Summary: The drumbeat from Linux advocates about a key security feature in Microsoft’s forthcoming Windows 8 is getting louder. They call it an anti-Linux plot. But the two leading PC makers disagree with them. I’ve got exclusive details.
The campaign to spread FUD about Windows 8 is picking up momentum. In the past week, high-profile Linux advocates have tried to inject fear, uncertainty, and doubt into what should be a smooth process for implementing a next-generation security feature. They’ve succeeded in creating controversy, but they’ve also, unfortunately, muddled many of the underlying technical issues.
As I noted last month, the crux of their argument is that Microsoft is deliberately requiring a change in PC hardware that will make it impossible to wipe off a Windows installation and install Linux. The Free Software Foundation even launched an online petition demanding that PC makers “respect user freedom.”
Maybe they should be speaking with the companies that actually build those systems.
That’s what I did yesterday, when I spoke with representatives of the two largest PC makers in the world.
In an e-mail exchange and a follow-up phone conversation, a Dell spokesperson told me, “Dell has plans to make SecureBoot an enable/disable option in BIOS setup.” (That’s exactly what the FSF is demanding.) Dell plans to move to the UEFI version that includes Secure Boot in the Windows 8 timeframe, although the spokesperson told me it’s far too soon to provide any further details about the company’s plans for Windows 8 PCs.
I also contacted HP’s PC division, where a spokesperson had to scramble to find anyone within the organization who was even familiar with the issue. Although engineers are busy working on Windows 8 plans, product managers and senior executives are still focused on building and selling the tens of millions of PCs that will be sold with Windows 7 in the next year.
The spokesperson confirmed for me that HP has no plans to participate in any conspiracy against a non-Windows OS: “HP will continue to offer its customers a choice of operating systems. We are working with industry partners to evaluate the options that will best serve our customers.”
Those comments are on top of a statement from a spokesperson for leading BIOS maker AMI, who told me last month that “AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so.”
In fact, the closer you look at the movement against the Secure Boot feature, the more apparent it becomes that this is about propaganda, not technology.
Last week, the Linux Foundation published a white paper, Making UEFI Secure Boot Work With Open Platforms. It’s written in apparently neutral language, until you begin looking at it more closely.
For example, on page 3 of the white paper, under the heading “Booting Closed Operating Systems,” the authors call out Microsoft’s Windows chief by name:
Obviously, a closed operating system could be booted identically to an open one above and still retain all its secure features … However, Steven Sinofsky has suggested in his blog posting “Protecting the pre-OS environment with UEFI”: that the average platform owner might wish to give up control of the PK (and with it control of the signature database) to Microsoft and the OEM suppliers of the platform.
First of all, that’s factually in error: the blog post in question was written by Microsoft’s Tony Mangefeste, who works on the Ecosystem team that in turn coordinates with PC hardware makers. More importantly, note the use of the term “suggested” and the absence of any direct quote from the linked blog post. There is in fact nothing in that Microsoft blog post that says any such thing. The exact opposite is true. Here’s what the blog post says:
Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows …
Who is in control?
At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility.
The Linux Foundation white paper makes some interesting suggestions about how PC hardware makers can implement the new UEFI standard on systems they ship next year. They should probably be sending the white paper to Dell, HP, Lenovo, Toshiba, and other leading PC OEMs, as well as to companies like AMI that make the UEFI firmware. There’s plenty of time for those suggestions to be incorporated in PCs that will be shipped with Windows 8 in roughly a year.
But one of the suggestions is an absolute non-starter:
To enable proper operation with open systems, all UEFI secure boot platforms should ship in setup mode, with no Platform Key installed. This enables the Platform Owner to take control of the platform securely by installing their own platform key or allowing the Operating System install process to do so.
That’s not going to happen. The overwhelming majority of PCs ship with Windows preinstalled. Among consumers, only a tiny percentage of enthusiasts want to replace the preinstalled operating system. Both Microsoft and the hardware makers have a rational desire to make the out-of-box experience as simple as possible. Asking consumers with no technical background to opt in to the Secure Boot process and manually install a certificate during their initial setup of the PC adds needless complexity to the process.
No, the real goal of the campaign against Secure Boot is to whip up antipathy toward Microsoft and its hardware partners. And it’s already working.
On Google+, Jan Wildeboer, who lists his occupation as an evangelist for Linux vendor Red Hat, recently posted a link with the inflammatory text: “The Lock-in with ‘secure’ boot is reality. Read here. HP, please fix ASAP.”
The shared link, from another Open Source advocate, contains still more inflammatory text about “disturbing news on the UEFI/Secure Boot situation. Evidently, we don’t have to wait until the release of Windows 8 to find GRUB locked out of the boot sector on new computers.”
That Google+ post ultimately leads to this blog post: UEFI Headaches Begin For Linux Users. It contains a secondhand account from an unidentified person in Oregon, who writes:
My friend recently got an HP s5-1110 with Win 7 installed. UEFI has prevented the installation of GRUB on this machine.
Got it? A Red Hat evangelist links to a Google+ post from some guy, who links to a blog post from some other guy, who quotes an unidentified person who tells a story about “a friend.”
I am not making this up.
The PC in question is an HP Slimline. Here are its specs. It’s a small-form-factor consumer PC that ships with Windows 7. It doesn’t include the Secure Boot feature in its firmware. (To my knowledge, the only PC that currently includes that feature is the prototype Samsung device that was given to attendees at Microsoft’s BUILD conference in September.)
The person who complained about being unable to install Linux on that machine needs to go take a course in how to boot a PC using optical media. The blog post and its comments are filled with laughable inaccuracies.
And yet an employee of Red Hat is spreading this story as an example of why Linux users need to rise up and demand their rights.
That, ladies and gentlemen, is how a FUD campaign works.