Microsoft UEFI Secure Boot Petition

EphesiaNZ

It's me! Who else could it be...
Apr 19, 2011
5,471
453
New Zealand
✟30,297.00
Gender
Male
Faith
Christian
Marital Status
Married
Well it had to happen - I said it would :)

Investigate Microsoft's requirement of the SecureBoot UEFI interface as anti-competitive

The petition page hits it on the nail. SecureBoot totally inhibits a user to choose how they use their new computer. SecureBoot would not be needed if Microsoft Windows 8 was as secure as they tell consumers.

If you're in the US I urge you to view the petition and for consumer freedom I would put your weight behind it just like Obama is currently with unlocking jailed mobile phones devices to allow greater freedom of choice for users.
 

adrianmonk

Recursive Algorithm
Jan 14, 2008
696
785
Seattle, WA
✟296,911.00
Country
United States
Gender
Male
Faith
Atheist
Marital Status
In Relationship
Politics
US-Democrat
Actually, the page does not quite hit it on the nail. SecureBoot by itself is not a bad thing.
The main issue is that for Windows RT, Microsoft does not allow replacement of the signing keys with your own key, or another vendor's key or be able to turn it off.

For the x86/amd64 platforms, the specification does allow you to use your own key or allow you to turn it off.

Search Google for FSF and Secureboot, their position on the issue is much clearer.
 
EphesiaNZ

> Actually, the page does not quite hit it on the nail. SecureBoot by itself is not a bad thing.
> The main issue is that for Windows RT, Microsoft does not allow replacement of the signing keys with your own key, or another vendor's key or be able to turn it off.

If SecureBoot had come via some independent authority or organisation then I may be more willing to adopt it but unfortunately this has been forced on us by Microsoft for no other reason than to stifle competitive operating systems. And the key signing authority, who is it? - yes none other than Microsoft themselves, it's kinda like a conflict of interest. I liken it to a car manufacturer telling its customers that you can only fill up their cars at certain authorised gas stations! Originally, MS said that they will provide keys for users of Linux and BSD's etc for $99 per machine - another way for MS to make revenue off non-MS platforms. I smell a rat, don't you?

> For the x86/amd64 platforms, the specification does allow you to use your own key or allow you to turn it off.

Ah yes, you didn't mention ARM architecture - Microsoft have made it that SecureBoot is on by default and cannot be disabled on this platform...

> Search Google for FSF and Secureboot, their position on the issue is much clearer.

I'm not really interested about their position to be honest. The Linux Foundation have a workaround thankfully but as I have read, Microsoft have two master keys, one for Windows 8 and one for other operating systems. Now as I see it, they could revoke the non-Windows 8 key and leave everyone stranded again.

Don't you think it's ironic that non-Windows8 operating systems need a key to boot on new motherboards but Windows 8 can boot on non-SecureBoot boards? Why didn't MS just build their own secure boot feature into Windows 8 and tell users that they cannot boot Windows 8 on non-UEFI SecureBoot machines just like Apple do - the reason is?

Money, that's the reason, all that lost OS upgrade revenue.

SecureBoot is not about security, it's about limiting freedom of choice and increasing revenue streams.
 
adrianmonk

> If SecureBoot had come via some independent authority or organisation then I may be more willing to adopt it but unfortunately this has been forced on us by Microsoft for no other reason than to stifle competitive operating systems. And the key signing authority, who is it? - yes none other than Microsoft themselves, it's kinda like a conflict of interest.

Secure Boot is part of the UEFI 2.2 specification which is controlled by the Unified EFI forum. It was originally developed by Intel.

It only became news because of the Win8 Requirement. Initially even x86 had to be locked down, but it does not need to be anymore (though I think this will change and hardware becomes more locked down). Right now the spec says that you, the customer MUST be able to turn SecureBoot off.

> I liken it to a car manufacturer telling its customers that you can only fill up their cars at certain authorised gas stations! Originally, MS said that they will provide keys for users of Linux and BSD's etc for $99 per machine - another way for MS to make revenue off non-MS platforms. I smell a rat, don't you?

MS will provide keys to distributions who will then sign their distro for you. So if you use Ubuntu or Suse and don't roll out your own kernel, you don't need to pay MS.

I personally would like to be able to sign my own builds and remove the MS key from the chain if possible and replace it with my signing key for MY hardware.

I tend to stay away from car analogies since software manufacturing and distribution is nothing like automobile manufacturing or gasoline production.

> Ah yes, you didn't mention ARM architecture - Microsoft have made it that SecureBoot is on by default and cannot be disabled on this platform...

Most ARM platforms are restricted. The ARM licensing terms allow them to do so. There are many choices if you want an ARM machine which have no restrictions. Not being able to install linux on a _windows branded_ laptop does not infringe your freedom.

> I'm not really interested about their position to be honest. The Linux Foundation have a workaround thankfully but as I have read, Microsoft have two master keys, one for Windows 8 and one for other operating systems. Now as I see it, they could revoke the non-Windows 8 key and leave everyone stranded again.

Hence why I prefer to replace that key with my own. SecureBoot where you control the keys is more secure and the way it should be. Hopefully they make the process of signing a distribution with your own key, and replacing the manufacturer supplied key easy. But for most people out there, being able to pop in a cd and install an OS should be easy. Whether it means using the MS key or maybe a key used by the major distributions to sign their releases.

> Don't you think it's ironic that non-Windows8 operating systems need a key to boot on new motherboards but Windows 8 can boot on non-SecureBoot boards? Why didn't MS just build their own secure boot feature into Windows 8 and tell users that they cannot boot Windows 8 on non-UEFI SecureBoot machines just like Apple do - the reason is?

Apple restricts installing OSX on non Mac machines because they make hardware. The OS sells the hardware. They don't care what you do with the Mac, as long as you buy it.

The UEFI spec was not created by Microsoft, nor is it controlled by Microsoft. The hardware is not made by Microsoft. If they wanted to enforce UEFI Secureboot for Windows 8, it would mean that people with older motherboards will not be able to buy Windows 8. Windows 9 may be more restricted.

You can turn SecureBoot off. That is also in the spec. The spec states that the users MUST be able to turn off SecureBoot. Whether manufacturers follow it is another issue entirely.
 
EphesiaNZ

> Secure Boot is part of the UEFI 2.2 specification which is controlled by the Unified EFI forum. It was originally developed by Intel.

> ...though I think this will change and hardware becomes more locked down). Right now the spec says that you, the customer MUST be able to turn SecureBoot off.

Yes, the Wintel duopoly that wants to rule the world, hardware to become more locked down - there goes more freedom...

> MS will provide keys to distributions who will then sign their distro for you. So if you use Ubuntu or Suse and don't roll out your own kernel, you don't need to pay MS.

> I tend to stay away from car analogies since software manufacturing and distribution is nothing like automobile manufacturing or gasoline production.

Again, secure boot fails and limits freedom of choice. Well you choose some other analogy then if you wish, software/hardware/vehicle scenario is all the same to the end customer that has to pay the hard earned money for these products.

> Not being able to install linux on a _windows branded_ laptop does not infringe your freedom.

Why not?

> If they wanted to enforce UEFI Secureboot for Windows 8, it would mean that people with older motherboards will not be able to buy Windows 8. Windows 9 may be more restricted.

Here's the irony, "SecureBoot" which is non-secure on older (non Win8 approved) motherboards. On one hand they want to lock things down, on the other they allow users to install on older systems - $o $ecure...


> You can turn SecureBoot off. That is also in the spec. The spec states that the users MUST be able to turn off SecureBoot. Whether manufacturers follow it is another issue entirely.

But, secure boot is turned on by default on systems - except server hardware, is that for a sales reason?
 
adrianmonk

> Yes, the Wintel duopoly that wants to rule the world, hardware to become more locked down - there goes more freedom...

Actually AMD, IBM and a few other companies are also members of the UEFI forum who controls the spec. Manufacturers are free to implement UEFI without secureboot or implement secureboot without microsoft keys. I am not sure how this translates to taking away your freedom. Even Richard Stallman admits this.

> Again, secure boot fails and limits freedom of choice. Well you choose some other analogy then if you wish, software/hardware/vehicle scenario is all the same to the end customer that has to pay the hard earned money for these products.

Again I am not sure how being able to turn off SecureBoot, or being able to add your own keys to SecureBoot limits your freedom.

How is this for an analogy? You buy a house which comes with a door. The door has a lock which has a key. You are complaining that the house is locked, even though you are free to keep it unlocked, or replace the lock and key with one of your own choice.

Because you have a choice in the hardware you buy. If you want an ARM computer get a Raspberry Pi. No lockdowns, install whatever you want. As ARM becomes more popular, you will have more choices. There are computers with MIPS compatible chips you can get instead of ARM if you choose.

> Here's the irony, "SecureBoot" which is non-secure on older (non Win8 approved) motherboards. On one hand they want to lock things down, on the other they allow users to install on older systems - $o $ecure...

You are welcome to purchase a board with UEFI with Secureboot and be able to enforce trusted binary execution. Once the bootloaders for linux are released, you can do this there as well. Or you can turn SecureBoot off and run whatever you want.

> But, secure boot is turned on by default on systems - except server hardware, is that for a sales reason?

SecureBoot can be turned on by default on both desktops and servers from manufacturers who support it. The manufacturer has to allow you to turn SecureBoot off. It is up to them. If a manufacturer does not do this, vote with your wallet and buy from someone else.

Like I said in my previous post, I will purchase hardware from a manufacturer who, in addition to allowing me to turn SecureBoot off, will also allow me to keep it on but replace the keys.

If the Microsoft signing key was my only choice, then I would be a bit upset. But since the spec allows me to define that key (provided I sign my os and binaries myself), then I am ok with it.

The reason red hat, canonical etc are using the Microsoft key is to make installation of their distributions easier.

I do roll out custom distros for specific projects. For my personal projects, I would prefer rolling my own signing key.
 
EphesiaNZ

> How is this for an analogy? You buy a house which comes with a door. The door has a lock which has a key. You are complaining that the house is locked, even though you are free to keep it unlocked, or replace the lock and key with one of your own choice.

I guess I can go through the windows - they are probably broken anyway :)

> SecureBoot can be turned on by default on both desktops and servers from manufacturers who support it. The manufacturer has to allow you to turn SecureBoot off. It is up to them. If a manufacturer does not do this, vote with your wallet and buy from someone else.

Windows 8 certification requires SecureBoot turned on by default if I'm not mistaken, so you actually have to turn it off, not on. And I also hear that MS are offering substantially lower Win8 licensing to those OEM's that don't offer an on/off option.

> I do roll out custom distros for specific projects. For my personal projects, I would prefer rolling my own signing key.

Likewise, I roll out custom built distros to friends et al. I would prefer not to bother with any keys, boot options or any other hack that gets in the way of booting an OS.

How long before SecureBoot becomes unsecure - it's just a matter of time. We see SSL authorities getting compromised often these days, the whole secure boot scenario is no different.

For me, the whole thing is "Did we ask for this?" - my answer is NO.

We don't need secure booting, we need secure operating systems.

We will have to agree to disagree on the SecureBoot issue possibly. Meanwhile I wait for the class action lawsuit...
 
adrianmonk

> And I also hear that MS are offering substantially lower Win8 licensing to those OEM's that don't offer an on/off option.

This may be true, but it also opens up MS to another legal fiasco in Europe, possibly in the US as well. The DOJ action in the late 90s was specifically for preferential pricing to OEMs. Additionally some manufacturers may just opt not to follow the spec and offer a way to turn it off. Vote with your wallet and don't buy their products.


> How long before SecureBoot becomes unsecure - it's just a matter of time. We see SSL authorities getting compromised often these days, the whole secure boot scenario is no different.

If you are able to replace the keys with your own signing key, then this issue becomes moot. Unless you cannot trust yourself.

> For me, the whole thing is "Did we ask for this?" - my answer is NO.
>
> We don't need secure booting, we need secure operating systems.
>
> We will have to agree to disagree on the SecureBoot issue possibly. Meanwhile I wait for the class action lawsuit...

SecureBoot is really not a bad idea. The only bad component (if allowed) is trusting a single authority. As long as the option exists to turn it off, it's not a big deal and is probably even beneficial. This is the main reason that many distributions are trying to find ways to enable secureboot in Linux.

Security is a process, not a product. SecureBoot is just one of the options.
 
Upvote 0
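
Added example, not part of the thread or of either poster's code: the exchange above turns on whether Secure Boot is enabled and whose keys the firmware trusts. On Linux these are exposed through efivarfs (for instance `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`); this Python code parses the raw contents of the `SecureBoot`, `SetupMode` and `db` variables and lists the owner GUID of every `db` entry. The sample bytes and both owner GUIDs are constructed placeholders, not values from a real machine.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}

def read_flag(blob):
    """efivarfs files start with a 4-byte attribute word; the flag is the byte after it."""
    if len(blob) != 5:
        raise ValueError("expected 4 attribute bytes + 1 value byte")
    return blob[4] == 1

def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner GUID, payload length)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or body > end or end > len(data) or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), str(owner), sig_size - 16))
        off = end
    return entries

def summarize(secure_boot, setup_mode, db):
    """Inputs are raw efivarfs file contents (attribute word included)."""
    return {
        "secure_boot": read_flag(secure_boot),
        "setup_mode": read_flag(setup_mode),  # True: no platform key enrolled yet
        "db": parse_signature_lists(db[4:]),
    }

# --- constructed sample data (not taken from a real machine) ---
ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | time-based authenticated write
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
VENDOR = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder vendor owner
OWNER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")   # placeholder self-enrolled owner

def make_list(type_guid, owner, payload):
    """Build one EFI_SIGNATURE_LIST holding a single signature (sample data only)."""
    sig = owner.bytes_le + payload
    return type_guid.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

SAMPLE_DB = ATTRS + make_list(X509, VENDOR, b"\x30" * 40) + make_list(X509, OWNER, b"\x30" * 24)

if __name__ == "__main__":
    print(summarize(ATTRS + b"\x01", ATTRS + b"\x00", SAMPLE_DB))
```

A `db` that lists only a vendor's owner GUID means every boot binary has to chain to that vendor's certificate; an entry with your own owner GUID is the "replace the keys" case discussed in the thread.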