Microsoft tries to block Linux off Windows 8 PCs

Microsoft tries to block Linux off Windows 8 PCs

Summary: Microsoft may say that Linux isn't enemy number one anymore, but they sure still act like it is.

SHARE:

If this wasn't so sad, it would be funny. After Microsoft recently declared victory over Linux, it turns out that Microsoft appears is still trying to arrange it so that Linux won't even boot on the next generation of PCs that come with Windows 8. Yeah, Linux isn't on your enemy list anymore right Microsoft? Sure.

Matthew Garrett, a Red Hat engineer, gets the credit for spotting Microsoft's latest anti-Linux move. In a blog posting, Garrett explains that Windows 8 logo guidelines require that systems have Unified Extensible Firmware Interface (UEFI) secure boot enabled. This, in turn, would block Linux, or any other operating system, from booting on it.

There's nothing in UEFI that's wrong. Indeed there's a lot of good in UEFI. It's a 21st century replacement for your PC's basic input/output system (BIOS). Its job is to initialize your hardware and then hand over control over to the operating system.

Where the Microsoft sneak attack comes in, Garret writes, is with the UEFI secure boot protocol:

UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralized signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.

This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.

Microsoft requires (PowerPoint Link) that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

To sum up: "a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux."

What does Microsoft have to say about the subject? ZDNet's own Mary Jo Foley asked them and they've got nothing to say about UEFI, Linux and Windows 8. That's reassuring.

Personally, I don't think it's going to happen. I think Microsoft is going to have its hands full getting hardware vendors to buy into Windows 8 in the first place nevermind trying to shove a signed UEFI secure boot protocol down their throats as well. The OEMs know darn well that while not that many companies will switch out Windows for Linux, a lot of them will switch out Windows 8 for Windows 7 or even XP. Will Dell, Lenovo, et. al. Really want to tick off their corporate customers by locking them into Windows 8? I don't think so.

In short, this is 2011, not 1998. Microsoft doesn't get to call the shots to the OEMs anymore. If the OEMs and customers want freedom of operating system choice on their hardware-and they will-Microsoft can't force Windows 8 on them.

Related Stories:

Will Windows 8 block users from dual-booting Linux? Microsoft won't say

The Linux desktop is dead. Long live the Linux desktop.

Linux snickers at Microsoft's victory declaration

Windows' Endgame. Desktop Linux's Failure

What's coming in Ubuntu's new Unity Linux desktop

Topics: Microsoft, Hardware, Linux, Open Source, Operating Systems, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

211 comments
Log in or register to join the discussion
  • I would wager this is oversight

    and not part of a master plan to bring down Linux. It's an issue that needs addressing, but let's not make it more than it is.
    Michael Kelly
    • MSFT is not playing foul here

      Linux is not a big enough threat to warrant such tactics.
      LBiege
      • The restrictions appear to be for Windows 8 logo ...

        @LBiege,

        ... PCs. If a user doesn't want the restrictions, he should not buy a Windows 8 logo PC. That is all. The measure is obviously for security, and OEMs appear to have the option to include signed Linux OSs with Windows 8 logo PCs.

        The only way users are going to get secure Windows PCs, and great user experiences, are if things become buttoned down. There is no other way. So again, if users don't like the signed OS approach, do not buy a Windows 8 logo PC - instead buy a non-Windows logo PC.
        P. Douglas
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @R. Douglas But this may be like saying "buy a PC without Windows pre-installed". Given Microsoft's monopoly status, it could turn out being near impossible without building one yourself.
        jgm@...
      • THE SKY IS FALLING!!!

        @jgm@ Uh, no ...

        http://www.zdnet.com/blog/open-source/the-top-five-linux-desktop-vendors/9313

        Maybe the desktop Linux vendors can look forward to some growth. And, maybe, their prices will drop a bit.
        Rabid Howler Monkey
      • What's wrong with choice?

        jgm@...,

        I don't understand the problem. If users have the option to buy Windows 8 logo, signed PCs, and also non-Windows 8 logo, unsigned PCs, what is the problem? MS will not be forcing OEMs to build only one type of PC. MS is merely providing a choice.
        P. Douglas
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        <i>Linux is not a big enough threat to warrant such tactics.</i><br><br>But it's a big enough threat to gain a lot of attention around here.<br><br>It's the biggest '1%' in the whole wide western world.
        ScorpioBlue
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        <i>The only way users are going to get secure Windows PCs, and great user experiences, are if things become buttoned down. There is no other way.</i><br><br>But again MS doesn't own the OEMs so things become anti-trust. There's no other way.<br><br><i>So again, if users don't like the signed OS approach, do not buy a Windows 8 logo PC - instead buy a non-Windows logo PC.</i><br><br>And then get held captive when there's proprietary software they can't use because they didn't get the logo. <br><br>I suspect "security" being used as an excuse for "captive audience".
        ScorpioBlue
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @LBiege @Rabid Howler Monkey
        Linux is free to download and install. How can the price be lower?
        chevere@...
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @P. Douglas "MS will not be forcing OEMs to build only one type of PC."
        Yes. Yes they will. No one who wants Windows is going to buy a non-certified machine, so the vendors are all going to be cooperating with Microsoft. You know that, I know that. Why are you pretending otherwise?
        "instead buy a non-Windows logo PC. "
        Yes... all 5 of them sold from some guy working out of his garage. No, sorry, that's not acceptable, anymore than 99% of PCs being sold locked into running Linux would be. What is WRONG with people today praising their choices being taken away from them? It's not up to an OS vendor to decide where you can buy software from, and it's not up to an OS vendor or a hardware vendor to decide what OSes you can run on your PC.
        jgm@...
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @LBiege In the 90s, MS forbade (contractually and / or in back room threats), OEMs from installing BeOS. BeOS was nothing and no one had ever heard of it. There is no threat too small if MS thinks it's a threat.
        daengbo
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @P. Douglas
        have you ever tried to buy a computer that is NOT ms or mac logo pc?? let me tell you it's not an easy task short of building one yourself
        Jen_Mck
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @P Douglas

        [i]if users have the option to buy Windows 8 logo, signed PCs, and also non-Windows 8 logo, unsigned PCs[/i]

        This is speculation. It's less profitable to manufacture more types of devices than only a few. It's more likely that an OEM will certify it's whole line than a portion of it, simplifying the process. MS doesn't have to force them. Basic math will suggest it.



        :)
        none none
    • Yeah it's not like theyve been investigated for market abuse in the past

      I don't get it anyway. I'm sure the anti-apple crowd will join us and condemn any hardware lock-in;-)
      Richard Flude
    • RE: Microsoft tries to block Linux off Windows 8 PCs

      @Michael Kelly I don't even think this is an oversight but some Redhat employee shoveling FUD. Microsoft is ensuring that someone who buys a Windows 8 machine gets their full value and remember Vista with drivers that brought the system down or just didn't work over Microsoft's more stable universal drivers. Manufacturers of hardware are going to have to meet standards now as set out by Microsoft and if they don't there drivers won't install. As far as Linux goes, Windows 8 comes with a fully functional virtual machine capability available by default, so Linux can still be run on a Windows 8 machine. Windows 8 has another feature that SJVN has not mentioned is that the security software starts from the post and not the OS, therefore limiting the ability of bootkits and rootkits from being installed.
      Rndmacts
      • In other words...

        Message to OEMs: Do this or we will cut you off and you will die.

        That's really the end result, now isn't it @Rndmacts?

        Nice corporate spin post, btw... ;)
        ScorpioBlue
    • RE: Microsoft tries to block Linux off Windows 8 PCs

      @Michael Kelly I agree, but don't think it needs addressing. This was done purely to secure the computer, not as part of some evil plot. The proof is that Windows 8 will be shipping with Hyper-V. This is a much better way to run Linux on a Windows machine than dual-booting. It's safer, simpler, and far more secure.
      BillDem
  • RE: Microsoft tries to block Linux off Windows 8 PCs

    You make it sound like OEMs can't just...well, not sell it with a Windows logo. Because that's what this is: logo requirements. It's so they can put that Windows 8 sticker on the computers.
    Aerowind
    • RE: Microsoft tries to block Linux off Windows 8 PCs

      @Aerowind Microsoft controls 789% of the OS market. Who's going to sell their PCs without being Win8 certified?
      jgm@...
      • RE: Microsoft tries to block Linux off Windows 8 PCs

        @jgm@...

        I thought Apple's market share has been growing 5 times faster than the rest of the market for years now. Sure, their usage share never seems to increase (on the desktop, OS X not IOS), but it's dead clear MS isn't a monopoly, and never was. Apple has always been a choice.
        rtk