Secure Boot complaint filed against Microsoft

[tiagosilva29]

Hispalinux[1], an 8,000 strong Spanish association of Linux users and developers, has filed a complaint with the Madrid office of the European Commission claiming, according to a Reuters[2] report, that Windows 8 contains an "obstruction mechanism" called UEFI Secure Boot. This mechanism, it says, controls the system boot up and means users must seek keys from Microsoft to install another operating system.

Hispalinux head, lawyer Jos? Maria Lancho, told the news agency that it was "absolutely anti-competitive" and a "de facto technological jail for computer booting systems". The complaint[3] says that although Microsoft says UEFI Secure Boot is a security measure, its implementation would not mean the end of malware and viruses.

The complaint comes just over three weeks after the EU Competition Chief Joaqu?n Almunia said, in a written answer[4] to parliamentary questions, that the "Commission is monitoring the implementation of the Microsoft Windows 8 security requirements. The Commission is however currently not in possession of evidence suggesting that the Windows 8 security requirements would result in practices in violation of EU competition rules".

UEFI Secure Boot is a mechanism that was added to the UEFI firmware and uses keys registered in firmware to check a digital signature on any operating system's bootloader and kernel to ensure that they have not been tampered with. The idea is to avoid situations where malware modifies the operating system or boot process itself as part of its camouflage mechanisms. Microsoft requires that machines sold with Windows 8 pre-installed are configured to use this mechanism to validate the operating system. This means that machines with Windows 8 have Microsoft's key registered in the firmware and, with no other operating system vendor offering a similar key, it is the only key that comes on most of these machines.

Booting another operating system on these machines would, therefore, mean disabling secure boot, adding a key for validation of the other operating system to the firmware, or getting the bootloader for the operating system signed by Microsoft. The first two options are paths that Microsoft requires vendors implement on x86-based systems, although there are no common or standard ways of implementing the features.

Therefore, Linux vendors such as Red Hat, SUSE and Canonical, and the Linux Foundation all looked at approaches where a bootloader or pre-bootloader was signed by Microsoft and would go on to load Linux once booted and verified. This would, the vendors believed, give users an easier way to install Linux on any arbitrary Windows 8 pre-installed PC system.

These solutions require Microsoft to sign the bootloader and have reinforced the Free Software Foundation's objections[5] to what it has dubbed "Restricted Boot". The Hispalinux complaint appears to follow the FSF's reasoning and seems to request a simple way for consumers to disable or override Secure Boot. But, as the Commissioner notes: "In particular, on the basis of the information currently available to the Commission it appears that the OEMs are required to give end users the option to disable the UEFI secure boot". It may be that this case will hinge on whether the Commission continues to feel that this is sufficient.

URL of this Article:

http://www.h-online.com/open/news/item/Secure-Boot-complaint-filed-against-Microsoft-1830714.html

Links in this Article:

[1] http://www.hispalinux.es/

[2] http://www.reuters.com/article/2013/03/26/us-microsoft-eu-idUSBRE92P0E120130326

[3] http://www.hispalinux.es/node/758

[4] http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2013-000162&language=EN

[5] http://www.h-online.com/news/item/FSF-warns-of-Windows-8-Secure-Boot-1363531.html

Couldn't find any forums search entries on this, so posting it here.

[MikeChipshop]

Actually posted on the front page... http://www.neowin.net/news/linux-group-complains-to-eu-says-microsoft-actions-are-absolutely-anti-competitive

[tiagosilva29]

That's why I couldn't find it. Thanks!

[Dot Matrix]

Holds no water.

[MikeChipshop]

That's why I couldn't find it. Thanks!

No problem, i just happened to be reading it at the same time!

[HawkMan]

For the supposed self proclaimed computer elite. Linux users keep coming off as inept computer illiterates....

[+LostCat]

For the supposed self proclaimed computer elite. Linux users keep coming off as inept computer illiterates....

Even the knowledgeable ones (Timothy Lottes for one example) seem to believe MS did it just to block competition. I'm really not sure what to think of these people.

[HawkMan]

Their whole argument is that secure boot isn't a silver bullet that stops all malware, but just one piece of a big system. But since every little piece of security is just that, why don't we remove all of them... Oh wait... Then you're unprotected. Every little brick helps.

[MDboyz]

While people are crying about how unsecure Windows OS, but then still cry when they try to implement something to make it more secure.

It is only unfair if they buy the computer without any OS, and still can't install Linux because of UEFI Secure Boot. However, the computer is sold as computer with pre-installed Windows OS.

Stop crying and buy a Linux computer instead.

[+LostCat]

Stop crying and buy a Linux computer instead.

It's kind of irrelevant when you can install Linux fine now.

Which is what I told people would happen. MS can't afford another huge run in with the DoJ and it's bloody unlikely they'd go out of their way to **** off the EU either.

[Detection]

Only a matter of time until the bootloader/UEFI is bypassed/hacked

The ASUS Transformers have ether SBK1 or SBK2 models, the SBK1 models key was leaked so we could use NVFlash to flash custom ROMs, SBK2 key was never leaked, but eventually the guys at XDA found a way around it and now both models can flash whatever OS/Recovery they want on them

[Eric]

Is there some reason that companies like RedHat and Canonical can't get a bootloader signed?

[chrisj1968]

Is there some reason that companies like RedHat and Canonical can't get a bootloader signed?

Probably because theoretically, They are knocking at the door and microsoft is behind the locked door giggling while Linux users scratch their heads.

[remixedcat]

linux zealouts or whatever you wanna call em are *SMACK* as wack

[Growled]

Is there some reason that companies like RedHat and Canonical can't get a bootloader signed?

I think most people who are upset are upset over the fact that Microsoft holds all the keys. Those keys should be held by a third party for all.

[nub]

I think most people who are upset are upset over the fact that Microsoft holds all the keys. Those keys should be held by a third party for all.

Fairly certain you can use secure boot without Microsoft at all. Fedora and some others opted to use the Microsoft key because it was easier.

[Stoffel]

I think most people who are upset are upset over the fact that Microsoft holds all the keys. Those keys should be held by a third party for all.

I don't think MS holds all the keys, I believe they are held by VeriSign.

Secure Boot is not a MS technology. They are just using it and I believe they also had to buy a key to use Secure Boot.

Other companies could also buy a key and use that in combination with Secure Boot.

[123456789A]

I think most people who are upset are upset over the fact that Microsoft holds all the keys. Those keys should be held by a third party for all.

We all know what happens when keys are given to Linux.

[remixedcat]

I think Verisign has the keys

[Mr. Gibs]

Is there some reason that companies like RedHat and Canonical can't get a bootloader signed?

I think RedHat already implemented it in Fedora.

It costs $99 from Verisign:

The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want), but it's cheaper than any realistic alternative would have been.

http://mjg59.dreamwidth.org/12368.html?style=light

Plus you can just disable secure boot, it isn't that hard and since you'll be installing a new OS chances are you already know how to.

Pathetic lawsuit to try and earn money, that's really all it is.

[+Red King]

Things like this is why no one likes Linux and Linux users.

[articuno1au]

I think you'll find a lot of us like Linux..

There's also a cross-party bootloader that's been signed. The idea being that it can load up any distro you want.

The complaint is pretty pants on head.. Especially given Microsoft submitted a patch Linux could use (which was ****, but they did it) and Linus Torvalds booted it out.

I think Linus made the right call on that one, but it does rather defeat the "anti-competitive" argument >.>

[redvamp128]

Things like this is why no one likes Linux and Linux users.

No this has nothing to do with LINUX not being good but Microsoft forcing Windows 8 on you....

I mean let me take Linux out of the equation for you.

Windows 8 runs like a snail or you just don't like it and you decide you want to buy and install Windows 7 instead

Whoops Not GOING TO ALLOW IT...

. you can't because the only OS your computer thinks is a Valid install is Windows 8.

And in some of the OEM's there is no bios option to remove or disable this check.

The easy way to edit this is allow the OEM's to have a bios that can be downloaded to allow people to turn it off.

What this boils down to is Allow the user the choice.

I mean what if people buy a PC with Windows 8 and decide they don't like it at all... and they want to install the following.

Windows 7

Linux

Hackintosh

But their computer won't allow them to do this.

This is as they are trying to show is the same option as Microsoft locking people into having IE installed by default.

-snip-

However, the computer is sold as computer with pre-installed Windows OS.

Stop crying and buy a Linux computer instead.

The other thing to look at is -- people say "BUY a Linux Computer" well that limits the choices and those choices are not very strong computers.

Other than -

https://www.system76.com

But still there are not a lot of options- They don't even offer any AMD chip-sets.

Some of these people don't mind paying for a computer with Windows but also like the CHOICE to have a dual boot as well.

I mean would you want a computer where you can't even choose which OS you want on it?

Side note-
And for my Wife that is a necessity to be able to boot to a USB key that has Suse for her work.  

The is what her company uses as it's business OS.

So for her it is that she get a computer that is not so new than?
[/CODE]

That is the complaint in an easy nutshell. Where they claimed to secure an OS but it has side effect and that is limiting the choices people can have with their computers.

[+LostCat]

That is the complaint in an easy nutshell. Where they claimed to secure an OS but it has side effect and that is limiting the choices people can have with their computers.

Every security solution has side effects. You don't like Secure Boot? TURN IT OFF. Then you can install whatever OS you like. Some claim some OEMs disable this, but I've never actually seen an example.

The difference between UEFI providing an option to secure your computer and MS locking down said computer should be fairly obvious. That some people don't see the distinction does no credit to their logic.

[redvamp128]

Every security solution has side effects. You don't like Secure Boot? TURN IT OFF. Then you can install whatever OS you like. Some claim some OEMs disable this, but I've never actually seen an example.

The difference between UEFI providing an option to secure your computer and MS locking down said computer should be fairly obvious. That some people don't see the distinction does no credit to their logic.

Acer- Emachine - Gateway to name a few... There is no option to disable it at all-- it is missing.

The logic is there but the point is -- locking out user choice.

I personally like to dual boot either with WUBI or a true Dual boot.

And such like my wife needs for her work the newer systems don't allow it. (namely SUSE her job uses)