
> If that doesn't work, the need for booting non-standard Windows images will save us. I've never worked for any company that ran a stock Windows install -- everyone rolls their own. If new machines won't boot this image, guess what, that new machine is bought from some vendor that doesn't do this to them.

That's not how this works. It doesn't expect that the entire OS install is signed. It expects that the kernel is signed. "Non-standard" Windows installs don't generally futz with the Kernel. If you work for a company that uses a hacked kernel internally, please let me know, so I can make sure I'm not invested.

> Nobody uses Windows as a server OS

Microsoft's server product (along with its related tools and products) is massively successful. The Internet darlings may not run Windows Server, but many, many companies do.

> If, say, Samsung says "our hardware will only run Windows", then they won't be manufacturing Android phones or Chromebooks anymore.

Why would anyone do that? Even if Samsung sold some hardware that was locked down to only Windows, why would they suddenly stop selling other hardware? There's just no point. They already sell devices that are effectively locked down to Android, but that doesn't preclude them continuing to sell Windows laptops.




> Microsoft's server product (along with its related tools and products) is massively successful. The Internet darlings may not run Windows Server, but many, many companies do.

Yes, and Linux as a server is massively successful. And the internet darlings are one of the biggest customers. If a machine can't boot Linux because of the signed kernel requirements enforced at the firmware, those internet darlings would move to machines that can. That isn't a risk Intel et al. are going to take, especially with AMD breathing down its back.


Implementing secure boot is a risk that Intel et al are going to take. They've already taken a similar risk to support BitLocker with TPM hardware. None of this will stop Internet darlings from running Linux if they want, though.


Where do you see the requirement that the kernel has to be signed? I only see them mentioning the boot loader, which should be something entirely different (both on Windows and Linux, as far as I'm aware. I admit that my knowledge about the Windows boot process is incomplete).

If I'm correct (?) your whole reply to that point was a bit over the top, especially the 'tell me where you work so that I can ignore you' part.

Edit: Reading the original source (I recommend it!) confuses me. It says 'unsigned binaries will not load', but still: I'm still reading that as 'will not be loaded by the UEFI firmware' - which should only need to load the bootloader (+ relevant drivers) as far as I understand it?


I think the idea behind the signed bootloader is that the kernel that the bootloader loads will then be trusted as well. In this way the chain of trust moves up the boot stack and the risk of an early-boot / kernel rootkit can be minimized, especially if the kernel also tries to verify the authenticity of all modules it loads into kernel space (which Windows already does and has for quite some time - please note that I specified "tries").

I don't think this will affect corporate Windows installations as you'd presumably be installing a signed kernel and signed drivers - as the post above yours states, it's very rare to use a non-Microsoft-supplied kernel and unsigned drivers in the corporate environment today.

Signing a Linux bootloader could be perceived as a potential breach of this trusted boot process, as Windows could then potentially be loading in an emulated environment created by a malicious GRUB module or the like. Chances are, nobody subscribing to Trusted Boot will ruin their marketability by either a) not providing a way to disable the trust verification or b) not signing a Linux bootloader. However, that possibility is what has the rash of speculative "Linux won't run anymore!!!" articles running around the internet this week.

More solid info on the trusted boot process can be derived from:

http://lanyrd.com/2011/bldwin/shkft/
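As an added illustration of the chain of trust described in the comment above (example code written for this thread, not taken from any firmware, shim or GRUB implementation), here is a small Go model: the firmware trusts one root key, verifies the bootloader with it, and each verified stage vouches for the key used to check the next stage. Ed25519 keys and a three-stage chain are assumptions for the sake of the model; real UEFI Secure Boot uses X.509 certificates and Authenticode signatures, and the firmware db can also hold plain hashes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one link in the boot chain. The signature covers both the image
// and the public key this stage will trust for whatever it loads next, so a
// tampered image or a swapped "next" key both break verification.
type Stage struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey // nil for the last stage (a kernel module here)
	Sig     []byte
}

func signedPayload(image []byte, next ed25519.PublicKey) []byte {
	return append(append([]byte{}, image...), next...)
}

func sign(name string, image []byte, next ed25519.PublicKey, signer ed25519.PrivateKey) Stage {
	return Stage{name, image, next, ed25519.Sign(signer, signedPayload(image, next))}
}

// VerifyChain plays the firmware: it trusts only rootKey (the key enrolled in
// the firmware's db), then walks bootloader -> kernel -> module, always
// checking a stage with the key the previously verified stage vouched for.
// It returns the name of the first stage that fails, or "" if all pass.
func VerifyChain(rootKey ed25519.PublicKey, chain []Stage) string {
	trusted := rootKey
	for _, s := range chain {
		// No usable key means the previous stage did not vouch for anything.
		if len(trusted) != ed25519.PublicKeySize || !ed25519.Verify(trusted, signedPayload(s.Image, s.NextKey), s.Sig) {
			return s.Name
		}
		trusted = s.NextKey
	}
	return ""
}

// BuildChain constructs a sample (not real) chain: the OEM key signs the
// bootloader, the bootloader's embedded key signs the kernel, and the kernel's
// embedded key signs a module. Returns the root key and the chain.
func BuildChain() (ed25519.PublicKey, []Stage) {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader) // key in firmware db
	blPub, blPriv, _ := ed25519.GenerateKey(rand.Reader)   // key embedded in bootloader
	kPub, kPriv, _ := ed25519.GenerateKey(rand.Reader)     // key embedded in kernel
	return oemPub, []Stage{
		sign("bootloader", []byte("bootloader image"), blPub, oemPriv),
		sign("kernel", []byte("kernel image"), kPub, blPriv),
		sign("module", []byte("kernel module"), nil, kPriv),
	}
}

func main() {
	root, chain := BuildChain()
	fmt.Printf("clean chain, first failure: %q\n", VerifyChain(root, chain))
	chain[1].Image = []byte("patched kernel image") // unsigned change to the kernel
	fmt.Printf("patched kernel, first failure: %q\n", VerifyChain(root, chain))
}
```

Replacing the kernel image without re-signing is caught by the bootloader step, and an unsigned module is caught by the kernel step, which is the "chain of trust moving up the boot stack" the comment refers to.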


You're probably correct. I was just saying that there's no need for the entire Windows installation to be signed, as jrockway implied. Such a requirement would be nearly impossible (and would require scanning the entire OS at startup to verify the signature).


FTA, quoting Red Hat's Matthew Garrett:

Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed.




