As is said in church...
Let us pray.
A Spanish open source software users' association has filed an antitrust complaint against Microsoft with the European Commission, claiming that the company's implementation of UEFI Secure Boot stifles competition. Hispalinux, an 8,000-member organization that advocates for and facilitates Linux use in Spain, filed the …
Let us pray.
The "implementation of UEFI Secure Boot" may have been an attempt, by Microsoft, to stifle competition, but it's just so damned difficult to stifle Linux. Pray as much as you like, however, and I hope Hispalinux does not invest any money in this rather unnecessary effort.
They really don't get it.
If I had a house with a top of the range burglar alarm system, I wouldn't expect to have to remove it because certain visitors didn't like it. I also wouldn't expect to have to disable it at the control panel every time I had a new visitor. Linux needs to get it's act together to leverage what is a very useful security gateway.
This isn't a Microsoft issue at all. What Microsoft have done is for the potential benefit of all of us. Well, except maybe VXers and Malware writers.
"If I had a house with a top of the range burglar alarm system,"
And that's where your argument falls apart. "Secure Boot" only provides security in name. It doesn't solve any existing problem. Virtually no malware goes through the boot process today. It used to be a problem way back in the age of Parity Boot B. Today it is much easier to exploit Flash or Java holes. Tomorrow people might exploit bugs in UEFI, but once you are able to change the boot process, you are already root and can do anything you like on that system.
It's about proving who created something.
Some Linux repositories have signed packages, if the idea was so flawed they wouldn't do that would they? same with checksums for official releases of Apache etc.
". Virtually no malware goes through the boot process today. " - You were convincing up until you just demonstrated you have zero knowledge about the subject. A number of recent Windows root kits corrupt the boot process and the signed driver model.
Actually, Secure Boot is a useful thing ... *when it is user-manageable*. The MS way of doing Secure Boot is locking the stupid thing with an MS provided master key, so only MS signed stuff will work. A truly secure system would have me being able to add my own master keys, or those from Fedora, Ubuntu, whatever.
Most if not all PKI systems have this ability, so should all "Secure Boot" systems have it.
Seems really unfounded....up to the manufacturer how they want to provide secure boot ( could support any number of keys ) and is completely allowable to be able to turn off secure boot. Microsoft is just saying that it must be turned on for a default windows 8 installed system. Which is logical. Its up to the user then if they want to turn it off and be exposed to any associated risks.
All of our new cars will come with aldulterated gasoline detection systems. The 'oil company approved' gasoline has chemical tags in it, and the cars won't start or run if the sensors detect 'unsafe' fuel. I can turn that off, with the proper key from the manufacturer ... but they strongly advise against it. It will void the warranty and expose me as a reckless consumer. Oh, dear! Should I complain to the car makers, or the monopolistic oil company that forced this up0n us? But I do feel SO much safer ... !
Sort of, but MS designed Windows 8 (and the Recovery images made from a Win8 install) to not work with UEFI turned off after the fact. So, yes you can turn off UEFI in most new computers and install Linux, however, most of the time you will have to turn it back on to run Windows again. Yes, you can blow away all your GPT partitions (if you have the tools and know why you need to) and re-install Windows 8 (you'll have no disc and no physical key most of the time though) and then Linux, but be prepared to lose any factory recovery partitions (which also don't work if they were made with UEFI switched on when they were created (ala Sony)).
So yes, you can turn off UEFI, but it is not really just a matter of toggling a setting.
@MacGyver - Windows 8's boot security wouldn't be very effective if it did allow itself to be installed in a secureboot environment and then boot if secureboot was turned off, would it?
Besides, you can install, off the top of my head, Red Hat, Fedora, CentOS and Ubuntu with secureboot, so what's the problem?
@AC, I'm not sure why not? If a virus or something is able to flip settings in your NVRAM to turn on/off the secure state without you knowing (your proposal), then what would stop it from (in the future after someone is able to create their own keys, and this all becomes just another bother for legitimate users) injecting keys that match the boot changes it could make?
All I'm saying is that if a human is turning it off, then why wouldn't they at least allow that human the choice. We're not talking full drive encryption here, it would be trivial to allow the user to just run the recovery disk and move the install in legacy mode, but they have locked out that possible outlet (artificially I'm guessing).
The issue is that Hispalinux doesn't have keys, not those mainstream ones you listed. Hell from what I remember even Linus thinks that begging Microsoft for keys is wrong.
The potential problem is that Microsoft owns the key used to sign the shim/bootloader for other OSes and can, should it have a mind to, revoke that key.
Let's suppose that once booted, the Linux installation you have just added in doesn't force driver signing. That means that it could be possible for the Windows installation to be manipulated to run unsecure components despite still having secure boot enabled. Microsoft could decide that this is a security risk they won't accept and go into the procedure for notifying the Linux bootloader writers that they are giving notice of revocation unless the vulnerability is fixed.
Now, since Linus, among others, is pretty unhappy with some proposals to put extra stuff into the kernel to reduce or remove this attack method, it could end up that it isn't possible to fix the problem in a way that Microsoft can accept.
At that point, people with SB enabled UEFI dual boot Win8/Linux systems are no longer able to boot their Linux installations because Windows has updated the valid keys in the UEFI storage and the shim bootloader no longer has a valid signature.
I'm not saying that this will happen, but since the Linux community is beholden to MS/Verisign for the key(s) it needs then it could happen.
@MacGyver - The whole point of secure boot is to stop end users installing software or modifying the system to allow it to run malware. If you can get round this by entering a presumably non-password protected UEFI and switching off secureboot, I would wager quite a lot of money that it won't be long before there is malware that instructs users to do this. And it will work.
As for the keys - the UEFI spec requires and Microsoft require that you are able to add non-MS keys. The reason that MS have been signing bootloaders for some of the distros is that the distributers don't want to go to verisign directly (or whoever) in order to buy keys.
Given the size of Linux and the community, surely they can create a rival platform to x86 with UEFI?
I think you seriously underestimate the amount of work, inter company co-operation, money and time that is required to design and build a system.
Linux would be, frankly, fucked if you needed special hardware to run it on. The strength of linux is that it's a free, open source operating system which can run on commodity hardware. Who would seriously go out and buy a proprietary computer in order to run linux?
"but MS designed Windows 8 (and the Recovery images made from a Win8 install) to not work with UEFI turned off after the fact"
Complete rubbish. Windows 8 still boots with secure boot disabled. You also clearly don't understand the different between secure boot and UEFI.
"Windows 8's boot security wouldn't be very effective if it did allow itself to be installed in a secureboot environment and then boot if secureboot was turned off, would it?"
Why wouldn't it? It's up to the user to decide if they want that level of protection or not. It doesn't make it any less secure if the user does decide to use Secure Boot. It is Microsoft that insist that it can be disabled by the user for a PC to be Windows 8 certified, so that the user has the choice.
"since the Linux community is beholden to MS/Verisign for the key(s) it needs then it could happen." - the Linux community has had many months to sort out alternative arrangements - and has declined to do so.
"Given the size of Linux and the community" - well presumably 1% market share isn't enough as it hasn't happened.
"The Free Software Foundation, which has lobbied OEMs to turn off the system by default and has urged consumers to boycott Windows 8 PCs."
Seems to me that Microsoft are doing a fine enough job of keeping People off of Windows 8 themselves, and don't need any further endorsements from the FSF spousing the same.
"Regarding UEFI, MS could easily have cooperated with 3rrd parties to make "secure boot" a mutually agreeable system, but they did not. You need a key from Microsoft now to install an OS on a commodity PC."
Absolute bullshit Eadon, UEFI is a partnership with AMD, Intel, Apple, Dell, HP, IBM Lenovo, Microsoft and many others involved - so yeah, Microsoft "have cooperated with 3rrd parties to make "secure boot" a mutually agreeable system"
And no one has to go to Microsoft to create a key, you can create your own and upload it into UEFI. It's only if you want to leverage Microsoft signing, then yeah, you'll have to deal with Microsoft - makes sense to the logical mind.
"Regarding UEFI, MS could easily have cooperated with 3rrd parties to make "secure boot" a mutually agreeable system, but they did not. You need a key from Microsoft now to install an OS on a commodity PC."
Erm, but UEFI isn't a Microsoft only created standard. Lots of other companies have buy-in and approved this including AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, and Phoenix Technologies. And Microsoft HAVE created other 'mutually agreeable' options including offering to sign Linux keys, if Linux manufacturers can't get their shit together and agree a key signing solution to take to the OEMs...Which some Linux manufacturers have leveraged.
You missed canonical and Red Hat off that list. If only they were vendors of an OS relevant to the discussion...
...and it grew out of the Intel designed EFI "standard", which was handed over to the UEFI group for their further development.
So, if there is anyone to sue here.........
No court in its right mind could blame MS for this one. Bringing a court case based solely on the mindless witterings of flaming 'tards on the internet only serves to move cash from your wallet to your lawyers'.
"You missed canonical and Red Hat off that list. If only they were vendors of an OS relevant to the discussion..."
Ah, I guess that's why last week I installed Ubuntu 12.04 64-bit from a USB stick onto a Windows 8 computer without having to go into the BIOS even so much as to change the boot order, let alone switch off "secure boot".
(It didn't understand what the Windows partitions were, but I wanted to wipe them anyway.)
Yes, I also have a *buntu box which is running with secure boot on, I didn't even realise until I had to enter the uEFI for something unrelated.
EFI is on all Intel Macs, I had no problem at all installing a Linux OS on my Macbook.
To be fair, Intel Macs don't yet have uEFI, so no secureboot, but I suspect you'll have absolutely no trouble installing Linux after they go uEFI either way. That said, I strongly suspect Apple will sign their own bootloaders, so you will be relying upon them to let you switch it off or enter your own keys, I strongly suspect they will though.
Yes they would. It's not the UEFI per se that is the issue. The issue is Microsoft's monopoly position in the desktop computer market, and their leveraging that to further increase barriers to entry into the market.
"...it appears that the OEMs can decide to give the end users the option to disable the UEFI secure boot..."
Exactly. OEMS *can decide* to give the users the option. Not "The OEMs have to give the end users the options". So, how many OEMs do you think will want to make their UEFI more complex by adding such an option if they don't have to?
"Exactly. OEMS *can decide* to give the users the option. Not "The OEMs have to give the end users the options". So, how many OEMs do you think will want to make their UEFI more complex by adding such an option if they don't have to?"
No, it's actually a REQUIREMENT for Microsoft Windows 8 certification that you can disable Secure Boot.
"No, it's actually a REQUIREMENT for Microsoft Windows 8 certification that you can disable Secure Boot."
Actually, it's a REQUIREMENT for Windows on ARM certification that you *CAN'T* disable Secure Boot. On PCs, they hastily added "user should be able to disable Secure Boot" after word got out of the Linux-disabling feature, and even then that was because MS knows they can't pull that off on x86 hardware without getting antitrust lawsuits in their face.
Nope, Win8 certification always required "Secure Boot must be switchable" even in the early discussions.
Win/RT != Win8 just as iOS != MacOS
If Linux advocates spent one tenth of the hours that they spend whinging about Microsoft on forums actually coding, not only would we have seen the year of the Linux desktop, we may have reached the Technological Singularity.
Alas rather than trawl open source code for bugs and stuff, having a whinge about Microsoft and Apple is what counts as a meaningful contribution these days.
I'll summarize the extensive discussions that have taken place before as follows.
A) Secure boot has to be enabled by default for Windows 8 certification
B) Secure boot must be able to be switched off on all x86 devices for Windows 8 certification
C) The UEFI firmware specification is a collaborative effort that includes all the major PC manufacturers
Its almost as if Microsoft knew what would be fired at them with that when they specified point b. In basic terms thought there are so many other, better, things to lambast Microsoft for (their incompetent implementation of the browser choice screen, the car crash that is/was Metro). That's where penguinistas should be firing their volleys... Not this
P.s. Based on recommendations from here I am diving back into Linux this weekend after a long absence with Mint and cinnamon, yes, my Easter weekend looks like that
What is it with Linux users? Does their moaning never stop.
It's because they know Linux apps run better on FreeBSD than they do on Linux. They simply can't live it down.
@Eadon - You're in luck then, you have two options:
1) Enter your own key into the UEFI
2) Switch off secure boot.
If you're not technical enough to do that and feel that you have to make out "it's a conspiracy", you should probably stop accusing others of not being technical enough to frequent these forums.
Nobody is saying you need to ask permission to "install whatever we like on computers without having to ask permission from the manufacturer".
The manufacturer provides an option to turn off Secure Boot. If you can't manage to change your own BIOS you probably shouldn't be installing whatever you like!
Switch off secure boot.
1) This might not be possible at times despite MS' requirement.
2) the way to do it varies from OEM to OEM without any documentation you can access when buying a machine
say, with Acer, yo have to set up a bios/efi password to make it work, Asus has another option to turn off.
3) the real reasons are to complicate the process of trying and installing other than MS operating systems
if you're not technical enough...
I knew it, if you're not technical enough, shut up and eat what the highly benevolent , extremely technical Microsoft and have cooked for you, simply relax and enjoy it!
1) It's highly recommended by the EFI manufacturers that companies commissioning software from them allow it to be turned off. If they don't, don't buy their hardware, ever. I can hardly see this coming up though.
2) Big deal, lots of things vary from manufacturer to manufacturer, if their documentation isn't online, don't buy their hardware, ever.
3) The real reasons are not a conspiracy, secureboot wasn't MS' idea, it is simply to stop bootloaders being compromised.
I don't think that MS are some sort of benevolent organisation, just that the conspiracy whinging about secureboot is so very tedious. Also, if you don't think they're technical why is there a computer on your desk? Seriously, if you think it would be there without MS, guess again.
Under normal circumstances the UEFI would be a conspiracy. The problem that MS is occupying approx 90% of the PC market using some non-transparent means, like non-disclosure agreements with OEMs, that are supposed to be independent entities. Those non-disclosure for the public addenda might contain something that could be qualified as an abuse of the monopoly.
Another sign is a constant evolution of the Microsoft Windows EULA. With XP it was possible to get a refund for an unwanted copy, later on it became pretty hard due the increased OEM's reluctance to cooperate. The EULA as an agreement has finally gone extinct and became an ultimatum. One cannot decline it anymore, there is no simply an option for it.
Also, if you don't think they're technical why is there a computer on your desk?
O, right, I remember that a computer with a binary logic was invented by the microsoftie John von Neumann. If it wasn't for Microsoft, life wouldn't be possible on this planet, I am sure.
What I know for sure is that if it wasn't for Microsoft, IT industry would be a lot more efficient and competent than what it is today.
The few GPL only apps worth using run better on EVERY OS, even more so on Windows. After all a Lada runs smother on a german autobahn than on a russian mudtrail as well
Neither IBM nor (initially - may have changed after the loan) Apple nor Acorn nor SUN had OEM deals with MS. They all had the in-house hardware and software. And two of them where "big players" offering the whole range of systems (IBM, Sun), had a good name and good contacts in the industrie while Acorn was a household name in GB and had mighty fine hardware in it's Archie.
None of them made it on the desktop market. None of them attracted companies to writing software for their systems (and fine systems they had) that would get a large part of the market. And they all started before MS became THE player, they all where on the market when the market was still deciding and some long dead players where there as well (Commodore Amiga, Atari ST/TT, Sinclairs QL...)
The success of MS is based on the failure of the others and nothing else. MS knew how to create a market, knew what business wanted and was willing to land in Normandy with a M4A1 Sherman instead of waiting for the Panther-F or E50. THAT is why 90+ percent of the desktops run MS.
Stuff like Atari and Commodore dropping the ball on their UNIX boxes (TT/X was never sold, Commodore refused Suns offer) when the schools/universities where interested in those units (And Commodore a well respected school supplier in germany). And damned they where fine maschines back then (got to stress test a "showroom" TT/X at the Atari fair - sturdy and SVID compatible)
IBM not getting software houses to write for OS/2 AND initially restricting it to their own PS/2 boxes. Smart idea! Really smart! Software companies, even more so in the early 90s when the market was a LOT smaller, go for the biggest platform, MUST go for that platform
Apple not developing the MacOS for almost a decade until OS/X finally came along made it a niche product considered "dying" by many. MS actually had to help them financially!
Linux kernel devs having an attitude that makes it hard to develop kernel drivers for your hardware. And (as the ATI drivers show) not having the manpower to do it themselves. Other Unix systems provide long term stable API/ABI for drivers so worst case you adapt them once every 5-10 years not yearly and they run. Without the kernel screaming stuff like "tainted" or some FOSS-Fanatics talking about banning your work. Making Linux hardware difficult to order, making big suppliers reluctant to offer, making them less likely to show up in the big chains and the offices
And so on... MS isn't the greatest company. But like the M4 Sherman it is easy to get, it is easily fixable and it does the job reliably and steadily. While the others (Panter(1)) look good on paper but end up with burned out engines and broken steering breaks
(1) Okay, Linux is obviously a T34/76 - crude work from a communist system
Without MS - the world
re is my experience of UEFI. Let me know If you would find this something you would be happy about.
I use linux to repair malfunctioning windows machines. I boot them via network PXE boot and then work on them with Windows essentially offline.
The new UEFI standard means on HP laptops I have to.
1. Find the magic key get into the bios
2. Diable secureboot and be told that this will likely make my system inoperable
3. Activate legacy boot options and enable
4. Enter a random generated pin to get the secureboot options off.
5. Reboot and press magic key #2 to get the legacy boot options to work at all, otherwise it boots stright into windows
6. Go and choose the network to boot from, even knowing I set it to be the defult boot option within the bios
7. Allow the machine to boot
(from this point if I want network boot I must repeat steps 5,6,7)
vs before UEFI
1. Find the magic key to get into the bios
2. Set the default boot device to be network,
3. often enable PXE rom in the bios
(From this point boot OS is determined via dhcp options)
Now if to boot windows you had to
1. Go and set an option that tells you that it will destroy your computer
2. Enter a code to show that you really want to destroy your computer
then for each time you boot
3. press a key that is not normally displayed
4. Actually select that you wanted to boot windows not (linux ICK!)
Would you be happy?
Would you send the bloody stupid thing back cause its not fit for purpose?
Now as a consumer you cannot buy an alternative, because a behemoth company, used financial inducements to influence what you can buy.
Is the average lay person going to try a live CD when they are told that this will destroy their PC? This goes a little beyond a choice of browser. Unfortunately this is probably better describe as an anti competitive cartel. Action needs to be brought against the manufacturers. Otherwise Microsoft will just say it was up to the manufacturers if they wanted discounts for adopting a standard.
If MS loose a few billion. Nothing will change. If the manufacturers do, as well.....
Things will really change.
> The success of MS is based on the failure of the others and nothing else.
I suggest you go and learn some industry history.
Yes, there were some reasons that weren't to do with MS, but you forget that at one time MS was just one of many options. They did "fairly well" but but didn't gain their stranglehold on the industry before they employed downright illegal tactics to lock out other players. They *DID* break the law, they were convicted of doing so.
Take OS/2 for example. It was a bit ahead of it's time in that it needed more resources than were typically available, but it was technically well ahead of MS. It may well have remained a competitor if MS hadn't (effectively) made Windows free to the end user.
At the time, OS/2 cost money, but a user would struggle to buy a PC without Windows pre-installed - or at least to save any money by doing so. Thus the competition changed from being "Windows @ $x vs OS/2 @ $y", to "Windows free vs OS/2 @ $Y" for most purchasers. Yes, some technically savvy users till bought OS/2, but the market was significantly distorted against OS/2 - smaller sales figures, smaller installed base, hence less interest from developers, and it all goes round in a vicious circle.
All this was done by effectively strong arming PC manufacturers. The deal was simple, you buy a "white label" licence for DOS and Windows for *EVERY* PC you sell, or you don't get to buy it at anything like the price your competitors are paying. Thus every manufacturer (if they wanted to be competitive) had to pay MS for Windows even if they shipped a PC with OS/2. This is not supposition - MS were found guilty.
Same with Internet Explorer. Netscape was doing "OK" until Microsoft gave IE away for free. It's hard to compete with free if you don't have a source of income to cross subsidise the product with - with MS, they just included it in the price of Windows. Again, MS were eventually found guilty (both in the USA and Europe), but not before they'd screwed the market (and internet standards) to such an extent that we've still not fully recovered year later.
And in between they did dirty tricks to exclude non-Windows servers from their networks, and once Windows servers were in, to exclude non-Windows clients from Windows server networks. They were found guilty for that as well, see the settlement where they were forced to hand over interoperability data to (for example) the Samba dev teams.
In short, MS got where they are now by dirty tricks. In the early days they did indeed have some good stuff and innovation. But they got greedy, and just like Standard Oil and IBM before them, resorted to criminal activity to distort the market in their favour.
You are partly right. The "Unix wars" really didn't help. Had the differing factions co-operated a bit then they'd probably have held on to a decent slice of the market - but instead they were too busy fighting over slices of the pie to realise that they would be better off sharing and building a bigger pie.
And so on.
But the key thing is that MS still had to fight by "being better" until they managed to illegally distort the market.
But this latest secure boot malarkey is another example of them being "disingenious". Yes, it is true that third parties can get a bootloader signed. Yes it's true that the user can turn off secure boot. Yes it's true that you can load extra keys.
But, to the "average man in the street", they get their computer - and to boot "this funny other OS that their mate recommends" have to go through some steps, at least one of which will be labelled in terms which to a non-technical user mean "do you really want to f*ck up your computer ?" - then that will definitely put a lot of people off trying Linux. Even though several distros have (from reading the comments) gone down this route - it's meant that everyone else has had to jump through hoops to pander to MSs wishes.
Coming next - at some point they'll silently drop the requirement to allow other OSs or non-secure boot. This current shambles is but the thin edge of the wedge - once it's in and accepted, they just have to tap it in a bit at a time.