the Microsoft UEFI rules for getting a Windows 8 Logo REQUIRES UEFI setup to provide to a physically present user the option to turn off secure boot and add/delete your own keys.
Can you please provide an authoritative link for this? The only thing I turned up was this "Secure Boot Overview" updated a few weeks ago:
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]
[A]fter final firmware validation and testing, the OEM locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, and then generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.
EDIT: Just found this (tl;dr - disabling Secure Boot is mandatory for x86 and forbidden for ARM):
17. MANDATORY. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode.
b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with SecureBoot turned off.
c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.
On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.
Ahh, I went to the trouble of finding that and had it in my clipboard :)
Took me a few mins and was really hard to find on Google and was buried amongst all the noise generated by these FUD stories and discussions about UEFI secure boot. It's almost as if it was Google-Bombed.
Sorry about that, recoiledsnake. Thanks for the followup. Do you not consider Secure Boot and the prohibition against disabling it on ARM devices a slippery slope?
>Do you not consider Secure Boot and the prohibition against disabling it on ARM devices a slippery slope?
Yes, it definitely is. But the seeds for that were planted by Apple which can't keep their devices in stock, so when I see the ragefest directed towards Windows RT and Microsoft evil dominance with nary a mention of Apple(see Mozilla's FSF, and EFF's(?) blog posts about UEFI Secure Boot and almost all the discussions on HN and other sites) it feels like people are actively trying to avoid mention of Apple since it undermines the point they're making about Microsoft.
And many of these folks call it an antitrust issue because Microsoft was previously declared a monopoly on the PC and had successful antitrust suits against it.
But forcing MS to open up Windows RT while leaving the iPad alone(which has tremendous marketshare and profitshare in tablets) will only leave Windows RT weaker against the iPad(because they can't subsidize them with the app and media sales on Windows RT, see XBox). And every time I mention this, I hear crickets as people move on to other threads to continue piling on MS and ignore Apple.
I am in complete agreement with you on this. It is very sad to see the direction Apple has taken computing devices in, the blind acceptance by the public, and perhaps most disturbingly, the thunderous silence of the geeks. (Downvotes away! (assuming anyone is reading this far in.))
I think the major difference is that Microsoft is able to strongarm 99% of PC manufacturers due to their dependence on Windows, whereas Apple can only control their own hardware.
A more apt comparison would be if Dell decided to enforce UEFI secureboot (with no way of disabling it). The users wanting to run linux would be able to simply not buy from Dell anymore, just as right now you can still choose not to buy an iPad.
But the concern here is that Microsoft will control ALL PCs (minus the small minority of computer manufacturers willing to stand up to them), meaning a Linux user's options are to pay more for "unlocked" hardware or jailbreak a Windows 8 machine.
would changes to the windows kernel by the update require user action? will it end up being the "press OK to allow administrator rights to this application" but at boot time. or if it's the same signature it just updates silently?
Can you please provide an authoritative link for this? The only thing I turned up was this "Secure Boot Overview" updated a few weeks ago:
http://technet.microsoft.com/library/hh824987.aspx
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]
[A]fter final firmware validation and testing, the OEM locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, and then generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.
EDIT: Just found this (tl;dr - disabling Secure Boot is mandatory for x86 and forbidden for ARM):
Windows Hardware Certification Requirements http://download.microsoft.com/download/a/d/f/adf5bede-c0fb-4...
17. MANDATORY. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following: a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode. b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with SecureBoot turned off. c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.