Exclusive: Linux users file EU complaint against Microsoft

(Reuters) - A Spanish association representing open-source software users has filed a complaint against Microsoft Corp to the European Commission, in a new challenge to the Windows developer following a hefty fine earlier this month.

The 8,000-member Hispalinux, which represents users and developers of the Linux operating system in Spain, said Microsoft had made it difficult for users of computers sold with its Windows 8 platform to switch to Linux and other operating systems.

Lawyer and Hispalinux head Jose Maria Lancho said he delivered the complaint to the Madrid office of the European Commission at 0900 GMT (4 a.m. EST) on Tuesday.

In its 14-page complaint, Hispalinux said Windows 8 contained an "obstruction mechanism" called UEFI Secure Boot that controls the start-up of the computer and means users must seek keys from Microsoft to install another operating system.

The group said it was "a de facto technological jail for computer booting systems ... making Microsoft's Windows platform less neutral than ever".

"This is absolutely anti-competitive," Lancho told Reuters. "It's really bad for the user and for the European software industry."

Microsoft said UEFI was an industry standard aimed at improving computer security and the approach had been public for some time.

"We are happy to answer any additional questions but we are confident our approach complies with the law and helps keep customers safe," Microsoft spokesman Robin Koch said in a statement.

A spokesman for EU Competition Chief Joaquin Almunia declined to comment.

But in written comments dated March 4 to a query from an European Parliamentary lawmaker, Almunia said his administration was aware of the Microsoft Windows 8 security requirements.

"The Commission is monitoring the implementation of the Microsoft Windows 8 security requirements. The Commission is however currently not in possession of evidence suggesting that the Windows 8 security requirements would result in practices in violation of EU competition rules," he said in the letter posted on the website of the European Parliament.

The European Commission has fined Microsoft, the global leader in PC operating systems, 2.2 billion euros ($2.83 billion) over the past decade, making it the world's biggest offender of European Union business rules.

Microsoft's relations with the EU executive have been tense since 2004, when the EU found that the company had abused its market leader position by tying Windows Media Player to the Windows software package.

The company took a more conciliatory approach in recent years, settling another antitrust investigation in 2009 related to the choice of a browser in its Windows operating system.

It also lodged its own complaints to the Commission about the business activities of rival Google.

But Microsoft broke its 2009 pledge and was fined 561 million euros by the EU Commission on March 6 for failing to offer users a choice of web browser.

~ Sarah Morris
 

Read More

Shim delivered to allow small Linux distros to boot

Takeaway: Small distributions receive booting option that avoids Microsoft’s US$99 signing fee.

Former Red Hat developer Matthew Garrett has delivered a shim that will allow smaller Linux distributions to boot on a system using Secure Boot without having to deal with Microsoft.

Secure Boot is a Unified Extensible Firmware Interface (UEFI) specification that prevents the loading of drivers or OS loaders that are not signed with an authorised signature, and whose public key is stored in the device’s firmware.

Garrett previously wrote that three options exist to allow non-Microsoft operating systems to boot. The first option is to disable Secure Boot entirely, which negates the benefits of Secure Boot’s trusted boot process. The second option is to remove an existing Platform Key, presumably Microsoft’s key, to allow the user the ability to add a new key. The last option that Garrett highlighted would be to ship a bootloader signed with Microsoft’s public key, which contains its own key store, MokManager, which allows a signed second-stage bootloader to boot.

Garrett’s new shim takes advantage of the third option, all the gory details of which are detailed here.

From a user’s perspective, they would see a 10-second countdown with a menu that contains an option to enroll a key from disk. The user could then browse the filesystem to select the appropriate key and add it into the device’s firmware.

Any operating system that is able to be booted from a GRUB environment can take advantage of this shim.

The one caveat with this system, though, is that MokManager is signed with a key that users and distributions will have to trust Garrett deleted immediately after the build was completed.

“You’ll need to accept my assurance that the private key was deleted immediately after the build was
completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user,” wrote Garrett. 

The shim can be downloaded from here

~ Chris Duckett

Read More

Fedora to be signed by Microsoft

Takeaway: Fedora’s hand forced in the battle to comply with Secure Boot specifications

Fedora 18 will support UEFI’s Secure Boot feature by using Microsoft’s sysdev signing service, to sign its initial bootloader.

The plan and the reasoning behind it for Fedora’s next release, was detailed in a blog post by Red Hat’s Matthew Garrett. Garrett has provided a running dialogue on the problems faced by Fedora and Red Hat, to operate with the upcoming UEFI Secure Boot enabled hardware.

Garret said that future releases of Fedora will have a bootloader that is signed using Microsoft’s signing key, because there is a very high probability that Microsoft’s key will be bundled will all hardware, to be Secure Boot compatible. Since this option is available to any Linux distribution, it prevents Fedora being in a better position than smaller distributions, due to its backing and mindshare.

The signed bootloader will do nothing more than load a version of Grand Unified Bootloader (GRUB), the standard Linux bootloader, that is signed with a Fedora signing key. This version of GRUB will be prevented from module loading and running arbitrary code at runtime, two features that are unrestricted presently.

Following on from this, the Fedora kernel will now also be signed and will have its command line sanitised, to avoid functionality that would allow an attack to cause a signed kernel to launch arbitrary code.

Fedora will be signing all the modules and drivers that it ships, and restricting access to PCI, which will mean that graphics cards will need kernel drivers; also, user modesetting will be removed.

“Secure boot is built on the idea that all code that can touch the hardware directly, is trusted, and any untrusted code must go through the trusted code. This can be circumvented if users can execute arbitrary code in the kernel. So, we’ll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality.” wrote Garrett.

“If we produce signed code that can be used to attack other operating systems, then those other operating systems are justified in blacklisting us. That doesn’t seem like a good outcome.”

Users can remove these restrictions by disabling Secure Boot.

Prior to coming to this decision, Fedora explored the possibility of creating a Fedora key and having vendors include that key in their hardware, it was dismissed for two reasons; it would not be possible to get the key into each and every vendor’s hardware, and that it would have put Fedora in a privileged position.

“As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it, would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs,” Garrett said.

Another alternative was to create a generic signing key for Linux, but this was seen as prohibitively expensive to maintain, and no organisation stepped forward to handle it.

Garrett was at pains to stress that while he is a Red Hat employee, these are only the plans for Fedora, not Red Hat.

~ Chris Duckett

 

Read More