Linux camp has key to Windows 8 boot lockout

Oct 14, 2012 by Nancy Owano report
(Phys.org)—Microsoft's rocky reputation with the open source community was not exactly obliterated by hardware news surrounding the upcoming launch of its operating system, Windows 8. Systems will come with Secure Boot enabled in the Unified Extensible Firmware Interface (UEFI). Only operating systems with an appropriate digital signature will be able to boot. The worry was that only Windows 8 will run on these systems. Users would find it hard to boot non-Microsoft operating systems. UEFI defines a software interface between an operating system and platform firmware.

Numerous PCs designed for the mass market will be labeled with Windows 8, which in turn has led many users to think these are tough times for Linux users who want to boot their favorite Linux flavors. Some see this as a way for Microsoft simply to ensure security over its machines, while others see it as a way for Microsoft to push Linux distributions to the back of the line.

Systems carrying the Designed for Windows 8 label that include Secure Boot can stop unsigned code such as malware from running during the boot process. Any operating system will also be prevented from running if it doesn't have the approved bootloader.

Open source advocates recognize that UEFI has its security merits. Earlier this year, Olaf Kirch, director of the SUSE Linux Enterprise department in SUSE Engineering, called UEFI Secure Boot a useful technology, as it makes life more difficult for attackers to hide a rootkit in the boot chain. At the same time, he said, the basics of its operation, establishing a single root of trust, "conflict with the principles of Open Source development, which must be independent and distributed to work."

Outside Microsoft, big name vendors have been responding with workarounds. Leading Linux names, Canonical, Red Hat, and SUSE have been working on ways that allow their distributions to boot on Windows 8-certified hardware.

The Linux Foundation, meanwhile, has come up with a plan to bypass the problem presented by Secure Boot, so that users of other operating systems can continue to boot on hardware certified for Windows 8. The foundation has announced it will obtain a key from Microsoft and sign a small pre-bootloader. This will allow the booting of any operating system. In a guest post, James Bottomley of the Linux Foundation Technical Advisory Board talked about the move. "In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)."

This will be a general purpose solution, not just for Linux. The key would not directly enable booting but instead would transfer control to another bootloader to boot an operating system. As such, the workaround is called the "pre-bootloader." The pre-bootloader goes past the Secure Boot process. A bootloader such as GRUB2 then takes over and handles the OS booting.

According to the Foundation, all the work is left to the real bootloader which "must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2)."

Once the pre-bootloader is run, the user can boot any OS without having to worry about Secure Boot lockouts. As for the risk that it will turn out to be a vector for malware, the pre-bootloader can be used to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution. The pre-bootloader will involve a "present user test." Someone must be present at boot time to confirm the user wants a particular OS to run. After the pre-bootloader carries out its work, it will wait for a prompt from a user before continuing. The user test removes the fear that it can be used to carry malware.
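
A minimal model of the boot chain described above, added here as an illustration (it is not Linux Foundation code). The firmware check is simplified to a SHA-256 allowlist standing in for signature verification, and the file name preloader.efi, the image bytes and the baseline comparison are assumptions; only loader.efi comes from the article. It shows that verification stops at the pre-bootloader, so loader.efi is guarded by the present-user test alone unless its hash is tracked separately.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def firmware_verify(image: bytes, db: set) -> bool:
    """Secure Boot stage: run an image only if the firmware trusts it.
    Simplification: a hash allowlist stands in for a signature check."""
    return digest(image) in db

def pre_bootloader(esp: dict, user_present: bool) -> str:
    """Chain-load loader.efi from the same partition with no signature
    check, gated only by the present-user test."""
    loader = esp.get("loader.efi")
    if loader is None:
        return "halt: loader.efi missing"
    if not user_present:
        return "halt: no user confirmation"
    return "boot:" + digest(loader)

def boot(esp: dict, db: set, user_present: bool) -> str:
    # preloader.efi is a hypothetical name for the signed pre-bootloader.
    if not firmware_verify(esp["preloader.efi"], db):
        return "halt: firmware rejected pre-bootloader"
    return pre_bootloader(esp, user_present)

def loader_changed(esp: dict, baseline: str) -> bool:
    """Defender-side check (an assumption, not part of the announced
    design): compare loader.efi with a hash recorded at install time."""
    return digest(esp["loader.efi"]) != baseline

# Constructed sample images (placeholder bytes, not real EFI binaries).
PRELOADER = b"constructed pre-bootloader image"
GRUB = b"constructed GRUB2 image"
DB = {digest(PRELOADER)}
ESP = {"preloader.efi": PRELOADER, "loader.efi": GRUB}
BASELINE = digest(GRUB)

if __name__ == "__main__":
    swapped = dict(ESP)
    swapped["loader.efi"] = b"constructed replacement image"
    print(boot(ESP, DB, user_present=True))       # normal boot
    print(boot(swapped, DB, user_present=True))   # boots: loader.efi is unchecked
    print(boot(swapped, DB, user_present=False))  # unattended boot halts
    print(loader_changed(swapped, BASELINE))      # baseline flags the swap
```
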

More information: www.linuxfoundation.org/news-m… t-system-open-source

User comments : 22

Bowler_4007
5 / 5 (3) Oct 14, 2012
it's about f#*&ing time that something like this was brought into computers/phones but if M$ think they can use it to take control of the phone market i think they will be sorely disappointed
evropej
3.4 / 5 (5) Oct 14, 2012
Windows 8 is already secure, no one will be able to use it with such a horrible interface. PC industry will quickly realize where the user base is and will tailor hardware to meet the masses. I have used windows for a long time but MS is lost in la la land right now and forgot there are users who have their needs.
kochevnik
3.4 / 5 (10) Oct 14, 2012
Every even version of winblows is stillborn. Everything is going according to plan. Then the suits will pine for winblows 9 to fix all the crap and micro$oft will have sold their os twice.
VendicarD
1 / 5 (4) Oct 15, 2012
Linux community will obtain a key and write a boot loader that will then be able to boot malware.

That is the solution.
defactoseven
not rated yet Oct 15, 2012
Linux community will obtain a key and write a boot loader that will then be able to boot malware.


Malware that at least won't affect the host, just other MS computers it comes in contact with. :)
YouAreRight
5 / 5 (3) Oct 15, 2012
Any attempt to add a security feature that annoys the hell out of people, is pointless, as it will just be disabled. How many people disabled UAC in Windows Vista/7 because it was a pain?

For workstations and phones the additional security in UEFI should be well received. For Linux servers, it would be a pain in the butt, having to drive all over town, pressing a key on a keyboard, after a power failure causes 50 servers to reboot.

Please excuse my excessive use of comma's.
dtxx
1 / 5 (1) Oct 15, 2012
Why not just use TPM... Sure there are some concerns with TPM such as certain software being locked out that the manufacturer chooses, but that's hypothetical. With secure boot you know for sure MS will try to block at least some software, such as free OSs.
gwrede
1 / 5 (1) Oct 15, 2012
I can't decide whether to ROTFLMAO or to weep. This is both so hilarious and so profoundly pathetic. But hey, not unexpected.

And to top it all, I can just imagine the look on some M$ folks' faces when the FOSS camp simply decided to get a key. I'm still giggling.

But then, I expect M$ to counter with legal gymnastics to the tune of "we don't have to sell them the key", or something about unintended use of hardware that has officially and contractually been restricted to only software (read, OS) from a single vendor. And patents and other land mines thwarting the world.

How about import restrictions to hardware that doesn't contain this W8 thing? Or even blockades of the entire vendors. These are (again) interesting times. But this time for all the wrong reasons.
visual
not rated yet Oct 15, 2012
Having to press a key in order to boot Linux is still not a good solution. Expect mass EFI flashing with versions that (have the option to ?) disable Secure Boot.
Osiris1
3 / 5 (2) Oct 15, 2012
micro$ has tried to ruin Linux many times before. Micro$ was the secret 50% partner of SCO 'unix' when its business model was to sue and sue even its own customers. Did not work then. Will by-passing this 'secure boot model' run the risk of the by-passer being arrested for 'hacking a security system'?
clifty
5 / 5 (2) Oct 15, 2012
who cares. vote with your wallets. i've stopped buying machines with windows preloaded and so should you.
HDMIjason
not rated yet Oct 15, 2012
My concern is once booted into your favorite distro, will you still be able to access files on your Windows 8 drives?
PPihkala
5 / 5 (1) Oct 15, 2012
For Linux servers, it would be a pain in the butt, having to drive all over town, pressing a key on a keyboard, after a power failure causes 50 servers to reboot.

One just needs to buy a new keyboard that after reset will issue any needed keystrokes. Or alternatively other dongle into keyboard cable that does the same thing. Or `fake` keyboard plugged into any free USB port to give those keys after reset. When mass produced such dongles would be inexpensive.
El_Nose
not rated yet Oct 15, 2012
But since Linux is open source and in turn 99% of all the binaries it uses and loads -- then this key is essentially in the public domain. So malware needs to load not only a rootkit but a root bootloader that can load NTFS. It makes for a more sophisticated virus maker. I suspect that this will take only slightly longer than a 5 year old trying to read this article. Mind you most 5 year olds have attention span issues, and don't like acronyms or big words.
krundoloss
not rated yet Oct 15, 2012
The cat and mouse game continues. Mainstream computers will NEVER be truly secure, because either the software they run or the users that operate them are flawed and can be circumvented. It's nice to see some attempt at stopping rootkits and MBR viruses. Sadly, malware makers make MONEY, so they will never stop and they will ALWAYS find a way to infect systems, because they get PAID to do it. As far as having difficulty installing linux on a Windows 8 machine, it will be ok, Linux experts will always find a way. And yes, Windows 8 is stupid because you cannot run a tablet OS on a Desktop, just as you wouldn't run a Desktop OS on a Tablet. Get with it, it takes two types of OS's to fit on tablets and desktops.
Bowler_4007
2 / 5 (4) Oct 15, 2012
Every even version of winblows is stillborn. Everything is going according to plan. Then the suits will pine for winblows 9 to fix all the crap and micro$oft will have sold their os twice.

1/5 star for your 'stillborn' metaphor you twisted fuck

8 1 star votes, so everyone thinks it's alright to use the word stillborn out of context and basically as a weapon? I know some people who had stillborns and it's bad enough that people fight on these articles without people using inappropriate and upsetting words like that
PinkElephant
4.5 / 5 (2) Oct 15, 2012
so everyone thinks it's alright to use the word stillborn out of context and basically as a weapon
Your ginned-up objections to weapon-words are stillborn, "you twisted fuck" (not to mention, hypocrite.)

Just because you have some kind of a Pavlovian knee-jerk paroxysm in connection with that word, doesn't mean everyone else should suddenly censor themselves to keep your neurotic psychoses from exploding.

FYI:

http://dictionary...born?s=t

(the word has another definition, in addition to the one you found oh-so-inflammatory, which fits perfectly with the original usage that oh-so-offended your demented sensibilities.)
PinkElephant
not rated yet Oct 15, 2012
On a more relevant note, I find the Linux "solution" to the security threat from malware somehow less than impressive.

So what if the user has to push on a key? How does the user know that the bootloader about to be activated, hasn't been tampered with (or replaced) by malware? After all, the above article explicitly mentions that the "work-around" pre-bootloader will make no signature checks on the thing it's passing control over to.

This "solution" is incredibly naive, in the best tradition of FOSS.

Probably a better approach would have been to hardware-protect the boot sector, so that anything written to it must have been pre-encrypted with a correct private key (and gets auto-decrypted on-write with the correct public key). That way, hackers would need to have first obtained the secret key before they could overwrite any part of the bootloader.
Bowler_4007
2.5 / 5 (2) Oct 15, 2012
so everyone thinks it's alright to use the word stillborn out of context and basically as a weapon
Your ginned-up objections to weapon-words are stillborn, "you twisted fuck" (not to mention, hypocrite.)

Just because you have some kind of a Pavlovian knee-jerk paroxysm in connection with that word, doesn't mean everyone else should suddenly censor themselves to keep your neurotic psychoses from exploding.

FYI:

http://dictionary...born?s=t

(the word has another definition, in addition to the one you found oh-so-inflammatory, which fits perfectly with the original usage that oh-so-offended your demented sensibilities.)

Any normal person that doesn't know of the word's second meaning would feel the same as I did, but point taken, as a compromise kochevnik if you were implying the second meaning then sorry
kochevnik
1 / 5 (1) Oct 16, 2012
@Bowler_4007 ...it's bad enough that people fight on these articles without people using inappropriate and upsetting words like that
If you don't like the word, stop eating meat which encourages large litters where there aren't enough nutrients for all to survive. Also stop eating eggs!
Bowler_4007
1 / 5 (1) Oct 16, 2012
@Bowler_4007 ...it's bad enough that people fight on these articles without people using inappropriate and upsetting words like that
If you don't like the word, stop eating meat which encourages large litters where there aren't enough nutrients for all to survive. Also stop eating eggs!

I have given you a conditional apology and explained my reaction, if you don't like the response you got then don't use such controversial misunderstood words, your latest response only enforces the feeling that you intended the first definition in the earlier link
Bowler_4007
1 / 5 (1) Oct 16, 2012
Btw if you consider the versions in order of release I think you'll find you were wrong 3.1, 3.11 (I never used these two so I dunno), 95 (successful as far as I know), 98 (definitely successful), ME (failed badly), 2000 (successful), Xp (a lot of patches but still successful), Vista (failed), 7 (awesome OS, definitely a success), 8 (dunno yet but due to its multi platform support it could go either way)... the even versions start at the 2nd release so that's 3.11, 98, 2000 or Me, Xp, 7 oh and to continue further we have to wait till a successor to 8 which makes your original comment redundant and wrong because even though 8 is an even number Windows 8 doesn't take an even numbered place in the release list