Slashdot Mirror
Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
ToriaUru writes "Fedora is going to pay Microsoft to let them distribute a PC operating system. Microsoft is about to move from effectively owning the PC hardware platform to literally owning it. Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux. Technically Fedora didn't have to go down this path. But, as this article explains, they are between a rock and a hard place: if they didn't pay Microsoft to let them onto the PC platform, they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?" Note that the author says this is likely, but that the entire plan is not yet "set in stone."
How can this be legal and not an abuse of their monopoly power?
Aside from the fact you can turn it off ( for now ) it still sounds like a clear case of abuse to me and someone should be talking to an attorney about this.
---- Booth was a patriot ----
...is about the only thing that might turn me into an Apple user.
I literally flew off my chair, steam coming out of my ears, when I read this!
"Flyin' in just a sweet place,
Never been known to fail..."
RTFA. Then comment.
... how the FUCK this passes the slightest hint of anti-trust scrutiny?
I don't understand how Microsoft is as fault here. Isn't it the hardware manufacturers that are locking out everyone but Microsoft? Shouldn't the hw people be the ones to make the platform open?
You have to do it MS's way or they won't let you sell hardware with Windows on it. MS controls the certificates used in the secure UEFI boot process. You either do it MS's way or you do it your own way ... without any MS products to pre-install.
MS is probably strongarming them.
I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems that quite a number of large institutions like Universities will refuse to buy from them. I am not 100% sure because there are a lot of unis with microsoft-centric IT departments. Institutions with hard sciences depend quite heavily on different flavors of Unix and Linux to get work done.
Anyway... this is a disgrace and it's bound to blow up in quite a number of people's faces.
Red Hat is willing to pay to be licensed to be able to run on the new hardware. They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
This has nothing to do with PCs. Nothing. Not one thing.
This is all in reference to UEFI on ARM tablets that Microsoft has partnered up with OEMs to produce to their specs SPECIFICALLY FOR: Windows 8.
Nothing has changed here, nearly all ARM systems are locked down today by OEMs.
Do any of you expect Microsoft to produce one that isn't (zune: locked down xbox: locked down)?
Wait - Is this article saying they paid a whole $99 bucks to get their bootloader signed?
Microsoft doesn't have the right to "license" hard ware. It's not their hardware, it's not even their design.
This is Microsoft forcing vendors in the corner with their O.S. once again. This is non-competitive behavior once again.
If they have such a great O.S. there is no need for locking out others. It's weak and it's sick.
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
I was at 2 major industry tech conferences last month.
In every keynote and all-hands session, Apple hardware was center and present. Nothing special was made of this - just every damn computer used to demo solutions or held by a GM, VP or C-Level was a MacBook. Desktops were non-existant. Every time an iPad could be used, it was. There were a couple of minor Android appearances - demonstrating multi-platform support, or what not.
There were a few odds: The HP guys had their own gear, and the IBMers had Lenovos. Some brilliant man from SAP was sadly dragging a 'book of non-descript, perhaps Dell sourced, black plastic...
Overwhelmingly, if you wanted to look like you knew why-the-fuck you ought to be on stage, in front of 8,000 people, you went Mac.
"Flyin' in just a sweet place,
Never been known to fail..."
What the sensationalist headline and summary forgot to mention is that RedHat is paying a whopping $99 to Microsoft.
What is more worrisome and more headline worthy is that Microsoft has now become the de facto gatekeeper of your computer BIOS. Without their signature you operating system will not run.
/greger
You are correct, but MS is using its dominance to control hardware vendors. A 'licensed' secure boot certificate - licensed from MS - is what will allow Fedora to boot using the secure UEFI boot mechanism.
Red Hat Linux started on x86; it was never "only available for the DEC Alpha" (it didn't get ported to Alpha for several years).
They are doing this so that Fedora can be installed without end users having to disable Secure Boot in their UEFI firmware settings. If you want to disable Secure Boot, Fedora will run equally well. Fedora is also going to have signing tools, so you put your own key in the firmware and then sign your own loader and kernel (giving you more control, not less). If you switch to another distribution or OS that doesn't have a signed boot-loader, you'll also have to disable Secure Boot.
This "feature" exists because malware that affects the boot loader and kernel is a real and growing problem, and there isn't really any other technical means to block it. Setting up an independent CA to sign keys for loaders and then trying to get vendors to include the CA key would be highly expensive and would still result in Fedora having a key that you don't have. As long as Microsoft will sign things cheap, it is much better to go that route (if they were to stop signing, then this would obviously change).
The alternative is to tell users that want to run Fedora to not buy hardware that has the Secure Boot functionality, but that is going to become scarce once Windows 8 ships. Here in the real world, I'd like to continue running Fedora on new hardware.
I'm just wondering why Fedora doesn't include a small boot ISO that starts up, presents a simple menu, and takes the pain of unlocking the UEFI chip out of the equation.
I agree perfectly that they shouldn't have to do that, but the tech is certainly there, and most folks are sufficiently apt enough to do it (see also jailbreaking phones, etc).
Quo usque tandem abutere, Nimbus, patientia nostra?
EU will have a field day with this in court. MS, of course, will be the ones having a bad day in court.
Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
So they must turn off secure booting in order to run another operating system. The DMCA implications aside, I'm not sure which is worse for the consumer: a 'secure boot' of Windows or a 'non-secure' boot of any other operating system?
I'm going to go ahead and guess the computer you are using now boots through BIOS. The non-secure UEFI is practically the same as BIOS (doesn't require a signed boot loader). We dealt with it for a couple decades now, it can't be that bad.
Entry no. 3, in between all the banks, content owners, universities and trail lawyers.
Maw! Fire up the karma burner!
Why can't I just be in control of my own damn property without being at the mercy of manufacturers?
There's plenty of fault to go around. MS is strong-arming the HW guys and the hw guys aren't even demanding lube. Meanwhile, the DOJ should be standing in the corner twirling a pair of handcuffs rather than sucking at Ballmer's ass.
I boot through EFI, which isn't this new fangled 'secure' UEFI ... and yes, it's secure enough. My comment was targeted at the marketing mindset that MS will be pushing to try to convince non-Windows users that without MS's blessing your OS is no longer 'secure'.
So they must turn off secure booting in order to run another operating system.
From TFA:
While Microsoft have modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys
If they know what they're doing they're ok. Fedora is doing this for the rest of their users.
I'd blame the drama over this just on the article, but the summary's definitely got some FUD to it as well. For x86 systems, all you need to do is turn off the feature. And that's if you insist on running unsigned software - it's not like there isn't an open and inexpensive process to get signed.
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
G'uhgh.... once again geeks confusing a technical capability with a real-world practicality. Turning off secure boot sounds bad and raises the barrier to entry for non-Microsoft OS'es. It also complicates the newbie install experience, which is something that Ubuntu, Debian, and many others have worked for years to simplify. And now they are using their monopoly position to extort tribute from a competitor.
-1, Too Many Layers Of Abstraction
Non-secure is the same as what we have now, but it isn't all that great.
I'd love to be able to tell my computer to only boot an OS that I assign, so that I know that it can't get corrupted by viruses/etc. I could boot from a signed rescue disk if something goes wrong.
The problem is that the standard won't give the consumer choice over which OSes are trusted. The choices will be MS, or no secure boot at all.
They are going out of their way so you can run Fedora on the new hardware. And you want to ditch them because of it? Remind me never to buy you a beer.
They went out of their way to avoid exploiting Red Hat's privileged position with OEMS to gain an advantage over other Linux distros:
We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.
Implementing UEFI Secure Boot in Fedora
I think the whole point of UEFI security to to prevent software from doing just that. You HAVE to go into the BIOS (or the UEFI environment, more technically) to make changes like that.
Yes.
How is "controlling a system and getting money in exchange for licenses" not literally owning?
Up to now, their figurative owning is an "effective" ownership, as in "there are effectively no competitors in this space." However, should you know what you're doing, you could get something else with little effort. With this change, they are actually getting paid for compettitors to be allowed into their space. That is de facto, or literal, ownership.
What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
Someone call Digikey and order 600 million transistors!
rather than sucking at Ballmer's ass.
I'm not sure I can tell which end that is anymore...
sarcasm-on
You dam geeks with wires really think your pc is your property? pc manufactures build it, we write the software. All you do is pay for it. That makes it more ours than yours. You geeks simply can't be trusted to do things in ways that ensure our profits, so we will do it for you.
now shut up and go back to playing with your wires... Leave the big decisions to us..
sarcasm-off
But why? StrongARM processors are SOOO last decade. Besides, Windows 8 for ARM probably won't run on anything earlier than ARMv7 architecture.
Interesting then that Microsoft provide a way for others to sign their software... which is what Fedora is doing.
Exactly - by paying Microsoft for that right. Isn't that what this whole thread has been about?
They probably have no real choice; if they locked out everyone else they would essentially be monopolizing the PC market and I don't think they want to go through that court circus again.
Pain is merely failure leaving the body
Yes, if you pay enough you can get a key. Microsoft is following in Apple's evil footstep by requiring developer registration and, I assume software distribution only through valid Microsoft channels. Do you like any software that you didn't pay for? Well, you'd better find a substitute. Microsoft is tired of FOSS and legacy software cutting into their profits.
Support SETI@home
This is nonsense, the editorial on this article is gibberish.
First, secure boot is a legitimate concern. If you can guarantee a specific boot loader, you have a trust base to build a more secure system.
Second, you can install any OS you want. Just turn off secure boot, it's perfectly valid to do so. Just understand that now your boot foundations are untrusted, just like they are now on almost all PCs.
And what kind of person is going to install Fedora but can't be bothered how to boot into their BIOS and click "Yes, allow me to install other operating systems [X]"? Generally you can even install your keys, just like you can with SSL certs that you might trust.
Finally, Microsoft is doing Fedora a _favor_ here. Fedora is, as actual author indicated, totally free to get their own keys added. Microsoft isn't the problem here, but as usual the breathless, bloviating editorial text tries to make them out to be.
I wish I could believe that. The EU is distracted with other things right now.
Support SETI@home
On the other hand, the Common Joe (that can't handle messing with the UEFI) shouldn't install anything in his computer at first place.
The problem here is that the average knowledge level of the computer users are dropping meteor style: fast and speculatively. This kind of user should not be expected to be able to install a Operating System - not mention trying to install a O.S. on hostile environment (i.e., a Windows computer - I don't have to mention all the little artificial problems MS caused in the past and still causes nowadays - my Win7 box committed suicide last time I installed Linux).
You can't expect to dumb down everything.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
According to TFA, the money actually goes to Verisign, not Microsoft.
You have to do it MS's way or they won't let you sell hardware with Windows on it.
OEM's can sell Windows 8 without secure boot. They can't put the sticker on the box that says "Windows 8 certified" without secure boot.
The amount doesn't matter. If someone wouldn't let you into your car unless you paid them a dollar, it would be the same thing as if they forced you to pay 99 dollars. It's still immoral to lock someone out of something they own. It's also still immoral to lock out one particular brand of gasoline.
Actually (if you read the article) M$ does not get any of that $99. The fee goes to Verisoft. Microsoft is acting as the gatekeeper for the signup process.
Now I will be VERY pissed if I buy a new motherboard to build my own computer and it won't boot Linux unless I have to buy a key for $99. In such a case I would return the MB as being defective. I hope Asus and other MB makers will give me a choice of bios options when I buy a new MB.
I'd get right on that, but I'm too busy with this Gibson that needs hacking...
My sig can beat up your sig.
The UEFI spec (which Microsoft has a HUGE hand in writing these days) explicitly denies the ability to automatically install keys. They could have made it possible to do so, say by requiring it happen from read-only media, but they didn't.
It's left vague enough that it's virtually guaranteed to be an enormous pain in the ass to enable secure boot for any platform not explicitly blessed by Microsoft.
This exactly is my concern. Why? ARM brings a lot to the table, so if MS can lock ARM devices to being Windows only, they will have gained immensely:
1: ARM based servers are being worked on. For tasks like DNS, DHCP, and other fairly static items, they are hard to beat. In general, ARM CPUs use significantly less power than x86, so the amount of MIPS per watt can be a game changer, especially when businesses are under constant attack about having eco-friendly data centers.
2: ARM based desktops for businesses will be a useful market. Because of the non-x86 architecture, games and "unauthorized" software won't work. However, Office and Outlook will. This will be a major boon for low level IT desktop support. I can see this selling like hotcakes in the enterprise because it keeps support costs down, guarantees a Windows foothold, and helps ensure that only authorized stuff will run. A new architecture means that virus and malware writers are sent to the drawing board as well.
I'm sorry but its FUD. The simple fact is all X86 machines are required to allow bypassing secure boot which is as simple as flipping a single setting in BIOS, that's it, that's all. No harder than telling a PC to choose CD as first boot (which one is gonna have to do to install an OS anyway) so this is just FUD. Are they SERIOUSLY saying Fedora users wouldn't have enough common sense to flip a single switch in UEFI? Really? because i find that pretty much impossible to believe. This IS Fedora we are talking about here, an OS so bleeding edge its CDs have stigmata and not the kind of thing Joe Dumbass would be trying for shits and giggles. They even admit in the very first paragraph that ALL X86 are required to allow the simple bypass of secure boot!
So I'm sorry but FUD is FUD and this is FUD. there is no way in hell someone that is intelligent enough to 1.-Know what Fedora is, 2.-Knows how to download and burn an ISO will be 3.-Too stupid to push Del at boot and choose "Turn off Secure Boot" which is only being turned on by default because rootkits are still a serious problem. Isn't it the Linux community that is always bitching about windows security? why aren't you cheering that they are doing something about it?
Surely to God the geeks here are seriously fucking dumb enough to believe that a person who would know what Linux is and download and burn an ISO would be too fucking retarded to flip a setting in UEFI, surely not. Hell if they are THAT fucking stupid how would they be expected to even run Linux? Especially a bleeding edge alpha distro like Fedora where being able to do forum lookups and Google their way past problems and do bug reports is the order of the day? There is simply no way in hell to have a user smart enough to do that but too retarded to flip a switch, no fucking way. Its FUD, pure and simple FUD.
ACs don't waste your time replying, your posts are never seen by me.
Microsoft is tired of FOSS and legacy software cutting into their profits.
The last I heard, FOSS users (I'm one) are a mere blip compared to the installed base of commercial offerings. They're not forgoing much by us not coming over to the dark side. I'd say MS ought to be a lot more resentful of the vast number of NT, XP and Vista users who've so far refused to upgrade.
Please, don't add to the FUD. There's enough of it out there already. I think UEFI stinks and I'm sorry Fedora thinks they need to accomodate it, but as long as I can turn it off as easily as going into the BIOS, I'll be satisfied.
On the other hand, if UEFI can do something to make up for all the horrible things MS's lousy security model have enabled over the years (malware, botnets, ...), it could be a good thing.
"Tongue tied and twisted, just an Earth bound misfit
So I'm sorry but FUD is FUD and this is FUD
No, this is a classic slippery slope. In the UEFI version that supports Windows 9, only secure boot is supported. You can't turn it off, but you can still enter a key manually when installing an Untrusted Non-Microsoft OS (UNMOS). The key is 256 characters long, and looks like a ROT13-encoded Perl script.
The version that supports Windows 10 also supports secure boot only, and still requires key entry. This time, though, UNMOSes are now called IOSes (Insecure Operating Systems.) They will run under a Microsoft-supplied hypervisor that includes mandatory hardware packet filtering.
And wait'll you see the third-party OS support strategy for PCs approved for Windows 11, code-named "Overton." The plan for Overton is that third-party OSes called PDOSes, or Potentially Defective Operating Systems, can still be run, but not on your local hardware. They will run only on cloud-hosted secure platforms over VNC.
All of this will happen because someone noticed that people will cheerfully bend over and accept restrictions in each generation that would not have been tolerated in the previous one. Evidence of this claim? Look at the history of Trusted Computing. Starting with the innocent-sounding idea of TPMs with unique CPU ID stamps, which were fought heroically by users until the next season of American Idol came on and everybody kinda forgot about it, the people behind the curtain have gotten everything they wanted over time. All they had to do was demand a little more "compromise" than they could get at any one stage of development.
In short, everything old is new again. We are all IBM customers now.
I can see that there will be a flurry of unencumbered Free/Open Source BIOS/firware software being developed.
Perhaps for large corporate deployments, the manufacturer could be persuaded to to the BIOS configuration for you, or be paid to install something like OpenBIOS?
If I'd been 10 years younger I'd have been all indignant and worried, but these things have a habit of sorting themselves out.
Stick Men
Erm...except it does. Try reading the article, not the badly misleading summary. SecureBoot allows the user to add new keys as trusted keys. It will be perfectly possible to generate your own key, add it to your UEFI firmware, sign your OS bootloader with that key, and ditch the Microsoft key, if you don't want to boot Windows. pjones is in fact already working on tools to help you do this.
Oh, of course, but having to enable/disable secure boot (which Windows won't boot without) each time you switch OS's (on a dual-boot setup) is going to be a royal PAIN IN THE ASS. Also note that less-technical distros (arch, debian, Mint, and probably even Ubuntu) will be affected by this.
because this does nothing to improve windows security. the purpose is to be a barrier to entry (installation) for non-microsoft operating systems. it doesn't have to be 100% effective, it just has to make it more difficult for non-experts to try out linux (or freebsd or whatever) or to use special-purpose linux-based boot CDs like clonezilla or gparted.
Also, there's no guarantee at all that disabling will be "as simple as flipping a single setting in BIOS". on some machines, it might be. on others, it won't.
Except TFA says it's a one-off $99 fee. And the money goes to Verisign, not even Microsoft. How is your crazy ranting rated +4 Insightful?
Congratulations, you are now a 'grown up'.
Sigh.
All we're saying is that it was considered a Pretty Good Thing when the mainframe era was brought down by the PC. Now, people like you are standing around cheering while the monster reassembles itself.
People older than you remember the way IBM dominated both the hardware and software sectors for many years. They held their customers hostage in every sense but the literal one. They used every technical and legal tool available to suppress third-party innovation. Eventually, people like Ross Perot, Jobs and Wozniak, and finally Bill Gates barged into the room and threw their proverbial hammers at the screen.
Fast forward to 2012. Steve Ballmer is pulling underhanded, abusive shit that would have earned him a fistbump from T. J. Watson. The rebels who once sponsored the '1984' commercial are now working feverishly to put the pieces of the telescreen back together... only this time, they're using Gorilla Glass.
Some of us are old enough to understand that this is not how things were supposed to go. If you're not so old or wise, that's fine... but by calling people who disagree with you "children," your post only shows your own lack of awareness and conscience.
And as I replied o another poster AMD has decided to go with Coreboot and has been using it since brazos so there is NO slippery slop here. if you don't like the Wintel UEFI you can buy AMD and use Coreboot which supports the 4 freedoms so if it doesn't do what you want you can simply download the source and reflash the chip.
I SERIOUSLY doubt MSFT is gonna risk another antitrust by blocking AMD systems from running Win 9, don't you? So this is simply a case of voting with your wallet, don't like UEFI and Secureboot? Buy AMD and go Coreboot. Its REALLY that simple. I've been building AMD exclusively for a couple of years now and I can tell you X86 is so overpowered that there isn't hardly any job a normal user can come up with that is gonna stress even a low end AMD dual and since they've opened their specs Linux users would be wise to support them anyway.
So no slope friend, just good old fashioned FUD, just not being cranked out by MSFT for once.
ACs don't waste your time replying, your posts are never seen by me.
No they're not. Symantec/Verisign is. Microsoft doesn't issue certificates, and this entire fucking article is flat out wrong.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
The key is 256 characters long, and looks like a ROT13-encoded Perl scrip
Oh, so it's just a regular sentence? That doesn't seem so bad...