Secure Boot (was Sparrow OS)

SparrowOS
Member
Posts: 72
Joined: Wed Nov 14, 2012 5:22 pm
Location: Vegas

Secure Boot (was Sparrow OS)

Post by SparrowOS »

What do you guys know about Win8 and secure boot? Are we all going to be running out of virtual machines?

~
Member
Posts: 1226
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: Secure Boot (was Sparrow OS)

Post by ~ »

I don't see why it couldn't be possible to just install Linux in a partition, then Windows in another, and leave the boot of that disk unaltered.

Then use GRUB from a CD/DVD or flash drive to boot up that Linux.

In fact it would seem more comfortable to me in most situations because that means that I would not need to alter the machine that much (and I would learn to boot Linux, or another system, from another media).

And it looks like there is Ubuntu (and the "older" Topologilinux 7) running under Windows itself, using (if I understand correctly) the paravirtualization of coLinux:

Wubi (Ubuntu installer)

There are several others too.

I personally still use DOS and Win9x, and in my main machine Windows XP SP3, 32-bit (to run and learn from 16-bit demos like those in Programmer's Heaven).

I would like to see what the secure boot is exactly about, but I don't see myself using Windows 7/8 (especially 64-bit versions) formally, but instead bare-metal machines, Linux, Windows XP, coLinux distros under Windows and emulators (even very simple ones written by myself eventually, so I can do and learn whatever I want and can afford to understand, including OS development projects).

See also this:
http://www.colinux.org/
http://en.wikipedia.org/wiki/Colinux
http://en.wikipedia.org/wiki/Paravirtualization
YouTube:
http://youtube.com/@AltComp126

My x86 emulator/kernel project and software tools/documentation:
http://master.dl.sourceforge.net/projec ... 7z?viasf=1

Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: Secure Boot (was Sparrow OS)

Post by Brendan »

Hi,
SparrowOS wrote:
> What do you guys know about Win8 and secure boot? Are we all going to be running out of virtual machines?

As far as I know; Windows 8 is capable of using UEFI secure boot and capable of booting on systems without secure boot; and Microsoft's "Windows 8 compatibility" logo program requires hardware to support it and ship with secure boot enabled. Microsoft has also asked hardware manufacturers to provide a way to disable secure boot (for alternative OSs like ours, and older OSs like Windows 7). Firmware tends to be "cut and pasted" from one machine to the next with minimal changes, so it's very likely that "secure boot that can be disabled" will become a de-facto standard in future.

The end result is that to install a different OS the user will simply need to disable secure boot; which makes it a little more complicated for people that don't know what they're doing to install a different OS (unless that alternative OS also supports secure boot).

Of course this only applies to 80x86, where the hardware and the software are designed as separate products.

For ARM systems (smartphones, tablets, etc) where the computer and the software are typically designed and sold as a single product, I don't think you'll be able to disable secure boot on ARM systems designed for Windows, and I don't think UEFI or secure boot will exist on ARM systems that aren't designed for Windows.

If an alternative OS supports secure boot (either with its own support, or by relying on some sort of common boot loader that supports secure boot) then; if the alternative OS uses Microsoft's key (which is what Debian and probably Ubuntu are doing) then the OS can be installed without disabling secure boot or finding a way to add a new key; and if the alternative OS uses a different key then it's likely that the hardware won't recognise the key and that end users will need to use some sort of utility to add the key before installing the OS. Of course this also only applies to 80x86. For ARM systems designed for Windows, I doubt there will be any way to install an alternative OS regardless of whether the alternative OS supports secure boot (and uses Microsoft's key) or not.


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
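
To see which of the cases discussed in this thread applies to a particular machine (Secure Boot enabled, disabled, or firmware still in setup mode), the state can be read from the UEFI `SecureBoot` and `SetupMode` variables. The following is an added example, not code from any poster in this thread; it assumes a Linux system with efivarfs mounted at `/sys/firmware/efi/efivars`, and the sample bytes are constructed.

```python
import os
import struct

# EFI_GLOBAL_VARIABLE vendor GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: efivarfs is mounted at its usual Linux location.
EFIVARS = "/sys/firmware/efi/efivars"
# Variable attribute bits defined by the UEFI specification.
ATTRS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}


def parse_efivar(raw):
    """Split an efivarfs file into (attribute names, payload).

    efivarfs prefixes each variable with a 32-bit little-endian
    attribute word; the variable's data follows it.
    """
    if len(raw) < 5:
        raise ValueError("truncated efivarfs entry")
    (attrs,) = struct.unpack_from("<I", raw)
    return [n for bit, n in ATTRS.items() if attrs & bit], raw[4:]


def classify(secure_boot_raw, setup_mode_raw):
    """Map the raw SecureBoot and SetupMode variables to a state string."""
    if secure_boot_raw is None:
        return "unsupported (legacy BIOS boot or no Secure Boot variable)"
    _, secure_boot = parse_efivar(secure_boot_raw)
    if secure_boot[0] == 1:
        return "enabled"
    if setup_mode_raw is not None and parse_efivar(setup_mode_raw)[1][0] == 1:
        # No platform key is enrolled, so nothing is being enforced yet.
        return "disabled (setup mode)"
    return "disabled"


def read_var(name, root=EFIVARS):
    """Return the raw bytes of a global EFI variable, or None if absent."""
    try:
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "rb") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    print("this machine:", classify(read_var("SecureBoot"), read_var("SetupMode")))
    # Constructed sample: attributes 0x6 (boot-service + runtime), value 1.
    print("sample:", classify(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
```
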

Re: Secure Boot (was Sparrow OS)

Post by SparrowOS »

Intel and Microsoft have conspired so Win8 only works on machines which ban other operating systems. They issue codes. All of you guys will need to get a code from Microsoft and with a nondisclosure agreement put that code in code.

http://arstechnica.com/information-tech ... conundrum/

Brendan loves secure boot, isn't that right stoolie?

Re: Secure Boot (was Sparrow OS)

Post by Brendan »

Hi,
~ wrote:
> I don't see why it couldn't be possible to just install Linux in a partition, then Windows in another, and leave the boot of that disk unaltered.
>
> Then use GRUB from a CD/DVD or flash drive to boot up that Linux.

For UEFI systems with secure boot; the version of GRUB on the CD will need to be signed with a key that is recognised by the firmware or the CD won't boot.

~ wrote:
> I would like to see what the secure boot is exactly about, but I don't see myself using Windows 7/8 (especially 64-bit versions) formally, but instead bare-metal machines, Linux, Windows XP, coLinux distros under Windows and emulators (even very simple ones written by myself eventually, so I can do and learn whatever I want and can afford to understand, including OS development projects).

The basic idea of secure boot is to prevent malicious code (e.g. a virus) from tampering with an OS's boot code (and UEFI applications, UEFI drivers, etc). For an example, without secure boot, a virus could replace an OS's boot loader with a root kit that starts the real OS's boot loader (and for modern 80x86 machines, the root kit could use virtualisation and run the OS inside the virtual machine, which can make the root kit impossible to detect or remove).


Cheers,

Brendan

Griwes
Member
Posts: 374
Joined: Sat Jul 30, 2011 10:07 am
Libera.chat IRC: Griwes
Location: Wrocław/Racibórz, Poland

Re: Secure Boot (was Sparrow OS)

Post by Griwes »

The way I see it is that when you install Windows when Secure Boot (SB) is enabled (and that's the case with preinstalled Win8), then it will refuse to boot with SB disabled; but, if you install it with SB disabled, it will have no problems with booting with SB disabled.

I emphasize the part "the way I see it" - I have no SB machine, so I'm not capable of testing that assumption, but if I'm right, then SB is nothing more than a little, not really important obstacle when installing other OSes, as I tend to purge the preinstalled version of Windows on every new computer I get anyway, to get rid of manufacturer's crap preinstalled with it.
Last edited by Griwes on Thu Nov 15, 2012 7:23 am, edited 1 time in total.
Reaver Project :: Repository :: Ohloh project page
<klange> This is a horror story about what happens when you need a hammer and all you have is the skulls of the damned.
<drake1> as long as the lock is read and modified by atomic operations

Re: Secure Boot (was Sparrow OS)

Post by SparrowOS »

http://mjg59.dreamwidth.org/20187.html

Secure boot has one purpose -- kill other operating systems. You are with the enemy.

Re: Secure Boot (was Sparrow OS)

Post by Brendan »

Hi,
Griwes wrote:
> The way I see it is that when you install Windows when Secure Boot (SB) is enabled (and that's the case with preinstalled Win8), then it will refuse to boot with SB disabled; but, if you install it with SB disabled, it will have no problems with booting with SB disabled.
>
> I emphasize the part "the way I see it" - I have no SB machine, so I'm not capable of testing that assumption, but if I'm right, then SB is nothing more than a little, not really important obstacle when installing other OSes, as I tend to purge the preinstalled version of Windows on every new computer I get anyway, to get rid of manufacturer's crap preinstalled with it.

I expect that it'll just be a simple enable/disable option in the firmware configuration screen.

Thanks for that link - it's a good example of "relying on some sort of common boot loader that supports secure boot".

SparrowOS wrote:
> Brendan loves secure boot, isn't that right stoolie?

Without secure boot (or something like it), UEFI is as secure as a wet paper bag - anyone can do anything to anything without any restriction. This is bad for obvious reasons. Secure boot fixes that.

The problem with secure boot isn't secure boot itself. The problem with secure boot is how hardware/firmware manufacturers decide to implement it. For example, if the firmware sees a boot loader that has a key it doesn't recognise, then firmware could ask the user if they want to add the new key to the firmware's list and continue booting if the user gives permission (or cancel booting if the user suspects something is wrong).


Cheers,

Brendan

Re: Secure Boot (was Sparrow OS)

Post by SparrowOS »

Get used to this. I bought my last PC a few days ago, while Win7 is still available.

http://www.lemon64.com/

This website will be just as pathetic. Why are you so happy about Win8 Brendan?

I wrote a CD-ROM boot-loader and a HD boot-loader. UEFI has elf. I made my own compiler with my own binary format.
Last edited by SparrowOS on Thu Nov 15, 2012 7:53 am, edited 1 time in total.

Re: Secure Boot (was Sparrow OS)

Post by Griwes »

Brendan wrote:
> Griwes wrote:
>> The way I see it is that when you install Windows when Secure Boot (SB) is enabled (and that's the case with preinstalled Win8), then it will refuse to boot with SB disabled; but, if you install it with SB disabled, it will have no problems with booting with SB disabled.
>>
>> I emphasize the part "the way I see it" - I have no SB machine, so I'm not capable of testing that assumption, but if I'm right, then SB is nothing more than a little, not really important obstacle when installing other OSes, as I tend to purge the preinstalled version of Windows on every new computer I get anyway, to get rid of manufacturer's crap preinstalled with it.
>
> I expect that it'll just be a simple enable/disable option in the firmware configuration screen.

Well, I just remember that either someone told me so, or I read that somewhere, that "Windows 8 will fail to boot with SB disabled, as long as it was installed with it *enabled*", but I cannot remember who/where that was.

Re: Secure Boot (was Sparrow OS)

Post by Brendan »

Hi,
Griwes wrote:
> Brendan wrote:
>> Griwes wrote:
>>> The way I see it is that when you install Windows when Secure Boot (SB) is enabled (and that's the case with preinstalled Win8), then it will refuse to boot with SB disabled; but, if you install it with SB disabled, it will have no problems with booting with SB disabled.
>>>
>>> I emphasize the part "the way I see it" - I have no SB machine, so I'm not capable of testing that assumption, but if I'm right, then SB is nothing more than a little, not really important obstacle when installing other OSes, as I tend to purge the preinstalled version of Windows on every new computer I get anyway, to get rid of manufacturer's crap preinstalled with it.
>>
>> I expect that it'll just be a simple enable/disable option in the firmware configuration screen.
>
> Well, I just remember that either someone told me so, or I read that somewhere, that "Windows 8 will fail to boot with SB disabled, as long as it was installed with it *enabled*", but I cannot remember who/where that was.

I think I misread your previous post - "when you install Windows when Secure Boot (SB) is enabled, then it (UEFI) will refuse to boot with SB disabled" rather than "when you install Windows when Secure Boot (SB) is enabled, then it (Windows) will refuse to boot with SB disabled".

You're probably right. E.g. if Windows was installed with SB enabled, then the user can disable SB and install/boot another OS, but would have to enable SB again before booting Windows again.


Cheers,

Brendan

Re: Secure Boot (was Sparrow OS)

Post by SparrowOS »

Do you guys want to file a class action anti-monopoly suit?

Re: Secure Boot (was Sparrow OS)

Post by Brendan »

Hi,
SparrowOS wrote:
> Do you guys want to file a class action anti-monopoly suit?

For ARM systems, Microsoft doesn't have a monopoly and can therefore do anything.

For 80x86, you'd have to show that Microsoft themselves have used their monopoly to prevent competition. Please note that Microsoft can show that they have helped other OSs support secure boot (e.g. by providing a service that allows Linux/Debian/Red Hat to use Microsoft's digital signature) and have requested that hardware manufacturers make sure secure boot can be disabled (so that other OSs that don't support secure boot aren't locked out).

Basically; you'd have to prove that Microsoft (who don't make 80x86 hardware or firmware themselves) have coerced 80x86 hardware manufacturer/s into preventing competing OSs from working. This would include proving that any hardware manufacturers that have prevented other competing OSs from working didn't do it voluntarily.


Cheers,

Brendan

Re: Secure Boot (was Sparrow OS)

Post by Brendan »

Hi,
SparrowOS wrote:
> Why are you so happy about Win8 Brendan?

I'm happy about the new "Metro" user interface in Windows 8, because I don't think desktop/laptop users will like it and these people will be more likely to try alternative OSs. I'm also happy about the new "Windows Store" because some people won't like that either. In addition, I'm happy about the confusion that "Windows RT" (Windows 8 for ARM) is going to cause, because when people realise they can't run normal/existing (80x86) Windows software on ARM they're going to start wondering why they chose (a version of) Windows in the first place.

For secure boot, I'm justifiably sceptical. I would like to use it to ensure that my own OS is secure, partly because I don't trust Windows (for example, without secure boot a virus running on Windows could infect my OS's boot code). Unfortunately I don't know how hardware/firmware manufacturers will implement secure boot and therefore don't know if supporting it will be easy or if it'll be a massive nightmare. I suspect it will be a pain in the neck, but if OS development was easy it would bore me and I'd probably start writing OpenGL games instead.


Cheers,

Brendan

bluemoon
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: Secure Boot (was Sparrow OS)

Post by bluemoon »

Sue Microsoft? Come on, that's crazy talk. Law is their core business.