Forgot your password?
typodupeerror
Microsoft Red Hat Software Linux

Linus Torvalds Explodes at Red Hat Developer 786

Posted by samzenpus
from the can't-we-all-just-get-along? dept.
sfcrazy writes "Quite a lot of people raised their eyebrows the way ex-Red Hat developer Matthew Garrett made Microsoft the 'universal' control of any desktops PCs running with UEFI secure boot. Though the intentions of Garrett were clear — to enable GNU/Linux to be able to run Linux on Windows 8 certified PCs with secure boot; it was clearly putting Microsoft in a very powerful position. Linus, while a supporter of secure boot, exploded at Garrett and Howells when they proposed its inclusion in the kernel. Linus responded: 'Guys, this is not a d*#@-sucking contest. If you want to parse PE binaries, go right ahead. If Red Hat wants to deep-throat Microsoft, that's *your* issue. That has nothing what-so-ever to do with the kernel I maintain. It's trivial for you guys to have a signing machine that parses the PE binary, verifies the signatures, and signs the resulting keys with your own key. You already wrote the code, for chissake, it's in that f*cking pull request.'" Update: 02/25 17:24 GMT by U L : The headline/article are misleading, since mjg seems to agree that the patch is a bit complicated : "(I mean, *I'm* fine with the idea that they're *@#$ing idiots and deserve to be miserable, but apparently there's people who think this is a vital part of a business model)". The issue at hand is a set of patches to load and store keys inside of a UEFI PE binary which is then passed to the kernel, which then extracts the keys from the binary. It's absurd, it's messy, and it's only needed because Microsoft will only sign PE binaries so not supporting it makes restricted boot even more difficult to support.
This discussion has been archived. No new comments can be posted.

Linus Torvalds Explodes at Red Hat Developer

Comments Filter:
  • by Anonymous Coward on Monday February 25, 2013 @10:48AM (#43002561)

    I'd love to see the two having an argument.

  • by MrBandersnatch (544818) on Monday February 25, 2013 @10:51AM (#43002587)

    me to better understand the issue here?

    • by betterunixthanunix (980855) on Monday February 25, 2013 @11:02AM (#43002783)
      The high-level view is this: Microsoft wants to ensure that nobody can run unapproved software on their home computers. As a first step toward this nightmare, they bullied computer makers into shipping a bootloader signature system that could potentially prevent people from running GNU/Linux. Red Hat, a multibillion dollar GNU/Linux distributor, decided to play along and got a special signing key from Microsoft. Linus apparently does not want to play along (and I commend him for it).
      • by h4rr4r (612664) on Monday February 25, 2013 @11:10AM (#43002885)

        Because Linus knows what we all do, that this will end badly for RedHat. MS will come up with a reason to break booting RedHat later. No one plays with MS and comes out ahead.

      • by gweihir (88907) on Monday February 25, 2013 @11:43AM (#43003375)

        Good summary. A better way to do this is to a) make it easy for users to add keys, like a really obvious box on boot-up: "Do you really, really want to add keys for this new OS you are installing?" and b) have BIOS makers and main-board vendors include the keys for most Linux distros.

        The problem with that is however that secure boot is broken as soon as a single OS maker/distro gets compromised. So while this is better, it still sucks badly, security-wise. "secure" boot is one of the ideas that looks good on first glance, but when you really get into the details it turns out to be fundamentally broken. Its only really reliable function is to make booting/installing anything but Windows harder and possibly infeasible for the average user. And, yes, that includes recovery CDs, utility CDs for restoring backups, hardware diagnostic CDs, etc. MS does not care that it screws over the user as long as their market-share increases. Plain old massively unethical business practices disguised as security feature.

      • by RightSaidFred99 (874576) on Monday February 25, 2013 @02:27PM (#43005509)

        Thank you for the paranoiacs view.

        Now for the real summary. For many, many reasons the ability to securely load and boot an OS with trust starting almost immediately on boot is desirable. This has been implemented as a secure boot facility that can, on x86 platforms, be disabled and which allows the user to install their own keys. It is an open solution.

        For some reason, many OS vendors have decided to piggy back on Microsoft's signing infrastructure and now some guy put forth a shitty approach to doing this that Linus didn't like for technical reasons. There are non-shitty approaches to said solution, but Linux dweebs generally like to attribute all ills to Microsoft so somehow Microsoft (who doesn't even sell any significant number of computers) is at fault.

  • by Stewie241 (1035724) on Monday February 25, 2013 @10:57AM (#43002671)

    So I wasn't clear... Linus is saying he is against merging the code into the kernel, right?

  • whew! (Score:3, Insightful)

    by FudRucker (866063) on Monday February 25, 2013 @10:57AM (#43002679)
    glad Linus knows better than to let microsoft skullfuck him,

    "attaboy" Linus! Kudos :)
    • Re:whew! (Score:4, Insightful)

      by Frosty Piss (770223) * on Monday February 25, 2013 @12:07PM (#43003685)

      And a very good point, but not just Microsoft.

      Torvalds is in a tough key position in that one of his jobs is to keep the kernel "clean" and efficient.

      There are almost certainly many more "vested interests" besides Microsoft that would like to see some special little chunk of code that directly addresses their "proprietary" needs inserted in the kernel. And if this is allowed, in the end we have the mess that is the Windows kernel.

      Seriously, insert [any big corp] into the discussion instead of MS. Oracle comes to mind, and Red Hat was involved here as well...

      Maybe Torvalds sounds like a "douche", but maybe people should know better than to foist dung disguised as kernel patches / additions at him?

  • by Anonymous Coward on Monday February 25, 2013 @10:59AM (#43002707)

    The more I learn about the developers within the tight circle of the Linux kernel the more elite and prickish they sound. That doesn't mean they aren't talented and can do a good job it's just a different environment than one I'd ever want to work in. It's extremely hostile with many competitors (windows, apple) trying to get you to conform so they control you.

    Linus is that grizzly old man in the log cabin who owns 20,000 acres of timber that the logging companies desperately want. Except he has a gun, and he never wears any pants.

  • by Anonymous Coward on Monday February 25, 2013 @11:04AM (#43002817)

    And I speak for all of us when I say, I'm jealous of Linus's talent, success, and natural authority, but most of all, I hate his ability to cut through bullshit and put supercilious poseurs like me in their place.

  • by Anonymous Coward on Monday February 25, 2013 @11:05AM (#43002823)

    As Cardinal Richeleiu is reputed to have said:

    Give me six lines written by the most honest of men, and I will find something to hang him.

    Take it out of context and give it an inflamatory introduction and it looks like an explosion.
    Read the exchange in the original context and it reads like just another frank exchange on the LKML.

  • by Anonymous Coward on Monday February 25, 2013 @11:11AM (#43002891)

    Posting anonymous just to be sure..

    Since i saw a Google Tech Talk with Linus on stage, i certainly like him less.
    http://www.youtube.com/watch?v=4XpnKHJAok8 [youtube.com] (mostly about Git but nonetheless showcasing his persona)

    Linux is great and all, but i am certainly not a fan of Linus anymore. Respect though for his incredible achievements.
    He's a dick the same way Jobs was (also sharing similar strengths regarding vision), and i now realize he basically is a real life Sheldon Cooper, ego humor and everything.

  • Thick Skin (Score:5, Insightful)

    by Bucc5062 (856482) <bucc5062@gmailCOUGAR.com minus cat> on Monday February 25, 2013 @11:20AM (#43003029)

    If you do not have a thick skin in this business you will get eaten up from the inside. I learned that the hard way. This is a business of egos, because this is first a business of Art and Art is ego. Yes, we wrap logic and algorithms around it, but the foundation is a creative process and that is tied to ego.

    The question I have is what happens to Linux after Linus? If he is the Monarch, is there an heir or will Linux slowly begin to splinter without that strong Ego to guide its vision. Seems like the King does not want something added to "his" kernel, but had he disappeared just before his tirade, what would have happened?

    maybe this goes into the deeper question of who (or what) defines the core of a Kernel. For Windows, iOS it seems to be decisions by committee and business need. For Linux? We say it is open source, but with His Holiness issuing colorful decrees, how open is it besides the obvious insurrection approach.

    From what little I've garnered about the man, that was a fairly tame tirade, it does no impact on the progress of Linux and once I finally understood the issue I tended to agree with Linus's view, though with less passion.

  • by T.E.D. (34228) on Monday February 25, 2013 @11:45AM (#43003403)

    My theory is that we all have a Stallman Point, a spot on the spectrum of the slide away from personal computing freedom where we just can't calmly stand around and watch folks push things further the wrong way. It looks to me like Linus just hit his with this "SecureBoot" crapola.

    Sadly, everyone has a slightly different Stallman Point, and folks who haven't yet reached theirs look at someone getting upset and think "what an unreasonable person", while those who are long past theirs look at the same person and say "what a buffoon. If he'd only had this fit back at *my* Stallman Point we could have nipped this in the bud, but now its far too late".

    • by Junta (36770) on Monday February 25, 2013 @12:00PM (#43003615)

      Actually, his criticisms aren't about personal computing freedom and secureboot. His criticism is that crafting a PE executable for the express purposes of containing certificate data is utterly asinine. The correct response would be for MS to accomodate signing data in the more usual ways. I suspect a proposol to wrap the x509 data with a dummy ELF file would be met with similar rejection. The difference being no one would propose such a dumbass approach so we'd never find out, it's only thanks to MS dickishness that such a workaround would even be proposed.

  • by Dcnjoe60 (682885) on Monday February 25, 2013 @12:08PM (#43003693)

    Here's a thought. If having Microsoft being in charge of providing the key as to who gets to boot or not is such a good idea, then it would make just as much sense to have Apple be in charge of the key or even Redhat. Would Microsoft be willing to put Redhat in control of key signing into their kernel? Probably not. Then why should the linux kernel be subjected to Microsoft's control?

    Torvalds is correct on this. It is unfortunate in the way he articulated it, because instead of reasoned argument, it comes across as a flaming rant.

  • Who cares (Score:4, Funny)

    by gorbachev (512743) on Monday February 25, 2013 @12:15PM (#43003789) Homepage

    This would've been a more interesting article, if it discussed the merits or lack thereof, of the RedHat change in the Linux kernel.

    The "drama" the article discusses is of no value to anyone, but the likes of Nerd TMZ (if there was such a thing).

    Can we please stop posting articles such as these? And if someone does post one, can we NOT promote them onto the front page?

  • by Tablizer (95088) on Monday February 25, 2013 @12:34PM (#43004037) Homepage Journal

    l. Linus responded: 'Guys, this is not a d*#@-sucking contest

    That's not cussing, it's Perl. Relax guys.

  • by tekrat (242117) on Monday February 25, 2013 @01:50PM (#43005021) Homepage Journal

    Who should be holding the keys to their computer -- the user of the computer of course! But Microsoft doesn't think that way, they think that they should "own" the PC, and the user just uses it. Might as well be a corporate mainframe with millions of dumb terminals in that case, and that's what we are moving towards.

    Look at the XBOX -- the new one -- It will have to be connected all the time to the internet, to "verify" every game you try to play. So, how long until your PC has to be connected to internet to "verify" your BIOS before it will even boot into an OS?

    And Microsoft holding the keys? What happens if, 6 weeks after we've had this forced on us, MS goes out of business? Or is "bought" in some hostile takeover and then the one server verifying all those keys is removed from service (anyone remember MLB or Danger/Sidekick?)

    We will all have to throw away our machines. And we can't even back them up to recover the data (forget about moving the HD to a new machine with no key'ed BIOS, MS has already seen to that with new DRMs in Win8).

    If we hand MS the keys, MS could destroy the entire PC industry with one mistake. Which would destroy the economy. All those machines all over the world that hold so much data that runs our planet, pfft. And those servers won't be running Linux after all, because MS prevented that from loading years before this tragedy took place.

    And the mistake wouldn't even have to be MS's fault. I mean, how hard would it be for the Chinese to hack their way into the keys and disable the whole thing?

  • by bperkins (12056) on Monday February 25, 2013 @02:55PM (#43005919) Homepage Journal

    I think a lot of folks here are missing the point. The trouble is that the kernel running in secure boot mode has to be able to receive signed keys in a secure way (if you think secure boot is worth anything, many do not).

    Linux running in secure boot mode is a done deal. The question is how do you import keys that are signed by Microsoft. In an ideal world you'd just upload the signed X.509 cert and you'd be done. Unfortunately, Microsoft will only sign PE binaries.

    So the developers opted to enclose the X.509 cert in a PE binary. Unfortunately, that means the kernel needs to be able to read the PE binary and verify the signature all in kernel space, then extract the x,509 cert. This is undeniably messy.

    Now lots of folks will argue that there's no point to this and it should be done in user space. I'm not going ti argue with that, but the reality is that most of the mechanics of this are already implemented, just not the PE stuff. You can sign kernel modules and verify them in kernel space with x.509 certs (at least by my reading of the thread).

    Frankly, I think this is pretty much the only thing to do short of talking MS into signing x509 certs. The other suggested work-arounds involve additional authorities or doing stuff in user space. They are all workable, but are pretty clumsy compared to what's being proposed.

    I think it may have been a mistake to just drop this ugly change on Linus without his involvement. My guess is that if the problem had been stated before coming up with a proposed implementaon, they might have come up with essentially the same solution with less drama.

"The Amiga is the only personal computer where you can run a multitasking operating system and get realtime performance, out of the box." -- Peter da Silva

Working...