However, that decision does seem to refer specifically to *contracts*. As in, "Mr. and Mrs. Conception entered into a cellular telephone contract". An EULA is not a contract.
Read the original post. At first the high level of JS-disabled 'users' was just a cause for suspicion, they went into more detailed analysis and verified that those 'users' really were bots.
"can I simply reflash the OEM placed SecureBoot with another non-SecureBoot BIOS?"
Not easily. UEFI implementations with Secure Boot support are supposed to only be flashable with signed images, to prevent exactly this kind of workaround being done transparently by malware.
Of course, at least _some_ implementations are highly likely to be cracked, as locked bootloaders on phones often are.
They have to include it to get Windows 8 certification, which they need if they want to buy their copies of Windows 8 from Microsoft at OEM discount prices.
If they don't want to pre-load Windows, or they're happy buying copies at retail prices, there's no particular reason they have to include Secure Boot support, unless they feel it's a selling point.
Yeah, I know. Instead of posting nothing but useless snarks, like a nice guy like you does, I spend several hours of my leisure time in here providing useful factual information to people, with occasional snark-y language in the middle.
If they have to play nice to avoid accusations of monopoly practices now, why would they not attract accusations of monopoly practices if they cease to play nice in future?
"What's a signed bootloader, where De Raadt et al would be contractually forbidden from releasing the signing key required for end users to build it for themselves, if not a binary blob?"
All packages for Fedora and Ubuntu, and I'd be massively surprised if the case wasn't the same for OpenBSD, are signed with a project key. Obviously, that private key isn't released to end users. You can't precisely duplicate a Fedora, Ubuntu or (probably) OpenBSD binary package, technically, because you can't sign it with the same key.
No-one before has said this constitutes an issue with freedom or openness. Why is a bootloader binary built from completely free and reproducible source code, but signed, different?
"Canonical is NOT using Microsoft, they are running their own signing service, and so can any other vendor."
Canonical are self-signing OEM preloads (if you go and buy a system from an approved vendor with Ubuntu pre-installed...as, really, not many people do). The regular Ubuntu images you can download from the Ubuntu site, for end-user installation on an existing PC that likely shipped with Windows, will be signed with a Microsoft/Verisign key.
It's a plausible argument. I'm not sure it's really strong enough for legal proof, though. I'm not a lawyer, so I couldn't really say further than that.
"Cananonical and red hat could negotiate similar advantages directly for example with dell/hp/best-buy... it's probably not worth their while."
Well, for us (RH) it really isn't, because that's not really what we do - we don't sell consumer OSes in retail. Canonical has more ambition in that direction. They do actually have a plan to self-sign for OEM preloads of Ubuntu; only the 'normal' downloadable Ubuntu images, intended for end-user installation onto systems that shipped with Windows, will be signed with Microsoft's key. If you actually go buy a system with Ubuntu pre-installed from a Canonical-approved reseller, so their plan goes, you'll get a copy of Ubuntu that's pre-signed with a Canonical key.
The analogy just doesn't work at all. A signing key isn't some kind of product for which there is a market, in the ordinary sense, like a web browser is. The reason the IE situation was monopoly abuse is that it involved Microsoft leveraging their monopoly on desktop operating systems to artificially elevate themselves into a monopoly position in a separate, pre-existing market - the market for web browser software. Signing keys for bootloaders aren't a pre-existing product with a pre-existing market. They're a technical detail of the boot process.
" There will be no rooting your Win 8 phone/tablet."
You mean 'Windows RT phone/tablet'.
This sounds like nitpicking, but it's really not, because using the correct names is important: if you take care to use them correctly, then things are clear. 'Windows 8' is for the traditional PC architecture - x86/x86_64. 'Windows RT' is for ARM. I'm always careful of this distinction - when I say 'Windows 8' I mean specifically Windows 8, not Windows RT. i.e., I'm not talking about ARM.
That's...not an accurate analogy at all. That was problematic under the concept of bundling - Microsoft using its monopoly on _desktop operating systems_ to, in effect, force the creation of a monopoly in _web browsers_.
'Signing keys in the system firmware' is not a 'market', it's a boring technical detail. The analogy just doesn't apply at all. It doesn't make any sense to say 'Microsoft is abusing its monopoly in desktop operating systems to create a monopoly in signing keys'. It's just a silly sentence.
Not 'period', in precisely the case I explained above. If the whole point of what they're saying is 'X is an asshole and therefore I refuse to associate with X', complaining that it's an ad hominem argument is utterly missing the point. The point being that not everything is, in fact, formal logic. It doesn't make sense to apply the rules and standards of formal logic to every statement any person makes. OP was not attempting to demonstrate a fact via formal logic, he was expressing his personal opinion that he doesn't like Theo. Trying to apply the rules of formal logic to such a statement is ridiculous.
You might want to learn what the hell UEFI is before sounding ridiculous.
UEFI is not a 'BIOS extension'. BIOS and UEFI are completely different standards for firmware for PCs. UEFI is intended to _replace_ BIOS.
UEFI is also not the same thing as Secure Boot. Secure Boot is one feature of recent versions of the UEFI specification.
"From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine."
Windows 8 does not require Secure Boot to be enabled to run, indeed, or else it wouldn't work on old hardware.
"But it looks like if you want Microsoft Certification, then you need a BIOS that contains the UEFI code. But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC with a UEFI BIOS?"
This section is completely incomprehensible. I can't even begin to guess at what you were trying to say. But...the certification requirements do require a UEFI firmware with Secure Boot included and enabled by default. It's difficult for a manufacturer to 'not care about' certification because they have to compy with the certification requirements in order to buy copies of Windows from Microsoft at OEM discount prices. If they don't comply their only option is to buy copies from resellers at retail prices, which obviously hinders their ability to compete with manufacturers paying OEM rates. I highly doubt any major manufacturer will sell systems pre-loaded with Windows 8 but without complying with the Microsoft certification requirements.
"Sadly, MS has the power to take control of our computers away from us --and with secureboot they're doing exactly that."
By...specifically requiring that you have the ability to turn Secure Boot off, and enrol your own keys?
The Microsoft Windows 8 certification requirements specifically require both these things. The UEFI spec does not. A manufacturer who complies only with the UEFI spec has *more* freedom to restrict your ability to control the hardware than a manufacturer who also complies with the Windows 8 certification requirements.
"He is not "begging user to turn off secure boot", because, and this is the point, we will not be able to, the way things are going. "
What's 'the way things are going'? What support do you have for this assertion? Microsoft's Windows 8 compliance requirements specifically state that the user of a system must be able to disable Secure Boot. Microsoft are actually _requiring_ OEMs make it possible to disable Secure Boot.
People like to throw 'ad hominem' around way too much, because it sounds all clever, I guess. It doesn't work all the time.
An 'ad hominem argument' is an error when you're formally debating a specific argument with another person, and you try to win by attacking the person. 'You say that this apple is green, but I say that you smell and your mother is French, therefore the apple is red and I win!' That's a true case of an 'ad hominem argument' which is flawed.
You can't just go around yelling 'ad hominem' every time anyone says something bad about another person, though. AC's whole point, such as it is, is that he stopped being involved with OpenBSD because he thinks Theo is a dick, and he encourages other people not to get involved in OpenBSD because he thinks Theo is a dick. You can't really lob 'ad hominem' at someone, as if it means something, when their entire _point_ is that a person is being a dick. You have to actually engage with the argument that the person is a dick, and try to contradict it.
"That's a nice 3-page essay (double-space I presume), but it doesn't change the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run."
That's still not a fact. We were not forced to buy a license. We had several options, which Matthew outlined way back at the start of this whole saga, in this blog post:
Specifically, the paragraph headlined "Getting the machine booted". It mentions the other options, including "the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it" and "producing some sort of overall Linux key". There is also the obvious negative possibility of simply not signing anything at all; this would require users to disable Secure Boot in the firmware before installing Linux, but it doesn't prevent them from doing so.
Both Fedora (note, Fedora, not RH; RH does not necessarily always follow what Fedora does) and Ubuntu had several choices and _chose_ to go with the Microsoft signing service as the 'least bad' option (well, Ubuntu will also be self-signing, for OEM preloads). The fact that we are _choosing_ to get our releases signed with the Microsoft/Verisign key does not imply that we were _forced_ to do so. We _choose_ to do so on the basis that it'll provide the maximum possible success rate of Fedora installs with the minimum amount of work. We could have chosen to self-sign, or not to sign at all, and ask users to disable Secure Boot or import our key. We decided not to do so.
"Problem si that peope like YOU seem to think corproatuions never od anything wrong"
This is an absurd stretch. You appear to be implying that anyone who suggests that a corporation might ever do anything at all that is _not_ wrong, must therefore believe that a corporation can _never_ do anything wrong. This is clearly ridiculous and false. You also mistake my opinion that Microsoft's actions are _not illegal_ for an opinion that they're _right_. These are not the same thing at all. I have carefully refrained from stating in public any personal opinion on the Rightness or Wrongness, from an ethical/moral standpoint, of Microsoft's actions. This is intentional. What I have said several times is that I don't believe the actions can successfully be characterized as _illegal_. Not everything that's wrong is also illegal. But if something is wrong/bad but not illegal, then you can't defeat that something through the courts. This sub-thread was prompted by someone saying that RH and Canonical should have chosen to prosecute or sue Microsoft. My point is that this is hardly a viable option if the suit would fail.
Yes. Either the UEFI spec or the Microsoft requirements (I forget which) state that if the user removes all keys, the machine should go to 'secure boot disabled' state. So if the specs are actually followed, you should be able to remove the Microsoft key from any hardware you buy and that will automatically kick the system into 'secure boot disabled' state. Or you could just disable it directly.
Yeah, that's why I limited my post specifically to x86. The ARM requirements are much stricter: Secure Boot must be enabled and must not be disable-able, and the user must not be able to enrol their own keys. I don't believe the requirements reject the possibility of other keys being preloaded, but in practice I doubt we'll see that.
As other responders have pointed out, though, there's a different problem with alleging monopoly abuse when it comes to Windows RT / ARM, which is that Microsoft doesn't have any kind of monopoly on any kind of ARM client device. It doesn't have a tablet or phone monopoly. Consumer ARM devices are often sold heavily locked down; Microsoft isn't doing anything new there. (Most Android phones / tablets, and all Apple ones, are locked down in similar fashion).
"Requiring other OS makers to buy a license from Microsoft is very clear evidence of using their monopoly power to stifle competition"
It certainly would be. The only problem is that they're not doing that at all.
The industry as a whole agreed to ratify the basic Secure Boot mechanism as part of the UEFI standard. Secure Boot as described in the UEFI standard does not say anything at all about who should sign code and issue keys and any of that stuff. All it does is say 'here is a mechanism called Secure Boot by which the system firmware can maintain a list of keys and refuse to run code which is not signed by one of those keys'.
So once that's in the UEFI standard, we have a world where there is this thing called Secure Boot which operating system developers and hardware vendors can *choose* to implement. Or not. The UEFI standard says nothing about whether it ought to be used, what keys ought to be included, or anything like that.
So Microsoft, as an operating system vendor, decides they want to use this Secure Boot thing. They're going to sign their operating system, and require vendors who want to pre-load that operating system on their systems to ship Microsoft's key. So that their operating system will run. This is what the Microsoft Windows 8 certification requirements for x86 state: you have to turn Secure Boot on by default and include our key.
What the certification requirements explicitly do _not_ state is this: 'you can't include any other keys'. They definitely don't say that. They just say 'you have to include Microsoft's key'. There's no restriction at all on shipping any number of other keys. Additionally, the certification requirements explicitly require that the user be able to enrol their own keys, and also disable Secure Boot if they so desire.
So...Microsoft's requirements for OEMs are that they enable Secure Boot by default (but allow it to be disabled) and ship Microsoft's key (but they can also happily ship any number of other keys, if they choose).
It's logically impossible to construe this as "Requiring other OS makers to buy a license from Microsoft". It doesn't do that, at all. Other OS makers can have their OS signed by themselves or anyone else they like, and ask hardware manufacturers to ship that key. Microsoft does nothing to prevent this. Or they can choose not to sign their OS at all, and ask users to disable Secure Boot. Microsoft does nothing to prevent this. Or they can _choose_ to have Microsoft sign their OS so it'll work without them needing to get any other key loaded into firmware; Microsoft didn't _have_ to provide public signing services, but they are doing so to avoid a PR shitstorm. If Microsoft really wanted to be evil, why would it provide public signing services at all? Wouldn't it be more effective just to say 'no, we won't do that'?
I find it highly unlikely that you could build a convincing case of monopoly abuse over Secure Boot for x86, when the actual facts of the matter are taken into account. They just don't support the accusation strongly enough. If Microsoft could be shown to be exerting pressure to prevent alternative signing groups from existing or getting their keys loaded onto hardware, then maybe...but AFAIK no-one has shown such.
(disclaimers: I am not a lawyer and this is not legal advice or a legal opinion. Furthermore, though I work for Red Hat, I am not directly involved in any RH evaluation of this issue, I am not involved in RH legal in any way, and this is entirely a personal opinion and not in any way representative of Red Hat. It is not Red Hat's official position on the issue of the legality or otherwise of Microsoft's actions. I specifically leave open the possibility that Red Hat as an entity might take a completely opposite view of the case.)
Slashdot Mirror
Wow, you have some terrible laws.
However, that decision does seem to refer specifically to *contracts*. As in, "Mr. and Mrs. Conception entered into a cellular telephone contract". An EULA is not a contract.
Read the original post. At first the high level of JS-disabled 'users' was just a cause for suspicion, they went into more detailed analysis and verified that those 'users' really were bots.
"This isn't analogous to the Secure Boot fiasco where it's significantly harder for end users to get their own signing keys"
No, it isn't. It'll be trivial for anyone to generate a key and sign some code with it. mjg59 is working on tools to do this even now.
What you might find trickier is to get other people to trust your key, but that's just the same with packages, isn't it?
You will be able to build a bootloader chain and sign it with a key you control, just as you can build a package and sign it with a key you control.
"can I simply reflash the OEM placed SecureBoot with another non-SecureBoot BIOS?"
Not easily. UEFI implementations with Secure Boot support are supposed to only be flashable with signed images, to prevent exactly this kind of workaround being done transparently by malware.
Of course, at least _some_ implementations are highly likely to be cracked, as locked bootloaders on phones often are.
They have to include it to get Windows 8 certification, which they need if they want to buy their copies of Windows 8 from Microsoft at OEM discount prices.
If they don't want to pre-load Windows, or they're happy buying copies at retail prices, there's no particular reason they have to include Secure Boot support, unless they feel it's a selling point.
Yeah, I know. Instead of posting nothing but useless snarks, like a nice guy like you does, I spend several hours of my leisure time in here providing useful factual information to people, with occasional snark-y language in the middle.
Boy, I'm such a giant douche.
If they have to play nice to avoid accusations of monopoly practices now, why would they not attract accusations of monopoly practices if they cease to play nice in future?
"What's a signed bootloader, where De Raadt et al would be contractually forbidden from releasing the signing key required for end users to build it for themselves, if not a binary blob?"
All packages for Fedora and Ubuntu, and I'd be massively surprised if the case wasn't the same for OpenBSD, are signed with a project key. Obviously, that private key isn't released to end users. You can't precisely duplicate a Fedora, Ubuntu or (probably) OpenBSD binary package, technically, because you can't sign it with the same key.
No-one before has said this constitutes an issue with freedom or openness. Why is a bootloader binary built from completely free and reproducible source code, but signed, different?
"Canonical is NOT using Microsoft, they are running their own signing service, and so can any other vendor."
Canonical are self-signing OEM preloads (if you go and buy a system from an approved vendor with Ubuntu pre-installed...as, really, not many people do). The regular Ubuntu images you can download from the Ubuntu site, for end-user installation on an existing PC that likely shipped with Windows, will be signed with a Microsoft/Verisign key.
It's a plausible argument. I'm not sure it's really strong enough for legal proof, though. I'm not a lawyer, so I couldn't really say further than that.
"Cananonical and red hat could negotiate similar advantages directly for example with dell/hp/best-buy ... it's probably not worth their while."
Well, for us (RH) it really isn't, because that's not really what we do - we don't sell consumer OSes in retail. Canonical has more ambition in that direction. They do actually have a plan to self-sign for OEM preloads of Ubuntu; only the 'normal' downloadable Ubuntu images, intended for end-user installation onto systems that shipped with Windows, will be signed with Microsoft's key. If you actually go buy a system with Ubuntu pre-installed from a Canonical-approved reseller, so their plan goes, you'll get a copy of Ubuntu that's pre-signed with a Canonical key.
The analogy just doesn't work at all. A signing key isn't some kind of product for which there is a market, in the ordinary sense, like a web browser is. The reason the IE situation was monopoly abuse is that it involved Microsoft leveraging their monopoly on desktop operating systems to artificially elevate themselves into a monopoly position in a separate, pre-existing market - the market for web browser software. Signing keys for bootloaders aren't a pre-existing product with a pre-existing market. They're a technical detail of the boot process.
" There will be no rooting your Win 8 phone/tablet."
You mean 'Windows RT phone/tablet'.
This sounds like nitpicking, but it's really not, because using the correct names is important: if you take care to use them correctly, then things are clear. 'Windows 8' is for the traditional PC architecture - x86/x86_64. 'Windows RT' is for ARM. I'm always careful of this distinction - when I say 'Windows 8' I mean specifically Windows 8, not Windows RT. i.e., I'm not talking about ARM.
That's...not an accurate analogy at all. That was problematic under the concept of bundling - Microsoft using its monopoly on _desktop operating systems_ to, in effect, force the creation of a monopoly in _web browsers_.
'Signing keys in the system firmware' is not a 'market', it's a boring technical detail. The analogy just doesn't apply at all. It doesn't make any sense to say 'Microsoft is abusing its monopoly in desktop operating systems to create a monopoly in signing keys'. It's just a silly sentence.
It's possible. All things are possible. But it seems unwarranted to assume it as a foregone conclusion.
Not 'period', in precisely the case I explained above. If the whole point of what they're saying is 'X is an asshole and therefore I refuse to associate with X', complaining that it's an ad hominem argument is utterly missing the point. The point being that not everything is, in fact, formal logic. It doesn't make sense to apply the rules and standards of formal logic to every statement any person makes. OP was not attempting to demonstrate a fact via formal logic, he was expressing his personal opinion that he doesn't like Theo. Trying to apply the rules of formal logic to such a statement is ridiculous.
Please stop confusing UEFI and Secure Boot. It makes it impossible to communicate with you.
You might want to learn what the hell UEFI is before sounding ridiculous.
UEFI is not a 'BIOS extension'. BIOS and UEFI are completely different standards for firmware for PCs. UEFI is intended to _replace_ BIOS.
UEFI is also not the same thing as Secure Boot. Secure Boot is one feature of recent versions of the UEFI specification.
"From what I understand, Windows 8 will run on most contemporary hardware. I installed it on a 3.8GHz P4 system and it ran fine."
Windows 8 does not require Secure Boot to be enabled to run, indeed, or else it wouldn't work on old hardware.
"But it looks like if you want Microsoft Certification, then you need a BIOS that contains the UEFI code. But what if a manufacturer doesn't care about Microsoft Certification and elects to install Windows 8 on a PC with a UEFI BIOS?"
This section is completely incomprehensible. I can't even begin to guess at what you were trying to say. But...the certification requirements do require a UEFI firmware with Secure Boot included and enabled by default. It's difficult for a manufacturer to 'not care about' certification because they have to compy with the certification requirements in order to buy copies of Windows from Microsoft at OEM discount prices. If they don't comply their only option is to buy copies from resellers at retail prices, which obviously hinders their ability to compete with manufacturers paying OEM rates. I highly doubt any major manufacturer will sell systems pre-loaded with Windows 8 but without complying with the Microsoft certification requirements.
"Sadly, MS has the power to take control of our computers away from us --and with secureboot they're doing exactly that."
By...specifically requiring that you have the ability to turn Secure Boot off, and enrol your own keys?
The Microsoft Windows 8 certification requirements specifically require both these things. The UEFI spec does not. A manufacturer who complies only with the UEFI spec has *more* freedom to restrict your ability to control the hardware than a manufacturer who also complies with the Windows 8 certification requirements.
"He is not "begging user to turn off secure boot", because, and this is the point, we will not be able to, the way things are going. "
What's 'the way things are going'? What support do you have for this assertion? Microsoft's Windows 8 compliance requirements specifically state that the user of a system must be able to disable Secure Boot. Microsoft are actually _requiring_ OEMs make it possible to disable Secure Boot.
People like to throw 'ad hominem' around way too much, because it sounds all clever, I guess. It doesn't work all the time.
An 'ad hominem argument' is an error when you're formally debating a specific argument with another person, and you try to win by attacking the person. 'You say that this apple is green, but I say that you smell and your mother is French, therefore the apple is red and I win!' That's a true case of an 'ad hominem argument' which is flawed.
You can't just go around yelling 'ad hominem' every time anyone says something bad about another person, though. AC's whole point, such as it is, is that he stopped being involved with OpenBSD because he thinks Theo is a dick, and he encourages other people not to get involved in OpenBSD because he thinks Theo is a dick. You can't really lob 'ad hominem' at someone, as if it means something, when their entire _point_ is that a person is being a dick. You have to actually engage with the argument that the person is a dick, and try to contradict it.
"That's a nice 3-page essay (double-space I presume), but it doesn't change the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run."
That's still not a fact. We were not forced to buy a license. We had several options, which Matthew outlined way back at the start of this whole saga, in this blog post:
http://mjg59.dreamwidth.org/12368.html
Specifically, the paragraph headlined "Getting the machine booted". It mentions the other options, including "the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it" and "producing some sort of overall Linux key". There is also the obvious negative possibility of simply not signing anything at all; this would require users to disable Secure Boot in the firmware before installing Linux, but it doesn't prevent them from doing so.
Both Fedora (note, Fedora, not RH; RH does not necessarily always follow what Fedora does) and Ubuntu had several choices and _chose_ to go with the Microsoft signing service as the 'least bad' option (well, Ubuntu will also be self-signing, for OEM preloads). The fact that we are _choosing_ to get our releases signed with the Microsoft/Verisign key does not imply that we were _forced_ to do so. We _choose_ to do so on the basis that it'll provide the maximum possible success rate of Fedora installs with the minimum amount of work. We could have chosen to self-sign, or not to sign at all, and ask users to disable Secure Boot or import our key. We decided not to do so.
"Problem si that peope like YOU seem to think corproatuions never od anything wrong"
This is an absurd stretch. You appear to be implying that anyone who suggests that a corporation might ever do anything at all that is _not_ wrong, must therefore believe that a corporation can _never_ do anything wrong. This is clearly ridiculous and false. You also mistake my opinion that Microsoft's actions are _not illegal_ for an opinion that they're _right_. These are not the same thing at all. I have carefully refrained from stating in public any personal opinion on the Rightness or Wrongness, from an ethical/moral standpoint, of Microsoft's actions. This is intentional. What I have said several times is that I don't believe the actions can successfully be characterized as _illegal_. Not everything that's wrong is also illegal. But if something is wrong/bad but not illegal, then you can't defeat that something through the courts. This sub-thread was prompted by someone saying that RH and Canonical should have chosen to prosecute or sue Microsoft. My point is that this is hardly a viable option if the suit would fail.
Yes. Either the UEFI spec or the Microsoft requirements (I forget which) state that if the user removes all keys, the machine should go to 'secure boot disabled' state. So if the specs are actually followed, you should be able to remove the Microsoft key from any hardware you buy and that will automatically kick the system into 'secure boot disabled' state. Or you could just disable it directly.
Yeah, that's why I limited my post specifically to x86. The ARM requirements are much stricter: Secure Boot must be enabled and must not be disable-able, and the user must not be able to enrol their own keys. I don't believe the requirements reject the possibility of other keys being preloaded, but in practice I doubt we'll see that.
As other responders have pointed out, though, there's a different problem with alleging monopoly abuse when it comes to Windows RT / ARM, which is that Microsoft doesn't have any kind of monopoly on any kind of ARM client device. It doesn't have a tablet or phone monopoly. Consumer ARM devices are often sold heavily locked down; Microsoft isn't doing anything new there. (Most Android phones / tablets, and all Apple ones, are locked down in similar fashion).
"Requiring other OS makers to buy a license from Microsoft is very clear evidence of using their monopoly power to stifle competition"
It certainly would be. The only problem is that they're not doing that at all.
The industry as a whole agreed to ratify the basic Secure Boot mechanism as part of the UEFI standard. Secure Boot as described in the UEFI standard does not say anything at all about who should sign code and issue keys and any of that stuff. All it does is say 'here is a mechanism called Secure Boot by which the system firmware can maintain a list of keys and refuse to run code which is not signed by one of those keys'.
So once that's in the UEFI standard, we have a world where there is this thing called Secure Boot which operating system developers and hardware vendors can *choose* to implement. Or not. The UEFI standard says nothing about whether it ought to be used, what keys ought to be included, or anything like that.
So Microsoft, as an operating system vendor, decides they want to use this Secure Boot thing. They're going to sign their operating system, and require vendors who want to pre-load that operating system on their systems to ship Microsoft's key. So that their operating system will run. This is what the Microsoft Windows 8 certification requirements for x86 state: you have to turn Secure Boot on by default and include our key.
What the certification requirements explicitly do _not_ state is this: 'you can't include any other keys'. They definitely don't say that. They just say 'you have to include Microsoft's key'. There's no restriction at all on shipping any number of other keys. Additionally, the certification requirements explicitly require that the user be able to enrol their own keys, and also disable Secure Boot if they so desire.
So...Microsoft's requirements for OEMs are that they enable Secure Boot by default (but allow it to be disabled) and ship Microsoft's key (but they can also happily ship any number of other keys, if they choose).
It's logically impossible to construe this as "Requiring other OS makers to buy a license from Microsoft". It doesn't do that, at all. Other OS makers can have their OS signed by themselves or anyone else they like, and ask hardware manufacturers to ship that key. Microsoft does nothing to prevent this. Or they can choose not to sign their OS at all, and ask users to disable Secure Boot. Microsoft does nothing to prevent this. Or they can _choose_ to have Microsoft sign their OS so it'll work without them needing to get any other key loaded into firmware; Microsoft didn't _have_ to provide public signing services, but they are doing so to avoid a PR shitstorm. If Microsoft really wanted to be evil, why would it provide public signing services at all? Wouldn't it be more effective just to say 'no, we won't do that'?
I find it highly unlikely that you could build a convincing case of monopoly abuse over Secure Boot for x86, when the actual facts of the matter are taken into account. They just don't support the accusation strongly enough. If Microsoft could be shown to be exerting pressure to prevent alternative signing groups from existing or getting their keys loaded onto hardware, then maybe...but AFAIK no-one has shown such.
(disclaimers: I am not a lawyer and this is not legal advice or a legal opinion. Furthermore, though I work for Red Hat, I am not directly involved in any RH evaluation of this issue, I am not involved in RH legal in any way, and this is entirely a personal opinion and not in any way representative of Red Hat. It is not Red Hat's official position on the issue of the legality or otherwise of Microsoft's actions. I specifically leave open the possibility that Red Hat as an entity might take a completely opposite view of the case.)
It's in the first article. Seven seconds per action.