Linux won't be locked out of Windows 8 PCs, but FUD continues

Summary: A new draft of Microsoft's Windows 8 hardware certification specs confirms what we already knew: the new Secure Boot feature won't lock out Linux on hundreds of millions of new PCs. But Linux backers are demanding the right to hack a new class of devices that doesn't yet exist.

Lawyers have an old saying: If the facts are on your side, pound the facts. If the law is on your side, pound the law. If neither is on your side, pound the table.

A tiny but vocal minority of Linux fanatics are pounding the table today over a new security feature called Secure Boot that will be introduced in Windows 8, shrilly accusing Microsoft once again of a conspiracy to "lock out" Linux.

They are pounding the table because the facts are not on their side. Very large market forces are not on their side. Any prospective Windows 8 user should not be on their side.

So what's really going on?

Back in September, the Linux community expressed dire fears that Microsoft was plotting to lock out Linux in new PCs sold with Windows 8. The reality has now emerged, in the form of a detailed document from Microsoft that outlines requirements for Windows 8 certification on hardware. That document proves those fears were completely unfounded.

Indeed, if you read the latest headlines, you need to pay careful attention to the Orwellian changes in wording to see just how absurd the current arguments are.

Here's the headline from my colleague Steven J. Vaughan-Nichols' post on September 23, 2011:

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs

And here's the headline from his January 13, 2012 update:

Microsoft to lock out other operating systems from Windows 8 ARM PCs & devices

See how "Windows 8 PCs" turned into "Windows 8 ARM PCs and devices"? That's a huge difference. For one thing, there's no such thing as a "Windows 8 ARM PC." The initial wave of ARM-based devices running Windows 8 will be tablets that run a subset of the full Windows 8 operating system, compiled for a completely different architecture. Even if later models add keyboards and trackpads, they will still not be PCs, any more than an iPad is a PC.

And they don't exist yet.

Now let's talk about Windows 8 PCs. The new specifications make it very clear:

All versions of Windows 8 shall be UEFI-compatible ...

All client systems must support UEFI Secure boot ...

MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv [the private key that supports Secure Boot].

"Non-ARM systems" means the classic x86 PC design. Roughly 400 million of these devices will be sold this year, and probably an equivalent number will be sold in the first year that Windows 8 is available. Every single one of those PCs will have the ability to run older versions of Windows, Linux, or a new operating system you create yourself. To do so, you will simply have to flip a bit in the system's setup screen.
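The difference between Secure Boot being switched off in firmware setup (the Platform Key stays enrolled, so PKpriv is never needed) and a machine with no Platform Key at all is visible from a running OS. The sketch below is an added example, not code from this article or from Microsoft's specification: it assumes Linux with efivarfs mounted at its usual path, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: efivarfs is mounted at its usual Linux location.
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, payload).

    efivarfs prefixes every variable with a 4-byte little-endian
    attribute mask; the variable's data follows.
    """
    if len(raw) < 4:
        raise ValueError("entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def flag(raw):
    """Return a one-byte boolean variable as 0/1, or None if absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError("expected a single 0/1 byte, got %r" % data)
    return data[0]


def secure_boot_state(secure_boot_raw, setup_mode_raw):
    """Classify firmware state from the SecureBoot and SetupMode variables."""
    sb, sm = flag(secure_boot_raw), flag(setup_mode_raw)
    if sb is None:
        return "unsupported"   # legacy BIOS boot, or no efivarfs
    if sm == 1:
        return "setup-mode"    # no Platform Key enrolled, nothing enforced
    if sb == 1:
        return "enforcing"     # PK enrolled and signature checks active
    return "disabled"          # PK still enrolled, switched off in setup


def read_state(efivars=EFIVARS):
    """Read both variables from a live system (hypothetical helper name)."""
    def load(name):
        path = efivars / f"{name}-{EFI_GLOBAL}"
        return path.read_bytes() if path.is_file() else None
    return secure_boot_state(load("SecureBoot"), load("SetupMode"))


if __name__ == "__main__":
    # Constructed samples: attributes 0x06 (boot-service | runtime access).
    ON, OFF = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
    print(secure_boot_state(ON, OFF))    # enforcing
    print(secure_boot_state(OFF, OFF))   # disabled
    print(secure_boot_state(OFF, ON))    # setup-mode
    print("this machine:", read_state())
```
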

Sorry, conspiracy theorists. This does not represent "Microsoft’s latest attempt to abuse their PC monopoly power." Quite the opposite. In the general-purpose PC segment, where small vestiges of Microsoft's one-time monopoly still exist, this new security feature will be enabled by default, but the option to disable it will be mandatory. No lock-out for Linux.

In other words, Linux community, your fears were unfounded. So why the dire new headlines?

Ah, because those same certification guidelines from Microsoft include this phrase: "Disabling Secure [Boot] MUST NOT be possible on ARM systems."

Windows 8 ARM systems do not yet exist. When they do ship, late this year or early next year, they will consist exclusively of tablets designed to run Metro-style apps. They will not run x86 software. They represent a close collaboration between a small number of hardware makers and Microsoft to build a secure, high-performance system that will be starting fresh in a market dominated by iPads and Android tablets.

If a PC maker decides to build an ARM-based system and install something other than Windows 8 on it, they can tell Microsoft to drop dead and design the firmware any way they want. The Secure Boot requirements apply only to OEMs who sell an ARM-based device and Windows 8 as a complete package.

If you disable Secure Boot on a Windows 8 ARM tablet, you have effectively bricked it. No other currently available operating systems, including any version of Windows, will run on it. No currently shipping version of Linux or Android will run on it.

This feature is indeed designed to make the next generation of PCs more secure by design, by making it impossible for malware authors to coerce users into installing rootkits that take over a machine before the operating system has a chance to boot. That's a very good thing.

Microsoft has done the right thing by making this feature user-configurable on general-purpose PCs that use the x86 standard. That preserves freedom of choice, even at a slight cost in security.

But on the new, built-from-scratch ARM-based platforms, the Linux community is literally asking Microsoft to compromise user security so that they can hack a new platform.

The correct answer to that request, in my opinion, is a firm no.

Of course, hackers will figure out a way to defeat UEFI-based protections in ARM-based Windows tablets, just as they have figured out how to mod Android tablets and jailbreak iPads. They could even work with PC manufacturers to create a mechanism by which the signatures for Linux bootloaders are included in new UEFI-based ARM systems.

But apparently it's much more fun to pound the table.

Talkback

347 comments
  • Really, Linux doesn't run on ARM tablets?

    Linux has been working on ARM devices for years. Sure, it might not run on the forthcoming Windows 8 tablets as it is now, because of variations in how boot works and other minor hardware differences; but you can bet that, if there was no secure boot requirement, people would have it up and running quite soon after they were to become available.

    I understand the benefits of secure boot, and I am all for having it enabled by default on all new machines shipping with Windows 8. But I also think that you should be allowed to choose the software that runs on hardware that you own. The option to disable secure boot should be allowed, as it is on x86 hardware; or, a possibly better option would be the ability to add your own trusted keys to the secure boot mechanism so that Linux and other OS's could take advantage of the secure boot functionality.

    Of course, it remains to be seen how successful Windows 8 ARM devices will be in the market. This may turn out to be a non-issue.
    aaron44126
    • Microsoft is doing a good thing

      @aaron44126 I am sick of users installing Linux just say they want to try it out only to run back to me begging to get rid of it and reinstall Windows.
      adacosta38
      • How is it...

        @adacosta38

        That users are technically competent enough to install Linux by themselves, but need you to reinstall Windows? All of the users that I've had to install Windows for lack the necessary skills to install any OS, even Windows.
        Letophoro
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @adacosta38
        that's the main reason legal action is required:
        http://techrights.org/2012/01/16/strong-arm/
        The Linux Geek
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @adacosta38

        The reason they need to beg you to reinstall Windows is because they don't have the needed key to the kingdom.

        Microsoft's business model since the day it opened its doors was to create barriers to make changing OS difficult or impossible. It is standard practice but no one did it better than Microsoft.

        I think people are concerned about secure boot because they do not trust Microsoft. Microsoft can say whatever they want. It will be difficult to overcome a well earned reputation.
        richardgarrick
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        "@aaron44126 I am sick of users installing Linux just say they want to try it out only to run back to me begging to get rid of it and reinstall Windows."

        What @Letophoro said, which makes your statement I quoted here a bunch of FUD.

        Now if it's a matter of the original key that came with the machine (the sticker on the side or underside) not working, then that's Microsoft's fault, not the end user's fault.
        ScorpioBlue
      • Not sure I understand your point...

        @richardgarrick There is no barrier to changing OS's. You can pop your Linux DVD in the drive, boot from it, and install Linux. There is nothing about the fact that the system originally came with Windows on it that prevents you from doing that.

        What do you mean by "the key to the kingdom"? If you mean the Windows product key, if the system came with Windows on it in the first place, there will be a sticker on the box somewhere that has the OEM product key on it. What's the issue?

        As far as how hard it is to go back to Windows if you decide you want to, that's more up to the OEM that sold you the computer than it is to Microsoft. If you are lucky enough to have a system that came with a real Windows install CD it's not any more difficult than installing Linux in that you just boot from the CD and answer a few prompts and that's it. The difficulty arises because so many times these days the OEM doesn't give you an actual Windows CD and you had to create your own recovery media when you got the system. I suspect the people wanting expert help getting Windows back were people who 1) did not have a Windows CD, 2) did not create or did not keep recovery media when they bought the system and 3) wiped their drive as part of the Linux install.

        Assuming you have a Windows CD, the main difference between a Linux install and a Windows install is that with Linux you usually get things like your office suite etc as part of the OS install where with Windows you have to do a separate install of that after the fact. There are pluses and minuses of both approaches.
        cornpie
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @adacosta38

        So you are saying that people who can install Linux are not able to install windows. Well, that tells something about user friendliness of Windows.
        dheerajnagpal
      • MicroSoft can do what they want - they are no longer needed

        @adacosta38
        That is funny. From my experience, very few would want it uninstalled.
        xambassador
      • It's the other way round ...

        @adacosta38
        for me when someone installs and tries Ubuntu and then tells me their Win 7 is much better but to come back several months later and then cries about how their Win 7 OS is crawling ever more slowly and producing all kinds of errors while I solve their immediate problem by performing their problem task using Ubuntu on my computer.

        Then, they mumble something like "... I think I'll get an external hard disk and boot Ubuntu from it."
        orionds
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @adacosta38

        I agree completely.

        99% of users have never installed an OS. That Linux install was usually their first and often their first foray into "playing" with their PC.
        Many hours later they had a working operating system but couldn't find the tools they were looking for. Their machine seemed to be fast but they hadn't yet installed the packages they needed, they'd no idea what a package was and when they found some, which version of Linux each was for.
        Once running correctly they admired the OS greatly, even enjoyed it, and boy is it faster than those rubbish Win OS netbooks the kids have got ....

        And yet they still end up at my desk wanting me to reinstall Windows.
        Why? Because actually they miss the apps they're used to. The lamented Windows netbooks are great for the kids to create and share info easily and their partner's work laptop also runs Windows so she can teach the kids how to "use a computer".
        The thing is they could easily reinstall Windows themselves, they've still got the boot disks or an image partition they've never investigated. It's just that Linux install took days of 2-3hrs on a bunch of work nights to get right. As that was the only OS install they'd ever tried their false assumption is a Windows install will be the same.
        It's much easier to chat to your friendly sysadmin, offer a beer or two, and spend a night at home relaxing. Next day a working, still <<insert negative but livable Windows issue>>, but familiar Windows is back.

        Finally they promise themselves they'll look at Linux again, one day, not realising it's in their PVR, TV, i-devices and a whole gamut of other toys and gadgets.

        Fundamentally users have finite time and choose not to use it "fixing" computers.
        Mad Mole
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @adacosta38 - what - they can install Linux but need you to install Windows? Really? uhm...
        kyleamadio
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @Mad Mole

        I have spent entire days doing nothing but install various operating systems on virtual machines. Over and over again.

        Why? Because I was BORED. I've pretty much memorized every Windows installer, and several Linux installers.

        Guess which ones are the easiest and quickest? Linux. Windows is actually more difficult to install, and takes more time, than Linux.

        Ubuntu in particular is great and easy. Fedora is ok, but I had troubles with real hardware (but not virtual machines). SuSE had a horrendous time on my virtual machines, but worked great on real hardware. Debian was nice if you already know what you're doing. CentOS was like Fedora (ok).

        Windows? Heh. You have to answer more questions, it doesn't streamline the process, you have to do at least one reboot (at least with older versions), and overall it had to copy over more files and it took much MUCH longer.

        And you know what? Maybe it's just me, but the overall number of features (Office suite, other pre-installed apps, eyecandy, etc.) and general ease of use was ALSO higher on Linux. I admit that part is entirely personal preference, but I in particular find the package management features in Debian/Ubuntu to be lightyears ahead of anything Windows has or ever will have.

        However, there was one BIG exception.

        It took me 2 days straight to install Gentoo. But, that's Gentoo. You can't expect anything better than that from them.

        Edit: What makes Ubuntu installs really nice, is that it asks you stuff like username/password, and other trivial stuff, while it's already installing the system. So it's already going while you answer the rest of the questions.

        Also, about 'ease of use' and especially 'Desktop polish': Linux is somewhat behind in this. Ease of use, debatable... It's got a lot of nice usability features going for it. But polish? Yeah. On nVidia cards, resizing windows while using Compiz is horrendously slow and buggy, unless you cheat and use those resize methods that draw a simple rectangle or something. In KDE, there are numerous and frequent little graphical glitches in the Plasma desktop system - particularly with drawing buttons, and in handling the animations in (and to/from for windows) the taskbar.

        KDE 4.x basically was a rewrite of KDE, initially leaving out many features and now making it lack basic use polish - particularly graphically. Gnome 3 was a complete redesign of the desktop platform - making it absolutely horrible to learn, and very keyboard shortcut dependent. I personally like Unity, but it inherits Compiz' problems, and has a little bit of the graphical issues KDE is also having, particularly in its "Unity Bar" on the left side - also, Unity is not yet very easily customized, but the Ubuntu developers say they are working on a customization utility. Also, the lack of hierarchical menus is a little jarring at first, but the 'filters' thing actually basically mimics this functionality well enough, and the search works nicely (though can use a little help, which they're working on).

        I guess overall, I see problems and flaws in the basic way Windows works, and right now, NEEDS to work. And I see so much more potential in the Linux platform for greatness, that can go far beyond what Windows can ever achieve in its limited way of doing things.

        Yes, things may be a little rough around the edges (not in installation though - Ubuntu's perfected that, pretty much), but the potential is astounding.
        Tynach
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @adacosta38

        Well, Linux is much easier to install than Windows and takes about half the time to do it!
        JuggerNaut_z
    • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

      @aaron44126 "or, a possibly better option would be the ability to add your own trusted keys to the secure boot mechanism so that Linux and other OS's could take advantage of the secure boot functionality."

      From SJVN's post....

      "Between these two requirements, any ARM device that ships with Windows 8 will never run another operating system unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot."

      Sounds like the Linux community would need to work with OEMs to provide a key.
      Badgered
      • Gee what a novel concept, no table pounding required

        but then they would have to admit that this is a non conspiracy.
        Johnny Vegas
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @Badgered
        If community provide key it would have to be made public... So anyone could use it.... So any malicious software could use it.... And if someone keep key for themselves (oh like single linux distro vendor) then there are hundreds of others who would not benefit.
        przemoli
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @przemoli "If community provide key it would have to be made public... So anyone could use it.... So any malicious software could use it..."

        This again sounds like an issue for the Linux community to figure out. The burden of fixing Linux insecurity should not rest on Microsoft's shoulders any more than fixing any Windows issue should rest on Linux shoulders.
        Badgered
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        "This again sounds like an issue for the Linux community to figure out. The burden of fixing Linux insecurity should not rest on Microsoft's shoulders any more than fixing any Windows issue should rest on Linux shoulders."

        If they're locking out one's choice to put another OS on there, then yes it is the burden of Microsoft and we will hold them accountable.
        ScorpioBlue
      • RE: Linux won't be locked out of Windows 8 PCs, but FUD continues

        @ScorpioBlue "If they're locking out one's choice to put another OS on there, then yes it is the burden of Microsoft and we will hold them accountable."

        Why?

        Take a few moments to think about this one. If a tablet came out pre-installed with some version of Linux, but for some reason the OEM decided to lock out the device so that you couldn't run Windows on it... Would you be this upset?

        I'm betting the "honest" answer is No. Because after all, this is Microsoft we're talking about.
        Badgered