Slashdot Log In
Phoenix BIOSOS?
Posted by
timothy
on Thu May 14, 2009 06:47 PM
from the which-layer-does-what dept.
from the which-layer-does-what dept.
jhfry writes "In an interesting development by an unexpected source, Phoenix Technologies is releasing a Linux-based, virtualization-enabled, BIOS-based OS for computers. They implemented a full Linux distro right on the BIOS chips, and by using integrated virtualization technology, it 'allows PCs and laptops to hot-switch between the main operating system, such as Windows, and the HyperSpace environment.' So, essentially, they are 'trying to create a new market using the ideas of a fast-booting, safe platform that people can work in, but remain outside of Windows.'"
Related Stories
[+]
Hardware: The Future Might Be BIOS and Browsers 350 comments
An anonymous reader writes "Few in the open source community have welcomed online applications like Google Docs with open arms, but Keir Thomas claims he's found a way forward — and it's one that involves exclusively open source. He reckons BIOS-based operating systems are the future, because they will alter the way users think about their computers. FTA: 'The key breakthrough is ideological: BIOS-based operating systems demote the operating system to just another function of the hardware. It breaks the old mindset of the operating system being a distinct platform, or an end in itself. The operating system becomes part of the overall computing appliance. This allows the spotlight to focus on online applications.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Hrm (Score:5, Insightful)
Re:Hrm (Score:5, Interesting)
The Paranoid Conspiracist in me says: "This is an essential step for the trusted computing platform, where a government or corporate owned rootkit could exist on your computer, with little to no ability to be replaced or removed by the owner of the machine."
Parent
Re:Hrm (Score:5, Insightful)
He basically makes the argument that TPM is a dual-use technology: it can be used for good or evil. Problem is, the evil uses could easily be disabled without impairing the good uses... but that hasn't happened.
"Remote attestation" is for DRM, plain and simple. It's evil. There is no reason I'd want my computer to produce a report of what software I'm running without giving me the ability to change that report before it's sent out. That feature is useless for me as a user; it's only useful to third parties that want to restrict the software I'm allowed to run (e.g. by refusing to send me a video stream unless they know I'm using their preferred player).
If they removed remote attestation from the TPM spec, or simply put a switch on the side of the computer so the owner could forge attestations whenever he felt like it, it wouldn't be evil. So the question is, if Trusted Computing is such a boon for users, why does it still have features that only serve to undermine those very users?
Parent
Re:Hrm (Score:5, Insightful)
> So the question is, if Trusted Computing is such a boon for users, why
> does it still have features that only serve to undermine those very users?
Or you might consider a slightly bigger world than your basement and uses for computers besides downloading porn and playing WoW. Remote attestation might not be something you care for, but if you were designing an ATM system you might feel differently about the ability to know, with a pretty high confidence, that the remote terminals are uncorrupted.
You are stuck on the idea that it is YOUR computer and that will always be so, that the person in front of the display owns the machine. But that just isn't true in a great many scenarios. I'd really like a system that allowed me to know if one of the workstations around here had been compromised. All of our machines are 'mine' in the sense I'm the one responsible for them, the employees sitting in front of em just use em.
Even remote attestation can be used for either good or evil. The key is to resist when big media tries to use it for evil. And it's evil because the machines aren't TimeWarner's yet they want to assert ownership over them just because they are displaying their precious IP.
Parent
Re:Hrm (Score:5, Insightful)
Remote attestation might not be something you care for, but if you were designing an ATM system you might feel differently about the ability to know, with a pretty high confidence, that the remote terminals are uncorrupted.
Fair enough. But if I were designing an ATM (or a kiosk, or any other public-facing terminal where remote attestation might have a legitimate use), I could put whatever additional hardware in there I wanted. I'm already adding a keypad, card reader, touch screen, etc. so why not one more thing?
Remote attestation isn't something that needs to be built into the average PC. On a typical user's desktop, remote attestation doesn't really have any legitimate uses, only evil ones.
I'd really like a system that allowed me to know if one of the workstations around here had been compromised. All of our machines are 'mine' in the sense I'm the one responsible for them, the employees sitting in front of em just use em.
If those workstations came with a switch on the side for forging attestations, and you didn't want users doing that, you could simply disable the switch. Just like you can already disable CD-ROM drives, USB ports, or whatever else users might use to compromise the workstations.
Parent
Re:Hrm (Score:4, Interesting)
As a system administrator, I disagree in the strongest possible terms. I'd love to be able to have the domain clients here restricted to an authorized software list. I could let users install things they needed or wanted instead of having to do everything for them, but I could restrict the list of available code to things I'd verified were safe and wouldn't cause system issues, security problems, etc. It'd also offer significant protection against resident malware. It'd be great.
Even being able to detect when a machine had unauthorized software on it would be a huge plus.
The parent poster's point is an excellent one - often the user of the computer isn't the owner, and/or isn't the person responsible for managing and maintaining it. In these cases remote attestation becomes highly attractive.
Parent
Re:Hrm (Score:4, Interesting)
I think you've got a skewed perspective.
I'm assuming here that you're some sort of administrator or something. Based on that assumption I offer this perspective: Your job only exists to enable them to do theirs. You're a meta-worker, they're the workers. Certainly there is some allowance for pride in your work in that it's "your" network or "your" computers, but you're really only there to enable them. Without them, you wouldn't be necessary. As long as you keep that in mind, everyone benefits.
Parent
Re:Hrm (Score:5, Informative)
Its a tool, and can be used for good/ill. I actively build/buy servers and laptops with TPM functionality because it allows me to enable encryption with BitLocker, save the recovery key someplace secure (safe deposit box), and from there on out, the encryption is completely forgotten about. On laptops, I enable the PIN functionality so an intruder would have to have the tech of a chip fab to coax the information needed to grab the HD contents. Even though TPM chips are not hardened against physical attack, few thieves outside of intel agencies have the tech to rip open a chip's package and attach probes to the chip's microscopic pads.
Either way, servers can reboot unattended while the data is encrypted, and laptops are protected against brute force password attacks. If an intruder tries to repeatedly guess a PIN, the TPM will just keep forcing longer and longer delays, if not permanently locking.
All a TPM is, is a cryptographic token that is on the hardware, with two pieces of additional functionality: The ability to validate that the MBR and booting parts of the hard disk have not been tampered with, and remote attestation.
The ability to check for tampering is important because in theory, someone can put a keylogger on the boot sector, then pass the info onto the real preboot authentication system (PGP or TrueCrypt) while saving the boot passphrase for an attacker in some safe area. If someone tries to tamper with the BitLocker subsystem, the TPM won't allow the machine to boot and it will be obvious that something is fishy.
Remote attestation is controversial, but you don't have to turn it on in BIOS. Same with Intel's vPro stuff.
Finally, by the TPM spec, all TPM chips are shipped turned off and disabled by default, so a software maker can't depend on one for DRM reasons.
Parent
Re:Hrm (Score:5, Interesting)
In the fourth case, the core security software grabs input and output from the network and disk to check the data for security threats. In that case, "you won't even really know you are using hyperspace," Hobbs says.
Talk about the setup for the rootkit from hell.
Parent
SplashTop (Score:4, Interesting)
So is this fundamentally different from Asus putting SplashTop on some of their netbooks and motherboards?
Re:SplashTop (Score:5, Interesting)
> So is this fundamentally different from Asus putting SplashTop on some of their netbooks and motherboards?
Very different. What Phoenix is doing is pushing Windows into a VM, permanently. The machine boots Linux from the BIOS and loads Windows into a VM container in the background while you have a basic Linux desktop to browse the web, read email, etc. You can flip between Windows and Linux with a hotkey. But Windows stays in the VM. This offers a hope of eventually containing the menace from Redmond. The question is whether Phoenix will want to go there.
Imagine a real firewall dropped between the virtual NIC in Windows and the real one. Even better, just forget the network in Windows for most uses, use the Firefox on the 'other' more safe system that is a hotkey away. Push this tech a bit more and have seamless Windows(tm) windows running rootless on the X side. Now we don't even need to worry about two different displays. Basically, this tech offers the potential to blur the line between Windows and a real Internet ready system in ways impossible to predict. This could erase enough of Windows' defects to keep it viable or it could remove enough of the reasons to run Windows it hurts it. But Pandora's box is open and it will be interesting.
Parent
Wow! They invented CoreBoot/LinuxBIOS (Score:4, Informative)
Imagine that, a mere 10 years after LinuxBIOS (now CoreBoot) first provided a full linux version on the BIOS (with near-instant booting into the OS of your choice), Phoenix gives us with this remarkable invention (complete with the standard idiotic fawning by Rob Enderle).
Boot time? (Score:5, Insightful)
I hope they won't increase bloat inside BIOS.
It's called DOS, and it was done a long time ago.. (Score:5, Interesting)
DOS was a BIOS based OS. It passed a large number of its calls directly to the BIOS. We all know how well that worked out.
That said, I would rather have a read-only, default, fallback, usable OS in the system firmware. You know, something that could be used for:
The PC is one of the few platforms where the hardware is actually useless to the end user without an installed operating system. Reflashable BIOSes further compound the problem by allowing a software command to render the hardware unbootable and unrecoverable (that is, unless you happen to have a FLASH programmer and another computer lying around...). The PC has perhaps the worst architure and implementation of any major platform, and it's about time they did something to fix that.
In fact, with the falling prices of flash, why not just flash a Linux kernel into the BIOS?
Re:It's called DOS, and it was done a long time ag (Score:5, Informative)
DOS was a BIOS based OS. It passed a large number of its calls directly to the BIOS. We all know how well that worked out.
Let's just call this a gross oversimplification and be done with it, shall we?
Why bother having a separate OS when the kernel could fit on the firmware?
For security reasons. Your firmware OS might have exploitable privilege escalation bugs, so you don't want to run untrusted software under it directly, only in a protected virtual machine environment. That virtual machine environment must have its own OS, and that would be a disk-based OS which is easier (and safer) to update in the event that security holes are found. It's preferable if the whole boot environment is as near to possible as read-only, just to reduce the possibility of malicious exploit. It shouldn't even be possible to re-flash the system without physical intervention (such as changing a jumper).
With kernel drivers *in the hardware itself*, one would never have to worry about getting the correct driver, etc...
This is true for the flash-based OS and the built-in hardware, which is why you can boot into a usable system so long as enough of the hardware is integrated on the motherboard. Don't forget plug-in cards and external peripherals, though. There's no avoiding the need for those drivers, in general.
Parent
Just work on coreboot damnit! (Score:4, Interesting)
It's high time the old unflexible piece of crap BIOS died.
MacGyver didn't need no stinkin' BIOS (obligatory) (Score:5, Funny)
He could boot your OS with a Swiss Army Knife, some duct tape and and old pop top, drawing the electricity needed from a box of old compasses. I guess he's retired from Phoenix by now, though...
Did they publish the source? (Score:4, Interesting)
Does this include Linux code in the BIOS itself, or only load it off disk and use it. If the former, did they publish the source?
That's pretty awesome (Score:4, Interesting)
People will be able to distinguish between "my computer has crashed" and "Windows has crashed" because, when Windows dies, they will be able to hot-key to the still-running BIOS OS.
That's a very nice innovation. I look forward to buying a mobo which can do this.
Great Idea ... M$ will kill it (Score:4, Insightful)
Or at least pee on it and create a wall of FUD. Their mighty and perfect OS usurped by lowly BIOS - and a BIOS running Linux. How totally non-elegant !
Its a great idea and I would actually have a reason - a real reason - to upgrade my hardware. But I can see M$ telling Dell - HP - etc. if you want to put Windows a BIOSOS system ... no OS discount for you !
However I would love to see the industry find a way to shove this down Balmers throat.
Re:Wait (Score:5, Funny)
Parent
Re:yesterdays news (Score:4, Funny)
But if you look at the back of the clock, it always says "MADE IN CHINA."
Parent
Re:If it works . . . (Score:5, Interesting)
Hyperspace is an extremely fast booting (approx 4 seconds) Linux based mini OS. It is available in two flavors. On PCs without the Intel's VT extensions it is just a fast booting OS, but you can only dual boot it.
On PC's with VT, the bios loads a hypervisor which then boots both Hyperspace, and windows. (It may defer starting windows until hyperspace has loaded). The result is that within for seconds you can begin using the computer, doing things like browsing the web while windows. Once Windows is up, users can instantly switch back and forth.
In theory there should be little reason why other OS could not be used instead of windows, although the system may be installing special drivers in windows to help mitigate some issues.
Parent
Re:If it works . . . (Score:5, Interesting)
Parent
Re:If it works . . . (Score:5, Funny)
Stop sounding stupid.
I've tried this with people before, and it never works. Never fear - I have a plan!
sudo Stop sounding stupid.
Parent
Re:If it works . . . (Score:5, Funny)
sudo Stop sounding stupid.
beav007 is not in sudoers file. This incident will be reported.
Parent
Re:The Achilles heel of this... (Score:5, Interesting)
Parent
Re:The Achilles heel of this... (Score:5, Interesting)
I had most of this in the 70s. It was called the Tandy Model I, and the entire OS was on a chip. There were never any driver problems because you couldn't install drivers. It was instant on (and by instant I mean faster than the CRT/TV it was connected to).
We've come so far .... :P
Oh, and 4K of RAM ought to be enough for anybody. ;)
Parent
Re:The Achilles heel of this... (Score:4, Insightful)
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
I'll forgive your lack of experience on this matter but I have to answer your implication that driver absence is a Linux problem.
There is a problem with manufacturers who decide to keep their hardware specs secret and so make it difficult to have device driver support under Linux. It is true. It is a lot less common, but still true.
But this is not a problem that is exclusive to Linux. There are many devices that are older and will never have support for WindowsXP or Vista or Windows 7. The devices are considered old and outdated by these same manufacturers and do not want people using them any longer and so they don't pay to have people write drivers for more current versions of Windows. It happens. This problem also happens with Mac OS X. Recently, I upgraded my wife's machine to OS X 10.5.x and her Canon scanner does not and will not have drivers for 10.5.x even though 10.4.x and prior are still supported. All I could get were weak apologies from support but there is no intention to change from their position. They recommended that I buy some software from a 3rd party that costs twice what the scanner costs today in stores. (It is pretty weak that they actually display the MacOSX compatible logo on the package and it is no longer completely true...)
My point is that when drivers are not open sourced and/or the hardware specs are not openly available, your hardware is limited by the willingness of the hardware maker to support it. This is true of Windows, Mac OSX and Linux alike. This is NOT a Linux problem. It is a Manufacturer-with-their-heads-up-their-asses problem.
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
A driver missing on an OS isn't the OS developers' fault, but it is their problem. There is a difference. They're not responsible for making the drivers, so its not their fault. Users still don't want to use an OS where they can't use their electronics, though, so it is a problem for the OS developers.
The solution to that problem may be intractable in some cases (a manufacturer refuses to divulge drivers under any circumstances, and no-one is willing to put in the effort to reverse engineer). However, Linux has done remarkably well, and things are only getting better driver-side.
But you're right its not a Linux-exclusive problem. My current printer doesn't work with my Mac, and older equipment may not work with newer versions of Windows.
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
How many FOSS drivers must I mention before you admit Linux does have a problem?
More specifically: how many FOSS drivers *which are not maintained in the kernel tree* must I list?
1. MTP008 temperature sensor was removed from 2.6 (was in 2.4).
2. Peracomm USB ethernet (stopped working while in kernel tree)
3. DIB0700 (and many, many other) based DVB cards - the manufacturer helped making the driver but it still (after over 3 years, in 8.10) is not up-to-date/maintained in the kernel tree.
4. Numerous Wifi cards some of which partially work and some not.
5. Webcams (gspca).
Need I go on?
6. EeePCs ... most came with Linux, most drivers still do not work even in 8.10.
Nobody claims this is exclusive to Linux, it is just a lot more pronounced in Linux.
My point is that even when drivers are FOSS and the manufacturer has willingness Linux *users* can and do have problems.
I leave it as an exercise to the reader to find out why and who is to blame.
Parent
Re:The Achilles heel of this... (Score:4, Interesting)
Latest example is a webcam that I pulled out of my spare parts box for a project. Windows demanded the driver disk (which I didn't have) and couldn't find anything when I told it to go searching on the web. Ubuntu recognized it immediately and the driver was already on the system... instant joy. Gave up on Windows... another reason to delete Windows on my last remaining Windows computer.
I also hear lots of stories about WiFi not working but I have installed Linux on about 15 laptops (internal and external WiFi adapters) over the past few years and WiFi has "just worked" on all of them.
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
There are many devices that are older and will never have support for Windows XP or Vista or Windows 7. The devices are considered old and outdated...
In almost every case - they are old and outdated -
at least those devices produced for the home and SOHO markets.
I replaced a old HP printer with a wireless multifunction HP printer-scanner-fax with Vista drivers -
and by old I mean that only the parallel port worked with XP.
The new - refurbished - ink jet cost $99 with a one year HP warranty. It lacks only the color LCD for instant photo printing.
This is NOT a Linux problem. It is a Manufacturer-with-their-heads-up-their-asses problem.
There comes a time when the geek needs to let go. To pull the plug.
Open Source is not a panacea.
Someone still has to sit down and make the decision to write and test a new driver for a fast-fading piece of legacy hardware -
and if he says the hell with it, there is not much you can do.
Parent
What the heck (Score:5, Insightful)
Which is why our landfills are filling up with e-waste faster than they should be. Great example of attitudes in a disposable society.
I'm all for progress and new technology, but why discard something because it just needs a new set of drivers? The reason why manufacturers can get away with this crap is because people don't get pissed off enough and light up their call enters with complaints.
Parent
Re:The Achilles heel of this... (Score:4, Informative)
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
If the manufacturers will release the damn specs the geeks write the drivers for them and those drivers get included with every distribution by default.
While that is an interesting argument, there are a few fundamental problems that bother me:
a) The incentive of manufacturers to release said specifications is low. Regardless of money made on the acquisition of a wider user base (often through more hardware sales), such specifications create issues for intellectual property and often serve as an opportunity for any competing manufacturers to digest a well-prepared buffet of the inner workings of hardware and the software that supports it.
b) The incentive of said 'geek' to actually sit down and not only write but actively maintain said drivers is based on demand and free time. This leads to the parent post "now you see it, now you don't" support syndrome.
c) The incentive of a manufacturer to release quality specifications is next to non-existent. In many cases, only the most determined OSS master-mind is capable of both understanding what are often meant as 'internal use only' documents and actually creating a driver. While I have little doubt such people exist, there is only so much time, sweat, blood, and tears that many people are willing to give for results.
Note that I actively contribute to the open source community and use Linux on a regular basis. That said, I don't believe manufacturers are (entirely) to blame.
Parent
Where Open Source Works and where it doesn't (Score:5, Insightful)
This brings up an important point. There is plenty of incentive for someone to write a web server, a database manager, an OS kernel or thousands of other generic bits of software. There is almost NO incentive for someone to write a driver for an obsolete device. The former can be a source of consulting and employment. The latter can actually work against you.
I mean, if a hardware manufacturer finds out you like to write device drivers for obsolete hardware, they're not going to be pleased. All those people keeping their old printers will prevent the manufacturer from profiting by making new ones. And if you really get creative by making the hardware do all sorts of new tricks it never did before, they're probably going to look for some excuse to get rid of you.
They want to sell new product, not keep the old stuff going. I know it's wrong to say this, but that's how the world's economy is configured right now.
Parent
Re:The Achilles heel of this... (Score:4, Insightful)
Parent
Re:The Achilles heel of this... (Score:5, Insightful)
Parent
Re:The Achilles heel of this... (Score:5, Funny)
No no, he said it's "virtually 100% secure", in the same way that I'm virtually a demi-god dwarf thief who destroys his foes by injecting flaming marshmallows up their ass.
Parent
Re:The Achilles heel of this... (Score:4, Interesting)
even mass storage devices can be a pain these days in windows (u3 tools anyone?) and xp doesn't like multiple partitions on a usb stick (had to hack the drivers to make windows think it was a hard drive to be able to access the second partition, even though both partitions were fat32).
Parent
Re:...only if the BIOS chip is replaceable. (Score:5, Informative)
This idea of putting Linux itself into the BIOS is okay if and only if the chip containing the BIOS is replaceable. In other words, the chip should not be soldered to the board.
You're joking, right? Right????
Because if not, read this [wikipedia.org] then flagellate yourself 20 times with an RS232 cable.
Parent
Re:...only if the BIOS chip is replaceable. (Score:5, Insightful)
Parent
Re:Flash memory has a limited number of writes. (Score:4, Informative)
Even the absolute worst flash memory can be written hundreds of times without any issues.
At a reasonable update schedule of once a month, that would be no less than 10 years. You would almoste certainly be able to update once a week for 3-4 years. And this is worst case...I would be surprised if you would really even want to use the computer anymore (due to performance issues) by the time the flash wore out 15-20 years down the road.
Parent
Re:Flash memory has a limited number of writes. (Score:5, Insightful)
... but an unlimited number of morons !!!
Parent
Re:...only if the BIOS chip is replaceable. (Score:5, Funny)
Parent
Re:Hardware (Score:5, Informative)
Parent
Re:GPL'd code available only by request? (Score:4, Informative)
Yup, that's all the GPL says they have to do.
In fact, providing a web form is being generous.. they could accept requests only by dead tree.
Parent