Microsoft Windows 8 UEFI Secure Boot complaint: The case for and against

Microsoft Windows 8 UEFI Secure Boot complaint: The case for and against

Summary: A Linux user group filed a complaint with the European Commission alleging Microsoft's UEFI practices violate antitrust laws. Does the complaint have legs?


Earlier this week Hispalinux, a Spanish group which represents 8,000 Linux users, filed a complaint with the European Commission over the UEFI Secure Boot required for Windows 8 hardware, labelling it an "obstruction mechanism" that limited consumers' choice of operating system.

The group argued UEFI placed that choice between Microsoft, which it says holds a dominant market position, and hardware manufacturers.

"As Linux users and professionals, we find it deeply disturbing that, to be able to boot a Linux operating system, or any other operating system for that matter, on a computer configured with Microsoft's UEFI Secure Boot keys," Hispalinux spokesperson Paul Brown told ZDNet, adding that 90 percent of the machines on the market are configured this way.

"An individual, group of developers or company has to ask Microsoft for permission, wait for them to answer, and live with the threat that said permission can be revoked unilaterally by Microsoft at any moment and for any or no reason."

Antitrust expert Keith Hylton, a professor of law at the Boston University School of Law, says the complaint may be valid under European law, where a firm with a dominant position may have a duty to support rival products.

"The law is pretty clear in the US that a dominant firm has no duty to provide support to the products of its rivals," Hylton told ZDNet. "The law is less clear in the EU, and so a claim such as this may have some plausibility under EU rules."

Dominant position

Another case involving Microsoft's dominant market position was the EC's €561m ($731m) fine for Microsoft failing to comply with a five year order that required it to offer Europeans a choice of browser. The EU imposed the order on Microsoft in 2009 to address competition concerns about the company tying Internet Explorer to its dominant Windows desktop OS.

However, with UEFI, the European Union's Competition Commissioner Joaquín Almunia said in January he had not found any evidence Microsoft's "security requirements" would result in practices that violate the EU's competition laws.

Noting that range of factual, legal and economic considerations must be considered, Almunia said that it appeared that OEMs can give end users the option to disable UEFI secure boot.

The Secure Boot workaround

Paul Ducklin, a Linux user and consultant with security vendor Sophos, says that users can load a different OS, but it's not easy, in particular for less tech-savvy consumers.

"You can turn Secure Boot off, allowing you to load anything you want (though, admittedly, without the intended boot-time protection), or you can upload your own Platform Key, making you the cryptographic master of your own device.

"Nevertheless, doing so isn't a piece of cake, and replacing the Platform Key means you can't run the Windows 8 bootloader any more." 

Hispalinux's Brown adds that while it can be disabled on Intel x-86 machines, it cannot be disabled on ARM devices that run Windows RT. These haven't been hugely popular yet but ARM does have big aspirations for ARM PCs

"In any case it should be the other way round," said Brown. "It should be deactivated by default and, if the user needs secure boot, s/he can be given the instructions to activate it. The reasoning behind this is that deactivating Secure Boot is not a trivial or simple task for a non-technical user. Different providers locate the secure boot kill-switch in different places and under different names in the scarily complex and dangerous UEFI control panel."

"It has to be done from the UEFI control panel. It cannot be done from within the operating system. For example, on ASUS laptops it is not called 'Secure Boot' at all, but 'Legacy Mode', giving the impression that you are using something outdated and insecure."

That OEMs can give users the option to disable UEFI may dampen the chances the EU does anything immediately about the complaint, but it doesn't invalidate Hispalinux's legal argument either, according to Hylton.

"The EC's comments suggest that there is so far no factual basis to support the charge against Microsoft. That's not the same thing as saying that the plaintiff's theory has no basis in the law," he said.

According to Hispalinux's Brown, the complaint is about Microsoft using its influence to sway manufacturers to include UEFI Secure Boot with "exclusive Microsoft keys".

"The complaint refers to the imposition on computer manufacturers to include UEFI Secure Boot with exclusive Microsoft keys into computers with Windows 8 preinstalled. This mechanism, to all practical effects, impedes or seriously hinders booting any operating system (save Windows 8) without the express permission from Microsoft," said Brown.

"To be able to attain this goal, Microsoft has had to use all its influence and power in the market to force computer and component manufacturers to accept its monopoly in the UEFI Secure Boot key generation system."

The feature, according to Hispalinux, will "damage any chance of technological independence of the citizens, reducing their roles to mere passive users" and turn the machine in to an electrical appliance with only one possible use.

"It will also damage free competition, weakening the technological sector, leading to more poverty and unemployment in Europe," said Brown. 

Microsoft said in a statement: "UEFI is an industry standard aimed at improving computer security and the approach has been public for some time.  We’re happy to answer any additional questions but we are confident our approach complies with the law and helps keep customers safe."

Topics: Security, Linux, Microsoft, Operating Systems, EU, Windows 8

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Typical linux FUD

    Nothing here that is new, more whining from the linux community.
    • hoppmang...guess we all know your a Windows Fan boy

      Maybe you should go check your Surface sale............
      Over and Out
      • Human beings dominate rats on planet Earth so ...

        I guess rats deserve to sue Human beings for abusing their donimance to drive rats down to the dark, cold underground. What ultimate sissy BS that is so typical from the Linux camp?
        • That has to be the stupidest analogy I've read in quite awhile

          Sounds like the bitter windoze fanbuis are feeling threatened and getting desperate when they have to stoop to such ridiculous analogies like this.

          The Spanish lawsuit is only the opening shot. They'll be plenty more to come in the next few months. So much for supporting your dirty monopoly.
        • except that "humans"

          (in your terminology), are actually MS sheep, or rather MS Windows lab mice.
      • Another View

        Maybe you should check your linux market share?
  • Nothing but a bunch of hypocrites.

    It's way too simple to turn-off the UEFI secure boot. If those Spanish Linux users can't do that, they should change profession.

    The European law is now nothing more than a Joke.

    Google has 90 percent search market in Europe. Many European businesses and Microsoft has complained to EU about Goggle’s illegal and abusive business practices and tax evasion. So far the EU official has taken no action and is trying for settlement ( Google has bribed most European governments

    Apple is abusing EU law. Apple has no regard for warranty laws in EU. Did EU took any action, NO. Again shame on EU.

    Regarding the lawyer comments

    "Antitrust expert Keith Hylton, a professor of law at the Boston University School of Law, says the complaint may be valid under European law, where a firm with a dominant position may have a duty to support rival products."

    If the above is the law, then EU has clearly failed.

    On a side note, EU is raiding Cyprus banks, a golden rule in capitalism is broken.
    • Wow!

      Five usernames, working on number six

      Owlnet, Owllnet, Owlllnet, Owlll1net, Owllll1net
      • Keeps getting banned

        Blatant shill and full member of the 50c party.
        Alan Smithie
        • Talking about shills....

          If you have a point to make then write it otherwise you are no better than any other shill.

          BTW... a list of morons who call others shills. You all should go out together more often . :-)

          1. Alan Smithie
          2. daikon
          3. D.T.Long
          4. SC007
          5. Cloggedbottom 4 , 5,6,7
          6. My View point
          • Owllll1net, Backup your claim

            Show where I called anyone a shill….

          • The absence of denial

            Can we assume guilt ?
            Alan Smithie
          • We can assume bitter windoze fanbui troll

          • Trolling work help linux cause.

          • @Owllll1net, Backup your claim

            Show where I called anyone a shill….

            That’s what I thought write another silly
            Comment and hide.
          • Trolling work helps you look like an idiot

          • @Owlnet, Just sad

            That is what you wrote correct?

            “Respect opinions” “Only an idiot will call another fellow talkback user an idiot. He is entitled to his opinion.“
            -owllnet 24 August, 2012 22:18”

            Not professional. :(
          • No, its you.

            I respect everybody's opinion, classifying some trolls as trolls doesn't change that. Now what's your point? I published a 'moron' list based on 'shill' name calling.
          • @Owllll1net, Epic fail

            Your failure to provide any links on ZDNET
            I called anyone a Shill, shows you to be a liar.

            Very sad…..

    • A splendid display of bias .....

      and ignorance as usual.