Fedora, secure boot, and an insecure future


Posted Jun 7, 2012 20:23 UTC (Thu) by raven667 (subscriber, #5198)
In reply to: Fedora, secure boot, and an insecure future by gmaxwell
Parent article: Fedora, secure boot, and an insecure future

> requirement that it needs to be possible to disable it is in Microsoft's requirements. I can't reasonably expect their enforcement to be too aggressive

A boot locked system will be unable to run Win7 which is not a desirable outcome and is why this requirement exists. The manufacturers have no independent desire to boot lock anything. Win8 ARM can be boot locked because there is no installed base.

> billion dollar corporations can take away users rights

Bull s**t. Also "OMG CORPORATIONS!". I feel bad being so sarcastic but your point is just so misinformed.

As long as you have local key management and the option to disable, your rights have not been infringed in _any_way_.

> minimum cost of $99

Only if you want to be signed by the existing Verisign/MS authority, you can always be your own authority and have the end-user load keys in by hand. The whole purpose of being signed by the Verisign/MS key is to make it easy to work by default without requiring end-user interaction with the firmware. These systems are _not_ boot locked.

> What Redhat should be doing is distributing their secure boot signing key

No.

Seriously, no. You have no need for that to exercise your software freedoms since you can load your own keys or disable the entire secure boot system. There is no restriction preventing you from running your own modified boot loader software. Let me repeat that, there is no restriction preventing you from running your own modified boot loader software.

> displays a set of help screens to help users turn it off or add their own keys

Not possible because you can't modify the authorized keys via booted software, only from the firmware.

> displays a set of help screens to help users turn it off or add their own keys

Now that we've dealt with a number of misconceptions, the real issue is that the key management isn't as easy as it should be. Ideally when booting off removable media (USB, CD, PXE, not SATA) there would be a standard place to put public keys and the end user could be prompted on the console as to whether to import such keys before the beginning of the boot process. That would make it very easy for each spin or custom distro, even locally generated ones, to include their own key infrastructure, and use the secure boot feature, which is currently possible but is more work than strictly necessary. Developers who modify software probably don't have too much trouble jumping through the hoops required to use their own keys but it's not a user-friendly process for the majority of Fedora (or Ubuntu or Debian or SuSE, etc.) users who just want to get a machine installed and working.



Fedora, secure boot, and an insecure future

Posted Jun 7, 2012 21:07 UTC (Thu) by gmaxwell (subscriber, #30048)

> As long as you have local key management and the option to disable, your rights have not been infringed in _any_way_.

This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.

If "just turn it off!" was enough for me it would also be enough for Fedora.

And again, there is no guarantee that it will be deactivatable. It was not until Redhat fought to fix that, and Windows 7 existed before then.

As far as the corporation comment— Microsoft and RedHat sat at a negotiation table making these decisions, I'm not saying that I should have been there— but where was the non-profit and/or governmental party representing my interests relative to my ability to distribute software which will easily run on the widely available computers tomorrow?

> That would make it very easy for each spin or custom distro

And Fedora could work to make it easier. In the short term, where getting the firmware consistent isn't an option, having good help would be an option. This would leave all users, distributors, and authors equal and working towards common goals.

Fedora, secure boot, and an insecure future

Posted Jun 8, 2012 5:17 UTC (Fri) by raven667 (subscriber, #5198)

>> As long as you have local key management and the option to disable, your rights have not been infringed in _any_way_.

> This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.

And you still haven't provided any example as to what rights aren't being passed on to other people, because there aren't any and you have no argument.

> And again, there is no guarantee that it will be deactivatable. It was not until Redhat fought to fix that, and Windows 7 existed before then.

I'm not sure I can even parse that. In any event key management and the ability to disable are part of the Win8 logo requirements which should be widely adhered to. It doesn't have anything to do with RedHat and much to do with Win7.

> As far as the corporation comment— Microsoft and RedHat sat at a negotiation table making these decisions

Maybe they were smoking cigars and drinking whiskey too...

> And Fedora could work to make it easier

And of course the tools Fedora uses to make this happen will be available to anyone so it will be at least as easy for you or me as it is for them.

Fedora, secure boot, and an insecure future

Posted Jun 8, 2012 10:27 UTC (Fri) by drago01 (subscriber, #50715)

> This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.

You still have this right (with or without secure boot). Fedora has no obligation by *any* license that can be called free to help your fork, either by making their software less usable or anything else. All they have to do is to provide you the source and tools needed to create the fork.

And they *do* that. You have the source. You have the tools. If you want to sign it ... fine, pay the $99 and go ahead. If you don't or even can't (because you cannot afford the $99) that's fine as well; this does not make the software any less free.

By your logic Fedora is not free already because they have a competitive advantage over forks by having infrastructure (builders, mirrors, bug tracker...). All those cost way more than the stupid $99. Oh, and the trademark and marketing budget.

This is not that hard to understand really.

Fedora, secure boot, and an insecure future

Posted Jun 8, 2012 13:13 UTC (Fri) by dgm (subscriber, #49227)

>> As long as you have local key management and the option to disable, your rights have not been infringed in _any_way_.

> This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.

Gentlemen, you need to realize that the problem is not Fedora or what they do. The problem lies in those distributing Fedora, that is, the OEMs. If System77 or Dell ships a laptop with Fedora preinstalled, then they are the ones that _have_ to instruct the user on how to change the keys, should they want to.

Fedora is just trying to be nice to people that didn't choose a preinstalled system, and instead just want to test the distro on hardware blessed for Windows 8. That you can do this is GOOD.

Fedora, secure boot, and an insecure future

Posted Jun 8, 2012 9:56 UTC (Fri) by ballombe (subscriber, #9523)

> Only if you want to be signed by the existing Verisign/MS authority, you can always be your own authority and have the end-user load keys in by hand.

So far no evidence that 'loading keys by hand' will actually be possible has been provided, and indeed this is one of the premises of the Fedora decision. You cannot have it both ways.

Fedora, secure boot, and an insecure future

Posted Jun 8, 2012 16:54 UTC (Fri) by raven667 (subscriber, #5198)

Hardware with the Win8 logo will be shipping with secure boot enabled by default and the MS keys loaded by default, and must have the option to disable secure boot; they may also have the option to load their own keys. Fedora will be having their bootloader signed by MS because it's user-unfriendly to require a trip to the firmware to modify secure boot settings before booting an install CD. If you want to install custom software or older software (Win7 or whatever) you will have to fiddle with the firmware in any case.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds