Spanish Linux group runs to teacher, complains about Microsoft’s Secure Boot

Spanish open source association Hispalinux, reports Reuters, has officially complained to the European Commission about the Windows 8 Secure Boot system.

Hispalinux, which describes itself with the tagline "towards a society where knowledge is free" (though presumably with those freedoms strictly regulated in the style of the GNU General Public License, or GPL), has objected to what some in the free software community consider the "obstruction mechanism" enforced in the bootstrap process of new PCs.

Apple's Intel-based Macs left the old-school BIOS-style bootstrap behind years ago (they have used EFI since their debut in 2006) in favour of the Extensible Firmware Interface (EFI, now the Unified EFI, or UEFI), which is perhaps best, if simplistically, described as a miniature operating system for operating systems.

The BIOS is just a proprietary blob of code that runs from ROM or Flash RAM when your computer first powers up, and has the hard-wired functionality of blindly reading a known sector off disk (the first 512-byte sector, the Master Boot Record, checked only for its two-byte 0x55 0xAA end marker) and executing it at a fixed memory location (0x7C00, if you are interested).

UEFI is much more 21st century: the firmware understands a filing system (a FAT-formatted EFI System Partition), from which it loads boot-time programs that are written to a standardised programming interface and compiled into a standardised executable format (PE/COFF, the same format as Windows .exe and .dll files, if you are interested).

PCs stuck to the happy-go-lucky BIOS "standard" for years, and only broadly embraced UEFI when Microsoft announced its intention to require it for computers certified for Windows 8.

In a perhaps-unsurprising twist, Microsoft also announced that Windows 8 PCs would be required to support Secure Boot, which allows the firmware to be locked down so that only cryptographically signed boot-time software can run.

Part of the motivation was entirely noble: to inhibit a low-level flavour of malware known as a bootkit (a rootkit that inserts itself into the boot chain), which loads before the operating system and therefore before any of the operating system's own security software.

In the BIOS world, there is no well-defined way (indeed, there is no ill-defined way) to enforce any sort of security during bootup: no execution protection, no memory protection, no disk protection, and no cryptographic verification of what you’re loading.

As a result, the final run-time security of any BIOS-loaded operating system depends on a completely insecure initial boot stage.

And the cybercrooks worked out how to use bootkit malware, loaded at the very outset of the bootstrap, to subvert the security of the operating system itself.

→ Reading in operating system code via the INT 13h BIOS disk interface, which a BIOS bootloader needs to do, means that a bootkit which hooks INT 13h sees every sector the bootloader asks for. Coding tricks from 1980s-era boot viruses let it watch for the sectors that contain trusted code (the kernel, say, or a signed driver) and patch that code in memory even before it loads, so the operating system's own integrity checks are running on an already-subverted system. UEFI aims to remove this untrusted layer from the bootstrap process.

It wasn’t all about malware, of course.

Part of Microsoft’s motivation was operational: to lock down a Windows 8 computer so that it restricted not only malware, but also any other, unapproved, operating systems.

You might consider this restrictive, yet unexceptional: after all, many mobile phones and tablet vendors (notably, and unyieldingly, Apple) have been locking down their bootloaders for years.

But a mobile-phone-style lockdown didn't fly in the world of Intel-based PC manufacturers, and although PCs need to support Secure Boot to be Windows 8 certified, they aren't permanently locked down.

You can turn Secure Boot off, allowing you to load anything you want (though, admittedly, without the intended boot-time protection), or you can enrol your own Platform Key (PK), the root of the UEFI key hierarchy: the PK authorises changes to the Key Exchange Keys (KEK), which in turn authorise changes to the signature databases (db, the allow-list, and dbx, the revocation list). Owning the PK makes you the cryptographic master of your own device.

Nevertheless, doing so isn’t a piece of cake, so many users probably won’t be willing to mess with the cryptographic keys loaded into the UEFI key database.
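As an added example (not code from the article or from Hispalinux), here is how a Linux user might at least look at what is in that key database before deciding whether to mess with it. On Linux the firmware exposes its variables through efivarfs, one file per variable, named NAME-GUID, with a 4-byte attribute word prepended to the payload; SecureBoot is a single byte, and db and dbx are a concatenation of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification. The GUIDs and structure layout below are from that specification; the sample variable contents, including the owner GUID, are constructed for the example rather than dumped from a real machine.

```python
"""Inspect UEFI Secure Boot state and the db/dbx signature databases."""
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
# Vendor GUIDs: the first owns SecureBoot/SetupMode/PK/KEK, the second db/dbx.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST.SignatureType values for X.509 certificates and SHA-256 hashes.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509_GUID: "x509", SHA256_GUID: "sha256"}


def read_efivar(name, guid):
    """Read a variable from efivarfs (attributes word included)."""
    with open(f"{EFIVARS}/{name}-{guid}", "rb") as f:
        return f.read()


def strip_attributes(raw):
    """Drop the 4-byte attribute word efivarfs prepends to every variable."""
    if len(raw) < 4:
        raise ValueError("efivar content too short")
    return raw[4:]


def secure_boot_enabled(raw):
    """SecureBoot is a single byte: 1 = enforcing, 0 = off."""
    payload = strip_attributes(raw)
    if len(payload) != 1:
        raise ValueError("SecureBoot should be exactly one byte")
    return payload[0] == 1


def parse_signature_lists(payload):
    """Return [(type_name, owner_guid, signature_data), ...] from db/dbx payload.

    EFI_SIGNATURE_LIST: EFI_GUID SignatureType; UINT32 SignatureListSize;
    UINT32 SignatureHeaderSize; UINT32 SignatureSize; header bytes; then
    EFI_SIGNATURE_DATA entries, each EFI_GUID SignatureOwner + data.
    """
    entries, off = [], 0
    while off < len(payload):
        if len(payload) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])  # EFI_GUID is mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(payload):
            raise ValueError(f"inconsistent EFI_SIGNATURE_LIST at {off}")
        body = payload[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, sigs):
    """Build one EFI_SIGNATURE_LIST from [(owner_uuid, data), ...]; all data same length."""
    sig_size = 16 + len(sigs[0][1])
    if any(len(d) != sig_size - 16 for _, d in sigs):
        raise ValueError("all SignatureData in one list must be the same size")
    body = b"".join(owner.bytes_le + data for owner, data in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def summarise(secureboot_raw, db_raw):
    """Secure Boot state plus a count of certificate and hash entries in db."""
    entries = parse_signature_lists(strip_attributes(db_raw))
    return {"secure_boot": secure_boot_enabled(secureboot_raw),
            "x509": sum(1 for t, _, _ in entries if t == "x509"),
            "sha256": sum(1 for t, _, _ in entries if t == "sha256")}


# Constructed sample data (not from a real machine): attributes 0x07 (NV|BS|RT)
# with SecureBoot=1, and a db with attributes 0x27 (adds TIME_BASED_AUTH)
# holding one x509 entry and two sha256 entries under a made-up owner GUID.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_SECUREBOOT = struct.pack("<I", 0x07) + b"\x01"
SAMPLE_DB = struct.pack("<I", 0x27) + (
    build_signature_list(X509_GUID, [(OWNER, b"\x30\x82" + bytes(30))])
    + build_signature_list(SHA256_GUID, [(OWNER, bytes(range(32))), (OWNER, bytes(32))])
)

if __name__ == "__main__":
    print(summarise(SAMPLE_SECUREBOOT, SAMPLE_DB))
    # On a UEFI Linux machine, use the live variables instead:
    # summarise(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE),
    #           read_efivar("db", EFI_IMAGE_SECURITY_DATABASE))
```

The parser is deliberately strict about SignatureListSize and SignatureSize: a firmware or tool that mis-sizes a list is exactly the kind of thing you want to notice before you start replacing keys rather than after.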

One solution to let other operating systems into the tent without replacing Microsoft's master key has been to get Microsoft to sign a small, generic first-stage bootloader (the approach taken by the "shim" used by several Linux distributions): the firmware accepts it because of the Microsoft signature, and it in turn loads the distribution's own bootloader and kernel.

But even that’s not perfect, at least to the uncompromisingly open parts of the open source world, and this seems to be where Hispalinux is coming from.

Also, the EC seems to have it in for Microsoft at the moment, having recently fined Redmond about $1.50 for every man, woman and child within the European Union for not giving users a carefully-randomised choice of browsers when they installed Windows 7 SP1.

No matter that EU Windows users could have installed any number of alternative browsers later on, and that no-one in Europe (and certainly not in the EC) seemed to notice the omission for a year or more: Microsoft was told to pay up.

Perhaps Hispalinux hopes that the vigour with which the European Commissioners dealt with the Mystery of the Missing Browser Chooser will inspire them to wave some sort of regulatory wand over the UEFI Secure Boot process.

I look forward to Hispalinux’s success with bated breath.

After all, once the issue is dealt with for Intel-based PCs, we can surely hope to see the EC forcing Apple to unlock its iDevices, forcing Microsoft to unlock its ARM-based tablets and phones, forcing games console vendors to let us load Linux on their consoles, and forcing every mobile phone supplier in the world (well, Europe) to remove any sort of lock that limits our choice of carrier, network or handset configuration.

Better yet, we’ll get free air travel too! (Just hitch a ride on the back of one of the pigs!)