Slashdot Mirror


Spanish Open Source Group Files Complaint Over Microsoft Use of UEFI Secure Boot

sl4shd0rk writes "Hispalinux, which represents Spanish Open Source developers and users, has filed a complaint against Microsoft with the European Commission. 14 pages of grief cited Windows 8 as an 'obstruction mechanism' calling UEFI Secure Boot a 'de facto technological jail for computer booting systems... making Microsoft's Windows platform less neutral than ever.' On March 6 of 2012 the Commission fined Microsoft 561 million Euros for failing to offer users a choice of web browser, and there was also a 2004 ruling which found the company had abused its market position by tying Windows Media Player to Windows itself. Relations appear to remain more tense towards Windows in Europe, so there may be some hope of making UEFI more Linux-friendly. UEFI has been implicated in the death of Samsung laptops running Linux."


  1. I hope they make the right decision.... by Anonymous Coward · · Score: 5, Insightful

    ... and that is, to keep secure boot around, but ban the practice of not allowing users to enter their own BIOS keys, or disable it in the BIOS.

    I like secure boot from a security perspective, and we actually use it to lock down some embedded Linux products I've worked on. As long as savvy users can disable/override/change keys, we get the best of both worlds.

    1. Re:I hope they make the right decision.... by aaaaaaargh! · · Score: 5, Insightful

      What is most important is that the user must perform the same steps for activating secure boot of an operating system regardless of which operating system is being installed. No extra fiddling in the UEFI for non-Microsoft operating systems and no dependence of other OS makers on Microsoft for anything in this process.

    2. Re:I hope they make the right decision.... by 0123456 · · Score: 4, Interesting

      As long as savvy users can disable/override/change keys, we get the best of both worlds.

      What about 'unsavvy' users, who can currently put a CD in their drive and install the OS, but in the glorious 'secure' future will have to fiddle in the BIOS instead, if the hardware even allows it?

    3. Re:I hope they make the right decision.... by Anonymous Coward · · Score: 5, Interesting

      Linux installation had gotten to the point that it is even easy for not so computer savvy people. In fact, installing Mint was a lot easier and trouble free than installing Windows. Until Windows 8 and UEFI. Yes, you can turn off secure boot, but it took knowing that it should be possible and much searching to find out how: The option was not (visible) unless you set a UEFI administrator password. Even with secure boot turned off, it did not boot from CDROM. It did boot from USB key, but did not read data from it, ...
      Of course much of this is laptop specific; this is precisely the problem. There is no easy generic recipe, and the not so savvy users are going to give up, and think this Linux thing is too difficult.
      It is not acceptable that one (monopoly) OS vendor has the keys to your hardware. Secure boot should at least be turned off or in setup mode by default, and it should be easy to install extra/your own keys.

    4. Re:I hope they make the right decision.... by vux984 · · Score: 2, Insightful

      That's just absurd. If I buy a computer with an operating system pre-installed then I expect any relevant UEFI configuration done when I get it.

      If I want to install something else, then disabling UEFI secure boot or installing appropriate keys for my alternate choice should be on me.

      And if I buy a boxed motherboard at retail, the selection of preinstalled keys should just be another differentiating factor between models and vendors. I am fully prepared for a real world where everything ships with the Microsoft bit already installed and that I need to do some extra work if I want something else.

      But the GP is right, I, the end user, should have the right to disable secure boot and/or install my own keys on any hardware I buy.

      And not just on computers, but also on tablets and phones, even consoles. But some of those battles are maybe for another day.

    5. Re:I hope they make the right decision.... by Teun · · Score: 3, Insightful

      So then, what is absurd?

      Of course a pre-installed computer should come with UEFI secure boot enabled.

      But it should not be a hindrance like we see now to later or right away install the OS of choice.
      Even when keys are a necessity they should still be available to the rightful owner of the hardware, not some outsider like Microsoft.
      You bought a computer with secure boot, disabling it is the wrong option.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    6. Re:I hope they make the right decision.... by vux984 · · Score: 2, Interesting

      Of course a pre-installed computer should come with UEFI secure boot enabled.

      Right. So if it comes pre-installed with Windows, then UEFI secure boot will be enabled and the signing key for Windows will be loaded.

      If I want to reinstall Windows, UEFI isn't going to interfere or be a factor at all.

      If I want to install any other operating system, then it's going to be extra effort, I'm going to have to load a signing key for the OS I want to install, and that means "extra fiddling".

      It is absurd to suggest otherwise.

      But it should not be a hindrance like we see now to later or right away install the OS of choice.

      There is no real hindrance now on x86 systems.

      Even when keys are a necessity they should still be available to the rightful owner of the hardware, not some outsider like Microsoft.

      Yes, the ability to go into UEFI and load whatever keys one likes absolutely should be the right of the rightful owner of the hardware.

      However Microsoft doesn't control the keys, so I don't know what you are talking about. The end user can load whatever keys they want on x86 hardware.

      The current mess is NOT because I can't avoid using microsoft's keys to use linux, or that there is a dependency on Microsoft.

      The current mess is because some Linuxes, as a convenience to their users, are signing their systems with Microsoft keys because those keys are already loaded, so users don't have to go through the trouble of loading a key. But that doesn't give MS control.

      You can even sign a distro with your own key, and load that key into UEFI. No dependency on Microsoft. No dependency even on the distro. But it's a bit more extra fiddling for you.

      You bought a computer with secure boot, disabling it is the wrong option.

      I agree, but in general the ability to boot random live CDs, something you compiled yourself from source, and what have you will be simpler if you can turn secure boot off rather than having to sign it and load the key first.

    7. Re:I hope they make the right decision.... by jhol13 · · Score: 3, Interesting

      There is NO security in "secure boot"

      1. What does it secure against? Viruses in (pre)bootloader, nothing else.
      2. How does it secure? By DoS (disabling the boot).

      1. Hugely better way would be the disk controller to disable writing to the first sector of any drive.
      2. That would prevent viruses from writing into the disk in the first place.

      This would work as follows: the (pre)bootloader would set an unclearable security bit in the disk controller which prevents writing to the sector 0. If the boot is from USB (or a key was pressed, etc.) then it would not set the bit, thus allowing OS installers to write the sector 0.

    8. Re:I hope they make the right decision.... by jhol13 · · Score: 4, Interesting

      The problem is that there is no advantage to anyone to have "secure boot".

      The "secure boot" does not prevent viruses from writing to the (pre)bootloader, it just notices if it has happened. Then the "notification" or "failure mode" is DoS, your computer won't boot. I'd rather boot with a virus than not boot.

      How about a better solution, something that *prevents* viruses from writing over the prebootloader? Something which will not brick your computer at an important meeting?

      Solution: There is an unclearable security bit in the disk controller which prevents writing to sector 0. The (pre)bootloader would set the bit in the boot, unless the boot is from USB (or a key was pressed), thus allowing OS installers to write the sector 0. All the advantages of "secure boot" and none of the disadvantages.

    9. Re:I hope they make the right decision.... by mathew7 · · Score: 2

      My experience comes from Lenovo with Win8 consumer preview.
      Used win7 (from Lenovo) and Debian, both through UEFI.
      Installed win8 CP over win7. 1st problem: I could no longer change the boot order. I could boot both OSes, but I could not boot Linux without boot menu.
      So I used the UEFI tool from Debian to change the order.....Debian booted by default...but win8 refused to boot.
      No option to disable secure boot.

      So my opinion, MS is to blame only for forcing secure-boot, leading to OEM delivering incomplete implementations.

    10. Re:I hope they make the right decision.... by mathew7 · · Score: 3, Informative

      That kind of virus protection was present in older BIOS implementations, while win9x/ME was still present. With Win2K/XP, no such protections work (for MBR booting) because other drivers are accessing the HW directly (and you cannot enforce on HW because that would prevent repartitioning).
      For UEFI-booting, the UEFI firmware has a complete path to a partition+file. There is no way to protect a single file with a compromised OS.

    11. Re:I hope they make the right decision.... by mabhatter654 · · Score: 2

      The issue is that they pulled a page out of the "Halloween Documents" in that the spec is "open" but OEMs only have to MATCH Microsoft's implementation as a minimum to boot Windows... There was never any "QA" to follow the other parts of the spec.... ... Oops! Imagine that happening?

      The goal is not to "lock out" everybody... But to make 5% of customers that want to use the feature have to beg and hassle manufacturers for every. single. model... Individual apathy at each manufacturer will keep it relatively locked down, or perpetually six months behind...

      Ironically, the EFI bios in Macs has few problems now booting most Linux Live CDs...

  2. Radical by Anonymous Coward · · Score: 3, Interesting

    I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit. If you want to make money you will actually need to produce good products, not create all these ugly "services" and lock-in mechanisms. The only purpose of them is to NOT have to innovate but make money anyway.

    1. Re:Radical by ackthpt · · Score: 4, Insightful

      I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit. If you want to make money you will actually need to produce good products, not create all these ugly "services" and lock-in mechanisms. The only purpose of them is to NOT have to innovate but make money anyway.

      The problem is Microsoft does make good products. They don't make great products, though. To prevent you from having freedom to choose and companies to offer better technology applications/plug-ins they still cling tenaciously to their strategy to lock you into their technology or kill competitors with bundling.

      Imagine only being able to buy the petrol for your automobile at specified stations, where the mixture won't result in a burned out engine. There were businesses once who considered or undertook such business models. (some still do, but not to that extent) Microsoft continues to flirt with this strategy -- once in their kingdom you can only get your water from their well.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Radical by whoever57 · · Score: 4, Insightful

      The problem is Microsoft does make good products. They don't make great products, though.

      I don't think that is accurate. For the most part, Microsoft makes products that are barely good enough, combined with the fact that Microsoft's monopoly position made it such that most buyers of computers were simply unaware of what was possible. For example, BSODs are rare now, but Microsoft was able to convince a generation of buyers that random BSODs were acceptable when competing products did not suffer the same problems.

      The fact is that we don't know how far the industry would have progressed without the illegal anti-trust violations which resulted in the suppression of competition.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Radical by girlintraining · · Score: 5, Insightful

      I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit.

      Many moons ago, now long-forgotten to most of the younger crowd that's moving into spaces like this, there was an informal ideology known as the hacker ethic. One of them, was that knowledge is power, and so it should be shared freely. The right to learn, and the duty to teach, went hand in hand in our community. It didn't matter what laws they passed telling us we couldn't speak, we couldn't teach, couldn't learn -- which is what intellectual property is fundamentally about. We did it anyway. And they called us criminals, they passed laws, they tried to delete us from the network we built, and loved, and replace it with paid shills, corporations, and tons and tons of advertising. And none of that gave a damn about learning, or teaching -- it was about consumption.

      And today, kids these days, they think that consuming their content, their pre-processed and devoid of flavor "knowledge", is what learning is today. And us, those who were here first... it's painful to watch. Sometimes so much so, we have to turn away from our hobbies for awhile, get up, go outside, because the saddest words ever said are "What might have been!" We failed you. The next generation. But we tried. Oh damn, we tried... We thought it would be enough. Nobody could control the internet!

      We never thought that every government in the world, even traditional enemies, would ally themselves with one goal: Destroy this new vessel of human freedom.

      We never thought it would become the tool of your oppression.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:Radical by symbolset · · Score: 3, Insightful

      Take a look at mobile for a clue how that would turn out. Without Microsoft's - and their partners' "leadership" the pace of progress has been... astounding.

      --
      Help stamp out iliturcy.
    5. Re:Radical by drkstr1 · · Score: 2

      My biggest complaint with Visual Studio is its lack of interoperability.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    6. Re:Radical by Arker · · Score: 2

      In lieu of that, then, I will ask: how often have you encountered a BSOD that wasn't caused by an incompetent third party, or some kind of hardware failure? Microsoft maintains an extremely complex operating system that provides decades of backwards compatibility (of note, a lot of their most idiotic design choices stem from this). Neither the Linux community nor Apple provide the same.

      First case - plenty of times. MS seems to have some issues with race conditions and has for many years. Most BSODs today do track back to the causes you mention - but certainly not all, and historically that was much less true. I have seen GPFs occur even for example under DOS where those explanations were impossible or ruled out. Both Linux and Apple maintain extremely complicated systems with backward compatibility for code from circa 1968, MS isn't even the same ballpark in terms of backwards compatibility.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  3. "Implicated" by girlintraining · · Score: 2

    "UEFI has been implicated in the death of Samsung laptops running Linux."

    Yes, it was seen shortly after the murder skipping down the road giggling, its hands covered in blood, counting the money Microsoft had given it to silence the rival gang members.

    --
    #fuckbeta #iamslashdot #dicemustdie
  4. Making UEFI more Linux friendly by volkerdi · · Score: 3, Insightful

    "so there may be some hope of making UEFI more Linux-friendly"

    The only hope is to make Linux distributions more UEFI friendly. UEFI and Secure Boot is certainly here to stay.

    1. Re:Making UEFI more Linux friendly by GigaplexNZ · · Score: 2

      I agree. Also, I'm tired of hearing the lock in complaint with secure boot - Microsoft requires x86 machines to be unlockable, only ARM is locked down. Where's their EU complaint regarding locked bootloaders for competing tablets?

    2. Re:Making UEFI more Linux friendly by Anonymous Coward · · Score: 2, Insightful

      'Secure Boot' is designed to prevent alternate OSs from running on that hardware. That's its fundamental purpose.

      The hardware has to be made more Linux-friendly, not the other way around.

    3. Re:Making UEFI more Linux friendly by Anonymous Coward · · Score: 2, Insightful

      I would LOVE to see a distribution which signed the kernel, bootloader and all of its packages and required the user to import a key into the UEFI BIOS to make everything work. That would be progress!

    4. Re:Making UEFI more Linux friendly by Anonymous Coward · · Score: 2, Insightful

      All it needs to do is require the ability to add MY keys to load MY kernel on MY hardware... and allow me to remove keys I don't trust.

      What is so hard about that?

      Of course MS won't allow it...

    5. Re:Making UEFI more Linux friendly by Ynot_82 · · Score: 2

      The issue here is one of PR and perception by non-technical users.

      Microsoft requires x86 machines to be unlockable

      But it's not called "Locked boot", is it?
      It's called "Secure boot"
      and disabling "secure boot" is surely, by definition, insecure.

      Asking new users to disable secure boot is not what distros want to do.

    6. Re:Making UEFI more Linux friendly by r_a_trip · · Score: 2

      Fine piece of invective, but your third point is FUD itself. Secure Boot only verifies the boot process, not if malware is running on a system. As long as malware doesn't alter the boot-sequence and manages to hide from malware detectors, then all of your horrid scenario still takes place (on Windows, Linux, Mac OS X, *BSD, the type of OS doesn't matter), while Secure Boot will never tell you that anything is amiss.

      Secure Boot is just one tiny security measure in a whole arsenal and it isn't even the most crucial one. Bootsector-based malware is rare. The vast majority of malware out there uses holes in the OS or applications or just plain makes use of the weakest link in the system and tricks the user with social engineering.

      --
      # touch universe # chmod +rwx universe # ./universe
  5. Samsung laptops by iYk6 · · Score: 5, Informative

    UEFI has been implicated in the death of Samsung laptops running Linux.

    That had nothing to do with Linux, and UEFI had no fault in that. The problem is that Samsung wrote a serious bug into their UEFI implementation that causes the laptop to brick if the user does X, Y, and Z under any operating system.

    1. Re:Samsung laptops by KingMotley · · Score: 2

      Many Windows machines got bricked too, but all the crying is from the tin-foil hat wearers.

  6. Security perspective? by Anonymous Coward · · Score: 2, Insightful

    If savvy users can disable/override/change keys then so can savvy crackers intent on bypassing your security perspective.

    Security isn't about adding 'another hoop' to someone's day. And giving MS the keys to your security is just asking for it.

    Hmmm... crackers....

    1. Re:Security perspective? by c0lo · · Score: 2

      Security isn't about adding 'another hoop' to someone's day. And giving MS the keys to your security is just asking for it.

      Yes, it is! Security is a matter of trade-off: between the value of the protected resources and the cost of protection. And this trade-off needs to be considered twice, from the PoV of attacked and attacker:
      1. value for you (what do you have to lose if resource is "stolen" or damaged) vs the cost required for you to protect it
      2. value for the attacker (what the attacker stands to gain by stealing/damaging the resource) vs the cost required to do it

      --
      Questions raise, answers kill. Raise questions to stay alive.
  7. Re:Basic questions by Kaenneth · · Score: 2

    There is a prohibition in the US constitution against ex-post-facto laws; I don't know if there is one in the EU charter.

  8. Re:Linux and UEFI by ozmanjusri · · Score: 2, Informative

    The troubles that are faced by Linux users (for example, the bricking of Samsung laptops)

    That had nothing to do with Linux or SecureBoot. It was a Samsung bug that also affected Windows.

    It was just first detected by Linux users.

    --
    "I've got more toys than Teruhisa Kitahara."
  9. Re:Want to know why my post is downmoded? by Zontar+The+Mindless · · Score: 4, Insightful

    Your post got downmodded because you're a nutjob gone off his meds.

    --
    Il n'y a pas de Planet B.