Fedora, secure boot, and an insecure future
Posted Jun 7, 2012 13:17 UTC (Thu) by drago01 (subscriber, #50715) In reply to: Fedora, secure boot, and an insecure future by gmaxwell
Parent article: Fedora, secure boot, and an insecure future
So you are saying we should make Fedora "suck" to save you $99? This has nothing to do with software freedom. You have the source; you are free to sign it (with any key) or not sign it at all.
Posted Jun 7, 2012 16:42 UTC (Thu)
by gmaxwell (guest, #30048)
[Link] (11 responses)
Yes. You don't and shouldn't get a free pass on the norms of free software because you can wave your arms and say you can't simultaneously satisfy the many goals you may have.
Your modified version— through the addition of a signature chained to Microsoft's cryptographic lockdown, among other changes— of the third-party free software you distribute should either live free or die.
Posted Jun 7, 2012 17:45 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (10 responses)
Great sound bite but I don't really understand what you are trying to say. Any secure boot system where you can install your own keys or disable it is fully compatible with the most stringent of Free Software guidelines. It's not "Tivo-ization" if you can load your own custom code. To claim otherwise is a gross mischaracterization of the issues involved and does not add to any debate of the issues.
Posted Jun 7, 2012 18:28 UTC (Thu)
by gmaxwell (guest, #30048)
[Link] (9 responses)
UEFI's specification itself does not require that secure boot can be disabled. The only requirement that it needs to be possible to disable it is in Microsoft's requirements. I can't reasonably expect their enforcement to be too aggressive considering that they previously (and still, on ARM) required the opposite.
Signed Fedora will run equally well on systems where secure boot can't be disabled. In the discussion on Fedora-devel the people promoting this change seemed to be saying that this was a good thing that Fedora still ran, and that Fedora/Redhat would have no recourse if it were to happen. What we seem to have constructed is a nice little bit of indirection where a couple of billion-dollar corporations can take away users' rights with respect to software they didn't even write and then all earnestly claim "wasn't me". Instead of "non-transferable covenants not to sue" we have "cryptographic keys you can't distribute", but since code is law (or even more powerful) when it comes to the freedom users have over the software, it doesn't matter that the restriction is a technical one.
I also gave the argument above that this isn't quite the same as tivoization, even though the same cryptographic lockdown technology is involved. Fedora is adding functionality to the software to make it run on some new hardware and distributing these enhancements under terms that make downstream distributors choose between the enhancement, making their own version of the enhancement (with a minimum cost of $99) and still limiting further downstream users, or going without the enhancement. What Redhat should be doing is distributing their secure boot signing key, so everyone can enjoy the enhancement without paying fees or losing their ability to modify the software— but presumably they have contractual obligations which prohibit this. I argue that since they can't simultaneously keep the software as free to modify and redistribute as they got it, they ought not to distribute the enhancement at all. Or at least that's an argument.
(And instead, they should make a special signed bootloader shim which, if secure boot is enabled, displays a set of help screens to help users turn it off or add their own keys— this would itself not be the freest of software, but it would be trivial and the author(s) would obviously agree with that kind of distribution)
Posted Jun 7, 2012 20:23 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (6 responses)
A boot-locked system will be unable to run Win7, which is not a desirable outcome and is why this requirement exists. The manufacturers have no independent desire to boot-lock anything. Win8 ARM can be boot-locked because there is no installed base.
> billion-dollar corporations can take away users' rights
Bull s**t. Also "OMG CORPORATIONS!". I feel bad being so sarcastic but your point is just so misinformed.
As long as you have local key management and the option to disable, your rights have not been infringed in _any_way_.
> minimum cost of $99
Only if you want to be signed by the existing Verisign/MS authority; you can always be your own authority and have the end user load keys in by hand. The whole purpose of being signed by the Verisign/MS key is to make it easy to work by default without requiring end-user interaction with the firmware. These systems are _not_ boot-locked.
> What Redhat should be doing is distributing their secure boot signing key
No.
Seriously, no. You have no need for that to exercise your software freedoms since you can load your own keys or disable the entire secure boot system. There is no restriction preventing you from running your own modified boot loader software. Let me repeat that, there is no restriction preventing you from running your own modified boot loader software.
> displays a set of help screens to help users turn it off or add their own keys
Not possible because you can't modify the authorized keys via booted software, only from the firmware.
Now that we've dealt with a number of misconceptions, the real issue is that the key management isn't as easy as it should be. Ideally, when booting off removable media (USB, CD, PXE, not SATA) there would be a standard place to put public keys, and the end user could be prompted on the console as to whether to import such keys before the beginning of the boot process. That would make it very easy for each spin or custom distro, even locally generated ones, to include their own key infrastructure and use the secure boot feature, which is currently possible but is more work than strictly necessary. Developers who modify software probably don't have too much trouble jumping through the hoops required to use their own keys, but it's not a user-friendly process for the majority of Fedora (or Ubuntu or Debian or SuSE, etc.) users who just want to get a machine installed and working.
Posted Jun 7, 2012 21:07 UTC (Thu)
by gmaxwell (guest, #30048)
[Link] (3 responses)
This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.
If "just turn it off!" was enough for me it would also be enough for Fedora.
And again, there is no guarantee that it will be deactivatable. It was not until Redhat fought to fix that, and Windows 7 existed before then.
As far as the corporation comment— Microsoft and RedHat sat at a negotiation table making these decisions, I'm not saying that I should have been there— but where was the non-profit and/or governmental party representing my interests relative to my ability to distribute software which will easily run on the widely available computers tomorrow?
> That would make it very easy for each spin or custom distro
And Fedora could work to make it easier. In the short term where getting the firmware consistent isn't an option having good help would be an option. This would leave all users, distributors, and authors equal and working towards common goals.
Posted Jun 8, 2012 5:17 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
> This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.
And you still haven't provided any example as to what rights aren't being passed on to other people, because there aren't any and you have no argument.
> And again, there is no guarantee that it will be deactivatable. It was not until Redhat fought to fix that, and Windows 7 existed before then.
I'm not sure I can even parse that. In any event key management and the ability to disable are part of the Win8 logo requirements which should be widely adhered to. It doesn't have anything to do with RedHat and much to do with Win7.
> As far as the corporation comment— Microsoft and RedHat sat at a negotiation table making these decisions
Maybe they were smoking cigars and drinking whiskey too...
> And Fedora could work to make it easier
And of course the tools Fedora uses to make this happen will be available to anyone so it will be at least as easy for you or me as it is for them.
Posted Jun 8, 2012 10:27 UTC (Fri)
by drago01 (subscriber, #50715)
[Link]
You still have this right (with or without secure boot). Fedora has no obligation by *any* license that can be called free to help your fork, either by making their software less usable or anything else. All they have to do is provide you the source and tools needed to create the fork.
And they *do* that. You have the source. You have the tools. If you want to sign it ... fine, pay the $99 and go ahead. If you don't or even can't (because you cannot afford the $99) that's fine as well; this does not make the software any less free.
By your logic Fedora is not free already because they have a competitive advantage over forks by having infrastructure (builders, mirrors, bug tracker...). All those cost way more than the stupid $99. Oh, and the trademark and marketing budget.
This is not that hard to understand really.
Posted Jun 8, 2012 13:13 UTC (Fri)
by dgm (subscriber, #49227)
[Link]
> This simply isn't the case. Free Software— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.
Gentlemen, you need to realize that the problem is not Fedora or what they do. The problem lies in those distributing Fedora, that is, the OEMs. If System77 or Dell ships a laptop with Fedora preinstalled, then they are the ones that _have_ to instruct the user on how to change the keys, should they want to.
Fedora is just trying to be nice to people that didn't choose a preinstalled system, and instead just want to test the distro on hardware blessed for Windows 8. That you can do this is GOOD.
Posted Jun 8, 2012 9:56 UTC (Fri)
by ballombe (subscriber, #9523)
[Link] (1 response)
So far no evidence that 'loading keys by hand' will actually be possible has been provided, and indeed this is one of the premises of the Fedora decision. You cannot have it both ways.
Posted Jun 8, 2012 16:54 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
Posted Jun 8, 2012 9:06 UTC (Fri)
by nelljerram (subscriber, #12005)
[Link] (1 response)
Regardless of what any requirements say, I think what matters is whether the disabling possibility is important in practice to Microsoft. If it is, it will be implemented and well tested by manufacturers, and so we can have some confidence that it will work for us. If it isn't, it won't be well tested even if it's theoretically required and implemented, and then probably won't work for us.
Fortunately there are other comments on this article that claim that disabling is practically important for Microsoft, so there's hope...
(Of course it will still be better to buy from a Linux-supporting manufacturer that doesn't impose the "secure boot" BIOS at all.)
Posted Jun 8, 2012 16:33 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
The obvious being that Win7 doesn't support secure boot and will need to run on Win8 hardware for the foreseeable future, both for home users and businesses. Maybe in 10+ years we'll be having this discussion again, but probably not before then unless secure boot somehow comes to Win7 via a service pack or something (and if MS are content to leave behind users who can't/won't upgrade software).