Microsoft Windows 8 UEFI Secure Boot complaint: The case for and against

A Linux user group filed a complaint with the European Commission alleging Microsoft's UEFI practices violate antitrust laws. Does the complaint have legs?
Written by Liam Tung, Contributing Writer

Earlier this week Hispalinux, a Spanish group which represents 8,000 Linux users, filed a complaint with the European Commission over the UEFI Secure Boot required for Windows 8 hardware, labelling it an "obstruction mechanism" that limited consumers' choice of operating system.

The group argued UEFI placed that choice between Microsoft, which it says holds a dominant market position, and hardware manufacturers.

"As Linux users and professionals, we find it deeply disturbing that, to be able to boot a Linux operating system, or any other operating system for that matter, on a computer configured with Microsoft's UEFI Secure Boot keys," Hispalinux spokesperson Paul Brown told ZDNet, adding that 90 percent of the machines on the market are configured this way.

"An individual, group of developers or company has to ask Microsoft for permission, wait for them to answer, and live with the threat that said permission can be revoked unilaterally by Microsoft at any moment and for any or no reason."

Antitrust expert Keith Hylton, a professor of law at the Boston University School of Law, says the complaint may be valid under European law, where a firm with a dominant position may have a duty to support rival products.

"The law is pretty clear in the US that a dominant firm has no duty to provide support to the products of its rivals," Hylton told ZDNet. "The law is less clear in the EU, and so a claim such as this may have some plausibility under EU rules."

Dominant position

Another case involving Microsoft's dominant market position was the EC's €561m ($731m) fine for Microsoft failing to comply with a five year order that required it to offer Europeans a choice of browser. The EU imposed the order on Microsoft in 2009 to address competition concerns about the company tying Internet Explorer to its dominant Windows desktop OS.

However, with UEFI, the European Union's Competition Commissioner Joaquín Almunia said in January he had not found any evidence Microsoft's "security requirements" would result in practices that violate the EU's competition laws.

Noting that range of factual, legal and economic considerations must be considered, Almunia said that it appeared that OEMs can give end users the option to disable UEFI secure boot.

The Secure Boot workaround

Paul Ducklin, a Linux user and consultant with security vendor Sophos, says that users can load a different OS, but it's not easy, in particular for less tech-savvy consumers.

"You can turn Secure Boot off, allowing you to load anything you want (though, admittedly, without the intended boot-time protection), or you can upload your own Platform Key, making you the cryptographic master of your own device.

"Nevertheless, doing so isn't a piece of cake, and replacing the Platform Key means you can't run the Windows 8 bootloader any more." 

Hispalinux's Brown adds that while it can be disabled on Intel x-86 machines, it cannot be disabled on ARM devices that run Windows RT. These haven't been hugely popular yet but ARM does have big aspirations for ARM PCs

"In any case it should be the other way round," said Brown. "It should be deactivated by default and, if the user needs secure boot, s/he can be given the instructions to activate it. The reasoning behind this is that deactivating Secure Boot is not a trivial or simple task for a non-technical user. Different providers locate the secure boot kill-switch in different places and under different names in the scarily complex and dangerous UEFI control panel."

"It has to be done from the UEFI control panel. It cannot be done from within the operating system. For example, on ASUS laptops it is not called 'Secure Boot' at all, but 'Legacy Mode', giving the impression that you are using something outdated and insecure."

That OEMs can give users the option to disable UEFI may dampen the chances the EU does anything immediately about the complaint, but it doesn't invalidate Hispalinux's legal argument either, according to Hylton.

"The EC's comments suggest that there is so far no factual basis to support the charge against Microsoft. That's not the same thing as saying that the plaintiff's theory has no basis in the law," he said.

According to Hispalinux's Brown, the complaint is about Microsoft using its influence to sway manufacturers to include UEFI Secure Boot with "exclusive Microsoft keys".

"The complaint refers to the imposition on computer manufacturers to include UEFI Secure Boot with exclusive Microsoft keys into computers with Windows 8 preinstalled. This mechanism, to all practical effects, impedes or seriously hinders booting any operating system (save Windows 8) without the express permission from Microsoft," said Brown.

"To be able to attain this goal, Microsoft has had to use all its influence and power in the market to force computer and component manufacturers to accept its monopoly in the UEFI Secure Boot key generation system."

The feature, according to Hispalinux, will "damage any chance of technological independence of the citizens, reducing their roles to mere passive users" and turn the machine in to an electrical appliance with only one possible use.

"It will also damage free competition, weakening the technological sector, leading to more poverty and unemployment in Europe," said Brown. 

Microsoft said in a statement: "UEFI is an industry standard aimed at improving computer security and the approach has been public for some time.  We’re happy to answer any additional questions but we are confident our approach complies with the law and helps keep customers safe."

Editorial standards