In association with heise online

26 March 2013, 22:21

Secure Boot complaint filed against Microsoft

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Europe stars

HispalinuxSpanish language link, an 8,000 strong Spanish association of Linux users and developers, has filed a complaint with the Madrid office of the European Commission claiming, according to a Reuters report, that Windows 8 contains an "obstruction mechanism" called UEFI Secure Boot. This mechanism, it says, controls the system boot up and means users must seek keys from Microsoft to install another operating system.

Hispalinux head, lawyer Jose Maria Lancho, told the news agency that it was "absolutely anti-competitive" and a "de facto technological jail for computer booting systems". The complaintSpanish language link says that although Microsoft says UEFI Secure Boot is a security measure, its implementation would not mean the end of malware and viruses.

The complaint comes just over three weeks after the EU Competition Chief Joaquin Almunia said, in a written answer to parliamentary questions, that the "Commission is monitoring the implementation of the Microsoft Windows 8 security requirements. The Commission is however currently not in possession of evidence suggesting that the Windows 8 security requirements would result in practices in violation of EU competition rules".

UEFI Secure Boot is a mechanism that was added to the UEFI firmware and uses keys registered in firmware to check a digital signature on any operating system's bootloader and kernel to ensure that they have not been tampered with. The idea is to avoid situations where malware modifies the operating system or boot process itself as part of its camouflage mechanisms. Microsoft requires that machines sold with Windows 8 pre-installed are configured to use this mechanism to validate the operating system. This means that machines with Windows 8 have Microsoft's key registered in the firmware and, with no other operating system vendor offering a similar key, it is the only key that comes on most of these machines.

Booting another operating system on these machines would, therefore, mean disabling secure boot, adding a key for validation of the other operating system to the firmware, or getting the bootloader for the operating system signed by Microsoft. The first two options are paths that Microsoft requires vendors implement on x86-based systems, although there are no common or standard ways of implementing the features.

Therefore, Linux vendors such as Red Hat, SUSE and Canonical, and the Linux Foundation all looked at approaches where a bootloader or pre-bootloader was signed by Microsoft and would go on to load Linux once booted and verified. This would, the vendors believed, give users an easier way to install Linux on any arbitrary Windows 8 pre-installed PC system.

These solutions require Microsoft to sign the bootloader and have reinforced the Free Software Foundation's objections to what it has dubbed "Restricted Boot". The Hispalinux complaint appears to follow the FSF's reasoning and seems to request a simple way for consumers to disable or override Secure Boot. But, as the Commissioner notes: "In particular, on the basis of the information currently available to the Commission it appears that the OEMs are required to give end users the option to disable the UEFI secure boot". It may be that this case will hinge on whether the Commission continues to feel that this is sufficient.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit