
Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Matthew Garrett grumbles about an apparent Microsoft policy change making it harder to boot Linux on some systems.

So, to have Microsoft, the self-appointed steward of the UEFI Secure Boot ecosystem, turn round and say that a bunch of binaries that have been reviewed through processes developed in negotiation with Microsoft, implementing technologies designed to make management of revocation easier for Microsoft, and incorporating fixes for vulnerabilities discovered by the developers of those binaries who notified Microsoft of these issues despite having no obligation to do so, and which have then been signed by Microsoft are now considered by Microsoft to be insecure is, uh, kind of impolite?



Color me shocked...

Posted Jul 12, 2022 15:27 UTC (Tue) by dskoll (subscriber, #1630) [Link] (25 responses)

Wasn't this always the MSFT end-game? I mean, who is really surprised by this?

Color me shocked...

Posted Jul 12, 2022 16:11 UTC (Tue) by ermo (subscriber, #86690) [Link] (14 responses)

> Wasn't this always the MSFT end-game? I mean, who is really surprised by this?

It's certainly possible.

It is, however, also possible that something happened behind the scenes internally at MSFT that the rest of us aren't (yet) privy to.

Hence, it might pay to hold fire until MSFT is given a chance to respond?

"Never ascribe to malice that which is adequately explained by incompetence" as the saying goes.

Color me shocked...

Posted Jul 12, 2022 16:28 UTC (Tue) by khm (subscriber, #108825) [Link] (7 responses)

> It is, however, also possible that something happened behind the scenes internally at MSFT that the rest of us aren't (yet) privy to.

Does that matter? It's the same end result, the inevitable outcome of anyone engaging in good faith with a massive corporation is always betrayal, generally the moment it becomes possible. The Microsoft apologists knew it was a scorpion, and decided to cross the river with it. I'm not sure that the complicated internal politics of bad behavior are relevant to the resulting bad behavior, unless we're looking to make more excuses.

Color me shocked...

Posted Jul 14, 2022 18:25 UTC (Thu) by carenas (guest, #46541) [Link] (6 responses)

>> It is, however, also possible that something happened behind the scenes internally at MSFT that the rest of us aren't (yet) privy to.
> Does that matter?

Yes, because not giving them first an opportunity to clarify their position to this "apparent" change implies we are assuming bad faith and not willing to give the benefit of the doubt first.

It should be also obvious to anyone following recent news that this is not the biggest concern inside MSFT who just announced layoffs, so the possibility of just being a misunderstanding is more likely than usual IMHO

Color me shocked...

Posted Jul 15, 2022 3:30 UTC (Fri) by linuxrocks123 (subscriber, #34648) [Link] (3 responses)

This isn't exactly a non-story, but it's a mountain-from-molehill type situation. There's a checkbox in the BIOS to enable the third-party key if you want. All they did is disable it by default, which sort of makes sense I guess if the use case is "locked-down corporate office drone machines that we replace every three years, at great expense, even though they're still working fine, because we're morons."

Color me shocked...

Posted Jul 15, 2022 13:57 UTC (Fri) by mattdm (subscriber, #18) [Link] (2 responses)

> There's a checkbox in the BIOS to enable the third-party key if you want.

This is a huge problem. It is hard enough for people to do a Linux install (even if they're not making the problem even harder for themselves by wanting to preserve and dual-boot Windows on the same system).

Adding in "change your BIOS setting" is a big hurdle.

Add in "how you get to your BIOS settings is different on every computer! you probably hit a key during startup. really fast though, before it does other stuff. And what key it is will be different".

Add in "once you are in the settings, you'll get some weird gui, or maybe a text interface which, if you are old enough, you will remember as how your parents may have used computers"

Add in "okay, look around for a section that might have the relevant settings. we don't know what that section is called. it will be different from computer to computer. something with 'boot', or 'security', or something".

Add in "now, in this security section, find, like, the most obscure sub-section you can. excellent. change this one setting, which will have some name that sounds related to what we're talking about. it will probably have a warning telling you not to change it. also, don't change other settings because they might really make your system less secure."

And now, add in "some systems might not even have this setting. hope yours does!"

Color me shocked...

Posted Jul 15, 2022 14:47 UTC (Fri) by excors (subscriber, #95769) [Link] (1 responses)

On the other hand that doesn't sound much different to upgrading from Windows 10 to 11, which requires a TPM. Many people have a firmware TPM that's disabled by default, so they have to go through the BIOS and find the PTT/fTPM option before being allowed to upgrade. Presumably Microsoft doesn't think that's an insurmountable obstacle for most Windows users.

Color me shocked...

Posted Jul 17, 2022 9:44 UTC (Sun) by geert (subscriber, #98403) [Link]

Which proves that the meme "No one ever got fired for buying ..." still applies to Microsoft?

Cfr. people "could not" switch to OpenOffice because it looked different than Microsoft Office, followed by Microsoft introducing "the ribbon"...

Color me shocked...

Posted Jul 15, 2022 23:55 UTC (Fri) by jdulaney (subscriber, #83672) [Link] (1 responses)

This is the same Microshit that bragged about helping put kids in cages.

Color me shocked...

Posted Jul 16, 2022 0:01 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

And Linux is used in North Korea and Russia to replace Windows.

Color me shocked...

Posted Jul 12, 2022 16:37 UTC (Tue) by bpearlmutter (subscriber, #14693) [Link] (2 responses)

How about *not* holding fire, instead going ballistic about this issue, so MS will learn a valuable lesson and be more careful next time? You know, encourage them to develop internal mechanisms to avoid making this kind of screw-up in the future.

This makes sense regardless of whether or not it was accidental.

Color me shocked...

Posted Jul 12, 2022 16:54 UTC (Tue) by donbarry (guest, #10485) [Link] (1 responses)

The community is not served by extending the slightest trust to Microsoft or any other corporate entity in holding the keys for access to widely used hardware platforms.

The only solution is to demand a public trust hold these and administer them on behalf of computer users everywhere.

This is a time when Microsoft stands exposed (again) and such a demand can be raised and escalated. To defer endlessly to Microsoft is to once again lose the moment and either lose the battle now or set up one for a future loss -- nowhere is anything other than a perpetuation of the stalemate of the status quo ante a possibility without fighting for the control to be given up by Microsoft.

Color me shocked...

Posted Jul 13, 2022 16:52 UTC (Wed) by midol (guest, #25855) [Link]

As a matter of actual real-world fact Microsoft has been convicted in open court of criminal monopolism. See here:

https://corporatefinanceinstitute.com/resources/knowledge...

In light of this, the characterization of the Linux community of Microsoft as being untrustworthy is an accurate description, no matter how heatedly presented.

Color me shocked...

Posted Jul 13, 2022 5:14 UTC (Wed) by oldtomas (guest, #72579) [Link] (2 responses)

Remember that corporations aren't people. There's something with corporations I like to call "emergent evil". It may well be that no one personally wants evil [1], but the emerging behaviour (think anthill) still results in that.

So for corporations, I prefer this bastard made of Hanlon's razor and Clarke's third law "Any sufficiently advanced malice is indistinguishable from stupidity".

CYA, plausible denial, diluted responsibility and all that.

For me, this practically means that Microsoft should get as much flak as humanly possible for this.

[1] sometimes, some people very much do, as the current Uber files thing chillingly shows.

Color me shocked...

Posted Jul 13, 2022 12:28 UTC (Wed) by atnot (subscriber, #124910) [Link] (1 responses)

> There's something with corporations I like to call "emergent evil"

I think this is the most useful framework to think about these things.

For example, imagine you are in charge of security at Microsoft. You propose a wide array of security measures. Some of them require additional work in Windows, some of them require work from vendors and some would be easy to enable but require extra development to make work well with other operating systems.

Your boss is tasked with picking which of these things should be the company's priority this year. Which of these do you think will be at the bottom of the list? The measures start to roll out and you receive backlash. You earnestly suggested these security measures in good faith so you will of course defend them and be adamant that their purpose is security. But your good intentions were ultimately irrelevant, because filtered through bad incentives they created emergent evil.

"Is Microsoft good or bad" is a trick question, it's a blind self-feeding machine.

Color me shocked...

Posted Jul 15, 2022 19:09 UTC (Fri) by Wol (subscriber, #4433) [Link]

I dunno about "emergent evil", but there is also "responsibility to your stakeholders", which is a legal obligation, and is rarely thought through by legislators.

Unfortunately, as someone caught up in the disability/benefits/advocacy mess, you very soon realise that people *want* to be helpful, but are seriously constrained in what the law allows them to do (or they're in "cover your ass" mode, because if they don't they know the law will be looking for a scapegoat :-(

It's like GDPR - I don't consider it onerous - but I absolutely insist people I deal with provide me with proof they "opted in". Otherwise I'm setting myself up for an "unfortunate" interview with the police if things turn nasty.

Cheers,
Wol

Color me shocked...

Posted Jul 12, 2022 16:18 UTC (Tue) by paulj (subscriber, #341) [Link] (1 responses)

Yep, this was always the end-game. And no doubt there were discussions here on LWN many years ago predicting this.

This is what you get when you dance with the (monopolistic) devil.

Color me shocked...

Posted Jul 12, 2022 16:59 UTC (Tue) by donbarry (guest, #10485) [Link]

General purpose computing is under attack. That the issue has raised its head again now reflects broader issues in the world, ones aimed against the right to run software of one's choice on one's hardware platform.

The usual boogeymen are trotted out to justify this -- if one can run one's own OS and one's own preferred programs under it, why the terrorists, child pornographers, and drug lords win. Only a criminal or maladjusted type (clearly a future criminal in their thoughtcrime) would be conspiracy mongering against the great corporations and governments in their control of our computing platforms.

Color me shocked...

Posted Jul 18, 2022 1:17 UTC (Mon) by mirabilos (subscriber, #84359) [Link] (7 responses)

Well yeah, not surprising.

I can’t read the article though. Cloudflare is blocking lynx. Can someone copy/paste it into here?

Color me shocked...

Posted Jul 18, 2022 8:46 UTC (Mon) by pabs (subscriber, #43278) [Link] (6 responses)

The copy in archive.org works for me if I accept the cert (not sure why lynx can't auto-validate it):

https://web.archive.org/web/https://mjg59.dreamwidth.org/...

Color me shocked...

Posted Jul 18, 2022 10:55 UTC (Mon) by mirabilos (subscriber, #84359) [Link] (5 responses)

Oh, that works here. It doesn’t for other sites hit by Cloudflare/hCAPTCHA’s willful incompetence.

The answer to your parenthesised question is ECMAScript, and that people consider it a “hacking[sic!] tool” ☹ the lynx mailing list is full of visually impaired people reporting troubles.

Color me shocked...

Posted Jul 19, 2022 4:19 UTC (Tue) by pabs (subscriber, #43278) [Link] (4 responses)

My question was about lynx not accepting the TLS certificate of web.archive.org, not about JavaScript. lynx seems to use GnuTLS for accessing TLS websites, but gnutls-cli accepts the cert just fine, while lynx does not. Other text based and graphical browsers seem to accept the cert fine too.

Color me shocked...

Posted Jul 19, 2022 14:34 UTC (Tue) by mirabilos (subscriber, #84359) [Link] (3 responses)

> My question was about lynx not accepting the TLS certificate of
> web.archive.org

Huh? Works for me…

Color me shocked...

Posted Jul 20, 2022 0:55 UTC (Wed) by pabs (subscriber, #43278) [Link] (2 responses)

This is with the versions of lynx/GnuTLS in Debian bookworm, probably something changed that broke it.

Color me shocked...

Posted Jul 21, 2022 17:20 UTC (Thu) by mirabilos (subscriber, #84359) [Link] (1 responses)

Interesting. I just did this in a cowbuilder chroot (apt-get install lynx ca-certificates) and it works: lynx https://web.archive.org/web/20220717155444/https://mjg59....

Maybe your CA bundle has something disabled or so? Also, (non)gnuTLS tends to use the batch file /etc/ssl/certs/ca-certificates.crt instead of individual files like OpenSSL, which is generated, and I had cases where it was out of date. (The file in sid is 195453 bytes.)

Color me shocked...

Posted Jul 22, 2022 0:02 UTC (Fri) by pabs (subscriber, #43278) [Link]

Turns out the problem was caused by setting LYNX_CFG to an empty file, I guess the global config file in /etc is required for proper TLS support :)

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 12, 2022 16:56 UTC (Tue) by mcon147 (subscriber, #56569) [Link]

I'm surprised that a regulatory body hasn't gotten involved. Seems like a big conflict of interest to have Microsoft control this process

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 12, 2022 17:14 UTC (Tue) by neggles (subscriber, #153254) [Link] (4 responses)

I mean, Microsoft do have a point. The signed EFI shim binary being trusted by default makes Secure Boot almost entirely pointless.

Of course, turning it off doesn’t fix all the other "Secure" Boot issues and bypass methods, so it’s a bit lame and half-assed, but that goes for everything related to W11 in my opinion…

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 12, 2022 23:02 UTC (Tue) by Smon (guest, #104795) [Link] (1 responses)

I totally agree. I don't want somebody else booting their OS on my pc. (Windows or signed Linux).
I use my own secure-boot signing-keys and PCR-7 value for my TPM2.0.

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 14, 2022 0:51 UTC (Thu) by timrichardson (subscriber, #72836) [Link]

Restricting to Microsoft-signed OS might not stop someone booting their own Windows from a portable device, I guess, since I suppose it is signed by Microsoft. But in any case, does this buy much additional security? If someone has physical access to your machine, they could steal it, substitute it (to fool you into using it and then getting keylogged), replace the motherboard (same), and any defences to those attacks (e.g. encryption) would also defend against someone booting another OS, I think.

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 13, 2022 19:50 UTC (Wed) by timrichardson (subscriber, #72836) [Link] (1 responses)

What do you think Secure Boot is supposed to do? It's not supposed to lock a machine to one OS, it ensures the OS you are booting is what you think it is.

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 14, 2022 7:09 UTC (Thu) by Wol (subscriber, #4433) [Link]

What it's supposed to do, and what it actually achieves, are not always one and the same thing.

Given the grief I'm having, and I suspect Secure Boot may be responsible, despite Windows never having touched the laptop ...

The *achievement* may well be to ensure x86 only ever runs Windows.

Cheers,
Wol

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 12, 2022 21:52 UTC (Tue) by flussence (guest, #85566) [Link]

As the kids say, we're at the “finding out” phase.

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 15, 2022 1:13 UTC (Fri) by jdulaney (subscriber, #83672) [Link] (2 responses)

This is the same company that bragged about helping put children in cages.

with apologies to whomever is inconvenienced

Posted Jul 16, 2022 14:52 UTC (Sat) by cbushey (guest, #142134) [Link]

A link to relevant story or at least time/location of event humbly requested. :)

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 17, 2022 17:53 UTC (Sun) by johannbg (guest, #65743) [Link]

In America, prisons and its clients represent a market so it should not come as a surprise to anyone that Microsoft and its partners ( like Tribridge ) have put up and sold an array of surveillance and Big Data analytics solutions to prisons, courts and community supervision programmes and it would be foolish for other software companies not to partake and get a piece of that correctional pipeline cash cow in the states.

It might have bragged about its DAS system, Microsoft Aware, its offender/Youth/Pretrial 360 or some other platforms it's selling but directly bragging about help putting children in cages doubt it since it's bad for biz if it did so link plz where Microsoft is actually doing that.

Garrett: Responsible stewardship of the UEFI secure boot ecosystem

Posted Jul 24, 2022 8:09 UTC (Sun) by ssmith32 (subscriber, #72404) [Link]

Hmmm.. I understand the grumbles (mostly - I'm not as familiar with TPMs & secure boot as I should be..), but I can't help thinking:

(1) Apple locks their computers down a fair bit (particularly if you lump ginormous phones into small computers)

(2) My system76 desktop is not, and never will be, affected by this, as far as I can tell..

(3) My current job, and the few jobs before that, all involved Mac laptops being the standard computer given out.

So, to me, this sounds like yesterday's battle. But MSFT is making lots of money, somehow. So it probably affects some population of people, I'm just not sure who...


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds