Garrett: Don't like Secure Boot? Don't buy a Chromebook [LWN.net]

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 21:14 UTC (Mon) by tao (subscriber, #17563) [Link] (21 responses)

Personally I find it better to have the choice, as in Google's case, than not have freedom as an option at all, as in Microsoft's case (on ARM platforms, that is). Obviously being able to have secure boot *and* freedom is the only perfect choice, so Google definitely deserves some flak.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 7:15 UTC (Tue) by nhippi (subscriber, #34640) [Link] (19 responses)

Garret is assuming there are many people who WANT boot time integrity/security checks. Most X86 laptops have had TPM chips from 2004 or so, yet almost nobody has been using them on Linux for anything - let alone for full boot integrity checking. IBM even wrote software to make it possible, but have you heard anyone using trusted grub for example?

So, yes, if you want boot time integrity checking - chromebook won't allow that. But if you didn't use TPM chips in your existing laptops, chances are that the lack of secure boot in chromebook is not going to make any difference to you. (apart from from warning screen on boot telling you OS verification has been turned off).

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 9:53 UTC (Tue) by Fowl (subscriber, #65667) [Link] (10 responses)

I think "most" is a bit of an overstatement. I know none of the laptops I ever had in that time period had one.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 10:43 UTC (Tue) by nhippi (subscriber, #34640) [Link] (9 responses)

It could be an exaggeration - just that all the Thinkpads and Dell/HP laptops passed by my desk seem to have had them.

But the basic points remains - Very few people are interested in secure booting of Linux. Even when for many it would already be possible to do so.

Root sector attacks on Linux?

Posted Feb 5, 2013 12:11 UTC (Tue) by man_ls (guest, #15091) [Link] (8 responses)

It is not surprising: there are very few attacks on Linux that would be stopped with secure booting. Unless the whole platform is secure from end to end (kernel signing, module signing and binary signing) secure boot is not going to make a difference, and I seem to remember that most of this infrastructure is not in place or has just got there recently. Without binary signing then secure boot would only stop rootkits that are loaded as a module. And without module signing, secure boot would only stop malicious kernels (which AFAIK are not a real threat). In short: too much hassle for the benefit.

Apparently for Microsoft secure booting is a very important defense to rootkits. I don't know if this is real or just some Microsoft excuse for messing with our bootloaders.

In fact this post is full of conjecture; it would be nice if someone knowledgeable could give us a more informed opinion.

It's an excuse

Posted Feb 5, 2013 15:12 UTC (Tue) by pboddie (guest, #50784) [Link] (7 responses)

Of course it is an excuse for Microsoft to mess with our bootloaders. Microsoft's traditional response to security concerns has always involved promoting itself as an essential part of the solution - to a problem the company had a large role in creating - while at the same time advocating measures that just happen to further undermine competition in the industry.

So in this case the problem is that malware runs rampant on Microsoft platforms, so the "solution" is to make Microsoft the gatekeeper for all software on hardware that is capable of running Microsoft products. I don't think many of us would regard that as the only solution, let alone the most desirable one, but market regulators seem to have an endless supply of second chances for Microsoft.

The "best case" objective for Microsoft is to make the claim that such hardware is only ever meant to run Windows, just like Apple manages to do with the iPad, but instead of turning our attention to the more blatant case of the iPad and going easy on Microsoft (as some people would apparently prefer), we need to prevent anyone passing general-purpose hardware off as an appliance that is tied to their software portfolio.

It's an excuse

Posted Feb 5, 2013 17:37 UTC (Tue) by raven667 (subscriber, #5198) [Link] (6 responses)

> Of course it is an excuse for Microsoft to mess with our bootloaders.

While you might find plenty of like-minded individuals here I don't think your anti-MS trolling really has a place. The worst that anyone can accuse MS of is benign neglect due to the size of their presence in the industry. If you have a chance you should listen to the engineers who design this stuff and see what their thoughts and motivations actually are, I think you would find them substantially different than your assumptions. Their engineers have gone out of their way to be courteous, helpful and inclusive and are not the villans you make them out to be. SecureBoot is a small piece of a large puzzle to try and reduce the security and integrity issues associated with the modern Internet environment.

It's an excuse

Posted Feb 5, 2013 18:50 UTC (Tue) by man_ls (guest, #15091) [Link]

Yes, at least I was expecting something more fact-based. My comment was already too filled with speculation.

It's an excuse

Posted Feb 5, 2013 19:15 UTC (Tue) by pboddie (guest, #50784) [Link] (3 responses)

I think you will find documents in the public record, some of which having been made public as part of legal proceedings, that show Microsoft's behaviour in various circumstances as being something other than "benign neglect". And while I can easily accept that the engineers are good, honest, upstanding individuals who cooperate with others, one cannot rely on their good behaviour as an indication of corporate policy.

If you really regard criticism of Microsoft's based on that company's record as "trolling", you should reacquaint yourself with that record. The mainstream computing press from the 1990s onwards is one long tale of uncritical promotion of Microsoft products punctuated by crises for which the more reasonable solution may well have been the use of other products instead. The consequence of this cycle of indulgence and forgiveness was a security crisis that even Microsoft acknowledged and did actually lead to a reported improvement in product quality.

SecureBoot may very well be a useful tool, but it has applications that happen to be very convenient to a company that "due to the size of their presence in the industry" has historically acted to take advantage of this position. As a result, it is hardly out of place to point it out.

But then again, perhaps we should be giving second chances to unreformed corporate offenders and hoping for the best, right?

It's an excuse

Posted Feb 5, 2013 19:23 UTC (Tue) by raven667 (subscriber, #5198) [Link] (2 responses)

I'm interested in the facts in this case, not presumption based different events which happend over a decade ago. Do you think nothing in the tech world or in the engineering and leadership of MS has changed since the 1990s ?

It's an excuse

Posted Feb 5, 2013 20:40 UTC (Tue) by mpr22 (subscriber, #60784) [Link]

I do indeed not believe that Microsoft's senior-management culture is significantly more ethical now than it was five or ten or fifteen or twenty years ago.

It's an excuse

Posted Feb 6, 2013 10:43 UTC (Wed) by pboddie (guest, #50784) [Link]

Do you really think you have to go all the way back to the 1990s to find examples? Given Microsoft's consistency, I fully expect people to be excusing Microsoft's behaviour in the year 2030 because the bad behaviour of this decade, once people have had the opportunity to document it fully, is "over a decade ago" and that things must somehow be different.

Oh, and is there a reason why one shouldn't be pointing out the blatant conflict of interest involved here? Make no mistake about this: Microsoft's influence already makes it difficult for vendors to design, manufacture and offer hardware that deviates from Microsoft's criteria (without a huge pile of cash to go against the flow), and this vision which puts Microsoft in a position of additional control is just another way for the company to raise the barrier to new entrants and make alternatives less attractive.

It is, of course, legitimate and necessary to point out the deficiency of the Google-powered product that is the subject of the referenced article, but I imagine that a large amount of any fuss being made is likely to be done to serve other interests. Of course, Microsoft wouldn't dream of bashing Google to shore up their own position because they're different now, obviously, so I guess we get to thank them for being our faithful watchdog and keeping product quality high in the marketplace.

It's an excuse

Posted Feb 6, 2013 18:40 UTC (Wed) by jthill (subscriber, #56558) [Link]

I'm not sure anyone believes Microsoft's engineering staff are responsible for any objectionable behavior on the part of Microsoft.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 16:19 UTC (Tue) by mjg59 (subscriber, #23239) [Link] (2 responses)

TPMs are pretty much useless for performing local attestation. Trusted grub generates a set of hashes that can then be verified by a remote server, but it doesn't let you ensure that your disconnected system is booting the software you think it is.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 9, 2013 21:46 UTC (Sat) by rich0 (guest, #55509) [Link] (1 responses)

I'd think you could do something very close to secure boot using Trusted GRUB and a TPM.

Encrypt your hard drive, and then have an initramfs that requests a decryption key from the TPM and mounts the drive. Record the trust chain and tell the TPM to only yield the key if there is a match.

Sure, the system will boot anything, but nothing on the hard drive can be read unless the proper boot chain is used, and the initramfs can of course do all the verification it wants to, as can the rest of the OS.

Disclaimer - I've never actually tried any of this, but from what I understand this should be possible with Trusted GRUB and a TPM-aware kernel.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 9, 2013 21:52 UTC (Sat) by mjg59 (subscriber, #23239) [Link]

Biggest problem with that approach is that the initramfs has to be part of the trust chain as well, which makes it pretty impractical. It's not really possible for distributions to ship pre-built initramfses, and every update would have to enrol a new set of trusted PCR values in your TPM.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 19:51 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Actually, TPM chips are quite rare in laptops and are even more rare in desktops.

I'm probably one of the few users of the Trusted GRUB - we're using it for remote attestation for systems containing medical data.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 0:13 UTC (Wed) by FranTaylor (guest, #80190) [Link] (3 responses)

Every Intel OSX system has a TPM chip, that alone makes them pretty common.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 6:16 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

Wrong. TPM chips were never used on Macs and are not even present in >2008 laptops.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 21:37 UTC (Wed) by khim (subscriber, #9252) [Link] (1 responses)

Actually it's the other way around: later PowerPC models had TPM chips. Apple dropped them when they switched to Intel - and that was... how long ago?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 7, 2013 12:16 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Early Intel-based laptops also had them (probably because their motherboards were just tweaked off-the-shelf designs). Later they were dropped - TPM chips are just not that useful.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 10:55 UTC (Tue) by tao (subscriber, #17563) [Link]

The headline for MJG's post (and thus also the headline here) is quite misleading though.

Because people who don't like secure boot presumably don't care if it's disabled. And it's perfectly possible to disable secure boot on a Chromebook.

If, on the other hand, they like secure boot but dislikes the fact that it's controlled by Microsoft, then Google's Chromebook is definitely not for them, because of the reasons outlined in his article.

It should be noted, however, that Google is working on providing a means of installing your own key, while Microsoft is intent on keeping the ARM platform locked down without possibility to install your own key (thus preventing anything else than Windows to run on the system).

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 21:37 UTC (Mon) by Aliasundercover (guest, #69009) [Link] (30 responses)

Security isn't just defense from malicious attack. A lot of other things can mangle your computer including software bugs and plain old user error. I have repaired or recovered data from many a non-functioning machine by booting a good operating system from USB stick or CD. On the other hand I have yet to be hit by malware taking over the boot sequence in a way secure boot would have prevented.

All this secure boot stuff lowers my security. My security was never the goal as secure boot is intended to serve the vendor's security at my expense.

Google's switch erasing all user data is a fine excuse for claiming you have the freedom to control your machine when actually doing so will inevitably eat up more time than the fool thing is worth.

Will normal people ever catch on to how their computers serve another master before them? Or did they always feel this way perceiving no net change as it becomes fact?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 22:03 UTC (Mon) by rengolin (guest, #48414) [Link] (17 responses)

Secure Boot was never to provide the end user security, but to secure market dominance of hardware manufacturers.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 0:06 UTC (Tue) by segedunum (guest, #60948) [Link] (2 responses)

What people are not paying attention to is just how this will end up affecting hardware compatibility. Want to run a piece of hardware not on a vendor's approved list? Nope, sorry. Want to upgrade to a new piece of hardware that shouldn't present a problem? Nope sorry, upgrade your system.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 9:02 UTC (Tue) by khim (subscriber, #9252) [Link]

How is it related to secure boot? Laptops routinely refused to boot with vendor-unapproved WiFi-cards for years and had no need for secure boot for that.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 14:35 UTC (Tue) by drag (guest, #31333) [Link]

> Want to run a piece of hardware not on a vendor's approved list?

Or you can just buy hardware from a vendor that isn't a asshat. There are lots of ways to make sure your hardware is linux unfriendly. Taking advantage of secure boot is just one of them.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 14:18 UTC (Tue) by drag (guest, #31333) [Link] (13 responses)

> Secure Boot was never to provide the end user security, but to secure market dominance of hardware manufacturers.

Pfff. hyperbole.

You can use it to improve the security of your computer. Without the ability to have a secure way to check the checksums your kernel and it's kernel modules at boot up it's impossible to know if your system has been subverted by a LKM root kit.

Kernel-level root kits are not theoretical and are a real issue on Windows and on Linux. Both systems have kernel level root kits that are widely available and are in common use by attackers. You CANNOT depend on userland code, no matter how clever (aka rootkit detector or virus scanner) to verify the security of your system. Any attempts to 'recover' a compromised system is a exercise in abject folly and is one of the purest example of self-defeat you can find in the computer security world.

There are two ways I know of to effectively be able to check your system; One is to boot your system from external media or remove the drive. create a list of checksums of a known good state, and then periodically take your system off line to compare.

The other way is to have a secure boot mechanism.

Now I understand this form of 'secure boot' isn't perfect, but it's a good start.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 16:43 UTC (Tue) by jedidiah (guest, #20319) [Link] (3 responses)

Imperfect? Try ineffective. This is a Microsoft solution we're talking about here. Chances are that it will fail to do what it claims to do while causing a whole host of other problems (some of which are perfectly foreseeable).

Being put in a situation where you are forced to depend on the competence of Microsoft (or even Google) is just absurd. It's especially so when you are also forbidden from fending for yourself.

YOU are probably far more dependable in this area than Microsoft.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 17:44 UTC (Tue) by raven667 (subscriber, #5198) [Link] (2 responses)

> Chances are ...

This is a real system with real documentation and real implementations with real data so that we don't have to make blind suppositions based on nothing more than "MS sux".

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 18:15 UTC (Tue) by hummassa (subscriber, #307) [Link] (1 responses)

> There are two ways I know of to effectively be able to check your system; One is to boot your system from external media or remove the drive. create a list of checksums of a known good state, and then periodically take your system off line to compare.

One more thing: rootkits worth their salt know if the system is trying to checksum some blocks on disk, and return the original blocks for the checksummer program to check, even if the system used other, different blocks to load.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 18:18 UTC (Tue) by hummassa (subscriber, #307) [Link]

This answer is in the wrong point of the discussion. Sorry.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 18:11 UTC (Tue) by hummassa (subscriber, #307) [Link]

> You can use it to improve the security of your computer. Without the ability to have a secure way to check the checksums your kernel and it's kernel modules at boot up it's impossible to know if your system has been subverted by a LKM root kit.

This is an error.

Even with the ability to have a way of checking the checksums of your kernel and modules, there are ways to subvert the kernel and force the loading of a (signed or unsigned) kernel-module-root-kit.

So, even WITH "the ability to have a secure way to check the checksums your kernel and its kernel modules at boot up", it's still "impossible to know if your system has been subverted by a LKM root kit".

Helping some software and hardware manufacturers to maintain dominance is the only thing secure boot tech is effective at.

> You CANNOT depend on userland code, no matter how clever (aka rootkit detector or virus scanner) to verify the security of your system.

That's the problem. Both Windows' kernels and Other OS's kernels depend heavily on userland code and data, and can be manipulated by userland code and data via exploits to load and execute kernelland code. Rootkits abound on all platforms and secure boot initiative never resist attacks long. Non-Windows examples are jailbreaking Apple products, rooting originally-non-rootable Androids, unlocking Sony PS3s, PSPs, among other products.

Honorable mention for resilience so far to AppleTVs model 3, which some people claim are jailbreakable, but the method to do so has not been disclosed publicly yet.

> There are two ways I know of to effectively be able to check your system; One is to boot your system from external media or remove the drive. create a list of checksums of a known good state, and then periodically take your system off line to compare.

How exactly do you know your "checksums of known good state" are really from a good state? once you start checksumming, the system can already be compromised. Other thing: even if you get to "ok, at this point you have to be at what I'll call a known good state", unless you checksum the whole contents of RAM, you don't have any way to know if you do not have an invisible kernel module lurking around somewhere in RAM. Even if your boot media is read-only, it can contain vulnerabilities that make it rootable soon-after-boot (like happens in thethered jailbreaks for Apple products).

> The other way is to have a secure boot mechanism.

Which, for all reasons above, is not an effective way to check it either.

> Now I understand this form of 'secure boot' isn't perfect, but it's a good start.

That is the point: it's not a good start, not only because it isn't worth a damn, but because the thing it *is* good at is "preventing non-technical people from installing another OS in the device or customizing from a certain, manufactured-decided, point on".

Example: Apple. Unless you jailbreak your device (which is fairly simple today, but once upon a time was an ordeal that could need the owner to open up her hardware) you can't change iPhone keyboard layouts or interactions, nor install AppleTV third-party programs, much less install Linux on your AppleTV (which works very well, thank you very much).

The funny part of this example is that jailbreaks normally work by exploiting some unsecured bug on the device's original firmware that could be exploited by malicious third parties. IOW: the security of "secure boot" leaves the devices MORE vulnerable to exploits.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 18:19 UTC (Tue) by hummassa (subscriber, #307) [Link] (7 responses)

> There are two ways I know of to effectively be able to check your system; One is to boot your system from external media or remove the drive. create a list of checksums of a known good state, and then periodically take your system off line to compare.

One more thing: rootkits worth their salt know if the system is trying to checksum some blocks on disk, and return the original blocks for the checksummer program to check, even if the system used other, different blocks to load.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 19:22 UTC (Tue) by dlang (guest, #313) [Link] (6 responses)

if you have the system booted from known-good external media, the rootkit is not running and so it cannot alter the checksum result.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 19:30 UTC (Tue) by raven667 (subscriber, #5198) [Link] (5 responses)

And this is the kind of guarantees you want to try and enforce using secure boot, to get the same experience as booting a live CD but using the binaries already on your system, or a recovery partition on your system. The farther you can push out the point where unchecked code can run and push a rootkit into the running kernel the better. That window can be pretty short though as code can be put into the initial ramdisk and run before PID 1. It'll take many years to gather the interlocking integrity checks to push out the integrity barrier out to a point where you can have a trusted beachhead for keeping your system clean.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 21:49 UTC (Tue) by hummassa (subscriber, #307) [Link] (4 responses)

It is still no guarantee at all, since the root kit kernel mode can be introduced via a carefully crafted dhcp response or USB connected device -- this last way is usually what we do to jailbreak apples.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 22:12 UTC (Tue) by raven667 (subscriber, #5198) [Link] (3 responses)

That's fine, its outside the scope of secure boot which is just protecting the boot loader and early boot process, there will always be kernel exploits that this technology doesn't do anything about. Even in the scenario you describe though you can't persist the compromise, you have to re-exploit the device every time it boots and it can still be patched without the patch being trojan'd, shutting down the exploit.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 0:17 UTC (Wed) by FranTaylor (guest, #80190) [Link]

So what you are saying is that you are investing millions of dollars to secure the front door while leaving the back porch open.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 7, 2013 4:10 UTC (Thu) by paulj (subscriber, #341) [Link] (1 responses)

So the justification for SecureBoot is security, but arguments about the security of the system are out of scope in considering the case SecureBoot?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 7, 2013 15:18 UTC (Thu) by raven667 (subscriber, #5198) [Link]

The security of the whole system is a wide ranging topic covering application security, kernel security, etc. SecureBoot only has an effect on the UEFI firmware and bootloader code, it doesn't even extend to the kernel, and it only help prevent replacing or modifying the firmware and bootloader without the admin's permission. All other system security is out of scope. What you do with the small advantage that being able to trust the bootloader is the same bits and bytes that it's supposed to be, is up to the implementor.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 23:00 UTC (Mon) by zlynx (guest, #2285) [Link] (11 responses)

Are you trying to make a security feature sound like a evil conspiracy?

Erasing data when disabling secure boot is something I *want* to happen. Otherwise something like a key logger can be installed without ever noticing it.

That (intercept and log the decryption passphrase) is a known attack on encrypted drives, so don't pretend it doesn't happen.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 23:45 UTC (Mon) by jzb (editor, #7867) [Link] (5 responses)

The pretense that secure boot is a security feature is something we need to do away with. Secure boot is a way for Microsoft to fight against "greymarket" copies of Windows. The fact that other vendors are using it is a side-effect, as is any security benefit that might accrue.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 23:57 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

The OS has no idea whether the platform implemented Secure Boot or not. How could you use it for licensing enforcement?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 0:00 UTC (Tue) by segedunum (guest, #60948) [Link] (3 responses)

Secure Boot is a way for Microsoft not only to lock out other operating systems but more importantly to control the virtualisation of Windows and control hypervisor platforms.

VMware are going to be in for a bit of a shock.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 0:30 UTC (Tue) by raven667 (subscriber, #5198) [Link] (2 responses)

I'm scratching my head here as to what you are on about? How does SecureBoot affect virtualized systems? There is no facility for an OS to attest whether it was secure booted and a software UEFI stack can do whatever it wants, there should be no problem loading the appropriate public keys and emulating the key store, right?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 0:23 UTC (Wed) by FranTaylor (guest, #80190) [Link] (1 responses)

Sure there is a way for a kernel to assert that it was secure booted. If it is installed on a machine that only allows secure booting, then if the kernel is running, it was secure booted!

Secure boot can most certainly be used to enforce licensing. The serial number of the system can be used as part of the key. The vendor provides an expiring kernel image that only boots on your system. If you don't keep paying and updating your license, someday your computer stops booting. Easy enough.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 3:07 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

Secure Boot doesn't have any concept of expiry.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 5:35 UTC (Tue) by ThinkRob (guest, #64513) [Link] (2 responses)

Erasing data when disabling secure boot is something I *want* to happen. Otherwise something like a key logger can be installed without ever noticing it.

Isn't think backwards?

I mean, don't you want tabula rasa when you're going from open -> "secure"? After all, if "Secure Boot" is working correctly, shouldn't it be impossible for untrusted code (i.e. a keylogger) to execute? If so, then open access mode is the only way it would be able to be installed, so you'd want to nuke everything and start from scratch on the transition back into "secure" mode. No?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 7:00 UTC (Tue) by raven667 (subscriber, #5198) [Link] (1 responses)

It's not backwards, once you start loading arbitrary software you don't want it to have access to any sensitive data stored on the device. If you want to transition back into secure mode then you may also want to do a reinstall from that point, but each part you boot can verify the next part to help prevent unexpected modifications from accessing sensitive data.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 6, 2013 16:19 UTC (Wed) by ThinkRob (guest, #64513) [Link]

Right, that makes sense. Sorry for being thick!

So basically you want to nuke the sensitive data on each state transition: full access -> "secure" to ensure nothing nasty's picked up, "secure" -> full access to protected private data. Got it.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 17:32 UTC (Tue) by Aliasundercover (guest, #69009) [Link] (1 responses)

> Erasing data when disabling secure boot is something I *want* to happen. Otherwise something like a key logger can be installed without ever noticing it.

If you want it that is your choice. You are choosing to value security against leaking data very highly over security against losing data. This feature may actually give a tiny increment in safety against leaking data to someone who gains physical control of your computer. For that it substantially increases the risk of losing your data. Security against an attacker who has physical possession of your computer is at best an up hill battle.

You are certainly welcome to value every increment of leak protection while ignoring security against ordinary mishaps leading to data loss. I don't think that corner solution is good for everyone. It isn't like there is an easy way to gain the data safety back. Every backup is also a leak path.

> Are you trying to make a security feature sound like a evil conspiracy?

Well, yes actually, security is being used as cover for taking control away from owners and users giving it to vendors. Security is the tech equivalent of "think of the children".

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 17:49 UTC (Tue) by raven667 (subscriber, #5198) [Link]

I think the point is that in its normal usage case there isn't data on the device that isn't synched up to Google, and Google provides export and backup tools so that you can manage your own data, so you are only wiping the local cache.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 22:55 UTC (Mon) by khim (subscriber, #9252) [Link]

Note that there are message from Duncan Laurie from Google which basically says: yes, we know it's a problem and we are working on it.

Not a perfect answer, to be sure, but better then what Microsoft is doing with it's ARM devices (note that ChromeOS ARM devices at least allow "you are free but not secure" mode).

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 23:02 UTC (Mon) by jiu (guest, #57673) [Link]

I'd add it's untypical of google not to get this sort of stuff right from the start. But then they seem to recognise that there is a problem, so let's hope it's only temporary.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 23:09 UTC (Mon) by chithanh (guest, #52801) [Link] (3 responses)

If I understand correctly, the security gain from the requested functionality is limited to a very specific threat scenario. Namely, preventing an attacker who has remote root access to your computer from installing his own kernel.

It will not help against a local attacker, who could just install his own key. And it will not increase security against kernel based rootkits, which are prevented by module signature checks etc.

Also I think the blog post is not of the stellar kind. Already the title is misleading (if you *like* secure boot, with your own key, then buying a Chromebook is a bad idea). Then the author writes about the deletion of local data after enabling developer mode, as if it were a bad thing. Having all data on the sync'ed into the cloud is the point of a Chromebook.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 4, 2013 23:44 UTC (Mon) by arjan (subscriber, #36785) [Link] (2 responses)

" And it will not increase security against kernel based rootkits, which are prevented by module signature checks"

uhm... not really. rootkits use various kernel exploits typically.
secure boot (in part) tries to avoid turning that into something persistent

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 0:49 UTC (Tue) by chithanh (guest, #52801) [Link] (1 responses)

> rootkits use various kernel exploits typically.

Yeah, you omitted the "etc.". Of course signature checking is not the only protection. Restricting write access to /dev/mem is another measure for example.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 2:05 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

You're starting from the assumption that the Linux kernel doesn't have any security holes. This is... quite a bold assumption given the kernel's history.

Secure Boot here is doing defence in depth. It forces the bad guys to either subvert Secure Boot, or give up on totally hiding from the administrator and risk getting caught. How well it works in practice we likely won't know for a few years yet.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 3:08 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

Hmm. The article reads a lot like security of apps on Android. Either I can verify the Google Play Store apps, or turn it off and be able to use F-Droid and the Humble Bundle apps, but have (AFAIK), no verification of any apps that are installed. Has this changed and I missed a memo? Does CyanogenMod support this?

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 11:12 UTC (Tue) by bokr (guest, #58369) [Link] (3 responses)

ISTM that to verify that the BIOS has loaded
a specific boot image into memory only requires
an adequate secure hash value (which can be open
clear text), and the ability of the BIOS
to calculate it as it loads and check it against
a white list that can only be changed in boot mode.

I would tend to trust a hash value published in clear text
here on LWN as much as a functional equivalent embedded
in a signature.

A malware boot image would soon have its hash blacklisted.

So why not a secure boot mode based on open hashes?
Booting an arbitrary modified image *unknowingly* would
be prevented (assuming edit of the hashes is restricted to
you by password protection).

The problem appears to be that the above does not prevent
a user from booting a modified Windows image, simply by
computing and putting its hash in the BIOS white list.

So Microsoft has an understandable and legitimate interest
in preventing that.

In contrast, a Linux user just wants to know that s/he has securely
booted a known image, and doesn't care (or likes) that a zillion others
can boot the same image for the price of downloading or borrowing
media from friends.

A FLOSS-friendly BIOS could make FLOSS BIOS clear-text hash whitelist
maintenance easy by allowing tentative memory load of new images, from
any block stream source (with optional skip/seek), stopping in boot mode
on encountering a new image, with a message that the image was
unrecognized, and would the user like to put its hash in the white list
(with a human mnemonic tag like a lilo label), and continue, or boot from
an alternate block stream.

BTW, if I can't get full use of the general purpose features of a box
that I buy without accepting conditions from the seller, I think
that is an illegal tying[1] and restraint of trade. The solution to
that is anti-trust law enforcement, not shims, IMO ;-/

[1] http://en.wikipedia.org/wiki/Tying_%28commerce%29

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 15:35 UTC (Tue) by khim (subscriber, #9252) [Link]

In contrast, a Linux user just wants to know that s/he has securely booted a known image

You mean owner, not user, here, right? School or some company here... Not the pupil who actually deals with Chromebook, but rightful owner of said device, surely?

and doesn't care (or likes) that a zillion others can boot the same image for the price of downloading or borrowing media from friends.

Right, what about the pupils or employees who are keeping the device in their bag?

I think you are forgetting that ChromeOS goal was explicitly to create device which works in a world where user and owner are different. Right now owner must trust Google which may be not a very good deal in some cases, but of course owner does not trust the user! That's the point: owner can apply seal or something like this to prevent physical tampering, but then software must prevent logical tampering...

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 17:41 UTC (Tue) by raven667 (subscriber, #5198) [Link]

Wouldn't a secure boot based on only hashes instead of signatures require manual intervention from the console every time a security patch went out that affected the bootloader or UEFI environment? I'm not sure anyone wants to deal with that support nightmare when you need to update millions/billions of devices.

Garrett: Don't like Secure Boot? Don't buy a Chromebook

Posted Feb 5, 2013 20:05 UTC (Tue) by vmpn (subscriber, #55435) [Link]

Well put, I want hardware that I paid to boot anything that I signed (no manufacturer, not M$, not my carrier). If I choose to delegate the trust to 3rd party it is up to me to do so.

In terms of preventing attack via kernel, make sure keys are only flashable when physical button is pressed or such, then software cannot override keys on its own.

For physical tampering you can have crypto HW which only allows to generate secret key and use it but not read it and it is erased every time keys are rewritten then you can easily verify that keys have not been tempered with

Everything that glitters isn't Secure Boot

Posted Feb 5, 2013 22:21 UTC (Tue) by stuge (guest, #89191) [Link] (5 responses)

This is a repost of my comment over at Matthew's blog. See the link for his response, and my explanation in response to that where I clarify that anyone can reflash their Chromebook with a coreboot build which does whatever they want. Disclaimer: I have nothing to do with Google, I am however a long time supporter of the coreboot project.

It's an attempt to dissuade people from blindly recommending Chromebooks as an alternative to Microsoft's imposed Secure Boot setup.

I think that is counter-productive, Matthew.

Just like I have a coreboot bias, you likely have an ever so slight UEFI Secure Boot bias, having worked with it for so long. You understand how Secure Boot works while most of our community - that is, the community of people desiring general purpose computers - may not.

You understand what Secure Boot could do for us, and you have spent an enormous amount of time trying to solve the problem of how Linux can fit into that structure. Your effort is phenomenal!

As you may know, I have been participating in the coreboot project since some 12 years. My experience there and in the security field tells me that it is absolutely critical for our community NOT to depend on any single boot verification structure, and certainly not one which is being deployed to let Microsoft decide what a computer says is secure and insecure.

Microsoft clearly isn't acting in our best interest.

Google is also acting in their own interest, but at the moment I feel that our community's interest in having control over our machine's firmware aligns well with Google's interest.

That's the reason to act fast against UEFI Secure Boot.

Unfortunately for you, your job is to act fast toward UEFI Secure Boot, to make it "just work" for Red Hat and friends. I have the utmost sympathy for you, in having to deal with that problem every day. It doesn't take reading your musings on how broken everything is, to realize that it is not too joyous work.

Google has developed their own x86 firmware based on well-known components such as coreboot and U-boot, and not only do they provide their customers freedom to root their hardware, they have also chosen to (use components such that they must) publish their entire firmware source code.

Google is clearly being vastly more progressive than the UEFI Forum and Microsoft.

But them doing something that is much better isn't why the Chromebook really does deserve to be recommended as an alternative to Microsoft's Secure Boot.

The Chromebook deserves to be recommended because it is doing something different.

The ideal solution for our community hasn't been productized yet - maybe not even developed yet. As you know, the majority of our community doesn't have experience with security with or without involving hardware, and even fewer have x86 firmware experience. I believe (I'm just naïve like that) this may change thanks to your work, coreboot's work, and Google's work. I think it must change.

the timing's largely down to the availability of alternative firmware implementations for x86. Embedded devices have implemented equivalent technology for years.

coreboot has facilitated implementation of equivalent technology for years, 15 years to be precise. For some reason, the UEFI Forum and Microsoft have chosen a different route. The UEFI Forum's and Microsoft's route is not helping our community, while Google's route is.

That's why it makes sense to recommend a Chromebook, to anyone who is concerned about their machine's firmware, and the future of general purpose computing.

Everything that glitters isn't Secure Boot

Posted Feb 5, 2013 22:33 UTC (Tue) by mjg59 (subscriber, #23239) [Link] (4 responses)

"anyone can reflash their Chromebook with a coreboot build which does whatever they want"

This is incorrect unless you're willing to disassemble your machine in order to remove the write protection on the flash. The normal developer mode doesn't do so. If you're willing to go to those sorts of lengths, you're pretty close to the point where you can replace the keys on a Windows RT device.

Everything that glitters isn't Secure Boot

Posted Feb 6, 2013 0:26 UTC (Wed) by FranTaylor (guest, #80190) [Link]

Millions and millions of people have made similar hardware modifications to their Xboxes and Playstations and I don't think these people are ready to screw with encryption keys.

Everything that glitters isn't Secure Boot

Posted Feb 6, 2013 1:03 UTC (Wed) by stuge (guest, #89191) [Link] (2 responses)

I was mistaken that the machine does not need to be opened. Sorry! :(

But - removing write protection by removing a jumper or a screw doesn't seem at all intrusive, and while I don't know how a warranty claim would be handled I guess that the machine would just get fixed if someone bricked theirs.

My point still stands however: The Chromebook deserves recommendation simply because it is not using UEFI Secure Boot. As a (huge!) bonus it runs upstream coreboot, and it is very much built to give the owner full control.

If you're willing to go to those sorts of lengths, you're pretty close to the point where you can replace the keys on a Windows RT device.

Software tools for that are already available and Microsoft requires Windows RT devices to have a jumper that allows replacing keys? You know that better than I do, but somehow I doubt that this is the case.

UEFI Secure Boot simply is not a solution. It is the problem.

Everything that glitters isn't Secure Boot

Posted Feb 6, 2013 3:20 UTC (Wed) by mjg59 (subscriber, #23239) [Link] (1 responses)

The systems I've seen require you to break a seal in order to get the machine far enough apart to change the write protection status. The vendors presumably do that for a reason - whether they'd be lenient anyway is an unknown.

UEFI Secure Boot is an open standard that can be implemented without any license fees and which comes with a liberal set of patent grants. There's a fully functional sample implementation available under a free license. Google's verified boot, on the other hand, isn't standardised and Google don't (as far as I know) provide a patent grant. At a technical and legal level, there's little reason to prefer Google's implementation.

Of course, the reality is that Microsoft have control of their market in the same way that Google have control of their market. At present, anyone who wants to run an alternative operating system on these systems does so at the sufferance of a large multinational corporation. Many people feel that Google is more trustworthy than Microsoft, and I can certainly understand why - but in both cases, you're trusting a publicly traded company with a track record of evil activities to behave appropriately.

In this specific instance, Microsoft have insisted that end users be able to install their own keys and are willing to sign alternative operating systems - Google haven't and aren't. Microsoft could change their mind at any time, but that would lead to complicated contractual disputes that would be likely to attract regulatory bodies. Do I trust Microsoft? No. Do I think it's practical for Microsoft to screw the third-party OS market on x86 hardware at this point? No.

We shouldn't prefer Google merely because they're not Microsoft. We should prefer them because they do better, and in this case they're currently not doing better. I hope that changes.

"Software tools for that are already available and Microsoft requires Windows RT devices to have a jumper that allows replacing keys?"

Existing UEFI implementations all just keep the keys in unsigned form in flash. Acquiring an SPI programmer is left as an exercise for the reader.

Everything that glitters isn't Secure Boot

Posted Feb 7, 2013 11:26 UTC (Thu) by ortalo (guest, #4654) [Link]

I still have the feeeling that all of these firmware-only approaches have primarily been initiated by these manufacturers with the objective of protecting *themselves* (diminishing piracy, enhancing their brand / opposing a competitor, reducing legal risk of liability).

I'd personnaly deny Microsoft or Google so strong efforts towards privacy protection. That's still a "desirable marketing option" for them but not so much more.

What I'd choose to do politically is to support both coreboot and RedHat in their efforts, because those seems to be performed by individuals sincerely adressing general security issues. And much more practically at first occasion repeatedly pay both of you a beer until you end up agreeing on anything related (or not). The next day may bring another light on the issue.