Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Microsoft Red Hat Software Windows Linux Hardware

Red Hat Will Pay Microsoft To Get Past UEFI Restrictions 809

ToriaUru writes "Fedora is going to pay Microsoft to let them distribute a PC operating system. Microsoft is about to move from effectively owning the PC hardware platform to literally owning it. Once Windows 8 is released, hardware manufacturers will be forced to ship machines that refuse to run any software that is not explicitly approved by Microsoft — and that includes competing operating systems like Linux. Technically Fedora didn't have to go down this path. But, as this article explains, they are between a rock and a hard place: if they didn't pay Microsoft to let them onto the PC platform, they would have to explain to their potential users how to mess with firmware settings just to install the OS. How long before circumventing the secure boot mechanism is considered a DMCA violation and a felony?" Note that the author says this is likely, but that the entire plan is not yet "set in stone."
This discussion has been archived. No new comments can be posted.

Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Comments Filter:
  • by nurb432 ( 527695 ) on Thursday May 31, 2012 @03:09PM (#40170853) Homepage Journal

    How can this be legal and not an abuse of their monopoly power?

    Aside from the fact you can turn it off ( for now ) it still sounds like a clear case of abuse to me and someone should be talking to an attorney about this.

    • by Anonymous Coward on Thursday May 31, 2012 @03:15PM (#40170947)

      Yeah, if this isn't "monopolistic action in restraint of trade" I'm not sure what is. MS is probably greedy enough to try something like this, but I don't think they're stupid enough to think they can get away with it.

    • by ZeroSumHappiness ( 1710320 ) on Thursday May 31, 2012 @03:22PM (#40171055)

      I particularly like how the UEFI signing format only allows one key to sign it and that signature being (apparently) on the hardware. Yeah, this isn't a clear way of entrenching a monopolistic interest at all. I mean, I understand why someone would want secured, signed hardware all the way up the stack (assuming, of course that no one breaks the scheme), but it's entirely obvious how this makes it harder for the little man to get ahead in the game.

      • by sjames ( 1099 ) on Thursday May 31, 2012 @03:37PM (#40171323) Homepage Journal

        Any proper system would have the end user hold the root key for the system and they could choose (or not) to bless certs from various vendors (or just directly sign the bootloader). Of course, MS doesn't want a proper system, they want lock-in.

        • by Anonymous Coward on Thursday May 31, 2012 @04:44PM (#40172387)

          MS doesn't control the keys; it's just that they're the ones driving the requirement so no OEM has a reason to ship a system with security enabled and not have the MS key.

          The requirements for x86 hardware are that the system must ship with restrictions enabled, but the user must be allowed to disable the restrictions or add their own keys. In other words, there is nothing preventing you (the owner) from doing whatever you want with the machine. If you don't want the restrictions, simply turn them off and install whatever code you like.

          The only issue is that machines with the Windows 8 logo will be required to ship with the restrictions enabled and RedHat doesn't want installation instructions that start with "disable UEFI security" or "enroll the RedHat public key".

          Other options they rejected are:

          1. Get all manufacturers to ship with RedHat's key in the firmware (in addition to MS's). The manufacturers had no problem with this, but there's no way they could possibly find every OEM to get them to do it, and they didn't want to be in a privileged position ("install RedHat because it's trusted by your OEM").

          2. Get all Linux distros to coordinate on a single Linux key and have the OEMs add it to their hardware. This is undesirable because nobody wants to be responsible for maintaining the One True Key, and even then there would still be OEMs who don't ship with it.

          In the end, the easiest thing is to pay a one-time fee of $99 to MS and have them sign a mini-bootloader that can start up grub. That doesn't sound like such a big deal to me.

          Note that the issue with having only one signature on a file is unrelated. That just means a user can't realistically remove the MS key from their system because lots of drivers will be signed with it. Allowing multiple signatures on a file would not change RedHat's position.


          • by sl4shd0rk ( 755837 ) on Thursday May 31, 2012 @05:19PM (#40172861)

            In the end, the easiest thing is to pay a one-time fee of $99 to MS and have them sign a mini-bootloader that can start up grub. That doesn't sound like such a big deal to me.

            Aaaaaand... this is precisely where the control of the keys lies. No, $99 is not a big deal for Redhat. Trusting M$ won't "Ooops, lol.. guess we borked your key sign just before you had that big competing product release. Gee, sorry. We'll get that fixed right away."

    • by zill ( 1690130 ) on Thursday May 31, 2012 @03:25PM (#40171119)
      Microsoft isn't scared of the DOJ. In the last anti-trust case [] Microsoft was found to have committed monopolization and tying and yet they paid exactly 0 dollars and 0 cents in fines.
    • by Penguinisto ( 415985 ) on Thursday May 31, 2012 @03:26PM (#40171135) Journal

      Maybe that's why Microsoft was so eager to drop in that 'no class action' thing into their EULA.

    • by IamTheRealMike ( 537420 ) on Thursday May 31, 2012 @03:34PM (#40171259)

      Because charging Red Hat, a billion dollar company, $99 for access to signing services is not "monopoly abuse"? The author of TFA already pointed out that nothing stops somebody from providing the same services to the Linux community, but it's difficult and expensive and they can't be bothered, so it's easier to pay Microsoft to do it for them. As can anyone else.

      Secure boots and trusted computing are fundamentally a good idea. Having OEMs provide a set of root keys to control what boots is a good idea. The problem is the creator of BobLinux who wants to have thousands of random users install his random kernel is indistinguishable technically from the creator of some boot sector malware who wants to have thousands of users permanently rooted. It becomes distinguishable once you have people who check out what the software is and signs it, which is the service Microsoft are providing - for very little, actually. As I said, apparently others don't feel like offering similar services when it's expensive to do and Microsoft are offering to do it cheaply. But they could.

      • by ZeroSumHappiness ( 1710320 ) on Thursday May 31, 2012 @03:42PM (#40171409)

        Uhm, this is exactly monopoly abuse.

        Industry: We should support code signing to ensure a trusted compute path.
        Microsoft: I agree. Let's use this scheme that makes it impossible for drivers to be signed with multiple keys simultaneously. And if you want to work on Windows (the most popular OS out there) you need to use Microsoft keys, so we have to sign it. And this all has to be turned on by default.
        The Rest: Wait, wouldn't that make it really hard for anyone else to get a large amount of buy-in resulting in installation of a non-Microsoft OS very difficult?
        Microsoft: *Trollface*

  • by eagee ( 1308589 ) on Thursday May 31, 2012 @03:09PM (#40170857) about the only thing that might turn me into an Apple user.
    • This is exactly the same as what Apple does. I am totally embarrassed and full of pity when reading your comment.
      • by Macrat ( 638047 )

        This is exactly the same as what Apple does. I am totally embarrassed and full of pity when reading your comment.

        Apple doesn't prevent users from installing other OSes on Mac hardware.

  • by EmagGeek ( 574360 ) <(gterich) (at) (> on Thursday May 31, 2012 @03:11PM (#40170899) Journal

    ... how the FUCK this passes the slightest hint of anti-trust scrutiny?

    • Sure thing hoss (Score:3, Informative)

      by Tailhook ( 98486 )

      Entry no. 3 [], in between all the banks, content owners, universities and trail lawyers.

    • by EdZ ( 755139 ) on Thursday May 31, 2012 @03:38PM (#40171345)
      Because you can :
      a - Choose not to use Secure Boot, and run whatever the hell you want (i.e. the current situation with regular BIOS and UEFI)
      b - Add your own key to the mobo, and sign your distro with it.

      Both of these are predicated on buying a motherboard or pre-built that allows you to do so. The onus is on the manufacturer to allow you to do stuff with Secure Boot, the microsoft requirements (for non-ARM architectures) do not require Secure Boot be fully locked, only that the default setting is "boot Windows 8 securely".
    • Because there were several other paths they could have chosen to work with secure boot, but this was the most efficient? Because Microsoft is making a whole $99 to handle verification and signing for them? Seriously, this is sad. Microsoft will sign a boot loader for them for basically no money. This isn't a "Microsoft tax" situation - Microsoft will undoubtedly lose money on the arrangement, even if it's $99 every time Red Hat wants to update their "pre-grub" bootloader, and not the one-time registrati
      • Because there were several other paths they could have chosen to work with secure boot, but this was the most efficient?

        Most efficient? Hardly.

        One thing MS could have done was ensured, for the sake of not appearing totally anti-competitive, was to put a 3rd party in charge of the process, include guidelines in UEFI for how keys could automatically be installed safely, and specify a minimum functionality set for "custom mode" so using Linux and Windows securely on the same machine isn't a binary choice.

        It is

  • by MickyTheIdiot ( 1032226 ) on Thursday May 31, 2012 @03:14PM (#40170945) Homepage Journal

    I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems that quite a number of large institutions like Universities will refuse to buy from them. I am not 100% sure because there are a lot of unis with microsoft-centric IT departments. Institutions with hard sciences depend quite heavily on different flavors of Unix and Linux to get work done.

    Anyway... this is a disgrace and it's bound to blow up in quite a number of people's faces.

    • by Missing.Matter ( 1845576 ) on Thursday May 31, 2012 @03:39PM (#40171355)

      I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems

      If Dell wants Windows Certification it better not do this. Per the Windows Certification Requirements [], page 122:

      MANDATORY. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

      a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode.

      b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with SecureBoot turned off.

      c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.

      • Re: (Score:3, Insightful)

        by 0123456 ( 636235 )

        If Dell wants Windows Certification it better not do this. Per the Windows Certification Requirements [], page 122:

        Of course for Windows 9, blocking non-Windows operating systems will become mandatory on all devices.

        You don't get the 'slippery slope' thing, do you? Or are you one of those 'slippery slopes don't exist' bozos?

        • Slippery slopes tend to be less slippery when there's a wall of legal text already established to prevent the slope in question from being greased too liberally.
    • by vux984 ( 928602 ) on Thursday May 31, 2012 @04:39PM (#40172311)

      I am pretty sure that if a hardware manufacturer like Dell locks out Linux operating systems

      That is not the case AT all.

      Its REALLY simple; linux is not being locked out of desktops.
      x86 hardware shipping with win8 pre installed needs to have:
      a) secure boot functionality
      b) windows 8 boot signing keys
      c) secure boot functionality turned on
      d) and it must be possible to disable secure boot
      e) and it must be possible to load additional boot signing keys

      So, linux users buying dell pcs (x86) will be able to exercise option d) and disable secure boot.

      They can also exercise option e) and install a linux signing key, and leave secure boot enabled.

      Linux users are NOT locked out at all.

      However, if I want to try Linux for the first time, I'd like stick in a live CD and boot it... I might be intimidated by having to go into bios first to disable secure boot. I'm very likely to be intimidated by having to install a signing key into bios first.

      Redhat wants linux to "just work" without the user having to jump through those hoops so the ideal option would be to coordinate with all the oem manufacturers to get a "redhat" or at least "linux" signing key into the bios, so that the linux bootloaders can be signed against that. (The OEMs were fine with this, even enthusiastic... but the cost to do this is extremely high, and there would still likely be several cases where the redhat key was missing, leaving us with an inconsistent and annoying situation.

      The other option was to just sign the bootloader with the microsoft key; microsoft is already working with all the OEMs, and already has all the infrastructure in place. Fedora decided to piggy-back on the microsoft key and pay to get the bootloader signed by microsoft.

      Is it ideal? No. But in terms of what it does for the users of linux? Its a great thing. Fedora will "just boot" in secure boot mode. Users don't have to disable secure boot to use linux, which is a good thing. Users don't HAVE to manually install a linux key into bios to use secure boot (although they still can if they prefer not to use the microsoft signed version).

      The x86 ecosystem remains truly open (in that users can manage boot signing keys themselves if they wish), and trying out linux is remains easy because it will boot with the default installed microsoft keys.

      Overall its a good compromise.

      Note that on arm tablets the situation is entirely different. option d and e are not available, and fedora isn't getting the software signed for that platform... if you buy a windows 8 arm device you'll have to crack it to put linux on it.

  • $99 (Score:5, Interesting)

    by Greger47 ( 516305 ) on Thursday May 31, 2012 @03:22PM (#40171061)

    What the sensationalist headline and summary forgot to mention is that RedHat is paying a whopping $99 to Microsoft.

    What is more worrisome and more headline worthy is that Microsoft has now become the de facto gatekeeper of your computer BIOS. Without their signature you operating system will not run.


    • by scharkalvin ( 72228 ) on Thursday May 31, 2012 @04:38PM (#40172303) Homepage

      Actually (if you read the article) M$ does not get any of that $99. The fee goes to Verisoft. Microsoft is acting as the gatekeeper for the signup process.

      Now I will be VERY pissed if I buy a new motherboard to build my own computer and it won't boot Linux unless I have to buy a key for $99. In such a case I would return the MB as being defective. I hope Asus and other MB makers will give me a choice of bios options when I buy a new MB.

  • Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
  • Wow (Score:5, Informative)

    by a90Tj2P7 ( 1533853 ) on Thursday May 31, 2012 @03:33PM (#40171243)
    I'd blame the drama over this just on the article, but the summary's definitely got some FUD to it as well. For x86 systems, all you need to do is turn off the feature []. And that's if you insist on running unsigned software - it's not like there isn't an open and inexpensive process to get signed.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson