In Defense of Free Software: My Case Against Lenovo in Mexico

globalvoices.org

84 points by thingamarobert 10 years ago · 32 comments

jordigh 10 years ago

There's a collective of quixotic Mexican software developers and users that is quite active. I wonder why it is that FSF's philosophy with its exhortation to viciously defend freedom resonates so well in some parts of Mexico. It was those groups, which congregate on the Hackmitin[1], Hacklab Autónomo[2] and Rancho Electrónico[3], that helped Jacobo Nájera with his legal proceedings against Secure Boot.

I went a couple of times to the Hacklab. It's an interesting place. At the time, it looked like they were squatting in an abandoned building and they looked like Hollywood hacker stereotypes. If it weren't for the proliferation of hardware with Debian and Trisquel logos, their appearance would make you think these were just ordinary anarchist punks. In a way, that's what they are, except they are technoanarchist punks, and obviously not completely anarchist as they know how to work with the legal system. They were very left-leaning, distrustful of all corporations, completely aligned with FSF philosophy; radical, feminist, and fiercely protective of their rights.

I rather miss that scene. I haven't found quite something like it here in Canada.

I hope Nájera manages to get somewhere, but it seems like a hopeless fight against MSFT, the one that is really ensuring that installing the OS of your choice is impossible. The whole "security" thing is a sideshow; the real goal here with "Secure" Boot is to make it harder to install unlicensed copies of Windows.

---

[1] http://hackmitin.espora.org/

("mitin" in Spanish is from English "meeting" but has left-leaning political connotations such as protests and marches.)

[2] http://hacklab.espora.org/

[3] http://ranchoelectronico.org/

  • comex 10 years ago

    > The whole "security" thing is a sideshow; the real goal here with "Secure" Boot is to make it harder to install unlicensed copies of Windows.

    How does that make sense? The Lenovo laptop in question, like most non-Apple PCs sold in the West, came with a licensed copy of some version of Windows; and Microsoft's strategy lately has been to offer (almost coerce) free OS upgrades, apparently valuing users being up-to-date over the revenue it could gain from the meager fraction of users who'd pay for upgrades. So there's little reason for users to ever install pirated copies of Windows on such devices, or for Microsoft to care if they do (in order to downgrade or whatever).

    In China and elsewhere the situation is different, but since the manufacturers are "in on" the piracy, there is no reason they'd enable any firmware features that could hinder users from installing pirated Windows; and even if a future version of Windows requires Secure Boot, that would just be patched out along with the activation checks. (That is, if China ever gets off Windows XP!)

  • ryanlol 10 years ago

    > The whole "security" thing is a sideshow; the real goal here with "Secure" Boot is to make it harder to install unlicensed copies of Windows.

    This is an utterly ridiculous conspiracy theory with zero connection to the reality.

    Not only does Secure boot not affect someone trying to install a pirated copy of Windows, but it singlehandedly does more against malware than the entire AV industry ever.

shmerl 10 years ago

If you can't disable "secure boot" - you should return that piece of lock-in trash and request a refund.

Lenovo are also infamous for refusing to refund the Windows tax (i.e. when you want to refund the price of Windows that came with the computer pre-installed, because you don't want to use it). Only taking them to court can help.

Const-me 10 years ago

I’m not defending Lenovo, I think they broke the law here and should fix their UEFI firmware.

However, when you throw away your OEM windows, you’re essentially throwing away money.

There’re good laptops that come with Linux or FreeDos preinstalled.

They are mostly targeted towards the enterprise market (who get their Windows through volume licensing). But I find it’s a good thing: besides OS choice I usually get upgradability, reliability, and reasonable prices (IMO companies are better at tracking their expenses). For example, take a look at the HP ProBook series: they are good, include a wide range of specs, and if you want to, you can get one without Windows.

  • jseliger 10 years ago

    > There’re good laptops that come with Linux or FreeDos preinstalled.

    This is an excellent and underrated point: http://arstechnica.com/gadgets/2016/06/the-xps-13-de-dell-co....

  • x1798DE 10 years ago

    > However, when you throw away your OEM windows, you’re essentially throwing away money.

    Can you actually get these *nix laptops for cheaper than their Windows equivalents? I personally consider Windows these days to be just one more piece of bloatware to remove, but I never got the impression that it added much to the bottom line cost.

    • Const-me 10 years ago

      Those aren’t exactly *nix laptops, those are enterprise-targeted laptops without an OS.

      And yes, models without Windows are typically cheaper, sometimes significantly.

      Consider ProBook 450 G3 X0P36ES versus T6Q45ET. They both have i5-6200U, 4GB RAM, matte 15” FullHD, Intel GPU. The former has FreeDOS preinstalled and costs €540, the latter includes Windows 7 Professional and costs €750.

      • speeder 10 years ago

        I am from Brazil. When I was looking for a laptop in 2013, most non-Windows laptops, even when compared to identical models that had Windows, were usually 130 USD more expensive...

        I bought then an ASUS n46vm with win8, hoping to remove it and install linux... never figured how to boot any os installer, even after disabling secureboot even memtest86 refused to boot.

    • slgeorge 10 years ago

      That's an error if you want Linux [0] to work on client hardware.

      Manufacturers pay the distributions to do hardware enablement if they think there is a customer for the OS on their hardware: alternative OS users are invisible if they buy Windows laptops. Every quarter when the distributions meet with the manufacturers the main topic of conversation is how many units shipped with their OS - this guides investment.

      Furthermore, manufacturers are the main way that other parts of the ecosystem learn about demand for an OS. As a Linux distribution, if you can't get Intel to give support for a chipset then the main thing you do is phone up HP/Dell/Lenovo etc and get them to convince Intel for you. That's not going to happen if the manufacturer doesn't know that there are client side Linux users.

      [0] I don't know about the hardware enablement story for alternatives like *BSD

jlg23 10 years ago

I applaud the OP for pursuing this so far. I'd probably just have returned the device, demanded my money back and bought something else.

JumpCrisscross 10 years ago

What is Lenovo's incentive for DRM'ing their bootloader?

  • iancarroll 10 years ago

    Secure Boot is designed to prevent malware from tampering with the BIOS by verifying bootloader (and sometimes kernel-mode driver) signatures.

    In this case, it looks like Lenovo either accidentally or intentionally borked the implementation of Secure Boot, because you are supposed to be able to turn it off when using non-Microsoft operating systems.

    FWIW, I believe Fedora supports Secure Boot by signing a static bootloader ("shim") that loads GRUB after checking its signature[0].

    [0] http://mjg59.dreamwidth.org/12368.html

    • pdkl95 10 years ago

      > loads GRUB

      As your link mentions, that loader only loads signed kernels (with signed modules).

      edit:

      > designed to prevent malware

      That's the official story. Anybody familiar with Microsoft's history knows they have been trying to lock down the wintel platform for a long time. Creating a "Trusted Computing" environment specifically for DRM purposes has been a goal since "Palladium".

      • pacaro 10 years ago

        I thought twice about responding to this.

        I worked on Palladium from very early days in 2002 through renaming to NGSCB and the eventual shutdown/transition of the project to ship BitLocker in Vista.

        The team never saw DRM as being an interesting use case. Remember that the Darknet paper [1] was written by the Palladium architects and product manager. The team fully understood that DRM wasn't an effective use of a secure computing environment.

        The scenarios that we were interested in were more like credential management, or being able to run remote sessions from a trusted space within an otherwise untrusted machine, etc.

      • iancarroll 10 years ago

        > That's the official story. Anybody familiar with Microsoft's history knows they have been trying to lock down the wintel platform for a long time. Creating a "Trusted Computing" environment specifically for DRM purposes has been a goal since "Palladium".

        Are you implying Microsoft encouraged Lenovo to disable the firmware toggle for Secure Boot? Even though it's only defective on one model of one manufacturer's computer, and literally any other computer (including the Surface x86 line) can toggle it?

        I don't see why they would maliciously introduce Secure Boot and only sabotage it on a very small number of computers.

        • xorblurb 10 years ago

          Microsoft seems to have used a phased-in strategy: first it was all optional, then it should be there by default but ALSO with a mandatory option to disable to get the Windows logo (and probably goes with big OEM deals) then IIRC with Windows 10 MS dropped the mandatory removable part (but it is still ok to have it) on x86, and on non-x86 this is probably already mandatory to NOT be able to remove it. I guess in a few years they will render it mandatory to NOT be able to remove it also on x86, for new computers to be eligible to Windows compat logo/OEM deals.

          Given implementations are huge and full of bugs, the stated intent is also complete bullshit: it is actually far more dangerous to have a platform with that kind of "security" measures, because once a hole is found malware can hide in there more efficiently and be extremely difficult to remove.

          • iancarroll 10 years ago

            How does Secure Boot enable malware to "hide in there more efficiently"? With or without Secure Boot, a compromised bootloader is in a privileged position, but not any more so with Secure Boot, from what I can tell.

            • xorblurb 10 years ago

              Because there is in general nothing to authenticate the hardware owner in contrast with the usual OS users/admins - that the model considers corrupted, and because it is designed to most of the time prevent modification by even admins (allowing only modifications signed by the hardware manufacturer), if a security hole is discovered and exploited it is not very easy to revert the system to a good state; it can even become completely impossible if the malware patches the security hole after having exploited it. So it can then sit there, unremovable, and with ultra-privileges. The situation is similar to infected Android: because of the security model it is not supposed to happen (most of the time, there are often "bugs" even in the informal model), but because software is full of security holes, once one is exploited it is less easy to remove the infection than it can be on a PC.

              It is for this reason that the security community considers the Intel Management Engine a huge security risk, and the situation is only marginally better with x86 firmware using such "security" features.

      • gozur88 10 years ago

        Microsoft is in an impossible position here. Signed kernels are the only way to prevent rootkits. If they don't move in this direction people will complain about insecurity. If they do we get complaints about locking down the platform.

        • chopin 10 years ago

          How about letting the owner upload keys combined with a hardware switch to enable that?

          • gozur88 10 years ago

            Yeah, seems like there ought to be some way to do it securely if you have access to the hardware.

    • simula67 10 years ago

      Shouldn't laptop manufacturers go the extra mile to help people install alternative operating systems on their laptops? If these operating systems provide additional value to consumers, it makes their product (the laptops) more valuable. These manufacturers do not exist solely to make money for Microsoft.

      • astrodust 10 years ago

        > These manufacturers do not exist solely to make money for Microsoft.

        These manufacturers do primarily exist to make money for Microsoft. Their margins are stupidly low, sometimes even negative, and yet Microsoft always enjoys very, very healthy margins on Windows itself.

        If the industry stopped racing to the bottom they'd be fine. Until then they need the Microsoft marketing money they get to survive.

  • geofffox 10 years ago

    Do they have another agreement with Microsoft which establishes a better price for Windows if Microsoft gets to be the OS gatekeeper (as seems to be the case)?

tzs 10 years ago

Google seems to turn up numerous people having no trouble disabling Secure Boot and installing Linux on that model computer. I wonder if the problem is confined to particular sub-models or particular revisions of the BIOS?

  • speeder 10 years ago

    I had an Asus n46vm with the buggy behavior... but found no one else complaining about it on Google.

    Since it also had other quirks (usb 3.0 port never worked) it might be a hardware defect interacting with the boot process.

kazinator 10 years ago

The appropriate course of action is to get a refund for the defective goods and move on with your life.
