Really ? I would be more inclined to think that those behind the scenes at Red Hat probably disagree with the way the UEFI forum is heading, hence their lack of involvement.
Well, in my honest opinion, those people are very wrong. The changing from BIOS to UEFI is a major impact within the IT industry. Eventually this will also have impact on servers. Red Hat sells his product and services to Fortune 500 companies. By being at the UEFI Forum, they can influence what is happening. Also they can reassure the Open Source community. IMHO, it is just like politics, if you do note vote then do not complain about the politicians.
Hi, I'm new. I've read this entire thread and several linked documents. This is what I learned... With the EU rules as they are, there won't be any hard wired Windows only machines. That would require manufactures to make 2 version of every motherboard. Not going to happen. Since Secure Boot can be disabled by the user, the only time that MS can enforce UEFI and Secure Boot is at install time by the OEM. Or more specifically, at the install time of the OEM key. The retail and upgrade versions will be indifferent to Secure Boot and UEFI. TPM costs extra and is primarily aimed at businesses not consumers. Anyone can join the UEFI forum without any cost. MS is only concerned with the Windows boot loader. MS doesn't care about GPL'd boot loaders and Secure Boot, it's their problem.
That's not the point. The point isn't the change from BIOS to UEFI. The point is that Red Hat would have had to vote against the secure boot protocol implementation. It's an odd situation. M$ and Intel and all the other dictators just would argue that there is no valid argument against MORE SECURITY. And everybody would say yes, there is no. Their real intention is not security, it is to control. To sign the bootloader and only to run them, that is the point! These all are measures to eliminate competition. This is also the same arguing to fool the customers. They say now everything will be more secure with UEFI, telling horror stories about malware. In fact they want you, your money. They want you to tie to windows OS. Also the fact that windows even runs with a BIOS. If my honest intention would be security, then I have to care about all licenses! W8 retail as well. But they cannot, w8 retail would then run with UEFI only. Haha money is more important to m$ than your 'security'! I hope the customer is clever enough to say no to a OEM machine which is not able to disable the secure boot protocol. IMHO on a OEM machine which cannot disable the secure boot option there must be a sticker: This is a M$ monopolist machine. You are restricted to use our OS only. Thank you for your stupidity. With stupidity we always have and will make money.
Hi and welcome to MDL. If secure boot can't be disabled, it will be a windows only machine. (grub2 bootloader is open source, means signing key must be public). Just supply 2 different UEFI images for the same motherboard (one can disable, the other cannot), both are individually signed.
Yen, they could have also demanded/asked that the Secure Boot protocol always has the option to be disabled. Thus allowing other operating systems to be installed. But standing on the sideline and then complaining about it, isn't an effective option to use. History has proved that time after time. And yes, secure boot is about control and security. Security in the sense that the boot of any operating system can be safe. At the moment Apple, Microsoft and Unix-versions (under BSD-license) are the one that can benefit from it. Control, ofcourse, controlling that the operating system will start-up as it is made. Thus not allowing anything else to intervene in the boot-proces. But to make sure, I am not a fan of secure boot only for consumers. I do see it as an option for enterprise systems.
I never saw a disable requirement written at a specification paper. But your are right. They should be a member of the UEFI forums. To me secure boot has nothing to do with a signed bootloader. I am sorry. If you sign something there must be someone who is allowed to sign. Who has the right to say something is trustworthy? It can be the PC owner only! The owner can setup his system and then to sign it by himself. Any alternation then would be detected anyway.
If you look at it from the manufactures' point of view - while they can do it, there is no valid reason to make 2 different UEFI images for the same board. It would only cost them money to implement and maintain without any benefit. They must have different boxes, different artwork, different warehouse space... Different enough so that Win only boards don't get accidentally shipped to the EU. As an aside, the board I'm using right now boots up bragging that it's EU compliant. I'm in Nashville Tennessee. maps.google.com/maps?q=Nashville+Tennessee Making a Windows only machine would create negative goodwill for that OEM - which would impact sales. The only reason to make a Win only machine is to protect MS's bottom line. I don't really think that the OEMs care that much about MS and their bottom line. OEMs are interested in increasing their own profit. They achieve this by lowering costs, and increasing sales. A Windows only machine doesn't fit well into that OEM business model. Ok, it's possible, but stupid. This is really a non-issue because the boards and machines that you and I buy will not be Windows only. So, the real questions are: Will we still be able to use custom loaders to load W8? Yes. Will we still be able to authenticate? Yes, although it may take a little time to figger out how. I'm sure that the plethora of people like DAZ are up for the challenge.
It's already common practice. Lenovo for instance has Notebooks which are sold as free OS version and the same model comes with a preinstalled license of windows. To do so costs not much and is easy to realize. The BIOS of such a machine has a ROM hole (zero byte area), exactly of the same size as the marker data. B6h. (The marker is the second part of a valid SLIC.) This means by just applying the standard BIOS, which also comes with any BIOS update is not able to activate windows. The OEMs have created little marker tools (some have been leaked and a are available at MDL) which easily can apply the lacking second part of the SLIC to create a licensed version. The place where the marker is stored resists at any further BIOS update to remain the license after every BIOS update that has been made. So to license only some of the same models is absolutely no problem. Every device must be tested before it can be sold to guarantee functionality and quality. You simply have to add the licensing step, also you simply can add or remove the disable option by setting a flag. I am not sure if it would be a problem to sell windows only OEM machines which come with a preistalled windows. HTC at smart phones has had locked bootloaders as well and the EU didn't complain about. If the customer is informed about and it's clearly declared that on the machine runs w8 only, it should be no problem. Anyway I never would buy such a device. IMHO Regarding OA3.0 I think you are too optimistic. OA3.0 has to have secure boot enabled and will skip any unsigned boot loader (it seems to me, not confirmed, though). If m$ should be clever then they put the license into the UEFI image itself and verifies it there, at a signed area.
Yeah, I suppose applying the SLIC is pretty much the same task as applying the serial number in their mainboard production line, it's not gonna be much effort to have some flashed with SLIC and some without. Lenovo do mess up on mainboard replacements though, I've seen a few Windows-free systems (which came without SLIC) getting a replacement mainboard that included a valid SLIC.
I guess most 'common' users don't notice about that, since they don't know how OEM activation works. Also most don't know that all preinstalled PCs can activate the ultimate version. M$ has started to provide a package to the OEMs. It seems it will become true. OA3.0 uses secure boot.
So when you buy a new system you will have to enter the code to activate it online. No doubt that will also support phone activation too for people who can't get an Internet connection. What's most odd is that it says the OS will be pre-installed to the systems BIOS. If the key was OEM SLP then you could "squirt" that single key into the UEFI firmware and use that firmware on every system that supports it. However, the quote above says that each system will require "individual attention" which suggests that the keys are no longer shared keys that millions of people can use.
We don't yet know everything about OA 3.0 so it's hard to say what checks Windows 8 performs. What we do know is that UEFI can have a loader inject a SLIC which is all good, but if we can't share keys because they'll get blocked by MS then both loaders and BIOS mods are going to be useless. I've already mentioned how I think Windows 8 will get pirated
How the update is being done doesn't really matter. If you update for pirating, something must have changed to the rom file you're flashing, it has to have some extra things that the original one doesn't have. So it's easy then: the hash you get by decrypting the signature with the public key won't match the hash of the actual file (which is the file minus the signature). The nice result is that the existing UEFI will notice this and f**ks you But that made me thinking (again) and there might possibly be a workaround: If you flash from within UEFI (such as asus easy flash stuff) I suppose that the existing UEFI will first check the signature, right? But what happens if UEFI is flashed by an external tool (like winphlash is for bioses), is it UEFI that checks the signature of the flash file or the tool? If it's the tool that checks it than the tool can be hacked to ignore invalid signatures. This opens the door to flashing modded rom images. Next step is that UEFI might check it's own sig during bootup. But can UEFI roms be decompiled? Even asm would be good enough. If uefi checks itself it has to have a public key used to decrypt the signature and get the hash. SO: we make our own public/private keypair, replace the existing public key for the signature check in the UEFI, sign the UEFI with our private key. And abracadabrasimsalabim: modded UEFI boots, finds his own signature signed with our private key, also finds our public key, decrypts the sig with that public key, hashes match -> UEFI is HAPPY! And when we can mod UEFI this way we can add any other key to the bootloader whitelist. Of course you again have to use the hacked tool to go back to official roms now, cause UEFI will now see the official signatures as being invalid, but who cares?? Or am I missing something? This is the weakness of asymmetrical encryption. It relies on the fact that the public key is known by everyone, and one can easily verify he has the correct key. UEFI only knows the key that's somewhere on the machine. If we change that key UEFI gets misled cause it is convinced that our key is the correct one while in fact is isn't.