[Ubuntu-be] Win8 will block dual-boot?

Jan Claeys ubuntu at janc.be
Thu Sep 22 15:44:37 UTC 2011


On Thursday 22-09-2011 at 12:51 [timezone +0200], Pierre Buyle wrote:
> It doesn't seem that Microsoft disallows the installation or booting of
> non-MS OSes, or even only Linux-based ones, on Windows 8 machines.
> What seems to be the case is that Windows 8 might require a security
> measure on these machines that may be practically incompatible with
> Linux and FOSS in general.

This security measure is not necessarily incompatible with linux, but
that depends on the particular implementation of the SecureBoot
specification in your hardware.

Hardware manufacturers that want to sell PC's with Windows 8 OEM *and*
the "Designed for Windows 8" logo must have SecureBoot enabled by
default in UEFI.  If they don't care about the logo, they can do
whatever they want.

If it's enabled, can't be disabled, and you can't add your own trusted
keys, that would make that hardware more or less incompatible with linux
(except for linux versions that get signed by one of the already trusted
keys of course, but that might be illegal).

If you can't add your own key, but you can disable it, you would be able
to use Windows & linux without problems, but you would lose the
security feature (it protects against rootkits, for example).

Of course if you can add your own key there won't be any other problem
than making installing a new OS a little bit more work.

> I didn't dig into the details, but the idea is
> that any software involved in the boot process will have to be
> digitally signed by a trusted Certification Authority (CA). Some
> distributions may be able to provide signed binaries in their
> package, but if the user cannot be its own trusted CA, then it will be
> impossible for a home-compiled software to be involved in the boot
> process unless a workaround (or "hack") allows it to bypass this
> security measure.

Technically, you can boot everything you want once you have a signed
copy of a bootloader that can boot it.  ;)

> PS: Note that the trust in "trusted CA" doesn't apply to who or what
> the user trusts, but rather who the software and hardware vendors chose
> to trust to protect their very own interests.

Actually, the "trust" is what the SecureBoot module implementation in
the UEFI firmware of the hardware chooses to trust.  It's perfectly
possible to allow adding additional (including your own) signing key(s)
to SecureBoot, but some people are afraid that hardware vendors won't
implement an interface for that (some OEM's might think: "why implement
extra features that 99% of our customers won't use?").

I'm pretty sure the major OEM's that target business users (e.g. Dell,
HP, Lenovo) will add the necessary features to the UEFI config to make &
keep sysadmins happy, even if only because many of their customers
routinely re-image all the PC's they buy with whatever OS & software
versions they are currently standardized on (and it's unlikely that many
companies will standardize on Windows 8 before it's at least 1 or 2
years old).  The situation is more likely to become a problem with cheap
consumer PC's, but even then not allowing unsigned OS'es is likely to
result in a lot of support questions, complaints, returned hardware,
etc.--all costing a lot for the manufacturer and/or reseller, so they
will probably try to avoid them.


Matthew Garrett has more info: http://mjg59.dreamwidth.org/5552.html


-- 
Jan Claeys
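
Added example, not part of the original message: a Python check that reads the standard UEFI `SecureBoot` and `SetupMode` variables from Linux efivarfs to see which of the states discussed above a machine is in. The state names and the `efivars_dir` parameter are assumptions of this example; it reports the current firmware state only, not whether the setup UI lets you disable SecureBoot or enroll keys.

```python
import os
import struct

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).
    efivarfs prefixes the data with a 4-byte little-endian attribute mask."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def read_flag(efivars_dir, name):
    """Return a one-byte global variable as an int, or None if it is absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            _, data = parse_efivar(fh.read())
    except FileNotFoundError:
        return None
    if len(data) != 1:
        raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
    return data[0]

def secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Classify the machine (state names are this example's own labels)."""
    if not os.path.isdir(efivars_dir):
        return "no-uefi"      # legacy BIOS boot, or efivarfs not mounted
    secure_boot = read_flag(efivars_dir, "SecureBoot")
    if secure_boot is None:
        return "unsupported"  # firmware does not expose SecureBoot at all
    if secure_boot == 1:
        return "enforcing"    # only binaries signed by a trusted key will boot
    if read_flag(efivars_dir, "SetupMode") == 1:
        return "setup-mode"   # no platform key enrolled; keys can be enrolled
    return "disabled"         # boots anything, but no signature checking

if __name__ == "__main__":
    print(secure_boot_state())
```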



