Ubuntu Can't Trust FSF's Secure Boot Solution 377
sfcrazy writes "The Free Software Foundation recently published a whitepaper criticizing Ubuntu's move to drop Grub 2 in order to support Microsoft's UEFI Secure Boot. The FSF also recommended that Ubuntu should reconsider their decision. Ubuntu's charismatic chief, Mark Shuttleworth, has responded to the situation during an interview, and explained the reason they won't change their stand on dropping Grub 2 from Ubuntu. Shuttleworth said, 'The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it's hard for them to argue they never would!'"
They expect OEMs to lock machines down? (Score:5, Insightful)
The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up.
So in other words they're anticipating not only that OEMs are going to accidentally or intentionally ship machines running Ubuntu that are locked down so that you cannot boot your own kernels on them but also that they won't be able to convince the OEMs to fix their broken BIOSes to allow users to run their own code. By not using GRUB2 they ensure that said OEMs would have no legal obligations to allow you to run the code you wanted on the PC you'd just bought.
Re:Ubuntu understands users (Score:5, Insightful)
Until Windows 9 requires that Secure Boot can't be turned off and you can't install new keys if you want to ship with a 'Windows compatible' sticker.
FSF may be fruitcakes at times, but on this they're correct. 'Secure Boot' should have been named 'Windows lockin'.
Re:Ubuntu understands users (Score:5, Insightful)
1. Once the technology is deployed, it requires only altering one line of a contract to kill linux on the desktop.
2. Because being able to ensure the OS hasn't been tampered with by the hardware owner is vital for any attempt to make effective DRM schemes.
Re:Ubuntu understands users (Score:5, Insightful)
While FSF just tries to fight their ideological war, Ubuntu takes less hard road and understands why Microsoft needs to employ secure boot. Good for them, and better for Linux.
How is this good for users? Restricted boot environments are about DRM, not about securing the system from malware. Canonical does not care about whether or not people can use the computers they own in the manner they wish to use them, so how is that a good thing?
I do not want to choose between Fedora and Ubuntu; I want to use whatever distro I fancy, and I want to be able to switch distros without jumping through hoops (yes, there are hoops to jump through now; this move by Canonical does nothing to advance any solution to that problem).
I Call Bullshit. (Score:5, Insightful)
It seems to me that Canonical is missing the bigger piece -- which is that the vibrancy of Ubuntu depends on the wider vibrancy of Linux. If Ubuntu jumps into Microsoft's lifeboat and leaves the rest of the GNU/Linux community to sink or swim, Canonical is ultimately slitting their own throat slowly.
Trusting Microsoft over the FSF seems foolhardy at best.
Not quite: They want to still work in a screwup... (Score:3, Insightful)
The expect that an OEM may screw up. In that case, their current solution will still allow users to run their own code except for the bootloader itself.
But if they used a GPLv3 bootloader, they have received advice that they might have to reveal the key when the OEM screws up, because that would be necessary for someone to provide their own bootloader.
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
Re:Grub bugs (Score:4, Insightful)
I miss my grub.conf and menu.lst!
Re:Ubuntu understands users (Score:5, Insightful)
I mean reasons that benefit the user
That never enters the picture; users, in this model, are nothing more than an exploitable resource, a source of revenue for the corporate overlords.
Re:Not quite: They want to still work in a screwup (Score:5, Insightful)
The expect that an OEM may screw up. In that case, their current solution will still allow users to run their own code except for the bootloader itself.
In other words, what we had with OtherOS on the PS3.
But if they used a GPLv3 bootloader, they have received advice that they might have to reveal the key when the OEM screws up, because that would be necessary for someone to provide their own bootloader.
How is that a bad thing? This is not a key that is used to protect military secrets, it's a key that serves exactly one purpose: to prevent people from running modified software.
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
Your freedom to throw punches ends where my face begins. My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.
Re:Ubuntu understands users (Score:5, Insightful)
Everyone knows the Free Software Foundation cannot be trusted, but Microsoft can.
I just got back from vacation...did the universe invert while I was away?
Re:Not quite: They want to still work in a screwup (Score:5, Insightful)
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
The "freedom" to actually be able to run the software you want on the computer you bought? You're right, they suck.
Re:Ubuntu is doing the right thing (Score:5, Insightful)
If the only thing keeping this secure
Secure from what? The goal is not to secure you from a bootloader virus; I doubt that was discussed for more than five minutes while this system was being designed. The goal is to secure DRM systems from you, the user, because of what happened with DVDs and deCSS, what happens with software cracking tools, etc. The goal is to turn PCs into iPads.
This is a trap, designed to rob you of the freedom you have right now, which as it so happens is the freedom that PCs were meant to provide in the first place.
Not quite the flaw you make it sound like, Mark... (Score:5, Insightful)
Yes! Yes, they could - Because it would mean that the OEM had "accidentally" taken away the user's right to do whatever the fuck they want with hardware bought and paid for by that user. And I have no problem with requiring key disclosure in that situation.
Look, Shuttles, we get the idea that you want every bit as much control over Ubuntu as Microsoft has over Windows, and UEFI has the potential to finally fulfill your little wet dream there. You seem to have overestimated your importance in the Linux world, however - If you won't honor the spirit of "free" software, we'll simply use a distro that does.
Why did you go with Linux? (Score:5, Insightful)
I chose it because I could see the sources, update as I see fit, build as I see fit and be able to do a build without clobbering all my installed software.
So why would I suddenly want to chose a closed source Microsoft solution? This is the company, whose practices since 1995 are the major reason why we have malware, viruses and worms.
Such great vision from the start, nobody would even think to remotely try to control your computer, right?
As a mainframe admin I was charged with keeping sneaky bastages out all the time, why didn't Microsoft believe this sort of thing could happen on a PC? To this day they still have gaping holes in security and their transparency is a thing of fantasy.
But Microsoft isn't changing position? (Score:5, Insightful)
As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change
As nice as it is that someone at Microsoft says they will sell $99 keys, we have to plan for a world where leaders change and institutional priorities change
Re:Not quite: They want to still work in a screwup (Score:4, Insightful)
How is revealing the key bad?
Well, how about that it would be revoked! Having the key would allow one to subvert Secure Boot on windows systems, so you can bet dollars-to-doughnuts that if Canonical had to release its key, Microsoft would revoke Canonical's key.
Why are we allowing these "people" to do this? (Score:5, Insightful)
Intel had the bright idea back in the nineties and it was soundly rejected; Intel got a lot of bad publicity and backed off. Then MS came up with "Palladium" [theinquirer.net] ten years ago and it, too, was soundly rejected and MS got yet another black eye.
WTF, people?? FIGHT THIS MADNESS!! This is yet another round of MS's war against all other OSes. This is MS wanting to control YOUR computer. This has no upsides whatever, and is all bad.
Gees, ten years isn't that long, have you folks forgotten already?
Re:Not quite: They want to still work in a screwup (Score:5, Insightful)
Otherwise, they are just legitimizing an attack on user freedoms, despite being the maintainers of the most popular GNU/Linux distribution out there (and despite the fact that those very freedoms are what enabled their entire operation).
Re:Ubuntu understands users (Score:5, Insightful)
If I don't have the keys to my computer, it's not mine.
RMS's The Right to Read [gnu.org] looks less and less paranoid all the time.
Re:Why are we allowing these "people" to do this? (Score:5, Insightful)
Gees, ten years isn't that long, have you folks forgotten already?
Two weeks after 9/11 the USAPATRIOT Act was highly controversial, despite the recent attack, and had sunset provisions.
Ten years later, it's renewed without any real debate.
"Keep us safe from the terr^H^H^H^H rootkits". In both cases the power-hungry gladly assume additional control and remove freedoms.
SECURE BOOT IS A FRAUD (Score:5, Insightful)
Ask yourself, what percentage of a system's time and lifecycle are spent in boot? What percentage of the binary runtime image is loaded in this process?
"Secure boot" is FAKE SECURITY whose ACTUAL risk is GREATER than its SUPPOSED benefit. Lock boot images, and the real security problems for persisting on a host and hiding activity will only move to the next rung on this ladder.
The only thing "Secured" is vendor lock-in.
Sure, you can detect a compromised kernel at boottime. That is a FRACTIONAL coutermeasure, to actual risk. EVERY driver and ring-0 loadable module needs also to be signed. It's bullsht, in the real computing world - unless you have an XBox or iPad model.
Re:Which would be a greater attack on user freedom (Score:5, Insightful)
Now is the time to fight back, not compromise. Bootloader restrictions are a direct attack on free software and user freedom, and the response by Canonical and the Fedora project has been to just lie down and accept that attack.
Re:Not quite: They want to still work in a screwup (Score:4, Insightful)
The FSF's version of freedom is equivalent to nanny-state socialism. They've basically decided that their idea of playing nice needs to be enforced by big stick, and will happily trample over anything and everything that does something they dislike.
In this particular case, Ubuntu wants to place a bootloader that will allow you to load ANY operating system, bypassing the "security" features they dislike in the new UEFI. Ubuntu wishes to ensure that users can boot any operating system they like and run any software they want. Their concern is that the GPLv3 makes provisions by which the FSF could, in this case as the owner of GRUB2, deem that a machine that won't let them replace GRUB2 with something else is in violation of the GPLv3. At that point, they can demand that Ubuntu surrender its encryption keys used to provide secure bootloader verification--which then allows anyone to sign any bootloader they want, thus negating any security features you could leverage out of the bootloader (for example, intentionally instructing it to boot only signed code--keeping the chain trusted, rather than booting a foreign OS as is the option).
The point of contention is where the FSF gets to demand Ubuntu hand over their encryption keys for this particular application because they've decided it's 'unfair' that users don't have the option to replace a bootloader. The GPLv3 is a restrictive license agreement whose provisions do in fact allow the copyright holder to make certain demands about HOW their software is used. Most people fixate on the "Free" part because you're free to distribute and modify the software; but you are also "Obligated" to publish your modifications in source form if published in any form.
The GPLv3 brings restrictions on how you can use the software, such that you must be able to modify it--the hardware you use the software on must be configured to allow the use of modified software (or any other software). 'Jailbreaking' is not a thing with GPLv3 because the vendors would have to supply a way to run custom software. If the Linux Kernel was GPLv3, then you wouldn't have to root any phones to install Cyanogenmod: vendors would be required to provide an official method for the end user to replace the software with custom versions.
The Affero versions of the GPL family of licenses go even further: if you USE a modified version of the software, you must publish its source. That means if you modify an AGPL Web server and use it to serve your Web site, you have to put up the Web server's source code. An AGPL Web application would work the same way: modify an AGPL CMS and you need to publish its source code on your Web site.
These licensing restrictions are important to understand when licensing Free software. Canonical has decided not to license GRUB2 in Ubuntu on UEFI platforms because of potential conflicts between their requirements and the requirements of fulfilling the licensing agreement in certain cases. The FSF is extremely well known for its hard-line enforcement stance and thus there is the concern that they would not negotiate to reconcile technical mistakes, but rather take advantage of them to file a hostile injunction and demand release of encryption keys. The FSF behaves in this way because they have high ideals about what's "good for everybody"--as I said, they are effectively nanny-state socialists and want to get their fingers in everything so they can make people "play nice."
In short, this is why we have many licenses. The FSF uses the GPLv3 because they have their ideals and can support them with the GPLv3 (which, by the way, was born mainly out of the FSF's distaste for locked-down TiVo platforms). Other people still use the GPLv2 because they understand what the GPLv3 entails and their ideals are dissimilar from the FSF--Linux is GPLv2 because the relevant bodies are not sharply against locked-down phones running android, something they could legally prevent with GPLv3. Similarly many people use the BSD and MIT licenses because their philosophy is, "Here is code! Somebody might find this useful!"
Re:Ubuntu understands users (Score:5, Insightful)
Some users prefer walled gardens. They don't know what they've lost.
It's rather stunning how close we are getting to some of the dystopias predicted by the FSF. They seemed silly at the time.
Re:SECURE BOOT IS A FRAUD (Score:5, Insightful)
Boot sector virus is not the target, to be fair.
It's to prevent loading a compromised kernel image. A signed boot-loader chain will only load if uncompromisable with cryptographically verified signatures and checksums.
But this is not the threat to most users, most of the time.
And? If they are dumb or mistaken enough to get an infection that will compromise their OS image and ring-0 loadable software? They are going to be compromised in OTHER WAYS that will NEVER touch the system image. Secure system boot is a good way to protect a boot-loader for encrypted volumes - but not even needed for this to be effective.
It is a security chimera - with more opportunity for mistakes and misuse than protection.
Re:Ubuntu understands users (Score:2, Insightful)
I am not denying that such things exist, but there is no reason for the standard to not require a method to install user generated certificates. It does not have to be easy to do, since it would not have to be done frequently: I could generate my own signing key, then sign as many custom bootloaders as a want to. That is the point of "custom mode," but there is a key problem here: there is no guarantee that custom mode will be available, and there is a mandate for ARM devices that run Windows that custom mode be unavailable.
These sorts of design decisions speak volumes about the purpose and scope of the standard. If the purpose of this standard were to protect users from malware, it would not make room for OEMs to lock users out of their own systems (i.e. right now an OEM has to specifically allow users to enable custom mode, as opposed to having to work to prevent users from doing so). Yes, this will make it much harder to create a bootloader virus, but I would view that as a side effect of the real security goal.
The standard? What standard? How will the OEMs be held to that? By what legal force?
Right now Microsoft does require that user loaded keys and a way to turn off secure boot be enabled for Windows 8 certification. They cannot mandate that to the OEMs, because of the anti-trust case, ironically.
Re:Ubuntu understands users (Score:2, Insightful)
some people like to play. others like to tinker. for many tinkering is play. but for many more it is not. I could build my own PC based DVR. we pay for a Dish-NotATivo. my wife wouldn't tolerate the glitches, the growing pains, the tweaking.
'It just works' is highly valuable to many people. Worth paying for. Especially worth giving up for capabilities they won't use anyway, as they spend their free time not tinkering.
It's not wrong to want a walled garden if it gives you what you want. Those wanting a walled garden shouldn't feel guilty about shifting the market away from open gardens. maybe open gardens get more expensive as the market realizes that most people are happy with walled gardens now that they can be easily created. so it goes.
Re:SECURE BOOT IS A FRAUD (Score:3, Insightful)
This has nothing to do with vendor lock in (in the /. microsoft sense) nor is it really targeted at preventing viruses. It is so that microsoft or apple can sell an OS that is guaranteed to not have been tampered with for content protection enforced at boot time by the hardware.
I imagine there will be ways around this, but it is going to be much harder.
-nB
Re:Not quite: They want to still work in a screwup (Score:5, Insightful)
That’s why I prefer contributing to GPL projects over non-copyleft: I know that helps the fight for a world in which all computer users have the 4 freedoms.
Canonical decided that they no longer care about that which made their founder rich.
GPLv3 just closes some loopholes, so I prefer v3 over v2: more measures to ensure my freedom in the cases where I am a mere user (98% of all the software I interact with).
Re:Not quite: They want to still work in a screwup (Score:4, Insightful)
My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.
THEIR products? You paid for them, they're yours. I'd say you have every right to do anything you damned well please on your own equipment, and the vendor has no rights whatever after he has your cash. His rights are completely unimportant, yours are supremely important.
This is like Ford saying you're only allowed to use Firestone tires, Goodrich aren't allowed.
It's madness to go along with this evil bullshit.
Re:Ubuntu is doing the right thing (Score:4, Insightful)
Actually, I'm pretty sure that personal computers were simply "meant" to be useful to the most people possible
No, PCs were built by people who wanted to own and control their computers, and whose opinion was that everyone else should have that freedom. In the 1960s (years before PCs), IBM, AT&T and other companies were already talking about how to bring computers into offices and homes, by selling computation as a utility. The plan was for you to have a terminal in your house, which would connect to a mainframe, and you would pay by the CPU hour, by the storage you used, etc. The computer itself would be equipment owned and operated by the utility.
The point of PCs was to give you a computer that you owned and operated, rather than one you rented. You could install whatever hardware you wanted, you could run whatever software without worrying about the bill, you could modify the system in arbitrary ways. It was never a choice between PCs and having no computer access, it was a choice between PCs and renting time on some mainframe.
Perhaps sad for those of us who tinker, but whether or not the bootloader is locked will have zero impact on the vast majority of personal computer users...
I disagree; stronger DRM means tighter controls on what people can do. Copy a movie to your tablet, so you can watch it on the go? That will be something people will be forced to pay for, or even forbidden from doing in the first place. This is not just about hackers. Ordinary people often have no idea what their computer is truly capable of because they are using software, and now hardware, that is designed to restrict them.
It's also sensationalist to assume that those of us who do tinker will not still have plenty of hardware options
Yeah, but we may be forced to make decisions that we would not have had to make otherwise. What if dual booting becomes impossible, because Windows will not run on a system without these restrictions? That will stop a lot of people -- people who cannot afford two computers (like me when I was in middle school) and who cannot give up Windows.
Either turn off "secure boot" (buy x86)
Not necessarily easy to do; OEMs do not have to cooperate and enable custom mode, let alone allow you to disable the feature entirely.
you may also just build your PC yourself
There is no guarantee that Windows will actually run on such a system. Look at the effort required to get Mac OS X running on a homebrew system; what reason does Microsoft have to make Windows available on a home-built system? Maybe only OEMs will get to do that, or maybe only OEMs will be allowed to install Windows with support for certain entertainment services (e.g. Netflix), etc.
I know that it is a little paranoid, but Microsoft does not have a history of being soft on these things. Remember when they integrated Internet Explorer into the desktop? If Microsoft is pushing this because they envision the future of home computer as being entertainment-oriented -- and I strongly suspect that this is the case -- it is reasonable to assume that they will do everything they can to create a "media ecosystem." Why shouldn't OEMs be cutting deals with media companies? Why wouldn't Microsoft want to position Windows as the software that is used for that purpose? This is something that will probably make a lot of money, for Microsoft and the OEMs that ship Windows systems, and the entertainment companies. Perhaps homebrew systems will also get access -- for a price, and probably a higher price than what OEMs pay.
Of course servers won't have locked bootloaders, either.
I used to think this, but I am not so sure about that anymore. Why not have locked bootloaders on servers? There is a larger security concern there (the stakes are much higher; even if bootloader rootkits are a ra