OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot

An anonymous reader writes "OpenBSD founder Theo de Raadt has slammed Red Hat and Canonical for the way they have reacted to Microsoft's introduction of 'secure' boot along with Windows 8, describing both companies as wanting to be the new Microsoft."

A bit over the top

[jmorris42]

We have been hearing various people who should know better that "Redhat is the next MIcrosoft" and variations on that theme now for at least a decade. Guess Ubuntu should take it as a sign that they have 'made it' that the same is now being said of them.

Not saying I agree with either of their solution to the Kobayashi Maru (otherwise known as Secure Boot) problem, but calling them 'traitors' is a bit much. Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.

Re:A bit over the top

[Hatta]

Especially since I can't rightly say I have a better plan and neither does Mr. deRaadt.

The better plan is to sue Microsoft for abuse of their monopoly.

Re:A bit over the top

[jmorris42]

> The better plan is to sue Microsoft for abuse of their monopoly.

The old consent decree is long since expired. Good luck starting up a new round of lawsuits, Microsoft discovered lobbists after the last round so the DOJ isn't going to be bothering them again. So your plan is do nothing for years while a court case winds its way through the system and more then likely ends up going nowhere. Boy I'd love to take that plan to the stockholders meeting.

Re:A bit over the top

[AdamWill]

"Requiring other OS makers to buy a license from Microsoft is very clear evidence of using their monopoly power to stifle competition"

It certainly would be. The only problem is that they're not doing that at all.

The industry as a whole agreed to ratify the basic Secure Boot mechanism as part of the UEFI standard. Secure Boot as described in the UEFI standard does not say anything at all about who should sign code and issue keys and any of that stuff. All it does is say 'here is a mechanism called Secure Boot by which the system firmware can maintain a list of keys and refuse to run code which is not signed by one of those keys'.

So once that's in the UEFI standard, we have a world where there is this thing called Secure Boot which operating system developers and hardware vendors can *choose* to implement. Or not. The UEFI standard says nothing about whether it ought to be used, what keys ought to be included, or anything like that.

So Microsoft, as an operating system vendor, decides they want to use this Secure Boot thing. They're going to sign their operating system, and require vendors who want to pre-load that operating system on their systems to ship Microsoft's key. So that their operating system will run. This is what the Microsoft Windows 8 certification requirements for x86 state: you have to turn Secure Boot on by default and include our key.

What the certification requirements explicitly do _not_ state is this: 'you can't include any other keys'. They definitely don't say that. They just say 'you have to include Microsoft's key'. There's no restriction at all on shipping any number of other keys. Additionally, the certification requirements explicitly require that the user be able to enrol their own keys, and also disable Secure Boot if they so desire.

So...Microsoft's requirements for OEMs are that they enable Secure Boot by default (but allow it to be disabled) and ship Microsoft's key (but they can also happily ship any number of other keys, if they choose).

It's logically impossible to construe this as "Requiring other OS makers to buy a license from Microsoft". It doesn't do that, at all. Other OS makers can have their OS signed by themselves or anyone else they like, and ask hardware manufacturers to ship that key. Microsoft does nothing to prevent this. Or they can choose not to sign their OS at all, and ask users to disable Secure Boot. Microsoft does nothing to prevent this. Or they can _choose_ to have Microsoft sign their OS so it'll work without them needing to get any other key loaded into firmware; Microsoft didn't _have_ to provide public signing services, but they are doing so to avoid a PR shitstorm. If Microsoft really wanted to be evil, why would it provide public signing services at all? Wouldn't it be more effective just to say 'no, we won't do that'?

I find it highly unlikely that you could build a convincing case of monopoly abuse over Secure Boot for x86, when the actual facts of the matter are taken into account. They just don't support the accusation strongly enough. If Microsoft could be shown to be exerting pressure to prevent alternative signing groups from existing or getting their keys loaded onto hardware, then maybe...but AFAIK no-one has shown such.

(disclaimers: I am not a lawyer and this is not legal advice or a legal opinion. Furthermore, though I work for Red Hat, I am not directly involved in any RH evaluation of this issue, I am not involved in RH legal in any way, and this is entirely a personal opinion and not in any way representative of Red Hat. It is not Red Hat's official position on the issue of the legality or otherwise of Microsoft's actions. I specifically leave open the possibility that Red Hat as an entity might take a completely opposite view of the case.)

Re:A bit over the top

[jonwil]

Microsoft may have discovered lobbyists but their lobbyists didn't save them from EU rulings (Windows N with no media player, the "Browser Choice" screen etc). There is no reason to think the EU wouldn't be interested in investigating other abuses of monopoly power by Microsoft (including anything to do with secure boot)