Australian Users Petitioning Against Windows 8 Secure Boot

In his first accepted submission, lukemartinez sends in an excerpt from a ZDNet article on continuing developments about Microsoft's UEFI secure boot requirements: "The Linux Australia community began petitioning the ACCC this week after Microsoft aired plans to mandate the enabling of Unified Extensible Firmware Interface's secure boot feature for devices bearing the 'Designed for Windows 8' logo. This means that any software or hardware that is to run on the firmware will need to be signed by Microsoft or the original equipment manufacturer (OEM) to be able to execute. This would make it impossible to install alternative operating systems like Linux..." Delimeter has further information on the petititions, and Matthew Garret recently posted a follow-up to Microsoft's response to the concerns about secure boot, calling them out on their misinformation.

Petition to ignorance

[Manip]

This petition and the signers of it just show that they're ignorant of the technology and the implementation of it. Unfortunately you might have government bodies thinking there is no smoke without fire, and making threats about this or that. But truth is this is a manufactured story that really has yet to cause anyone any problems.

Let me ask you this: Who has built a system with a UEFI subsystem which doesn't allow Secure Boot to be disabled by the user? Answer: Nobody.

Europeans

[sg_oneill]

I'd strongly implore europeans to look at similar moves. The EU courts have proven time again to have backbone when it comes to anti-competitive behaviour in the IT industry, and right now this is Microsoft playing the checkmate card its been threatening for a long long time.

Re:honestly...so what?

[Chrisq]

Really though...who buys a vendor PC then slaps Linux on it? We build our PC's..

I did just that with my laptop

Re:Petition to ignorance

[karolbe]

It is just a matter of time when such systems will start appearing. I bought a laptop some time ago, and to my big surprise it had VT-x (Hardware Virtualization) flag disabled, enabling it by the vendor was just a matter of setting one bit in some processor registry, but still they decided to release BIOS without such option. You could buy similar laptop with VT-x enabled but it cost more. I expect that in 3 years time we will have to pay extra just to have Secure Boot option configurable. After all that feature will be purely for "experts" (that is Linux users) and they can afford paying more...

This issue isn't Microsoft's...

[neokushan]

..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.
For someone that's supposedly calling Microsoft out for misinformation, Matthew Garret does a great job of it himself. Here's a few points I noticed:

Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.

Which hardware vendors? Who? What hardware? Why? And what has that got to do with Microsoft?

Windows 8 certification does not require that the system ship with any keys other than Microsoft's.

And why shouldn't it? It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.

Exactly, however a system that ships with UEFI secure boot and only includes a linux distribution's signing keys will only securely boot that linux distribution. Why is the latter ok, but the former not? Oh wait, because Microsoft is the big, bad buy? Once again - Microsoft doesn't mandate that UEFI secure boot be forced, its the OEM's decision to remove the option to disable it.

Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

Of course, this fails to mention (again) that OEMs are in no way forced to remove UEFI secure boot and by doing so, they'll be at a disadvantage in the marketplace and lose sales from people like this very writer....

Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

In short: Because Nobody else can have secure boot, why should Microsoft get to have it? Apparently that's bad for even the likes of AMD and Intel.
Nevermind that 99.99% of malware targets windows, that most "zombies" on the internet are Windows machines, that most spam is sent from windows machines, which affects everyone. In that instance, giving Windows machines that extra blip of security by default hardly seems like a bad thing.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware.

Woah woah woah! Didn't you just say that Microsoft were the only ones capable of forcing Manufacturers to include their signing keys? That the likes of AMD,

Re:Hunting...

[Bengie]

In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.

When interviewing these users they had these things to say: "I love malware, someone has to" and "Pressing F12 at boot and disabling secure boot is too much work, I would rather troll every forum on the internet to sign petitions"

If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"

Signing off, Bengie

1) Certs can be managed if your OEM doesn't suck. eg. Sign your own custom Linux kernel if you want
2) Win8 doesn't require secure boot to work, it just requires secure boot to put the logo on the PC
3) Secure boot can be disabled, again assuming your OEM doesn't suck
4) IT would have a shit storm if they couldn't manage this
5) Server admins would have a shit storm if they couldn't manage this
6) Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this
7) This effectively makes it impossible, with current malware, to ever take over a PC

I have yet to hear a logical argument against secure boot, just lots of emo and fud.

Re:Petition to ignorance

[gstoddart]

If you don't like the product. Do not buy the product. That is what Free Enterprise is all about. Let the market, not the courts decide.

Blah blah blah.

The free market never reaches optimal conditions. The free market allows the big players to change the rules and fuck us all over. The free market is an abstraction that doesn't exist.

If we let the markets decide, we'd all be running Microsoft operating systems on closed hardware, and it would spy on us. And we'd probably be driving cars which explode on contact.

Oh, and most of us wouldn't have survived to adulthood because companies would have replaces melamine for protein powder or other toxic shortcuts.

Your market does nothing more than look out for its own interests. It's incapable of doing the things you ascribe to it ... mostly it's just the rich eating the poor.

Re:This issue isn't Microsoft's...

[Microlith]

..It's the OEM's. Nowhere does Microsoft mandate that OEMs must remove the option to disable UEFI secure boot, only that it's enabled by default.

Which is a great dodge. Then they can apply quiet, behind the scenes pressure to remove the option. Some vendors omit options regardless (like disabling VT-x.)

It also doesn't state that you can only ship Microsoft's keys. Why is it Microsoft's responsibility to get keys other than its own installed?

Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.

This whole thing stinks of misinformation and FUD. The OEMs are the ones you want to pressure, not Microsoft.

Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.

People are fighting so aggressively to defend MS, but in a few years we may wish for the day when we didn't have to violate the DMCA and ACTA to run whatever OS we choose on our systems.

Re:This issue isn't Microsoft's...

[neokushan]

Some vendors omit options regardless (like disabling VT-x.)

Which is why I say we should pressure OEMs. This decision has nothing to do with Microsoft so people are ignoring it, despite the fact that it is still an issue that people should be concerned with.

Yep, we're heading into THOSE days where only a select handful of operating systems are allowed to boot. If we're lucky, we'll be able to boot Fedora and Ubuntu. Gentoo users? Fuck you.

No, we're not. The thing to keep in mind is that there's a distinction between simply booting and secure booting. Right now, no operating system can secure boot (as far as I'm aware, anyway - if there is hardware+software out there that can utilise this, please let me know) and Microsoft wants to push it for Windows 8. It would be nice if we can also utilise this for other operating systems as well (or rather, other boot loaders, like GRUB), however that task lies with the OEMs and their willingness to let us add our own keys. Like I said before - this is the OEM decision, not Microsoft's.

Do you seriously think that users can pressure OEMs harder than MS can? MS can kill their business overnight, and I don't doubt they've learned a LOT about how to act in unethical manner even under the eye of the DoJ. No, this is MS pursuing something and, much like Apple, hoping the inertia of the masses who don't care can overwhelm the complaints of the minority that understand why such unilateral, non-disablable lock down is bad.

And there it is again! The assumption that you won't be able to disable secure boot. This assumption lies squarely with OEMs and not Microsoft.
Consumers don't need to pressure OEMs more than Microsoft, they just need to pressure them. Microsoft is pushing to enable secure boot by default, while us users should be pressuring OEMs to give us control over secure boot. They are two entirely different things.
Even if Microsoft changed their mind on the secure boot by default thing, we should still pressure OEMs to give us this control as it's a very useful security feature to have.

Now, of course there's that idea that Microsoft might be in the background pressuring OEMs to remove the option to disable it, but so far this is based entirely on conjecture and speculation. If Microsoft does try it, they'll be liable for a massive class-action lawsuit, something that would cost them a lot more than the 1-2% of the marketshare they could possibly gain by blocking Linux. Until that happens, it's a non-issue. Rather than moaning at Microsoft, we should be moaning at the OEMs because they're the ones that will be taking these options from us.

In the technology world, we shouldn't let the "maybes" get in the way of innovation. Secure boot would outrightly kill a lot of malware attacks, something that plagues windows a lot more than it does Linux.

Re:Hunting...

[segedunum]

In other news, users petition to have Firewalls disabled, Microsoft force all users to have admin privs, and the removal of passwords.

These things can be controlled for obvious reasons. What's being discussed here is what you can actually run on your computer from the start. An entirely different ball game.

When interviewing these users they had these things to say: "I love malware, someone has to"

Right.............

"Pressing F12 at boot and disabling secure boot is too much work

If you'd done some reading then you'd know that this F12 option will not always be there, nor is there any guarantee that it won't be removed.

If you want to stand up for the rights of malware and rootkit creators everywhere, please help support this cause. Because.. "Someone has to love them"

This will not help prevent malware or rootkits in any way over and above what is already done. Stop hiding behind the security reasoning, because it's crap. It still won't prevent vulnerabilities in the OS once it is running, which is where it is all happening anyway.

Certs can be managed if your OEM doesn't suck.

They will all suck. The EFI spec does not currently allow you to add your own keys. It's Microsoft or the OEM.

Win8 doesn't require secure boot to work

Future versions will once the hardware is widespread. This argument always makes me chuckle.

Secure boot can be disabled, again assuming your OEM doesn't suck

They will suck. See above.

IT would have a shit storm if they couldn't manage this

They will accept what they've been given, as always.

Server admins would have a shit storm if they couldn't manage this

See above.

Someone would lose a job at Dell/HP/Gateway/etc if the end user couldn't manage this

Utter crap.

This effectively makes it impossible, with current malware, to ever take over a PC

No, that is not the case because there will still be vulnerabilities in the OS. However, in order to do that we want it to make sure you cannot install anything but Windows? Interesting. We haven't even got into the ramifications for virtualisation, or how this might work in terms of individual hardware working on a motherboard in the future.......... It's a right mess.

This got modded insightful? Jesus.............

Re:Only affects OEM stuff?

[AJH16]

No, what the previous poster is stating is that it only impacts manufacturers that do not offer an option to disable the setting. I do not see how this is a MS issue. Microsoft is trying to make the boot process more secure. The only way to do that is to have something like Secure UEFI validate that malware isn't hijacking the system before the OS loads. If your hardware manufacturer isn't giving you the option to disable the feature if you want, then you should take that up with them, not MS. There is absolutely nothing wrong with requiring that OEMs provide the hardware necessary to provide a secure system to end users, because honestly, the largest portion of users have no idea what a root kit is or why they need to be protected from it.

It isn't like you must have secure boot enabled to use Windows 8 and it isn't like they are requiring that manufacturers don't allow it to be turned off. MS isn't doing anything wrong. If a hardware vendor is too cheap to include a switch in the system configuration to turn off Secure UEFI, then don't use that manufacturer. It's that simple. We will never get to the point where we can't do what we want with our hardware because some manufacturer will always realize there is a killing to be made supporting those who want hardware they control. The only risk would be if it was to become a legal requirement, but I don't see that happening any time soon and certainly this has nothing to do with trying to make that happen.