Linux group complains to EU, says Microsoft actions are "absolutely anti-competitive"

Earlier this month, Microsoft found itself in hot water with the European Union, following a violation of its antitrust agreement there relating to its web browser ballot screen, dating back to 2009. The incident – which Microsoft acknowledged and apologised for – resulted in a fine amounting to $732m, the latest in a long line of penalties that the EU has imposed on the company; indeed, Microsoft has handed over $3.04bn in fines to the EU since 2004.

EU officials may well be rubbing their hands with glee once more, having received a new complaint against Microsoft alleging anti-competitive behaviour, this time from a Spanish association representing the Linux community.

How the EU probably sees Microsoft; if history has taught us anything.

As Reuters reports, Hispalinux – which has around 8,000 members – has filed a complaint with the European Commission against Microsoft, alleging that the company has imposed restrictions that make it unnecessarily difficult for users to boot Windows 8 computers to another operating system.

The complaint relates to the UEFI Secure Boot start-up feature, which Hispalinux refers to as an “obstruction mechanism” that impedes the ability of users to easily boot a PC sold with Windows 8 to an alternative OS such as Linux. According to Hispalinux, it establishes a “de facto technological jail for computer booting systems… making Microsoft’s Windows platform less neutral than ever”.

Microsoft saw this one coming a long time ago. In September 2011, when Windows 8 was still in pre-launch development, former Windows chief Steven Sinofsky and Tony Mangefeste, from the company’s Ecosystem team, sought to explain how Secure Boot was not intended to ‘lock out’ other operating systems, but was introduced as “part of [the] Windows 8 secured boot architecture”.


Graphic via 'Building Windows 8' blog, September 22, 2011

Mangefeste said at the time that “complete control over the PC continues to be available” to users, adding that “secure boot is a UEFI protocol, not a Windows 8 feature” and that “Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows”. He also said that “OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform”.

Hispalinux evidently disagrees. The head of the organisation, Jose Maria Lancho, told Reuters that Microsoft’s implementation of UEFI Secure Boot “is absolutely anti-competitive. It’s really bad for the user and for the European software industry.” 

Source: Reuters


86 Comments


Linux zealots making themselves look like whining idiots. Seriously, Microsoft have been incredibly open about this, made part of the spec to get their own accreditation logo the ability to turn off this feature, giving out free certs... And these zealots still cry foul.

Every year we hear "The year of Linux", and it would come a lot sooner if a small but vocal percentage didn't constantly play the underdog card! There's a lot of things that Microsoft can be held to task over, but this is not one of them.

But hey, let's see if we can squeeze the EU to impose more sanctions against MS because they are such an easy touch it's a joke. That will help us, right. That's competitive behavior - when it suits us, right?

wtf how is it Microsoft's fault for a UEFI standard? Microsoft demands that Windows 8 hardware must have secure boot activated and OEMs on x86 hardware must provide an option to turn it off and ARM hardware could not; it's up to the OEMs to give the access to the certificates for the OS (Windows, Red Hat, etc.) and provide a means to turn this feature off only on x86 hardware. If I want to install Linux on a Windows 8 computer with Secure Boot I can only install the distros that have a valid certificate or I disable Secure Boot and I can install whatever I want.

I thought all Windows 8 computers with UEFI are required to have an option in the bios allowing disabling of it? What's the problem?

Milton_Fine said,
I thought all Windows 8 computers with UEFI are required to have an option in the bios allowing disabling of it? What's the problem?

For an OEM to get the Windows certification, they need to include a way to disable secure boot.
So no problem at all

Why does this keep coming up?
It has been explained a million times already.
It's a UEFI feature, not a Windows 8 feature.
MS just bought a cert. Other OSes can do the same.

How is this anti competitive at all?
Anybody care to explain?

Actually, they don't - they require it to be available on Windows 8 LOGO (OEM) systems - not both available and ENABLED (the ENABLED requirement is specific to WindowsRT and Android, and predates RT in fact). BYO has NO such requirement - even for motherboards shipping with UEFI. Does Windows 8 support non-UEFI systems? Of course it does - how else would upgrades even work? Is this a straw-man argument *yet again*?

Aww butt hurt Linux users. Next they'll be complaining that Microsoft is anti-competitive because it has more apps or that people just want to use Windows rather than the mess Linux is.

HSoft said
Aww butt hurt Linux users. Next they'll be complaining that Microsoft is anti-competitive because it has more apps or that people just want to use Windows rather than the mess Linux is.

Yea, that's what they do anyways, they just pretend they are complaining about something realish, like secure boot that can be disabled in one button click, or MS telling OEMs to include an IE icon on the desktop, because that makes a freakin difference to anything.

For one, installing Linux or using Linux is not an everyday computer user task... If you're going to install and use it you are most likely someone knowledgeable in computers and can easily not have issues with the UEFI. Also I thought Apple used UEFI? If so shouldn't Apple also be mentioned in the complaint? Or are Microsoft's actions limited because of their market share?

Apple uses their own interpretation of UEFI.
Also Apple isn't a monopoly in any market. Microsoft still completely owns the desktop market. And outside the USA the laptop market. (Apple isn't that popular on this side of the big pond).

If MS's actions are anti-competitive, then so are Apple's.... be fair to both of them, Apple uses a secure boot loader also

recursive said,
Apple sell the hardware. M$ don't.

How is that relevant I wonder. The licenses being discussed are OEM licenses. All consumers purchase these licenses from the OEM, the very same one that supplies the hardware. Microsoft does not even have a relationship with these customers. Microsoft requires OEMs to enable secure boot AND they require the OEMs to offer their consumers the ability to disable secure boot. It is pretty clear there is no case here.

recursive said,
Apple sell the hardware. M$ don't.

huh, that's funny last time I checked MS sold the Surface tablet that they designed.... imagine that MS sells hardware.... which is locked with secure boot also.... amazing....

neufuse said,

huh, that's funny last time I checked MS sold the Surface tablet that they designed.... imagine that MS sells hardware.... which is locked with secure boot also.... amazing....


This isn't about tablets. Besides that's a Windows RT specification to lock down the system entirely. And if the Linux evangelists go after MS for Windows RT.... Mozilla and Google already tried, doubt a few random fanboys can do better.

recursive said,
Here's hoping the EU fine M$ into bankruptcy.

Nah, the way things are going, MS could probably buy the EU for pocket change

Let's hope the EU does not fall for this one, and imposes a fine on the Spanish Linux brothers. In fact, it is time Linux steps into the year 2012 and supports secure boot, which is a UEFI standard and increases security. Witnessed by the large number of webservers running Linux being pwnd right left and center, any security measure is certainly not a luxury for Linux..


So, if a hobbyist assembles their own PC, selecting a motherboard that supports UEFI and secure boot, will their Linux distro require a cert?

AFAIK, when you purchase a retail system with a Microsoft OS preinstalled, there is an agreement with both the OEM and Microsoft about the integrity of the system. Modifications to the system, including adding dual boot features is a breach of that agreement by the Customer.

Personally the thought of a hardware platform secured by design sounds a lot more appealing than whether or not I can dual boot into a Linux distro.


I echo, how is this a Microsoft issue?

deadonthefloor said,
So, if a hobbyist assembles their own PC, selecting a motherboard that supports UEFI and secure boot, will their Linux distro require a cert?

Only if you want Secure Boot to remain enabled. Secure Boot, a UEFI feature, requires a signed cert. So all the installed OSes need to support the feature with a signed cert, or you simply turn it off.

Such a non-issue.

Unnecessarily difficult to boot into Linux? That is the most ridiculous statement I have ever heard. Even the most retarded users know how to put a DVD into a DVD-ROM and install an OS. If you don't like Windows, install Linux. What does Microsoft have to do with this? I thought they were saying Linux users are more clever. I tell you what? If you don't know how to boot into Linux then better stick with Windows because it's much more user friendly

Except Secure Boot is not a Microsoft feature, it's a UEFI standard. If you want to install Linux, simply turn it off. Not really a problem.

Microsoft promised:
-Signed applications are more secure.
-Signed drivers are more secure and stable.

And now, Microsoft is promising the signed boot is more secure.

Silly question: how is it more secure? AFAIK, it only protects against boot sector viruses and other non-authorized OSes. However, boot sector viruses have not been a real threat for a decade (because most BIOSes have the option to protect the boot sector).

Brony said,
Microsoft promised:
-Signed applications are more secure.
-Signed drivers are more secure and stable.

And now, Microsoft is promising the signed boot is more secure.

Silly question: how is it more secure? AFAIK, it only protects against boot sector viruses and other non-authorized OSes. However, boot sector viruses have not been a real threat for a decade (because most BIOSes have the option to protect the boot sector).

Malware is getting more sophisticated as time goes on, there are some that hook into the boot sector and install root kits before Windows and AVs load, so they can hide from AVs. Because of the modular tinker toy like nature of many malware, it's only a matter of time until many more malware use this technique. Nipping this in the bud, is a good idea. And for once, the industry addresses it before it's affecting hundreds of millions of users, which is also good.
Disabling UEFI is very simple, the complaints about MS 'forcing' (with no details how they would legally do this or get away with it) UEFI Secure boot so poor liddle Linux can't boot on all 10 of its users' machines, is poorly designed FUD, the real goal of these people is to have less security, because they know that will affect MS more than Linux. And when people switch to Linux and have the same issues eventually, the Linux community will do what it always does; tell them 'stfu noob'.

Old behavior: Viruses are unable to write or modify the boot sector.
New behaviour: Viruses are able to write the boot sector. However, the computer will be unable to start because the boot sector was modified.

:-/

Brony said,
Old behavior: Viruses are unable to write or modify the boot sector.
New behaviour: Viruses are able to write the boot sector. However, the computer will be unable to start because the boot sector was modified.

:-/


How is it possible that the old behavior was that the boot sector couldn't be written to, yet it was possible to install an OS ever? You are a complete idiot.

Secure Boot also protects write-able roms (in the GPU, HDs, SSDs, network cards, etc.) and the BIOS itself by verifying these items load signed code only. There are some theoretical (and maybe real world) attacks that utilize these to keep the machine infected through an OS re-install. Particularly nasty for noobs. And Secure Boot protects OS files that load early. Basically everything that loads, ROMs, MBR, Boot Sector, System files, AV (using Windows 8 early launch Anti-Malware) are protected from tampering, so the user is assured the system is root kit free, from my understanding.

NoPanShabuShabu said,

How is it possible that the old behavior was that the boot sector couldn't be written to, yet it was possible to install an OS ever? You are a complete idiot.

Silly, silly, you can disable it when you are installing the system. In fact, it is explained in the FAQ of installation of almost every OS since the 90's.

J_R_G said,
Secure Boot also protects write-able roms (in the GPU, HDs, SSDs, network cards, etc.) and the BIOS itself by verifying these items load signed code only. There are some theoretical (and maybe real world) attacks that utilize these to keep the machine infected through an OS re-install. Particularly nasty for noobs. And Secure Boot protects OS files that load early. Basically everything that loads, ROMs, MBR, Boot Sector, System files, AV (using Windows 8 early launch Anti-Malware) are protected from tampering, so the user is assured the system is root kit free, from my understanding.

In theory it is true. However, most of the time, it is hardware specific so the propagation of it is close to zero. For the boot sector (in fact, for the partition), there existed a virus for Windows 95/98 but it was patched a decade ago.

And for rootkits, Microsoft is fooling us. Rootkits could be easily patched. For example, for the "invisible registry", Microsoft could have patched the Windows API that writes to the registry so that it does not allow writing "invisible values", or Microsoft could have patched regedit to allow viewing "invisible values".

Brony said,

Silly, silly, you can disable it when you are installing the system. In fact, it is explained in the FAQ of installation of almost every OS since the 90's.

In theory it is true. However, most of the time, it is hardware specific so the propagation of it is close to zero. For the boot sector (in fact, for the partition), there existed a virus for Windows 95/98 but it was patched a decade ago.

And for rootkits, Microsoft is fooling us. Rootkits could be easily patched. For example, for the "invisible registry", Microsoft could have patched the Windows API that writes to the registry so that it does not allow writing "invisible values", or Microsoft could have patched regedit to allow viewing "invisible values".


You seriously think you can outsmart the security folks that do the programming on Windows?
Don't you think they already looked into those things?
And a lot of applications, often business/corporation ones, use the API wrong and often use things they shouldn't and still do. MS changing this is breaking their love for backwards compatibility I'm sure.

So let me understand this.

Windows 8 devices (the ones with the Windows 8 logo) have Secure Boot enabled.

To install Linux, you just add one more step to your own list of things to do: disable Secure Boot.

And that's it, yeah?

So what's the fuss about?

Microsoft uses a UEFI feature. Wow.

If your Linux distro is so poor it can't take advantage of a UEFI feature (one that can be turned off anyway) then it's the fault of the Linux distro.

There is no fuss. This is some local distro who can't gain traction. Other, bigger, distros have no problems, they might not like it fully but they are working on it. Also one thing that people get wrong is that they think Microsoft is dealing with the keys, no they are not, it's Verisign who is dealing with them.

testman said,
So let me understand this.

Windows 8 devices (the ones with the Windows 8 logo) have Secure Boot enabled.

To install Linux, you just add one more step to your own list of things to do: disable Secure Boot.

And that's it, yeah?

Yes but for how long. And, what will happen if some OEM (by "mistake") forgets to add the option to disable the security boot?

Brony said,

Yes but for how long. And, what will happen if some OEM (by "mistake") forgets to add the option to disable the security boot?

And how is that Microsoft's fault? UEFI Secure Boot is a UEFI standard!

It's sad because most people don't understand Secure Boot is just a feature of the UEFI set, it's not something Microsoft made up - they're just utilizing a security mechanism in hardware (and *anyone* can get a certificate, just like Microsoft, so that their OS will boot securely):
http://en.wikipedia.org/wiki/U...mware_Interface#Secure_boot

Even major Linux distributions have signed on and will have (if they don't already) releases that work with SecureBoot. Anyone still crying foul over this has an agenda (and it isn't making sure end user machines are secure, which is of course the irony).

So why are people blaming Microsoft? It's not even their tech, but they're using it?

Do Ford get railed on for delivering your car locked but with a key to you? A key that you use to unlock it to let others use the car?

Do credit card companies get railed on for delivering a credit card to you locked with a PIN? A PIN that you could give to your loved ones so they can also use the card?

No?

So what's the problem here?

It's not about money, it's about being able to compete fairly. Microsoft wasn't fined by the EU for the abusive practices it used to promote Internet Explorer - it was fined because it refused to comply with a legally binding agreement it entered into with the EC. If Microsoft had complied it would have escaped a fine altogether.

Microsoft has been found guilty of anti-competitive business practices in many territories - including the US, EU, South Korea, Israel and more. There is no doubt that Microsoft has abused its market position to unfairly and illegally disadvantage the competition.

theyarecomingforyou said,
It's not about money, it's about being able to compete fairly. Microsoft wasn't fined by the EU for the abusive practices it used to promote Internet Explorer - it was fined because it refused to comply with a legally binding agreement it entered into with the EC. If Microsoft had complied it would have escaped a fine altogether.

Microsoft has been found guilty of anti-competitive business practices in many territories - including the US, EU, South Korea, Israel and more. There is no doubt that Microsoft has abused its market position to unfairly and illegally disadvantage the competition.

Certainly, although good legal practices would dictate that the term "once a thief, always a thief" is a big no-no. In fact, the EU is wrong when it comes to the browser ballot, where it imposed a silly measure on Microsoft, yet did not impose the same measure on Apple, that had a de facto Monopoly in the tablet space about two years ago, yet that company wasn't forced to provide a browser ballot, in fact, that company is allowed to dictate which third party software is allowed on their systems, and to this day does not allow a third party to release a different browser engine on IOS.

The case of the Spanish Linux brothers is too ludicrous to even discuss, and they should get a slap on the wrist for wasting EU taxpayers' money.

sjaak327 said,
In fact, the EU is wrong when it comes to the browser ballot, where it imposed a silly measure on Microsoft, yet did not impose the same measure on Apple

You don't understand the purpose of the BCS. It was a temporary punitive measure to address the anti-competitive business practices Microsoft used to increase and maintain its market share - the BCS was issued in lieu of a fine. It was effectively a slap on the wrist. It was actually quite a lenient punishment.

theyarecomingforyou said,

You don't understand the purpose of the BCS. It was a temporary punitive measure to address the anti-competitive business practices Microsoft used to increase and maintain its market share - the BCS was issued in lieu of a fine. It was effectively a slap on the wrist. It was actually quite a lenient punishment.

As far as I know, MS was also fined for the IE matter. That of course does not explain away the double standards that are being applied by the folks in Brussels. One would have to assume that the EU should know a thing or two about equal justice.

One thing is for sure, they are not doing the citizens of the EU any favours, as such fines always end up in the price of the goods.

By the way, poor Microsoft is still selling the N sku, you know the version of Windows without WMP, I actually wonder if they actually sold any.


sjaak327 said,
One thing is for sure, they are not doing the citizens of the EU any favours, as such fines always end up in the price of the goods.

And allowing businesses to go unpunished for engaging in anti-competitive, anti-consumer practices is better how exactly?

If Microsoft increases its prices then consumers will move to competing products and services, providing that there is adequate competition (which is the point of such measures by the EC).

theyarecomingforyou said,

And allowing businesses to go unpunished for engaging in anti-competitive, anti-consumer practices is better how exactly?

If Microsoft increases its prices then consumers will move to competing products and services, providing that there is adequate competition (which is the point of such measures by the EC).

How is supplying a browser into an operating system being anti competitive and anti consumer. You could argue that supplying no browser would be anti consumer. The fact is that ALL competitors are doing the exact same thing and some (Apple in IOS, Google in Chrome OS) take it one step further and do not allow third party browsers with their own engines. In light of these facts, it is clear that the EU has it wrong here and it is the EU that is being anti competitive as they do punish some companies for doing exactly the same as all other competitors are doing. To deny this to one party, and allow it for all others is THE definition of being anti competitive.

sjaak327 said,
How is supplying a browser into an operating system being anti competitive and anti consumer.

It isn't. The issue was that Microsoft abused its dominant position in the market place, as outlined in the SoO the EC sent to Microsoft: http://europa.eu/rapid/press-r...MEMO-09-15_en.htm?locale=en

Microsoft made Internet Explorer the default browser without giving the user any option to change or remove it and without informing them that there were other ways to access the internet - many users thought it was the only way to access the internet. The bundling of Internet Explorer was found to have "hindered innovation in the market and created artificial incentives for software developers and content providers to design their products or web sites primarily for Internet Explorer". Microsoft also applied pressure on OEMs in order to stop them installing competing browsers, which is obviously anti-competitive.

In response Microsoft entered into a legally binding agreement with the EC to provide the BCS (Browser Choice Screen) for a period of five years: http://europa.eu/rapid/press-r...IP-09-1941_en.htm?locale=en

theyarecomingforyou said,

It isn't. The issue was that Microsoft abused its dominant position in the market place, as outlined in the SoO the EC sent to Microsoft: http://europa.eu/rapid/press-r...MEMO-09-15_en.htm?locale=en

Microsoft made Internet Explorer the default browser without giving the user any option to change or remove it and without informing them that there were other ways to access the internet - many users thought it was the only way to access the internet. The bundling of Internet Explorer was found to have "hindered innovation in the market and created artificial incentives for software developers and content providers to design their products or web sites primarily for Internet Explorer". Microsoft also applied pressure on OEMs in order to stop them installing competing browsers, which is obviously anti-competitive.

In response Microsoft entered into a legally binding agreement with the EC to provide the BCS (Browser Choice Screen) for a period of five years: http://europa.eu/rapid/press-r...IP-09-1941_en.htm?locale=en

Two years ago I got an iPad, at the time Apple's market share in the tablet space was equal or at least quite close to the market share Microsoft enjoys in the Desktop market.

Yet on IOS, Safari is the default browser, there is no option to remove it, or to select another default browser (which would be utterly useless, as Apple dictates that any third party browser has to use Safari's rendering engine) and it didn't inform me that there were other ways to access the internet on the iPad (you can't make this stuff up !!!).

This indeed has led to many mobile sites being developed for the webkit engine primarily (leaving trident and gecko among others in the cold as they don't employ some of webkit's non standard custom extensions).

Yet Apple has not even received as much as a slap on the wrist.

As said, the EU has made a complete fool out of itself and has demonstrated that Fair competition and equal justice is not on their agenda, even though they claim it is.

This is ridiculous. Don't these idiots know you can simply turn off Secure Boot? Anti-competitive my ass. This is why we can't have nice things. A good new security feature is introduced and just because users have to flip a switch to load up another OS, people get all riled up about it. It just goes to show how ignorant so many users are.

First of all, it was the Linux community complaining that Windows wasn't secure, Microsoft did something on that, and it's not good, again. Besides, if someone buys a PC, they pay for Windows, not for another OS... I can't install (easy) Linux on a Mac either...

I guess because you buy the wrong computer. You should go and buy the one with Linux OS.

recursive said,
Right, because the one I already have came free with the copy of Windows..

Can someone name a SINGLE OEM that has enabled Secure Boot in UEFI by default? (Anywhere - and especially in Spain.) Support for Secure Boot isn't even a requirement - let alone it being mandatory with Windows 8. I think Hispalinux has been drinking the Haterade.

PGHammer said,
Can someone name a SINGLE OEM that has enabled Secure Boot in UEFI by default? (Anywhere - and especially in Spain.) Support for Secure Boot isn't even a requirement - let alone it being mandatory with Windows 8. I think Hispalinux has been drinking the Haterade.

Lenovo did on my T530.

PGHammer said,
Can someone name a SINGLE OEM that has enabled Secure Boot in UEFI by default? (Anywhere - and especially in Spain.) Support for Secure Boot isn't even a requirement - let alone it being mandatory with Windows 8. I think Hispalinux has been drinking the Haterade.

Secureboot is a Windows 8 logo requirement but so is the other requirement for user accessible way to turn it off.

BajiRav said,

but so is the other requirement for user accessible way to turn it off.

but the other less mentioned is:
MS wants the hardware Vendor to manage the secure boot key, and NOT the hardware Owner.

Therefore it's up to the hardware Owner to determine which OS their hardware can run; that was the suggestion found in the white paper issued by Linux folk.
But Microsoft seems to disagree, as MS only wants the hardware Vendor or OEM to be able to change the Keys. Why?

Probably because MS has deals with OEMs so new computers can only be shipped with Microsoft's OS and not another OS.

I wish they would stop with this. Anyone who is installing this chances are they are building their system. And then they act as if you can't run Linux in a VM. If anything it's more competitive because the Pro version comes with Hyper-V which allows you to run other OSes.

Gotenks98 said,
I wish they would stop with this. Anyone who is installing this chances are they are building their system.

So how can one build his own notebook?

Gotenks98 said,

And then they act as if you can't run Linux in a VM.

Why should they have to use a VM, when they don't want or need Windows?

Holy crap! Not this again.
The bloody secure boot thing can be disabled in the BIOS OR they can just request a cert so that it can be built into Linux.
Bloody whiners.

Tyler R. said,
We want Linux AND secure boot at the same time. Why can't people understand this?

What?
OR they can just request a cert so that it can be built into Linux.

He said that, Microsoft provided certs for all the major Linux distros and other distros could simply request one (not sure MS still hands the certs out for free though).

Microsoft has been everything BUT anti-competitive in this matter, yet you evangelists still make it look like Microsoft is the evil ******. And sure they are plenty of times, but not in this case.

Tyler R. said,
We want Linux AND secure boot at the same time. Why can't people understand this?

Then Linux users/devs can get a cert, just like Microsoft have done for Windows.

Really simple.

testman said,
Then Linux users/devs can get a cert, just like Microsoft have done for Windows.

Really simple.


Better yet, Microsoft took care of the costs of these certs and provided them FREE OF CHARGE to all major distros and not sure if they still can, but other distros could request a cert free of charge as well.

Tyler R. said,
We want Linux AND secure boot at the same time. Why can't people understand this?


I understand, so in that case it isn't Microsoft that should be blamed, as Microsoft does not develop, release and maintain any of the GNU/Linux distros and it does not release the kernel either.

Tyler R. said,
We want Linux AND secure boot at the same time. Why can't people understand this?

If you want secure boot, and I honestly don't know why- you always boast about there being no serious malware for it, get some bloody free secure boot keys. I honestly can't believe you are complaining about this when you NEVER had it before. There was no difference between Windows 7 and Windows 8 with this, only that OEMs have implemented secure boot and also a mandatory disabling function.

Shadowzz said,
these certs and provided them FREE OF CHARGE to all

free certs would just defeat the alleged 'secure-ness',
I claim that I am an OS developer; when I got those certs, I could simply 'leak' 'em to malware makers, and voila, secure-boot is now useless.

Torolol said,

free certs would just defeat the alleged 'secure-ness',
I claim that I am an OS developer; when I got those certs, I could simply 'leak' 'em to malware makers, and voila, secure-boot is now useless.

They are free of charge to distros with a few minimum requirements (having a userbase and such).
Not every random dude can request a certificate and get it.