Tag Archives: drm

Microsoft using Secureboot to lock down ARM

Leave a reply

Thanks to a tip from a colleague – Anshu, I found out further confirmation that the Secureboot issue, that I blogged about earlier, is going to bite us badly just as we expected.

According to this post of the Software Freedom Law Center, Microsoft has recently revised it’s Windows 8 Hardware Certification requirements to lock out all alternative OSes from the ARM-based mobile devices that it ships on.

The Certification Requirements define (on page 116) a “custom” secure boot mode, in which a physically present user can add signatures for alternative operating systems to the system’s signature database, allowing the system to boot those operating systems. But for ARM devices, Custom Mode is prohibited: “On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.” [sic] Nor will users have the choice to simply disable secure boot, as they will on non-ARM systems: “Disabling Secure [Boot] MUST NOT be possible on ARM systems.” [sic] Between these two requirements, any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot.

Upcoming devices running Windows 8 mobile including the increasingly popular tablets are soon going to be Windows only – that is, for example, you will not be able to run Android on them without an exploit.

But just yesterday, Qualcomm announced plans to produce Windows 8 tablets and ultrabook-style laptops built around its ARM-based Snapdragon processors. Unless Microsoft changes its policy, these may be the first PCs ever produced that can never run anything but Windows, no matter how Qualcomm feels about limiting its customers’ choices.

While someone may very well point out that because this is only restricted to mobile devices and since most folks, even most technically savvy ones rarely change the OS on their phone, the problem is the precedent this sets. Given some time of locking down the mobile platform to only run Windows, Microsoft can very well make a case to extend Secureboot to desktops that you buy as well, by giving the mobile platform experience as a “standard technical security procedure” to justify this to get around anti-trust issues.

And to reiterate this again, this will badly hurts the hardcore Windows users as well.

Microsoft’s idea is to control the OS running on the desktop, including which of their own OS will run on new hardware. So if you were not a fan of Vista and wanted to stay with Windows XP, like in the past, you will not have a choice in a similar situation in the future. For example, even if there is some widespread concern about a new Windows version in the future, Microsoft can arm-twist the hardware manufacturers to program the new desktops in the market to only work with the new OS of theirs, forcing all of their users to upgrade.

The incoming Secureboot/Restrictedboot war

1 Reply

For those who aren’t aware of this, FSF (Free Software Foundation) has been running a campaign for the last few months about Microsoft’s malicious Secureboot initiative (which FSF calls restricted boot). Given the mostly Microsoft friendly corporate IT environments out there, I think this is one topic on which most employees should be very aware.

A nice summary of the issue can be read up at:
http://www.theregister.co.uk/2011/10/18/fsf_windows_8_campaign/

Apparently, Microsoft is practically arm-twisting OEM manufacturers to implement Secureboot to be able to install Windows 8 on their systems – it is a Windows 8 requirement. And most Windows loving IT departments around the world are only too eager to go ahead with this just to be able to install the “latest and greatest” from Microsoft. Combine this with a decree … umm … “security” policy to never remove Secureboot from office laptops, and you can be rest assured that Linux will never be found on business laptops ever. (Speaking on security policies, how come these IT folks never admit that Windows itself is their biggest internal security threat, is something I could never understand )

This would be a good time for you to send this message to similarly interested friends working out there, so that they can encourage their IT departments to not fall for this DRM/anti-Linux trap.

Here is the official FSF campaign page:
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/

If you read carefully, you will find that FSF’s main issue is not just the secureboot spec itself, but rather how it gives OS/manufacturers a way to lock you out of your own hardware.

If this becomes mandatory, you will never be able to install Linux and other FOSS OS on even computers you buy yourself. You will never be able to reuse old computers for barebones Linux server installs and the like.