Weekly Edition
Return to the Kernel page
| |||||||||||||
Loading keys from Microsoft PE binaries
The kernel does not run programs in Microsoft's Portable
Executable (PE) format. So when a
patch came along adding support for those binaries — not to run
programs, but to use them as a container for trusted keys — the reaction
was not entirely positive. In truth, the reaction was sufficiently negative to be widely quoted
across the net. When one looks beyond the foul language, though, there are
some fundamental questions about how Linux should support the UEFI secure
boot mechanism and how much the kernel community needs to be concerned
about Microsoft's wishes in this area.
The work done at Red Hat, SUSE, the Linux Foundation, and elsewhere is sufficient to enable a distributor to ship a binary distribution that will boot on a secure-boot-enabled system. Such distributions are often built so that they will only load kernel modules that have been signed by a trusted key, normally the distributor's own key. That restriction naturally causes problems for companies that ship binary-only modules; such modules will not be loadable into a secure-boot system. Many developers in the kernel community are not overly concerned about this difficulty; many of them, being hostile to the idea of binary-only modules in the first place, think this situation is just fine. Distributors like Red Hat, though, are not so sanguine. One solution, of course, would be for those distributors to just sign the relevant binary modules directly. As Matthew Garrett points out, though, there are a number of practical difficulties with this approach, including the surprisingly difficult task of verifying the identity and trustworthiness of the company shipping the module. There's also the little problem that signing binary-only modules might make Red Hat look bad in various parts of our community and give strength to those claiming that such modules have no GPL compliance problems. So Red Hat would like to find a way to enable proprietary modules to be loaded without touching them directly, allowing the company to pretend not to be involved in the whole thing. Red Hat's solution is to convince the kernel to trust any signing key that has been signed by Microsoft. Binary module vendors could then go to Microsoft to get their own key signed and present it to the kernel as being trustworthy; the kernel would then agree to load modules signed with this key. This only works, of course, if the kernel already trusts Microsoft's key, but that will be the case for all of the secure boot solutions that exist thus far. There is one other little problem in that the only thing Microsoft will sign is a PE binary. So Red Hat's scheme requires that the vendor's key be packaged into a PE binary for Microsoft to sign. Then the kernel will read the binary file, verify Microsoft's signature, extract the new key, and add that key to the ring of keys it trusts. Once that is done, the kernel will happily load modules signed by the new key. This solution seems almost certain not to find its way into the mainline kernel. In retrospect, it is unsurprising that a significant patch that is seen as simultaneously catering to the wishes of Microsoft and binary module vendors would run into a bit of resistance. That is even more true when there appear to be reasonable alternatives, such as either (1) having Red Hat sign the modules directly, or (2) having Red Hat sign the vendor keys with its own key. Such solutions are unpopular because, as mentioned above, they reduce Red Hat's plausible deniability; they also make revocation harder and almost certainly require vendors to get a separate signature for each distribution they wish to support. Linus has made it clear that he is not worried about those problems, though. Security, he says, should be in the control of the users; it should not be a mechanism used to strengthen a big company's control. So, rather than wiring Microsoft's approval further into the kernel, he would rather that distributors encourage approaches that educate users, improve their control, and which, he says, would ultimately be more secure. Loading a module in this environment, he said, would be a matter of getting the user to verify that the module is wanted rather than verifying a signing key. The other reason that this patch is running into resistance is that there is widespread skepticism of the claim that the loading of unsigned modules must be blocked in the first place. Proponents claim that module signing (along with a whole set of other restrictions) is needed to prevent Linux from being used as a way to circumvent the secure boot mechanism and run compromised versions of Windows. Microsoft, it is said, will happily blacklist the Linux bootloader if Linux systems are seen as being a threat to Windows systems. Rather than run that risk, Linux, while running under secure boot, must prevent the running of arbitrary kernel code in any way. That includes blocking the loading of unsigned kernel modules. It seems that not all kernel developers are worried about this possibility. Greg Kroah-Hartman asserted that module signature verification is not mandated by UEFI. Ted Ts'o added that Microsoft would suffer public relations damage and find itself under antitrust scrutiny if it were to act to block Linux from booting. It also seems unlikely to some that an attacker could rig a system to boot Linux, load a corrupted module, then chain-boot into a corrupted Windows system without the user noticing. For all of these reasons, a number of developers seem to feel that this is a place where the kernel community should maybe push back rather than letting Microsoft dictate the terms under which a system can boot on UEFI hardware. But some of Red Hat's developers, in particular, seem to be genuinely afraid of the prospect of a key revocation by Microsoft; Dave Airlie put it this way:
Its a simple argument, MS can revoke our keys for whatever reason,
reducing the surface area of reasons for them to do so seems like a
good idea. Unless someone can read the mind of the MS guy that
arbitrarily decides this in 5 years time, or has some sort of
signed agreement, I tend towards protecting the users from having
their Linux not work anymore...
Others counter that, if Microsoft can revoke keys for any reason, there is little to be done to protect the kernel in any case. In the end, this does not appear to be an easy disagreement to resolve, though some parts are easy enough: Linus has refused to accept the key-loading patch, so it will not be merged. What may well happen is that the patch will drop out of sight, but that distributors like Red Hat will quietly include it in their kernels. That will keep this particular disagreement from returning to the kernel development list, but it does little to resolve the larger question of how much Linux developers should be driven by fear of Microsoft's power as they work to support the UEFI secure boot mechanism. (Log in to post comments)
Just a user interface issue? Posted Feb 28, 2013 6:20 UTC (Thu) by jreiser (subscriber, #11027) [Link] According to UEFI Secure Boot, Microsoft says "systems certified for Windows 8 [on non-ARM machines] must allow secure boot to enter custom mode or be disabled." Then in theory the user can enter any key in custom mode, and secure boot will honor that key. Apparently current UEFI instances require the user to type the long custom key, but instead UEFI could read the key from a USB device or filesystem and display it to the user for approval. Is there more to the brouhaha than just a user interface issue?
Just a user interface issue? Posted Feb 28, 2013 12:22 UTC (Thu) by k3ninho (subscriber, #50375) [Link]
At the moment, people are aware of the spectrum of non-technical to technical users and are choosing to solve the UEFI secure boot problem in a way that is no further bar to non-technical users dual-booting Linux.
In the past, there's been a trickle-down solution where the more-technical people build their own platform and community and it slowly becomes something that less-technical people can do. In this case, that doesn't apply: security is intended to be a blocker to access, and being on the wrong side of that divide must be enforced or it's not security.
For this problem, the Linux Foundation should be paying for a technical advisor to go round the mainboard manufacturers enrolling them in the Linux UEFI Certification Program and supplying them with a signing key which is used in addition to the MS one. The program is created to allow for corporations to build system images with their own platform keys under which they control the entire secure environment. That should be the real motivation for this, with desktop users being secondary beneficiaries. Thus is no extra burden on the non-technical user and such a setup allows UEFI Secure Boot to work as intended.
K3n.
Just a user interface issue? Posted Feb 28, 2013 17:26 UTC (Thu) by raven667 (subscriber, #5198) [Link]
The problem is that the Linux Foundation doesn't have the money to be a CA and maintain all the infrastructure that entails, while RedHat does have the money but they don't want to foot the bill because they are afraid of being seen as the Microsoft of the Linux world. All the people who are complaining about MS might be complaining about RH instead which could affect sales. There is also the difficulty of getting enough OEMs to bundle additional keys in and the additional barrier if some users can't boot your install media, they are just going to walk away.
It's a kind of logical insanity, since logic seems to get one to a place where MS/Verisign is the only signing authority.
Just a user interface issue? Posted Feb 28, 2013 21:39 UTC (Thu) by Lennie (subscriber, #49641) [Link]
If you ask Verisign to maintain a Verisign signed CA like Microsoft is doing I'm sure it would be expensive.
So how much money does it take to maintain a selfsigned CA ?
You don't need an organisation like Verisign to sign the CA.
Just a user interface issue? Posted Feb 28, 2013 21:45 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
running a CA is dirt cheap (look at openca), running a good CA securely costs a bit more.
you need to have processes in place to keep the bad guys out, this probably means that it takes more work to do the signing
you need redundancy
you need to spend time figuring out if you should sign things (unless you are a commercial CA, in which case you just need to see if the credit card accepts the charge)
That being said, the cost of running the CA itself is trivial compared to the cost of getting your cert accepted and in the various places it needs to be to do any good.
Just a user interface issue? Posted Feb 28, 2013 22:33 UTC (Thu) by Lennie (subscriber, #49641) [Link]
Forget I even mentioned it, I made a mistake in my thinking.
Just a user interface issue? Posted Feb 28, 2013 22:14 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
Doing it properly, including identity verification for people in arbitrary countries, with proper software and physical security for the keys? No, it's not cheap.
Just a user interface issue? Posted Feb 28, 2013 22:59 UTC (Thu) by Lennie (subscriber, #49641) [Link]
If we forget for a moment that for this purpose doing a custom CA is not useful in this case... as I wasn't thinking properly.
Doing a secure custom CA needs these things, I guess ?
If you get yourself some cheap netbooks with a builtin TPM and install Linux on it you can then store two copies of your keys in two seperate safes possibly in different buildings. Then you have 3 things solved.
An east european TLD does this for their DNSSEC keysigning keys if I remember correctly. The zone singing keys are on a machine behind a firewall which is used to push updates to the publicly visible servers.
In DNSSEC the zone signing keys are used to sign the DNS data and key signing keys are used to sign the zone signing keys every couple of months.
Just a user interface issue? Posted Feb 28, 2013 23:36 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Take a look at the requirements for WebTrust to get an idea of some of the basic minimums of procedures that need to be followed, documented and audited.
http://www.webtrust.org/homepage-documents/item27839.aspx
Just a user interface issue? Posted Feb 28, 2013 23:45 UTC (Thu) by Lennie (subscriber, #49641) [Link]
Depends what you use it for of course, but if you want to get into browers or a sub-CA then yes, WebTrust is where you can go.
I know if that is what you want, you need a lot of stuff done because I've been following what CAcert is doing.
So why not get them the money? Posted Mar 4, 2013 11:51 UTC (Mon) by Max.Hyre (subscriber, #1054) [Link] The problem is that the Linux Foundation doesn't have the money to be a CA [....]Sounds like a perfect case for a Kickstarter project. I'd certainly pay a significant (to me) amount of cash to get a native Linux UEFI key built into most machines. I suspect I'm not alone.
So why not get them the money? Posted Mar 4, 2013 15:16 UTC (Mon) by raven667 (subscriber, #5198) [Link]
I agree, I think that building a Linux vendor CA and getting it in the common default firmware is the right strategy, using the shim should be seen as a delaying action to make time. Just like win8 certification there should be a general Linux cert which covers this, with a sticker for the machines and everything if possible. Why not?
So why not get them the money? Posted Mar 5, 2013 17:07 UTC (Tue) by ortalo (subscriber, #4654) [Link]
There are other people like me who think that UEFI is introduced by Microsoft to fight Windows piracy (and even possibly to fuel their forced upgrade strategy) and will very certainly never be usable as an end-user security mechanism by design. Not too speak of the fact that I have always expressed doubts about centralized certification authorities ala X.509 even before the DigiNotar fiasco (only louder now), especially given revocation... difficulties (to say the least).
The only thing that made me doubt of the inutiliy of UEFI "security" up to now and eventually consider *not* deactivating secure boot is the involvement of people like Matthew Garret (and co.)...
Maybe I am concluding to fast and getting old. Or maybe not...
So why not get them the money? Posted Mar 5, 2013 17:20 UTC (Tue) by raven667 (subscriber, #5198) [Link]
> UEFI is introduced by Microsoft to fight Windows piracy
I'm not sure how that's supposed to work, uEFI isn't TPM and provides no way to validate a license key or enforce DRM, it's really only useful for preventing malware from modifying the boot process.
It would have been nice if mjg59's proposal for automatic key enrollment would have gotten some traction because that could have been the mechanism to become independent of the MS signing infrastructure. IIUC the problem here is that the key signing through MS is made to fit MS existing tooling for signing PE binaries, which is understandable, but it seems to me the solution is to build an alternate signing infrastructure that works the way we want, within the constraints of the uEFI standard. Maybe it would be even better to modify the uEFI SecureBoot standard to do more exactly what we want but it might be too late for that as the current standard is now widely shipping and can't be changed. Maybe can't be changed for 20+ years.
So why not get them the money? Posted Mar 6, 2013 8:47 UTC (Wed) by ortalo (subscriber, #4654) [Link]
Well, I do not understand your (technical) interrogations. M$ ensures that its version of Windows is executed (or, why do we bother at all with signing a linux-oriented boot loader?). Most recent versions of MS/Win phone home one way or another and check the number of running instances in their environnement very precisely. Everything is in place to compare with the actual bill sent every year...
Linux users in this game are just the troublemakers who made apparent that M$ was grabbing control of OS instances. I am speculating yes, but I suspect this is more due to licensing reasons and monetary interest rather than security reasons and moral issues...
The actual full details may not be perfect, but that would not be the first a commercial security mechanism has design vulnerabilities... Furthermore, the objective is to increase the bill, not block the customer system.
So why not get them the money? Posted Mar 6, 2013 16:42 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
"M$ ensures that its version of Windows is executed"
No, it doesn't. You're able to disable the signature checking and you're able to install your own keys. Having done that, you're then free to lie to the OS about whether or not it booted a signed binary.
So why not get them the money? Posted Mar 6, 2013 18:42 UTC (Wed) by raven667 (subscriber, #5198) [Link]
Or maybe to put it another way, Windows itself can't "require" the signature checking because that happens at a layer below and previous to what the running OS kernel can control. There isn't a mechanism for a running system, doing licensing or validity checks, to verify that it was booted "securely", the verification is forward, not backwards.
Do I have that right, mjg59? 8-)
So why not get them the money? Posted Mar 6, 2013 18:50 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
Yes, that's correct.
So why not get them the money? Posted Mar 5, 2013 17:21 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
Secure Boot controls what binaries your firmware will boot, not which firmware your binaries will boot on. It's exactly the wrong way round to be usable as an anti-piracy mechanism.
So why not get them the money? Posted Mar 6, 2013 8:57 UTC (Wed) by anselm (subscriber, #2796) [Link] Also it's not as if piracy was keeping Microsoft up at night. People have been stealing Microsoft software for nearly 40 years and the company is still doing great. Bill Gates is still #2 on the Forbes list, so there doesn't seem to be an obvious problem. Microsoft is doing little things here and there to make life harder for pirates (think »activation«), but actually getting rid of piracy altogether isn't that high up on their agenda. If they wanted to, they could certainly stamp out piracy nearly completely but (a) this would also inconvenience legitimate users, in particular »enterprise« users, which would be counterproductive – these users might get silly ideas like looking at operating systems that make for less hassle, such as Linux –, and (b) a certain level of piracy ensures that anybody who wants Windows badly enough will be able to get it, which is way better than encouraging them to look at icky free alternatives like Linux.
Just a user interface issue? Posted Feb 28, 2013 12:24 UTC (Thu) by keeperofdakeys (subscriber, #82635) [Link]
This is entirely correct, and a utility has been created (and signed) to do this. http://blog.hansenpartnership.com/linux-foundation-secure...
You also can view a talk with James explaining it in detail. http://mirror.linux.org.au/linux.conf.au/2013/mp4/Making_...
Third party approval unique? Posted Feb 28, 2013 9:07 UTC (Thu) by stevan (subscriber, #4342) [Link]
From a freedom-appreciating user's perspective, it doesn't feel right to start kow-towing to an antagonistic third party on the basis of what they may or may not do with a power you have gifted to them. I was wondering, though, whether this is a unique issue in the kernel's development or whether similar issues have arisen in the past. If so, how were they handled then?
S
Third party approval unique? Posted Mar 6, 2013 9:02 UTC (Wed) by ortalo (subscriber, #4654) [Link]
IMO, that's pretty much the first time such an issue arise in practice at this scale.
Precedents with similarity are TCPA and TPM chipsets, but those explicitly allowed user-generation of secret keys. Analogy can be made with older things too (like the "Clipper chip"). But none of these were scheduled for generalization. None of these were under control of a single company. The idea of a secure BIOS/ROM itself is pretty old btw. M$ applied it already more or less to the XBox. But personally, I view it as unapplicable in practice outside of niche markets because it involves centralized control of the signing key - and that is nearly impossible to do realistically (we are starting to see it... then you'll have revocation, compromise of keys, etc. Imagine how all this will collapse when the ONLY secret key will be attacked. ;-).
The other precedent is in the mobile phone space with network-operator locking of (subsidized) mobile phones, but not with open source software (and usually relying on the SIM smart card as a security kernel - which is probably a much better idea IMO).
Loading keys from Microsoft PE binaries Posted Feb 28, 2013 11:41 UTC (Thu) by paulj (subscriber, #341) [Link]
I'm sceptical that MicroSoft would face anti-trust issues if they chose SecureBoot of Windows over allowing Linux users to boot arbitrary code.
There are huge, powerful interests out there that would very, very much welcome consumer hardware being locked down. They've been lobbying hard for more than a decade, and achieved significant success in getting legislation favourable to them passed across the world (EU, US, etc). They've managed to persuade technology hardware vendors to implement ever more capable, cryptographically-backed locking-down of compute hardware - they give such hardware a boost in the market by favouring such devices in their own products (e.g. with better quality, or even by /only/ supporting such devices). In some jurisdictions, the interests pushing for this include large, state-owned and otherwise venerated institutions - such as the BBC.
The PC is the last redoubt. The only open, user-controlled compute platform that is sufficiently ubiquitous that the powerful interests can not afford to restrict their product from it and widely available. The powerful interests would very, very much like that to change.
These powerful interests are of course the media industries, audio and video. They would, without a doubt, strongly support the locking-down of PCs. It is naïve to think that the issue would be seen solely as one of MS anti-trust. Naïve to think MS would automatically be slapped down. Many, besides MS, want PCs to be locked-down and control taken away from users and instead be in the hands of a large corporate. It is naïve to think they will not work long (as they have already) and fight very hard to make it come true.
Loading keys from Microsoft PE binaries Posted Feb 28, 2013 12:29 UTC (Thu) by keeperofdakeys (subscriber, #82635) [Link]
Unfortunately there isn't a huge conspiracy behind this. As for the antitrust issue, currently Microsoft has done nothing to trigger an antitrust case. Implementing secureboot is optional (agreeing to the Windows Certification terms), and Microsoft haven't abused their position of power (yet).
Loading keys from Microsoft PE binaries Posted Feb 28, 2013 12:45 UTC (Thu) by paulj (subscriber, #341) [Link]
I'm not claiming there's some shadowy conspiracy pulling strings. I'm saying there are powerful media interests, who have worked and lobbied tirelessly, to further their own interests. It's a fact, and it's had an immense effect on technology and the internet in the last decade.
These same interests also "want"[1] to get rid of open PCs (either by getting rid of PCs, or by locking them down). There is no reason to doubt they would not lobby as hard and effectively for such, if it came down to legal questions, as they have done in the past for changes to copyright law (criminalisation of what used to be civil matters, the criminalisation of making anything that defeats copyright "protection" technologies, etc).
No conspiracy needed, just the continuation of widely documented prior practice.
1. For a definition of "want" == that it is very much in their interests, and consistent with their previous behaviour.
Loading keys from Microsoft PE binaries Posted Mar 1, 2013 7:11 UTC (Fri) by kleptog (subscriber, #1183) [Link]
While it's true that there are interest trying to get rid of open PCs, I'm really sceptical that they are going to get anywhere. The global IT industry is on the order of $3 trillion annually, the movie industry is a tiny fraction of that. The IT industry can't work with closed PCs, because they're not consuming, they're producing.
It does surprise me that media companies have had an effect way above their weight but that's because the IT industry has traditionally not used its clout. No unions, for example. The tendency to route around problems rather than fixing them. It's changing though, as large tech companies like Google are getting involved in the political side of things.
That's not to say there won't be rough times ahead, but I think it will turn out ok.
Loading keys from Microsoft PE binaries Posted Mar 1, 2013 10:35 UTC (Fri) by paulj (subscriber, #341) [Link]
As you note, the media industry has punched above its weight compared to the IT industry, judging by revenue in having laws introduced to the detriment of technology vendors and (more so) users. However, there surely are good reasons for that.
E.g., the media industry has a very direct financial stake in having restrictive copyright laws, and closed hardware that allows media to be controlled. The more control they have, the fewer alternatives there are to them, the more they can charge and profit. Thus, there is a clear, strong financial incentive for them to work tirelessly and continuously to further these goals.
The technology industry on the other hand does not have a clear financial stake. It has, at best, political biases (e.g. towards freedom) and woolly, vague, speculative, long-term reasons as to why it might prefer more open platforms - in general. However, there are some technology companies who *also* support closed platforms, as they *also* see themselves as content providers and/or curators, through things like iTunes and app stores. So the technology industry is fragmented, and further, those who are against the closing of technology do not have clear financial incentives to do so - which means they can easily lose interest in the issue, or not pursue it as aggressively as a media company might pursue the other side.
History is the only guide we have to the future, and the history over the last 15 years has been that computing platforms are becoming ever *more* closed. The PC may not yet be closed, but it too has now had the technological *capability* to be closed down added to it.
I'm far less optimistic than you are. I'm sure we'll always still be able to buy unlocked PCs, but I wonder if they'll be like specialist developer platforms, costing far more than standard PCS...
Loading keys from Microsoft PE binaries Posted Mar 5, 2013 17:19 UTC (Tue) by ortalo (subscriber, #4654) [Link]
I share your pessimism sometimes. However, it seems to me at such times that open hardware initiatives bring some optimism there (not too speak of the fact that we may need to re-open the good old electronics books). The Pi is not so expensive after all... ;-)
Furthermore, I have also noticed with some surprise in recent years that law enforcement people (including judges) are starting to listen when you speak of potential legal deficiencies [1]. Communication is still pretty difficult because both cultural background are very different (engineering and legalese) but that's probably not so desperate. They are getting burnt by computer security failures too and they will react with their own tools too.
[1] Usually reformulated as law enforcement (applicability) issues rather than core legal issues btw. But IANAL of course and they were so do not even trust my reformulation... ;-)
Loading keys from Microsoft PE binaries Posted Mar 13, 2013 17:42 UTC (Wed) by nye (guest, #51576) [Link]
>The Pi is not so expensive after all... ;-)
It is however a closed platform on which it happens to be possible to run Linux in a co-processor with help from the proprietary boot loader and platform firmware.
Loading keys from Microsoft PE binaries Posted Mar 13, 2013 19:32 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
so not that different from the closed source BIOS that we've been living with for decades.
except that the documentation is out there for you to develop your own bootloader (you just get the broadcom SDK for the chip)
Loading keys from Microsoft PE binaries Posted Mar 14, 2013 12:01 UTC (Thu) by nye (guest, #51576) [Link]
>so not that different from the closed source BIOS that we've been living with for decades.
Really not even remotely the same. The RPi is an exceptionally closed platform; in order to do anything with it you need to use Broadcom's binaries. Bear in mind that the main processor is actually the GPU; the processor that Linux treats as the CPU is in fact completely controlled by the graphics firmware.
> except that the documentation is out there for you to develop your own bootloader (you just get the broadcom SDK for the chip)
To the best of my knowledge, that's untrue. It's a question that gets asked pretty frequently though, so if you know better than anyone else, you could do many people a favour by posting that information on the RPi forum.
In general, I think the RaspberryPi is a textbook example of where we don't want things to go if we want open systems under the user's control.
Personally I consider many of the foundation's public statements to be borderline fraudulent, and have a hard time with continuing to assume good faith given their behaviour and response to criticism thus far.
I recommend that nobody buy an RPi, for any purpose; it is an enemy of Free Software.
Loading keys from Microsoft PE binaries Posted Mar 14, 2013 16:18 UTC (Thu) by Jonno (subscriber, #49613) [Link]
> The RPi is an exceptionally closed platform; in order to do anything with it you need to use Broadcom's binaries.
Sure, just as you need to use «Motherboard-Manufacturer»'s binaries (eg. BIOS and/or EFI firmware) to do anything on a regular x86 PC...
> Bear in mind that the main processor is actually the GPU; the processor that Linux treats as the CPU is in fact completely controlled by the graphics firmware.
To my mind, the only thing that makes the Pi "worse" than the competition is that the binaries are located in a FAT FS on an SD-card, rather than in on-board flash, and thus more obvious to the casual observer. That it simplifies fw upgrades (and downgrades, making a PS3-like bait-and-switch by Broadcom impossible), seems to be ignored.
The Pi situation is by no means "good" from a user freedom perspective, but it's not really any worse than any other arm, x86 or ppc system in existence.
Loading keys from Microsoft PE binaries Posted Mar 14, 2013 17:24 UTC (Thu) by johill (subscriber, #25196) [Link]
> where the system was under the control of OtherOS running at one of the SPU's, while the PPC core and remaining SPU's was allocated to Linux, with a limited fw interface to OtherOS to access the HDD and display hardware
I believe this is a misrepresentation, Linux/OtherOS was/is running in a hypervisor, not on the bare metal other CPU. The SPUs couldn't control the main CPU anyway, they're pretty much just signal processing units.
Loading keys from Microsoft PE binaries Posted Mar 14, 2013 19:14 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
> Really not even remotely the same. The RPi is an exceptionally closed platform; in order to do anything with it you need to use Broadcom's binaries.
show me anything along the lines of the following tutorial
Also, since the broadcom chip is sold for embedded uses, you can get everything you need from broadcom to develop your own code to replace the Pi foundation provided (note, not broadcom provided) bootloader binaries.
Frankly, I wish that the source for this was available, but given the current patent mess, the choice is betwen providing this bootloader as a binary, or having to pay patent licensing fees for the video codecs in every Pi sold. And in this situation I prefer keeping the price down to given money to the patent extortionists like MPEG-LA.
And since this is on the SD card, it's always possible for this to change in the future. Either the patent mess could change, or someone else could write a replacement bootloader and make it available.
While I fully understand the feeling that this is not ideal, calling something that has put over a million devices running Linux into people's hands "and enemy of Free Software" is cutting off your nose to spite your face.
Loading keys from Microsoft PE binaries Posted Mar 18, 2013 13:02 UTC (Mon) by nye (guest, #51576) [Link]
>While I fully understand the feeling that this is not ideal, calling something that has put over a million devices running Linux into people's hands "and enemy of Free Software" is cutting off your nose to spite your face.
If that were the only criterion, we would laud TiVo as a far greater force for free software.
Regardless, the thing that really upsets me about the RPi is the level of double-speak that comes from the foundation. If they were to acknowledge how closed their platform is in comparison to a standard PC that would be one thing, but to keep beating the drum about how open and amazing they are leaves a bitter taste.
Also, they've been pretty unpleasant to people who have anything critical to say about the project (and I don't mean me; I mean people who are more polite). The effect has been to give me a very powerful impression that they don't really care about openness at all except as far as it can be used for marketing purposes.
Loading keys from Microsoft PE binaries Posted Mar 18, 2013 23:29 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
First off, I think Tivo shipping was a very important milestone in the domination of Linux. Before that there were not a lot of Linux based home appliances, they demonstrated that Linux could work in large scale deployments to people's houses (and for years afterwords I still had arguments with people claiming that Linux could not be used in that type of environment)
Second, the Pi allows you to run with everything running in the Linux space being open source, this is FAR better than most computers with reasonable graphics do.
If you are so worried about how the binary blob in the GPU can access the memory that the Linux kernel uses, then you had better not have any PCI cards (especially not any PCI graphics cards) in your desktop PC, because the binary blob firmware running on any PCI attached device can access any memory in the system (unless you are using IOMMU and the device driver has been written to limit the hardware)
Would it be better if the bootloader/GPU firmware was open? of course it would be.
As for the reaction from the people at the Pi foundation to 'polite' criticism, given the abuse that they have suffered, I think it's a matter of the well being poisoned, after being abused by so many obnoxious people, their patience is long gone and they don't react well to anyone. This doesn't mean that they don't care about openess, it's just part of human nature.
> If they were to acknowledge how closed their platform is in comparison to a standard PC that would be one thing
I don't believe that their system is closed compared to a standard PC, so I can easily see how they don't either.
Loading keys from Microsoft PE binaries Posted Feb 28, 2013 17:06 UTC (Thu) by Aliasundercover (subscriber, #69009) [Link]
Saying Microsoft hasn't abused its position of power yet (on this particular issue) is a lot like saying Lucy hasn't pulled the football away yet (on this particular kick).
Loading keys from Microsoft PE binaries Posted Feb 28, 2013 12:14 UTC (Thu) by dgm (subscriber, #49227) [Link]
Linux distributions are like a herd of lambs being lead to the fold. Red Hat tactic is to keep their heads down and follow along.
One can agree that having the option to trust Microsoft is not the same as actually doing so, but users will obviously follow the path of least resistance (how has the resources to do otherwise?)
So, do you agree that it's in out best interest do act like that?
Why not sign the kernel module directly? Posted Mar 2, 2013 18:49 UTC (Sat) by cesarb (subscriber, #6266) [Link]
I have not followed the discussion closely, so I am sorry if this has already been discussed, but why not sign the kernel module (with a PE wrapper if needed) directly instead of signing a key which will in turn be used to sign the module?
Adding support for a new kernel module format (even if it is just a simple wrapper around the ELF binary) might be more acceptable than the proposed key importing scheme.
Loading keys from Microsoft PE binaries Posted Mar 7, 2013 2:36 UTC (Thu) by kevinm (guest, #69913) [Link]
One objection that I haven't seen mentioned yet is that this proposal appears to involve using Microsoft's signing infrastructure in a way in which it wasn't designed to be used.
Specifically, Microsoft's CA is designed to sign PE binaries that can be loaded as part of the UEFI boot process. This proposal involves wrapping an X.509 certificate inside a "false flag" UEFI binary in order to have it signed - as far as Microsoft is aware, they're signing a UEFI binary, but that's not how the file is going to be used - instead, it's going to be used as a container for an X.509 certificate that Linux will trust.
Say the private key for one of these embedded certificates escapes into the wild, or more simply the legitimate owner of the certificate uses it for nefarious purposes - will we really be able to convince Microsoft to revoke that signature or blacklist the PE binary? Remember that the PE binary that Microsoft signed can't itself be used to directly subvert the UEFI boot process - the executable portion of it is only a stub - but it *can* be used to subvert Linux systems. Will Microsoft care, or will they just say that the bug is in the fact that we're loading a certificate from that binary, when that isn't what it's for?
As a further objection, there's no reason why the Microsoft signature should be trusted by the Linux kernel for loading modules. Yes - anyone who can get a Microsoft-signed certificate can have their bootloader trusted, but that presupposes that they were able to install their own malicious bootloader in the first place. It's a much lower bar to be able to attempt to load a module into a running kernel than rewrite the bootloader, so I don't think it's a good idea that anyone who can create a trusted bootloader should also be able to create trusted kernel modules.
Loading keys from Microsoft PE binaries Posted Mar 10, 2013 16:36 UTC (Sun) by lipak (guest, #43911) [Link] There are times when (upon reading Linus' comments) one feels that he is just good at coding and making wise-cracks --- often using language that would "make a sailor blush". Then there are times when one realises that he has a really clear vision of what role he sees for Linux. This is one of those latter times. Linux is about empowering users, about giving them a chance to take control of their own machines. It is not about getting users to trust some Big Brother --- be it Microsoft or someone else --- who will tell them that such trust will simplify their life. That is what the recent instructions from James Bottomley are about. That is what Linus is echoing in his own way. Users should be able to use UEFI to take control of their machines. As developers, we should make it possible for users to do so by providing well-documented code and procedures.
|
|||||||||||||