news at 11.

Posted Apr 25, 2003 6:46 UTC (Fri) by ekj (subscriber, #1524)
In reply to: news at 11. by corbet
Parent article: Linus on digital rights management

Yes, you can make hardware that will only run signed binaries, and thus close that hardware to tinkering. In fact, making such hardware has already been attempted, it's called a console.

In essence, the bootloader of such hardware does the equivalent of:

    if (valid_signature(kernel))
        boot(kernel);
    else
        complain_and_stop();

This is nasty, if you are running on such hardware, then the ability to change the kernel in any way you like brings you nothing: if you change anything, even something completely trivial, the signature will no longer be valid, and your new changed kernel will not boot.

Linus is right though, this is clearly allowed under the GPL. And furthermore, it very likely CANNOT be forbidden even if we would want to.

A signature is (or at least it can be) a separate document saying the equivalent of: "I, Bill Gates, testify to the fact that the kernel with sha1sum=b7a7bf03dcafd4d48001d6a2a6fd2ceaefa4cc1e is trustworthy and can be booted. signed(bill_g)"

There is no way for the GPL, or any other legal document, to forbid the above document from existing. The signature above is clearly not a derived work of the kernel, but rather a commentary upon it (namely a commentary on the trustworthiness). The only info derived from the kernel is the sha1sum, but the only function of this is to make it clear which kernel you are talking about (much like mentioning the ISBN number of a book you are reviewing).

Furthermore, there is also no way you would be able to forbid hardware from acting on the existence (or absence) of such a signature. After all, there is no law saying that "hardware *must* boot all code."

Now, what *would* be nasty would be new laws *requiring* hardware to implement signature-checking. Such laws would essentially make it forbidden to make user-modifiable computers. The way the US is moving at the moment, I would not be too surprised if such a law is introduced and passed in the next few years.
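As an added illustration (not part of ekj's comment or of any real bootloader), here is a small Go model of the check described above: the "separate document" names the kernel only by its sha1sum, is signed with an Ed25519 key, and the bootloader recomputes the hash of the image it actually has before deciding whether to boot. The function names, the key and the sample image are all constructed for this example.

```go
// Added example (not from the LWN thread): a model of the signed-boot check.
// The signed document mentions the kernel only by its sha1sum, the way a
// book review mentions an ISBN; the bootloader verifies it with a vendor key.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Statement builds the separate document for a given kernel image.
// SHA-1 is used because the comment's example uses sha1sum.
func Statement(kernel []byte) []byte {
	sum := sha1.Sum(kernel)
	return []byte("the kernel with sha1sum=" + hex.EncodeToString(sum[:]) +
		" is trustworthy and can be booted")
}

// Sign is what the key holder publishes alongside the kernel: a detached
// signature over the statement, not over (or derived from) the kernel itself.
func Sign(priv ed25519.PrivateKey, kernel []byte) []byte {
	return ed25519.Sign(priv, Statement(kernel))
}

// ValidSignature is the bootloader's check: hash the image actually present,
// rebuild the statement and verify it against the key baked into the hardware.
// Any change to the image, however trivial, changes the hash and fails here.
func ValidSignature(pub ed25519.PublicKey, kernel, sig []byte) bool {
	return ed25519.Verify(pub, Statement(kernel), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	if err != nil {
		panic(err)
	}
	kernel := []byte("constructed sample kernel image, build 1") // stand-in image
	sig := Sign(priv, kernel)

	patched := append([]byte(nil), kernel...)
	patched[len(patched)-1] ^= 1 // a one-bit "trivial" modification

	for _, img := range [][]byte{kernel, patched} {
		if ValidSignature(pub, img, sig) {
			fmt.Println("boot(kernel)")
		} else {
			fmt.Println("complain_and_stop()")
		}
	}
}
```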



news at 11.

Posted Apr 25, 2003 13:45 UTC (Fri) by Wol (guest, #4433)

But new laws *requiring* it would kill the computer industry stone dead! Either you make it well-nigh impossible to get hold of signing keys, which would destroy all the little programming shops (and don't forget, that includes most businesses that use computers as *computers* rather than glorified typewriters), or you end up with loads of keys out there that are forever leaking.

RedHat certainly, and probably other major distributors such as SuSE, would almost certainly publish a signing key for general use.

Have no fear. Such a law would be either unenforceable, or nuke-style destructive. However, given the number of laws recently *passed* which ban the Internet infrastructure in various US states (the so-called super-DMCA bills), unfortunately I can see such laws getting passed...

Cheers,
Wol

Distinguish development workstations from Aunt Tillie's iMac

Posted May 2, 2003 9:31 UTC (Fri) by bgilbert (subscriber, #4738)

Not necessarily. Consider professional media production houses and copy protection mechanisms like MacroVision. Professional equipment can trivially defeat MacroVision, and anyone who wants to buy an N-thousand-dollar professional deck and TBC can do it. The point of MacroVision is to discourage casual copiers, not professional pirates.

So, require standard home and business computers to execute only signed code. Sell a separate class of hardware -- "development machines" -- which costs $50k/box and will run anything you throw at it. Combine that with a TCPA-like system in which most signed software won't trust a system that can run unsigned code. Then, vigorously prosecute people who "misuse" their code-signing keys* -- and since companies with deep pockets are more likely to have code-signing keys in the first place, this will be effective. The end result is that you've concentrated development on a relatively small number of dedicated, single-purpose, trackable and auditable machines, and motivated everyone with a key to protect it from use by others.

Will this shut down open-source development entirely? Of course not. But it raises the bar; if the average user's workstation can't run the output of its own compiler, it's much harder for people to casually tinker with the code. The trick is to raise the bar too high for Joe Programmer, while still letting small software houses get through.

* What happens if code must meet certain requirements in order to be legally signed (either through outright legislation, federal regulation, or contract with the provider of the signing key)? Through the miracle of selective enforcement, this can leave free software developers with legitimately-obtained signing keys open to fairly significant legal action. That'll be a deterrent as well.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.