Spanish Linux group runs to teacher, complains about Microsoft's Secure Boot


Spanish open source association Hispalinux, reports Reuters, has officially complained to the European Commission about the Windows 8 Secure Boot system.

Hispalinux, which describes itself with the tagline "towards a society where knowledge is free" (though presumably with those freedoms strictly regulated in the style of the GNU Public License, or GPL), has objected to what some in the free software community consider the "obstruction mechanism" enforced in the bootstrap process of new PCs.

Apple Macs left the old-school BIOS-style bootstrap behind years ago in favour of the Extensible Firmware Interface (EFI, now the Universal EFI), which is perhaps best, if simplistically, described as a miniature operating system for operating systems.

The BIOS is just a proprietary blob of code that runs from ROM or Flash RAM when your computer first powers up, and has the hard-wired functionality of blindly reading a known sector off disk and executing it at a fixed memory location (0x7C00, if you are interested).

UEFI is much more 21st century, supporting filing systems accessed by compiled executable modules that are written to a standardised programming interface and compiled into a standardised format (the PE format, as used in Windows, if you are interested).

PCs stuck to the happy-go-lucky BIOS "standard" for years, and only broadly embraced UEFI when Microsoft announced its intention to require it for computers certified for Windows 8.

In a perhaps-unsurprising twist, Microsoft also announced that Windows 8 PCs would be required to support Secure Boot, which allows the firmware to be locked down so that only cryptographically signed boot-time software can run.

Part of the motivation was entirely noble: to inhibit a low-level flavour of malware known as a rootkit, or bootkit, that loads before the operating system.

In the BIOS world, there is no well-defined way (indeed, there is no ill-defined way) to enforce any sort of security during bootup: no execution protection, no memory protection, no disk protection, and no cryptographic verification of what you're loading.

As a result, the final run-time security of any BIOS-loaded operating system depends on a completely insecure initial boot stage.

And the cybercrooks worked out how to use bootkit malware, loaded at the very outset of the bootstrap, to subvert the security of the operating system itself.

→ Reading in operating system code via the INT 13h BIOS disk interface, which a BIOS bootloader needs to do, means that you can use coding tricks from 1980s-era boot viruses to watch for sectors that contain trusted code, and patch it even before it loads. UEFI aims to remove this untrusted layer from the bootstrap process.
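The structural difference between the two boot formats described above can be seen by parsing them. The following is an added example, not code from the original article: a BIOS boot sector is 512 opaque bytes with nowhere to put a signature, while a UEFI PE image has a certificate-table slot for one. The function names and sample bytes are this example's own, and the check only reports whether a signature is embedded; deciding whether to trust it is the firmware's job, using its key database.

```python
import struct

# Names below are illustrative (added example); field offsets follow PE/COFF.
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver"}
CERT_DIR = 4  # PE data-directory slot that points at the Authenticode blob


def classify_boot_image(data: bytes) -> dict:
    """Report which boot format a blob is and whether it carries a signature."""
    try:
        if data[:2] == b"MZ":
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return _describe_pe(data, pe_off)
    except struct.error:
        return {"kind": "malformed-pe"}
    # A BIOS boot sector is 512 opaque bytes ending in 0x55 0xAA: no header,
    # no field for a signature, loaded at 0x7C00 and jumped to.
    if len(data) == 512 and data[510:] == b"\x55\xaa":
        return {"kind": "bios-boot-sector", "load_address": 0x7C00,
                "has_embedded_signature": False}
    return {"kind": "unknown"}


def _describe_pe(data: bytes, pe_off: int) -> dict:
    opt = pe_off + 24                      # skip "PE\0\0" and 20-byte COFF header
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        return {"kind": "malformed-pe"}
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dirs = opt + (112 if magic == 0x20B else 96)
    count = struct.unpack_from("<I", data, dirs - 4)[0]
    cert_off = cert_len = 0
    if count > CERT_DIR:
        # For this one directory the first field is a file offset, not an RVA.
        cert_off, cert_len = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR)
    signed = cert_len >= 8 and cert_off + cert_len <= len(data)
    cert_type = struct.unpack_from("<H", data, cert_off + 6)[0] if signed else None
    return {"kind": "uefi-pe-image", "machine": hex(machine),
            "subsystem": EFI_SUBSYSTEMS.get(subsystem, f"non-EFI ({subsystem})"),
            "has_embedded_signature": signed,
            "pkcs7_signed_data": cert_type == 0x0002}


def make_sample_pe(cert: bytes = b"") -> bytes:
    """Constructed sample: a bare PE32+ EFI application header (not bootable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                       # 112 + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, 10)                        # EFI application
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 112 + 8 * CERT_DIR, 0x40 + 24 + 240, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


# Constructed inputs: an empty boot sector and a placeholder WIN_CERTIFICATE
# header (length, revision 0x0200, type 0x0002) with dummy contents.
SAMPLE_SECTOR = bytes(510) + b"\x55\xaa"
SAMPLE_CERT = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)

if __name__ == "__main__":
    for name, blob in [("sector", SAMPLE_SECTOR), ("unsigned", make_sample_pe()),
                       ("signed", make_sample_pe(SAMPLE_CERT))]:
        print(name, classify_boot_image(blob))
```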

It wasn't all about malware, of course.

Part of Microsoft's motivation was operational: to lock down a Windows 8 computer so that it restricted not only malware, but also any other, unapproved, operating systems.

You might consider this restrictive, yet unexceptional: after all, many mobile phone and tablet vendors (notably, and unyieldingly, Apple) have been locking down their bootloaders for years.

But a mobile-phone-style lockdown didn't fly in the world of Intel-based PC manufacturers, and although PCs need to support Secure Boot to be Windows 8 certified, they aren't permanently locked down.

You can turn Secure Boot off, allowing you to load anything you want (though, admittedly, without the intended boot-time protection), or you can upload your own Platform Key, making you the cryptographic master of your own device.

Nevertheless, doing so isn't a piece of cake, so many users probably won't be willing to mess with the cryptographic keys loaded into the UEFI key database.
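To see which of these states a machine is actually in, Linux exposes the firmware's SecureBoot and SetupMode flags through efivarfs. The following is an added example, not code from the original article; the function names and state labels are this example's own, and the sample entries are constructed.

```python
import struct
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # UEFI global variables
EFIVARS = Path("/sys/firmware/efi/efivars")                # Linux efivarfs mount


def parse_flag(raw):
    """efivarfs entry = 4-byte little-endian attributes + data; flags are 1 byte."""
    if raw is None or len(raw) != 5:
        return None
    _attributes, value = struct.unpack("<IB", raw)
    return value


def load_vars(root=EFIVARS):
    """Read the raw SecureBoot and SetupMode entries; None if the mount is absent."""
    if not root.is_dir():
        return None
    found = {}
    for name in ("SecureBoot", "SetupMode"):
        try:
            found[name] = (root / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
        except OSError:
            found[name] = None
    return found


def secure_boot_state(raw_vars):
    """Map the two firmware flags onto the cases the article describes."""
    if raw_vars is None:
        return "legacy-bios-or-no-efivarfs"
    secure = parse_flag(raw_vars.get("SecureBoot"))
    setup = parse_flag(raw_vars.get("SetupMode"))
    if setup == 1:
        return "setup-mode"    # no Platform Key enrolled; a new one can be installed
    if secure == 1:
        return "enforcing"     # only images the key database accepts will load
    if secure == 0:
        return "disabled"      # keys enrolled, verification switched off
    return "unknown"


# Constructed sample entries (attributes 0x06, then the one-byte flag value).
SAMPLE_ENFORCING = {"SecureBoot": b"\x06\x00\x00\x00\x01",
                    "SetupMode": b"\x06\x00\x00\x00\x00"}
SAMPLE_DISABLED = {"SecureBoot": b"\x06\x00\x00\x00\x00",
                   "SetupMode": b"\x06\x00\x00\x00\x00"}
SAMPLE_SETUP = {"SecureBoot": b"\x06\x00\x00\x00\x00",
                "SetupMode": b"\x06\x00\x00\x00\x01"}

if __name__ == "__main__":
    print(secure_boot_state(load_vars()))
```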

One solution to let other operating systems into the tent without replacing Microsoft's master key has been to get Microsoft to sign a generic bootloader that can then load anything you want.

But even that's not perfect, at least to the uncompromisingly open parts of the open source world, and this seems to be where Hispalinux is coming from.

Also, the EC seems to have it in for Microsoft, having recently fined Redmond about $1.50 for every man, woman and child within the European Union for not giving them a carefully-randomised choice of browsers when they installed Windows 7 SP1.

No matter that EU Windows users could have installed any number of alternative browsers later on, and that no-one in Europe (and certainly not in the EC) seemed to notice the omission for a year or more: Microsoft was told to pay up.

Perhaps Hispalinux hopes that the vigour with which the European Commissioners dealt with the Mystery of the Missing Browser Chooser will inspire them to wave some sort of regulatory wand over the UEFI Secure Boot process.

I look forward to Hispalinux's success with bated breath.

After all, once the issue is dealt with for Intel-based PCs, we can surely hope to see the EC forcing Apple to unlock its iDevices, forcing Microsoft to unlock its ARM-based tablets and phones, forcing gaming station vendors to let us load Linux on their consoles, and forcing every mobile phone supplier in the world (well, Europe) to remove any sort of lock that limits our choice of carrier, network or handset configuration.

Better yet, we'll get free air travel too! (Just hitch a ride on the back of one of the pigs!)


27 Responses to Spanish Linux group runs to teacher, complains about Microsoft's Secure Boot

  1. guest457 · 926 days ago

    A good, thorough article fizzes out at the end with eurobashing, while forgetting that on the other hand we have a convicted monopolist who was told before their "mistake" that in event of such an event they would be fined heavily.. Just like any other criminal, the sentences get tougher the more often you're in front of a judge.


    • shigorin · 799 days ago

      It was neither good nor thorough right from the title in the first place, IMNSHO.

  2. John Stumbles · 926 days ago

    Totally agree with securing the boot process. I think the issue is that purchasers' choice should not be restricted by vendors' monopoly. I think it's pretty well accepted that Microsoft should not be allowed to use its market position to dictate that we can, say, only run Internet Explorer and not Firefox or Chrome on Windows. Likewise it shouldn't be able to use its market position to insist that PC manufacturers make their machines able to run only Windows.
    The position with Apple is different in that they make their own hardware so arguably have a right to decide what software one may run on it, though I think even that might reasonably be challenged as being unfairly bundling things together. (If you paid British Gas to install a boiler would it be fair to be tied to buying gas from BG too?)

  3. Jim Sands · 925 days ago

    Actually it is about time someone did this. At the moment, if you have an old PC there is nothing to stop you from trashing Windows and installing a Linux flavour. Under UEFI, this varies between difficult and impossible. If I have bought a bit of hardware I fundamentally object to Microsoft telling me what I may or may not run on it. It's called a monopoly.

    • Paul Ducklin · 925 days ago

      Not sure whether I got lucky, but it wasn't terribly hard to install Linux on my Windows 8 laptop.

      (I tried Windows 8, honest, and I quite liked it if the truth be told. But it's a "beach laptop" - one that is just about good enough to do real work but not so expensive as to be banned from going along on leisure activities - so Windows 8 didn't last. The laptop is just that bit more fluid and usable for me with a minimalist Linux.)

      Turn on power. Press [Esc]. Go to the Secure Boot option. Choose "Disabled." Install Linux.

      Far from impossible, and nowhere near difficult.

      Now I used to have an iPad, and it definitely wasn't easy to install Linux on *that* :-)

  4. Nigel · 925 days ago

    "Hispalinux...describes itself with the tagline "towards a society where knowledge is free"..."

    Meh. One wonders how long it will take the human species to finally abandon the superstition that "knowledge is free". Knowledge has never been free (as in "beer"). It always costs something to transmit, receive, process, interpret, and assimilate information. It's a thermodynamic cost, if nothing else. (Read physicist Leon Brillouin's 1950 papers on Information and Entropy) Maxwell's Demon cannot operate. There's no free lunch.

    What's more, knowledge shouldn't be free (as in "unrestricted"). The implication that it should is tantamount to saying that everyone should be able to know everything about everyone else's business. What nonsense. Are the advocates of "knowledge should be free" advocating zero privacy for their own information?

    Ah...that's different. When they say they want "a society where knowledge is free", they mean FOR THEM. They're special, you see. Different rules apply to everyone else.

  5. Chris · 925 days ago

    "Runs to teacher"?

    Dismissive remarks about the GPL?

    I'd take this article more seriously if the inherent bias wasn't quite so obvious. Not what I expect from Naked Security!

    • Paul Ducklin · 925 days ago

      Ahem! Where do I "dismiss" the GPL?

      I thought that the observation that your GPL software freedoms are "strictly regulated" by the licence itself was one of the least controversial parts of the whole piece. Isn't the whole point of the GPL that it has to be firm to be fair?

      As for "runs to teacher," I think that falls under "satire/joke/piquant remark." :-)

      I'm not against Hispalinux. (Indeed, I expressly said "I look forward to their success." Did you see that bit?)

      But help me here...why is a non-compulsory boot lock on Windows 8 PCs apparently attracting more FLOSS opprobrium than the *compulsory* boot lock on many tablets and phones, including Microsoft's own?

      *That* seems to be a bias to me. (I am not saying it's an objectionable bias, just that I don't understand it.)

      • Chris · 925 days ago

        OK, maybe "dismissive" on my part was slightly OTT, but in comparison with yer average big vendor EULA, I'd say the GPL wasn't all that bad ;)

        I think the problem is that the Windows 8 secure boot requirement places a restriction on hardware manufactured by multiple suppliers. If Apple or Microsoft want to restrict what runs on devices they make, that's their prerogative and prospective buyers either go along with that or they don't. But this cuts across the whole vast PC market. So, not the same thing at all! Yes, the boot lock is non compulsory, but as you point out, it is "not a piece of cake" to overcome, and I would expect it to discourage all but the most adventurous.

        Anyway, I too look forward to Hispalinux's success and also to the free porcine aviation. (I am a realist, above all else.) Keep up the good work!

      • John Stumbles · 925 days ago

        why is a non-compulsory boot lock on Windows 8 PCs apparently attracting more FLOSS opprobrium than the *compulsory* boot lock on many tablets and phones, including Microsoft's own?

        On the one hand you have a new class of devices coming to market which are locked (FLOSS community sighs, rolls eyes, gets hacking...), on the other an existing class of devices which have always been open which Evil Empire is attempting to lock them out of (FLOSS community collects bottles, buys petrol...)

      • Pierce Randall · 922 days ago

        I definitely agree that the wording of the headline is tendentious. Even worse if that wasn't the intent of the author.

        The difference between mobile devices and Windows 8 is that Microsoft is engaging in anticompetitive activity when it uses its existing market share to prevent the adoption of other operating systems. Apple does not do that with their market share of mobile devices.

  6. Mark · 925 days ago

    Looool so much sarcasm! ^_^
    Love your articles Paul :D

  7. I recently found, in an iMac I purchased in 2010, that Apple locked-down the UEFI to allow booting via USB from only Apple and Windows images.

    As this machine contained an internal DVD drive I was able to install Ubuntu 12.10 (completely replacing OS X), albeit a version mastered expressly to work-around the UEFI by using the BIOS-emulation mode.

    A Mac Mini purchased last year, which does *not* contain an internal DVD drive, will absolutely not boot anything but Apple or Windows images.

    I've no issue with Microsoft intent as they do allow the UEFI to be disabled.

    I *do* have an issue with the Apple lockdown of their hardware - which ceases to become *their hardware* after I legally removed it from their store.

    Although I like the overall quality of their hardware, I'll never purchase another Apple product.

  8. Steve · 925 days ago

    For the sake of completeness, here are the thoughts of the man who's put in significant effort to allowing Linux users to take advantage of Secure Boot:

    For what it's worth, I agree with him & Paul - the lockdown on tablets & phones is more concerning, since that's where the market is heading.

  9. Ed Carter · 924 days ago

    Here here.

  10. 1011 · 924 days ago

    Is UEFI really not that easy to disable? The UEFI menus I've looked through (from manufacturers like Asrock and Acer) show that it's just a matter of clicking a few buttons.

  11. 1011 · 924 days ago

    Sorry, I meant secure boot.

  12. radenok · 924 days ago

    It is derogatory texts like this that make me regret not being able to express myself properly in English -- because, you, Duckling, really deserve some telling off:

    1. you dismiss open source community by comparing them to some whining kids,

    2. and you dismiss gnu as some false attempt that ended as 'freedom restriction', with one pejorative "though presumably with those freedoms strictly regulated in the style of the... GPL",

    3. and you dedicated three passages to WHINING about EC fining Microsoft for 'petty crime' of not shuffling choice-of-browsers properly, but forget to mention (as proper journalist of Reuters did!) that "The European Commission has fined Microsoft, the global leader in PC operating systems, 2.2 billion euros ($2.83 billion) over the past decade, making it the world's biggest offender of European Union business rules".

    4. how comes there are only "like" and "recommend" options available to readers of this 'jewel' -- how about "dislike" and "not recommend"?

    • Paul Ducklin · 924 days ago

      Errr, if you dislike the article that much, you could always leave a rude and aggressive comment loaded with over-the-top accusations (sorry, I simply do NOT get how suggesting the GPL imposes "strict regulations" is an attempt to "dismiss gnu as some false attempt" at anything) and wait until the author of the article approves it.

      (Yes, calling me "Duckling" *is* an insult, though it's one I haven't heard since I was at primary school - a whining kid surrounded by whining kids.)

      As for Microsoft's fine for browser choice...I'm not taking sides. If they broke that law and the law says to fine them $750m, then so be it.

      The point of the article, however, is, "Why pick on Microsoft and Secure Boot on the Intel platform when so many other platforms, *including one from Microsoft*, are locked down even tighter?"

      • John Stumbles · 923 days ago

        Paul Ducklin:

        The point of the article, however, is, "Why pick on Microsoft and Secure Boot on the Intel platform when so many other platforms, *including one from Microsoft*, are locked down even tighter?"

        Because the other platforms are those owned[1] by the people doing the locking down, whereas the PC is a platform which has historically been de facto open[2] but M$ is attempting to use its monopolistic market position to strong-arm OEMs into making it M$-proprietary. We've seen this before when M$ used its muscle to make OEMs bundle (and charge purchasers for) a copy of windows on each machine even if they wanted to run another OS.

        Come on Paul, this is a blatant abuse of corporate power by a big player using market share rather than technical merit to sell its products. As an employee of an organisation that's extremely vulnerable to abuses of that power that have demonstrably happened in the past to people just such as you lot (remember drivespace/doublespace?) you must surely be uncomfortably aware of this. I don't think you're as craven as to be brown-nosing Redmond[4] but I fail to understand your sympathy to Microsoft[5] in this case.

        [1] in the sense of IP[3] - designed and manufactured to their specifications for them

        [2] though not intended to be so: I gather IBM just considered the original PC to be a glorified executive toy and cba to protect their ip in it until it took off, at which point they realised their mistake and attempted to lock the stable door with their ip-protected PS/2 which flopped because the ISA had already bolted

        [3] Intellectual Property not Internet Protocol!

        [4] I don't suppose they'd give a toss either way: that would be a personal matter and like the mafia they're interested in business

        [5] exemplified by your characterising the EC (who they?) as "having it in for Microsoft" for actually acting to uphold clearly-stated rules which Redmond flouted with an excuse about as plausible as their dog ate their homework. Perhaps rolling over and letting M$ walk over them would have been more reasonable?

        • Paul Ducklin · 922 days ago

          It didn't work, though, did it? The blatant abuse of corporate power?

          The UEFI platform on Intel PCs certified for Windows 8 isn't locked down.

          And my point in saying that "the EU seems to have it in for MS" was not to criticise the EU for fining MS, but to suggest that perhaps Hispalinux are onto a winner.

          After all, if you can attract a $750,000,000 fine for making 15,000,000 users wait until after they've installed your OS before they get to download or install a non-IE browser, whether they minded or not, you can surely get into trouble for making European Unionians go into a boot-time configuration screen before they can unlock their bootloaders?

  13. James Bottomley · 924 days ago

    Your conclusion from my blog isn't correct:

    > Nevertheless, doing so isn't a piece of cake, and replacing the Platform Key means you can't run the Windows 8 bootloader any more.

    I believe you *can* replace the PK and still run windows (thus taking effective control of the platform). I can't see how this could be untrue, because the Win 8 logo requirements say that the OEM not Microsoft must own the PK, so windows cannot check it. Unfortunately, no-one has tested this yet. I believe you can also add to the KEK and db. As long as you don't *remove* the MS keys, Windows should still boot up just fine.

    • Paul Ducklin · 924 days ago

      I'll remove the offending text, just leaving it as "isn't a piece of cake."

      Thanks for taking the time to review the article!

  14. Gnar · 923 days ago

    Author Ducklin asserts, "In the BIOS world, there is no well-defined way (indeed, there is no ill-defined way) to enforce any sort of security during bootup: no execution protection, no memory protection, no disk protection, and no cryptographic verification of what you're loading."

    This is nonsense. GRUB bootloaders used with Linux and similar distros (both legacy grub and v2) offer a "lock" config in boot/grub/menu.lst (legacy ver) which prevents any early stage boot activity without the encrypted passphrase being entered. This also allows the lock feature to be required before entering Single-User mode, rescue mode, grub command-line or any shell commands. These do have to be configured manually but they are there for the using. Full-disk encryption is also an option on install of any decent linux distro.

    • Paul Ducklin · 922 days ago

      My observation isn't at odds with yours.

      GRUB, indeed, can and does include various GRUB-time security features, and full-disk encryption (readily available for most OSes including Linux, Windows and OS X) does *almost* exactly what it says (it doesn't actually encrypt the entire disk, of course - neither the bootloader itself nor the crypto drivers that serve to unravel the encrypted "almost-full-disk" are encrypted).

      And there's the rub.

      In the BIOS world, there is no well-defined way for the firmware to regulate or enforce that *your* version of GRUB gets loaded, or that *your* version of the password-entry and disk-decryption code gets used.

  15. Kliment · 922 days ago

    Haha, this TOTALLY wasn't written with a slant.

  16. With the excuse of viruses Microsoft had locked the BIOS, but the Penguin I am sure will always prevail !


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog