Linux Foundation memo: how to make a computer that doesn't lock out GNU/Linux

UEFI is a new hardware standard nominally aimed at stopping malicious software, but it could also make it illegal to replace Windows or MacOS with GNU/Linux on your computer. The Linux Foundation has written a technical memo for hardware vendors explaining how they can ship PCs that still protect users from malware, without putting them in legal jeopardy for running free operating systems:

The recommendations can be summarized as follows:
• All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed. It should also be possible for the owner to return a system to setup mode in the future if needed.
• The initial bootstrap of an operating system should detect a platform in the setup mode, install its own key-exchange key (KEK), and install a platform key to enable secure boot.
• A firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up.
• A firmware-based mechanism for easy booting of removable media.
• At some future time, an operating-system- and vendor-neutral certificate authority should be established to issue KEKs for third-party hardware and software vendors.

Making UEFI Secure Boot Work With Open Platforms (via /.)
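
To make the memo's terms concrete: on Linux, an owner can check whether a machine is in setup mode and which key-exchange keys are enrolled by reading the firmware variables exposed through efivarfs. The script below is an added example, not code from the memo or from this post; the function names (read_var, parse_signature_lists, platform_state, sample_list) are hypothetical, and it assumes efivarfs is mounted at its usual path.

```python
import struct
import uuid
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE namespace
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = Path("/sys/firmware/efi/efivars")  # usual Linux efivarfs mount (assumption)


def read_var(name: str, root: Path = EFIVARS) -> bytes:
    """Return a variable's payload; efivarfs prepends a 4-byte attribute word."""
    path = root / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes()[4:] if path.exists() else b""


def parse_signature_lists(data: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LIST structures -> [(type, owner, payload_len)]."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        start, end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or start > end or end > len(data) or (end - start) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # SignatureOwner GUID
            entries.append((sig_type, owner, sig_size - 16))
        off = end
    return entries


def platform_state(setup_mode: bytes, secure_boot: bytes, pk: bytes, kek: bytes) -> dict:
    """Summarise who controls the platform from the four variables' payloads."""
    return {
        "mode": "setup" if setup_mode[:1] == b"\x01" else "user",
        "secure_boot_enforced": secure_boot[:1] == b"\x01",
        "pk_enrolled": bool(parse_signature_lists(pk)),
        "kek_owners": sorted({str(owner) for _, owner, _ in parse_signature_lists(kek)}),
    }


def sample_list(owner: uuid.UUID, payload: bytes) -> bytes:
    """Build one single-entry X.509 signature list (constructed test data)."""
    sig = owner.bytes_le + payload
    return EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig


if __name__ == "__main__":
    if EFIVARS.is_dir():  # live system booted via UEFI
        print(platform_state(*map(read_var, ("SetupMode", "SecureBoot", "PK", "KEK"))))
    else:  # constructed payloads: a machine shipped in setup mode, nothing enrolled
        print(platform_state(b"\x01", b"\x00", b"", b""))
```

A machine that follows the first recommendation reports mode "setup" with no PK enrolled; once an operating system or the owner has installed keys, the kek_owners list shows whose key-exchange keys the firmware will accept.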



  1. I wonder how much good this will do.  Sadly it’s pretty clear that the vendors are largely in Microsoft’s pockets, and unlikely to worry as much about small niche markets like linux.  Hate to see them gain ascendancy like this, particularly for something that’s a minor problem (viruses) like this.

  2. All of that seems a lot harder (and more expensive) than just adding an option to turn off secure boot in the UEFI settings, which 99% of OEMs would likely have done with or without this stupid debate

    EDIT: Also UEFI with secure boot enabled doesn’t make it “illegal” to do anything, in that it’s not against the law or anything, it just makes that particular computer unable to boot operating systems without proper keys

    1. Actually, as far as I understand (and please correct me if I am wrong), but the act of installing Linux on one of these machines could actually be illegal.
      Let’s say that manufacturers do not cooperate, and machines have UEFI with secure boot enabled. If this cannot be disabled, you are locked into using an approved OS.  If you were to attempt to install Linux on this machine anyways, you would be violating the portion of the DMCA which “criminalizes the act of circumventing an access control”.  People could not write about circumventing secure boot and I suppose that it would be illegal to install Linux on one of these machines.  

      1. Common misconception, anti-circumvention only protects access to works protected under it. Basically it only stops you from circumventing controls that allow you illegal access to movies, music, and software you didn’t pay for. It has no hold over what you install on your computer as long as you paid for it or that software’s copyright allows for it.

  3. The question is WHY are the OEMs subservient to Microsoft?  WHY isn’t there a flourishing market for Linux PCs?  WHY would they be willing to work with Microsoft to shutout Linux, FreeBSD, OpenIndiana and numerous hobby OSes or ReactOS?

    Does Microsoft demand OEMs not sell any alternative or they will pay a higher price for Windows licenses?  That would be collusion–a violation of laws.  That should be the focus.  That should be investigated.

    1. The reasons why MS is ascendant are many and varied, but here are a couple:
      1)  Windows is easier to use than Linux
      2)  Windows is ubiquitous, meaning they control the mindshare, and everybody knows how to use it.
      3)  MS has paid vendors to NOT offer or support Linux in any way.  Yes there was an investigation, MS was found guilty of monopolistic practices, and the Bush Admin let them off the hook with a slap on the wrist.
      4) Oh, going back to 1 & 2, even if MS had NOT paid off the vendors, nobody could afford to be the only PC vendor without Windows. Instant market death.

        1. “Ubuntu is easier to use than Windows.”

          Well, it was, until they decided to force you to interact with it in a completely new way, whether you like it or not.

        2. Doesn’t that depend on the version of Ubuntu? I recently reinstalled Ubuntu 11.04 because Xubuntu 11.10 has no touchpad support/disable except by installing several add-ons. And I find Gnome 2/Classic easy to use, but Unity was impossible to use, and Gnome 3 is supposed to share the same new features/bugs as Unity.

      1. @flowergardenslayer:twitter: “Windows is easier to use than Linux”

        That was probably true 10 years ago.  But not today.

        Although, asking if Linux is “easy to use” is something akin to asking if books are “easy to read”.  Linux comes in a wide range of flavors.  And on top of Linux is a selection of window managers.  And regardless of which window manager you choose, there is a selection of file managers and email clients and internet browsers.  Linux is freedom of choice.  Linux is freedom.

        The point about Windows being ubiquitous is obviously true.  And it certainly has a grip on the mindshare. But I wonder if fear is part of the reason. I once knew a guy who had been in prison most of his life who told me he had a hard time adjusting to life outside of prison because he had to make his own decisions.  I think many Windows users fear freedom.

        1. “Linux is freedom of choice.  Linux is freedom.”
          Linux is meaningless slogans?
          “I think many Windows users fear freedom.”
          Oh, for fuck’s sake. I’m no fan of Microsoft myself, but this attitude of “anybody who disagrees with my choices is a sheep” is vile and doesn’t make the open source movement any friends. Perhaps people who use Windows have other things to do than giggle at random fortunes in a terminal window just so they can tell others what l33t UniX haXX0rZ they are. Perhaps they want to run programs that aren’t incompetent imitations of existing commercial software. Perhaps they have perfectly valid reasons you haven’t stopped to consider. 

      2. “1)  Windows is easier to use than Linux”

        What?  Have you ever had to install or re-install Windows on any computer, ever?  Tracking down driver software for the sound card, video card, wifi, etc. ad nauseam . . . that alone can take hours.  The actual installation is mind-numbing in its slowness.  Then there’s the fun of registering your product key online.  That’s if you can get enough driver support to get to the internet.  If not, Gods help you, because you’ll have to call Microsoft on the phone.  And wait.  And wait.

        As for getting useful things done, well, you’ll have to install (and quite possibly make a trip to the store to buy) an office suite, graphics program, etc. that don’t suck all the balls that ever were, are, and will be.  So add in more money, and more time.

        Conversely, a typical GNU/Linux distribution comes with GIMP image editor, LibreOffice, KOffice or Gnome Office, music software, a video player, etc., etc.  Ubuntu, to give an example, has ~25,000 digitally signed, free programs downloadable from their own archives.  No money, no trip to the store, and installation is ridiculously simple.

        The only reason people think Windows is “easier to use” is because someone else has done all the work of installing it, installing productivity software, and getting the whole cluster**** to play nice together before said opinion generator ever got their hands on the computer.

        1. I respectfully disagree with nearly everything you just said. I have a feeling you haven’t actually installed Windows since 2000 or so, because it’s a fairly painless experience now, and almost every network card (that isn’t obscure/ancient) has drivers included with Windows. There are a few exceptions to this, but I’ve had even more trouble getting those to work in Linux.

          I’ve always thought Linux was about choice… Yet you praise it for including a suite of software I may very well end up replacing. I’ll admit Windows does this, too, to a degree. Still, even my Windows machines have been customized extensively, using primarily FOSS and zero commercial software.

          Really, I think people think Windows is “easier to use” because they’re scared of the command line. And installing things from source can be quite daunting for neophytes.

          Obligatory disclaimer: I love Linux and run it on several of my machines. However, I can’t recommend it to a friend except in very specific circumstances (servers, low-end hardware, media centers, etc.) due to the stability issues I’ve encountered and the generally low technical ability of most people I know.

    2. “WHY isn’t there a flourishing market for Linux PCs?”

      Because by and large people aren’t interested in running Linux on the desktop? I thought this much would have become evident by now…

      1. And that’s probably simply because Bill got started 20 years before Richard and Linus. Hard to lose with a head start like that.

      2. In the late 90s/early 00s, several major vendors planned to offer their computers dual boot with Windows. Windows would be default, but users could boot into Linux if they wanted to as well. It would be trivially easy to do, and add exactly zero to the cost of the computers – just mirror different drives.

        Microsoft stamped down on it, said that anyone who did this would no longer be a MS certified partner and would have to pay full retail for all of their licenses and couldn’t put that little sticker on the computer.

        THAT is why Linux is not more widely used. That is also the real nut of the anti-trust case against MS, not some bullshit about what software they bundled for free.

  4. Will any of this stop me just buying a computer with windows on the machine and turning it on to use windows?  Because I’m pretty okay with windows? Or will I have to kill a man with a beard first?

  5. Good lord, yes. The only thing I miss about windows is the games. I can’t imagine any reason for me to go back to the primitive UI that is Windows. Every time I sit down in front of a Windows machine at work I feel crippled by not having Compiz running.

  6. I could give a crap whether UEFI makes it illegal to replace Windows with Linux.  If it makes it *impossible* to install Linux, then …  THIS SHALL NOT STAND. 

    1. How many systems that shipped with the Mac OS have had it replaced with an open-source alternative OS? 

  7. The malware protection line sounds like an obvious cover for a “closed system” scheme. We see this everyday with Apple being a closed system and now it will venture into the realms of disrupting the enjoyment of computer hobbyists : /

  8. “4) Oh, going back to 1 & 2, even if MS had NOT paid off the vendors, nobody could afford to be the only PC vendor without Windows. Instant market death.”

    Actually there are at least three Linux-only PC vendors! I’ve had laptops from two of them: EmperorLinux, ZaReason and System76.

  9. I wouldn’t worry too much. This is going to be like DVD regions — sure enough, it’s always been relatively easy to find unlocked drives, “region zero” etc, despite huge pressure on hardware manufacturers.
    Taiwanese companies don’t give a damn about copyright, security or whatnot, they’ll ship what the market will buy, illegally if necessary… and if they won’t, Chinese manufacturers will. As @google-b33a546c937f65ce7ef0f29ca0f6a84d:disqus  says, there will be an option or a jumper somewhere to bypass “silly-american” rules, and if there isn’t I’ll personally start a company to build just that and make zillions.

  10. Running Linux is a political act. Yes, in some ways it is less convenient. In many ways it is more so. But it is, inherently, a vote for digital freedom.

    Running Windows is saying that you value convenience, ubiquity, and wasting time playing new games over the broader, decades long struggle for freedom of choice and expression. Using Windows, unless for specific applications that cannot be replaced with FOSS, can only be based on cynicism, laziness, or ignorance.

    Apple, sadly, is totally in bed with MS. It’s a much different user experience, but stems from the same philosophy.

    1. Gee… Thanks for letting me know that I have been running Linux for 10 years because I wanted to make political statements. I  honestly didn’t know that. Neither did I know that it doesn’t clash with my categorical refusal to contribute to anything GPL3-related.

      Yours truly *open source* author, contributor and user.

      P.S. I write under dual bsd/artistic (the so called perl-license)

    2. I wonder why you don’t hear more about this from those who are protesting against The System.  It’s backwards, isn’t it? The software/OS “freedom fighters” aren’t 99%, they’re 1%.

    3. Running linux is a choice about efficiency. Want to code? run linux. Want to do CAD work? Probably windows is more effective.

      1. Importantly, this: Want to just use your computer for general computery stuff? Run Linux, it has a cleaner interface and is much more secure.

    4. “Running Linux is a political act.”
      So it’s setting yourself on fire in a public place, and probably more fun.

  11. I always wondered when Microsoft was finally going to mount a frontal assault against Linux, which to my mind is the same as outlawing or restricting ham radio.

    EFF, front and center!

  12. Americans losing again! Harper! Don’t let this happen in Canada! most of us use Ubuntu, can’t afford the $Microsoft “Tax” on computing – Many countries now using Linux systems, Ubuntu in class-rooms, France’s Police departments save a bundle this way! Why allow a dishonest monopoly on computing, world wide? 

  13. Lots of panic about something that isn’t happening. 

    There is no proposal to make running Linux illegal, NONE. Proposals from a source that is peddling false claims need to be considered suspect. Yes I know some folk think that Bill Gates is Baal and he eats babies, but sometimes it’s the conspiracy theorists who are wrong.

    The proposal for supporting Linux given is completely unworkable and would defeat the whole point of secure boot. For secure boot to work it has to be the default. That is totally non-negotiable.

    To make it possible to run a non-signed O/S has to involve going into console mode and selecting a switch to disable the secure boot. That should be pretty easy for those people who need to do so. Alternatively, permit an additional signing root to be added to the root-store.

    The best solution is of course to distribute a signed version of the Linux executable. But that is not possible because RMS cut everyone’s nose off to spite his face.

    Linux is a large part of the market so obviously BIOS makers are going to make it possible to run Linux. But that does not mean that the Linux community gets to make silly rules and then force the rest of us to accommodate them. 

  14. Many of you don’t understand why it is illegal, which is precisely why you shouldn’t be commenting on this article.

    The “illegality” would be the hacking of your OWN HARDWARE to enable linux to boot. This would mean you violate Digital Rights Management/Technical Protection Mechanisms protected by US DMCA law and further enshrined in the ACTA agreements and WIPO agreements in order to force UEFI to be ignored or to boot your own OS.

    To do anything else on your computer would require violating DRM/TPM, thus making your installation of illegal because you have circumvented UEFI.

    1.  Wrong, sorry, but you’re just spreading FUD
      quote from the DMCA
      “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.”

      Anti-circumvention only applies when you’re circumventing protections to gain access to copyrighted works (ie. movies, music, the usual) the Digital Millennium COPYRIGHT Act says nothing and really doesn’t care what you install on the hardware as long as said thing isn’t a cracked copy of Windows (thus circumventing protections put to control access to a copyrighted work)

      1. Dear Sir,

        Please read my post again, notice how there were other SCARY words in there as well, such as ACTA and WIPO. Also note the use of the language regarding TECHNICAL PROTECTION MECHANISMS (see Canadian bills C32 and C11). This kind of jargon is what YOUR GOVERNMENT sends to other nations to include into their own copyright laws.

        Also SOFTWARE is copyrighted in your country, thus derivative works and modifications to software are covered under your copyright act. Also why did you quote “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” Because it doesn’t seem to care what your intention is, modifying a UEFI against your OEM’s wishes regardless of the access to say WINDOWS or whatever copyrighted software still is circumventing “a technological measure that effectively controls access to a work protected under this title” whether or not it works or not.

        Furthermore if a UEFI breaker could be used to violate the Windows copyright (you do not actually have a right to modify it, did you read the EULA?) then the DMCA bans its sales, distribution and dissemination. What a catch-22.

        But you’re always free to interpret this any way you want, just as how MS’s lawyers, DOJ’s lawyers and the judge are free to interpret the law as well.
