M$ Seeks Monopoly on ARMed Devices

M$ is a big player in IT. By insisting that “secure booting” must be enabled on all ARMed devices on which M$ will licence “8”, M$ is seeking monopoly on ARM. Any manufacturers of ARMed chips will have to prevent GNU/Linux to boot from those chips if they want to sell to OEMs shipping “8”. The only alternative is to supply two types of chips, doubling inventory costs.

M$ will not do this for x86 systems because there are tons of businesses still running XP and they have a licence permitting them to run on new hardware but on ARM there is no legacy software from M$.

While it is less likely that anyone would want to swap OS on embedded systems, many people want to do that for smart thingies with upgradeable OS such as smart phones and tablets. I expect the world should lay a huge anti-trust suit on M$ sooner rather than later to prevent this action. An injunction would be nice.

see Software Freedom Law Centre (SFLC)

see Glynn Moody

M$, we’re watching. You’re not going to get away with this. 8-|

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology. Bookmark the permalink.

60 Responses to M$ Seeks Monopoly on ARMed Devices

  1. oiaohm says:

    Hanson LibreOffice is not the only office suite on Linux. Koffice/Calligra Suite is quite decent. Some areas beat LibreOffice hands down like project management. LibreOffice has none. There are also 3 closed source options.

    Java I have 3 different engines.
    smplayer is my most common media player not vlc.

    Where is your idea we don’t have a choice.

    Hanson my point is who has the right to lock the hardware. OS maker, Device maker or Device Owner.

    I am 100 percent sure in my eyes that the OS maker really should not have a say if a device is locked or not. They only made the OS not the hardware. The device has to be unlock-able so they can sell upgraded. Really a OS maker pushing for locked hardware is attempting to cut off own nose. So should be thought of as insane.

    Device makers should have the right to lock the device as long as they support the device. Like providing secuirty updates.

    Device Owner should have rights to recycle the hardware how ever they see fit when its no longer supported by device maker.

  2. Hanson says:

    “How is the success of Android/Linux about marketing but not about Linux???”

    Because GNU/Linux hasn’t made inroads while Android has exploded? If it were purely about Linux, Microsoft should have toppled over years ago. But Windows is a marketable product, while GNU/Linux in its basal form is not. Even high priest Mark Shuttleworth has understood that, which is why he pushes Ubuntu, not GNU/Linux. But even Ubuntu is too poor a product to succeed.

    “I guess that explains why hundreds of millions use GNU/Linux, Android/Linux, FireFox, Java, LibreOffice, VLC, etc. (sarcasm) It’s just such poor stuff.(/sarcasm)”

    Funny, isn’t one of the arguments you Linux people always like to dig out of the earth that something isn’t necessarily good just because it has mass behind it? Now the reverse is true?

    I’d also be more interested in the “etc.” part. Have you included there all the software that sucks?

    – GNU/Linux isn’t a success.
    – Android is a success thanks to Google pushing it.
    – Firefox is a bad browser. It should die, but Google loves keeping it alive for image reasons.
    – Java. Really? Java!?
    – LibreOffice. Well, it being the only real office suite for Linux, you don’t really have a choice, have you?
    – VLC. Sucks on all operating systems it supports.

  3. Hanson confuse two issues, “How can Samsung & Co. market Android phones successfully? By making Linux the non-issue.”

    How is the success of Android/Linux about marketing but not about Linux??? Google can market anything it wants to. That’s what it does better than anyone else in the world. They could market GNU/Linux with as much success. That’s the reason M$ has always viewed them as an enemy. First they ignored Google. Then they made fun of Google. Then they fought Google. Then Google won.

    Hanson also bases his reasoning on facts not in evidence: “your software is lacking in functionality and appeal”.

    I guess that explains why hundreds of millions use GNU/Linux, Android/Linux, FireFox, Java, LibreOffice, VLC, etc. (sarcasm) It’s just such poor stuff.(/sarcasm)

    Last year, more people bought systems running Linux than that other OS. Smartphones, tablets, netbooks, notebooks, and yes, even desktops running Linux sold hundreds of millions more units than M$ shipped. So, Hanson’s opinion is nonsense. The only place where M$ does well is on the desktop/notebook market where OEMs and retailers cooperate in the fraud of eliminating choice on retail shelves. M$ only gets traction on servers because that other OS needs lots of support just to stand up.

  4. Hanson says:

    “That’s not unreasonable but we have seen M$ stock nothing but their stuff on retail shelves, negating the basis of the concept, choice.”

    Pogson, you haven’t understood that Linux doesn’t have a marketing department. (You only have zealous parrots like Jim Zemlin.) In some ways you seem to believe that you don’t need one. Perhaps having one would finally allow you to enter the real world. And let you realize that the “good enough” software you strive for isn’t software you can market well. That your fragmented distribution landscape isn’t something you can market well. That your Linux celebrities like Torvalds, Stallman, Kroah-Hartman and so on are people who can’t be marketed well and can’t themselves market Linux well.

    Why don’t you ask your buddies over at Google how they got Android off the ground? How can Samsung & Co. market Android phones successfully? By making Linux the non-issue.

    Or ask Bruce Perens:

    “Open source is the only credible producer of software that isn’t bound to a single company’s economic interest. [But] open source has mostly not built a relationship with the common person and does not have their sympathy. There are a lot of people who believe we are the ones who make viruses. We have not been able to protect our own future by reforming law that is hostile to it.
    We have to reach the common man. We haven’t yet developed the sympathy for users that is manifested by Apple. We do very good inward facing. We work very well with each other. It is the outside world I want you think about. It’s up to the rest of us to build bridges with normal folk.”

    “Open source is being sold as apps to people who don’t even know they could get the same thing for free elsewhere . . . We are seeing some signs that Linux and open source have peaked. The locked-down platform is beating us in many ways today.”

    (Source: http://www.lifehacker.com.au/2012/01/perens-the-iphone-is-destroying-democracy-and-open-source/)

    People are unlikely to be educated, you have to appeal to them. And you are unable to do so because you’re unwilling, and because your software is lacking in functionality and appeal.

  5. Hanson wrote, “If you don’t like locked-down hardware, don’t buy it.”

    That’s not unreasonable but we have seen M$ stock nothing but their stuff on retail shelves, negating the basis of the concept, choice.

    It’s also clearly an anti-competitive move and is illegal in many jurisdictions. I expect sooner or later some legal authority will decide collusion between manufacturers and M$ to exclude other operating systems is illegal even coloured by the myth of excluding malware. GNU/Linux and Android/Linux are not malware but will be excluded from millions of units for no ordinary business purpose.

    We would not accept automobiles that run on only one brand of fuel, one brand of tire, and one brand of oil. We do not accept personal computers that run only one brand of OS. It’s a single point of failure far worse than WGdisA.

  6. Hanson says:

    “One way or another it’s a mess/obstacle for FLOSS and M$ likes it that way.”

    Which mess? It’s all just in your head, Pogson.

    If you don’t like locked-down hardware, don’t buy it. It’s a company’s prerogative to lock hardware down. You still own the hardware. If you want to hack it to pieces or reverse engineer it to hell until you can install GNU/Linux, you can do just that.

    Stop pretending that the ability to install Linux on everything is some sort of human right. If you think that it is, talk to the United Nations about revising “The Universal Declaration of Human Rights”.

    There’s an easy solution for every problem you have: everyone has to become a hacker. Richard Stallman’s wet dream.

  7. oiaohm says:

    Clarence Moon read it carefully. Robinson-Patman

    http://en.wikipedia.org/wiki/Robinson%E2%80%93Patman_Act

    It only applies to the price of the item. MS arm stuff falls under limited clientele. Yes they sell to everyone in there clientele base at the same price.

    But to be clientele to by the arm version you must agree to the Microsoft rules that restrict a stack of things.

    Basically Robinson–Patman Act does not say I can buy it and run the hardware the way I want. If MS wants the condition that I cannot unlock the hardware to buy the product they can enforce it and not breach that act.

    It does not help in this case at all. The issue is limited clientele that is something Robinson–Patman Act does not address.

    Patent cases Robinson–Patman should apply a lot.

  8. Clarence Moon says:

    You seem rather stupid in regard to the law, Mr. Oiaohm. I do not think that you understand it very well. Robinson-Patman is not limited to retail sales and is not even particularly relevant to such sales.

  9. oiaohm says:

    Clarence Moon not for arm. The point I am critical making.

    Windows 8 for arm is not coming out in a boxed set. It for sale to hardware makers only under conditions.

    “That is guaranteed by the Robinson–Patman Act” does not apply in this case because its not a open sale item. It a select clientele only item.

  10. Clarence Moon says:

    You can buy as many copies of Windows 8 as you wish, Mr. Oiaohm, once it is available for sale, and at the same price as anyone else. That is guaranteed by the Robinson–Patman Act.

  11. oiaohm says:

    Dr Loser
    “17. MANDATORY: No in-line mechanism is provided whereby a user can bypass Secure Boot failures and boot anyway Signature verification override during boot when Secure Boot is enabled is not allowed. A physically present user override is not permitted for UEFI images that fail signature verification during boot. If a user wants to boot an image that does not pass signature verification, they must explicitly disable Secure Boot on the target system.”

    You cannot read. Even that this says user must they must explicitly disable secure boot. It does not truly say that the user has to be enabled to perform that action. On non arm inserted before “If a user” would solve any means to legal argument about this.

    Even so the later clause could still over ride this because find a single clause where it clearly states the user was given the right to override. The arm clause is directly stating that it taken away.

    The wording need to be change DR Loser. Currently you are placing your hope that a Judge rules in your favor. Could a judge rule that 17 is over ruled by 21 yes they could.

  12. oiaohm says:

    Dr Loser there will be no boxed sets for arm version of Windows 8. Either it comes on the device or it don’t.

    So yes Arm version MS has absolute control. You do what they say or they will not sell you copies of windows to put on the product. Why do windows phone 7 look so much the same. Because shell design is partly defined by the agreement you have to sign to get access to Windows phone 7.

    MS is very use to absolute control on arm devices.

  13. oiaohm says:

    Clarence Moon and with arm license to acquire OEM copies. If you don’t pass Windows 8 certification for the device you will not be allowed to by Arm copies of Windows 8.

    Dr Loser this by me is about a key thing that happened.
    “Currently hardware makers don’t have that option with the way the agreement is currently being worded.”
    First draft was sent to hardware makers for approval. The later draft with alterations have been straight up released to public. No option for hardware makers to ask for alterations before printing. There is no feedback option either.

    What I am making clear is MS is taking contract talk out of the hardware makers hands and into their own completely.

    Currently out of the hardware makers hands. This is now down to consumers to complain. If they don’t we will be stuck with lemons.

    Dr Loser
    “Can it legally enforce the prevention of a Windows 8 installation on a non-compliant ARM system?”
    In fact yes. This is the big problem. Because the ARM windows 8 license includes a clause at this stage that it must only be installed on “Windows 8 Certified Systems” on the arm platform. Same way apple does with OS X.

    MS has been restricting down the licensing and requirements.

    I have roughly 15 years in embedded development. I am fairly much in the loop. Your not DR Loser otherwise you would have already seen the up coming projected licensing agreements.

    If you are in the embed game large enough you would have been sent a copy of the first draft Dr Loser. Basically its not where to download it.

  14. Clarence Moon says:

    They can withhold the Windows 8 certification logo, nothing more. But that is a big thing with OEMs.

  15. Dr Loser says:

    @Robert and everybody:

    That was inconceivably dull, and I apologise.

    Now, moving beyond the individual paragraphs on a single page of a 293 page document, there is a more general issue here, and I think we’re all adult enough to discuss it (Koz, you have my permission to be a pointlessly insulting, yet adult, part of the discussion).

    To whit: As oiaohm has admitted, this is a draft contract.

    As all of you who have worked in the IT industry are aware, draft contracts are amenable to all sorts of pressures and will typically come with buried legal Easter Eggs. (“liquidated damages” is one of my favourites.)

    So, then. Two interesting questions about this particular draft:

    (1) Is it intended to define the following (from page 12)?

    “This release to web (RTW) document contains the Windows Hardware Certification requirements for Windows 8 Certified Systems. These requirements are Microsoft’s guidelines for designing systems which successfully meet Windows performance, quality, and feature criteria, to assure the optimum Windows 8 computing experience. Successfully following this guidance will allow a partner to receive certification for their system.”

    (2) Can it legally enforce the prevention of a Windows 8 installation on a non-compliant ARM system?

    My supposition at this point is that it is a fairly well-intentioned (given lawyers and legacy crap) attempt at (1). And that it cannot do (2).

    But if y’all want to continue frothing at the mouth about page 116, with or without amendments, then carry on. They closed the hospital at Bethlehem a couple of centuries ago, and I’ve still got several thrupenny bits stored up for the purposes of weekend amusement.

  16. Dr Loser says:

    You know, oiaohm, I was going to demolish your argument brick by brick, on the standard “humorous” observation that you are a brick short of a load.

    Turns out I was wrong.

    Some loads are just over-bricked.

  17. Dr Loser says:

    @oiaohm:

    “I guess you have zero embedded development experience to understand what 18 was saying. Like I cannot sign memtest86 or equal due to Windows 8 rules.”

    I guess I have far more embedded development experience than you (roughly five years). I also assert that the question is entirely irrelevant.

    Feel free to explain how these (draft; remember you finally had to concede that they were draft) rules forbid you from signing memtest86. Your expertise in these areas is always a refreshing change from boring old reality.

    “Basically if 18 was altered to allow makers tools to be signed and run. The windows 8 devices would be unlock-able with hardware maker approval. Currently hardware makers don’t have that option with the way the agreement is currently being worded.

    What, wording like (I’m using your old link):

    “Execution of these tools and shells must require that a platform administrator disables Secure Boot.”

    As usual, my highlighting of your relevant assertion.

    You fail. Miserably.

  18. Dr Loser says:

    @oiaohm:

    “20 delete ‘On non-ARM systems,’ and ‘On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.’ And you are back to first draft.

    “21 delete ‘On non-ARM systems,’ and ‘Disabling Secure MUST NOT be possible on ARM systems.’

    Basically first draft take perfect care of consumers rights. This later draft is reason for worry.”

    Fascinating, young man.

    Am I correct in saying that you pointed us, not three days ago, at the site wherefrom I downloaded this “contract?”

    And am I not correct in suggesting that your subsequent observations were based upon the exact text that you suggested we download?

    And am I correct in pointing out that, at the time (of the download of the text that you were apparently deeply concerned by), you were very much not of the opinion I highlight?

    If I am correct in this, then there is a reasonable supposition that you are full of shit.

    But even somebody who is full of shit deserves a second chance. Care to give us the updated link?

    And while I’m at it, the change to (21) apparently removes several of your more paranoid objections. That has to be a good thing, no? It’s difficult to be sure until you provide us with the actual link.

  19. Dr Loser says:

    @oiaohm:

    “17 most likely will be reworded it has not been altered from first draft yet. Clause 17 only need a minor additions of if not arm in a few places to resolve the conflict.”

    Now, this particular claim of yours is both important and risible.

    Section 17, for those who cannot be bothered to read it again, basically allows a user to “explicitly disable” Secure Boot, ie UEFI.

    According to Oiaohm, who knows these things, it will be crapped all over just so’s M$ can wield their mighty monopolistic sword.

    As a slightly more reasonable person, I beg to suspend my disbelief.

  20. Dr Loser says:

    @oiaohm:

    “‘On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.’

    “Section 20 completely kills you. This forbids third party KEK that were not there when the system was send to customer. Custom mode is how you install those third party KEK. So Windows 8 that is arm basically forget any ideas of being able to upgrade it to Windows 9 let along install Linux.”

    Read Section 20 again. And while you are doing so, reconsider your interesting hypothesis that it is a particular aim of the section to forbid the possibility of upgrading Windows 8 to Windows 9.

    a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.
    b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with Secure Boot turned off.
    c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.

    Once again, lousy drafting, representing whatever the previous contracts might have been. However: the important sub-clause here is (a). Sub-clause (a) effectively renders the PK utterly worthless. This is fairly clearly (on a proximity basis alone) the reason for the final sentence.

    Why is Custom mode required to install third party software? What is (inherently) wrong with Secure mode?

    I remain unkilled and unconvinced.

  21. Dr Loser says:

    @oiaohm:

    “‘Execution of these tools and shells must require that a platform administrator disables Secure Boot.’

    “This limits what a KEK can be issued for.

    “Because this is what Grub EFI contains is diagnostic options. So you are forbin to sign the Grub bootloader not because is GPL3 or anything else because it a diagnostic tool. So to run Linux we must either have the option of running in custom mode when we can upload our own keys or non-secured mode.

    “The big one here “decommissioning tools”. What is a decommission tool. That is the tool you use to remove secure boot from a system. And possible then latter install your own once the system is decommissioned. Also you cannot run under OS hardware diagnostics. Basically 18 + 21 equals screwed on arm to recycle the device for another OS.”

    See my highlight.

    It limits anybody who is not a “platform administrator” from doing this stuff.

    Not exactly an onerous limit, when (as I assume will be the case with ARM devices) the platform administrator is also the user.

    Or do you have a problem with the equivalent Linux Desktop notion of “root”?

  22. Dr Loser says:

    @oiaohm:

    “Dr Loser remember that document is not the final draft.”

    Funny that, because up until now you were abstracting from it as though it were. Silly me for following your lead.

    “So that loop hole you found that the wording is wrong mostly will be fixed before final.”

    What, the (two) loopholes that I, and IANAL, pointed out would make it inoperative in law?

    Well, let’s remind ourselves of what I actually said. I said that it was clearly badly drafted, presumably by a junior M$ lawyer, and that the phrase in question was clearly a follow-on. There are two ways that this could be fixed (to use your term):

    (1) The two additional words I proposed could be incorporated. This would then make it consistent, but not remotely a lock-in clause.
    (2) The lock-in could be explicitly defined. This would be far more difficult, and would involve a revision of that entire page. I’ve only read that page, since it’s the only one you pointed me at, but I wouldn’t be surprised if it affects the whole rest of the document.

    Of course, there’s also (3) it’ll be left there, because it’s hardly worth the effort (the benign intent implied by the other paragraphs is still in force) and M$ have no intention of Evil Law Suits on the issue.

    This one is going to be easy. Let’s just wait and see what the final draft says, shall we?

    If it incorporates all or part of (2), I expect you to come back and gloat.

    If it represents (1) or (3), I expect a fulsome, though not necessarily intelligible, apology for your unfounded fantasies.

  23. oiaohm says:

    Dr Loser remember that document is not the final draft.

    So that loop hole you found that the wording is wrong mostly will be fixed before final.

    First draft contains no special treatment for arm.

    You have miss read section 18. Because section 18 is lethal.
    “18. MANDATORY: UEFI Shells and related applications. UEFI Modules that are not required to boot the platform must not be signed by any production certificate stored in db, as UEFI applications can weaken the security of Secure Boot. For example, this includes and is not limited to UEFI Shells as well as manufacturing, test, debug, RMA, & decommissioning tools. Execution of these tools and shells must require that a platform administrator disables Secure Boot.”

    This limits what a KEK can be issued for.

    Because this is what Grub EFI contains is diagnostic options. So you are forbin to sign the Grub bootloader not because is GPL3 or anything else because it a diagnostic tool. So to run Linux we must either have the option of running in custom mode when we can upload our own keys or non-secured mode.

    The big one here “decommissioning tools”. What is a decommission tool. That is the tool you use to remove secure boot from a system. And possible then latter install your own once the system is decommissioned. Also you cannot run under OS hardware diagnostics. Basically 18 + 21 equals screwed on arm to recycle the device for another OS.

    “On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.”

    Section 20 completely kills you. This forbids third party KEK that were not there when the system was send to customer. Custom mode is how you install those third party KEK. So Windows 8 that is arm basically forget any ideas of being able to upgrade it to Windows 9 let along install Linux.

    17 most likely will be reworded it has not been altered from first draft yet. Clause 17 only need a minor additions of if not arm in a few places to resolve the conflict.

    The agreement puts the hardware maker in a location they cannot run there own hardware diagnostic tools that are OS independent to rule out OS malfunction vs hardware malfunction due to the wording.

    The anti-arm modification that has been added is for sure a rushed job Dr Loser.

    Other than 21 missing a word. Every error you are point to is section that existed prior to the anti arm modification clauses being added. Dr Loser.

    15-19 is exactly how the first draft of that agreement read. Has not been altered.

    20 delete “On non-ARM systems,” and “On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.” And you are back to first draft.

    21 delete “On non-ARM systems,” and “Disabling Secure MUST NOT be possible on ARM systems.”

    Basically first draft take perfect care of consumers rights. This later draft is reason for worry.

    Yes it has a few flaws but this is the path MS is on.

    I guess you have zero embedded development experience to understand what 18 was saying. Like I cannot sign memtest86 or equal due to Windows 8 rules.

    Basically if 18 was altered to allow makers tools to be signed and run. The windows 8 devices would be unlock-able with hardware maker approval. Currently hardware makers don’t have that option with the way the agreement is currently being worded.

    MS has played there hand want they want. A few legal wording errors they have until April at least to correct those. So you should not be presuming those any way around their intention.

    Those sections is a jigsaw if you read them alone they seam fairly ok. But you have to view them as a complete puzzle how are you going to obey all of them and unlock a device. Answer you cannot.

    How are you going to run grub you cannot. How are you going to allow windows 9 to run. Again you are not.

    Dr Loser peer to patent and Oin are both IBM backed bodies. Also IBM legal department gives talks at Linux conferences from time to time about how they want to have the patent system reformed.

  24. Dr Loser says:

    And just to make myself plain once again, Robert:

    After checking things up (which neither you nor oiaohm have ever done, to my knowledge), and after weighing up the evidence, I’m going to stand by my conclusion.

    There is no UEFI/ARM conspiracy or legal obstructionism going on here.

    And I still own both of your asses.

  25. Dr Loser says:

    And on a nicer note, Robert, would you care to point me to (non Android) Linux competition with Microsoft in the ARM sphere?

    As far as I am aware, Debian has given up on it and Ubuntu has no immediate plans (unsurprising, since Ubuntu is at heart a massively unsuccessful rip-off of Debian).

    Can we expect an ARM desktop release soon?

  26. Dr Loser says:

    Let me just reiterate the portion of the paragraph in question. I pointed out that the whole thing is badly-written, and I pointed out that it is legally unenforcable.

    “Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.”

    Not only has the idiot junior lawyer left out the word “Boot” in the second sentence, but he/she has also left out the word “Programmatic” before “Disabling.”

    That is what I meant by a follow-on.

    Do you really think that Microsoft would stubbornly persist on this in court? Well, probably you do.

    But do you really think that such an argument would stand a snowball’s chance in hell?

    Idiot? Well, Forest Gump to you. At least I bothered to read the bloody thing, interpret it, and then admit that I had made a mistake.

  27. Dr Loser says:

    @Robert:

    “Twit! Clearly, M$ is specifying one thing for x86/amd64 and another for ARM. That is not a contradiction but shows M$’s intent to gain monopoly on ARM.”

    Oh well, there goes sane argument, then.

    Clause 21 will never stand up in court. It is self-contradictory. Furthermore it is contradicted by clause 17.

    Do I get a pat on the head for reading/research?

  28. Dr Loser says:

    Apologies for going back to the side-issue, but:

    “IBM is one of the biggest callers for patent reform to prevent bogus patents.”

    Proof, oiaohm?

    “They like patents that people have truly done R&D.”

    Proof, oiaohm?

    “There are stack of patents that have no R&D behind them. Some legal person thought up the idea and took out a patent”

    Proof, oiaohm?

    “.. so the patent now exists causing everyone hell.”

    Proof, oiaohm?

    I doubt anybody outside FOSS has even noticed it in the year since it has been published.

    Let me remind you that it is a patent application designed to protect a particular automated system (or did you not pay attention to me telling you that? Surely not).

    Every single other point exists solely inside your head.

  29. Dr Loser failed to read the context when he wrote, “Interestingly, it is contradicted in the same clause:

    “A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.””

    Twit! Clearly, M$ is specifying one thing for x86/amd64 and another for ARM. That is not a contradiction but shows M$’s intent to gain monopoly on ARM. They do not want to preven all their existing software from running on new x86/amd64 systems so they need the bypass. For ARM they have no legacy stuff so they are “all-in”, trying to mess with competition.

  30. Dr Loser says:

    And then again, possibly not, having revisited 21:

    “Disabling Secure MUST NOT be possible on ARM systems.”

    Finally, we have the point at issue.

    Now, I’m not weaseling out of this, and I’d appreciate a sane conversation on the issue.

    (If I were going to weasel out of it, I would point out that “Disabling Secure” doesn’t mean a thing, legally, without the word “Boot” after it. It’s an interesting sub-clause, isn’t it? I’d agree: it’s probably been injected by some junior MS lawyer who wants to impress his bosses.)

    Interestingly, it is contradicted in the same clause:

    “A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.”

    The courts would therefore be allowed to decide between the two interpretations. I would be very surprised if they didn’t choose the latter. Alternatively, the entire clause is moot.

    In fact, and since I am thinking on the fly here, the MUST NOT sentence logically flows on from the previous sentence, which is a warning that you are not allowed to do this programmatically.

    I suppose you can accuse Microsoft of just about anything you want; but surely this is the first instance that anybody can find where they’ve written a legal contract quite so incompetently.

  31. Dr Loser says:

    @oiaohm:

    “If Dr Loser is a inside man he sure does not know how to read the fine print of a contract.”

    An inside man wouldn’t need to, would he?

    But this is hardly small print. I took my bifocals off and read every single word, with no loss of clarity whatsoever.

    May I ask (politely) how many IT-related contracts you have read, whilst in a legally- and financially-binding position?

    @Robert:

    “Thanks for the research/reading.”

    What research? He just picked a link off Glyn Moody, if not somewhere else. This isn’t research: it’s perilously close to plagiarism.

    And as for reading, my previous post suggests that (if he is capable of it at all) Oiaohm didn’t spend his valuable time doing any such thing.

    —————-

    This is even better than the last time (Unearned Revenues).

    This time, I own both of your asses.

  32. Dr Loser says:

    @pog & oiaohm:

    Make up your mind. Either I am an inside man, or I’m not.

    Alternatively, I have never even bothered to look at the contract and it was a throwaway comment, expecting a response. Which I now have, courtesy of Mr Oiaohm, and I will now examine page 116. Here it is in all its unvarnished glory:

    “15. MANDATORY: Microsoft Key Encryption Key (KEK) is provisioned A valid Microsoft-provided KEK shall be included in the KEK database. Microsoft will provide the KEK in the form of either an EFI_CERT_X509_GUID or EFI_CERT_RSA2048_GUID type signature. The Microsoft KEK signature shall use the following SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.

    “16. MANDATORY: PKpub verification. The PKpub key shall be owned by the OEM and stored in firmware flash. The private-key counterpart to PKpub is PKpriv, which controls Secure Boot policy on all OEM-manufactured devices, and its protection and use must be secured against un-authorized use or disclosure. PKpub must exist and the operating system must be able to read the value and verify that it exists with proper key length.

    “17. MANDATORY: No in-line mechanism is provided whereby a user can bypass Secure Boot failures and boot anyway Signature verification override during boot when Secure Boot is enabled is not allowed. A physically present user override is not permitted for UEFI images that fail signature verification during boot. If a user wants to boot an image that does not pass signature verification, they must explicitly disable Secure Boot on the target system.

    “18. MANDATORY: UEFI Shells and related applications. UEFI Modules that are not required to boot the platform must not be signed by any production certificate stored in db, as UEFI applications can weaken the security of Secure Boot. For example, this includes and is not limited to UEFI Shells as well as manufacturing, test, debug, RMA, & decommissioning tools. Execution of these tools and shells must require that a platform administrator disables Secure Boot.

    “19. MANDATORY: Secure Boot Variable. The firmware shall implement the Secure Boot variable as documented in Section 3.2 “Globally Defined Variables’ of UEFI Specification Version 2.3.1 Errata A”

    “20. MANDATORY: On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: “Custom” and “Standard”. Custom Mode allows for more flexibility as specified in the following:
    a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.
    b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with Secure Boot turned off.
    c) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.
    On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enable.

    “21. MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.”

    It’s very badly written, isn’t it?

    Nevertheless, 15 is unexceptionable (unless you object to legalese overhead, which in a sense is what this is). Ten minutes’ effort at most.

    17 points out, rather forcefully I believe, that the user should (in the general case) have the ability to disable Secure Boot. Otherwise, what does it mean?

    “If a user wants to boot an image that does not pass signature verification, they must explicitly disable Secure Boot on the target system.”

    18 and 19 are an attempt to define how a UEFI system is implemented in practice, which (assuming no evil intent) is no bad thing.

    20 is a reiteration of the general principles laid out in 17, which are that the thing is secure, but under user control.

    And 21 says … well, just read what 21 says. Let’s just remove 21 and allow any old malware to crap all over our boot sector, shall we?

    The key phrase in 16 is as follows (my highlights):

    The private-key counterpart to PKpub is PKpriv, which controls Secure Boot policy on all OEM-manufactured devices.

    There is no indication that PKpriv is expected to be under the control, sole or otherwise, of Microsoft. There is no contractual reason why the OEM should not retain PKpriv for its own purposes.

    Thus oiaohm’s (and Glyn Moody’s and Robert’s) arguments are shot to hell, as far as I can see.

    ——————–

    Sometimes, oiaohm, people actually take the time to read your links. When those people are me, and when I come from a position of no prior knowledge whatsoever, and I analyse what is put in front of me in a neutral manner …

    … when those people are me, I often find myself in the position of wondering what all the fuss is about.

    ——————-

    Let me put this very plainly to you both. At no point on page 116 does Microsoft assert the right, or even the requirement, to ban other software (sc. an operating system) from booting on a device covered by the contract.

    At all points, they are attempting to define the security model implemented via UEFI. Why? Who knows? The love of the common people, or possibly the very real likelihood of getting sued?

    At every relevant point, the user is the focus and the user is enabled to make the relevant choice.

    Evil, isn’t it?

  33. Ray says:

    On the other hand, we don’t even know the specifications of the UEFI Microsoft’s implementing. And second, I really don’t think that Microsoft would even attempt to try and do this, as it doesn’t want to risk antitrust again.

  34. oiaohm wrote, “Read page 116 of that. Dead simple UEFI secure boot custom mode where you can load your own signing files to use your own binaries or other third parties is fully disabled. Option to boot with secure mode off is also not allowed on arm.”

    Thanks for the research/reading. It’s pretty clear this is not about security of IT but security for M$’s monopoly. They are trying to extend it to ARM. They are creating a burden for the ARMed ecosystem, competitors and especially they are painting hardware makers into a corner. This system clearly raises the cost of IT and should be scrapped. The world is bigger than M$ and can tell M$ to go to Hell.

  35. oe wrote, “consumers will run from it.”

    I hope that is true but non-M$ stuff has to be on retail shelves for this to work. Will manufacturers be willing to produce two complete ecosystems of ARMed hardware?

  36. oiaohm says:

    Robert Pogson if Dr Loser is a inside man he sure does not know how to read the fine print of a contract.

  37. oiaohm says:

    Dr Loser can you not do research or read.

    http://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/ This link follow.
    Then down load “Windows Hardware Certification Requirements ”

    Read page 116 of that. Dead simple UEFI secure boot custom mode where you can load your own signing files to use your own binaries or other third parties is fully disabled. Option to boot with secure mode off is also not allowed on arm.

    So now everything must be signed by a MS or not run.

    Its in the Windows Hardware Certification requirements without obeying those you will not be allowed to ship windows 8 arm as part of current contract. So yes up the crapper.

    Dr Loser IBM that is only one patent of IBM of about 400 covering taking out patenting, monitoring patents, confirming that someone is in volition of patents and the list goes on. The IBM done a process around they called barb-wiring. Mostly to make sure that no one else could do the same thing to them. Of course I will leave it to your to find all 400.

    “And it boggles the mind that IBM would attack the current patent system, even with all its flaws. Do you remember which company has by far the largest number of patents?”
    Main reason IBM takes out patents is defensive move.

    IBM is one of the biggest callers for patent reform to prevent bogus patents. They like patents that people have truly done R&D. There are stack of patents that have no R&D behind them. Some legal person thought up the idea and took out a patent so the patent now exists causing everyone hell.

  38. Dr Loser wrote, “There is nothing in the current contract”.

    Ah hah! An inside man.

  39. Clarence Moon wrote, “In any case, the need to spend some money to validate a FLOSS item is apparently seen as a fatal impediment.”

    Money is not the problem. Permission to run software on a computer is. It will be difficult/expensive/impossible for every manufacturer to include keys from every version of the bootloader from every future release of every future distro. Why the Hell should a developer or end user need permission from a hardware maker to run software? There may also be practical problems of the sheer number of keys required to keep up with rapid development of any number of bootloaders. There may be legal problems with FLOSS bootloader licences. The only practical solution would be for a motherboard to accept any key as valid, completely bypassing M$’s stated goal of security. The best solution is not to dance to M$’s tune.

  40. Andrew says:

    “It does remove the notion of PCs being an all-skate sort of proposition open to anyone with a goofy idea.”

    Is this something like ‘gun-control’ but for computing devices?

  41. Dan Serban wrote, “Remember this episode?”.

    I don’t want a world where people have to break the law to use computers they bought. In Canada and USA there’s a law against breaking DRM etc. It is supposed to protect copyright holders, not monopolists, but it could be misused to prevent people from running different software on a device.

  42. Dan Serban says:

    If worse comes to worst and this goes through unchallenged, I have a prediction about what will happen.
    Remember this episode?
    http://en.wikipedia.org/wiki/AACS_encryption_key_controversy
    I predict some disgruntled employee of Qualcomm, Samsung, or whatever company makes those locked down tablets, is going to leak the key, and it’s going to spread like wildfire on forums and social networks.
    The key will then be hardcoded in custom versions of GRUB etc. and suddenly Linux runs on these tablets.
    MS catches wind, changes the key, issues an update, everything is back at square one, rinse, repeat…

  43. Clarence Moon says:

    It does remove the notion of PCs being an all-skate sort of proposition open to anyone with a goofy idea. The provider would have to participate in the business at least to the extent necessary to get one’s key registered by the manufacturer and that might cost someone some money.

    Money is what the bulk of the FLOSS folk do not want to have to use for software and they even talk about money as an evil.

    In any case, the need to spend some money to validate a FLOSS item is apparently seen as a fatal impediment.

  44. Dr Loser says:

    @oiaohm:

    “Its in the current contract that MS is putting up for Windows 8 Arm. Of course MS could end up back down on this as well.”

    You’re not addressing the point. UEFI does not a priori prevent “other software” from booting.

    There is nothing in the current contract that suggests that Microsoft are going to extend it in this way.

  45. Dr Loser says:

    @ooiaohm:

    You don’t seem to be exercising much independent thought here: just parroting what Wolfgang Gruener says (tongue-in-cheek, as far as I can tell).

    It’s a patent application for a method to automate patents. It’s hard — no, I take that back — it’s impossible to see how this could be used to invalidate patents filed and exercised in any way other than through the specifics in the application.

    And it boggles the mind that IBM would attack the current patent system, even with all its flaws. Do you remember which company has by far the largest number of patents?

    “IBM basically has done this as absolute proof the system need reform.”

    I see you’re mangling the English language again. “Basically” does not mean “not in any way whatsoever.”

  46. oe says:

    This makes buying ARM stuff simple, anything without a Windows sticker is probably good….

    The world I think has gotten used to mobile computing in phones and tablets that just works and won’t jump for Redmond’s shovelware….consumers will run from it.

  47. oiaohm says:

    http://www.conceivablytech.com/4823/business/the-ultimate-patent-troll-patent-get-sued-when-you-file-a-patent

    Note IBM has managed to create patent in every part of taking out a patent. So if IBM decides to operate as patent troll. Heaven help anyone holding patents. Have a patent is proof you owe IBM money.

    IBM basically has done this as absolute proof the system need reform. IBM is trueful about the case for reform of the system. IBM still like the idea of patents.

  48. oiaohm says:

    Dr Loser IBM took out the patent as test of how bad of patent you could get approved by the patent board.

    http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=20100332285.PGNR.&OS=DN/20100332285RS=DN/20100332285

    IBM has some very warped approved patents.

    Really if IBM started applying the patents they hold with force the results kinda would highly destructive.

    Basically what is the best way to bring down the patent system cause it to completely grid lock. Who hold the most patents IBM. Who could grid lock the completely system. IBM.

    Really the biggest patent holder deciding to act how the other brats do would make reform required quickly.

    “Unless you have some (even anecdotal) proof that Microsoft is going to be able to enforce this on ARM device manufacturers, then, as usual, you are blowing in the wind.”

    Its in the current contract that MS is putting up for Windows 8 Arm. Of course MS could end up back down on this as well.

    But until they do presume has to be applied.

    Do nothing it most likely will be enforce.

  49. Dr Loser says:

    @oiaohm:

    “Andrew funny enough IBM holds the patent for being a patent troll. About time IBM goes collects some payments.”

    Is the poster boy, Oiaohm. Is the poster boy: not “holds the patent.” Otherwise they would enforce this patent on other patent trolls, no?

    So, let’s see. You are absolutely and positively against patent trolls — as are we all. But not if the patent troll in question is IBM.

    Because IBM is so virtuous and all, and has never had dubious dealings with out-and-out fascists and was never a monopoly, and anyway you can’t touch them for that guv because they now embrace Linux and it isn’t “embrace and extend and destroy and we’re gonna keep all the important stuff for ourselves and not release it to the community,” no, it’s …

    … well, I have to be fair to you. IBM is competing in several areas against Microsoft. That makes them as pure as the driven snow.

  50. Dr Loser says:

    @Robert:

    “Android and Apple do not prevent software loaded into the system from booting.”

    Neither does UEFI, a priori.

    Unless you have some (even anecdotal) proof that Microsoft is going to be able to enforce this on ARM device manufacturers, then, as usual, you are blowing in the wind.

  51. oiaohm says:

    Ray. With Android I can order a device from china and run Android on it. Device landed blank.

    If the device is a HTC Android device I can run the HTC boot loader unlock-er program so disabling the secure boot. This is true for a lot of Android makers if you ask you don’t need to use some third party rooting tool. They will unlock just don’t expect them to do repairs on the device any more.

    MS case is different its part of contract to use the OS that the hardware makers don’t provide this option. If the hardware can or cannot be unlocked should be a pure hardware maker selection.

    Andrew funny enough IBM holds the patent for being a patent troll. About time IBM goes collects some payments.

    Yes Apple does the same as MS with iphone and ipads.

    Also wine is a important factor. Good section of the code is known to be arm compatible. Reactos.org a clone of windows does have a arm version.

  52. Andrew says:

    GNU/Linux, Android have no problems with malware affecting boot sectors, so there really is no need for secure boot, unless microsoft can’t secure its own software.

  53. Clarence Moon wrote, “you have a cow over their meager efforts to build some basic security into the boot process”.

    Uh, let’s see. How much malware propagates through re-re-reboots? None, Nada, Zilch.

    How much Free Software gets to run when hardware re-boots? Millions of installations.

    See the picture. This is not about security which is lost if the unit falls into hands that can reboot it. M$’s key will allow the thing to reboot, no? Once the thing is booted, the intruder who holds the gadget in his hands can get into it a million ways. For example, the key only affects the bootloader so a malware artist can butcher that other OS one way or another if he has control of the storage medium and get the bootloader to transfer control to his stuff sooner or later. You have to accept this unless you deny M$’s stuff is susceptible to malware.

  54. Dan Serban wrote, “I suspect it won’t matter much on ARM, since the app ecosystem there is pretty much a blank slate.”

    That’s the point. M$ wants to make the slate M$-only. Suppose you are a chipmaker (these gadgets are often SoCs, System on a Chip, with everthing in the chip), and you think someone somewhere will make a device with Phoney “7”. You will want to produce a device containing M$’s pet keys. Do you want to increase your inventories, production runs, mask development, etc. to cater to Android/Linux and all the other /Linux OS as well. None of them will pay you to insert a key. So you make only chips that run M$’s stuff and production of competitive OS dries, somewhat.

    I wish the manufacturers would have the balls to tell M$ to take a long walk off a short plank but they love no-risk cash that M$ can supply… Manufacturers of devices are not going to want to add in key-sniffing stuff on top of the hardware. They too will want it in the chip. M$ has been talking with ARM and chip-makers. What has been in the discussion? I hope a bunch will tell M$ to keep their keys so the market for ARMed thingies can remain diverse but I would bet M$ is trying its hardest to lock everything up. We shall see. Back-up plan is MIPS… and x86 is still available because M$ gave many permission to run XP forever on x86.

    This could be a new cash-cow for M$ if the world allows it. M$ wants milk/money, change the keys on new devices so the old software won’t run… lather, rinse, repeat, the new WARM treadmill.

  55. Clarence Moon says:

    My goodness, Mr. Pogson, Mitt Romney himself could take some flippy-flop lessons from you! On the one hand you point out almost daily how Microsoft has lost the ARM market and is not even a strong force in the x86 market anymore and here you fret over an immediate need for anti-trust law enforcement.

    You continually poke fun at the ineptness of Microsoft in regard to security features and then you have a cow over their meager efforts to build some basic security into the boot process.

    I am not sure that you really want a better world, Mr. Pogson. You seem to really only care about Microsoft’s demise.

  56. Android and Apple do not prevent software loaded into the system from booting. Apple might like to but they don’t succeed. Android/Linux has nothing in it to prevent booting. This is done at the hardware level by M$ and its partners right from power-on. Is the binary digitally signed by M$? No – no execution… Yes – execution. Unless the codes can be broken or the manufacturers distribute keys from gazillions of Linux developers Linux under anything will not run. It could be a role for The Linux Foundation to provide signatures for boot loaders but I don’t see it being workable with the rate at which FLOSS is produced/revised. Will the FLOSS world be content to have a single bootloader blessed by manufacturers? Linus and Zemlin might be satisfied with that but FLOSS is a meritocracy, not a monopoly.

    One way or another it’s a mess/obstacle for FLOSS and M$ likes it that way.

  57. Ray says:

    And two, we don’t even know what does it mean by UEFI anyways…

  58. Ray says:

    I don’t get it, Android and Apple are doing the exact same thing, where you have to root/jailbreak application which is not in the app store.

  59. Dan Serban says:

    I have thought about this.
    I suspect it won’t matter much on ARM, since the app ecosystem there is pretty much a blank slate. I even saw a CES demo showing Android apps running on “8” in a WINE-esque emulation layer. So the roles seem to be reversed, at least for the time being.
    “8” on ARM isn’t going to benefit from first mover advantage, just like WP7 didn’t over in smartphone land.
    And just like with WP7, I suspect it will be up to the free market to decide which tablet is better, and the market will decide in favor of either iPad or Ice Cream Sandwich tablets.

  60. Andrew says:

    Business methods at microsoft as such is not new.

    http://semiaccurate.com/2009/06/12/ms-steps-snapdragon/

    Maybe they should patent that also.

Leave a Reply