
Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Posted by timothy
from the one-low-low-price-but-still dept.
ToriaUru writes "Fedora is going to pay Microsoft to let them distribute a PC operating system. Microsoft is about to move from effectively owning the PC hardware platform to literally owning it. Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux. Technically Fedora didn't have to go down this path. But, as this article explains, they are between a rock and a hard place: if they didn't pay Microsoft to let them onto the PC platform, they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?" Note that the author says this is likely, but that the entire plan is not yet "set in stone."

  • by Anonymous Coward on Thursday May 31, 2012 @03:16PM (#40170979)

    This has nothing to do with PCs. Nothing. Not one thing.
    This is all in reference to UEFI on ARM tablets that Microsoft has partnered up with OEMs to produce to their specs SPECIFICALLY FOR: Windows 8.

    Nothing has changed here, nearly all ARM systems are locked down today by OEMs.
    Do any of you expect Microsoft to produce one that isn't (zune: locked down xbox: locked down)?

  • $99 bucks (Score:2, Informative)

    by Anonymous Coward on Thursday May 31, 2012 @03:18PM (#40171013)

    Wait - Is this article saying they paid a whole $99 bucks to get their bootloader signed?

  • by Anonymous Coward on Thursday May 31, 2012 @03:19PM (#40171021)

    Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.

  • Re:That's it... (Score:5, Informative)

    by Burdell (228580) on Thursday May 31, 2012 @03:24PM (#40171091)

    Red Hat Linux started on x86; it was never "only available for the DEC Alpha" (it didn't get ported to Alpha for several years).

    They are doing this so that Fedora can be installed without end users having to disable Secure Boot in their UEFI firmware settings. If you want to disable Secure Boot, Fedora will run equally well. Fedora is also going to have signing tools, so you put your own key in the firmware and then sign your own loader and kernel (giving you more control, not less). If you switch to another distribution or OS that doesn't have a signed boot-loader, you'll also have to disable Secure Boot.

    This "feature" exists because malware that affects the boot loader and kernel is a real and growing problem, and there isn't really any other technical means to block it. Setting up an independent CA to sign keys for loaders and then trying to get vendors to include the CA key would be highly expensive and would still result in Fedora having a key that you don't have. As long as Microsoft will sign things cheap, it is much better to go that route (if they were to stop signing, then this would obviously change).

    The alternative is to tell users that want to run Fedora to not buy hardware that has the Secure Boot functionality, but that is going to become scarce once Windows 8 ships. Here in the real world, I'd like to continue running Fedora on new hardware.

  • by Anonymous Coward on Thursday May 31, 2012 @03:25PM (#40171111)

    You say that, but Apple implemented EFI years ago, and then even helped users who wanted to install Windows or other operating systems via BootCamp.

  • by zill (1690130) on Thursday May 31, 2012 @03:25PM (#40171119)
    Microsoft isn't scared of the DOJ. In the last anti-trust case [wikipedia.org] Microsoft was found to have committed monopolization and tying and yet they paid exactly 0 dollars and 0 cents in fines.
  • by DAldredge (2353) <SlashdotEmail@GMail.Com> on Thursday May 31, 2012 @03:25PM (#40171121) Journal
    Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
  • by Anonymous Coward on Thursday May 31, 2012 @03:29PM (#40171171)

    I'm going to go ahead and guess the computer you are using now boots through BIOS. The non-secure UEFI is practically the same as BIOS (doesn't require a signed boot loader). We dealt with it for a couple decades now, it can't be that bad.

  • Sure thing hoss (Score:3, Informative)

    by Tailhook (98486) on Thursday May 31, 2012 @03:29PM (#40171177)

    Entry no. 3 [opensecrets.org], in between all the banks, content owners, universities and trial lawyers.

  • by liquiddark (719647) on Thursday May 31, 2012 @03:33PM (#40171241)

    So they must turn off secure booting in order to run another operating system.

    From TFA:

    While Microsoft have modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys

    If they know what they're doing they're ok. Fedora is doing this for the rest of their users.

  • Wow (Score:5, Informative)

    by a90Tj2P7 (1533853) on Thursday May 31, 2012 @03:33PM (#40171243)
    I'd blame the drama over this just on the article, but the summary's definitely got some FUD to it as well. For x86 systems, all you need to do is turn off the feature [arstechnica.com]. And that's if you insist on running unsigned software - it's not like there isn't an open and inexpensive process to get signed.
  • Re:$99 bucks (Score:4, Informative)

    by Anonymous Coward on Thursday May 31, 2012 @03:35PM (#40171285)

    It's not $99 per PC, it's a one-time $99 dollar fee for access to the dev portal. But that is beside the point. Why should they have to pay MS anything? Why is it only MS that has the certificate for UEFI?

  • by EdZ (755139) on Thursday May 31, 2012 @03:38PM (#40171345)
    Because you can:
    a - Choose not to use Secure Boot, and run whatever the hell you want (i.e. the current situation with regular BIOS and UEFI)
    b - Add your own key to the mobo, and sign your distro with it.

    Both of these are predicated on buying a motherboard or pre-built that allows you to do so. The onus is on the manufacturer to allow you to do stuff with Secure Boot, the Microsoft requirements (for non-ARM architectures) do not require Secure Boot be fully locked, only that the default setting is "boot Windows 8 securely".
  • by Missing.Matter (1845576) on Thursday May 31, 2012 @03:39PM (#40171355)

    I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems

    If Dell wants Windows Certification it better not do this. Per the Windows Certification Requirements [microsoft.com], page 122:

    MANDATORY. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

    a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode.

    b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with SecureBoot turned off.

    c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.
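
Added example, not part of any comment in this thread: on a Linux system, the Secure Boot and Setup Mode states described in the requirements quoted above can be read from efivarfs. The variable names and GUID come from the UEFI specification; the function names, result strings and the constructed test fixture are this example's own assumptions.

```python
"""Report the UEFI Secure Boot mode from Linux efivarfs (added example)."""
import os
import tempfile

# Namespace GUID of the global variables defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point


def read_var(name, root=EFIVARS):
    """Return the payload of a global EFI variable, or None if it is absent.

    efivarfs prefixes every file with a 4-byte little-endian attribute word;
    the variable's data follows it.
    """
    path = os.path.join(root, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    if len(raw) < 4:
        raise ValueError(f"{path}: shorter than the attribute header")
    return raw[4:]


def secure_boot_mode(root=EFIVARS):
    """Classify the platform from the SecureBoot and SetupMode variables.

    Custom vs. Standard mode is a firmware-setup concept and is not visible
    here; only setup/user mode and enforcement are reported.
    """
    if not os.path.isdir(root):
        return "not booted via UEFI (or efivarfs not mounted)"
    secure = read_var("SecureBoot", root)
    setup = read_var("SetupMode", root)
    if secure is None or setup is None:
        return "firmware does not expose Secure Boot variables"
    if setup[:1] == b"\x01":
        # No PK enrolled: the key databases can be written freely.
        return "setup mode, Secure Boot off, no PK enrolled"
    if secure[:1] == b"\x01":
        return "user mode, Secure Boot enforcing"
    return "user mode, Secure Boot disabled in firmware setup"


def demo_fixture(secure, setup):
    """Build a constructed efivarfs-like directory for offline testing."""
    root = tempfile.mkdtemp()
    attrs = (0x06).to_bytes(4, "little")  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(attrs + bytes([value]))
    return root


if __name__ == "__main__":
    print(secure_boot_mode())
```

Run as a script it reports the state of the live machine; `demo_fixture` exists only so the parsing can be exercised without UEFI hardware.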

  • by swalve (1980968) on Thursday May 31, 2012 @03:42PM (#40171403)
    I think the whole point of UEFI security is to prevent software from doing just that. You HAVE to go into the BIOS (or the UEFI environment, more technically) to make changes like that.
  • by spongman (182339) on Thursday May 31, 2012 @04:11PM (#40171877)

    Microsoft was found to have committed

    Remember that the Jackson ruling was overturned in appeal and the two sides settled out of court.

  • by Korin43 (881732) on Thursday May 31, 2012 @04:27PM (#40172149) Homepage

    Maybe I should have quoted the paragraph before that too:

    We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.

    So yes, Red Hat could have got (some) OEM vendors to carry their key, but they chose not to. Part of the reason is that they couldn't get all of them to do it, but a big part is that very few Linux vendors could do the same (probably only SUSE and Ubuntu). Whether this is just trying to make themselves look good after finding out that the other solution wasn't workable is up to interpretation, but they're right -- getting every Linux vendor's key into the BIOS is unworkable for small (or free) distros.

    Of course there won't be a generic Linux key. The entire point of a secure boot system (even an honest one) is to not run whatever some random person put up together on the street. That does not make it impossible for Red Hat to have a private key.

    There's no reason you couldn't create a generic Linux key, and then only sign code that meets certain standards (basically do the same thing that Microsoft is doing with their signing program). The big problem is that verifying things is complicated and expensive, so no one (except Microsoft) wants to do it.

    I agree that it would be preferable for a non-Microsoft entity to be signing the Linux keys, but such an entity does not exist right now. I hope one of Red Hat's priorities is to set one up, sometimes you have to just work with what you have.

    And the reason Red Hat had to pay Microsoft is that MS's proposal only permits one key, so the hardware manufacturers can either permit RH's key or MS's key, not both.

    One key per signature -- as in, I can't sign a bootloader with both MS's key and Red Hat's key. I can have both keys and sign one bootloader with one and the other bootloader with the other. They can -- and some vendors are willing to -- allow both MS and Red Hat's keys. The real problem with the one-key-per-signature (or one-signature-per-binary if you prefer) situation is that you can't use secure boot without trusting the MS key, since all of the included components are signed with it.

  • by mcl630 (1839996) on Thursday May 31, 2012 @04:30PM (#40172183)

    According to TFA, the money actually goes to Verisign, not Microsoft.

  • by jader3rd (2222716) on Thursday May 31, 2012 @04:32PM (#40172219)

    You have to do it MS's way or they won't let you sell hardware with Windows on it.

    OEMs can sell Windows 8 without secure boot. They can't put the sticker on the box that says "Windows 8 certified" without secure boot.

  • by Anonymous Coward on Thursday May 31, 2012 @04:44PM (#40172387)

    MS doesn't control the keys; it's just that they're the ones driving the requirement so no OEM has a reason to ship a system with security enabled and not have the MS key.

    The requirements for x86 hardware are that the system must ship with restrictions enabled, but the user must be allowed to disable the restrictions or add their own keys. In other words, there is nothing preventing you (the owner) from doing whatever you want with the machine. If you don't want the restrictions, simply turn them off and install whatever code you like.

    The only issue is that machines with the Windows 8 logo will be required to ship with the restrictions enabled and RedHat doesn't want installation instructions that start with "disable UEFI security" or "enroll the RedHat public key".

    Other options they rejected are:

    1. Get all manufacturers to ship with RedHat's key in the firmware (in addition to MS's). The manufacturers had no problem with this, but there's no way they could possibly find every OEM to get them to do it, and they didn't want to be in a privileged position ("install RedHat because it's trusted by your OEM").

    2. Get all Linux distros to coordinate on a single Linux key and have the OEMs add it to their hardware. This is undesirable because nobody wants to be responsible for maintaining the One True Key, and even then there would still be OEMs who don't ship with it.

    In the end, the easiest thing is to pay a one-time fee of $99 to MS and have them sign a mini-bootloader that can start up grub. That doesn't sound like such a big deal to me.

    Note that the issue with having only one signature on a file is unrelated. That just means a user can't realistically remove the MS key from their system because lots of drivers will be signed with it. Allowing multiple signatures on a file would not change RedHat's position.

    dom

  • by Miamicanes (730264) on Thursday May 31, 2012 @05:11PM (#40172773)

    > You're right, this boneheaded move by Microsoft is the best help they could possibly give for Linux on the desktop.
    > Of course, that just not let Microsoft off the hook for antitrust violations, specifically abusing its market power.
    > I can smell a new EU action on the way, at the very least.

    Unless I'm misunderstanding UEFI, that's not quite right. Contrary to the headline-hype, I believe Microsoft's OTHER explicit requirement for certification is that end users must be furnished with a way to disable it that's impossible to do by mistake, but entirely possible to do voluntarily. For example, flip a DIP switch, place or pull a jumper, enter a 32-character encryption code printed on a tiny sticker permanently affixed to the motherboard, etc.

    Put another way, the UEFI rules won't stop a single Slashdot user from using Linux. Redhat is paying Microsoft for explicit approval so it can sell Redhat Linux to the OTHER potential Linux users who don't WANT to go through that much trouble to unlock their PC.

    I'm sure Microsoft's motives with UEFI aren't entirely pure & MUST be scrutinized constantly, but so far, they've played everything by the book. They've guaranteed that we'll get a copy of the keys to our own systems, even if we'll have to get our hands slightly dirty to actually USE them.

    Truth be told, I fear Microsoft less than the possibility of TiVO-ized Linux. God forbid, if someone decided to start giving away free laptops that are bootloader-locked to an Ubuntu variant and have advertising & "analytics" baked into the kernel & network stack, and eventually induce others to do the same thing, we're screwed. By 2020, we'll be in a position where a "free" PC hardwired to ad-supported Linux is "free", but a "non-free" "unlocked" PC costs $2,000... and can't play rented movies, run half the commercial applications out there, or access some paranoid bank web sites because it's "untrusted". *THAT* is the scenario we have to fight like crazy and ensure never happens.

    For the most part, Microsoft DOES behave itself in public. It might be grudgingly-good behavior, and it probably has plenty of impure thoughts, but as long as the EU and US are keeping an eye on it, it's unlikely to try anything blatant that would give it a permanent "hard" monopoly over x86 computing architecture.

    As long as anybody can download Ubuntu and install it over a "free" copy of Windows, Microsoft is legally off the hook (in the US, at least), regardless of how few people actually *do* it. Microsoft would have to be completely *insane* to give up that magic "See, we aren't a real monopoly after all because end users can theoretically install Linux!" get-out-of-jail-free card. Linux is USEFUL to them. In the phone arena, Linux is practically a cash cow for Microsoft... they make more in royalties from the sale of an Android phone than they do in licensing fees when a phone running Windows gets sold.

  • by Lord_Jeremy (1612839) on Thursday May 31, 2012 @05:45PM (#40173159)
    You are so immensely full of shit...
    To prove that you CAN edit files in /etc using the TextWrangler downloaded from the Mac App Store I have recorded a video of me doing JUST THAT! I even opened TextWrangler using sudo to show that I can write to a config file.
    http://www.youtube.com/watch?v=tWAKQjJWJvk [youtube.com]
    http://www.youtube.com/watch?v=dvULnO52RY0 [youtube.com]
    I suspect that you didn't notice the Enable: All TextWrangler Documents drop down menu. Don't ask me why that's necessary, but changing it to everything made all the .conf files selectable. So yeah, you're full of shit and yet you've been modded +5 insightful...
  • by AdamWill (604569) on Thursday May 31, 2012 @06:43PM (#40173817) Homepage

    Erm...except it does. Try reading the article, not the badly misleading summary. SecureBoot allows the user to add new keys as trusted keys. It will be perfectly possible to generate your own key, add it to your UEFI firmware, sign your OS bootloader with that key, and ditch the Microsoft key, if you don't want to boot Windows. pjones is in fact already working on tools to help you do this.

  • by Missing.Matter (1845576) on Thursday May 31, 2012 @07:06PM (#40174039)
    Except TFA says it's a one-off $99 fee. And the money goes to Verisign, not even Microsoft. How is your crazy ranting rated +4 Insightful?
  • by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Thursday May 31, 2012 @08:02PM (#40174607) Journal

    And as I replied to another poster, AMD has decided to go with Coreboot and has been using it since Brazos so there is NO slippery slope here. If you don't like the Wintel UEFI you can buy AMD and use Coreboot which supports the 4 freedoms so if it doesn't do what you want you can simply download the source and reflash the chip.

    I SERIOUSLY doubt MSFT is gonna risk another antitrust by blocking AMD systems from running Win 9, don't you? So this is simply a case of voting with your wallet, don't like UEFI and Secureboot? Buy AMD and go Coreboot. It's REALLY that simple. I've been building AMD exclusively for a couple of years now and I can tell you X86 is so overpowered that there isn't hardly any job a normal user can come up with that is gonna stress even a low end AMD dual and since they've opened their specs Linux users would be wise to support them anyway.

    So no slope friend, just good old fashioned FUD, just not being cranked out by MSFT for once.
