Robert Pogson

One man, closing all the windows.

ZaReason Speaks On UEFI


Cathy at ZaReason suggests solutions:

  • CoreBoot has some AMD support…
  • Creating keys for FLOSS…
  • Hacking motherboards…
  • Disabling Secureboot…

She starts by pointing out that “SecureBoot” is a brilliant scheme by M$ to extend its control of hardware-suppliers. Eventually, the supply of machines that shipped “7” without UEFI/Secureboot enabled will dry up and */Linux will have to deal with it. End-users tend not to want to disable a “security” feature. It’s mostly a “security” feature for M$, not users.

39 Comments

  1. oiaohm

    bw the simple fact is Microsoft privacy terms are not even close to being suitable for safe harbour acceptance.

    Google only has to drop that scanning of client emails for ads to be able to apply for safe harbour acceptance so getting away from warrantless email scanning completely.

    bw basically if any email server group should be poking fun at everyone else it’s Yahoo; they have done everything right.

  2. oiaohm

    bw
    –The article says that the US government can access mail archives under some law passed by Congress back in the 80’s. It applies to Google, Yahoo, AOL, MSN Hotmail, and any other mail provider. Everyone has to accept that.–

    The law ceases for servers not in the USA. Google is one of the few that do it to letter of law.

    Yahoo has managed to get protection under Safe Harbour provisions that also block the USA government from looking without warrant. So you are wrong that it applies to Yahoo; you should have read the Yahoo privacy policy I provided a link to. Congress passed Safe Harbour terms that cut out a lot of snooping.

    The upgrade to Google is Yahoo if you don’t like gmail terms.

    Of course I would wish Google would get Safe Harbour. This also would bring restrictions that most likely would stop google scanning emails. Yes Safe Harbour no snooping in packages without grounds.

    bw Microsoft admits scanning for other reasons. Just not for advertisement.

    bw notice that I pointed out about Outlook.com privacy statement it has more holes than Swiss cheese to give all your data to third parties. Including giving that data to third-party vendors for processing.

    Google statement is simple but from the point of view of your data leaking to third parties Google is better.

    The “including the enforcement of our agreements” with who? Microsoft does not list what agreements they have that you are agreeing to be party with.

    bw basically MS privacy policy says they are not doing it. Does not say they cannot make an agreement that lets another party do it.

    bw think how MS uses patent trolls. Then wake up they can do the same with advertising. Basically by MS privacy agreement we cannot be sure MS is not doing the same as Google but hiding the crime in some grubby third party.

    This is the problem bw Microsoft is trying to be clean but doesn’t have the policy to back it up.

    With a well-written policy like Yahoo’s and Google’s you do know what they are doing.

  3. bw

    “he has no evidence that M$ does not do the same.”

    All you have to do is Google for it. You get lots of hits for Google doing the scanning, even from Google itself admitting to the deed although they spin it as a service. Do the same for Microsoft and you get nada.

    You say you are not bothered by that and, frankly, I am not bothered either. But that is the sole area where there is any sort of knocking of competitors in Microsoft ads, which was the real issue here. Turns out to be a true claim, though, and that makes it a sales point rather than a disparagement. Nothing illegal about that.

    So people who might take offense at having the content of their mail messages read or scanned and ads provided in response might choose Outlook.Com over Gmail. People who don’t care about that will choose on other factors.

    I am keeping my gmail account, though.

  4. Robert Pogson

    bw wrote, without evidence, “Google sends you ads based on reading your mail”, yet he has no evidence that M$ does not do the same.

    Even if Google aims ads at me, that’s a good thing because they could send random ads and really annoy me and I can always encrypt if I don’t want them reading my mail.

  5. bw

    “they still scan everything you put in there for the USA government…so one reads your emails on their servers for advertisement and the other reads your emails on their servers to send you to jail.”

    How stupid can you get? The article says that the US government can access mail archives under some law passed by Congress back in the 80’s. It applies to Google, Yahoo, AOL, MSN Hotmail, and any other mail provider. Everyone has to accept that.

    Google sends you ads based on reading your mail, though, and Microsoft and the others do not, at least as far as anyone seems to be aware.

    Google is being pretty bad about privacy violations, because they have to do that to make any money. You want to give them a pass because they use freebie software to run their business. I think that you all just hate Microsoft because they make more money than you and you are trying to save some face. You are just looking foolish instead with these long-winded and convoluted claims. Go get yourself a better life.

  6. oiaohm

    bw you are a little in the dark.

    Even though Microsoft is not using email content for advertisement (http://people.howstuffworks.com/stored-email.htm), they still scan everything you put in there for the USA government.

    So the party that can throw you in jail can read your private emails without issues anyhow. Heck they don’t even need a warrant any more.

    So if the data is truly something you want to remain secret using USA servers is out. Gmail is about the only one that has refused to host automated USA government scanning software.

    bw so one reads your emails on their servers for advertisement and the other reads your emails on their servers to send you to jail.

    As I said you need to look closer. Microsoft is scanning your emails. You are just not seeing the results of it until you have police standing at your door.

    Basically Microsoft is trying to do one-upmanship. Google has been as uncooperative as they can be. Including only handing over data currently stored in USA servers if there is no warrant.

    bw Microsoft is not telling you that they don’t scan your emails. They just don’t do it for advertising. That still leaves a huge stack of ways the information can be abused.

    Google privacy agreement yes they can use it for advertising only directly to you from a google server. They in fact cannot farm the data out to third parties to use as they see fit.
    http://www.google.com/intl/en/policies/privacy/ Not too bad.

    Here Microsoft full http://privacy.microsoft.com/en-us/fullnotice.mspx
    bw the line you are looking for is.
    Microsoft
    However, our vendors may use aggregate data for fraud detection to help improve their services. This helps them to more accurately detect fraudulent transactions.
    Microsoft you go to bank to get loan and your credit rating might be shot to hell because you mentioned you had some money problems.

    The next lines after that are even worse.
    We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.
    Basically this is fairly much make a fancy enough argument you can release information to anyone. Part (b) is written wrong.

    Google part b equal.
    protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.
    This is not open do what ever I want like the Microsoft one is. This is I have to go law and find a legal reason for breaking privacy. Microsoft does not have to find a legal reason. Just the property rights of Microsoft or its customers has to be breached and they can release. And they only have to believe that.

    Microsoft
    We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets.
    Google
    If Google is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.
    So if google ever sells gmail you will get an opt out going to the new provider. If MS ever sells their email they don’t have it. In fact MS is that vague any corporate transaction could be used as an excuse to allow access to your personal data and you agreed to it.

    bw really google using it for advertising is about the least painful thing they can do with it.

    Go away read both privacy policies. The least harmful is the google one out of google vs microsoft.

    bw if you are wanting a better quality policy than google or microsoft it is yahoo’s. http://info.yahoo.com/privacy/us/yahoo/

    The reality you want privacy encrypt.

    bw Apparently you never checked out what MS scans their stored email for. It is far worse than google issue. The information is also simpler to get released to third parties from the Microsoft Privacy policy than the Google one.

    Targeted advertisements is one thing. But the important worry is that the data is not released to third parties without restrictions. Microsoft policy fails that check, Google passes. So pick your devil.

  7. bw

    Apparently Google actually is scanning user’s mail to associate advertising attachments. Microsoft says that they do not do that at all with Outlook.com. Say what you will about either, but I sort of favor Microsoft on this issue.

    Perhaps the reason lies in the notion that Google’s business is a rather oblique service model that depends on selling advertising and Microsoft’s business is selling a product.

    Once Microsoft has your money, they have your money and only have to worry about getting some more later by selling you a new version that you somehow must think to be an improvement over what you bought last time.

    Once Google has your business, however, they still need to figure out how to turn that into money. Selling these “scroogle” hits is one way of doing that.

  8. lpbbear

    “But the question remains. Is what Microsoft says about Google scanning emails true or false? If it is true, Google deserves to be shamed. If false, Microsoft deserves to be prosecuted.”

    Microsoft is the LAST company on this planet to be calling a competitor’s laundry dirty! Were a competitor to use Microsoft’s same shitty ad approach there is enough dirty diapers in Microsoft’s laundry bag to keep negative attack commercials against Microsoft going for several years. Just be glad the rest of the world has better things to do than wallow in the pig sty with Microsoft.

  9. oiaohm

    bw “If an ad disparages a competitor’s product with false claims, I would expect that it could be prosecuted.”

    Cash for comment here in Australia is where you are paid to say something positive or negative about a party and you don’t clearly state you have been paid. Y party recommends Windows X that is a known paid for thing but is not marked as a perfectly clear advertisement is questionable. Some Microsoft ads of those are percentage off licenses squired not how effective or how many have seen it or any other metric to measure advertisement.

    bw
    –Any advertising is directed at enhancing the sale of your own product and that is always to the detriment of a competitor.–
    Correct and incorrect. There are limits on what is allowed.

    That is the problem items like recommends may not be enhancing product sales other than the money being blackmail. If advertising is not in fact increasing sales is it advertising any more bw.

    Advertising your own product is not always a detriment to your competitor. You are forgetting the 1 possibility. The purchaser decides to buy both.

    bw
    –But the question remains. Is what Microsoft says about Google scanning emails true or false? If it is true, Google deserves to be shamed. If false, Microsoft deserves to be prosecuted.–
    There is an old saying. What someone accuses someone else of doing check them for it.

    There is a lot of email checking forced on Google because they are a USA company. This applies to MS live mail and MS exchange services as well.

    So question Microsoft that you accuse Google of scanning exactly what do you do with what you get.

    Yes Microsoft attacks Google but they don’t advertise what they are doing different and better. Now if they are doing the same as google and they are attacking google they are a hypocrite and it’s illegal advertising.

    bw every negative campaign should have a mirror positive. Political parties forget this. Doing negative campaigns alone turn you into the bad guy and hated. Does not matter if you are right.

    Good positive advertisement is many times more effective than negative.

  10. bw

    “advertising designed to eliminate competition is illegal”

    Any advertising is directed at enhancing the sale of your own product and that is always to the detriment of a competitor. The only thing that you might complain about being illegal would be deceptive advertising. If an ad disparages a competitor’s product with false claims, I would expect that it could be prosecuted.

    But the question remains. Is what Microsoft says about Google scanning emails true or false? If it is true, Google deserves to be shamed. If false, Microsoft deserves to be prosecuted.

  11. Robert Pogson

    bw wrote, “You are suggesting that advertising is illegal or else should be. That borders on being declared crazy in my opinion.”

    Of course advertising is good for everyone. However advertising designed to eliminate competition is illegal. It undermines the value of trademarks etc. M$ went way beyond legal.

    Look at M$’s current “scroogled” campaign. Are they abusing trademark? Are they spreading false news? Why aren’t they content to advertise their own product? It’s because M$ doesn’t get the concept of fair competition.

  12. lpbbear

    “and that is what happened to the point where IBM went out of the business eventually”

    IBM went out of business? Might be news to them!

    http://www.ibm.com/us/en/

    I get that you mean the PC biz, but that really didn’t happen until they sold out their PC business to Lenovo in 2004 which was well after their initial “mistake” in allowing PC clones to become the norm.

    http://www.nbcnews.com/id/6666170/ns/technology_and_science-tech_and_gadgets/t/ibm-sells-pc-business-chinas-lenovo/#.USTzjyC6OOg

    The irony with UEFI and the way Microsoft is attempting to use it as a hindrance to competitors is the fact that Microsoft would now like to close the PC. IBM’s so called “mistake” in leaving the PC open is what helped to create Microsoft in the first place. That happy accident for Microsoft was certainly not due to any genius on Microsoft’s part.

  13. bw

    You are suggesting that advertising is illegal or else should be. That borders on being declared crazy in my opinion. You all seem to like Google because they created Android, but their very existence depends on people advertising with them, including big companies.

    You just don’t seem to understand how things are done. All businesses partner with distributors and suppliers in order to mutually benefit one another. Dell is in business today only because Microsoft could offer them a completely compatible OS as sold by IBM who was the leading brand. Nobody could copy Apple, but everybody could copy IBM and that is what happened to the point where IBM went out of the business eventually because the copies were cheaper.

    Maybe that was stupid for IBM, but it was smart for Microsoft. Today, Apple still holds onto its business by not sharing with copiers and it keeps iPad as the standard of comparison.

  14. oiaohm

    bw the advertisement system is a form of kick back.

    –Linux companies have the opportunity to do the very same thing in the same way although they are handicapped by the lack of funds that go with the free software model.–

    Redhat and SUSE could do it but does it really make good business sense and is it fair. Like Microsoft pays for a company to write a line that that company recommends X product and only X product. Yes it gets highly stupid on dell web page for ubuntu and you are reading recommends Windows same with the dell page for Redhat servers.

    In fact it’s questionable if dell recommends windows is legal in Australia or if it’s like cash for comment.

  15. bw

    “The result is salespeople know all about M$’s stuff and how to sell it”

    Tooting one’s own horn is hardly a thing to evoke such bile. The Microsoft ads only work in cases where the customer accepts the ad’s premises. Linux companies have the opportunity to do the very same thing in the same way although they are handicapped by the lack of funds that go with the free software model.

  16. Robert Pogson

    Der Balrog, denying the facts, wrote, “nobody is hindering vendors to sell PCs with alternative operating systems. Not Microsoft, not UEFI, not Secure Boot.”

    M$ was convicted in court for eliminating competition. It’s not above them to do that. The “final settlement” restricts what they could do to accomplish that. M$ spends $billions per annum on R&D partly into how to mess with competition. “Secure Boot” is just one of dozens of levers M$ uses to accomplish that. Others include “free” training for salespeople, “free” advertising, etc. where “free” means “if you sell our stuff”. The result is salespeople know all about M$’s stuff and how to sell it and that includes denigrating the competition. People are punished if they do not remain in good standing with M$.
    “As the launch of Windows 7 approaches, Microsoft is distributing literature to American retailers claiming that Linux works with few peripherals or online services, offers limited software capability, affords no authorized support, does not work with games “your customers want,” and cannot use video chat on any of the major IM networks.

    “What most customers want” is Windows, the literature says, not Linux.”
    see The Register

    Here’s part of what’s on one of M$’s sites:
    “If you do not satisfy all of the requirements above, you should exit this Site immediately, and you may not continue to access or use this Site. By continuing to access and use this Site, you agree to be bound by these Terms of Use. IF YOU ARE USING THIS SITE BUT NO LONGER EMPLOYED BY AN AUTHORIZED RETAILER OR OTHERWISE ARE INELIGIBLE TO USE THIS SITE: (I) MICROSOFT MAY IMMEDIATELY DELETE YOUR POINTS ACCOUNT AND TERMINATE YOUR ACCESS TO THE SITE, AND (II) YOU WILL NOT BE PERMITTED TO REDEEM ANY POINTS PREVIOUSLY ACCRUED.”

  17. oiaohm

    Der Balrog
    –Your underlying implication is also that Microsoft would “punish” vendors who dare to offer computers which don’t fulfill the Windows 8 requirements. Like computers intended to be used with Linux.–

    Historically documented that Microsoft does. This can be done by volume licensing alteration in price per unit that is illegal. So Microsoft developed another way to achieve the same thing.

    The other way is using ads like “We recommend windows X”. So putting whatever vendor does not do what MS wants at a disadvantage due to having to pay more than their competition for windows software due to not getting advertising revenue and other things to offset Windows cost. Yes MS blackmail. Do what we say or we will not advertise with you or give your competition larger advertising contracts.

    Der Balrog
    –Besides, the mainstream Linux establishment has already accepted Windows 8 PCs with UEFI and Secure Boot enabled as the new reality, hence the creation of Microsoft-signed bootloaders.–

    No they have not. Please note Linux foundation has made the complete set of tools to rebuild the complete key set in a machine. This is inserted with keytool. Microsoft refuses to sign that tool.

    http://blog.hansenpartnership.com/wp-uploads/2013/02/UEFI-Secure-Boot-2013.pdf
    Page 15 notice the method the Linux Foundation loader is using. This is fairly much an override solution to existing UEFI framework so Linux systems can do whatever they so please past that point if they cannot insert their keys into the KEK.

    Result will be one bootloader only signed by Microsoft. This bootloader main job will be to allow Windows 8 machines to be converted.

    Linux world would be happy if there was a simple identical way to insert new key sets into KEK and to remove keys that are not wanted.

    Now if we cannot get this by default. Linux foundation bootloader + keytool fairly much allows us to do it. Of course in time the Linux Foundation bootloader will be dual key. Currently signing a loader with more than 1 key is not supported by EFI. Yes the Linux world has put forwards to EFI standard dual and more keys on loaders. Yes the reason for doing this is to be able to break free without risking busting boot too badly.

    Why is dual signing important? So that in time you fire up the Linux bootloader, go to keytool, delete the MS keys and insert new ones and not kill the Linux Bootloader.

    Yes goal is support for full conversion. To take a machine that will boot windows 8. Make it so it can only boot 1 particular OS.

    Of course us Linux guys are smart enough to know if we pull off what we want the machine turning up on the second hand market is going to upset windows users. Linux users will work out how to achieve what they want.

    If EFI by standard had a universal keytool and a universal way to access it Linux would not really have to be bothering about having signed loaders from Microsoft to allow us to attack the system.

    Reality Linux users will crack the system to get it the way they want.

    Der Balrog
    –Thus, again: nobody is hindering vendors to sell PCs with alternative operating systems. Not Microsoft, not UEFI, not Secure Boot.–
    Get this through your thick moron head. Secure Boot is a class of techs. Chromebooks have a coreboot based secure boot that is not UEFI based.

    Yes not UEFI is possible. In the short term future not Secure Boot of some form will not be a valid option. No secure boot of some form is just asking for boot-loader malware. Linux guys universally hate malware.

    Der Balrog
    –Just say no to buying Windows 8 computers, buy from vendors which let you have computers without Windows 8.–
    and this
    Der Balrog
    –Where do you think enterprise and small business get their Linux PCs from? Do you think they build them themselves?–
    Reality you don’t have a clue.

    1) Some Linux PCs will be dual boots or more. So machine comes with Windows, Linux added after for development reasons to provide match to server.
    2) Some Linux machines will be new with Linux.
    3) Some will be old windows machines converted, possibly stripped of hard-drive to be a thin/thick terminal until it gives up ghost.

    So Linux we don’t have a choice but to have a method to take a Windows 8 machine and convert it. Windows PC are a source location of part of our market share.

    Der Balrog if nothing else gets into your head from this get the Linux world’s objective with UEFI.

    Allow machine owner to lock machine to exactly 1 OS alone if they should choose to. Not machine builder not Microsoft. Machine Owner. Also allow Machine Owner to run as many OS’s as they want.

    These are the objectives. Anything between the Linux people and that will not be tolerated.

    Yes lots of the Linux world is not 100 percent happy about android locked boot loaders either.

    Also I am waiting for next version of windows or sp1 windows 8 and some people scream when they find out some Windows 8 stickered machines are lacking the MS key to update the KEK.

    Der Balrog basically it’s not just people wanting Linux there are many people with Windows 8 who are up the creek and don’t know it yet.

  18. Der Balrog

    “The issue is you cannot at moment add another global key and pass Windows Certification.”

    That is NOT the issue, oiaohm.

    Your underlying implication is that Microsoft exerts such power over vendors that they can force them to only offer computers with Windows 8 and the Microsoft key and Secure Boot enabled. Your underlying implication is also that Microsoft would “punish” vendors who dare to offer computers which don’t fulfill the Windows 8 requirements. Like computers intended to be used with Linux.

    It’s all bull.

    Every vendor has the freedom to do what he wants. If, next to computers which fulfill the Windows 8 requirements, a vendor wants to offer computers which don’t and are suitable for installing alternative operating systems, then he can just do that.

    And this is not without precedent. Where do you think enterprise and small business get their Linux PCs from? Do you think they build them themselves?

    Thus, again: nobody is hindering vendors to sell PCs with alternative operating systems. Not Microsoft, not UEFI, not Secure Boot.

    Stop living in the dream world.

    Besides, the mainstream Linux establishment has already accepted Windows 8 PCs with UEFI and Secure Boot enabled as the new reality, hence the creation of Microsoft-signed bootloaders.

    Last but not least, you’re also ignoring that YOU yourselves have the freedom of choice. Just say no to buying Windows 8 computers, buy from vendors which let you have computers without Windows 8. That would be individual political action. But you’re too entangled in your net of conspiracy theories to even consider that.

  19. oiaohm

    ram EFI is most likely going to be OK in time.

    It’s that EFI is very young and it is causing many issues.

    EFI does solve one problem. No more fighting over the MBR with each OS crushing themselves out of existence.

    Problem is so far there are already 2 major versions of EFI: EFI 1.x and EFI 2.x. EFI 1.x is basically trash it has issues with every Linux or Windows.

    EFI 2.x stuff secureboot side can be problematic but at least EFI 2.x boards can boot a legacy mode bios without sending them into hell.

    ram the problem is something like UEFI is required by all OS’s in time. Attackers are getting too much in habit of deep rootkitting. This is why anyone saying turn it off is not sane.

    Is UEFI fixable? Most likely yes. Some would require MS to agree to a few things. 1 signing drivers for EFI mode is not something Microsoft signing key is for since it’s an OS key. Yes a clear split between EFI drivers and EFI OS keys. Someone would require a universal agreement how to manage the KEK and other key parts.

    Please note UEFI was basically dumped on the standard body by Microsoft. It’s fairly direct it’s a Microsoft thing. It uses PE format same as windows exe funny enough everything else about EFI does not.

    There is some advantage to the EFI process. Linux developers have truly been able to see what extensions MS is dumping into EFI. Where with bios they were fairly much black box.

    Also EFI gets rid of some historic stupidity. Old BIOS you tell the bios what the OS is and it goes and turns on X features. This resulted in Linux saying to bios hey I am windows so bios would turn on all features. This has nasty downsides if Linux does not support something.

    EFI flips it over. Hey OS I have the following list of features what ones can you handle and I will turn them on.

    Stability of running EFI will be better for Linux. The problem is getting it running. All due to the key system not really being designed right.

    Yes the Linux foundation/redhat loader coming gets insane. Checksums and an extra database called MOK (machine owner’s keys) taking over the interface EFI uses to load and validate images. To top it off Microsoft is signing that.

    Really it would be just simpler to say hey end user you can add your own keys through this nice unified interface. Then Linux would not need a loader signed by Microsoft that is basically hacking the heck out the EFI system.

    Hopefully by EFI 3.x common sense will win out.

  20. ram

    The solution to UEFI is not to buy those machines. There are some significant vendors of Linux friendly motherboards and bare bones computers. Shuttle and Intel are two examples. There are others.

    If new hardware is uneconomical for you, there is an active (and growing!) market in pre-UEFI motherboards. I just bought a few myself which I’m housing in new cases with new power supplies and new disk drives. The prices of new parts such as listed above has dramatically fallen since UEFI motherboards are, in fact, not selling.

    During my visit to the computer parts wholesaler I noted that all the customers there that bought motherboards or whole computers bought Linux friendly ones. The UEFI stuff is not moving.

  21. oiaohm

    Der Balrog
    http://mjg59.dreamwidth.org/22028.html
    These are examples of some of the issues coming out.

    Lenovos are funny the secure boot signing check is broken in implementation. So now instead of doing a signing check we do a string compare on what the bootloader calls itself. If you happen to call yourself Microsoft or Redhat everything is golden and we load you. So that computer that you think has booted securely totally has not. The difference between the broken Lenovos with signing on and off is what you can name your boot loaders.

    Der Balrog saying that makers out there don’t want to do Linux is completely bogus when you find some of these hack fixes. If they were only interested in Microsoft, Redhat would not be there as well.

    Der Balrog most of the problem Linux has with old BIOS systems is hack fixes. They broke bios they have Windows load a driver to work around it. Instead of fixing bios. The Linux kernel is full of detect if it this motherboard do this work around. This is why windows machines can be highly unstable if you miss installing the OEM drivers because the MS generic drivers that are to spec may ask the motherboard to go somewhere that is broken that should have been fixed by a firmware update.

    The reality PC hardware is crap unless you choose very carefully.

    Most of the existing machines with EFI faults are never going to be fixed. Fairly much when they leave the factory lot of PC motherboard makers disown them.

    lpbbear to be truthful we have better odds of Apple firmware to be done properly than what we have with lots of PC makers. Reason Apple will fix their firmware if there is a bug instead of hacking up drivers to work around it.

  22. oiaohm

    Der Balrog “They can offer Linux(-ready) PCs (with Secure Boot deactivated by default or some sort of global Linux key installed or keys from Linux distributions installed or whatever).”

    There are vendors that want to do redhat and other distributions.

    The issue is you cannot at moment add another global key and pass Windows Certification.

    Linux world does not want secure boot deactivated. Simple reality Linux has the same problem windows does. Attackers getting their code before the kernel.

    Secure boot of some form going forwards is a must. Google is implementing a different form to UEFI. There will be two different secure boot implementations.

    Der Balrog
    –You now want to claim that it’s a problem for Linux-only system vendors if they delete the Windows 8 key?–

    Yes it is. Your system can completely fail to boot. UEFI drivers that you need to start the system can be signed by the Microsoft signing keys. So remove the Microsoft signing keys and you have just killed the means to boot. In fact it fails that badly the item is basically bricked in one case. UEFI on some systems would not load its video card drivers to display EFI configuration menus to turn secure boot off.

    It’s not only Linux that needs global key options. Nvidia, AMD….. basically everyone who has to make drivers UEFI uses.

    There are very big reasons that the current operational method of UEFI is highly unstable. Too much is going through 1 single point. Making a nice single point of failure.

    UEFI is going to be altered to support firmware driver and loader with multi signing. This is what Linux needs. So that UEFI drivers could be signed by like the driver makers key and the Microsoft key. Currently you have to select 1.

    Issue with multi signing is it will slow down start up. This is something Matthew Garrett is working on getting into EFI spec. EFI v3 is most likely when it will start to become Linux friendlyish.

    Finally the real killer.
    The Forbidden Signatures Database (dbx). You need an approved key in the system to alter this. This is meant to turn off when you disable secure mode. Not all EFI implementations do. So if your EFI video card driver has been inserted into there you can be bricked as well.

    The reality that is not in Microsoft requirements. At point blank(direct hardware access) you really do need something physical like a switch/jumper on motherboard to KO all the signing.

    Der Balrog if I told you that you had to get a computer with anti-virus installed you could not remove, you would say this is stupid, anti-virus have false positives.

    The Forbidden Signatures Database is basically an anti-virus.

    UEFI has major issues in design basically. That will come back and hurt us. Why Linux guys were happy on systems to find they could replace the platform key since this now allowed inserting of keys to control The Forbidden Signatures Database (dbx).

    To get UEFI sane it’s going to take a lot more bashing it yet. Some Samsung laptops are classical. Set too many EFI vars and the laptop bricks.

  23. lpbbear

    “And in UEFI you’ve found merely a new story device for telling everyone how Microsoft supposedly holds vendors and users hostage.”

    Not supposedly at all, but again you try to re-direct the issue without acknowledging the fact that Microsoft is attempting to turn the more open PC architecture into a closed Windows one similar to Apple while leaving the smallest possible excuse for out they could get away with.

    Sure, you Linux guys can also do your thing…you just have to cross the water dunk tank, the alligator pit, the hammer into the mud bog, the tree of vipers…..but no worries….there is the goal post….right over there….just get past all that crap and you’re home free.

    As I said earlier…you’re full of shit.

    AntiTrust issue ahead.

  24. Dr Loser

    Reframing the issue?

    Let’s try this, then.

    UEFI, as it is currently being implemented with Microsoft being solely in control of the signing key process, is an AntiTrust issue.

    Seems to me that the Balrog has hit the issue on the nail.

    The industry-standard (and you’d better believe that other parties were involved) UEFI precisely allows ZaReason and any other hardware OEM to obliterate the Microsoft key (presumably supplied with the firmware) and replace it with a Linux-only one.

    At which point MS would have to beg the OEM for a certificate to run Windows.

    Now, wouldn’t that be “Anti-Trust” too?

    (Cluebat — no, of course it wouldn’t, you fool.)

  25. Der Balrog

    Der Ballscrog attempts to re-frame the issue to one of “Independent vendors like ZaReason can uninstall Microsoft’s key and install their own key”

    It’s morning. You’re waiting for the pedestrian light to turn green. You can see your bus coming. If you cross the street while the light’s still red you’ll catch the bus. If you wait for the green light you’ll miss it.

    A simple situation.

    At least TWO alternatives due to freedom of choice.

    It may be a tad more complicated for vendors but they have essentially the very same freedom of choice.

    They can offer Linux(-ready) PCs (with Secure Boot deactivated by default or some sort of global Linux key installed or keys from Linux distributions installed or whatever).

    Or they can’t.

    Why are you unable to acknowledge this fundamental reality? Because you can’t accept that no major vendor wants to put Linux on its computers. Despite the CEO of Acer and Gabe Newell and Linux haters like Jerkface telling us how bad Windows 8 is.

    And this has nothing to do with any kind of power that Microsoft supposedly exerts over its “slaves”. No vendor hesitated even a second when it came to adopting Android. And that adoption proved to be a PITA for Microsoft. Did any vendor give a crap? Hell, no.

    Vendors are capitalists. They love making money. In a stagnating PC market, they’d love it even more. If Linux allowed them to do that they long would’ve put it on everything they have.

    But it’s much more convenient to believe the fairytale about how the wicked witch Microsoft doesn’t want Snow White to wake up.

    And in UEFI you’ve found merely a new story device for telling everyone how Microsoft supposedly holds vendors and users hostage.

    I wish you sweet dreams.

  26. lpbbear

    Der Ballscrog attempts to re-frame the issue to one of “Independent vendors like ZaReason can uninstall Microsoft’s key and install their own key”

    That IS NOT the issue at all. The core issue is that Microsoft is using UEFI to de facto take over the entire PC Hardware business in a submarine fashion and as Cathy Malmrose indicated in her talk this is unique since at this time Microsoft has no actual hardware business in the PC arena. Probably why Microsoft is so eager to silently take over Dell.

    This signing key process should have been an open process with Microsoft being only one of the interested parties, not the controlling party. Attempts are already being made to do exactly what Der Ballscrog says is possible, resulting in bricked Samsung laptops. Microsoft knew these kinds of things would happen and I have no doubt the entire process was purposely made as convoluted as possible leaving an ever so tiny window open as a token excuse to say later exactly what Der Ballscrog is saying when he says “Independent vendors like ZaReason can uninstall Microsoft’s key and install their own key” Sure they can….after surviving something akin to one of those crazy ass Japanese game shows where the contestants have to run an obstacle course of water traps and giant swinging hammers that push them into vats of mud.

    The real issue is that Microsoft is now attempting to take over the PC hardware business despite the fact that they do not actually own any manufacturing facilities and that they are using UEFI to hamper the ability of competitive products to compete with Microsoft’s own by destroying the once open PC platform and forcing it to become a “Windows” only platform. The excuse that “Independent vendors like ZaReason can uninstall Microsoft’s key and install their own key” is a sham token excuse and only serves as a way for Microsoft to claim they aren’t engaging in anything illegal at all.

    They are and it IS an AntiTrust issue despite what scumbag shills like Der Ballscrog claim.

  27. Der Balrog

    The big issue is if ZaReason say for some reason wanted to include like the Linux Foundation signing key as well as the Microsoft signing key. Oops you have a third party signing key you now fail Windows 8 requirements.

    That is the point, you moron. Does ZaReason sell computers with Windows 8? No, they don’t. Therefore they or their customers couldn’t give a crap if said computers violate the Windows 8 requirements.

    You now want to claim that it’s a problem for Linux-only system vendors if they delete the Windows 8 key?

  28. oiaohm

    Der Balrog of course you are an idiot as normal.

    The big issue is if ZaReason say for some reason wanted to include like the Linux Foundation signing key as well as the Microsoft signing key. Oops you have a third party signing key you now fail Windows 8 requirements.

    Yes independent can install their own private keys yes. Own vendor private keys are not that useful. Global keys are useful. Yes sane would be like a Linux foundation master signing key as well.

    Microsoft refused to sign the Linux Foundation keytool. Not that it makes much difference. Linux Foundation current signed loader allows you to load the keytool anyhow at this stage.

    http://blog.hansenpartnership.com/owning-your-windows-8-uefi-platform/

    Yes the big o my. Keytool replace platform key what is master OEM key. Then end user can put in any combination of keys they like.

    I really do want the right to own the platform key.

    http://technet.microsoft.com/en-us/library/hh824987.aspx

    Here is a nice little problem. UEFI allows you to blacklist. Now I am not running Microsoft Windows, exactly why do I want a MS UEFI key in my firmware that could by some error blacklist my boot-loader.

    Of course with MS requirements this is leading to the super stupid solution. There is work on UEFI to support multi signed loaders. This way Linux Foundation will not have to go to Microsoft to get loader or parts signed and have Microsoft say no you cannot do that. The price is each supporting OEM has to have their own key and the loader could be insanely large and insanely slow to start.

    ZaReason is not primary hardware maker on everything they sell. Remember it’s the primary hardware maker holding the platform key that gets to decide what extra keys can go onto a platform. So not in all cases will ZaReason be able to set keys.

    Microsoft demands to be issued with an extra key that allows them to insert other keys as well.
    http://technet.microsoft.com/en-us/library/hh824987.aspx

    Der Balrog so what do you think. UEFI makes Microsoft prime target to be hacked. Why the master key to mess with UEFI is sitting in Microsoft.

    I really do hope Microsoft security of their network is up to the job.

    There is a very big reason in UEFI early designs why the platform key stuff did not exist.

    For security you need to be able to only enrol the OS’s you are using. Problem with MS plan you will be able to enrol future ones and if that happens to be buggy. Yes xbox and xbox 360 have had quite a few buggy bootloaders so why not on PC.

    Basically the way MS has done it risks completely voiding what UEFI is attempting to achieve.

    Objective of UEFI is to stop attackers being able to load hostile up before OS. Historic solution to MBR viruses bios checksum MBR don’t load it if checksum had changed and warn user.

    Issue with UEFI: it’s going “let’s not bug user”. We want updates to be silent. Silent removes a level of security.
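
The forbidden-signature (dbx) blacklist raised in comments 22 and 28 is stored as a sequence of EFI_SIGNATURE_LIST structures. As an added example (not part of the original thread), this Python sketch parses such a blob and checks whether a digest you depend on for booting appears in it; the owner GUID, the two digests and the helper names are constructed for illustration, and the digest passed in is assumed to be the image's Authenticode SHA-256.

```python
import hashlib
import struct
import uuid

# Signature type GUID for SHA-256 entries, from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a db/dbx blob."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        end = offset + list_size
        if list_size < LIST_HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        pos = offset + LIST_HEADER.size + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("entry size does not divide list body")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for entry in range(pos, end, sig_size):
            # Each entry is a 16-byte owner GUID followed by the signature data.
            owner = uuid.UUID(bytes_le=blob[entry:entry + 16])
            yield sig_type, owner, blob[entry + 16:entry + sig_size]
        offset = end


def revoked_digests(blob):
    """Return the set of SHA-256 digests a dbx blob forbids."""
    return {data for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(image_digest, blob):
    """True if the given digest is listed in the dbx blob."""
    return image_digest in revoked_digests(blob)


def build_sha256_list(owner, digests):
    """Build a constructed EFI_SIGNATURE_LIST of SHA-256 entries (sample data)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                            LIST_HEADER.size + len(body), 0, 16 + 32) + body


# Constructed sample: a made-up owner GUID and two made-up image digests
# (plain SHA-256 of dummy bytes stands in for a real Authenticode digest).
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
GPU_DRIVER = hashlib.sha256(b"constructed option ROM image").digest()
OLD_LOADER = hashlib.sha256(b"constructed old bootloader").digest()
SAMPLE_DBX = build_sha256_list(SAMPLE_OWNER, [OLD_LOADER])
```

When the blob is read from Linux efivarfs, drop the 4-byte attribute prefix before parsing.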

  29. bw

    “Just look at the ads on TV. How many of them denigrate the competition?”

    The only one that I have seen like that is the one touting Outlook.com which seems to be a successor to Hotmail. The claim is that Google’s gmail is scanning your mail to find keywords and then associating them with your email address in order to sell “enriched ore” to advertisers who then presumably spam you with mail designed to appeal to your interests.

    If that is actually what Google is doing, I think it should be stopped and Google should be punished for the scheme. If it is not true, then you are totally correct and Google should sue Microsoft for billions.

    Right now all that seems to be on the table is which free mail service you might want to use, but the tactics are much more significant than the goals.

  30. Der Balrog

    One thing we know for sure….you’re totally full of shit.

    It’s always good going for that route. It lets me know that you don’t have arguments, just pitiful hate. You’ll make a great Pogson.

    Independent vendors like ZaReason can uninstall Microsoft’s key and install their own key.

    Wanna try again? Or are you as pathetic as your writing suggests?

  31. lpbbear

    “You talk bull again. No surprise there.

    1. Microsoft is not in control of the signing key process. It’s merely that Microsoft requires vendors to include their key in order to pre-activate Secure Boot on Windows 8 PCs. Every vendor is certainly allowed to include oth……blah blah blah…”

    One thing we know for sure….you’re totally full of shit.

  32. Robert Pogson

    Der Balrog on UEFI, “there goes your anti-trust bull”.

    Yes, and 400 distros can phone up every OEM in the world to include their signing-key… There goes your anti-anti-trust bull… Dell says it is too small to sway the world of OEMs. Distros certainly cannot.

  33. ssorbom

    I don’t see them specifically talking about Google most of the time. In this particular case, it seems that if such a lawsuit were ever to arise, it would be against the partner company making the claim. Google might be able to show damages for a claim like this, but why bother? It only seems to be important among geeks that Android products run the Linux kernel. This sort of news doesn’t usually penetrate beyond non technical circles.

  34. Der Balrog

    UEFI, as it is currently being implemented with Microsoft being solely in control of the signing key process, is an AntiTrust issue.

    You talk bull again. No surprise there.

    1. Microsoft is not in control of the signing key process. It’s merely that Microsoft requires vendors to include their key in order to pre-activate Secure Boot on Windows 8 PCs. Every vendor is certainly allowed to include other keys. Not only that: a vendor like ZaReason who pre-installs Linux can remove Microsoft’s key altogether and include its own or some other key which is deemed trustworthy by the “community”. Signing bootloaders with Microsoft’s key is therefore merely a matter of practicability.

    2. Among other companies with a vested interest in Linux, Canonical and Red Hat are both contributing UEFI members.

    And there goes your anti-trust bull … out of the window, into the garbage.

  35. Robert Pogson

    ssorbom wrote, “just when I start thinking that Microsoft doesn’t mean us ill will”.

    It’s not paranoia if they are out to get you. M$ is consciously evil. They intend to rule the world of IT by fair means or foul, mostly foul. Just look at the ads on TV. How many of them denigrate the competition? I think Google should sue them for damaging the brand.

    “Section 43(a)(1)(B) is also often used when false or misleading statements are alleged to have hurt a business. A claimant under this section must prove three things: there was a false or misleading statement made, the statement was used in commercial advertising or promotion, and the statement creates a likelihood of harm to the plaintiff.”

    I would think a huge ad campaign would be evidence of likely harm… I wonder what would happen if Google ran a similar campaign trotting out all M$’s transgressions over the last several decades. They could call it news and free speech.

  36. lpbbear

    Absolutely brilliant talk by Cathy Malmrose from ZaReason. Thank you for sharing it. The only thing I would add that she did not touch on is legal remedies. Yes, everything she said I agree with but additionally the entire Linux community of companies, distros, developers, and users needs to also focus on seeking legal remedies for what is an obvious AntiTrust issue. UEFI, as it is currently being implemented with Microsoft being solely in control of the signing key process, is an AntiTrust issue. That absolutely needs to be addressed in the court system along with all of the other ideas she mentioned.
