Windows-Linux community afraid "Verdongelung"

Windows-Linux community afraid "Verdongelung"

Windows 8 brings new functionality including the Secure Boot , blocked on the PC motherboards and notebook computers with the latest versions from 2.3.1 to UEFI boot unsigned bootloader. Secure Boot is active, can be started so no Linux, if it does not bring the necessary signatures, and the owner or administrator of each computer explicitly allowed for the device was.

This is precisely the intention of Secure Boot: The system should be protected from access by other operating systems, so that is not about spying a thief data by booting from a stolen PC, for example a USB stick. In addition to Secure Boot also detect tampering of the operating system code in order to reveal infection with malware. Secure boat requires that all firmware and software that is needed for the boot process - ie non-boot loaders as well as UEFI drivers for onboard components and cards - a trusted certificate signatures Auhthorities (trusted CAs) to pay.

The Linux developer Matthew Garrett is concerned, however, that UEFI Boot Secure prevents the installation of Linux on to protected systems. He sees the one hand, difficulties in the fact that not all PC makers are actually willing to deposit keys signed for Linux software in the UEFI firmware of their products. On the other hand, he expected problems already at the GRUB 2: This is under the GPLv3 license, which expressly require that such keys are released. Presumably, however, would also have the Linux kernel to be signed, what is required for custom compiled kernel large additional expense.

With reference  on a presentation (PowerPoint pptx) file, which was shown on the Windows developer conference build goes Garrett assumes that all client systems - desktop PCs, notebooks, tablet - with Windows-8 UEFI logo must support Secure Boot and this feature must be activated. At least the second requirement follows from this presentation but not necessarily: it could also be provided so that the function can be explicitly enabled by the owner or administrator of the computer needs. Also assumed that most UEFI-capable systems, they have come to invite at least optionally a Compatibility Support Module (CSM), which enables the start of operating systems in BIOS mode, if only because this is a mandatory requirement for the installation of 32-bit Windows: In the UEFI mode allows only the x64 versions of Windows since Vista install. Microsoft refers to systems that can alternatively start the UEFI and BIOS mode, Class 2 (Class 2) systems, those without CSM belong to the class 3

However, it is not clear under what conditions, multiple operating systems, some of them in the UEFI and start other in BIOS mode, install it on the same hard drive - that might complicate the parallel installation on notebooks, tablets and other devices with only one mass storage device. At least the announced Windows Mobile-8 computer with ARM SoCs it ever will exist only in 3-class versions. In these devices, Microsoft plans to increase the security of the platform by the fact that there is provision under the Metro-surface excluding the installation of tested and signed apps from the App Store.

Another difficulty for the launch of alternative operating systems could result from the full encryption of hard disks with TCG Opal or BitLocker, bring if the boot loader functions are required to self-encrypting drives (Self-Encrypting Drives / SEDs) to be a key.