FreeBSD Team Begins Work On Booting On UEFI-Enabled Systems
An anonymous reader writes "The FreeBSD project has begun the process of making it possible for the operating system to run alongside Windows 8 on a computer which has secure boot enabled." Linux distros have taken to using a minimal loader, signed by Microsoft, to enable booting on UEFI systems with secure boot. "Indeed we will likely take the Linux shim loader, put our own key in it, and then ask Microsoft to sign it," says developer Marshall McKusick in the linked IT Wire article. "Since Microsoft will have already vetted the shim loader code, we hope that there will be little trouble getting them to sign our version for us."
Well I'll be... (Score:3, Informative)
I did not know Microsoft won that battle.
Re:Well I'll be... (Score:4, Funny)
Won what battle? There is no battle. They just managed to get their key into the hardware manufacturers and happen to conveniently sell access to that. Nothing stops anyone else from doing the same.
Re: (Score:3, Insightful)
Hahahahaha. The rich and poor are equally prohibited from sleeping under bridges... Free-market ideology induced brain damage at its best. Or was this sarcasm? Then I am sorry.
Re: (Score:2)
Well that's how the CA business works; just that in this case it's about hardware manufacturers, not browser/OS vendors. I don't think it's a good idea from a security perspective since it trusts things by default, and can have really bad consequences when a CA is compromised. But that's how it works for now.
Re: (Score:2)
Of course you can suggest whatever you want. Just don't expect them to do something which is impossible to do (well, at least until strong AI is developed).
Can we get that strong AI to write comments too? It would really boost the signal to noise ratio.
Re: (Score:3)
If the UEFI firmware is implemented correctly, it offers an option for someone with physical access to the machine to see a list of the keys, add and (probably) remove keys at will.
Actually, if I'm not mistaken Microsoft demands this for machines to get the Windows 8-Logo.
Re: (Score:2)
Re: (Score:2)
$99
Re: (Score:2)
Technically they sign your key.
Re: (Score:2)
Re: (Score:2)
I did not know Microsoft won that battle.
well.. won and won.. they kind of lost if they had to start accepting shim loaders. kind of defeats the whole point.
Re: (Score:3)
For now.
They don't 'have' to accept shim loaders. They are doing so for now, to minimise the backlash. There's no assurance they'll continue to do so in future, or (more likely) that they won't start imposing onerous requirements in the name of 'security' like mandating that any qualifying bootloader be incapable of loading an OS that allows unsigned drivers.
Re: (Score:2)
Microsoft wants to stop root kits. They want to be able to offer secure environments for DRM content. Microsoft doesn't care about people who want to boot Linux at all. So they are fine signing those because that customer base will self support on root kits. Where is the conflict? That only defeats the point if you start by assuming that Microsoft was lying about their intentions. If you start by assuming that everyone was telling the truth and there is no big conspiracy then it is perfectly fine.
Re:Well I'll be... (Score:5, Informative)
No it defeats no point, and Microsoft is free to accept or deny just about anything. Properly implemented secure boot increases your security by letting you decide what the machine should boot and prevent it from booting unknown or potentially malware infected operating system. That is a good feature. It has nothing to do with preventing competition.
Deciding that one, and only one company can sign shims, can't be considered anything but anticompetitive.
Then, forcing that company to sign boot shims from Linux and FreeBSD to avoid illegal restraint of trade charges, pretty well eliminates any benefit the plan might have had. Is Microsoft going to sign every backroom version of Linux and every clone of FreeBSD, or did they just pare down the competition to a few major distros?
Re:Well I'll be... (Score:4, Insightful)
You could start a signing company now, and if people trust you, they will add your keys, and you may even get traction from the OEMs. Nothing in secure boot prevents that except that no one wants to create a signing organization because they don't want to be bothered. In fact Secure Boot MS Spec requires OEMs to enable users to add their own keys or even remove Microsoft's if they don't trust it.
Re: (Score:3, Insightful)
And whoops, you just lost your license to distribute OEM Windows copies. How unfortunate. But that would never ever happen, right?
Re: (Score:2)
Re:Well I'll be... (Score:5, Insightful)
you just lost your license to distribute OEM Windows copies.
No you didn't...
..you just lost Windows Certification.
Another way to lose Windows Certification is not allowing the end user to disable Secure Boot.
In other words, Windows Certification actually protects your rights.
Re: (Score:3)
[AC wrote] you just lost your license to distribute OEM Windows copies.
[Rockoon wrote] No you didn't... ..you just lost Windows Certification.
Amounts to the same thing. With the exception of a tiny niche market, OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it. While it would not bother me, Joe Public just won't buy a PC unless they see "Designed for Windows" on it. Withdrawing either of those privileges are weapons Microsoft has to control the market.
Re: (Score:3)
OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it.
The only consumers that care about Windows Certification are enterprise customers...
Seriously.. do you think your grandmother makes sure that the laptop has Windows Certification before she buys it?
Translation: You really haven't thought about this at all, but have just jumped at a shallow poorly considered excuse to hate at Microsoft again.
Re: (Score:2)
OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it.
The only consumers that care about Windows Certification are enterprise customers... Seriously.. do you think your grandmother makes sure that the laptop has Windows Certification before she buys it?
Yes. Possible scene in PCWorld :-
..."
...."
Grandmother/JoePublic : "Nice colour, but does it run Windows?"
Salesman : "Of course it does madam/sir, they all do!"
GM/JP : "So why doesn't it have that 'Designed for Windows' sticker on it like those others do?"
Salesman : "Just a detail madam/sir, Microsoft are very strict, just one minor thing, nothing to worry
GM/JP : "Not sure about that then"
Salesman : "You mentioned those others, that's a nice one over there
Re: (Score:2)
GM/JP : "So why doesn't it have that 'Designed for Windows' sticker on it like those others do?"
Your grandmother is not asking that question, and doesn't even know that such a sticker exists.
You are stretching farther and farther into an absurd reality in order to hate Microsoft on this one. With all the valid reasons to hate Microsoft, why are you so intent on manufacturing a fantasy in order to create another one out of vapor?
Re: (Score:2)
99.999% of real conversations in PC World:
GM/JP: Can I check my e-mail on it?
Salesman : Yes.
GM/JP: Can I watch cat videos on it?
Salesman : Yes.
GM/JP: Shut up and take my money!
Re: (Score:3)
> In other words, Windows Certification actually protects your rights.
Only because it's currently in Microsoft's interests.
And that comes from the anti-competition fines from the EU.
So you should thank the European Commission.
http://en.wikipedia.org/wiki/European_Union_Microsoft_competition_case
Re: (Score:2)
No. If the END USER disables the Microsoft signing key, it's not the fault of the OEM.
Also, neither of these two would know that I or you disabled the Microsoft key.
Re: (Score:2)
It is completely up to the hardware manufacturers which keys they want to preinstall. My preference would be none, and let the user install it. Here Microsoft acts as a CA, just like any other CA does. Anyone else can sign, but Microsoft was one of the few with the operation in place to go out and deal with many of the vendors.
Re: (Score:2)
My preference would be none, and let the user install it.
No keys pre-installed would mean that 95% of the systems would run without secure boot, as most people couldn't be bothered to go into the UEFI setup to add a ... "whatchacallit? Key? A few letters and numbers? What good is that?"
pardon me but the shim.. (Score:2)
pardon me but, can't you pretty much boot anything with the shim? thus defeating the purpose.
from what I can see freebsd could just use the linux shim as well. which is what makes it a shim, that there is no necessity to sign with microsoft everything you boot.
http://mjg59.dreamwidth.org/20303.html
Re: (Score:2)
No they are going to sign a few versions of boot loaders and then not care about the rest.
Re: (Score:3)
Properly implemented secure boot increases your security by letting you decide what the machine should boot
Exactly. Secure boot is not properly implemented. A proper implementation would allow you to install anything you like after flipping a manual switch.
Re: (Score:3)
Exactly. Secure boot is not properly implemented.
It's properly implemented. You are just putting an undue amount of weight to the hand wavers that don't really have an argument:
To get Windows certification, the end user must be able to:
a) disable secure boot
b) install their own keys
What extra implementation restriction did you have in mind?
Re: (Score:3)
Why do the different Linux distributions need to get MS to accept those shims again ?
They don't, but you can't put a price on convenience.
Re: (Score:2)
b) install their own keys
Sooo.... Why do the different Linux distributions need to get MS to accept those shims again ? I mean, they do not go that troublesome way for nothing.
Because they don't want to go to each and every mainboard and OEM manufacturer and convince them to add their key to the list.
They could, if they wanted.
Re:Well I'll be... (Score:4, Informative)
Why do the different Linux distributions need to get MS to accept those shims again ?
To make it easier to install the OS without having to require that people install keys. Since there would be a variety of interfaces in the different motherboards, it would make it difficult to write generic documentation to tell lay people what to do. That hardly makes for a plug-n-play experience, and brings us back to the good-old-days of overly complicated operating system installations.
Re: (Score:2)
Because they want to be able to boot on systems that haven't disabled secure boot and haven't installed another key.
Re: (Score:2)
can ms revoke the signing on the shim that you can use to boot arbitrary code you want?
this is what I was referring as defeating the whole point.
Re: (Score:2)
In other words, you do not seem to actually understand very much. The certificate authority is UEFI, not some server on the internet.
Re: (Score:2)
Re: (Score:2)
How is revocation handled?
I don't believe it can be. Nothing outside the machine is checked at boot time.
This looks like CSS over again. half baked security that ultimately trusts people who screw up a lot.
Re: (Score:2)
Maybe an update to the UEFI firmware could revoke/add keys?
We had BIOS updates add/remove functionality for years, so I would guess that the same is possible for UEFI updates.
Re: (Score:2)
There is no revocation. Once code is signed to a particular key, it is signed forever.
Re: (Score:2)
If the system is rigged in such a way you have to trust any Microsoft code then it's a terrible system.
There is nothing secure about UEFI as implemented. Let me set my own keys without having to trust any vendor and I'll consider it secure.
Re: (Score:2)
You can install your own keys.
Re: (Score:2)
Well it works more or less the same as the https thing in the web browser. Everything is exploitable, but properly managed can at least minimize the risk.
Re: (Score:2, Troll)
Too bad the user can't manage his own hardware now. We're at the mercy of the mobo manufacturers, as they decide whose keys are trusted by default (ie microsoft ONLY). If I have to go to microsoft in order to be allowed to boot BSD on my own motherboard, then my property rights are being violated. I'm not leasing or borrowing my mobo, I've bought it. That means nobody else has a right to tell me I can't do whatever I want with it (within legal limits).
The only feature of UEFI so far is to wrest control
Re:Well I'll be... (Score:4, Informative)
Too bad the user can't manage his own hardware now. We're at the mercy of the mobo manufacturers, as they decide whose keys are trusted by default (ie microsoft ONLY). If I have to go to microsoft in order to be allowed to boot BSD on my own motherboard, then my property rights are being violated.
You can deactivate secure boot.
You can add other signing keys to the list used by the UEFI firmware.
You can remove the Microsoft key.
So what's your problem?
Actually, Microsoft DEMANDS all these things from an OEM before they can put the nifty little 'designed for Windows 8' stickers on their machines.
Re: (Score:2)
UEFI so far is only a bad thing. I currently own a motherboard that claims to have "dual uefi" whatever that means, and I still can't disable secureboot even with a manual.
I haven't seen a motherboard yet without the option for disabling secureboot and managing the uefi with a shell. Maybe you could mention which board this is so the rest of us can avoid it.
Re: (Score:2)
Well it works more or less the same as the https thing in the web browser. Everything is exploitable, but properly managed can at least minimize the risk.
The CAs behind 'https' can't be trusted one little bit. The only protection in using https instead of http is from casual packet sniffing.
The only way to fix it is to have a trustworthy CA run in a country that doesn't spy on everything and run by incorruptible people. It's not going to happen.
Re: (Score:2)
Re: (Score:2)
If MS wants to change their standards and the OEMs agree, nobody else has any say in the matter. (Ooh, let's watch the libertarians here break out in hives.)
I thought companies bullying the consumer with anti-competitive behavior was "freedom" and supported by the Slashdot libertarians.
Re: (Score:2)
The battle is to fix that.
I believe Linux now runs on far more servers than Windows does, will any hardware manufacturer give up their share of the huge Linux market to their competition?
Why not promote motherboard manufacturers (Score:2, Interesting)
who don't have or build motherboards that can disable EUFI. Seems to me like there's a great market for non EUFI mother boards that can target Linux/Unix users.
Re: (Score:2)
Well you can just turn the feature off, if your board has it and it happens to be turned on.
Re: (Score:2, Informative)
Try all the F# Keys. It might take a while, as they might have set the pause for FKeys to be something braindead stupid like 1/3rd of a second or some bullshit like that. so try all of them: F1 Through F12. If none of them work, and neither Delete nor Escape, nor the Space Bar works, then I gotta say you've wasted your money.
Although, there might be a jumper on the mobo (literally a couple of prongs bridged with a piece of plastic holding some foil) that you can break and refit that can reset your bios s
Re: (Score:2)
Re:Why not promote motherboard manufacturers (Score:5, Insightful)
Conceptually, if the user has physical access to the computer and the ability to plug shit in, your security is already gone.
Conceptually, 99.99% of computer users don't even need this kind of security in the first place, so why is it being forced on 100% of the new computers?
Conceptually UEFI won't stop a single virus which 100% of computer users face daily, and that IS a problem.
UEFI serves one and only one purpose. It makes it 'easier' to just continue using Windows and more difficult to use any other system.
Linux doesn't need UEFI. Nobody needs UEFI.
Stopped shilling lipstick on a pig.
Re: (Score:2)
Replace "UEFI" with "Secure Boot" (there is a difference... EFI alone is not a major problem) and I agree 100% with you. While I'm not so sure UEFI is much better than the BIOS aside from a few limits lifted, the real problem is Microsoft's Secure Boot, which is an optional part of UEFI and being forced onto all ARM machines (thanks dicks, I mean Microsoft). Eventually, it will probably make its way to anything else Windows touches with no way to turn it off (x86?).
Re: (Score:3)
Nobody needs UEFI
That's bullshit. I need UEFI. BIOS only allows a very limited set of space (384K) for hardware device BIOSes. I've hit that limit, as do most server admins because high performance devices use that space up very quickly. There are numerous other advantages to UEFI, but you'd need to take off your tin foil hat and actually learn about it for you to understand it. That or build a server. Then you'll be crying about why stuff doesn't work and how stupid BIOS really is and why there isn't something bette
Re: (Score:2)
Conceptually would be for secure locations that normal PC access is restricted, and do not want uncontrolled software booted to bypass their existing OS security, gaining access to the network and so forth.
Well, good luck with your rescue CD if it doesn't boot!
Conceptually, the purpose of secure boot is to keep unwanted operating system software secure from the user (rather than keeping the user safe from malicious software) and preserve a quasi-monopoly for Microsoft. Hopefully, there will be EU rulings that prohibit current practice.
Re:Why not promote motherboard manufacturers (Score:5, Interesting)
It's UEFI, the Unified Extensible Firmware interface. EUFI is ExtraUterine Fetal Incubation. Very different things.
The motherboards they are shipping now have a simple disable. So there is no immediate fear of being unable to run Linux on the things. BUT you have to go in and disable it in BIOS which is just completely over the head of most computer users these days. You don't have to make it impossible to deter most people from using it, just a tiny hurdle will divert the herd.
Right now they are signing the certificates without a problem. But what will they do in a year or five or a decade? Building a business that relies on getting certs signed by MS doesn't seem wise long term. Of course no one thinks long term anymore... a small change in the law here, an easily fabricated incident using a signed bootloader to compromise a business there, and they could easily revoke these keys.
The other problem is that UEFI is actually really cool tech, we don't want to get rid of it. We want to be able to use it. I should be able to install my own key on my own motherboard so it will only load code that I sign personally. Rather than simply trusting Microsoft or turning off a great security component that I already paid for and theoretically own.
Re: (Score:2)
I do. I do not find UEFI a "cool tech". I find UEFI the same as the old BIOS: totally useless.
When a computer starts it should just bring up the very basic stuff and then handle the boot process to the Operating System. Nothing more. The computer should stay in a state of the BIOS for about 500ms (the quicker the better) after that the Kernel of the System takes over.
Please tell me what I get with UEFI what the current Linux Kernel does not offer.
Re: (Score:2)
no we want to get rid of secure boot. uefi lets you boot to a harddrive over 3 Tb in size. I wish coreboot was more developed.
Re: (Score:2)
Let me rewrite that for you:
No, we want to Secure Boot to be strictly opt-in. UEFI on its own brings many good advantages over the ancient 16-bit BIOS boot process, that we DO want to keep. Just because someone put a lock in it and didn't give you the key doesn't make the existing technology bad.
Re:Why not promote motherboard manufacturers (Score:5, Informative)
There is no reason that a traditional PC BIOS can't boot a 3TB drive. The bios just reads the first sector of the drive and runs the code, it doesn't need to care what type of partition table is used. So the 2TB limit of the DOS style partition table is irrelevant to the first stage of booting a PC. AIUI grub2 has no problems being booted by a traditional PC bios and then going on to read a GPT partition table and load linux from it.
The inability to boot windows on a 3TB GPT drive with a traditional PC bios is entirely microsoft's fault.
Re: (Score:2)
Re: (Score:2)
You already do - via these wonderful programs called Boot Loaders. You should read up about them sometime, you never know, you may even get a clue.
Re: (Score:2)
The parent said he wanted secure boot to be able to decide what boots on his machine. My point was you don't need secure boot to be able to do that. He's obviously drunk the MS kool aid. You however should learn to read.
Re: (Score:2)
Re:Why not promote motherboard manufacturers (Score:5, Informative)
Just to clarify: UEFI is not the problem. It's just a replacement for the old BIOS system which addresses the decades of accumulated legacy bodging that is the PC. Secure Boot is a feature that UEFI enables. You can have UEFI without Secure Boot.
Re: (Score:2)
Or you can have a BIOS that addresses the decades of accumulated legacy bodging that is the PC, without UEFI.
Just put a BIOS that removes all the old cruft of the old BIOS, adds some new features, but is totally minimalistic.
Because in 10 or 20 years UEFI will be like the old BIOS. It will do totally old stuff that nobody wants, and it will not allow new stuff, because of the same reasons that the old BIOS has.
The only remedy is to have a totally minimalistic BIOS that puts control as fast as possib
Re:Why not promote motherboard manufacturers (Score:4, Interesting)
Or you can have a BIOS that addresses the decades of accumulated legacy bodging that is the PC, without UEFI.
Just put a BIOS that removes all the old cruft of the old BIOS, adds some new features, but is totally minimalistic.
That's what UEFI is - it drops old cruft (mainly ISA, AGP and such, IIRC), ups the minimum requirements (UEFI can assume some level of graphics support, so no more MDA text mode; likewise, it no longer runs in 16-bit mode), and extends functionality (booting off 2TB+ drives). They broke compatibility in a few places, but they did so, in part, to speed up boot times by moving functionality from the BIOS/UEFI to the OS.
UEFI, itself, is a big step forward. The only problem is the "Secure Boot", and honestly, the problem is currently theoretical (at least on x86 - ARM is a different story). Secure Boot itself is fine - as long as the user is allowed to add and remove keys, and can enable/disable it, it's at worst unneeded functionality.
Re: (Score:3)
No it can't. Servers will still be restricted to text mode, because out-of-band management is commonly through IPMIv2, which supports text only, not graphics.
It's ironic that Microsoft is getting on-board with text-mode OS for their servers, while at the same time, Linux distros are going the wrong way and forcing GUI installers, using a pointless graphical splash screen for the bootloader, and other nonsense that helps no-one, but scr
Re: (Score:2)
Because in 10 or 20 years UEFI will be like the old BIOS. It will do totally old stuff that nobody wants, and it will not allow new stuff, because of the same reasons that the old BIOS has.
Of course that's true, but the E in UEFI is an attempt to make it last as long as possible. I'm not sure what's so objectionable about UEFI, though. It is, essentially, "a BIOS that addresses the decades of accumulated legacy bodging that is the PC."
Hmm... (Score:2)
...what is the point of secure boot again? Do we still have problems with MBR viruses?
Re: (Score:2)
It's supposed to be a protection against bootloader-infecting rootkits. No-one questions that it can do this, but bootloader-infecting rootkits are incredibly rare things to encounter, and given Microsoft's long history of anticompetitive business tactics it isn't hard to imagine their ulterior motive for pushing the technology.
Re:Hmm... (Score:5, Informative)
Re: (Score:2)
And that attack vector can completely be negated by having the BIOS read-only by default, while only enabling updates when the user toggles a physical switch when the BIOS needs an update.
At the end of
Re: (Score:2)
The BIOS calls are intercepted by a little program that gets run off your media device (USB, Hard Disk, CD-ROM, whatever). Setting the BIOS to read only doesn't defeat that.
Windows has been using BSD code for over a decade. (Score:2)
Signing their key is the least Microsoft can do for using large parts of the FreeBSD TCP/IP stack in Windows.
https://lwn.net/Articles/245805/
Re:Windows has been using BSD code for over a deca (Score:5, Insightful)
MS has the LICENSE to use BSD code.
They don't owe BSD anything.
Next time you're thinking of whether to license YOUR code using GPL or using something
that allows MS to use your stuff and give nothing back in return... remember this.
Ehud
Re: (Score:3)
You assume BSD is unhappy with this result. They are not...and the problem isn't MS using BSD's "stuff" and not giving anything back to BSD in return, it's not giving anything to YOU in return. BSD got precisely what they wanted in that transaction, you didn't.
Re: (Score:2)
Social conventions like owed favors do not exist in the world of business. When billions of dollars are at stake, there is no room to be 'nice.' That's why contracts were invented.
Re: (Score:2)
Windows doesn't use any of the FreeBSD TCP/IP stack anymore. It did at one time pre-Windows XP, but it was completely rewritten from the ground up prior to Windows XP, but many of the settings (registry settings) remained the same for compatibility.
Re: (Score:2)
Sorry, I just double checked, it was rewritten for Windows NT 3.5, and then carried over to Windows 95. So the FreeBSD stack hasn't been in use for nearly 10 years. Some of the ancillary utilities however, were never rewritten for some time and might have used some FreeBSD code in them. They carried the "Some parts... blah blah...Berkeley... blah blah" messages in them.
Loophole (Score:5, Interesting)
My bet would be that Microsoft refuses to sign the loader, saying that they can only sign if the loader's coded to only load binaries signed by a trusted authority (ie. Microsoft) and that allowing a loader that can load untrusted (ie. unsigned or not signed by Microsoft) binaries compromises the security of the boot process.
Re: (Score:2)
It doesn't work that way. Canonical's shim is signed with Microsoft's key but will only load a Linux kernel signed by Canonical with full boot-time privileges. If the kernel is unsigned it doesn't get access to some UEFI features, they are disabled before starting it. This prevents people from writing "kernels" that are just rootkits which load the Windows 8 kernel up afterwards.
So in fact Microsoft has already signed a shim that can load untrusted code, but on the condition that it does it in a safe way th
Re: (Score:2)
Why bother re-signing? (Score:2)
Re: (Score:2)
Microsoft won't sign a blob that can simply load any kernel, because doing so would defeat the purpose of Secure Boot: An attacker could simply load the linux signed loader with their malicious rootkit and use that.
needs a new installer..still (Score:3)
I've tried both the newest PC-BSD and bsdinstall installers...and they leave a lot to be desired. :/
Surface Pro and Secure Boot (Score:2)
UEFI -> Secure Boot -> Measured Boot (requires TPM)
Re: (Score:2)
Absolutely and that's how secure boot is supposed to work all along. Anything else is a bug.
Re: (Score:2)
I can sell you such insurance if you like.
Re: (Score:2)
No, they'll just ship machines carrying both the Microsoft and their own key. Apple are no fans of linux - just look at all the hoops you have to jump through to get it running on the new retina macbook pro. They've never officially supported it, and there's no reason they would.
In the PC area, Apple are dependent upon OSX to be their identity and differentiator. Without OSX, they are just another maker of high-end PCs - and it'd be very hard to sell Apple PCs if they were interchangeable with the one-third
Re:haven't (Score:5, Insightful)
Absolutely. Both Apple and Microsoft have long recognized that free operating systems are the biggest threat to their business models. Operating systems do not offer enough ways to stay ahead of competition by innovation, once the basic needs are fulfilled new features become mere gimmicks that might be nice to have but are not essential (see history of OS X).
Both Apple and Microsoft have a well-recorded history of anti-competitive business behavior and have in the past tried by all means to keep the application barrier up. In the 90s Java and Web-browsers were the biggest threats and they successfully averted these by tricky anti-competitive behavior. SCO tried to sue free operating systems out of existence and failed (so far, bogus patent law can change that and new law suits are in the drawer), now GNU/Linux has matured so well that it has become intolerable to Microsoft and Apple. Bear in mind that you can run many Windows programs in Wine already and that GNU/Linux has reached a certain usability threshold putting it roughly on a par with Windows XP in terms of software that end-consumers actually need (and GNU/Linux is much more stable).
The sole and only purpose of the current secure boot specification is to be the entry ticket to completely locked-down machines with completely locked-down whitelisted software that is only runnable and distributable by obtaining a key from Microsoft or Apple respectively and only with their blessings. That's the long-term goal.
The current, more modest goal is to make it hard for end-users to install another OS and hard to set up dual boot systems. Microsoft will then urge (=blackmail) hardware makers to produce more consumer boards that can run only Windows, and Apple will start to make their manufacturers produce OSX-only boards, while in the meantime urging manufacturers to sell more expensive motherboards that are not locked down so they can still claim they allow competition. For Microsoft, this is particularly important, because they need to make money with Windows and the "windows tax" is annoying more and more people. So they want to make sure that a board that runs GNU/Linux or BSD systems is more expensive (a 'pro feature', so to say) than a consumer board that only runs Windows plus the OEM fee for Windows. Microsoft is very desperate to keep their huge share of the dwindling desktop market, because they have already lost the mobile market.
This might all sound exaggerated to you now, but the fact is that these companies plan far more ahead than some people might think.
Re: (Score:2)
This might all sound exaggerated to you now, but the fact is that these companies plan far more ahead than some people might think.
When certain geeks saw the long-term implications for Microsoft's "Palladium" technology ten years ago, they were often laughed at for being overly paranoid and assured that such a thing could never and would never happen. There's no way to lock down a computer like that since we'll always be able to remove the TPM or bypass the BIOS, and not even Microsoft would be stupid enough to produce an operating system that would only boot on "authorised" hardware! Right?
http://en.wikipedia.org/wiki/Next-Generation_
Re: (Score:2)
That's not Apple's fault. They aren't doing anything unusual. That's the fault of Linux for not keeping up with spec hardware.
Re: (Score:2)
I think you are wrong. Apple likes their machines to be able to boot Microsoft OSes it is a selling point for them. So Microsoft will be one of the keys installed. They might pay the $99 to get their OSX versions signed or have their own key.
The FSF should just create a key and start signing distributions.
Re: (Score:3)
Apple uses parts of the FreeBSD user land in OS X, and actual parts that works with the hardware and UEFI is not related to it.
Re:Useless EFI (Score:5, Insightful)
I don't see much of a problem - it only affects people who want to dual boot and that is totally last century. Boot Linux and run Windows in a VM.
It is not to do with dual boot, it is to do with booting anything at all. This is a motherboard chip feature. Booting from a live CD will be impossible, and even if you wipe your HD, trying to install anything else will be impossible - if Secure Boot is enabled.
You can disable Secure Boot (FTTB, but I suspect MS will hope to clobber even that in the not too distant future), and I will myself. But it will deter people from trying out Linux tentatively and perhaps liking it. That's how I started, and MS hate people doing that.