Red Hat Will Pay Microsoft To Get Past UEFI Restrictions 809
ToriaUru writes "Fedora is going to pay Microsoft to let them distribute a PC operating system. Microsoft is about to move from effectively owning the PC hardware platform to literally owning it. Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux. Technically Fedora didn't have to go down this path. But, as this article explains, they are between a rock and a hard place: if they didn't pay Microsoft to let them onto the PC platform, they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?" Note that the author says this is likely, but that the entire plan is not yet "set in stone."
If microsoft controls the 'keys' (Score:5, Insightful)
How can this be legal and not an abuse of their monopoly power?
Aside from the fact you can turn it off ( for now ) it still sounds like a clear case of abuse to me and someone should be talking to an attorney about this.
PCs turning into a closed platform... (Score:5, Insightful)
Re:That's it... (Score:3, Insightful)
RTFA. Then comment.
Would someone please explain to me... (Score:4, Insightful)
... how the FUCK this passes the slightest hint of anti-trust scrutiny?
Re:Why not hardware manufacturers? (Score:5, Insightful)
I don't understand how Microsoft is as fault here. Isn't it the hardware manufacturers that are locking out everyone but Microsoft? Shouldn't the hw people be the ones to make the platform open?
You have to do it MS's way or they won't let you sell hardware with Windows on it. MS controls the certificates used in the secure UEFI boot process. You either do it MS's way or you do it your own way ... without any MS products to pre-install.
Re:Why not hardware manufacturers? (Score:5, Insightful)
MS is probably strongarming them.
Re:That's it... (Score:0, Insightful)
How does this make you mad at RHEL/Fedora and not Microsoft? Admittedly, Red Hat is negotiating with terrorists here, and that may not be the best option for the ecosystem, but I can see how they would choose that path given that their business--one that helps the linux ecosystem tremendously--is in risk.
Re:If microsoft controls the 'keys' (Score:4, Insightful)
Yeah, if this isn't "monopolistic action in restraint of trade" I'm not sure what is. MS is probably greedy enough to try something like this, but I don't think they're stupid enough to think they can get away with it.
Re:That's it... (Score:5, Insightful)
Re:That's it... (Score:5, Insightful)
Microsoft doesn't have the right to "license" hard ware. It's not their hardware, it's not even their design.
This is Microsoft forcing vendors in the corner with their O.S. once again. This is non-competitive behavior once again.
If they have such a great O.S. there is no need for locking out others. It's weak and it's sick.
Re:If microsoft controls the 'keys' (Score:5, Insightful)
I particularly like how the UEFI signing format only allows one key to sign it and that signature being (apparently) on the hardware. Yeah, this isn't a clear way of entrenching a monopolistic interest at all. I mean, I understand why someone would want secured, signed hardware all the way up the stack (assuming, of course that no one breaks the scheme), but it's entirely obvious how this makes it harder for the little man to get ahead in the game.
Re:Why not hardware manufacturers? (Score:3, Insightful)
I'm just wondering why Fedora doesn't include a small boot ISO that starts up, presents a simple menu, and takes the pain of unlocking the UEFI chip out of the equation.
I agree perfectly that they shouldn't have to do that, but the tech is certainly there, and most folks are sufficiently apt enough to do it (see also jailbreaking phones, etc).
Re:Lawsuit (Score:3, Insightful)
EU will have a field day with this in court. MS, of course, will be the ones having a bad day in court.
Re:Why not hardware manufacturers? (Score:5, Insightful)
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
So they must turn off secure booting in order to run another operating system. The DMCA implications aside, I'm not sure which is worse for the consumer: a 'secure boot' of Windows or a 'non-secure' boot of any other operating system?
Re:Would someone please explain to me... (Score:5, Insightful)
http://www.opensecrets.org/orgs/summary.php?id=d000000115 [opensecrets.org]
Re:Why not hardware manufacturers? (Score:3, Insightful)
Why can't I just be in control of my own damn property without being at the mercy of manufacturers?
No more dane-geld! (Score:1, Insightful)
Well, time to check Red Hat off my list of distros. Any company willing to pay essentially blackmail money does not deserve my business.
For those mystified by the comment subject [poetryloverspage.com]
Re:If microsoft controls the 'keys' (Score:5, Insightful)
Because charging Red Hat, a billion dollar company, $99 for access to signing services is not "monopoly abuse"? The author of TFA already pointed out that nothing stops somebody from providing the same services to the Linux community, but it's difficult and expensive and they can't be bothered, so it's easier to pay Microsoft to do it for them. As can anyone else.
Secure boots and trusted computing are fundamentally a good idea. Having OEMs provide a set of root keys to control what boots is a good idea. The problem is the creator of BobLinux who wants to have thousands of random users install his random kernel is indistinguishable technically from the creator of some boot sector malware who wants to have thousands of users permanently rooted. It becomes distinguishable once you have people who check out what the software is and signs it, which is the service Microsoft are providing - for very little, actually. As I said, apparently others don't feel like offering similar services when it's expensive to do and Microsoft are offering to do it cheaply. But they could.
Re:Why not hardware manufacturers? (Score:5, Insightful)
Good thing Microsoft's way includes a required option in the UEFI setup to turn off secure boot. This whole story is horribly misleading.
G'uhgh.... once again geeks confusing a technical capability with a real-world practicality. Turning off secure boot sounds bad and raises the barrier to entry for non-Microsoft OS'es. It also complicates the newbie install experience, which is something that Ubuntu, Debian, and many others have worked for years to simplify. And now they are using their monopoly position to extort tribute from a competitor.
Re:If microsoft controls the 'keys' (Score:5, Insightful)
Any proper system would have the end user hold the root key for the system and they could choose (or not) to bless certs from various vendors (or just directly sign the bootloader). Of course, MS doesn't want a proper system, they want lock-in.
Re:Why not hardware manufacturers? (Score:1, Insightful)
A whole $99 one time. Ain't that a bitch.
Re:The article is wrong. (Score:5, Insightful)
This has nothing to do with PCs. Nothing. Not one thing.
This is all in reference to UEFI on ARM tablets that Microsoft has partnered up with OEMs to produce to their specs SPECIFICALLY FOR: Windows 8.
Nothing has changed here, nearly all ARM systems are locked down today by OEMs.
Do any of you expect Microsoft to produce one that isn't (zune: locked down xbox: locked down)?
You are completely wrong-- what you say is the opposite of true.
This is referring to x86, not ARM. Fedora is not going to play Microsoft's game on ARM where Microsoft has little influence. But they are going to pay Microsoft a fee to get their bootloader signed for the x86 platform so they can run in the Windows8 world.
Re:If microsoft controls the 'keys' (Score:4, Insightful)
Uhm, this is exactly monopoly abuse.
Industry: We should support code signing to ensure a trusted compute path.
Microsoft: I agree. Let's use this scheme that makes it impossible for drivers to be signed with multiple keys simultaneously. And if you want to work on Windows (the most popular OS out there) you need to use Microsoft keys, so we have to sign it. And this all has to be turned on by default.
The Rest: Wait, wouldn't that make it really hard for anyone else to get a large amount of buy-in resulting in installation of a non-Microsoft OS very difficult?
Microsoft: *Trollface*
Re:"Literally" (Score:5, Insightful)
Yes.
How is "controlling a system and getting money in exchange for licenses" not literally owning?
Up to now, their figurative owning is an "effective" ownership, as in "there are effectively no competitors in this space." However, should you know what you're doing, you could get something else with little effort. With this change, they are actually getting paid for compettitors to be allowed into their space. That is de facto, or literal, ownership.
Re:rock meets hard place (Score:3, Insightful)
If Dell wants Windows Certification it better not do this. Per the Windows Certification Requirements [microsoft.com], page 122:
Of course for Windows 9, blocking non-Windows operating systems will become mandatory on all devices.
You don't get the 'slippery slope' thing, do you? Or are you one of those 'slippery slopes don't exist' bozos?
Re:Microsoft Pledges to Sell More Macs for Apple (Score:2, Insightful)
> Overwhelmingly, if you wanted to look like you knew why-the-fuck you ought to be on stage, in front of 8,000 people, you went Mac.
Translation: If you want to look like you've got money to burn, then you show off overpriced Apple products.
The "BMW" comparison is very apt really, including the crap quality.
Seeing is decieving...
Re:Why not hardware manufacturers? (Score:4, Insightful)
Interesting then that Microsoft provide a way for others to sign their software... which is what Fedora is doing.
Exactly - by paying Microsoft for that right. Isn't that what this whole thread has been about?
Re:Why not hardware manufacturers? (Score:5, Insightful)
Re:$99 (Score:5, Insightful)
Or you could... you know, turn on custom mode so that you can run any OS you like.
Or you could, you know, not allow the monopoly PC OS vendor to control the keys that allow the system to boot competing OS's.
Regardless of whether or not you _can_ turn off the secure boot, when you consider what the _majority_ of end users feel comfortable and competent in doing, what kind of barrier to entry does this raise? Would your parents know how to tweak this setting on their own, or feel comfortable doing so? I for one would not even bother attempting to ask my parents, or even some of my siblings, to go and change such an option.
Are the instructions to change this setting even consistent across hardware so that they can be easily published by alternative OS vendors?
RedHat should not have to pay a dime to MS for this IMO, and neither should anyone else. Why couldn't MS have made an option to turn on secure boot by user prompt when they first start their new computers, and require some method provided as standard in the BIOS that allows turning it on only?
Re:Why not hardware manufacturers? (Score:2, Insightful)
Um.... that's as it should be.
If you're running something at the OS level unintentionally that can be really fucking bad for your computer can't it? If you want to install linux this isn't a particularly difficult problem to solve.
The vast vast vast vast majority of users have no idea what the hell is going on on their computers. But they're on the network with the rest of us. Should we take away anti lock brakes because professional drivers can use regular brakes better than anti lock brakes? I think not. There is a way to circumvent UEFI if you definitely know you want to. If you don't know you want to, you don't want to, and should be protected from some malicious application doing it for you.
The vast majority of consumers aren't going to run, or want to run anything on this particular computer they are buying other than windows. I know that's not a popular concept around here, but it's reality. Making it easier for them to be more secure significantly trumps the relatively minor inconvenience suffered by people who know stuff about computers having to use that knowledge and their ability to read.
Re:Why not hardware manufacturers? (Score:2, Insightful)
Re:Microsoft Pledges to Sell More Macs for Apple (Score:5, Insightful)
Not really. Apple machines are a PITA with weird hardware for Linux users too. All it means is Linux users will go back to building their own PCs. Box shifters will simply do a parallel line for server sales.
You're right, this boneheaded move by Microsoft is the best help they could possibly give for Linux on the desktop. Of course, that just not let Microsoft off the hook for antitrust violations, specifically abusing its market power. I can smell a new EU action on the the way, at the very least.
Re:$99 ... 'Defective' Motherboards (Score:4, Insightful)
Actually (if you read the article) M$ does not get any of that $99. The fee goes to Verisoft. Microsoft is acting as the gatekeeper for the signup process.
Now I will be VERY pissed if I buy a new motherboard to build my own computer and it won't boot Linux unless I have to buy a key for $99. In such a case I would return the MB as being defective. I hope Asus and other MB makers will give me a choice of bios options when I buy a new MB.
Re:rock meets hard place (Score:5, Insightful)
I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems
That is not the case AT all.
Its REALLY simple; linux is not being locked out of desktops.
x86 hardware shipping with win8 pre installed needs to have:
a) secure boot functionality
b) windows 8 boot signing keys
c) secure boot functionality turned on
d) and it must be possible to disable secure boot
e) and it must be possible to load additional boot signing keys
So, linux users buying dell pcs (x86) will be able to exercise option d) and disable secure boot.
They can also exercise option e) and install a linux signing key, and leave secure boot enabled.
Linux users are NOT locked out at all.
However, if I want to try Linux for the first time, I'd like stick in a live CD and boot it... I might be intimidated by having to go into bios first to disable secure boot. I'm very likely to be intimidated by having to install a signing key into bios first.
Redhat wants linux to "just work" without the user having to jump through those hoops so the ideal option would be to coordinate with all the oem manufacturers to get a "redhat" or at least "linux" signing key into the bios, so that the linux bootloaders can be signed against that. (The OEMs were fine with this, even enthusiastic... but the cost to do this is extremely high, and there would still likely be several cases where the redhat key was missing, leaving us with an inconsistent and annoying situation.
The other option was to just sign the bootloader with the microsoft key; microsoft is already working with all the OEMs, and already has all the infrastructure in place. Fedora decided to piggy-back on the microsoft key and pay to get the bootloader signed by microsoft.
Is it ideal? No. But in terms of what it does for the users of linux? Its a great thing. Fedora will "just boot" in secure boot mode. Users don't have to disable secure boot to use linux, which is a good thing. Users don't HAVE to manually install a linux key into bios to use secure boot (although they still can if they prefer not to use the microsoft signed version).
The x86 ecosystem remains truly open (in that users can manage boot signing keys themselves if they wish), and trying out linux is remains easy because it will boot with the default installed microsoft keys.
Overall its a good compromise.
Note that on arm tablets the situation is entirely different. option d and e are not available, and fedora isn't getting the software signed for that platform... if you buy a windows 8 arm device you'll have to crack it to put linux on it.
Re:Microsoft Pledges to Sell More Macs for Apple (Score:4, Insightful)
I'm an engineer. I use a MacBook. It works great - the only desktop Unix to date done right. Great quality hardware, too.
By the way, does your bitterness cause you physical pain?
Re:If microsoft controls the 'keys' (Score:5, Insightful)
In the end, the easiest thing is to pay a one-time fee of $99 to MS and have them sign a mini-bootloader that can start up grub. That doesn't sound like such a big deal to me.
Aaaaaand... this is precisely where the control of the keys lies. No, $99 is not a big deal for Redhat. Trusting M$ won't "Ooops, lol.. guess we borked your key sign just before you had that big competing product release. Gee, sorry. We'll get that fixed right away."
Re:If microsoft controls the 'keys' (Score:4, Insightful)
Re:Why not hardware manufacturers? (Score:5, Insightful)
because this does nothing to improve windows security. the purpose is to be a barrier to entry (installation) for non-microsoft operating systems. it doesn't have to be 100% effective, it just has to make it more difficult for non-experts to try out linux (or freebsd or whatever) or to use special-purpose linux-based boot CDs like clonezilla or gparted.
Also, there's no guarantee at all that disabling will be "as simple as flipping a single setting in BIOS". on some machines, it might be. on others, it won't.
Re:Congratulations. (Score:5, Insightful)
Congratulations, you are now a 'grown up'.
Sigh.
All we're saying is that it was considered a Pretty Good Thing when the mainframe era was brought down by the PC. Now, people like you are standing around cheering while the monster reassembles itself.
People older than you remember the way IBM dominated both the hardware and software sectors for many years. They held their customers hostage in every sense but the literal one. They used every technical and legal tool available to suppress third-party innovation. Eventually, people like Ross Perot, Jobs and Wozniak, and finally Bill Gates barged into the room and threw their proverbial hammers at the screen.
Fast forward to 2012. Steve Ballmer is pulling underhanded, abusive shit that would have earned him a fistbump from T. J. Watson. The rebels who once sponsored the '1984' commercial are now working feverishly to put the pieces of the telescreen back together... only this time, they're using Gorilla Glass.
Some of us are old enough to understand that this is not how things were supposed to go. If you're not so old or wise, that's fine... but by calling people who disagree with you "children," your post only shows your own lack of awareness and conscience.