
Linus on digital rights management

From:  Linus Torvalds <torvalds@transmeta.com>
To:  Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject:  Flame Linus to a crisp!
Date:  Wed, 23 Apr 2003 20:59:45 -0700 (PDT)


Ok, there's no way to do this gracefully, so I won't even try. I'm going to
just hunker down for some really impressive extended flaming, and my
asbestos underwear is firmly in place, and extremely uncomfortable.

  I want to make it clear that DRM is perfectly ok with Linux!

There, I've said it. I'm out of the closet. So bring it on...

I've had some private discussions with various people about this already,
and I do realize that a lot of people want to use the kernel in some way
to just make DRM go away, at least as far as Linux is concerned. Either by
some policy decision or by extending the GPL to just not allow it.

In some ways the discussion was very similar to some of the software
patent related GPL-NG discussions from a year or so ago: "we don't like
it, and we should change the license to make it not work somehow". 

And like the software patent issue, I also don't necessarily like DRM
myself, but I still ended up feeling the same: I'm an "Oppenheimer", and I
refuse to play politics with Linux, and I think you can use Linux for
whatever you want to - which very much includes things I don't necessarily
personally approve of.

The GPL requires you to give out sources to the kernel, but it doesn't
limit what you can _do_ with the kernel. On the whole, this is just
another example of why rms calls me "just an engineer" and thinks I have
no ideals.

[ Personally, I see it as a virtue - trying to make the world a slightly
  better place _without_ trying to impose your moral values on other 
  people. You do whatever the h*ll rings your bell, I'm just an engineer 
  who wants to make the best OS possible. ]

In short, it's perfectly ok to sign a kernel image - I do it myself
indirectly every day through the kernel.org, as kernel.org will sign the
tar-balls I upload to make sure people can at least verify that they came
that way. Doing the same thing on the binary is no different: signing a
binary is a perfectly fine way to show the world that you're the one
behind it, and that _you_ trust it.

And since I can imagine signing binaries myself, I don't feel that I can
disallow anybody else doing so.

Another part of the DRM discussion is the fact that signing is only the 
first step: _acting_ on the fact whether a binary is signed or not (by 
refusing to load it, for example, or by refusing to give it a secret key) 
is required too.

But since the signature is pointless unless you _use_ it for something,
and since the decision how to use the signature is clearly outside of the
scope of the kernel itself (and thus not a "derived work" or anything like
that), I have to convince myself that not only is it clearly ok to act on
the knowledge of whether the kernel is signed or not, it's also outside of
the scope of what the GPL talks about, and thus irrelevant to the license.

That's the short and sweet of it. I wanted to bring this out in the open, 
because I know there are people who think that signed binaries are an act 
of "subversion" (or "perversion") of the GPL, and I wanted to make sure 
that people don't live under the misapprehension that it can't be done.

I think there are many quite valid reasons to sign (and verify) your
kernel images, and while some of the uses of signing are odious, I don't
see any sane way to distinguish between "good" signers and "bad" signers.

Comments? I'd love to get some real discussion about this, but in the end 
I'm personally convinced that we have to allow it.

Btw, one thing that is clearly _not_ allowed by the GPL is hiding private
keys in the binary. You can sign the binary that is a result of the build
process, but you can _not_ make a binary that is aware of certain keys
without making those keys public - because those keys will obviously have
been part of the kernel build itself.

So don't get these two things confused - one is an external key that is
applied _to_ the kernel (ok, and outside the license), and the other one
is embedding a key _into_ the kernel (still ok, but the GPL requires that
such a key has to be made available as "source" to the kernel).

			Linus

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



news at 11.

Posted Apr 24, 2003 14:43 UTC (Thu) by coriordan (guest, #7544) [Link]

I don't see why Linus made such a big deal about this announcement. From reading the thread on lkml.org, it seems like the linux-hackers don't really care. I'm guessing this was brought up by talk of Treacherous Computing but I don't think kernel-signing is the same thing.

There are three reasons for its non-importance:
1) signed-kernels (and other pieces of software) can be a good thing. Wouldn't you like to be sure that the server you log into to check your mail isn't secretly monitoring you? check the signatures of the shell/kernel/mta/mua/etc/etc/... (this could be moot due to reason 2:)

2) A workaround is possible. The user only needs to have a copy of a signed kernel on their system, they *don't* have to be running it.

3) The only threat to the user is that certain apps will be programmed to only run if the user's system is running a kernel from a particular vendor. This cannot possibly ever be a problem to people who use only Free Software.

anyway: people don't care on lkml, I don't see the deal at all.

Ciaran O'Riordan

news at 11.

Posted Apr 24, 2003 14:58 UTC (Thu) by corbet (editor, #1) [Link]

The thing I think you're missing is that people can make hardware that will only run signed kernels. At that point you can wire any sort of DRM into the kernel you want - and make source available - and users still won't be able to change it. So it will be possible to make an Xbox-like system with a Linux kernel.

news:

Posted Apr 24, 2003 16:23 UTC (Thu) by coriordan (guest, #7544) [Link]

> The thing I think you're missing is that people can make hardware that
> will only run signed kernels

I was missing that. Hmmm.

Well, I hope the GPLv3 addresses this sort of practice. Even if Linus asks developers not to use it, other projects should be protected from this sneaky kind of freedom-circumvention tactic.

I also hope consumers don't support/buy this kind of crippled hardware.

Ciaran O'Riordan

news:

Posted Apr 24, 2003 17:25 UTC (Thu) by dlang (subscriber, #313) [Link]

if GPL v3 attempts to regulate this then there will be interesting fireworks. Linus has the kernel licensed under the GPLv2, NOT GPLv2 or later and so we could get into a mess where a kernel hacker submits something under GPLv3 and Linus rejects it unless they change it to GPLv2 (and if GPLv2 and GPLv3 code is combined which version is the result under)

news:

Posted Apr 24, 2003 18:18 UTC (Thu) by coriordan (guest, #7544) [Link]

This isn't that big a deal. Linux is only one project, if Linus doesn't like v3 he can use v2. Another option is that he can dual license the kernel under both versions, he already accepts dual licensed code so long as one of the licenses is the GPLv2.

This dual licensing situation wouldn't solve the signed-kernels-only hardware problem but it would allow kernel hackers to use v3 if they want.

Ignoring Linux, I'd like to see v3 address this issue because I release software under the GPL, and I wouldn't like it to be used in a way that doesn't give users Freedom.

RMS's comments on this issue would of course be interesting but this situation really isn't that important. The problem of crippling hardware to remove users' freedom has already been thought of, and Linus's thoughts on the matter are irrelevant.

Ciaran O'Riordan
...actually, Bruce Perens's comments would be interesting?
(Until now, RMS has been the only person who will publicly disagree with Linus.)

news at 11.

Posted Apr 24, 2003 16:32 UTC (Thu) by dthurston (guest, #4603) [Link]

Umm, you do know that Tivo already does this, right? The FSF has stated that they are fine with the practice (or at least that it doesn't violate the GPL).

FSF not OK with bootloaders that only load *signed* GPL'd kernels

Posted Apr 24, 2003 17:00 UTC (Thu) by emk (subscriber, #1128) [Link]

The FSF is not fine with this practice, as far as I can tell--they really fear things like the next generation XBox, which is apparently targeted to take the place of home computers, but (allegedly) will only run signed software. Once you have DRM, you can see your GPL'd programs, but you may not be able to run modified versions.

However, the FSF does not believe that such sneakiness violates GPLv2, as written. GPLv3 may or may not address this issue.

news at 11.

Posted Apr 25, 2003 6:46 UTC (Fri) by ekj (guest, #1524) [Link]

Yes, you can make hardware that will only run signed binaries, and thus close that hardware to tinkering. In fact, making such hardware has already been attempted, it's called a console.

In essence, the bootloader of such hardware does the equivalent of:

if (valid_signature(kernel))
        boot(kernel);
else
        complain_and_stop();

This is nasty, if you are running on such hardware, then the ability to change the kernel in any way you like brings you nothing: if you change anything, even something completely trivial, the signature will no longer be valid, and your new changed kernel will not boot.

Linus is right though, this is clearly allowed under the GPL. And furthermore, it very likely CANNOT be forbidden even if we would want to.

A Signature is (or at least it can be) a separate document saying the equivalent of: "I, Bill Gates, testify to the fact that the kernel with sha1sum=b7a7bf03dcafd4d48001d6a2a6fd2ceaefa4cc1e is trustworthy and can be booted. signed(bill_g)"

There is no way for the GPL, or any other legal document to forbid the above document from existing. The signature above is clearly not a derived work of the kernel, but rather a commentary upon it. (namely a commentary on the trustworthiness) The only info derived from the kernel is the sha1sum, but the only function of this is to make it clear which kernel you are talking about. (much like mentioning the ISBN-number of a book you are reviewing)

Furthermore, there is also no way you would be able to forbid hardware from acting on the existence (or absence) of such a signature. After all there is no law saying that "hardware *must* boot all code."

Now, what *would* be nasty would be new laws *requiring* hardware to implement signature-checking. Such laws would essentially make it forbidden to make user-modifiable computers. The way the US is moving at the moment, I would not be too surprised if such a law is introduced and passed in the next few years.
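The two mechanisms discussed in this thread, the signature as a separate document that names the kernel only by its hash (this comment) and the distinction between an external key applied to the kernel versus a key embedded in it (Linus's mail above), as an added Go example that is not code from the page or from any poster. The kernel image is a constructed byte string, the hash is SHA-256 rather than the sha1sum used in the comment, the signature scheme is ed25519 from the Go standard library, and the function names are my own:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is the separate "document" the comment describes: it names the
// kernel only by its hash and carries the signer's attestation over that hash.
// Nothing in the kernel image itself changes when it is produced.
type Signature struct {
	KernelHash string // hex SHA-256 of the image (the comment's example used sha1sum)
	Sig        []byte // ed25519 signature over the hash bytes
}

// SignKernel is the signer's step. The private key stays outside the image;
// this is the "external key applied _to_ the kernel" case from Linus's mail.
func SignKernel(priv ed25519.PrivateKey, image []byte) Signature {
	sum := sha256.Sum256(image)
	return Signature{
		KernelHash: hex.EncodeToString(sum[:]),
		Sig:        ed25519.Sign(priv, sum[:]),
	}
}

// ValidSignature is the bootloader's check. Only the public key is built into
// the bootloader, so nothing secret has to ship with either image or loader.
func ValidSignature(pub ed25519.PublicKey, image []byte, sig Signature) bool {
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != sig.KernelHash {
		return false // the document refers to some other image
	}
	return ed25519.Verify(pub, sum[:], sig.Sig)
}

// BootDecision mirrors the pseudocode in the comment: boot on a valid
// signature, otherwise complain and stop. It returns the decision as a string
// so the outcome can be checked rather than only printed.
func BootDecision(pub ed25519.PublicKey, image []byte, sig Signature) string {
	if ValidSignature(pub, image, sig) {
		return "boot"
	}
	return "complain_and_stop"
}

// demo runs the three cases the thread talks about and returns the decisions:
// the signed image, a trivially modified image, and the same image signed by
// a party whose key the bootloader does not carry.
func demo() (original, modified, untrustedSigner string) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a kernel image; real vmlinuz bytes would go here.
	kernel := []byte("constructed stand-in for a kernel image")
	sig := SignKernel(vendorPriv, kernel)

	original = BootDecision(vendorPub, kernel, sig)

	// Flipping a single bit changes the hash the signature names, so even a
	// trivial change to the kernel is refused, as the comment says.
	changed := append([]byte(nil), kernel...)
	changed[0] ^= 0x01
	modified = BootDecision(vendorPub, changed, sig)

	// A valid signature from a key the bootloader was not built with is
	// just as useless to the user as no signature at all.
	untrustedSigner = BootDecision(vendorPub, kernel, SignKernel(otherPriv, kernel))
	return
}

func main() {
	o, m, u := demo()
	fmt.Println("signed image:           ", o)
	fmt.Println("one-bit change:         ", m)
	fmt.Println("signed by another party:", u)
}
```

The only thing that touches the image is the hash, which is exactly the "which kernel are we talking about" role the comment gives it; the signer's private key never appears in the build, so Linus's warning about keys that are "part of the kernel build itself" does not apply to it, while the bootloader's embedded public key is fine to publish.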

news at 11.

Posted Apr 25, 2003 13:45 UTC (Fri) by Wol (guest, #4433) [Link]

But new laws *requiring* it would kill the computer industry stone dead! Either you make it well-nigh impossible to get hold of signing keys, which would destroy all the little programming shops (and don't forget, that includes most businesses that use computers as *computers* rather than glorified typewriters), or you end up with loads of keys out there that are forever leaking.

RedHat certainly, and probably other major distributors such as SuSE, would almost certainly publish a signing key for general use.

Have no fear. Such a law would be either unenforceable, or nuke-style destructive. However, given the number of laws recently *passed* which ban the Internet infrastructure in various US states (the so-called super-DMCA bills), unfortunately I can see such laws getting passed...

Cheers,
Wol

Distinguish development workstations from Aunt Tillie's iMac

Posted May 2, 2003 9:31 UTC (Fri) by bgilbert (✭ supporter ✭, #4738) [Link]

Not necessarily. Consider professional media production houses and copy protection mechanisms like MacroVision. Professional equipment can trivially defeat MacroVision, and anyone who wants to buy an N-thousand-dollar professional deck and TBC can do it. The point of MacroVision is to discourage casual copiers, not professional pirates.

So, require standard home and business computers to execute only signed code. Sell a separate class of hardware -- "development machines" -- which costs $50k/box and will run anything you throw at it. Combine that with a TCPA-like system in which most signed software won't trust a system that can run unsigned code. Then, vigorously prosecute people who "misuse" their code-signing keys* -- and since companies with deep pockets are more likely to have code-signing keys in the first place, this will be effective. The end result is that you've concentrated development on a relatively small number of dedicated, single-purpose, trackable and auditable machines, and motivated everyone with a key to protect it from use by others.

Will this shut down open-source development entirely? Of course not. But it raises the bar; if the average user's workstation can't run the output of its own compiler, it's much harder for people to casually tinker with the code. The trick is to raise the bar too high for Joe Programmer, while still letting small software houses get through.

* What happens if code must meet certain requirements in order to be legally signed (either through outright legislation, federal regulation, or contract with the provider of the signing key)? Through the miracle of selective enforcement, this can leave free software developers with legitimately-obtained signing keys open to fairly significant legal action. That'll be a deterrent as well.

Linus on digital rights management

Posted Apr 24, 2003 16:39 UTC (Thu) by Baylink (guest, #755) [Link]

Personally, I concur with Linus' position, his interpretation of the results of that position, his evaluation of what rms will *think* of these things...

his disagreement with rms on whether that's reasonable :-) ...

and his caveat and projected ramifications thereof.

In short, I agree: non-issue, except to raver-types.

Home "computers" which only run signed software?

Posted Apr 24, 2003 17:05 UTC (Thu) by emk (subscriber, #1128) [Link]

As an author of GPL'd software, I am not OK with the increasing number of home "computers" which only run signed software: TiVOs, game consoles, etc. Sooner or later, these will begin to take the place of home computers (if the manufacturers are to be believed), and the manufacturers would be able to distribute GPL'd software without allowing the users to exercise their rights.

Home "computers" which only run signed software?

Posted Apr 24, 2003 17:23 UTC (Thu) by coriordan (guest, #7544) [Link]

as a fellow gpl-software developer, I second that.

I hope I can use the GPLv3 to protect my software from being run on these freedom-vacuums.

(to the toplevel poster: Linus's opinion is irrelevant in this matter)

Ciaran O'Riordan

Home "computers" which only run signed software?

Posted Apr 24, 2003 18:45 UTC (Thu) by neoprene (guest, #8520) [Link]

Home "computers" which only run signed software.... will first have to be bought by someone.
Such devices are like the current "Tivo" or "Xbox", and cannot take the place of a flexible "PC". Unless "the PC" will be banned I doubt anyone will buy a emasculated "PC".

Home "computers" which only run signed software?

Posted Apr 24, 2003 19:15 UTC (Thu) by coriordan (guest, #7544) [Link]

> Such devices are like the current "Tivo" or "Xbox", and cannot take
> the place of a flexible "PC"

But what happens when Microsoft releases "The Internet Box", a box that runs media-player, Internet Explorer, and MS Word. What if MS release the "tablet computer" and give it a "specially enhanced" processor? All these things are possible and one can't trust individual consumers to choose based on social implication. MS can offer a $150 discount on such "PC"s, once critical mass is achieved they can put the price back up to (and over) the original price since they would have an even tougher monopoly.

(If you don't believe MS will do it, just sub in IBM (or SCO, HP, whatever))

> Unless "the PC" will be banned I doubt anyone will buy a emasculated "PC"

Senator Fritz Hollings (chairman of the Senate for Commerce, Science, and Transportation Committee) is trying to ban[1] "TV" (as we know it) in America. Why not the PC?

Ciaran O'Riordan

[1] http://www.digitalspeech.org/cbdtpa.shtml
(plenty of other interesting pages on www.digitalspeech.org too)

Home "computers" which only run signed software?

Posted Apr 24, 2003 19:35 UTC (Thu) by pointwood (guest, #2814) [Link]

I think you're wrong. Most people aren't aware of those issues. If a certain device fits the user's needs - they will buy it.

Home "computers" which only run signed software?

Posted Apr 25, 2003 2:52 UTC (Fri) by Baylink (guest, #755) [Link]

And that's precisely their point...

and I was wrong. I see, now, the point that the anti-signed-kernel crowd are making... and I have to say I agree with them. This is akin to the idea that Seagate and Maxtor will be strongarmed into manufacturing (only) harddrives which have encrypted bus interfaces, such that you can only talk to them if you're....

well, if you're Windows. Cause, y'know, they can't release the key to an open source driver writer.

And yes, this isn't remotely unlikely in the face of the DMCA and its ilk. People have discussed manufacturing peripherals like this. Imposition by obsolescence. It's not impossible, and Microsoft overthrew the Justice Department, so why not Seagate and Maxtor?

Course, that's just what I think.

And I've been wrong before. See above. :-)

What's this?

Posted Apr 25, 2003 22:26 UTC (Fri) by GreyWizard (guest, #1026) [Link]

What just happened there? Did someone actually read the responses to his post and rationally reconsider his position? I don't think we're on slashdot anymore, toto... ;-)

Yeah; that's what happened.

Posted May 19, 2003 23:49 UTC (Mon) by Baylink (guest, #755) [Link]

Glad I could improve your day. :-)

Home "computers" which only run signed software?

Posted Apr 25, 2003 7:15 UTC (Fri) by dmantione (guest, #4640) [Link]

No you cannot use a license to prevent people running your software on
certain hardware. Copyright law is in the way.

In the Netherlands, the authors law says anyone is allowed to make changes
to software to make it interoperable with his hardware. Since all EU members
have compatible copyright laws this is most likely true in the entire European
Union. This statement is clearly there to protect end users. However, it also
means you cannot prevent people from modifying your software to not run on
DRM-hardware, by law they have the right to modify it.

But, it is not entirely clear if they can accept the free software license then, so
they might then not have the right to redistribute the software.

Home "computers" which only run signed software?

Posted Apr 24, 2003 19:02 UTC (Thu) by iabervon (subscriber, #722) [Link]

I think that all such devices are inherently limited in usefulness, because they can't be used for purposes that the key holder doesn't intend them to be used for. Now, that's perfectly fine. My refrigerator can't run code I write, and neither can my VCR. Now, general purpose computing is getting cheap and, well, general, so you can make a VCR-replacement that has a general purpose computer inside; in fact, the best VCR for the cost (depending on what you want from a VCR) is based on a computer. The thing is that people don't want to have each device appear to be a general purpose computer, even if that's how it works inside.

So the situation is really that computer-based devices are replacing non-computer-based devices, and, in some cases, devices are becoming sufficiently capable that people who needed a computer before can now use a device that doesn't seem to be a computer, and thus don't need an overt computer at all. But then there are people who actually want computers, and these people won't be satisfied with a fridge or a VCR or a car, even if these are really a computer inside.

The thing about general-purpose computers is that you can specialize them, and this may be better than building a special-purpose device from scratch, but it's just different from having a general-purpose computer able to run arbitrary software.

Linus on digital rights management

Posted Apr 25, 2003 7:46 UTC (Fri) by ronaldcole (subscriber, #1462) [Link]

Does Linus not realize that the DMCA and DRM are "imposing someone's moral values on other people" by their very definition?

Linus on digital rights management

Posted Apr 25, 2003 16:51 UTC (Fri) by piman (subscriber, #8957) [Link]

Just an Oppenheimer? The same Oppenheimer that, after building the atomic bomb said "I have become death, destroyer of worlds." Met with President Truman to confess "I have blood on my hands"?

People who act like they're "just engineers" always seem to regret it later.

But what is "signing"?

Posted May 1, 2003 4:31 UTC (Thu) by kcannon (guest, #4867) [Link]

Mr. Torvalds' position is that it is compatible with the GPL to distribute a signed binary of the Linux kernel without providing the means by which users can sign their own binaries. This essentially means that he does not consider the private key required to produce the final binary output to be part of that binary's "source code".

Perhaps it is possible to make that distinction. The problem with this position, however, is that Mr. Torvalds assumes we all agree on what is meant by "signing". To be clear: signing involves taking the output of the normal build process (the compiled kernel) and modifying it in some unspecified way so as to add functionality not present in the compiler's output alone that only a unique party can reproduce. Sure this can mean adding a hash of the binary image to the end of the file but it can also mean adding a proprietary I/O scheduler, memory management subsystem, or anything else. It might even mean overwriting the whole darn thing with a proprietary software product leaving only one particular device driver intact to be incorporated into that new product.

Make no mistake about it: all of these acts are examples of the Linux kernel being "signed" and if the licensor says signing is OK then you can be sure that's what all of the above will be called.

Mr. Torvalds says he doesn't want to interfere with what people do with their kernels. Of course: the GPL allows everyone to "sign" their own copy of the Linux kernel. When, however, they distribute their "signed" product, if the information needed to reproduce all of the functionality of that product is not supplied, then the source code has not been supplied and the GPL has been violated.

-Kipp


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds