[Windows_uefi & BIOS] Detailed relationship between Secure boot and winows 8 and UEFI boot

I. Call of the Free Software Foundation

Last week, near the end of 2012, The Free Software Foundation (FSF) called for people to continue to support the anti-secure boot monopoly, hoping that the signers would reach 50,000 (currently 40,000).

I think this appeal is very important. If we don't support it, we won't be able to use the hardware and install the software we want in the future.

This is no exaggeration. And since this event is directly related to the Windows 8 operating system, it means that everything is imminent.

Below, I am based on my understanding, to talk about what is going on. If you are a Linux enthusiast, or prefer to install your own operating system, the following content is directly related to you.

Second, BIOS and UEFI

When all computers start, they run the BIOS program to initialize the hardware.

It has been so since the birth of a personal computer. For the past 30 years we have been using similar images to set hardware parameters. Needless to say, the BIOS has become increasingly unsuitable.

In 1998, Intel led the development of a new generation of bios with leading manufacturers such as AMD, AMI, Apple, Dell, HP, IBM, Lenovo, Microsoft and Phoenix. This project is called "Unified Extensible Fixed Interface" (Unified extensible Firmware Interface), which is referred to as UEFI. The release of version 1.1 in 2005 is currently 2.3.

In the future, the computer will not run the BIOS, but the UEFI bios. Wait for it to run and then load the operating system.

Third, Microsoft's attitude

Uefi is a very advanced, future-oriented specification. But it was not possible to promote it for a long time because Microsoft was not active.

The Windows operating system is the mainstream of the desktop market, and if it does not promote UEFI, no hardware vendor will follow. So the average consumer knows very little about this new specification.

Unexpected changes, which appeared in September 2011, were suddenly announced by Microsoft without warning that Windows 8 would enable UEFI.

It would have been a good thing. However, the problem is that Microsoft is not interested in the entire UEFI, but rather a sub-spec secure Boot for UEFI. It is forced to deploy secure Boot.

Four, Secure Boot

Secure Boot is just one part of UEFI. The relationship between the two is the relationship between the local and the whole.

The purpose of Secure boot is to prevent malware intrusion. It does this by using a key. Uefi stipulates that when the motherboard is shipped from the factory, some reliable public keys can be built in. Then, any operating system or hardware driver that you want to load on this motherboard must be certified by these public keys. In other words, the software must be signed with the corresponding private key, otherwise the motherboard refuses to load. Since malware cannot be certified, there is no way to infect boot.

The idea is good. However, UEFI does not dictate which public keys are reliable or who is responsible for issuing the public keys, leaving it to the hardware vendor to decide.

Now, Microsoft is asking for motherboard vendors to have Windows 8 public keys built in.

V. Windows 8

First, it is clear that Windows 8 can be installed without secure boot turned on. This is no different than installing a previous version of Windows.

However, Microsoft requires that all vendors preinstalled with Windows 8 (that is, OEMs) must have secure Boot turned on. Therefore, it is not possible for a consumer to purchase a desktop or notebook preinstalled with Windows 8, and to install another operating system (including a previous version of Windows) on it, unless secure Boot is turned off, or another operating system is certified by the Windows 8 public key.

If you choose to turn secure Root off, pre-installed Windows 8 will not work and needs to be reinstalled.

Vi. Example: MSI motherboard

Itwire's reporter, Sam Varghese, did an experiment to find out how to install the operating system on the motherboard where secure boot was opened.

The experimental object is MSI company Z77A-G41 Motherboard. It has the secure boot feature, which is turned off by default.

First, press the DELETE key after powering on, enter the BIOS, and select the Windows 8 configuration option.

The second step is to select the Last secure boot option.

Third, open the Secure boot feature and select the Last key Management (Key Management) option.

Fourth, enter the public key provided by the vendor, which is the public key of Windows 8 (currently, no other operating system has such a public key.) ）

Class fifth, after installing Windows 8, enter the Confirm-securebootuefi command at the command line interface, and the result is true, indicating that the Secureboot function is turned on.

Depending on the Sam Varghese test, after you open secure boot and then install another operating system (including previous versions of Windows), you are all rejected by the motherboard.

Vii. impact on Linux

The intent of the Secure boot specification is to allow the operating system vendor to choose the public key and pass the authentication. But in fact, only Microsoft has the ability to let the motherboard vendor built its public key, which no other company has.

Therefore, if you are installing a Linux system on a motherboard that opens secure boot, the system must be certified to Windows 8.

Currently, Microsoft has outsourced the digital signature of Windows 8 to VeriSign. Operating system vendors who want to pass the certification must spend $99 to buy a digital certificate from VeriSign, embedded in their own operating system.

The latest news is that Ubuntu has purchased digital certificates from various distributions in Linux, and Fedora and SuSE are planning to buy, and other distributions have not yet decided.

Therefore, the best practice for installing Linux (or other operating systems) on a PC preinstalled with Windows 8 is to enter the BIOS and close secure Boot. However, this means that Windows 8 you pay for will not be available.

Viii. Why is the public key of Windows 8 unacceptable?

At the moment, Linux's purchase of a digital certificate for Windows 8 is the only viable and relatively easy solution right now. However, this approach is unacceptable.

First, the system's public key is controlled by Microsoft and the consequences are unpredictable. If Microsoft decides to replace and revoke the public key, Linux will be forced to follow up.

Second, the Linux boot Manager grub is the GPL license, the License (third edition) expressly prohibits the software from using key Mate hardware to block the use of a subset of users, and therefore uses a non-GPL-licensed boot manager instead.

Again, only a few larger Linux distributions have the ability to purchase digital certificates, and smaller distributions and user-customized versions ultimately need their own public key.

Ix. about mobile devices

Secure Boot has a more serious impact on mobile devices than PCs.

Microsoft expressly stipulates that all PC motherboards must have the option to turn secure boot off. This is not because of Microsoft's goodwill, but because if it does not, it is bound to face antitrust charges.

However, in mobile devices, Microsoft does not dominate, so it has no concern that all installed Windows Mobile device secure boot must be turned on, and there is no option to turn off.

Microsoft's tablet surface RT is one of the best examples. Its secure boot is open and cannot be closed, and Microsoft uses a public key different from the desktop Windows 8 operating system and does not provide a way to obtain a digital certificate. Therefore, in theory, it is not possible for users to install other operating systems on surface Rt.

It is also reported that smartphones using the Windows Phone 8 operating system will do the same. Then, it is impossible for users to install other operating systems on the Windows Phone.

X. Concluding remarks

Secure Boot's original intention is to ensure system security, but now seems to be a manufacturer to protect the market monopoly, a means to hinder competition.

In addition to Microsoft, Apple also has this tendency. Installing other operating systems on the next generation of iphones and ipads seems impossible.

The Free Software Foundation calls for an anti-secure boot monopoly, which is based on the consideration that users should have the freedom to use hardware and software, and that the operating system should be open, not closed.

As a specification, the Free Software Foundation does not object to secure Boot, it simply requires the convenience of hardware vendors, making it easier for users to install and manage public keys, and to keep all operating systems (and device drivers) open using hardware platforms.

In my opinion, this is a perfectly reasonable requirement, which is extremely important to ensure the freedom of users and the healthy ecology of the industry. Let us support this initiative (signature and donation) and keep a close eye on the next step of the situation.

Finish

[Windows_uefi & BIOS] Detailed the relationship between Secure boot and winows 8 and UEFI boot