
Microsoft is killing Linux shops with Secure Boot - gabordemooij
Here are some examples (Dutch, so I passed the links through Google Translate):

http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.mingos.nl%2F&act=url

http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.hettes.nl%2F

http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Flinuxcomputers.nl%2F

It's now impossible to buy a Linux laptop in the Netherlands. You _HAVE_ to pay for Windows, even though you don't want to use that OS at all.

Seems like we're back to square one. And the worst part is, nobody seems to care. No outcry from the developer community. It's really sad. We don't seem to give a shit about freedom and choice.
======
UnoriginalGuy
Wait wait wait...

So Microsoft demands(!) that all x86 PCs and laptops which are sold in its
certification program have to have Secure Boot easily disable-able in the
BIOS/uEFI by the end user...

So these Linux-computer companies either buy laptops from manufacturers
directly or produce their own, but somehow the laptops they're buying are
unable to have Secure Boot turned off even though that is the industry
standard and literally what every single laptop retailer's laptops do?

This whole thing makes no logical sense at all.

I totally doubt that anyone is producing x86 laptops where you cannot disable
Secure Boot, if for no other reason than that it would make these laptops
ineligible for Windows/Microsoft certification which consumers care about.

These companies might be going out of business, but trying to tie it to Secure
Boot is nonsensical.

Plus on top of everything I just said several Linux distributions now support
Secure Boot out of the box. So these companies don't even have to go into the
BIOS/uEFI and change the settings, just install Ubuntu like they always have.

So OP: PROVE that Secure Boot is the cause of these companies going under? Or
at least explain the logic to it.

~~~
Toshio
> "So Microsoft demands(!) that all x86 PCs and laptops which are sold in its
> certification program have to have Secure Boot easily disable-able in the
> BIOS/uEFI by the end user..."

You say "easily disable-able" but that's not the case. The process of
disabling SecureBoot is anything but easy, and it's undocumented.

~~~
UnoriginalGuy
On my motherboard I go:

Security (tab) -> Secure Boot -> Disabled -> Save

And it is documented. It is right there in the manual. This is an ASRock
motherboard produced in the last few years.

It literally is as complicated as turning on and off the internal sound or
networking, or switching on USB legacy mode.

PS - This web-site shows a different ASRock motherboard with the same-ish
setup: <http://www.eightforums.com/tutorials/17058-secure-boot-enable-disable-uefi.html>

------
alanctgardner2
Having worked at (and briefly managed) a local computer store, then a big box
store, it's a brutal business. In the small store we made all our money on
service: selling recycled commodity boxes was a way to get traffic through the
door, so you could fix them later. A few high-end builds were the highlight of
my year, but they were few and far between. We considered offering Linux, but:

- It used to be that most technical people (and some non-technical) would
buy desktops. You can sidestep the Windows tax and attendant issues by
building a desktop (from parts you know work well with Linux), and maybe hit a
competitive price in the high end. Now that desktops are a tiny sliver of the
market, these stores are enslaved by OEMs, reboxing existing laptop designs.

- Starting from the same wholesale price, Linux resellers 'add value' by
installing Linux. But this value-add isn't really apparent to a large enough
audience - there isn't enough public awareness, and people aren't willing to
pay a premium. Especially if they're competent enough to install Linux
themselves. In my experience people expect ANY OS to be free; when we used to
try and sell Win XP as an upgrade (over 2K), people were aghast that the
software cost money.

- People want free support if you sell them on Linux. If they nuke the
system, you either scare them off with your hourly service rate, or you eat
the cost of the labour and go broke.

- So the vendor either charges a higher sticker price and doesn't sell many,
or eats the labour cost for developing Linux support, fixing and reboxing
laptops and tries to make up the tiny (or even negative) gross margin on
volume.

When I moved to a bigger chain store, they subsidized the low-margin laptop
market by aggressively pushing house-brand accessories: cables, cases, blank
media, printer ink. These small stores are typically much less aggressive
about selling high-margin commodities along with a system (it's harder to do
with less capital, space and by mail).

So it isn't a problem of freedom and choice. It isn't a problem of Microsoft
crushing little independents (not consciously). The computer business is very
hard to do well at small scale, and you should expect that on a medium time-
scale most will die. This is only exacerbated by the rush to laptops, then
tablets and smartphones, where it's impossible to differentiate.

------
pyalot2
There are two separate but correlated issues.

1) SecureBoot on WART (windows on ARM)
2) SecureBoot on x86/64

The first issue (WART) is easily explained. Microsoft stipulates that ARM
vendors may not accept any other operating system than Windows to run. This is
a case where one company (Microsoft) colludes with other companies (Asus etc.)
to create a product that is closed to the competition.

The second issue (x86/64) is more nuanced. Microsoft stipulates that other
OSes need to be able to run on these devices. However to do so one has to
obtain a boot key from Microsoft. The bios mechanism to restrict boot also has
to work. There are a couple issues with this:

1) Microsoft so far has issued barely any secure boot keys
2) Obtaining a secure boot key costs money
3) Microsoft can revoke those keys at any time
4) The implementation of secure boot on some devices is hardcoded to windows and won't work otherwise

Both topics are not a "market issue" because there are multiple companies
involved, many of which are monopoly holders in an area or other. Dell/HP/Asus
etc. are monopoly holders to personal computing hardware. And Microsoft is a
monopoly holder to personal computing operating systems. When you get multiple
monopoly holders banding together forming one company, you are talking of a
syndicate. Syndicates are explicitly forbidden to be formed under monopoly
laws. Thus Microsoft and its OEMs are in deep shit, at least in theory.

~~~
pyre

> Dell/HP/Asus etc. are monopoly holders to
> personal computing hardware

Doesn't the mono- part of monopoly make this statement a little shaky?

------
scholia
Microsoft doesn't sell laptops to OEMs, and none of these companies is buying
anything from Microsoft, so I don't see what Microsoft has to do with it. If
they have lost their original supplier, for whatever unstated reason, there
are dozens of Asian white box PC makers who will ship whatever you like, at
low prices....

Perhaps the market is just too small to make financial sense, or these Dutch
shops have no money.

I used the Wayback machine to have a look at the products and the results are
not too exciting. For example, a year ago, the 1.9kg Mingos LT-13-2 laptop had
a 1.3GHz Pentium, 2GB of RAM and a 160GB hard drive for €540.00 ($708) with
Ubuntu.

<http://web.archive.org/web/20120603005911/http://www.mingos.nl/ubuntu-laptops/mingos-lt-13-2.html>

I can't see how any rational person would buy that, even if they were totally
clueless, rabid anti-Microsoft fanboys. It's not like installing Ubuntu is
_hard_ ...

This whole thing makes no sense.

------
Ergomane
You can still buy a Dell XPS 13 with Ubuntu via dell.nl or an OS-less laptop
via BTO.

> <http://linuxcomputers.nl/>

They don't appear to even mention secure boot as the reason, but pricing,
margin and lack of interest, both from consumers and from vendors.

~~~
Toshio
The thing is, high-end laptops used to be one expensive option among many
before the whole SecureBoot thing.

You had a choice.

That choice has been killed. High-end laptops are now the only option if you
want freedom, and that's not an accidental thing, it's by microsoft's design.

~~~
mdmarra
I'm failing to see why disabling Secure Boot on a lower-end laptop before
installing Linux isn't a viable option here?

Of course, being able to have it ship disabled by default is ideal, but for
the HN crowd and for Linux shops, disabling Secure Boot in BIOS/EFI is
trivial.

~~~
phaylon
What about people who want to dual-boot?

~~~
illuminate
What about them? It remains trivial to dual-boot.

------
crutch
Dutch here. These vendors have all run into the same problem; their Dutch
distributor is no longer able/willing to sell them laptops without Windows 8
preloaded and they haven't found an alternative distributor.

Previously they could buy branded laptops (HP, Lenovo, and such) without
Windows. Consumers can already buy such laptops with Windows, and then install
Linux on them. These shops made it possible to buy laptops free of Windows, so
without having to pay "Windows-tax".

Hettes.nl have received an outpouring of support and have started a petition
with the intent to get this practice of product tying discussable in the Dutch
House of Representatives and in a well known Dutch consumers' rights
television show, and raise awareness of this to the European Union.

They write (my translation):

"At this moment we are receiving many comments about the stopping of
Hettes.nl, also on the Internet we are mentioned multiple times and many
visitors of Hettes.nl are disappointed that we are stopping. Because of these
comments we want to start a petition to make the Dutch government and the
European union see that this product tying should stop and that it should be
possible to buy computers (any brand) without Windows. So that we can offer
computers without Windows to consumers that prefer other operating systems!"

The petition is the link in the last paragraph on this page:
<http://www.hettes.nl/hettes-stopt>

Edit: added translation of Hettes.nl paragraph about their petition.

------
mcpat
Not exactly a solution to the troubling issue, but System 76 assembles
wonderful linux machines and they ship to the Netherlands.

<https://www.system76.com/home/shippinginformation>

~~~
claudius
For appropriate values of ‘wonderful’. But I guess if one pays 1500+ € for a
computer, an extra 100 € for Windows is not all that important.

~~~
guilloche
So, even if I hate MS and did not use their product, I still need to pay to
support MS to be even more evil next time.

~~~
claudius
I see it as a slight annoyance that comes bundled with this wonderful
trackpoint. Really, my point was that this is a major issue if the system
costs 500€, but about two thirds less important if it costs 1500€.

------
muddybulldog
There's no outcry because what you've shown is a market issue that has nothing
to do with secure boot or Microsoft.

~~~
sharms
I am not sure that is fair; the websites above mention that they can no longer
purchase laptops without a Microsoft license, which hurts their ability to
remain profitable.

I.e., at one point you could argue that if you didn't like AT&T, then the market
would create a viable alternative. It never did, and was broken up as we know
the free market does not solve everything.

In this situation, you could argue the market would create a viable
alternative, but Microsoft has a consistent track record of influencing the
market monopolistically.

~~~
lovehashbrowns
It's just the market that has gone in this direction.

As mentioned previously, it used to be the case that you could make a living
off of making custom PCs and selling them for a premium. You can still
actually do this, charging for a 15% premium or something like that, and make
a part time job out of it. But then you have to provide services such as
overclocking and water-cooling. Back in the days of XP and Vista, all you had
to do was assemble a system from OEM parts and sell it. You could offer higher
quality parts + a Windows OS + better performance/price ratio and still be
profitable because the system you made would still be cheaper than a pre-built
computer.

The thing that has changed is, as I said, the market. You can't do that
anymore because the margins are prohibitively small. You need to buy in bulk
and sell in bulk to make any kind of money.

But that's not an issue with Microsoft or this secure boot thing, that's just
the way that prices have changed in the market. A lot of companies can no
longer afford to sell systems without the extra money from MS sales and the
bloatware. It was never all that profitable to sell Linux machines to begin
with, and it's even harder now. But it's still possible. It's just that you
have to sell huge numbers of them, more than before, in order to stay afloat.

Another thing that you have to take into account is that it's a niche market
to begin with. Most people who enjoy Linux also know how to manage it, know
how to assemble a computer, and would prefer to set up the software/hardware
themselves rather than have a company do it for them.

I could be wrong in some of what I have above but that's my understanding of
this whole issue.

------
eliben
Of all the vile things Microsoft has been doing to suppress superior
competition to their inferior products, this must be one of the vilest. It's
absolutely disgusting.

------
jeena
I don't quite understand from those links how Microsoft does that, what is
Secure Boot, what are Linux shops and what does Microsoft do to kill them?

~~~
Toshio
If you haven't been following this story as it developed over the past year
and a half, microsoft corporation has leveraged their existing dominant
position in the desktop OS market and mandated that OEMs include microsoft's
encryption key in their motherboards, to the exclusion of all other encryption
keys, as a prerequisite to their logo certification program.

What is sad though is that antitrust regulators worldwide have looked at this
practice and saw nothing wrong with it.

~~~
jagermo
You forget to mention that secure boot can be disabled. And that there are
Linux distributions that can handle secure boot.

To quote the Linux Foundation: "Linux and other open operating systems will be
able to take advantage of secure boot if it is implemented properly in the
hardware. This document is intended to describe how the UEFI secure boot
specification can be implemented to interoperate well with open systems and to
avoid adversely affecting the rights of the owners of those systems while
providing compliance with proprietary software vendors' requirements."
<http://www.linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms>

~~~
Toshio
> "You forget to mention that secure boot can be disabled."

Correct. But the steps to do so vary wildly from motherboard to motherboard
and are not documented anywhere.

In fact, one of the things HispaLinux requested is that OEMs provide clear
documentation of the technical steps required to disable SecureBoot.

~~~
jagermo
Yes, I agree (although you cannot really blame Microsoft for this). But, to be
honest, someone who is able to install Linux should also be able to roam
through the Bios (which he/she should do anyway to check the settings, e.g.
confirm the boot sequence). Plus, as far as I understand it, Linux can
actually profit from secure boot, right?

------
X4
In future Organizations want us to "Root" our PC's, huh? We didn't complain
enough, we accepted that our vendor-locked Smartphones had to be rooted, to
become free. Our freedom is getting hand-cuffed slow enough, that the spoilt
Slave of the industry doesn't revolt, but fast enough to raise profits for the
supporters of this party.

My words in your ears, dear friends. We have to stop the engine of slavery,
the software that limits our hardware, it will limit our horizon when we allow
it to mature and manifest itself within our technology. Viva Freedom!

~~~
jagermo
No, you just head into the UEFI Bios and turn secure boot off. No rooting
required here (besides it's not being the right phrase).

~~~
betterunix
Unless you are on ARM, and only for now.

~~~
jagermo
Agree, sorry, should have mentioned that I mean the X86 platform.

~~~
betterunix
Sure, but ARM is going to be more and more common on low-end computers. Even
if the ability to disable these restrictions on x86 is still available in five
or ten years -- and I am not so confident that it will be -- it will not
matter for people who cannot spend more than $500 on a computer.

~~~
recoiledsnake
Are you saying that WindowsRT will totally take over the ARM market and kill
Android?

~~~
betterunix
No, I am saying that much of what we now think of as the "x86 market" will be
taken over by ARM. Cheap desktops and laptops are not going to stick with x86
forever, but there will still be demand for desktop and laptop form factors
and there will still be demand for Windows.

~~~
X4
Fedora’s Matthew Garrett explains his position very well. The "UEFI Forum",
which controls the Standard, is made up of computing industry representatives
including Microsoft, Apple, Intel, AMD, and a handful of computer
manufacturers.

<http://mjg59.dreamwidth.org/12368.html>

This is a more technical perspective:
<http://www.rodsbooks.com/efi-bootloaders/secureboot.html>

The day people start doing more than watching youtube videos with their ARM
computers is certainly a possible future. Smartphones are becoming a stronger
selling factor than the PC industry. We all agree that the future is mobile
and everybody is betting on this future.

Although not a BIOS disadvantage per se, switching from EFI mode to BIOS mode
requires re-installing your OS(es), or at least reconfiguring their boot
loaders.

------
guilloche
I myself will boycott the evilest MS and will not buy anything associated with
MS from now on.

Secure boot is evil until we can provide our own key. Even if GNU keys are
permitted, it is still bad enough.

~~~
Tomdarkness
You can provide your own keys, at least on some motherboards. Here is the
screenshot from my motherboard's bios:

<http://i.imgur.com/XkJ11If.png>

------
skriticos2
I bought my high end Ubuntu laptop from System76 (1) but the international
shipping is horribly expensive (north of $100). I'd hope there would be
regionally more distributed dedicated Linux hardware shops. Well, maybe this
will happen when things get worse?

[1] <https://www.system76.com/>

------
smogzer
Policy makers are dumb. They took ages to resolve an issue such as
availability to choose the default browser on an operating system, yet, in
their closed world of waiting for their retirement checks, they, and their
fault of ideals in their comfortable sofas do not address the:

simple issue of hardware and operating system separation.

~~~
sultezdukes
Because responsible citizens should be making those decisions, not "policy
makers".

~~~
dhimes
Unfortunately, in market-driven cases like this the decisions are being made
by the middle of the bell curve. And we know what that means:

<http://usatoday30.usatoday.com/news/washington/2003-09-06-poll-iraq_x.htm>

------
outside1234
Run Linux on your iPad or iPhone then. Oh wait.

~~~
Toshio
It's different. Apple and microsoft can do what they want with
hardware/software bundles that they build themselves. That's why no one
complains that those surface products are locked down, it's because microsoft
manufactures them. Consumer harm comes into play when microsoft leverages
their existing desktop OS monopoly to twist OEMs' arms into including an
encryption key that OEMs gain no direct benefit from.

~~~
recoiledsnake
> That's why no one complains that those surface products are locked down, it's
> because microsoft manufactures them

The Surface Pro is not locked down. You can even remove Microsoft's key and
stop Windows from booting and install Ubuntu's key or your own.

> Consumer harm comes into play when microsoft leverages their existing desktop
> OS monopoly to twist OEMs' arms into including an encryption key that OEMs
> gain no direct benefit from.

The OEMs' benefit is that their customers' PCs are not vulnerable to
undetectable rootkits as soon as they get on the internet and get hit by a
Java, Flash exploit or download a fake codec or toolbar. Interesting how no
one seems to talk about benefits of secure boot to real users in this
discussion.

~~~
Toshio
> "Interesting how no one seems to talk about benefits of secure boot to real
> users in this discussion."

Look, microsoft should be working to fix their software instead of leaving it
as it is and instead making life miserable for those who want digital freedom.

~~~
illuminate
"microsoft should be working to fix their software"

This is how they are working to fix their software.

------
recoiledsnake
Here we go again, just like last time with lots of FUD. I read through the
links in the post and they're completely devoid of any details.

First, I completely fail to see what this has to do with Secure Boot. If
you're a System Builder and you're able to install Linux but are unable to
turn off a checkbox in the settings, then you're a shitty system builder and
deserve to have your business shut down.

Second, I completely fail to see what this has to do with Windows 8. The main
complaint seems to be that the big OEMs are not shipping laptops without
Windows being already installed. Wasn't this true with Windows 7 too?

It looks like the magic words "Windows 8 Secure Boot" were included in the
headline and post only to gain HN karma points.

If you're a business and want laptops without an OS, you need to go to the
ODMs like Clevo, Compal, Asus, MSI, Quanta, Wistron, Mitac, Arima and Invente.
<http://en.wikipedia.org/wiki/Original_design_manufacturer>

They will happily sell you laptops in bulk without an OS installed. For
example <http://www.system76.com> does exactly that.

Looks like the computer shops linked seem to just want Lenovo to sell them
bare laptops so they can skim a profit by just loading Linux on them and then
selling them for a higher price. Guess what, Lenovo doesn't want to increase
their costs by creating a separate assembly line process which won't make them
any money.

Asus sells barebones laptop kits if I am not mistaken.

It's interesting how yelling "OMG WINDOWS 8 SECURE BOOT!!!" gets you a lot of
karma here even though it has nothing to do with the issue at hand.

The user is in control of the PC. They can load any key they trust or roll
their own personal key and even remove Microsoft's key to prevent Windows from
booting on their computer.

I don't see why tens of millions of PCs used by non-technical people should be
susceptible to undetectable rootkits out of the box just to appease some
stupid system builders who can't find the setting to turn it off in the BIOS
menu.

~~~
Toshio
> "If you're a business and want laptops without an OS"

No, I'm a consumer who wants the same variety of laptops/specs/price points
that are sold with windows eight preinstalled, to be available without
microsoft's contraptions, be they operating systems or encryption keys.

microsoft doesn't want me to have that choice, and this is the topic at hand,
and by the way, you should consider sticking to the topic at hand.

~~~
scholia
Easy: buy a Mac.

If there was a viable market of people willing to pay an economic price for a
Linux laptop then there would be companies to provide them. Several have
tried. Some are still trying (eg Dell) though it's hard to make money selling
to cheapskates.

As it is, whatever Linux market there is depends on the economies of scale
created by the Windows market. You're saving far more money thanks to Windows
than you would ever pay for Windows licences.

~~~
gabordemooij
Why on earth would I buy a Mac if I am looking for a Linux machine trying to
avoid paying for something I don't use. Does it make me a cheapskate if I
don't want to pay the Windows/Apple tax? I would have no problem spending
let's say $1500 for a decent Linux laptop: one with certified hardware, a
penguin key (instead of a Windows key), a pre-installed Linux distro and no
secure boot nonsense.

~~~
powertower
Oftentimes, due to Microsoft co-marketing funds, "desktop real-estate"
(trial-ware installs), and some other things - that end up offsetting the
OEM's costs - you're actually paying less for a system with Windows installed
than you are for a system without an OS installed. So the cost issue is mostly
a non-issue, as to maintain the same profit margins the OEM will sell the non-
OS system at a higher price.

This is especially true for "basic" systems, where they sell them at almost
cost price... As OEMs make all their profits on upgrades and higher spec
systems that they can sell at a markup.

------
Toshio
I'm with you. HispaLinux did send a memo to their local EC office, but the
official position in Brussels seems to be that there's been no breach of law.

Speaking for myself, I sent a private e-mail to Neelie Kroes saying that I
support the position of HispaLinux and that I regard it as an anticompetitive,
exclusionary practice for there to be only microsoft's encryption key by
default on all new motherboards, to the exclusion of say the GNU/Linux
community's key.

But there's only so much one private e-mail can do.

~~~
recoiledsnake
> I sent a private e-mail to Neelie Kroes saying that I support the position
> of HispaLinux and that I regard it as an anticompetitive, exclusionary
> practice for there to be only microsoft's encryption key by default on all
> new motherboards, to the exclusion of say the GNU/Linux community's key.

The whole problem is that there is no "GNU/Linux community's key" because no
one is stepping up to provide it. The big OEMs had already told Red Hat that
they're willing to include the community's keys so I fail to see the
"anticompetitive, exclusionary practice". Microsoft does not mandate that only
its key should be included by default on all new motherboards. The OEMs are
free to include any other keys.

~~~
betterunix
Who do you trust to maintain a GNU/Linux community key? The Free Software
Foundation, which takes an extreme position that even excludes Fedora? The
Linux Foundation, which talks about compliance with proprietary vendors'
requirements? Linus Torvalds, who takes no issue with TiVO?

There is no _single_ vendor I trust with the decision about which distro's
bootloaders can be signed. I only trust the distro I am using, and only
because I can switch to another distro at will (which I have done three times
since I began experimenting with Linux all those years ago). That is the
problem with the UEFI design: it does not let me, the user, decide who to
trust, unless I am technically adept enough to install custom keys (I
personally am, but even a lot of people at the local LUG and 2600 meetups are
not).

What we really need is a system that allows me to install whatever OS I want, and
allows that OS to optionally enable bootloader signing with its own key. I
should be able to hit a button while booting up to enable a special "OS
installation mode," which will boot from a USB device or a DVD to install an
OS. During that process, the OS installer can load keys for bootloader
signing. The user should _always_ be able to install the OS of their choice,
and should _not_ have to rely on Microsoft or anyone else to "approve" a
bootloader, OS, or anything else.

------
rth
In Turkey's laws you cannot sell a product combined with another product under the
same label. A computer is a product and software is another product. Hence you
cannot sell them under the same label according to the law. But they are selling
computers combined with M$ licenses. Some of my friends had to seek
justice but, as you'd expect, they cannot get their money back.

The winner is always who has the big money. They don't need to put an
encryption key in motherboards. They do this f.cking shit already without key.

~~~
jagermo
In all fairness, I don't think secure boot has the IT pros in mind. It targets
the vast majority of IT users who have no clue at all and install every crap
they can find on their systems. I recommend you take a look at this document
by the linux foundation: <http://www.linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms>

