Unless I'm misunderstanding something, this is silly FUD. Microsoft isn't stupid enough (or evil enough, despite what some like to believe) to attempt to force PC OEMs to effectively block all OSes except Windows. They know this wouldn't work, and there'd be no point in trying to force it.
Supporting hardened boot is not the same as requiring it. Microsoft already utilizes this for BitLocker. You can still install Linux on a machine that supports hardened booting and signed images. You just can't enable hardened boot unless you use signed images.
> Microsoft isn't stupid enough (or evil enough, despite what some like to believe) to attempt to force PC OEMs to effectively block all OSes except Windows.
There's a rather large difference between contractually forbidding PC OEMs from selling Windows machines bundled with BeOS and technologically blocking non-Windows OSes from executing. It's one thing to say "you can't bundle another OS with mine". It's another thing entirely to say "your hardware can never run any OS except mine".
They both result from signing an agreement between said parties, and basically provide the same benefits to both parties (given that most people won't install an operating system themselves).
Except one leaves a choice to the end user, and the other doesn't.
+1, hardened boot is something we will address eventually with MBR and BIOS viruses on the rise again. Makes sense for MS to push in this direction and Intel/AMD aren't going to lock down that hardware to anything else.
Your $200 Dell from Best Buy might, but that will be part of the subsidy from MS. Meh.
Presumably you have to sign a pkek key with the firmware key. Even then, you don't actually have full control of your OS's kernel, so it may not be easy to insert a key.
"After years of trying to cut off Linux growth as a desktop platform on x86 and x64 PCs, Microsoft may have actually figured out a way to stop Linux deployments on client PCs dead in their tracks."
I'm quite certain Microsoft has (A) not put any significant effort into cutting off growth as a desktop platform, and (B) If they had, they were almost completely successful, and characterizing it as "trying" implies that they had limited success.
Shhh, not so loud! Such thoughts would destabilize Slashdot if they got out!
Seriously, this seems especially short-sighted, as the perception is that MS is getting thrashed by Apple in the consumer market. I think it's more about preventing malware from getting ahold of the boot process, side effects be damned.
As much as I don't like Apple/OS X, most of my friends do. Everyone got Mac _because_ of OS X.
One got it because of low latency, and because he was "sure it won't hang up for a moment because of some background job". He uses it to make music.
Others got it for its (OS X's) usability.
That's a chilling thing IMHO when we rely on a single corporation to protect us. As far as the /. like rhetoric, you're using the parent's opinion that MS hasn't been trying, and is indeed seeing a steady increasing competition in desktop screen space (which I've seen in two different Fortune 500 companies first hand within the last 6 years), so if that isn't true, then the rhetoric isn't just rhetoric.
I doubt any major vendor will do this. First off, they don't want to be locked into selling Microsoft-only machines. If they can't pretend Linux is an option, Microsoft can charge them $1000 for a Windows license and there's nothing they can do about it. If they have Linux hanging over Microsoft's head, though, they'll get better pricing on Windows. (Think this won't happen? It already did with XP on netbooks. When Microsoft realized that everyone was happy to get $100 off the price of their laptop to run Firefox under Linux instead of under Windows, they had no choice but to make it nearly free.)
If that doesn't work, the need for booting non-standard Windows images will save us. I've never worked for any company that ran a stock Windows install -- everyone rolls their own. If new machines won't boot this image, guess what, that new machine is bought from some vendor that doesn't do this to them. And the only reason most people use Windows at home is because they use Windows at work. If big companies started migrating away from Windows, Microsoft could be in serious trouble. (Yup, Microsoft Word is much nicer than LibreOffice Writer or AbiWord. But you don't know that if you've never used it. Or, you don't care, because you're writing a memo, not a book. And that's $600 Microsoft loses right there.)
Next, we're forgetting the all-important server market. Nobody uses Windows as a server OS, so all those servers are going to have to be able to run Grub. Since servers are what make the OEMs money (they actually need that quad core chip, you don't), keeping users of that market happy will be the hardware companies' biggest concern. If Intel chips stop booting Linux, guess what, AMD is the new king of the market.
Finally, many of these companies are in markets other than consumer computers, and they won't want to alienate their other partners. If, say, Samsung says "our hardware will only run Windows", then they won't be manufacturing Android phones or Chromebooks anymore. And that's a big deal, because they won't be manufacturing iPhones either, and that means they're out of the mobile market. (Have you ever seen anyone without MVP certification anywhere near a Windows Phone? I didn't think so.)
Basically, Windows is important, but not so important that anyone would want to be the first to go Windows-only in hardware. Hardware companies want to provide nice computers at a nice price. End users mostly want to browse the web. This puts Microsoft in a position to do exactly what the market wants, not what it thinks it can bear. When you're at the top, the only place to go is down. And that is where Microsoft is going.
> If that doesn't work, the need for booting non-standard Windows images will save us. I've never worked for any company that ran a stock Windows install -- everyone rolls their own. If new machines won't boot this image, guess what, that new machine is bought from some vendor that doesn't do this to them.
That's not how this works. It doesn't expect that the entire OS install is signed. It expects that the kernel is signed. "Non-standard" Windows installs don't generally futz with the Kernel. If you work for a company that uses a hacked kernel internally, please let me know, so I can make sure I'm not invested.
> Nobody uses Windows as a server OS
Microsoft's server product (along with its related tools and products) is massively successful. The Internet darlings may not run Windows Server, but many, many companies do.
> If, say, Samsung says "our hardware will only run Windows", then they won't be manufacturing Android phones or Chromebooks anymore.
Why would anyone do that? Even if Samsung sold some hardware that was locked down to only Windows, why would they suddenly stop selling other hardware? There's just no point. They already sell devices that are effectively locked down to Android, but that doesn't preclude them continuing to sell Windows laptops.
> Microsoft's server product (along with its related tools and products) is massively successful. The Internet darlings may not run Windows Server, but many, many companies do.
Yes, and Linux as a server is massively successful. And the internet darlings are one of the biggest customers. If a machine can't boot Linux because of the signed kernel requirements enforced at the firmware, those internet darlings would move to machines that can. That isn't a risk Intel et al. are going to take, especially with AMD breathing down its back.
Implementing secure boot is a risk that Intel et al are going to take. They've already taken a similar risk to support BitLocker with TPM hardware. None of this will stop Internet darlings from running Linux if they want, though.
Where do you see the requirement that the kernel has to be signed? I only see them mentioning the boot loader, which should be something entirely different (both on Windows and Linux, as far as I'm aware. I admit that my knowledge about the Windows boot process is incomplete).
If I'm correct (?) your whole reply to that point was a bit over the top, especially the 'tell me where you work so that I can ignore you' part.
Edit: Reading the original source (I recommend it!) confuses me. It says 'unsigned binaries will not load', but still: I'm still reading that as 'will not be loaded by the UEFI firmware' - which should only need to load the bootloader (+ relevant drivers) as far as I understand it?
I think the idea behind the signed bootloader is that the kernel that the bootloader loads will then be trusted as well. In this way the chain of trust moves up the boot stack and the risk of an early-boot / kernel rootkit can be minimized, especially if the kernel also tries to verify the authenticity of all modules it loads into kernel space (which Windows already does and has for quite some time - please note that I specified "tries").
I don't think this will affect corporate Windows installations as you'd presumably be installing a signed kernel and signed drivers - as the post above yours states, it's very rare to use a non-Microsoft-supplied kernel and unsigned drivers in the corporate environment today.
Signing a Linux bootloader could be perceived as a potential breach of this trusted boot process, as Windows could then potentially be loading in an emulated environment created by a malicious GRUB module or the like. Chances are, nobody subscribing to Trusted Boot will ruin their marketability by either a) not providing a way to disable the trust verification or b) not signing a Linux bootloader. However, that possibility is what has the rash of speculative "Linux won't run anymore!!!" articles running around the internet this week.
More solid info on the trusted boot process can be derived from:
You're probably correct. I was just saying that there's no need for the entire Windows installation to be signed, as jrockway implied. Such a requirement would be nearly impossible (and would require scanning the entire OS at startup to verify the signature).
Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed.
No PC OEM has a rational fear of MS doing bad by them, regardless of lock-in. Firstly, MS has no good reason to do that since it would just put the retail price of the PCs too high to sell well, and MS is a volume business and knows it. They're smart enough to know to avoid hurting their own sales. They already know who and how to charge ridiculously high prices per client for software and it's not OEMs or retail consumers. Secondly, the OEMs so affected would likely run to the FTC immediately and file complaints of unfair trade practices, and then MS would find itself in a fecal-tornado of bad press and government action that it would surely not enjoy. Thirdly, OEM licenses can only go so high, as then OEMs could just buy and install retail copies of Windows on their machines. In short, this whole fantastical scenario goes against everything that MS has done as a business and everything that MS has done as part of creating and maintaining relationships with OEMs over the past 3 decades, it makes no sense.
As far as the server market, those machines are almost invariably different hardware than commodity PCs. I don't think it's likely that PC component makers or OEMs will opt for Windows-only systems, but I don't think you've put forward a sufficient argument on why that should be the case.
> No PC OEM has a rational fear of MS doing bad by them, regardless of lock-in. Firstly, MS has no good reason to do that since it would just put the retail price of the PCs too high to sell well, and MS is a volume business and knows it.
Microsoft already prices it differently for different OEMs. They are already in mortal fear that Microsoft will change it, even without the technology to enforce it.
Can't find a link now, but in one of the big computer trade shows, in the morning Asus said they'll be promoting Linux on the recent 9" eee. Afternoon, they apologized and said they will only promote Windows, and will in fact redesign it to better fit Windows. The difference was apparently made by a call from Microsoft that threatened their volume licensing deal.
> MS would find itself in a fecal-tornado of bad press and government action that it would surely not enjoy.
The government works for Microsoft. MS had some fear of antitrust back in the late 90s, but they've since become one of the largest lobbyists, buying politicians on both sides. They are not touchable by antitrust or any other government action in the foreseeable future.
Here in India, Microsoft is famous only because the pirated version is freely available from anywhere, through anyone at any time. That's the only reason why everybody uses it all the time.
Take away the free option, and the non industry consumers will just dump their OS. What is stopping Linux from ruling the Desktop market is an awesome UI.
Now, I decide to buy a netbook for browsing and light development. I can save up to 1500 rupees on the OS if I go in for a pre loaded FreeDOS version. So this is what I have decided, to buy a good HP netbook which comes close to 15000 rupees. Install Ubuntu LTS version on it. Remain hassle free for the next two years. And spend the saved 1500 rupees on buying a good headphone to listen to music.
I don't see any reason why I must remotely feel the need to use Windows anymore. Unless of course I need to work on a word document. Most of the times OpenOffice is sufficient, if it isn't I just walk up to the next DTP store around my place, pay the guy 20 bucks and get the work done in an hour.
Which is why my employer really doesn't use Outlook/Exchange for email, or Sharepoint for the intranet, or IIS for the public website, or ActiveDirectory to manage logins and whatever else it does, or ....
Maybe you mean, "nobody uses only Windows as a server OS"? But even tho that would work for my employer (we also have Linux and AIX) and probably all large companies (including Microsoft?), I'm sure there are a ton of smaller ones it doesn't apply to.
> Which is why my employer really doesn't use Outlook/Exchange for email, or Sharepoint for the intranet, or IIS for the public website, or ActiveDirectory to manage logins and whatever else it does, or ....
If you really have to live with all that stuff, I'm deeply sorry for you. I use Exchange and AD and it's bad enough.
Oh come on, seriously? I'm not saying it's the best thing ever, but it works well enough for the majority of small businesses. There is nobody who is really inconvenienced by having to use AD (it's not like most people would even notice). At least it provides a default and standard authentication system, unlike the hacks I've seen where people use rsync to distribute /etc/passwd and /etc/shadow to all machines (and don't get me started on that piece of junk OpenLDAP, I have yet to meet the first person who could build a complete and working centralized auth environment with it.)
> I doubt any major vendor will do this. First off, they don't want to be locked into selling Microsoft-only machines. If they can't pretend Linux is an option, Microsoft can charge them $1000 for a Windows license and there's nothing they can do about it.
I doubt that secure boot is a factor in this, since it would be easy for vendors to disable by default in the factory if they wanted to install Linux.
The point of the article isn't that the machines will be Windows-only, but that dual booting may no longer be possible. It makes a point of emphasizing that secure booting will likely be easy for the user to disable, although that will disable Windows 8 as well.
> The point of the article isn't that the machines will be Windows-only, but that dual booting may no longer be possible. It makes a point of emphasizing that secure booting will likely be easy for the user to disable, although that will disable Windows 8 as well.
Never going to happen. Win8 will install on machines built for Win7.
Win 8 is not going to refuse to boot on machines that have boot signing disabled.
That's not what we're talking about. We're talking about the Windows 8 Logo Program, which is basically that sticker on a new PC that says it is certified to run Windows 8.
I think we're actually talking about some paranoid hype written about a blog post written about a slide deck.
Maybe Microsoft will require OEMs to support secure boot to be certified for Win8 (fine by me). That doesn't mean that the user won't be able to disable it if they want, and it definitely doesn't mean Win8 won't run when it's turned off.
Right, but Windows 8 should still happily boot on a Windows 8 Logo'd PC which has had signed boot disabled by the user for the same reason that it happily boots on non-Logo'd PCs.
Ha! That's the first thing I always do with a new computer: remove all those stickers. Some Vista stickers are extremely hard to remove. That being said, my Air came with absolutely no stickers on it.
> Yup, Microsoft Word is much nicer than LibreOffice Writer or AbiWord. But you don't know that if you've never used it. Or, you don't care, because you're writing a memo, not a book. And that's $600 Microsoft loses right there.
The very last thing for which I'd consider using MS Word (or any WYSIWYG processor, for that matter) would be writing a book (or any prolonged text which concentrates on the content). Seriously, if you do this you've never even thought about the fact that there are alternatives which are vastly superior for such tasks (one of which being plaintext. Yes, plaintext). I don't get why you would even consider writing a book in a document processor - save for LyX, but that's not exactly a standard word processor.
Sorry for the rant, I mostly agree with you. The general development still scares me though.
Estimates of between 40-75% of all servers are Windows based. While Linux is ahead in Web servers (71% market share), they aren't the only type of server going around...
These stats are hard to measure as they can't really account for people who just install free Linux distros, but in terms of sold Linux based licenses, Microsoft is ahead. At the very least it shows that the assertion "no one uses Windows as a server OS" is far from the truth. 5-6 billion dollars revenue a quarter is hardly 'no one'.
> they don't want to be locked into selling Microsoft-only machines.
True to some extent, but they can always create Linux models that just don't include the MS public key.
> the need for booting non-standard Windows images will save us.
Customized Windows images should have the same signature since the signed components (kernel, drivers, etc.) will be the same.
> the all-important server market
This either doesn't apply to servers or the vendors will just create Linux models.
> If Intel chips stop booting Linux
To be clear, that is not what we're talking about. This is an optional firmware feature (and I assume it will apply to all logoed PCs regardless of processor type).
I've actually never heard that, I've heard more like "no one will support it" until RedHat came around, then it was "no one knows how to use it" until I saw IBM use it, then I heard "but there's no software" until I saw Oracle make software for it. That was just in Non-IT businesses. In IT-industry businesses, I never heard Windows discussed too seriously outside of "well, we had to unfortunately because of a client..."
Why should I learn a new toolchain when I already have one that's just as good but has been around for 30+ years? It's fun to reinvent the wheel, but as a user, sometimes enough is enough. Just give me bash and the coreutils, kthx.
PS is just a piece of the puzzle. In fact, if I were to automate things on Windows, I would pick perl/python/ruby (on Linux, I use shell scripts only for jobs which are less than 50 lines).
The major question is: do the objects which are to be automated lend themselves to automation?
Here is one of the results I found while looking for 'sql server automate'
nix DBA’s used shell scripts as their primary management tool, but the SQL Server of that day was not scriptable. Would those DBA’s accept the use of GUI tools?
So it looks like it used to be the case that it wasn't scriptable, but it is now.
I make it short:
1. Of course
2. You write a script. Or simply use something out of the Systems Management Product Family (awesome btw)
3. WMI or Powershell should do the job.
You rarely write custom code when scripting... most use cases are covered by a huge library MS offers. The rest is available through google :)
We have run large Windows Server Farms at my past company (SaaS Business) and maybe 3-4 Linux Servers... the ones causing the most trouble were the Linux ones. One reason: Every dummy can administrate a Windows machine... not so a Linux machine! That fact forced the Ops team to get rid of the Linux machines as quick as they could.
> Every dummy can administrate a Windows machine... not so a Linux machine! That fact forced the Ops team to get rid of the Linux machines as quick as they could.
So you choose an inferior mediocre alternative just because you can hire mediocre folks to handle it (you mentioned 'dummy'). Ultimately having sufficient technical debt to make you miserable for the next decade.
Linux command line isn't very upfront friendly for sure, but its strength lies in automating as much as you can, programmatically. When you talk of administration things go beyond cleaning up files and giving access to users. You must have abilities/tools to quickly hack up solutions to programming problems while problems in operations. That's why bash/sed/awk/perl and other Unix text processing utilities are so big on the server side. Unix forms a complete programming ecosystem in itself apart from being an OS. Windows command line is not just weak but literally useless in this area.
It's like saying just because anybody can use notepad, Emacs is useless.
> they sort of winced and said "Linux... ehhh... it's hard to get Linux doing what you want."
I'd say the company you work for has a humongous and probably incurable HR problem. If this is the kind of IT folks they hire, my best advice would be to run away and stay as far from it as possible.
You can also write a very fun book with the stories you probably witness. I'd buy it.
> This is the problem with getting tech news only from HN.
Most of us have worked one or more tech jobs, and HN isn't the source for the assumption that nobody uses Windows as servers. That nobody is far fetched - of course .net shops will most probably be deploying on Windows; for some reason most of the Java shops do so as well.
But outside that, Linux or BSD is the favored deployment platform. And the OP's argument basically boils down to server vendors can't afford to not boot Linux, not when Linux has a significant market share.
This could block Linux from booting, but realistically speaking, does anyone believe that will happen? It seems very, very unlikely to me that you won't be able to disable signing restrictions at the firmware level.
Investors are savvier than you'd think. Even on a rumor that the vendor is doing an exclusive lock-in with MS, I'm sure you'd see the stock price dip. Investors spend all their time looking at news reports in their target industry, so I'm sure they'll notice something as big as this.
But what product will they be putting the lock-in on? It may not matter, as we've seen with mobile OSes which, from the perspective of the median buyer, are locked in.
It makes some sense that MS will do this especially since Hyper-V (VM Hypervisor) is now built-in to Windows 8. "Want Linux? You need Windows too..."
This is overblown. However, if this means secure boot hardware is even more widely available, it is a win -- if the keys are under control of the user or his organization, it is a huge security win.
I've long thought that the only place where I allow Windows is in a virtual machine. This seems to hint in that direction: buy a machine that isn't broken (can boot Linux) and do your Windows duties under VirtualBox or something.
It won't happen, and if it does happen, it won't matter.
Can you imagine the Anti-Trust problems this would create? Microsoft is still a big fat target for anti-trust lawsuits and this one is pretty blatant.
And if it does happen, while we're waiting for the Justice Department to end it I'm pretty sure the Linux hackers will find a way around it. When there is a will, there is a way.
ChromeOS has a similar thing, with a developer switch at the back that basically turns off the signature validation in firmware. What they should worry about is which CA root to put in there.
> The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or
Does it have to be directly signed by that key, or does it work like the CA system that web browsers use?
> A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. [ from the blog post rather than the article ]
Which tells us that either systems will not ship with only those keys, or there will be a simple way to disable this ("Press F2 for setup"), or somebody will be getting sued on antitrust grounds (which maybe would be ignored again in the US, but not the rest of the world) and forced to provide a workaround.
No one seems to have mentioned the impact this will have on Live systems. I'm frequently called on by Windows users to recover lost data on corrupted systems, which I do using a Live Linux distribution (especially when they have discarded their installation media & access keys, and have no interest in investing money in continuing using Windows if I can give them a free alternative to getting online). How will I be able to do that for people with Windows 8 computers?
I'm sure I'll be able to find unsigned hardware for my personal use, but it's the interoperability that concerns me.
It certainly won't get easier to install a Linux dual-boot. It is already difficult enough as it is:
* Windows PCs without installation medium
* Windows installation with a full partition table (four primary partitions)
* (intentionally?) corrupted partition tables
I.e. installing GNU/Linux requires you to resize partitions with a potentially corrupted NTFS file system and/or delete backup partitions. Alternatively the user uses a Windows image file as Linux file system (Wubi) which is slower and a more fragile solution.
Linux (on the desktop) is probably of little or no concern to Microsoft at this point. They've got bigger problems to worry about. If they want to focus on making computers sold with Windows offer the best possible experience it will benefit the most people. Possibly it will make things harder for Linux users but from Microsoft's perspective if the OEM is shipping Windows there's no reason to consider Linux as part of the equation.
My personal opinion is that it is indeed little concern, but a little concern to many parts of MS, which compared to many other companies may well look like a dedicated anti-linux corporation that outnumbers them.
But what is "Linux"? If it were a package you could buy in a box from the store, the manufacturer would just sign a contract with OEMs to have a suitable key present in all manufactured computers, but Linux isn't like that. What if I want to compile my own kernel in order to try out an experimental feature, or help test a driver? What if I need to upgrade my boot-loader?
The only alternative to 'blocking Linux' is 'allowing anything to run', and if manufacturers were happy to allow that, they wouldn't bother with these features in the first place.
I'm sure there'll still be lots of computers that are capable of running Linux - multi-thousand dollar servers and high-end workstations; the kind of computers you buy through your account manager. It seems pretty sensible to block unauthorised OSs on low-end computers — the kind that ship with OS X or Windows Basic, the kind where minimizing support costs is vitally important.
Unfortunately, that's the same market segment where I and everybody I know got their start: taking over an old Windows box and putting Linux to see what the fuss was all about.
Could it be that the "fear-mongering" and subsequent outrage is a major reason why we didn't have this kind of lock-down 5-10 years ago?
I think mjg's wait-and-see approach is good to do. Not panic yet. But certainly not to forget either - keep an eye out, see how it develops, and be prepared to oppose lock-down through various channels should it come (and hopefully before it is too late).
If this makes it into real hardware I expect the EU to reopen their case against Microsoft fairly quickly on anti-competitive grounds. There are too many governmental institutions and businesses dependent on Linux for their day to day work for this to go unchallenged.
There was a time when Windows Logo was considered prestigious, respectable and trendy thing.
With such a practice Microsoft is quickly approaching a time when Windows Logo will be perceived like a hot-iron branding of robbers and other criminals in the medieval era.
Does this affect dual booting OS X? I doubt the side-effect of blocking Linux boots was anything but a coincidence. But could Microsoft be fearful of Hackintoshes becoming more popular and an increase of OS X running on non-Apple hardware?
> Does this affect dual booting OS X? I doubt the side-effect of blocking Linux boots was anything but a coincidence. But could Microsoft be fearful of Hackintoshes becoming more popular and an increase of OS X running on non-Apple hardware?
I doubt it. Whilst I don't mean to belittle the hard work that goes into the hackintosh projects out there, we're talking about a tiny, tiny group of people that probably have an imperceptible impact on MSFT's bottom line.
Hackintoshes a threat to Windows? No offense, but that's laughable. It's been awhile since I put together one but it's such a huge pain in the ass that even most people capable of putting OS X on ordinary hardware won't bother.
If the UEFI could be made to handle multiple keys, and allow the owner to enter them into the firmware, then this could work. One more step in the setup but a more secure system overall.
But even if this was true, there are still ways around this right? I mean rEFIt does a pretty good job booting up Linux in Mac, so wouldn't this be possible in those PCs as well?
Wouldn't this draw anti-trust battles? Since complying with EFI signing is against the license of one of the only other major alternatives to Windows, this would not bode well for Microsoft.
Could be -- it sounds like a possible "tie-out" (a variation on tie-in). AFAIK There haven't been many tie-out cases, but as antitrust litigator George Gordon [1] put it a few years back, "The term “tie out” is often used to refer to arrangements in which a license prohibits a licensee from dealing in and/or developing competing, noninfringing technologies. [Footnote omitted] Such arrangements have been found to be intellectual property misuse and could form the basis for an antitrust claim as well." [2]
If MS were to do something like this, I imagine Gary Reback [3], its nemesis in previous antitrust battles, would be all over it ....
> Wouldn't this draw anti-trust battles? Since complying with EFI signing is against the license of one of the only other major alternatives to Windows, this would not bode well for Microsoft.
And who do you expect to pursue this anti-trust?
The US government?
Oh, I didn't realize you were joking! ha ha, funny.
The US government is owned by big corps, MS being one of them. Something really weird has to happen for them to turn against their corporate masters. (And don't compare it to the previous anti-trust case - at the time, Microsoft wasn't lobbying and paying, sorry, donating to, politicians from both parties)
Summary : Machines that have the "Windows 8" logo must have UEFI, which means the bootloader must be signed with a key that's in the BIOS. Additionally the OS can use the keys to check other signed code : device drivers etc.
My conclusion : A smart vendor will include a signed program that will manage said keys in the BIOS.
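A small model of the boot policy the comments above argue about (the signed-bootloader chain of trust and owner-enrolled keys), added here as an illustration; it is not taken from any commenter, from the UEFI specification or from a vendor's firmware. It assumes hash entries in the allow-list instead of signing certificates, uses plain SHA-256 over constructed byte strings in place of real boot images, and lets every stage be checked against the same lists; all class and function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field


def digest(image: bytes) -> str:
    """SHA-256 of an image (assumption: stands in for the digest real firmware computes)."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Firmware:
    """Toy firmware policy: an on/off switch, an allow-list (db) and a deny-list (dbx)."""
    secure_boot: bool = True
    db: set = field(default_factory=set)
    dbx: set = field(default_factory=set)

    def enroll(self, image: bytes) -> None:
        self.db.add(digest(image))

    def revoke(self, image: bytes) -> None:
        self.dbx.add(digest(image))

    def may_run(self, image: bytes) -> bool:
        if not self.secure_boot:
            return True  # verification switched off: anything loads
        d = digest(image)
        return d in self.db and d not in self.dbx  # the deny-list always wins


def boot(fw: Firmware, chain: list) -> list:
    """Walk (stage_name, image) pairs in order and return the stages that ran.

    The chain stops at the first image the policy rejects, so a trusted
    loader never hands control to an untrusted kernel.
    """
    ran = []
    for name, image in chain:
        if not fw.may_run(image):
            break
        ran.append(name)
    return ran


# Constructed sample images; real ones would be EFI binaries.
VENDOR_LOADER = b"constructed sample: vendor boot manager"
VENDOR_KERNEL = b"constructed sample: vendor kernel"
DISTRO_LOADER = b"constructed sample: generic Linux boot loader"
DISTRO_KERNEL = b"constructed sample: distribution kernel"
CUSTOM_KERNEL = b"constructed sample: self-compiled kernel"


def shipped_firmware() -> Firmware:
    """Firmware as shipped in this model: only the vendor's images are enrolled."""
    fw = Firmware()
    fw.enroll(VENDOR_LOADER)
    fw.enroll(VENDOR_KERNEL)
    return fw


def scenarios() -> dict:
    vendor = [("bootloader", VENDOR_LOADER), ("kernel", VENDOR_KERNEL)]
    distro = [("bootloader", DISTRO_LOADER), ("kernel", DISTRO_KERNEL)]
    custom = [("bootloader", DISTRO_LOADER), ("kernel", CUSTOM_KERNEL)]
    out = {}

    fw = shipped_firmware()
    out["vendor_os"] = boot(fw, vendor)
    out["generic_linux"] = boot(fw, distro)      # nothing enrolled for it

    # The owner adds entries for the distribution's loader and kernel.
    fw.enroll(DISTRO_LOADER)
    fw.enroll(DISTRO_KERNEL)
    out["owner_enrolled"] = boot(fw, distro)
    out["dual_boot_kept"] = boot(fw, vendor)     # vendor entries are untouched
    out["custom_kernel"] = boot(fw, custom)      # loader runs, kernel is refused

    # A revoked loader is refused even though it is still in the allow-list.
    fw.revoke(DISTRO_LOADER)
    out["after_revocation"] = boot(fw, distro)

    # Switching verification off in setup lets the whole chain run.
    fw.secure_boot = False
    out["verification_off"] = boot(fw, custom)
    return out


if __name__ == "__main__":
    for name, stages in scenarios().items():
        print(f"{name:18} -> {stages}")
```
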
Like I suspected, this entire thread has been turned by zealots into a Microsoft-bashing exercise.
I genuinely despair for people who spend their entire time platform bashing and don't add something constructive to the discussion or tar and feather a side religiously. It paints a very bad picture of the "startup culture" amongst more established organisations.
I use ubuntu but surely my harddrive is full of malware (boot system compromised). Linux is for hacker playing with backdoors. I like free software and linux, but if I need a secure system, I should have to pay the price of using windows 8.