win8 cert ....

Quote:

"21. MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems."

So enable/disable is required for non ARM.

[Magickman]

The hell with them. Don't buy a commercial PC, buld your own, you get a much better computer for a lot less money. I think this could easily be worked around anyway by clearing the BIOS.
M$ wants to run the entire computer world, no big secret there.