EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

12.02.12

Guest Post: UEFI’s Effects on the User

Posted in Antitrust, Microsoft, Vista 8 at 10:08 am by Dr. Roy Schestowitz

Windows 8 book

Summary: A contributor’s take and set of thoughts about Microsoft’s latest anti-competitive tactic

Did you know, Microsoft Press (A Division of Microsoft Corporation) has published a Windows 8 book as PDF, titled “Inside Out Windows 8”. The ultimate, in-depth reference Hundreds of timesaving solutions Supremely organized, packed with expert advice Companion eBook (744 pages 34.2 MB)

However, the one and only section (page 25) on UEFI “Secure Boot” doesn’t mention how it functions, works or operates, how to access it or any interoperability. No mention on how to even disable Secure Boot at all.

Such as the undocumented steps below;

1. Boot machine while pressing F10

2. Find Secure Boot in the menu tree, ignore warnings

3. Disable Secure Boot feature

4. Enable legacy boot options

5. Enable specific legacy devices, such as USB devices

6. Save and reboot while holding down F9

Book shot

(No mention in Chapter 27!)

I want to point out there is NO such thing as “Windows Hardware” because Microsoft does NOT manufacture Lenovo, Sony, Toshiba, Acer, Asus, MSI, VIA, HP, Dell, Celvo, Sager, etc…

This is Microsoft extending its own brand (software) upon firmware, claiming it’s their platform. Why do the manufactures accept this theft of their hardware product?

Why doesn’t someone write to the European Court of Justice and file a complaint?

Regarding how UEFI Secure Boot has the side effect of preventing interoperability against competitors and open society by preventing unauthorized firmware, operating systems, or UEFI drivers from running at boot time unless they bear a cryptographic signature by Microsoft, the manufacturer or an UEFI signing key vendor ($99 for an UEFI signing key) for any software that modifies the bootloader that enforces the UEFI secure boot protocol.

Basically, the bootloader is the place where the PC hardware reads instructions to boot up an operating system or program. Windows installs those instructions in the bootloader, just as another operating system like Linux. By making the process proprietary without full documentation, competitors are at a huge disadvantage.

Microsoft has basically inserted themselves as the UEFI gatekeeper for installing not just their software, but any software that modifies the bootloader on a potentially huge number of devices globally around the world.

The main issue with the UEFI secure protocol is that it excludes out ALL other operating systems, for the right of sharing (educational), giving (philanthropy), renting, loaning, and borrowing on other W8 PC system/s hardware to run boxed copies of Windows or Linux on Windows logo hardware, and also impossible to install new versions of Windows or Linux unless your OEM provided a new UEFI digitally signed key. A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

Not to mention, Windows 8 PC owners won’t be able to replace their OS with another like Windows 7, unless they obtain a digitally signed Secure Boot version for their system.

One of the few shortcomings in the UEFI model (and it is a deliberate omission because of the complexity of running a certification system) is that there’s no designated root of trust in the current version 2.3.1. for a centralized vendor-neutral signing authority to provide UEFI keys.

The Windows 8 PC you buy in 2013 will be permanently locked into Windows 8 if Microsoft gets away with their plan. Windows 8 certification does not require that the user be able to disable UEFI secure boot, and hardware vendors have reported already that on some hardware will not have this option available.

Of course, Windows 8 certification does not require that the PC system come with any keys other than Microsoft’s. A system that ships with UEFI secure boot enabled and only includes Microsoft’s signing keys will only securely boot Microsoft operating systems.

Think how this gives great power to Microsoft, for every manufacturer that wants to sell hardware for the Windows 8 PC, needs a UEFI digital signed key, from Microsoft!

Disabling UEFI Secure Boot is NOT offered on ARM systems like Windows 8 RT (Tablets).

The PC user using x64 or x86 systems is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The PC user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognize their hard drive in the firmware. Of course, UEFI doesn’t provide the means to generate your own UEFI keys either. Just where does that leave the PC user?

The truth is that UEFI using the Secure Boot Protocol v2.3.1 makes it more difficult to run anything other than Windows 8. UEFI secure boot is a valuable and worthwhile feature that Microsoft is misusing to gain tighter control over the market.

As it stands now Microsoft is saying OEMs don’t have to do it. They just have to do it if they want to sell PCs with Windows on them.

Links:

  • http://www.uefi.org/specs/download/UEFI_2_3_1_Errata_A.zip “UEFI Specification 2.3.1″ (2,139 pages)
  • http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf (291 pages)

Note: you can obtain the source PDF as Microsoft PDF ebook “Windows 8 Inside Out by Tony Northrup (Nov 23, 2012)”

Library of Congress Control Number: 2012950441

ISBN: 978-0-7356-6381-7

Amazon.com: http://www.amazon.com/Windows-Inside-Out-Tony-Northrup/dp/0735663815/ref=sr_1_1?s=books&ie=UTF8&qid=1354458846&sr=1-1&keywords=9780735663817

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. Tony Northrup said,

    December 14, 2012 at 4:28 pm

    Gravatar

    Hi. I’m the author of Windows 8 Inside Out.

    Regarding the book, you’re right that the coverage of Secure Boot is brief, and perhaps too brief. However, since the book is about Windows 8 and Windows 8 users shouldn’t ever need to configure Secure Boot, it seemed sufficient for my audience.

    Also note that there’s no single process for turning off Secure Boot, because it must be done within the UEFI firmware, and that can be different for every PC (or at least, every UEFI implementation). So, providing step-by-step instructions for that would have been impossible. The lack of a consistent user interface is actually one of the biggest drawbacks to Secure Boot; if users want to turn it off, they need to read the manual, and you know how that goes…

    There’s plenty of information out there about how it works, and in fact I’m in the process of writing a much longer whitepaper for IT audiences.

    People are concerned about Secure Boot because all PCs that get the Windows 8 logo certification MUST support Secure Boot and have it turned on by default. However, that same certification process also requires PCs to:
    * Allow the user to add their own keys, so they can trust any bootloader/OS they want.
    * Completely disable Secure Boot, so the PC operates will load anything (including a bootkit).

    Just wanted to clarify that the concern isn’t, “Users can’t run Linux!” it’s, “Users have to follow potentially confusing steps to change their Secure Boot settings if their favorite Linux distro doesn’t have a certified boot loader.”

    There is a certified shim that Linux distros can use, though I know none of them are especially happy about having to get a cert from Microsoft: http://mjg59.dreamwidth.org/20303.html

    My understanding is that these statements are now incorrect:

    “Windows 8 certification does not require that the user be able to disable UEFI secure boot” and “The PC user using x64 or x86 systems is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice.” The certification does require users to be able to disable Secure Boot, as well as trusting any bootloader they choose.

    However, this statement is true:

    “Disabling UEFI Secure Boot is NOT offered on ARM systems like Windows 8 RT (Tablets).”

    Of course, it’s also true of just about every mobile device (iPhones, iPads, Kindle Fires, most Android devices, etc). Personally, I wish they would just let people load their own software, but the security guy in me understands the risks and the support guy in me knows the headaches.

What Else is New


  1. Links 31/7/2014: Zorin OS Educational 9, Android Nearing 90% Share

    Links for the day



  2. Microsoft-Linked Codenomicon and Bluebox in the Business of Smearing FOSS/Linux/Android

    odenomicon and Bluebox, two companies with strong Microsoft links, fill the media with negative articles about Android



  3. Is Microsoft Being Raided Not Just for Anti-Competitive Reasons but for Bribes and Back Doors?

    News about raids in Microsoft China mostly lacking when it comes to background, context, and information about Microsoft's crimes in China



  4. Former Microsoft Engineer Working on Windows BitLocker Confirms Government Asks Microsoft for Back Doors

    Recalling the times when even Microsoft staff spoke about secret government collaborations and back doors



  5. Ruling Against 'Abstract' Software Patents is Already Derailing Patent Attacks on Linux and Free Software

    Patent litigation against Android/Linux impeded by the introduction of arguments that cite the Supreme Court



  6. Links 30/7/2014: Chris Beard as CEO of Mozilla

    Links for the day



  7. New Optimism in the Age of Doubt Over Software Patents

    As the tide turns against software patents, even in their country of origin, their opponents come out of the woodwork to celebrate



  8. Links 28/7/2014: New Linux RC, Plasma 5 Live in Kubuntu

    Links for the day



  9. Links 27/7/2014: KDE 4.14 Beta 3, KDE 4.14 Beta 3 Released

    Links for the day



  10. Apple and Microsoft Are Proprietary Software Companies and the Media Should Stop Openwashing Them

    New examples where proprietary software giants are characterised as FOSS-embracing and FOSS-friendly by gullible or dishonest 'journalists'



  11. Bloomberg's Microsoft Propaganda

    Bloomberg delivers 'damage control' and PR ahead of the layoffs announcement; Microsoft uses Nokia to hide it and Bloomberg helps Microsoft by radically modifying headlines



  12. Frequency of Browser Back Doors in Microsoft Windows is Doubling

    The vulnerabilities which Microsoft tells the NSA about (before these are patched) are significantly growing in terms of their numbers



  13. FUD Entities Entering the FOSS World

    Symantec enters the AllSeen Alliance and Sonatype is once again trying to claim great insecurity in FOSS due to software licensing



  14. Groklaw Back in the Wake of ODF in the UK?

    Renewed activity in FOSS-leaning legal site Groklaw amid numerous victories for FOSS



  15. Links 26/7/2014: New Wine, Chromebooks Strong Sales

    Links for the day



  16. Links 25/7/2014: GOG With GNU/Linux, Ubuntu 14.04.1 LTS

    Links for the day



  17. Links 24/7/2014: Oracle Linux 7; Fedora Delays

    Links for the day



  18. Valerie Strauss Explains Why Gates Foundation's Lobbying for 'Common Core' (Privatisation) is a Swindle That Makes Microsoft Richer

    Continued criticism of the Gates Foundation's lobbying and masquerading, with more journalists brave enough to highlight the corruption



  19. USPTO Officially Sets New Guidelines to Limit Scope of Software Patents in the United States

    Even patent lawyers finally acknowledge that the incentive to file software patent applications has been reduced, as the scope of patents on software has been noticeably narrowed and they are harder to acquire, let alone enforce in a courtroom



  20. UK Government Adopts OpenDocument Format (ODF) and Microsoft Already Attacks the Government Over It, Showing Absolutely No Commitment to Open Standards

    Only "Microsoft as the standard" is the 'standard' Microsoft is willing to accept, as its response to the Cabinet Office's judgment reveals



  21. Microsoft Layoffs of 2014

    Another quick look at Microsoft's horrible state of affairs and why it has virtually nothing to do with Nokia



  22. Links 22/7/2014: Linux 3.16 RC 6, New UberStudent

    Links for the day



  23. Links 20/7/2014: Jolla in India, Mega Censored in Italy

    Links for the day



  24. Longtime Mono Booster Joins Microsoft-linked Xamarin

    Jo Shields almost joins Microsoft, settling instead for its proxy, Xamarin



  25. Linux Foundation Welcomes Patent Aggressor Red Bend Software

    The Linux Foundation's AllSeen Alliance welcomes as a member a company that uses software patents to sue Free/Open Source software



  26. Matt Levy From Patent Progress (and CCIA) Does Not Really Want Patent Progress

    Matthew ('Matt') Levy moved into a foe of patent progress last year, but he still runs a site calls Patent Progress, in which he diverts all attention to patent trolls (as large corporations such as Microsoft like to do)



  27. Attacking FOSS by Ignoring/Overlooking Issues With Proprietary Software

    The biasing strategy which continues to be used to demonise Free/Open Source software (FOSS) along with some new examples



  28. Links 19/7/2014: CRUX 3.1 is Out, CyanogenMod Competes With Google Now

    Links for the day



  29. Microsoft's Massive Layoffs Go Far Beyond Nokia; Nokia's Android Phones Axed by Microsoft's Elop

    Microsoft's rapid demise and permanent exit from Nokia's last remaining Linux platform (after Microsoft had killed two more)



  30. Patents on Software Already Being Invalidated in Courts Owing to SCOTUS Ruling on 'Abstract' Patents

    The Federal Circuit Appeals Court has just "invalidated a software patent for being overly abstract," says a patents expert


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts