
Dual Boot Not Trusted, Rejected By Vista SP1

Alsee writes "Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system. The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."
This discussion has been archived. No new comments can be posted.

  • Re:But what if... (Score:2, Insightful)

    by KDR_11k ( 778916 ) on Wednesday July 30, 2008 @04:32PM (#24407947)

    I would guess you can't enable the encryption.

  • by Foofoobar ( 318279 ) on Wednesday July 30, 2008 @04:34PM (#24407991)
    Dual boot systems generally aren't a pain to set up (unless you load Windows second and it overwrites your boot sector). Dual boots are well documented and many people know to load Windows first and then load Linux second and replace the boot sector with LILO or GRUB so you can boot into your choice. It's only Windows that doesn't give choice (as per usual).
  • Re:But what if... (Score:2, Insightful)

    by mpapet ( 761907 ) on Wednesday July 30, 2008 @04:35PM (#24408003) Homepage

    There's no TPM module to establish trust, so I would assume that it would not create this new failure condition. If it does fail out anyway, common sense would say it is there for the purpose of limiting consumer choice.

  • Re:But what if... (Score:5, Insightful)

    by ivan256 ( 17499 ) on Wednesday July 30, 2008 @04:35PM (#24408007)

    Of course, the article says the problem exists even if you don't have the encryption enabled.... However it looks like what happens in that case is the same as what's always happened when a windows update contains a MBR change: It overwrites your third party bootloader. (Or in this latest case, forces you to do it yourself manually).

    I'm failing to see why this is a big deal. Software is in place to check for a piece of third party code intercepting your encryption key... It successfully detects GRUB as such software, and stops. So what?

  • by CarpetShark ( 865376 ) on Wednesday July 30, 2008 @04:38PM (#24408047)

    It's possible to use the Vista bootloader to chainload GRUB

    In which case you can no longer trust linux.

  • by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Wednesday July 30, 2008 @04:39PM (#24408063) Homepage Journal

    "However, it's actually a very good thing that the update and the servicing fail in this scenario, because you can just imagine the implications if the update automatically reinstalled the Vista MBR to restore boot integrity - we'd be flooded with complaints."

    So... yeah. Anyone technical enough to change their bootloader should know how to put it back temporarily so it can get updated.

    If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L.

    I thought that was the entire point of BitLocker - don't unlock things unless you know that you're not running on top of some evil VM.

  • by brouski ( 827510 ) on Wednesday July 30, 2008 @04:42PM (#24408115)

    Are so few people dual booting Vista and Linux that this story hasn't hit Slashdot until now? Is it even still applicable?

  • How is this news? (Score:5, Insightful)

    by vux984 ( 928602 ) on Wednesday July 30, 2008 @04:51PM (#24408245)

    Vista's security chain works as designed and intended, preventing you from injecting an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isn't a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.

    If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.

    The ONLY flaw I see in the entire Vista/TPM system is that users don't seem to have a way of manually trusting things they genuinely want to trust. If it hasn't been blessed by MS it's not trusted -- that's a fine policy for general users, but if I, as the hardware want to trust a specific bit of code (e.g. the linux boot loader) then I should be able to manually sign it somehow, and add my personal key to my personal install of Vista. And then the grub bootloader I signed will be trusted on my (and only my) PC.

    All the 'chatter on the internets' is currently centered around how to disable UAC, how to disable driver signing, how to go back to running windows as insecurely as possible. I would prefer to see the discussion take a more intelligent direction -- how to obtain keys/certificates, how to add them to Vista's chain of trust on a per PC or per domain basis, and how to sign code with them.

    Signed drivers are a FANTASTIC idea. Not being able to sign drivers myself for my own hardware is EVIL. But MS --does-- have programs in place to let you sign code with 'development drivers' which are designed to only be valid on your PC... it's just that most of the discussion surrounding the issue is how to disable it, and how evil MS is for deciding what is blessed and what is not.

    I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and exercise all the freedoms intended by the GPL.

  • Re:But what if... (Score:3, Insightful)

    by Ferzerp ( 83619 ) on Wednesday July 30, 2008 @04:52PM (#24408259)

    No. Common sense would say it's a bug. Tin-foil-hat sense would say, "it is there for the purpose of limiting consumer choice."

  • by Anonymous Coward on Wednesday July 30, 2008 @04:55PM (#24408297)

    That's great...

    Except for the fact that it happens on any system that CAN run BitLocker, rather than any system ACTUALLY running BitLocker.

    So if you're trying to dual-boot between Linux and Vista Business/Ultimate and you have a TPM-capable machine, forget it: you're locked out until you restore the Vista bootloader.

    Even if you're not using BitLocker.
    Even if you've never even installed BitLocker.

  • by swschrad ( 312009 ) on Wednesday July 30, 2008 @05:00PM (#24408391) Homepage Journal

    come a long, long way from the dos, WFW, and 95 days, when you had control of your own computer.

    which is why I'm not depending on them any more.

  • Re:But what if... (Score:4, Insightful)

    by Cley Faye ( 1123605 ) on Wednesday July 30, 2008 @05:01PM (#24408403) Homepage

    I'm failing to see why this is a big deal. Software is in place to check for a piece of third party code intercepting your encryption key... It successfully detects GRUB as such software, and stops. So what?

    When you don't have the choice to disable this "option", it IS a big deal.

  • by smolloy ( 1250188 ) on Wednesday July 30, 2008 @05:06PM (#24408473)

    Because most new machines come with Vista preinstalled. Not XP.

  • by Applekid ( 993327 ) on Wednesday July 30, 2008 @05:06PM (#24408477)

    That being said, there should be a way to register other trusted signature keys in Vista to allow 3rd party boot loaders. I don't know if there is or not, but there should be.

    That's exactly what's wrong with the Trusted Computing initiative that the major players (Microsoft, Intel, etc) are implementing: they don't trust YOU to make those kinds of decisions to trust 3rd parties.

    http://www.againsttcpa.com/ [againsttcpa.com]

  • by Anonymous Coward on Wednesday July 30, 2008 @05:07PM (#24408481)

    I trust bootloaders that are open source and can have their code reviewed by anyone instead of closed source code that MS can put a back doors in. That's a bootloader _I_ trust instead of a bootloader MS trusts.

  • by RpiMatty ( 834853 ) on Wednesday July 30, 2008 @05:12PM (#24408569)

    Put windows on the first hard drive, then install linux on the second hard drive. Set up grub so it chainloads the windows boot record (for one of the options), and finally make your bios boot off the second hard drive.
    Then Windows is happy and ignorant of its true surroundings.
    That's how my dual-boot desktop at home is set up.

  • by petermgreen ( 876956 ) <plugwash.p10link@net> on Wednesday July 30, 2008 @05:13PM (#24408585) Homepage

    I mean, take Stallman, even -he- who wrote the GPLv3 in part to counter DRM isn't against code signing. He just requires that the keys necessary to sign code be included, so the owner of the hardware and user of GPLv3 code can sign it, and thereby be free to make modifications and exercise all the freedoms intended by the GPL.
    Right, which is the antithesis of what "trusted computing" is all about. Trusted computing is all about allowing vendors like microsoft to trust the computer to work in their partners' interests rather than the users'.

  • by RanCossack ( 1138431 ) on Wednesday July 30, 2008 @05:16PM (#24408617)
    'Cause you take a speed/performance hit depending on what kind of graphics it is using. It can be small or huge, depending on the game. I've found VirtualBox works great for Civ3 and Wine works (with a lot of tweaking) for Civ4, but Civ4 inside VirtualBox is unplayable and Civ3 in Wine is very, very slow. FreeCiv works great and is native, by the way. Curiously, I've heard rumors other games exist.
  • by gd2shoe ( 747932 ) on Wednesday July 30, 2008 @05:16PM (#24408619) Journal
    GRUB includes a bios hack to allow this. Without looking it up, I believe it is the "map" command. I've done this with XP just fine. It's only the Windows boot loader that's too stupid to understand that it's on a second drive. The rest of Windows understands it and just doesn't care.
  • Re:But what if... (Score:5, Insightful)

    by Nikker ( 749551 ) * on Wednesday July 30, 2008 @05:18PM (#24408653)
    When you explicitly check the MBR and have an infrastructure to stop your hardware from operating based on its check ... that's not a bug ;)
  • Re:Affects crack? (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 30, 2008 @05:23PM (#24408731)

    You know, I had to use that crack to get my copy of Vista reinstalled (all the partitions got wiped out, including the OEM one), because it refused to use my OEM key without the OEM partition, and simply wouldn't activate. So, I had to crack my already-paid-for copy of Vista. Oh, sure, I could have gone and sent it back (to Acer, yeah right), or called Microsoft, but isn't it funny that I get a better "customer service experience" from cracked software?

    Posting anonymous for the above reasons.

  • by Red Flayer ( 890720 ) on Wednesday July 30, 2008 @05:24PM (#24408767) Journal

    Problem is, Microsoft don't understand the definition of computer ownership.

    No, they just disagree who the owner is :)

  • It is by design... (Score:5, Insightful)

    by kosmosik ( 654958 ) <kos@ko[ ]sik.net ['smo' in gap]> on Wednesday July 30, 2008 @05:27PM (#24408809) Homepage

    This is by design. If you are into the secure boot stuff you'll know why.

    This is not about DRM and such (but may be) but about *your* data encrypted by BitLocker (the DRM is about protecting *somebody else's* data from you - that is why it is flawed concept).

    Right now there are some kinds of attacks that let you compromise the entire system right from boot (using other than approved bootloader and unsecure boot process) putting it into hypervisor and thus being able to retrieve keys and such directly from memory.

    In fact I don't see any other option as to control entire boot process. And if you wish to control it you need to use tools that support it.

    So in fact it is not a Bad Thing. It could be a bad thing if you are casual-security user - but this 'casual security' is not so secure isn't it?

    I bet BitLocker documentation covers that. But why bother checking? It is better to set the "secure" option to "on" and dumbly believe it.

  • by novafluxx ( 1089189 ) on Wednesday July 30, 2008 @05:30PM (#24408863)
    That's what I use. I wouldn't trust M$ to "secure" my computer. I don't care how it works if it's Microsoft and security...I'll take the open source solution first.
  • by camperdave ( 969942 ) on Wednesday July 30, 2008 @05:36PM (#24408949) Journal
    The default install on any consumer laptop comes with so much crapware that you need to reinstall Windows just to make it usable - why choose Vista?

    Because, like the parent said, you've already bought Vista when you bought the machine. Why buy another copy of Windows?
  • by Anonymous Coward on Wednesday July 30, 2008 @05:40PM (#24408995)

    Does it prevent you from reinstalling? Then your system is bricked. If not, please quit misusing the term.

  • by hayalci ( 807196 ) on Wednesday July 30, 2008 @05:41PM (#24409007) Homepage

    Vista's security chain works as designed and intended, preventing you from injecting an untrusted bootloader into the bootstrap. Isn't that what we -want- from our security systems? This isn't a case of "Microsoft" holding our data hostage, this is a case of our own security policies WORKING.

    If I were to be running Linux, with equivalent protection, I'd be right pissed if it could be trivially rootkitted/bypassed by swapping in a malicious bootloader.

    If the attacker can install a bootloader, that means you were rooted and your precious data can be grabbed from the memory of the program that happens to be using it.

    If the bootloader is installed while the OS is not running, that means you do not have adequate physical security.

  • by the_B0fh ( 208483 ) on Wednesday July 30, 2008 @05:42PM (#24409015) Homepage

    That's why you would virtualize the whole thing and run it in vmware. That will make it secure, yessirreee!

    Yes, I know about the tpm chip - I wonder if vmware exposes it.

  • Re:Who cares? (Score:3, Insightful)

    by Endo13 ( 1000782 ) on Wednesday July 30, 2008 @05:42PM (#24409017)

    Hardware is cheap, so build more than one box for specialized tasks.

    "Cheap" is very relative. If we go by what I consider cheap, I'll say that people would rather dual-boot than build a second box using garbage hardware. For myself, building the second box just never happens because there's always more upgrades that need to be done to my primary box that take up the extra funds available for system upgrades. If your secondary box for "specialized tasks" can do with hardware that's 2-3 years old, sure then you just use old hardware from the main box after you upgrade. I think it's pretty safe to assume though that for those people dual-booting, this is not the case.

    Then there's also the issues of where to put the second box, getting all the peripherals for the second box (or shelling out still more money for a not-cheap KVM switch that reliably works every time), etc. etc.

    In the end it's pretty easy to see why people just dual-boot.

  • by jedidiah ( 1196 ) on Wednesday July 30, 2008 @05:42PM (#24409023) Homepage

    That's nice. The Windows idea of supporting it is "go look on technet" versus the Linux version where it's already built-in and configuration is done for you automatically.

    This is precisely the stupidity that Windows trolls like to accuse Linux of subjecting the end user to.

  • Re:But what if... (Score:5, Insightful)

    by Kuciwalker ( 891651 ) on Wednesday July 30, 2008 @05:49PM (#24409119)
    You do have a choice. The choice is called "turn off BitLocker". Inherently the BitLocker feature is worthless if it allows you to run an arbitrary bootloader.
  • by WarwickRyan ( 780794 ) on Wednesday July 30, 2008 @05:54PM (#24409175)

    > Never Trust Trustworthy computing. it hasn't earned it.

    Trusted Computing.

    There's a big difference between Trusted and Trustworthy. As this update proves.

  • why can i do it? (Score:3, Insightful)

    by Bizzeh ( 851225 ) on Wednesday July 30, 2008 @05:56PM (#24409203) Homepage

    Right now, I'm running windows vista sp1 ultimate and gentoo 2008.0, booting via grub (chainloader for vista) and it works perfectly well...
    Why hasn't the information in this article been checked for that thing called... the truth?

  • by naoursla ( 99850 ) on Wednesday July 30, 2008 @06:22PM (#24409541) Homepage Journal

    And if TrueCrypt does interface with TPM then it is going to run into similar issues as BitLocker.

  • by naoursla ( 99850 ) on Wednesday July 30, 2008 @06:28PM (#24409639) Homepage Journal

    Trusted computing is all about allowing vendors like microsoft to trust the computer to work in their partners' interests rather than the users'.

    That is not the attitude I've seen inside Microsoft. The goal is to allow you to trust that your computer has not been compromised by a third party. Does your system have a rootkit installed on it? How do you know?

  • by alexborges ( 313924 ) on Wednesday July 30, 2008 @06:58PM (#24409933)

    rpm -Va

    There.

    And I forget how to do it with dpkg, but it works the same way.

  • Re:But what if... (Score:5, Insightful)

    by Sj0 ( 472011 ) on Wednesday July 30, 2008 @07:17PM (#24410119) Journal

    [...]they'll either use rubber hose cryptanalysis[...]

    So that's just DoJ thugs coming to your house and whipping you with a rubber hose until you tell them the password, right?

    I'm so glad we torture now. I feel so much safer knowing we've got that weapon at our disposal.

  • Right.. (Score:1, Insightful)

    by Anonymous Coward on Wednesday July 30, 2008 @07:24PM (#24410195)

    Some people might take 2 or three days to go all Linux but games. Assuming it can convert everyone overnight is a bit overoptimistic :)

  • Re:Affects crack? (Score:3, Insightful)

    by hxnwix ( 652290 ) on Wednesday July 30, 2008 @07:39PM (#24410347) Journal

    Patch the code that checks the MBR. The code that checks whether the code has been patched has been patched already, evidently. With that out of the way, you're good to patch some more.

    The question is, why would you want to run Vista?

  • by Anonymous Coward on Wednesday July 30, 2008 @07:53PM (#24410489)

    But MS --does-- have programs in place to let you sign code with 'development drivers' which are designed to only be valid on your PC

    This also means that if hardware maker 'A' releases a driver that MS does not like, they will simply refuse to sign it.
    Reasons for not 'liking' a driver go beyond just being unstable. For example, if the company provides Linux native drivers you will have a lot of trouble getting a signed Windows driver for that hardware.

    The problem with Vista's UAC is this: I have an admin account, under which I should have full control and access to the system. Restricted access should only happen in a standard user account.

    You say that the only flaw is that users don't have a way of manually trusting things they want-- this is the major issue which breeds the hatred of UAC and most of the 'chatter on the internets' you speak of.

  • by dave562 ( 969951 ) on Wednesday July 30, 2008 @08:03PM (#24410593) Journal
    Just like most other Microsoft/Windows topics on Slashdot, people seem to miss a huge portion of the picture. Maybe most of you guys are geeks living in your basements, or consultants running small businesses on your own hardware. If that is the case then this isn't directed at you because you don't have the perspective for it to be on your radar.

    Software like Vista Ultimate with BitLocker is aimed at the corporate environment. If I'm a network admin, I don't want some jack hole dual-booting anything on my network. He doesn't need a Linux partition on his workstation. I might want laptops with TPM and BitLocker for the sales staff so that when they get drunk and lose their laptops with the customer list on it, I can rest relatively soundly knowing that the data is secure.

    It is obvious that Microsoft does not care about the individual end user who wants complete control over their computer. That is okay with me. Maybe I've been drinking too much of the Kool Aid but I'm happy with HP hardware running a Microsoft OS. I like the fact that they make it a complete PITA for the end user to do anything to their workstation. It makes my job easier. 95% of the corporate computing world can get by with an office suite, a web browser and access to a couple of custom apps (financial, inventory, manufacturing, and what not). They don't need to be playing stolen mp3s that they got from Pirate Bay, watching DVDs on their lunch breaks, or dual-booting their damn desktops.

    Where are all the gripes about how Server 2003 sucks? How about the gripes about IIS6 getting owned all over the place? They aren't there because Microsoft is focusing their attention where they need to focus it... on the administrators responsible for hundreds and thousands of workstations and servers. Does anyone really think that the folks at Microsoft stay up late at night wringing their hands over corporation versions of their workstation software not dual-booting a third party OS? Seriously guys... what portion of the Vista Ultimate/Enterprise user base do you think is negatively impacted by the change? 1%? 3%? I'm not talking about the developers who need ten thousand OSes on their machines "for development purposes." I'm talking about the cubicle drones who work 8-5 running a couple of applications.

  • Re:But what if... (Score:5, Insightful)

    by dpilot ( 134227 ) on Wednesday July 30, 2008 @08:34PM (#24410827) Homepage Journal

    MOST Microsoft customers will be perfectly happy with that level of intrusive control, and won't even realize it's there. It's only that lunatic fringe that thinks that they actually *own* the computer that they paid money for, and want to dual-boot, that will realize that something is amiss at the Circle K.

  • by lysse ( 516445 ) on Wednesday July 30, 2008 @08:57PM (#24410977)

    Ironic, really, that the whole point of Trusted Computing is that the person doing the computing cannot be trusted...

  • by RegularFry ( 137639 ) on Wednesday July 30, 2008 @09:01PM (#24411025)

    I think you're missing the point. If I can install an arbitrary bootloader, then the RIAA and MPAA can't trust Microsoft's DRM implementation not to get swapped out for a dummy version. This doesn't have anything to do with protecting my data.

  • by Anonymous Coward on Wednesday July 30, 2008 @09:06PM (#24411073)

    I can find no way to get my application X added to a trust chain and thereby be trusted and usable. If Microsoft has a trust chain, then since they are a monopoly they should be required to accept trust requests and add them if they meet valid requirements for trust.

    In other words the GRUB developers should be able to get a trust certificate so that windows boot loader accepts it as trusted, but I can't find out how to even get one.

  • Re:Affects crack? (Score:3, Insightful)

    by kat_skan ( 5219 ) on Wednesday July 30, 2008 @09:14PM (#24411159)

    If you'll pardon my saying so, that seems like a rather foolish decision. I've called Microsoft's product activation support before, and I seriously doubt you'd have found it to be more of a hassle than finding a crack.

    When I've called them it's never been for anything that required them to issue a new key, so maybe you have a case here where they'd be more difficult to deal with, but you've opted to trust some warez site to modify your operating system and not root you while it's at it, without even bothering to try the support avenues available to you.

    The product activation in XP and Vista is certainly unnecessary and obnoxious, but I think it falls well short of being *so* obnoxious that blindly executing untrustworthy code would seem like a reasonable response.

  • by DavidRawling ( 864446 ) on Wednesday July 30, 2008 @09:51PM (#24411389)
    Because no rootkit on earth could possibly replace dpkg or rpm with its own altered versions that report "Hey, everything's cool man"? Wouldn't that be the first thing replaced by the rootkit (after inserting itself in the boot sequence)?
  • Re:But what if... (Score:3, Insightful)

    by AmberBlackCat ( 829689 ) on Wednesday July 30, 2008 @10:12PM (#24411513)
    So maybe they should just make a "Really Funny" mod that increases Karma and distinguishes from the usual attempts at humour on here.
  • by Anonymous Coward on Thursday July 31, 2008 @01:18AM (#24412533)

    Never mind GRUB. The user ought to be able to (relatively) easily add such trust.

  • Re:But what if... (Score:2, Insightful)

    by poopdeville ( 841677 ) on Thursday July 31, 2008 @01:43AM (#24412665)

    I say it ought to still work, even with a third party boot loader, provided that the user has elected to run a small MS utility to cryptographically sign the boot loader and add it to the chain of trust. Ideally, this utility and information about it would be easily available to anybody who needed it.

  • by Tim C ( 15259 ) on Thursday July 31, 2008 @03:44AM (#24413285)

    But that's just it - the vast majority of people don't even know that you can dual-boot, let alone want to. In addition, this only affects Vista Enterprise and Ultimate - most people will be using either Home Basic, Home Premium or maybe Business.

    This really does affect a tiny proportion of a small proportion of users.

  • by vux984 ( 928602 ) on Thursday July 31, 2008 @04:51AM (#24413569)

    That aspect is fundamentally designed into the hardware chip itself.
    The chip is designed to secure the system against the owner.

    The "owner" or the "end-user"? Those are two extremely different situations. As the *owner*, I want the chip to secure the system against the user. The user may be clueless, the user may be malicious, etc. And as the owner I want to protect my systems.

    The chip says the owner has no control, except the control to "opt-in" to a given pair of handcuffs or to "opt-out" and the chip locks you out.

    I disagree. The chip says the -end user- has no control. He who defines the handcuffs owns the system.
    And **Someone** has to define what those handcuffs are. **SOMEONE** is in control. To me, that person is the *OWNER*.

    The chip "design" is not at fault here. If we give the *appropriate* person the right to be that "someone" -- ie the physical hardware owner, then the system isn't evil in the least.

    It's only evil if we assign Microsoft to be the "owner" or "the one who sets the rules"... or the RIAA, or the BSA. But that assignment isn't implicit in the chip design. There is nothing in the design of the chip that prevents us from assigning those rights to the guy or gal or enterprise who buys the hardware.

    There is no basic fix to make this Not-Evil by just having Microsoft or any other particular person/organization Not-Be-Evil with this stuff. The evil aspect is in the chip design itself, handing those lockdown powers to whomever wrote the un-modifiable software you were given.

    The basic fix is to assign those powers to the physical owner of the hardware.
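
The measured-boot behaviour argued over in this thread, as an added example that is not from any commenter or from Microsoft: a simplified single-PCR model of the TPM 1.2 SHA-1 extend operation and of sealing a key to a boot chain. `ToyTPM`, `predict_pcr`, the component byte strings and the key-wrapping scheme are all hypothetical; BitLocker's actual PCR selection and TPM commands are not modelled.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs hold one SHA-1 digest


def predict_pcr(chain):
    """Replay the extend operation over a boot chain, starting from the reset value."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        measurement = hashlib.sha1(component).digest()
        pcr = hashlib.sha1(pcr + measurement).digest()  # PCR_new = H(PCR_old || m)
    return pcr


class ToyTPM:
    """Hypothetical single-PCR model of sealing; not a real TPM interface."""

    def __init__(self):
        self._root_key = os.urandom(32)  # stays inside the "chip"
        self.pcr = bytes(PCR_SIZE)

    def boot(self, chain):
        """Power-on reset, then every stage is measured before it runs."""
        self.pcr = predict_pcr(chain)

    def _keys(self, pcr, nonce):
        # Keys depend on the PCR value, so another boot chain derives other keys.
        base = hmac.new(self._root_key, pcr + nonce, hashlib.sha256).digest()
        enc = hashlib.sha256(base + b"enc").digest()
        mac = hashlib.sha256(base + b"mac").digest()
        return enc, mac

    def seal(self, secret, release_pcr=None):
        """Bind a secret (up to 32 bytes) to a PCR value, by default the current one."""
        if len(secret) > 32:
            raise ValueError("toy model seals at most 32 bytes")
        pcr = self.pcr if release_pcr is None else release_pcr
        nonce = os.urandom(16)
        enc, mac = self._keys(pcr, nonce)
        ct = bytes(a ^ b for a, b in zip(secret, enc))
        tag = hmac.new(mac, ct, hashlib.sha256).digest()
        return {"nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        """Return the secret only if the current PCR matches the sealed-to value."""
        enc, mac = self._keys(self.pcr, blob["nonce"])
        tag = hmac.new(mac, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # boot chain differs from the one the key was sealed to
        return bytes(a ^ b for a, b in zip(blob["ct"], enc))


# Constructed stand-ins for boot components; real measurements hash the actual code.
FIRMWARE = b"constructed-firmware-image"
VISTA_MBR = b"constructed-vista-mbr"
GRUB_MBR = b"constructed-grub-mbr"
BOOTMGR = b"constructed-vista-bootmgr"
VISTA_CHAIN = [FIRMWARE, VISTA_MBR, BOOTMGR]
DUAL_CHAIN = [FIRMWARE, GRUB_MBR, BOOTMGR]  # third-party MBR ahead of the Vista loader


def demo():
    tpm = ToyTPM()
    volume_key = os.urandom(32)
    tpm.boot(VISTA_CHAIN)
    blob = tpm.seal(volume_key)
    results = {}
    tpm.boot(VISTA_CHAIN)
    results["same_chain"] = tpm.unseal(blob) == volume_key
    tpm.boot(DUAL_CHAIN)
    results["grub_mbr"] = tpm.unseal(blob) is not None
    tpm.boot(VISTA_CHAIN)  # the workaround: restore the original MBR
    results["restored"] = tpm.unseal(blob) == volume_key
    # Owner-chosen trust: from the trusted state, reseal to the predicted dual-boot PCR.
    owner_blob = tpm.seal(tpm.unseal(blob), release_pcr=predict_pcr(DUAL_CHAIN))
    tpm.boot(DUAL_CHAIN)
    results["owner_resealed"] = tpm.unseal(owner_blob) == volume_key
    return results


if __name__ == "__main__":
    print(demo())
```

In this model the refusal to unseal after the MBR changes and the owner's ability to reseal to a chain they choose are both consequences of the same extend rule; who is allowed to perform the reseal is a policy decision outside the hash chain.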
