
Details on Ubuntu's UEFI secure boot plan

Details on Ubuntu's UEFI secure boot plan

Posted Jun 22, 2012 19:32 UTC (Fri) by dbruce (guest, #57948)
Parent article: Details on Ubuntu's UEFI secure boot plan

"but in the event
that a manufacturer makes a mistake and delivers a locked-down system
with a GRUB 2 image signed by the Ubuntu key, we have not been able to
find legal guidance that we wouldn't then be required by the terms of
the GPLv3 to disclose our private key in order that users can install a
modified boot loader. At that point our certificates would of course be
revoked and everyone would end up worse off."

IANAL, but I don't think that can happen. It seems to me that in the above scenario, the manufacturer would be in violation of the GPLv3. Assuming a relevant copyright holder stepped forward to enforce the terms, the manufacturer would have to cease distribution and could be forced to pay some sort of damages. But I doubt a court would be inclined or able to force Ubuntu to do anything, if Ubuntu wasn't the violator.

It sounds like a spin on the old "if I accidentally link my code to GPL code and distribute it, then the GPL will spread to my code", which of course is not the case.



Details on Ubuntu's UEFI secure boot plan

Posted Jun 22, 2012 20:16 UTC (Fri) by cjb (guest, #40354) [Link]

> IANAL, but I don't think that can happen. It seems to me that in the above scenario, the manufacturer would be in violation of the GPLv3.

You're assuming that the source request is addressed to the manufacturer. What if the source request is addressed to Ubuntu? They did choose to make a GPL code release, and they do have the key that's a necessary part of the installation instructions for that release. IANAL either, but I think they would be in violation if they chose not to answer.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 21:22 UTC (Sat) by rich0 (guest, #55509) [Link]

The GPL does not require anybody to provide the sources of anything to anybody they didn't distribute GPL code to.

If Ubuntu doesn't distribute GPL code to end users then they don't have to provide source, keys, etc. to them. Whoever does distribute GPL code to end users does have to do this, and anybody with a copyright to the code can sue them if they fail to do so.

Now, if one of the hardware vendors were to ask Ubuntu for their signing key, then they'd have to provide it to them. So, this isn't going to be of much help...

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 22:23 UTC (Sat) by anselm (subscriber, #2796) [Link]

The GPL does not require anybody to provide the sources of anything to anybody they didn't distribute GPL code to.

That's if they give the recipient the sources (keys, etc.) along with the executables.

If instead they offer to provide the sources upon request, they have to do that for »any third party«. At least that's what the GPLv2 says, which is the version the Linux kernel uses.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 23:17 UTC (Sat) by mjg59 (subscriber, #23239) [Link]

GPLv3 makes a distinction between source and "Installation Information" (keys and so on). You only have to distribute the latter if you distributed a User Product. If Canonical don't sell hardware themselves then that shouldn't trigger.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 25, 2012 17:56 UTC (Mon) by hamjudo (guest, #363) [Link]

Certain classes of configuration errors would cause the GPLv3 clause to trigger on companies selling hardware preloaded with the GPL software.

Canonical is trying to write software that hardware selling companies will be willing to use. Even if Canonical itself isn't liable, they won't be able to get their customers, the hardware vendors, to ship the software if it is perceived to be a legal minefield.

Hardware vendors with significant per unit profit margins can absorb the cost, if a fraction of systems need to be RMA'd. The business model does not work for hardware vendors with small margins if there is a significant chance of RMA expenses.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 25, 2012 18:43 UTC (Mon) by raven667 (subscriber, #5198) [Link]

You probably know more than I do about it, but I don't think the GPLv3 demands the release of private key material; it is only concerned with the owner's practical ability to load their own modified software on the device, which is far more easily serviced by providing a mechanism to manage keys locally or to disable signature checking on boot. In any case I'm sure someone could create a contrived example where the only way to comply with the GPLv3 is to disclose signing keys, but I don't think that is how it works in practice.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 22, 2012 20:43 UTC (Fri) by raven667 (subscriber, #5198) [Link]

This bit sounded like mistaken reasoning to me. The GPLv3 never requires distribution of private keys, that is just a bad meme that keeps going around. If the manufacturer pre-loads a machine then they are the ones distributing the software, just like other software where the manufacturer gets a license to distribute from the OS vendor. If, by some mistake, they don't provide a way to load user-customized software, by breaking key installs or preventing secure boot from being disabled, then they are in violation of their distribution license.

In this hypothetical case I think it would make sense for the manufacturer to RMA or refund the bad equipment. I think the talk about disclosing private keys is ludicrous.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 22, 2012 21:21 UTC (Fri) by bronson (subscriber, #4806) [Link]

The GPLv3 requires the ability to load user software. If the only way to do that requires disclosing the signing keys, then so be it, that's what must happen.

Remember that it's Microsoft who set this whole UEFI mess up, not Ubuntu.

Why does this sound so far fetched to you? Seems like a perfectly reasonable reading to me.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 21:25 UTC (Sat) by rich0 (guest, #55509) [Link]

Yes, but that duty only falls on whoever is distributing the code to the user in question. If a computer requires a signed GPL image to boot, then whoever distributed the computer with the GPL software on it has to provide the key. Nobody else is a party to this. If a vendor distributes GPL code and requires it to be signed by a key they don't have, then they've exposed themselves to legal liability with no remedy short of issuing new hardware.

How is Ubuntu a party to what some hardware vendor does with their software, unless they paid them to do it?

Details on Ubuntu's UEFI secure boot plan

Posted Jun 27, 2012 1:28 UTC (Wed) by bronson (subscriber, #4806) [Link]

Ubuntu distributed the software to the vendor. You don't think the vendor will kick lawsuits their way if at all possible?

> How is Ubuntu a party to what some hardware vendor does with their software, unless they paid them to do it?

Ubuntu can enter into a valid contract with a hardware vendor with no money changing hands. And they can even get paid to do it! In fact, one would expect that this is their intent.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 27, 2012 8:13 UTC (Wed) by dgm (subscriber, #49227) [Link]

> Ubuntu distributed the software to the vendor.

But, as long as Ubuntu is not the one holding the keys, they will be in the clear regarding GPL compliance.

> You don't think the vendor will kick lawsuits their way if at all possible?

They can sue anybody they want, but that's frivolous litigation, and they may be fined for that.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 27, 2012 18:38 UTC (Wed) by bronson (subscriber, #4806) [Link]

> But, as long as Ubuntu is not the one holding the keys, they will be in the clear regarding GPL compliance.

Exactly. And Ubuntu is the only one holding their key. Did you think somebody else would have it?

> that's frivolous litigation

It's not frivolous if it's the only way for the white box distributor to comply with GPLv3.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 10:29 UTC (Thu) by jschrod (subscriber, #1646) [Link]

OK, so if the hardware vendor is obliged to deliver the key, and Canonical plans to convince hardware vendors to use their key -- where does the vendor get the key from, if not from Canonical?

It's not of practical relevance that "user demand => Canonical commitment" does not happen. The thing that might happen is "user demand => vendor commitment => vendor demand => Canonical commitment", and that's what the fuss is about, AFAIU.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 13:54 UTC (Thu) by dgm (subscriber, #49227) [Link]

I think you're assuming that:
- providing some key is the only way to allow modified software to run.
- that key can only be Canonical's.

Instead, the hardware vendor can:
- provide other means (disable secureboot).
- provide vendor's specific keys.
- provide means to install (additional) customer keys.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:14 UTC (Thu) by jschrod (subscriber, #1646) [Link]

> I think you're assuming that:
> - providing some key is the only way to allow modified software to run.
> - that key can only be Canonical's.

That's what this sub-thread is about. Read bronson's post (http://lwn.net/Articles/503072/) where it started. There it's argued that even under the assumptions cited by you above, this is OK. Then rich0 came in and told bronson that this won't matter for Canonical. And my contribution was to point out the fallacy in his thinking.

> Instead, the hardware vendor can:
> - provide other means (disable secureboot).
> - provide vendor's specific keys.
> - provide means to install (additional) customer keys.

These are other scenarios. It's about a hypothetical scenario where the end user can demand the keys. My contribution to the discussion is that then, in this case, a hardware vendor will not shield Canonical from that demand.

Please also note that the FSF seems to agree that the situation that keys must be supplied is plausible, as Nate notes in the Security feature article. I wouldn't discard their opinion on the GPLv3's meaning as fast as many here are ready to do. And if I were responsible for due diligence in a company and received such a warning from the FSF, I would make sure that my company pays attention to it.

Btw, FTR: We use neither Ubuntu nor Fedora and will probably turn off secure boot on our systems, when it arrives. So I consider myself impartial concerning the different factions in this discussion.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 17:11 UTC (Thu) by dgm (subscriber, #49227) [Link]

Let's put some context, then:

raven667: In this hypothetical case I think it would make sense for the manufacturer to RMA or refund the bad equipment. I think the talk about disclosing private keys is ludicrous.
bronson: The GPLv3 requires the ability to load user software. If the only way to do that requires disclosing the signing keys, then so be it, that's what must happen.

> My contribution to the discussion is that then, in this case, a hardware vendor will not shield Canonical from that demand.

In my opinion (IANAL), you're wrong. Those are the facts:

* The customer has received a device from a device vendor, with some software covered by the GPL v3.
* The device vendor can distribute this software only as long as it complies with the terms of the license. These terms include allowing the customer to run modified versions of the software.
* The device vendor cannot comply with the license terms, because they do not possess the signing keys, and cannot offer any alternative method.
* Thus they have been distributing the software without a proper license.
* Canonical is distributing the software to the vendor, and they fully comply with the requirements of the GPL. Their customer (the device vendor) would not have any problem loading any modified versions, because they control which keys are loaded.

So, to sum it up, the vendor would be distributing a pirated copy of Ubuntu. It's their fault, and they are the ones that have to pay for it.

To prevent this from happening, device vendors should provide means to load alternative keys or disable secure boot.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 25, 2012 0:00 UTC (Mon) by dgm (subscriber, #49227) [Link]

> If the only way to do that requires disclosing the signing keys

Sure, there are a few options before they get to that. Releasing a "fixed" version of the UEFI firmware would be much easier for everyone.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 15:07 UTC (Sat) by blitzkrieg3 (guest, #57873) [Link]

> IANAL, but I don't think that can happen. It seems to me that in the above scenario, the manufacturer would be in violation of the GPLv3.

IANAL either. You're forgetting that the manufacturer and Ubuntu have a relationship. If Dell for example accidentally ships a locked down firmware and is in violation, and to be compliant they would need the signing key, they would put pretty significant pressure on Canonical to release the key.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 24, 2012 1:52 UTC (Sun) by Fowl (subscriber, #65667) [Link]

Surely they could just release an update that would fix their bug.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 10:35 UTC (Thu) by jschrod (subscriber, #1646) [Link]

> It seems to me that in the above scenario, the manufacturer would be in
> violation of the GPLv3.

Yes, and the manufacturer will have a contract relationship with Canonical (why else would they use Canonical's key?), so the manufacturer's onus will be passed on to Canonical.

> IANAL, but I don't think that can happen. [...] It sounds like a spin on
> the old "if I accidentally link my code to GPL code and distribute it,
> then the GPL will spread to my code", which of course is not the case.

Well, according to Nate's feature article on this week's Security page:

> The company consulted with the FSF about that topic, and were warned
> that the authorization key clause would probably (although not
> definitely...) apply.

So you should be careful with that allegation of a spin: The source is said to be the FSF. Do you accuse them of spinning this tale?

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:35 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Why would Canonical sign a contract that left them open to that liability?

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:53 UTC (Thu) by jschrod (subscriber, #1646) [Link]

Because otherwise -- without indemnification -- a hardware vendor would not put Ubuntu on the systems? The OEMs I know would demand such a contract. After all, the market for pre-installed Ubuntu systems ain't large; it's Canonical seeking out the hardware vendors, not the other way round.

And since, as Nate reports, the FSF seems to have warned Canonical that their interpretation of the GPLv3 is plausible, I wouldn't discard that warning so easily.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:58 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

I have no idea why Canonical would indemnify a vendor against mistakes the vendor has made. That's not usually how indemnification works.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 15:18 UTC (Thu) by jschrod (subscriber, #1646) [Link]

I interpret Canonical's posts and Nate's article as follows:

Canonical wants hardware vendors to sell systems with pre-installed Ubuntu. They want to use their own key (i.e., the Canonical key, not a vendor key) on these systems. If they used Grub2, they are afraid that the GPLv3 would backfire in the case that an end user demands keys for the system, owing to the GPLv3's anti-Tivo clause, to be able to change the running system. The FSF was asked and they answered that the validity of such a demand seems to be plausible.

The vendor won't be able to pass on the Canonical key, as they don't have it. The ability to change the key and to re-sign all system stuff is the obvious solution, and the one that you have chosen for Fedora. Canonical seems to have the opinion that implementation of a good key exchange facility is too much hassle for the vendor, and (my interpretation) diminishes their chances to get into a good relationship with the hardware vendor. They don't want the vendor to pass on a key-release demand to them that they can't fulfill, either. So they took the easy way out, and use a non-GPLv3 boot loader -- problem surely gone, for them. And that after they made quite some investment, with upstream contributions, into Grub2, so it's surely not a straightforward decision for them.

> That's not usually how indemnification works.

I regularly have to sign contracts, where I promise I delivered everything an end customer might ask for under the GPL, and where I take on the onus of delivering more stuff if an end customer comes up with a valid demand that is not covered by my deliverables. So, from my POV, such demands are common.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 15:26 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

It's fine providing the end-user is able to enrol their own keys - the original signing keys are then not required to replace grub, so there's no need to give them to anyone. Microsoft require that all Windows-certified systems provide that functionality, so any off the shelf firmware is going to implement it - vendors would have to actively remove the functionality in order to have a problem. The contract with Canonical should simply state that it's the vendor's responsibility to provide this feature in order to comply with the software licenses.

If vendors *want* to ship systems without supporting re-enrolment of keys then yes, there's an obvious problem. But given Mark Shuttleworth's voiced concerns about user freedoms with secure boot, I'd be surprised if Canonical wanted to support that.
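The key-enrolment remedy described in the post above can be checked on a running Linux system. This is an added example, not code from the thread or from Canonical, Fedora or the kernel: it reads the efivarfs files for SecureBoot, SetupMode and db and parses the EFI_SIGNATURE_LIST layout from the UEFI specification; the variable and signature-type GUIDs are the specification's, and the sample bytes used to exercise the parser are constructed, not taken from real firmware.

```python
"""Report whether Secure Boot is enforcing and whether the owner can enroll
their own keys, so that no one's private signing key has to change hands."""
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")  # efivarfs mount point on Linux
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
SIG_TYPES = {  # EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID from the UEFI spec
    "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "X509",
    "c1c41626-504c-4092-aca9-41f936934328": "SHA256",
}

def strip_attrs(raw: bytes) -> bytes:
    """efivarfs prefixes every variable's data with a 4-byte attribute word."""
    return raw[4:]

def boot_state(secureboot: bytes, setupmode: bytes) -> dict:
    """Interpret the one-byte SecureBoot and SetupMode variables."""
    sb = strip_attrs(secureboot)[:1] == b"\x01"
    setup = strip_attrs(setupmode)[:1] == b"\x01"
    # In Setup Mode the owner can write a new PK/KEK/db without any existing key.
    return {"secure_boot_enforcing": sb and not setup,
            "owner_can_enroll_keys": setup}

def parse_siglist(raw: bytes) -> list:
    """Walk a db/dbx variable: a chain of EFI_SIGNATURE_LIST structures."""
    data, out, off = strip_attrs(raw), [], 0
    while off + 28 <= len(data):
        sig_type = str(uuid.UUID(bytes_le=data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16:
            break  # malformed list; stop rather than loop forever
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            body = data[pos + 16:pos + sig_size]  # bytes after the SignatureOwner GUID
            out.append({"type": SIG_TYPES.get(sig_type, sig_type),
                        "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                        "sha256": hashlib.sha256(body).hexdigest(),
                        "size": len(body)})
            pos += sig_size
        off = end
    return out

def build_siglist(sig_type: str, owner: str, body: bytes) -> bytes:
    """Build one EFI_SIGNATURE_LIST with a single entry (used for constructed test data)."""
    sig_size = 16 + len(body)
    header = uuid.UUID(sig_type).bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + uuid.UUID(owner).bytes_le + body

def read_var(name: str, guid: str):
    path = EFIVARS / f"{name}-{guid}"  # returns None when the variable is absent
    return path.read_bytes() if path.exists() else None

if __name__ == "__main__":  # live run on a Linux machine booted via UEFI
    sb, sm = read_var("SecureBoot", EFI_GLOBAL_GUID), read_var("SetupMode", EFI_GLOBAL_GUID)
    print(boot_state(sb, sm) if sb and sm else "no efivars found (not a UEFI boot?)")
    print(parse_siglist(read_var("db", EFI_IMAGE_SECURITY_GUID) or bytes(4)))
```

A machine with SetupMode off may still allow owner keys through its firmware setup menu or shim's MOK list; this script only reports what the firmware variables state.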

Details on Ubuntu's UEFI secure boot plan

Posted Jul 1, 2012 13:39 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

FSF seems to disagree with Canonical's interpretation in this case however.

http://www.itwire.com/business-it-news/open-source/55484-...

"Sullivan said this was unfounded and based on a misunderstanding of GPLv3. 'We have not been able to come up with any scenario where Ubuntu would be forced to divulge a private signing key because a third-party computer manufacturer or distributor shipped Ubuntu on a Restricted Boot machine.'"


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds