I think the real issue with this is that it stops manufacturers from bundling Windows RT with Android. Take Asus for example. They've just made their "big" announcement which everyone thought it would be a dual-booting Windows RT/Android machine, and it turns out it's just Windows with the Bluestacks program that can make it run Android apps inside Windows.
I find that pretty silly, and I don't see a real reason why they didn't just make the machine dual-boot both Windows and Android. If users want Android apps inside Windows, they can download Bluestacks themselves. So the only explanation is that Microsoft is coercing manufacturers into not allowing Android or other OS's alongside Windows.
If they are doing this now, and more Linux vendors start asking for Microsoft's "permission" to boot their OS on the Windows machines with UEFI, what's to stop Microsoft from denying a UEFI license to someone who's starting to become a "real" competitor to Windows (like Android is, in some cases)? What if Ubuntu gets to 10% market share in the next 5 years, and keeps growing? Will they keep giving Canonical the UEFI license? What's guaranteeing that they will, if they are already banning Android from the Windows RT machines?
You're absolutely right. This announcement is all about money more than OS religion.
The expectation and Microsoft's fear was that manufacturers would take the marketing money (i.e. the Win8 subsidy) that Microsoft is paying out the wazoo and hedge OS bets by also including Android. Acer and Asus don't care what OS they run so long as it keeps them in the race against Apple. They're happy to let Microsoft pay them money to market their devices if it means they have to include "apps" (and in this case app := OS).
Microsoft wasn't willing to subsidize devices that run Android because it views Android as a competitor rather than an enemy-of-my-enemy. Given Apple's clear cost advantage, it would have been interesting to see such a Android+Win8+subsidy bet play out. Microsoft might have been able to dislodge marketshare enough during the year that Microsoft comes out ahead next year with SP1. Alas, the business case will slightly less interesting.
>I think the real issue with this is that it stops manufacturers from bundling Windows RT with Android. Take Asus for example. They've just made their "big" announcement which everyone thought it would be a dual-booting Windows RT/Android machine, and it turns out it's just Windows with the Bluestacks program that can make it run Android apps inside Windows.
Everyone thought something that everyone else knew wouldn't happen from about 6 months? That article you submitted is from January.
Also, do you have any references to everyone thinking Asus's big announcement will be an Windows RT/Android hybrid?
The quotations say nothing of the sort. A vendor could provide a dual-boot device providing they have an Android bootloader signed with Microsoft's signing key, which is a service that Microsoft will be providing.
A more open question is whether any of the existing Linux vendors will be doing this. Fedora is willing to use Microsoft's signing service for x86 because users will be able to disable the feature or enrol their own keys. We're not willing to do that for ARM because users won't have that freedom and so wouldn't be able to replace components like the kernel.
>"A more open question is whether any of the existing Linux vendors will be doing this."
The Market Economics Fairy predicts that they will not given the limited number of people who are interested in dual booting a tablet and the diversity of device configurations likely to be manufactured.
edit: I'm sorry to see the child comment downvoted. I am under the impression that user key enrollment is disallowed, but I'm actually not seeing an mechanism by which Microsoft can prevent the signature of ARM based bootloaders.
That having been said, I don't completely understand ARM devices to know if it's plausible to sign an ARM bootloader with the MS key.
edit2: The person y'all downvoted is the guy who wrote the blogpost outlining the Fedora way of handling this issue: http://mjg59.dreamwidth.org/12368.html
I've said this before and I'll say it again: Microsoft isn't doing this to ban Ubuntu / Linux in general, but to prevent Android from spreading. With ICS being a great OS, many (tech) folks would simply dual-boot ICS on their WinRT devices.
Along with their apparent restriction of the 'desktop' on arm, this is the reason I lost interest in windows8 on arm. So far a linux + android solution (like ubuntu have demonstrated) seems more powerful and very will also have more apps to start (way to go throw away windows' advantage #1).
It seems quite short-sighted, too, as I see ARM as being a viable laptop platform in the life of windows 8, but MS are restricting it to 'device' status.
Maybe it is the right time to make all this rage converge into contributions to coreboot [1]. A free working alternative is the only practical way out of this future kind of subjection.
Google has already contributed core for some current Ivy Bridge chipsets. It would be nice if coreboot received more testing and development from a broader audience.
Coreboot is a good thing, but it's going to be hard to succeed without hardware vendor support, and that will be hard to build unless people actually want the product.
I work for a VAR. Our preferred vendor was one of the first to market with motherboards that expressly supported Coreboot. We're supporters of OSS, and so are our customers, so we figured that they'd be popular.
We sold only a handful over about two years. Our competitors didn't seem to have much more success, as our vendor didn't continue the experiment into the following motherboard generations.
The problem is not the availability of a free alternative. Hardware vendors could already simply choose not to implement secure boot - the default policy is a single configurable switch during the build. The problem is that vendors believe they can make more money by selling hardware that meets Microsoft's requirements. Coreboot doesn't do anything to help there.
We've yet to see any mobile device where running another OS than the bundled one have been anything but a nightmare. This is done everywhere, android manufacturers constantly try to lock users in their own android shell, not to mention apple.
These devices are not multipurpose devices, they are built for a specific purpose and tailormade for that and nothing else. It is not in any sense equivalent to desktop/laptop-computers. Which is kind of apparent considering the limitations that Windows Phone, Android and iOS amount to.
Since Microsoft have expressed that secure boot must be optional on x86 it is quite easy to justify this rationally without resorting to the popular "typical evil Microsoft tactics" argument.
These devices have chips which can run any algorithm you write. They are not hammers, or even calculators. They are computers. They also have GPS, motion sensors, cameras, and microphones. They are multipurpose enough to make phone calls, play games, run maps, and even power satellites: http://www.nasa.gov/mission_pages/station/main/spheres_smart...
>> Since Microsoft have expressed that secure boot must be optional on x86 it is quite easy to justify this rationally...
Why does doing the right thing in once place give them license to do the wrong thing in another?
I appreciate the security value of secure boot, but ONLY as far as its purpose is to serve the customer. Which means the customer must be able to disable it.
>This is done everywhere, android manufacturers constantly try to lock users in their own android shell, not to mention apple.
And people still jailbreak/root their devices for numerous reasons. If you buy something, you should be able to do what you want with it. Just because it's designed for one thing doesn't mean it can't do others.
Unlike on x86 where windows dominates on ARM there is a different story and linux dominates on ARM, they can lose some market share because of this policy but it seems that microsoft only cares to keep their old strategies no matter what times they live in.
I really don't care about the restrictions on tablets. I figure every OS will have a tablet or two available.
What really bothers me is that ARM-based laptops come under this crud. I have really wanted a modern day replacement for the Psion. Something that gets great battery life and has a decent keyboard. I also want to run a BSD (probably Open), so that is really going to make it a pain.
What's the difference between tablets and laptops? I don't see any differences when it comes to the ability to dual boot. The ASUS Transformer line has been around for a while now, showing that the line between tablet and laptop is blurring. Also, Canonical/Ubuntu seems to be gunning for tablet market share in the future. Do you think they'll have their own hardware?
I don't see any reason to separate out tablets and laptops when talking about dual booting, OS concerns, etc. A tablet is just a laptop with a touch screen and optional rather than mandatory keyboard.
You don't have to buy these machines. If you choose to buy it, you've bought a Windows 8 machine and have paid for it. It's not like MS promised you a dual-bootable machine and sold you a single-bootable machine. You know what you're getting, and you can choose whether or not it fits your needs.
Upshot: If you don't care that your hardware is certified, you don't have to implement secure boot in the way Microsoft requires for certification. You will probably have a few technical challenges, however.
Please take a moment to reflect on the current situation before launching the "corporate overlord" and related snark.
Many existing customers effectively do not own what they already have; their systems have been infested with malware and crapplications.
Locked-down bootstraps are the least-bad of a very bad lot of approaches available for dealing with the changes in the user base, and with the increasingly less-experienced and less-DIY users for modern systems.
Security attacks are only getting more subtle, complex and sophisticated. The Microsoft Terminal Server-derived Microsoft code-signing digital certificates is a recent example of the complexity of the environment.
How do you deal with these changes in attacks and with the changes in the user base otherwise, given the numbers of systems out there, and the changes in the knowledge and experience of the user base?
Do any of us like these locked-down bootstraps? Emphatically, no. So figure out another way to ensure this security, get yourself patent or three (and yes, software patents are issued for far too many years) and get yourself rich by solving this problem.
I personally don't see many bootloader attacks these days. Consider that SecureBoot only protects from attacks like this, after bootstraping it is upto the OS to ensure security. So purely from this, I don't think the tradeoffs are worth it. Once you have infastructure like this, it isn't hard for it to be misused (even with good intentions).
Anything that cannot boot from USB, SD card, or some externally connected media, should be approached with caution.
If you can boot from external media, then generally you can dual boot. Someone may have to show you how to prepare media for booting, but it's quite easy once you have been shown. Today's PC's all seem to have good support for booting from external media. Are we going to see this removed in ARM devices?
You do not have to shop for devices that have an "open" bootloader. You have to shop for devices that can boot from external media. (For today's PC's, that's quite easy.) If you have a device that can boot from external media, we can show how to do the rest.
Because the iOS policy is unethical (the machine belongs to the user, not apple), and now Microsoft is (attempting) to do it too.
The only way to stop unethical behavior is to punish them. The Library of Congress already ruled that this behavior is unethical, now manufacturers need to be pressured.
I would love to see an open bootloader for iDevices. However, I do think that there is a difference between Apple, a company who makes their own hardware and have chosen this strategy, and Microsoft, a company who tries to impose their strategy on others (device makers).
I assume Microsoft will want to have secure booting devices that ship with Windows, because Hollywood and other content producers require a secure OS so their DRM is safer. If they would allow non-secure boot, it might be difficult or impossible to get video and music content licensed from the major producers on the platform.
The real problem with that is that if Metro is successful on Windows 8, that also means that people will have to use only the Windows 8 store in the future, which also means that you won't be able to install apps from websites anymore, just from Microsoft's store. Then, they can just delete whatever apps they don't like or the apps RIAA and MPAA doesn't like.
It should be noted Secure Boot is not a DRM device in itself, it merely allows you to enforce a chain of trust for an OS to boot. The OS still needs to provide DRM functions itself.
Seems possible that there could be 2 options, a Windows option and an unlocked option. You'd think the Windows option would be more expensive. How many vendors are really set up for that?
Windows really took off because of this practice. Vendors would license it based upon total PCs sold, regardless of if they even had windows installed or the customers wanted it. It was so effective that the competition dried up and died in a remarkably short time. This was competition from IBM, you could lump some others in with it BeOS and maybe some early Linux but Big Blue had their ass handed to them which was remarkable. At the time there are a lot more (maybe, maybe not, it seemed like there were a lot more) tier 2 type vendors: name companies with support and such.
I'd argue MS doesn't know how to build market share other than with subsidies or lock-ins and that's what this is. If devs don't pick up Win8 pretty quickly, that ARM tablet isn't going to look so great, why wouldn't you want to try Android with its piles of apps? Then it puts the vendors in a very interesting bind, you have to pick which platform to support, a market leader (Android) or a product from a market leader in a different market. I don't remember the results of the anti-trust but I could see how this is designed to do the same thing but is different enough.
A handful of motherboards now come with 2 BIOS, I think I have an Asus mb with one that you can "tweak" and overclock and then like a failsafe backup. Something like that, maybe with a hardware jumper setting seems like the real solution for your vendors, but that adds some cost. Either that or Win8 just flops, industry wide, that seems like it might be the better solution. There will be win8 tablets at Walmart and Target and such though and million of less technical folks will buy them. I suspect dual boot is dead forever unless someone certifies some sort of kexec like application.
My speculation is so that ARM devices which take advantage of the Microsoft stack are suitable for a wider range of enterprise customers. Think HIPAA rather than "hip."
The article is much more complex than what it would look like from the title, but it is a good idea to keep the pressure on on Microsoft so that they might "soften their position", as is stated in the article.
The really troubling part of this is UEFI being used as a strong arm scam that depends on MS good will... how did things get to this point. On another point, they can "ban" whatever they want. They also didn't support Windows Phone 7 or allow Android and Ubuntu on my old trusty HTC HD2 and look at it go.
Plus, it is just like saying to a child that she cannot have the piece of cake in front of her, if it looks tasty it's going to be munched. Meaning, if the hardware will be good someone somewhere is going to shoe horn it independent of what MS wants.
[+] [-] mtgx|14 years ago|reply
I find that pretty silly, and I don't see a real reason why they didn't just make the machine dual-boot both Windows and Android. If users want Android apps inside Windows, they can download Bluestacks themselves. So the only explanation is that Microsoft is coercing manufacturers into not allowing Android or other OS's alongside Windows.
If they are doing this now, and more Linux vendors start asking for Microsoft's "permission" to boot their OS on the Windows machines with UEFI, what's to stop Microsoft from denying a UEFI license to someone who's starting to become a "real" competitor to Windows (like Android is, in some cases)? What if Ubuntu gets to 10% market share in the next 5 years, and keeps growing? Will they keep giving Canonical the UEFI license? What's guaranteeing that they will, if they are already banning Android from the Windows RT machines?
[+] [-] yajoe|14 years ago|reply
The expectation and Microsoft's fear was that manufacturers would take the marketing money (i.e. the Win8 subsidy) that Microsoft is paying out the wazoo and hedge OS bets by also including Android. Acer and Asus don't care what OS they run so long as it keeps them in the race against Apple. They're happy to let Microsoft pay them money to market their devices if it means they have to include "apps" (and in this case app := OS).
Microsoft wasn't willing to subsidize devices that run Android because it views Android as a competitor rather than an enemy-of-my-enemy. Given Apple's clear cost advantage, it would have been interesting to see such a Android+Win8+subsidy bet play out. Microsoft might have been able to dislodge marketshare enough during the year that Microsoft comes out ahead next year with SP1. Alas, the business case will slightly less interesting.
[+] [-] recoiledsnake|14 years ago|reply
Everyone thought something that everyone else knew wouldn't happen from about 6 months? That article you submitted is from January.
Also, do you have any references to everyone thinking Asus's big announcement will be an Windows RT/Android hybrid?
[+] [-] mjg59|14 years ago|reply
A more open question is whether any of the existing Linux vendors will be doing this. Fedora is willing to use Microsoft's signing service for x86 because users will be able to disable the feature or enrol their own keys. We're not willing to do that for ARM because users won't have that freedom and so wouldn't be able to replace components like the kernel.
[+] [-] derrida|14 years ago|reply
[+] [-] brudgers|14 years ago|reply
The Market Economics Fairy predicts that they will not given the limited number of people who are interested in dual booting a tablet and the diversity of device configurations likely to be manufactured.
[+] [-] drivebyacct2|14 years ago|reply
edit: I'm sorry to see the child comment downvoted. I am under the impression that user key enrollment is disallowed, but I'm actually not seeing an mechanism by which Microsoft can prevent the signature of ARM based bootloaders.
That having been said, I don't completely understand ARM devices to know if it's plausible to sign an ARM bootloader with the MS key.
edit2: The person y'all downvoted is the guy who wrote the blogpost outlining the Fedora way of handling this issue: http://mjg59.dreamwidth.org/12368.html
[+] [-] ivanbernat|14 years ago|reply
[+] [-] beedogs|14 years ago|reply
I don't see the point in these decisions to expend likely a lot of time, effort, and money eliminating edge cases.
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] silon3|14 years ago|reply
[+] [-] polshaw|14 years ago|reply
It seems quite short-sighted, too, as I see ARM as being a viable laptop platform in the life of windows 8, but MS are restricting it to 'device' status.
Also, we've known this for a long time now.
[+] [-] rbanffy|14 years ago|reply
The only apps that will be cross-platform will be WinRT/Metro based ones.
[+] [-] gioele|14 years ago|reply
Google has already contributed core for some current Ivy Bridge chipsets. It would be nice if coreboot received more testing and development from a broader audience.
[1] http://coreboot.org
[+] [-] McGlockenshire|14 years ago|reply
I work for a VAR. Our preferred vendor was one of the first to market with motherboards that expressly supported Coreboot. We're supporters of OSS, and so are our customers, so we figured that they'd be popular.
We sold only a handful over about two years. Our competitors didn't seem to have much more success, as our vendor didn't continue the experiment into the following motherboard generations.
[+] [-] mjg59|14 years ago|reply
[+] [-] tjoff|14 years ago|reply
These devices are not multipurpose devices, they are built for a specific purpose and tailormade for that and nothing else. It is not in any sense equivalent to desktop/laptop-computers. Which is kind of apparent considering the limitations that Windows Phone, Android and iOS amount to.
Since Microsoft have expressed that secure boot must be optional on x86 it is quite easy to justify this rationally without resorting to the popular "typical evil Microsoft tactics" argument.
[+] [-] nathan_long|14 years ago|reply
>> "These devices are not multipurpose devices".
These devices have chips which can run any algorithm you write. They are not hammers, or even calculators. They are computers. They also have GPS, motion sensors, cameras, and microphones. They are multipurpose enough to make phone calls, play games, run maps, and even power satellites: http://www.nasa.gov/mission_pages/station/main/spheres_smart...
>> Since Microsoft have expressed that secure boot must be optional on x86 it is quite easy to justify this rationally...
Why does doing the right thing in once place give them license to do the wrong thing in another?
I appreciate the security value of secure boot, but ONLY as far as its purpose is to serve the customer. Which means the customer must be able to disable it.
[+] [-] PerryCox|14 years ago|reply
And people still jailbreak/root their devices for numerous reasons. If you buy something, you should be able to do what you want with it. Just because it's designed for one thing doesn't mean it can't do others.
[+] [-] liquidsnake|14 years ago|reply
[+] [-] givan|14 years ago|reply
[+] [-] protomyth|14 years ago|reply
What really bothers me is that ARM-based laptops come under this crud. I have really wanted a modern day replacement for the Psion. Something that gets great battery life and has a decent keyboard. I also want to run a BSD (probably Open), so that is really going to make it a pain.
[+] [-] cryptoz|14 years ago|reply
I don't see any reason to separate out tablets and laptops when talking about dual booting, OS concerns, etc. A tablet is just a laptop with a touch screen and optional rather than mandatory keyboard.
[+] [-] ck2|14 years ago|reply
[+] [-] pooriaazimi|14 years ago|reply
[+] [-] bni|14 years ago|reply
This is not true, I have Ubuntu on my MacBook Pro.
[+] [-] brudgers|14 years ago|reply
Topic discussed previously on Hacker News:
http://news.ycombinator.com/item?id=3458679
http://news.ycombinator.com/item?id=3567448
Upshot: If you don't care that your hardware is certified, you don't have to implement secure boot in the way Microsoft requires for certification. You will probably have a few technical challenges, however.
[+] [-] air|14 years ago|reply
No, upshot is that for ARM you can't get Windows at all (certified or not) if you allow other operating systems to boot.
[+] [-] Hoff|14 years ago|reply
Many existing customers effectively do not own what they already have; their systems have been infested with malware and crapplications.
Locked-down bootstraps are the least-bad of a very bad lot of approaches available for dealing with the changes in the user base, and with the increasingly less-experienced and less-DIY users for modern systems.
Security attacks are only getting more subtle, complex and sophisticated. The Microsoft Terminal Server-derived Microsoft code-signing digital certificates is a recent example of the complexity of the environment.
How do you deal with these changes in attacks and with the changes in the user base otherwise, given the numbers of systems out there, and the changes in the knowledge and experience of the user base?
Do any of us like these locked-down bootstraps? Emphatically, no. So figure out another way to ensure this security, get yourself patent or three (and yes, software patents are issued for far too many years) and get yourself rich by solving this problem.
[+] [-] keeperofdakeys|14 years ago|reply
[+] [-] darkarmani|14 years ago|reply
[+] [-] CUR10US|14 years ago|reply
If you can boot from external media, then generally you can dual boot. Someone may have to show you how to prepare media for booting, but it's quite easy once you have been shown. Today's PC's all seem to have good support for booting from external media. Are we going to see this removed in ARM devices?
You do not have to shop for devices that have an "open" bootloader. You have to shop for devices that can boot from external media. (For today's PC's, that's quite easy.) If you have a device that can boot from external media, we can show how to do the rest.
[+] [-] gouranga|14 years ago|reply
[+] [-] ars|14 years ago|reply
The only way to stop unethical behavior is to punish them. The Library of Congress already ruled that this behavior is unethical, now manufacturers need to be pressured.
[+] [-] wkz|14 years ago|reply
[+] [-] nathan_long|14 years ago|reply
[+] [-] esolyt|14 years ago|reply
[+] [-] exDM69|14 years ago|reply
[+] [-] mtgx|14 years ago|reply
[+] [-] fpgeek|14 years ago|reply
[+] [-] keeperofdakeys|14 years ago|reply
[+] [-] tzs|14 years ago|reply
[+] [-] Nelson69|14 years ago|reply
Windows really took off because of this practice. Vendors would license it based upon total PCs sold, regardless of if they even had windows installed or the customers wanted it. It was so effective that the competition dried up and died in a remarkably short time. This was competition from IBM, you could lump some others in with it BeOS and maybe some early Linux but Big Blue had their ass handed to them which was remarkable. At the time there are a lot more (maybe, maybe not, it seemed like there were a lot more) tier 2 type vendors: name companies with support and such.
I'd argue MS doesn't know how to build market share other than with subsidies or lock-ins and that's what this is. If devs don't pick up Win8 pretty quickly, that ARM tablet isn't going to look so great, why wouldn't you want to try Android with its piles of apps? Then it puts the vendors in a very interesting bind, you have to pick which platform to support, a market leader (Android) or a product from a market leader in a different market. I don't remember the results of the anti-trust but I could see how this is designed to do the same thing but is different enough.
A handful of motherboards now come with 2 BIOS, I think I have an Asus mb with one that you can "tweak" and overclock and then like a failsafe backup. Something like that, maybe with a hardware jumper setting seems like the real solution for your vendors, but that adds some cost. Either that or Win8 just flops, industry wide, that seems like it might be the better solution. There will be win8 tablets at Walmart and Target and such though and million of less technical folks will buy them. I suspect dual boot is dead forever unless someone certifies some sort of kexec like application.
[+] [-] brudgers|14 years ago|reply
[+] [-] darkarmani|14 years ago|reply
[+] [-] fpgeek|14 years ago|reply
[+] [-] danmaz74|14 years ago|reply
[+] [-] novalis|14 years ago|reply
[+] [-] showwayer|14 years ago|reply