Discussion in 'Windows 8' started by B8, Oct 14, 2011.
all Windows 8 OEM need UEFI ?
I shall let Yen do the translation of this, Google translate is ok but not as good as a native speaker . However the one thing i did pick from the converstation was that windows will refuse to boot if the bootloader is compromised in any way. Im pretty sure we were all aware of that anyway. The whole process is going to be down to digital signature's and that's no easy process to get around.
So we will emulate uefi instead of bios slic ;c)
If this is true then someone in the linux community will come up with an exploit.
If OEM activation is locked down to UEFI only then older systems using the legacy BIOS won't be able to activate via the OEM channel. It's not something that can be emulated either.
The news posted could be wrong of course because Falck seems to be quoting what he's read online and Kurim just takes a guess
It seems that web site is offline now, but the quoted posts aren't anything new. Windows 8 certified OEM systems will require UEFI and the possibility of secure boot, MS said that at BUILD. Unsigned boot loaders are only prevented if secure boot is enabled, but that's up to the OEM.
No point for MS in going to all this trouble if oem win8 will be permitted to boot without secure boot enabled. So what the OEMs do (provide/not provide switch) may be irrelevant.
You need to login to view this posts content.
It sounds like you are up for the challenge Nononsence. I guess anything that can be done , can be undone or emulated ! We will see soon enough I guess .
Let's not forget DUET, the EDK2 EFI-on-BIOS emulator...
* Removed *
Have MS really managed to lock it down that tight ? Surely KMS will be due for a shake up too ?
one has to wonder if MS have really achieved a secure OS, if so then in all honesty they should be congratulated. However, I find it difficult to believe that there isn't a flaw somewhere ?
As Microsoft already said Secure Boot is a must have with UEFI for OEM's, but the Ability to Disable Secure Boot is not, but it's kind of hard to expect OEM's to add a option to disable it (on Desktops) they might be more open on Laptops as you can not custom build a laptop yourself unlike a Desktop, adding a option might mean for lot of "noobs" that the first thing they do is Disable Secure Boot even though they are not installing Linux or anything else..
Sure it's a loss for the consumer when he wants to install a 3rd party bootloader that isn't signed, but in the end GRUB etc can be Signed no? or does this GPL License not allow software to be digitally signed? ~.~
At least i don't see any real reason for something like Ubuntu to stop working on such PC's where you can not disable Secure Boot, behind Ubuntu is a million dollar company (a rich dude), they easily can afford a digital signature... and heck if GRUB blocks them from doing so they just write their own or use another.
Secure Boot is a UEFI 2.3.1 Standard (too recent), It's not on any Mainboard yet, but when it is then this Secure Boot feature can be used by any OS, Windows will just make use of it.
I'm not exactly sure what's discussed here... cause well you know.. if you buy a PC from a OEM then... there is no reason to even try a Loader or whatever as it's a legit OEM PC.. so what is this talk about?
And on any "DIY" Mobo this feature will be available as well but i doubt it will ever by Activated by default unlike OEM machines which will have this Activated by Default.
For now let's just take it as it comes, cause it still doesn't matter at all, if you can somehow get a slic emulated on UEFI then it can be done in W8 as well if it's still the same Method we have now, just new Algo = new keys/certs
I can tell you exactly what's this talk about:
If OEM_SLP needs a signed boot environment then it means when buying a preinstalled OEM PC you have a either or situation. You cannot dualboot a w8 OEM_SLP license with a unsigned bootloader. To activate w8 via SLP channel you need to mimic the specifications of OA3.0, of course not install a loader on a legit machine.
The problem with grub2 :If grub should become digitally signed the signature key must become public, it's a GPLv3-License
We don't know the specifications of OA3.0 and if secure boot is included. Also remember one thing, Intel EFI has already a signed area. Until now nobody was able to modify (SLIC) such a EFI. (Except with the leaked official tool).
The question will be, is it possible to mimic the situation for OA3.0?
One thing is clear to me already, OA3.0 will be implemented into UEFI only. Also OA will use specifications of the EFI. OA2.x uses ACPI specifications. OA3.0 could check for GPT. To update the UEFI to 2.3.1 is just a BIOS update away.
I have to agree with Daz. The OEM channel can become difficult...
Daz: That is assuming that a TPM will also be a requirement. From what I've heard, it isn't - and a software-based implementation without TPM should be emulatable.
And if a TPM will be required - I bet you can foresee the reaction of consumer groups. See what happened to Vista and Palladium.
If MS is going to force OEMs to enable it by default then the linux community will be angry. But it's sure that they are going to enable it. So maybe they'll add an option to go from windows bootloader (signed) to grub (unsigned) and than to linux. I simple "I trust this bootloader" button could do the trick. When the users trusts the bootloader to activate the system windows can't really say much about the mallware part. Then it's just a matter of encryption and hiding stuff like windows loader does now.
I have read something about a similar possibility: A password to confirm to load an unsigned boot loader if detected.
W8 has detected an unsigned bootloader, make sure you can trust the publisher: W8 loader by Daz. Then enter password to confirm.
The only right 'solution' is to ditch w8