LWN: Comments on "Fedora, secure boot, and an insecure future"

Fedora, secure boot, and an insecure future

mjg59 — Thu, 21 Jun 2012 13:10:47 +0000

Nothing. Then you just have to get every manufacturer to include them. If you want to run a signing service then you'd also need to handle identity verification, key security and revocation. That's likely to cost rather a lot

Fedora, secure boot, and an insecure future

jimbo — Thu, 21 Jun 2012 06:09:49 +0000

Can't we get our own set of keys? This would ensure that we don't have to rely on Microsoft being good guys in the future.

Just how much do UEFI signing keys cost?

--
jimbo

Fedora, secure boot, and an insecure future

Cyberax — Wed, 20 Jun 2012 19:53:23 +0000

>The OS cannot verify what the firmware tells it, so this information is not useful for DRM.
That's temporary. The next step is integration with TPM to measure the UEFI integrity.

Fedora, secure boot, and an insecure future

BenHutchings — Wed, 20 Jun 2012 18:45:46 +0000

They know or will know how to disable secure boot and it would not deter them from using Linux if they could do.

What if they're installing it for someone else? Having to find and disable that option is an additional barrier; you'll probably spend the time to do it for your own PC but are more likely to give up on someone else's. Also, what if the other person is a bit naive about downloading programs and would benefit from that protection against malware?

Paying $99 is just supporting and putting Microsoft in a better position than they are now...

The money goes to Verisign, supposedly subsidised by MS.

Well we just edit the kernel... but hang on that windows update last week meant I can no longer disable secure boot....

But you can run it in a VM in which you have a modified UEFI that always says 'Secure Boot is enabled'. The OS cannot verify what the firmware tells it, so this information is not useful for DRM.

PC suppliers, and the commercial impact of secure boot on them

BenHutchings — Wed, 20 Jun 2012 18:35:23 +0000

You can't install an OS you don't trust and somehow configure it into an OS you do trust. How can you know it really follows your configuration, and doesn't have a secret backdoor?

Fedora, secure boot, and an insecure future

Cyberax — Mon, 18 Jun 2012 19:24:30 +0000

I'm using my homegrown secure boot + remote attestation solution for physical security of servers containing medical data. Right now it's cobbled from BIOS with TPM support.

Ultimately, secure boot is a good thing. However, the way it's being implemented is far from perfect. By about ten light-years.

Fedora, secure boot, and an insecure future

mathstuf — Mon, 18 Jun 2012 19:06:46 +0000

What's wrong with the kernel (and other software) being compatible? Should a company or school not be allowed to force that students use their vetted Linux distro/version combo rather than some custom distro? I would like to ensure my servers are using the right versions of things. I'd use my own key, but if we said "Linux shouldn't even support SecureBoot" then this isn't possible. Having a distro get a key from Microsoft or using its own key are separate things.

Fedora, secure boot, and an insecure future

josephkliener — Mon, 18 Jun 2012 15:32:41 +0000

Actually it is more than $99.

It is also the wasted time and red hat or community money and resources making a secure boot compatible kernel... this is $100,000's of work and man hours.

PC suppliers, and the commercial impact of secure boot on them

josephkliener — Mon, 18 Jun 2012 15:22:36 +0000

I trust myself. I would not even trust red hat with a forced global key. At least with the repository PGP keys it is my choice to install them. They don't come pre-installed.

Fedora, secure boot, and an insecure future

josephkliener — Mon, 18 Jun 2012 15:09:20 +0000

Time and time again, it was even said by Linus himself. Linux should be focusing on pre-installed systems.

The user who knows how to download Linux, put it onto a USB stick or USB, restart their computer (potentially have to press the boot menu key for their computer) and run or install Linux. They know or will know how to disable secure boot and it would not deter them from using Linux if they could do. The user that Fedora and Gnome 3 are tailoring their user friendliness to does not exist. 99% of people if it does not come pre-installed they will not change. How do you think people find about Linux? Is there any T.V. Advertising? This kind of attitude is ridiculous. Paying $99 is just supporting and putting Microsoft in a better position than they are now... which currently is failing in every market. Some of these guys are so old and stuck in the 90's thinking that Microsoft on desktop is still the relevant target. The Tablet and Mobile market and some lesser extent Mac is where it is all concentration is at the moment, and you guys are ignoring ARM (which may be a waste of time or it may overtake x86). Secure boot and Windows 8 are aimed for high-end systems currently (e.g. ultrabooks), and these are going to be direct competition with MacBookPros and iPads.... if you were an un-informed consumer, who could not disable secure boot which one would you buy?

Also I have no idea why you cannot see that Secure Boot is supportive of a DRM system. Sure if you are talking proper access control, with a crypto module and tamper resistance, and remote attestation. Yes it does not support that. But what sort of DRM do we have at the moment? Well it is software based, and can be circumvented by say, using software to dump the memory or effectively installing your own root kit. Well what happens if Windows supports software DRM at the kernel level and prevents memory dumping of a certain application? You have to edit the kernel to circumvent the DRM for your system. What happens if at the kernel level it requires the user space code to be signed by Microsoft and downloaded from the Microsoft store. Well we just edit the kernel... but hang on that windows update last week meant I can no longer disable secure boot.... I cannot boot if I try to circumvent the DRM... Okay so I will have to flash the hardware manually... wait a minute the manufacturer has hard coded their certificate into the chip... crap DMCA territory.

This is exactly how the iPhone works and jailbreaking iPhones has a specific exception granted to it that might or might not be granted if secure boot was one day disallowed from being disabled.
Sure their are ways around certain aspects, the system does not have any real unique identifier that cannot be faked, but as it stands currently windows advantage or whatever uses a bunch of ridiculous random hashes of bios, cpu, driver information. The uniqueness required for DRM is included in the software key, which will disable windows update, etc. if it detects it is circumvented already.
Companies want DRM at any level, they would even accept obfuscation as a form of DRM if they thought it would stop even 1 person from pirating their stuff. All it takes it one person to go.... hey wait a minute if we stop people from disabling secure boot we could be in a better place than we are now.... this would trump whatever anti-trust people would through our way.

Sure you could install pirated software on a pirated copy of windows on a computer without secure boot. But in 5 years time you will be stuck with old hardware, as everything you want to buy will come with secure boot.

I mean another example could be on a system with windows 8 starter, black list the signatures for windows 8 home, and premium, ultimate etc. then if they purchase the upgrade you use windows update and the manufacturer's key to un-blacklist the version of windows they purchased. How can you say this is not DRM...

Coreboot support and linux on pre-installs is the way forward. That $99 could be spent elsewhere. Save the pennies and the dollars will look after themselves

PC suppliers, and the commercial impact of secure boot on them

jdobbs1010 — Fri, 15 Jun 2012 22:43:08 +0000

The company where I work has recently migrated from Windows XP to Windows 7 as the standard corporate desktop for its entire workforce. Its taken them a long time and a lot of money to do this. I doubt they will be rushing out to buy Windows 8/secure boot hardware for a few years to come. I've also read in the IT press how Windows 8 is likely to flop like Vista. I suspect there's going to be a lot of Windows 7 desktops around for quite some time to come in the corporate world. Which means corporate PC suppliers (HP etc) must sell PCs that can have this feature disabled if they want the corporate business. I am imagining a little switch at the back, turning secure boot on and off, like the little piece of plastic on 3 1/2 inch floppies to toggle the read-only. Worse for the casual user would be a jumper on the motherboard (if motherboards still have jumpers nowadays)

Another question raised in the comments was 'who would step up and manage a key independently of Microsoft'. What about a big PC vendor? They surely have in interest in it, and might get a competitive advantage - as long as its OK to have 2 keys on the same machine, then why wouldn't they? (apart from risking Microsofts ire). They could even charge something for a 'free software key'. I'd be happier paying that, than a Microsoft tax.

That said, the whole scheme is a recipe for abuse by commercial interests. Some entity has to manage the keys, and hence has power over the hardware owner. Power corrupts etc. Who would you trust - Microsoft? HP? Verisign? Your government? Redhat board of directors? Those Debian fanatics? FSF? Pick your poison!

Fedora, secure boot, and an insecure future

JanC_ — Thu, 14 Jun 2012 13:52:52 +0000

Those numbers were for sales last year BTW.

Fedora, secure boot, and an insecure future

JanC_ — Thu, 14 Jun 2012 13:51:15 +0000

Canonical mentioned recently that they know about something between 8-10 million computers being sold with Ubuntu pre-installed by OEMs. That's already more than the number of PCs sold with Mac OS X pre-installed, and I'm sure it's more than enough for MBAs not to laugh at it...

Fedora, secure boot, and an insecure future

mjg59 — Thu, 14 Jun 2012 12:05:33 +0000

Right now you can't buy any motherboards that implement secure boot at all. No signed operating systems have been released yet - what would the boards boot?

Fedora, secure boot, and an insecure future

mjg59 — Thu, 14 Jun 2012 12:03:58 +0000

That's why you're able to revoke binaries at the firmware level.

Fedora, secure boot, and an insecure future

tonyblackwell — Thu, 14 Jun 2012 09:51:22 +0000

lLts of erudite discussion here, but I can't find anything relating to the immediate practical problem. Are there any currently available motherboards which implement UEFI but also provide a BIOS way to disable secure boot for linux?

From my attempted discussions with Gigabyte and ASUS the answer from both of these appears to be 'no', although it was conducted in English text with folk who may have missed the point.

Amoungst our community, does anyone have higher-level contacts than just their generic web interface to get some answers? - or at least discuss the issue?

Fedora, secure boot, and an insecure future

kevinm — Thu, 14 Jun 2012 05:07:57 +0000

It doesn't matter if you release an update for the signed bootloader that refuses to boot the known-buggy kernel, because the original signed bootloader that *doesn't* have that update is still out in the wild. Malware that wants to take over Windows machines will simply use the un-updated signed bootloader together with the signed buggy kernel.

Fedora, secure boot, and an insecure future

bronson — Tue, 12 Jun 2012 01:37:19 +0000

Complex, proprietary wireless stacks covered by tenuous patents.

Custom key management

nix — Mon, 11 Jun 2012 12:14:13 +0000

removing all existing keys and uploading a local key

That sounds like you think that uploading a local key should require removal of the existing ones. Thanks, but no thanks: being able to boot from distro-provided rescue CDs is sometimes very useful!

Fedora, secure boot, and an insecure future

cortana — Mon, 11 Jun 2012 11:50:58 +0000

I've come to begrudgingly accept that proprietary graphics drivers are a fact of life, but I really don't understand the recent (or so it seems to be) fetish with proprietary ethernet drivers! A decade ago any cheap PC had an onboard VIA or Realtek ethernet interface that worked fine with open drivers... what has changed?

Fedora, secure boot, and an insecure future

nix — Mon, 11 Jun 2012 11:37:09 +0000

I'd have assumed that... but the company I bought Linux hardware from last is now selling machines advertised as 'Linux-friendly', every one of which requires a binary-only module for its network card and another binary-only module for its graphics. So allowing user recompilation of kernels doesn't seem to be a long way up vendors' priority lists :(

Fedora, secure boot, and an insecure future

raven667 — Sat, 09 Jun 2012 01:27:33 +0000

Yep, Fedora is not playing that game, they aren't going to to ship for Win8 logo ARM machines for this very reason.

Fedora, secure boot, and an insecure future

wookey — Sat, 09 Jun 2012 00:28:30 +0000

Except on ARM where you don't get the option of disabling it.

Fedora, secure boot, and an insecure future

raven667 — Fri, 08 Jun 2012 16:54:16 +0000

Hardware with the Win8 logo will be shipping with secure boot enabled by default, the MS keys loaded by default and must have the option to disable secure boot, they may also have the option to load their own keys. Fedora will be having their bootloader signed by MS because it's user-unfriendly to require a trip to the firmware to modify secure boot settings before booting an install CD. If you want to install custom software or older software (Win7 or whatever) you will have to fiddle with the firmware in any case.

Fedora, secure boot, and an insecure future

raven667 — Fri, 08 Jun 2012 16:33:04 +0000

> Fortunately there are other comments on this article that claim that disabling is practically important for Microsoft, so there's hope...

The obvious being that Win7 doesn't support secure boot and will need to run on Win8 hardware for the foreseeable future, both for home users and businesses. Maybe in 10+ years we'll be having this discussion again, but probably not before then unless secure boot somehow comes to Win7 via a service pack or something (and if MS are content to leave behind users who can't/won't upgrade software).

Fedora, secure boot, and an insecure future

dgm — Fri, 08 Jun 2012 13:13:47 +0000

>> As long as you have local key management and the option to disable your rights have not been infringed in _any_way_.

> This simply isn't the case. Free Sofware— and the success of our ecosystem— depends on not just the ability to be personally free but to have the freedom to pass those rights on to other people.

Gentlemen, you need to realize that the problem is not Fedora or what they do. The problem lies in those distributing Fedora, that is, the OEMs. If System77 or Dell ships a laptop with Fedora preinstalled, then they are the ones that _have_ to instruct the user on how to change the keys, should they want to.

Fedora is just trying to be nice to people that didn't chose a preinstalled system, and instead just want to test the distro in hardware blessed for Windows 8. That you can do this is GOOD.

Fedora, secure boot, and an insecure future

drago01 — Fri, 08 Jun 2012 10:27:06 +0000

You still have this right (with or without secure boot). Fedora has no obligation by *any* license that can be called free to help your fork. Either by making there software less usable or anything else. All they have to do is to provide you the source and tools needed to create the fork.

And they *do* that. You have the source. You have the tools. If you want to sign it ... fine pay the 99$ and go ahead. If you don't or even can't (because you cannot afford the 99$) that's fine as well this does not make the software any less free.

By your logic Fedora is not free already because they have a competitive advantage over forks by having infrastructure (builders, mirrors, bug tracker...). All those cost way more then the stupid 99$. Oh and the trademark and marketing budget.

This is not that hard to understand really.

Fedora, secure boot, and an insecure future

ballombe — Fri, 08 Jun 2012 09:56:55 +0000

> Only if you want to be signed by the existing Verisign/MS authority, you can always be your own authority and have the end-user load keys in by hand.

So far no evidence that 'loading key by hand' will be actually possible has been provided, and indeed this is one of the premise of the Fedora decision. You cannot have it both way.

LWN: Comments on "Fedora, secure boot, and an insecure future"

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

PC suppliers, and the commercial impact of secure boot on them

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

PC suppliers, and the commercial impact of secure boot on them

Fedora, secure boot, and an insecure future

PC suppliers, and the commercial impact of secure boot on them

Other long term problems

Other long term problems

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Other long term problems

Other long term problems

Other long term problems

Fedora, secure boot, and an insecure future

Other long term problems

Other long term problems

Other long term problems

Other long term problems

Custom key management

Other long term problems

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future

Other long term problems

Fedora, secure boot, and an insecure future

Other long term problems

Fedora, secure boot, and an insecure future

Fedora, secure boot, and an insecure future