
Ubuntu Can't Trust FSF's Secure Boot Solution 377

sfcrazy writes "The Free Software Foundation recently published a whitepaper criticizing Ubuntu's move to drop Grub 2 in order to support Microsoft's UEFI Secure Boot. The FSF also recommended that Ubuntu should reconsider their decision. Ubuntu's charismatic chief, Mark Shuttleworth, has responded to the situation during an interview, and explained the reason they won't change their stand on dropping Grub 2 from Ubuntu. Shuttleworth said, 'The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it's hard for them to argue they never would!'"
  • by makomk ( 752139 ) on Friday July 06, 2012 @11:46AM (#40564741) Journal

    The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up.

    So in other words they're anticipating not only that OEMs are going to accidentally or intentionally ship machines running Ubuntu that are locked down so that you cannot boot your own kernels on them but also that they won't be able to convince the OEMs to fix their broken BIOSes to allow users to run their own code. By not using GRUB2 they ensure that said OEMs would have no legal obligations to allow you to run the code you wanted on the PC you'd just bought.

• They expect that an OEM may screw up. In that case, their current solution will still allow users to run their own code except for the bootloader itself.

      But if they used a GPLv3 bootloader, they have received advice that they might have to reveal the key when the OEM screws up, because that would be necessary for someone to provide their own bootloader.

      Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".

      • by betterunixthanunix ( 980855 ) on Friday July 06, 2012 @12:05PM (#40565011)

        They expect that an OEM may screw up. In that case, their current solution will still allow users to run their own code except for the bootloader itself.

        In other words, what we had with OtherOS on the PS3.

        But if they used a GPLv3 bootloader, they have received advice that they might have to reveal the key when the OEM screws up, because that would be necessary for someone to provide their own bootloader.

        How is that a bad thing? This is not a key that is used to protect military secrets, it's a key that serves exactly one purpose: to prevent people from running modified software.

        Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".

        Your freedom to throw punches ends where my face begins. My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.

        • by nweaver ( 113078 ) on Friday July 06, 2012 @12:16PM (#40565155) Homepage

          How is revealing the key bad?

          Well, how about that it would be revoked! Having the key would allow one to subvert Secure Boot on Windows systems, so you can bet dollars-to-doughnuts that if Canonical had to release its key, Microsoft would revoke Canonical's key.

          • by betterunixthanunix ( 980855 ) on Friday July 06, 2012 @12:24PM (#40565269)
            That's the point of GPLv3: if these OEMs want to screw things up, then they have to deal with not getting to run GPLv3 software. If Canonical wants to make these "certified" hardware systems, then they should do one of the following:
            1. Require that all certified systems ship with custom mode enabled by default, or that they ship without any restricted boot environment
            2. Produce a separate key for every OEM, so that if one OEM screws up, they lose their Ubuntu certification without affecting other OEMs.

            Otherwise, they are just legitimizing an attack on user freedoms, despite being the maintainers of the most popular GNU/Linux distribution out there (and despite the fact that those very freedoms are what enabled their entire operation).

            • by nweaver ( 113078 ) on Friday July 06, 2012 @12:30PM (#40565329) Homepage

              Which is a greater attack on user freedom?

              a) Not being able to change the bootloader?

              b) Not being able to install on new systems without changing EFI settings because the signing key got revoked?

              Canonical chose "A". Fedora chose A, too, btw, because they didn't sign grub, but built a "pre-bootloader-bootloader" to load Grub.

              • by betterunixthanunix ( 980855 ) on Friday July 06, 2012 @12:37PM (#40565419)
                Except that Canonical is in a position to demand that EFI boot restrictions be disabled by default. That does not seem to have entered the picture, because they do not care about user freedom. I disagree equally with Fedora's approach, because I personally switched away from Fedora when I disagreed with some changes they made, and this boot restriction system will make that harder to do.

                Now is the time to fight back, not compromise. Bootloader restrictions are a direct attack on free software and user freedom, and the response by Canonical and the Fedora project has been to just lie down and accept that attack.
        • by mcgrew ( 92797 ) * on Friday July 06, 2012 @02:48PM (#40567477) Homepage Journal

          My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.

          THEIR products? You paid for them, they're yours. I'd say you have every right to do anything you damned well please on your own equipment, and the vendor has no rights whatever after he has your cash. His rights are completely unimportant, yours are supremely important.

          This is like Ford saying you're only allowed to use Firestone tires, Goodrich aren't allowed.

          It's madness to go along with this evil bullshit.

      • by 0123456 ( 636235 ) on Friday July 06, 2012 @12:07PM (#40565033)

        Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".

        The "freedom" to actually be able to run the software you want on the computer you bought? You're right, they suck.

        • by bluefoxlucid ( 723572 ) on Friday July 06, 2012 @12:46PM (#40565551) Journal

          The FSF's version of freedom is equivalent to nanny-state socialism. They've basically decided that their idea of playing nice needs to be enforced by big stick, and will happily trample over anything and everything that does something they dislike.

          In this particular case, Ubuntu wants to place a bootloader that will allow you to load ANY operating system, bypassing the "security" features they dislike in the new UEFI. Ubuntu wishes to ensure that users can boot any operating system they like and run any software they want. Their concern is that the GPLv3 makes provisions by which the FSF could, in this case as the owner of GRUB2, deem that a machine that won't let them replace GRUB2 with something else is in violation of the GPLv3. At that point, they can demand that Ubuntu surrender its encryption keys used to provide secure bootloader verification--which then allows anyone to sign any bootloader they want, thus negating any security features you could leverage out of the bootloader (for example, intentionally instructing it to boot only signed code--keeping the chain trusted, rather than booting a foreign OS as is the option).

          The point of contention is where the FSF gets to demand Ubuntu hand over their encryption keys for this particular application because they've decided it's 'unfair' that users don't have the option to replace a bootloader. The GPLv3 is a restrictive license agreement whose provisions do in fact allow the copyright holder to make certain demands about HOW their software is used. Most people fixate on the "Free" part because you're free to distribute and modify the software; but you are also "Obligated" to publish your modifications in source form if published in any form.

          The GPLv3 brings restrictions on how you can use the software, such that you must be able to modify it--the hardware you use the software on must be configured to allow the use of modified software (or any other software). 'Jailbreaking' is not a thing with GPLv3 because the vendors would have to supply a way to run custom software. If the Linux Kernel was GPLv3, then you wouldn't have to root any phones to install Cyanogenmod: vendors would be required to provide an official method for the end user to replace the software with custom versions.

          The Affero versions of the GPL family of licenses go even further: if you USE a modified version of the software, you must publish its source. That means if you modify an AGPL Web server and use it to serve your Web site, you have to put up the Web server's source code. An AGPL Web application would work the same way: modify an AGPL CMS and you need to publish its source code on your Web site.

          These licensing restrictions are important to understand when licensing Free software. Canonical has decided not to license GRUB2 in Ubuntu on UEFI platforms because of potential conflicts between their requirements and the requirements of fulfilling the licensing agreement in certain cases. The FSF is extremely well known for its hard-line enforcement stance and thus there is the concern that they would not negotiate to reconcile technical mistakes, but rather take advantage of them to file a hostile injunction and demand release of encryption keys. The FSF behaves in this way because they have high ideals about what's "good for everybody"--as I said, they are effectively nanny-state socialists and want to get their fingers in everything so they can make people "play nice."

          In short, this is why we have many licenses. The FSF uses the GPLv3 because they have their ideals and can support them with the GPLv3 (which, by the way, was born mainly out of the FSF's distaste for locked-down TiVo platforms). Other people still use the GPLv2 because they understand what the GPLv3 entails and their ideals are dissimilar from the FSF--Linux is GPLv2 because the relevant bodies are not sharply against locked-down phones running android, something they could legally prevent with GPLv3. Similarly many people use the BSD and MIT licenses because their philosophy is, "Here is code! Somebody might find this useful!"

          • by Anonymous Coward on Friday July 06, 2012 @02:00PM (#40566643)

            That’s why I prefer contributing to GPL projects over non-copyleft: I know that helps the fight for a world in which all computer users have the 4 freedoms.

            Canonical decided that they no longer care about that which made their founder rich.

            GPLv3 just closes some loopholes, so I prefer v3 over v2: more measures to ensure my freedom in the cases where I am a mere user (98% of all the software I interact with).

          • by higuita ( 129722 ) on Friday July 06, 2012 @02:15PM (#40566919) Homepage

            You don't understand GPL.

            GPL is there to allow the final user to do whatever he wants with his hardware.

            A developer is not the final user; if he wants to use GPL code, he must give the same rights he received to everyone.
            GPL2 had some holes that allowed some developers/builders to take the work of others and not give back what they should.
            GPL3 was made to fix those holes... yep, some people that were abusing the GPLv2 holes didn't like it, but bad luck, it's not their code.

            If you don't like that license, don't use programs with it and start over with your preferred license. You are not important, the final users are!

            So here is the global view:
            GPL is to give ALL power to the final users
            Closed source gives all the power to the product owners/builders... the user loses freedom
            BSD/MIT gives all the power to the developer and hope that product owners/builders are nice to not take the user freedom...

            <sarcasm>everyone knows that companies are always nice to the users!!</sarcasm>

            • If you don't like that license, don't use programs with it and start over with your preferred license. You are not important, the final users are!

              Isn't that exactly what Ubuntu is doing here, but the FSF is still objecting?

    • by jmorris42 ( 1458 ) * <jmorris AT beau DOT org> on Friday July 06, 2012 @12:15PM (#40565145)

      It gets better. Ubuntu is assuming this lockdown will be happening with OEMs they have a contractual relationship with.

      Think about it. I put out Unknown Hacker Linux with a boot loader signed by me. I publish it on my website somewhere. Evil Bit Computers downloads it and installs my public key into the firmware of machines that they then sell to the public in a totally locked state. A buyer of one of those machines decides they want to wipe the preload and install Windows 8. They go to Evil Bit and demand the keys per the GPL3 and get an Evil Laugh(TM). Then they come to me and demand the signing key and I tell them, I feel your pain but I'm sorry I can't do that because it would compromise every machine installed with packages signed by that key. And they couldn't do a darned thing to me legally because I have no relationship to Evil Bit Computers. If push came to shove Evil Bit could be required to issue new firmware allowing rekeying or they could be barred from distribution of GPL3 software. But I'd never see the inside of the courthouse.

      And now you know why I have never considered Ubuntu. Never could say why, but they have always given off a 'wrong' vibe. Best explanation would be the short story _Young Zaphod Plays It Safe._ Just an undefined unease with em.

    • by mcgrew ( 92797 ) * on Friday July 06, 2012 @12:22PM (#40565251) Homepage Journal

      Intel had the bright idea back in the nineties and it was soundly rejected; Intel got a lot of bad publicity and backed off. Then MS came up with "Palladium" [theinquirer.net] ten years ago and it, too, was soundly rejected and MS got yet another black eye.

      WTF, people?? FIGHT THIS MADNESS!! This is yet another round of MS's war against all other OSes. This is MS wanting to control YOUR computer. This has no upsides whatever, and is all bad.

      Gees, ten years isn't that long, have you folks forgotten already?

  • by Hatta ( 162192 ) on Friday July 06, 2012 @11:49AM (#40564795) Journal

    Grub2 is an epic piece of shit anyway.

    • by jmorris42 ( 1458 ) *

      > Grub2 is an epic piece of shit anyway.

      Not exactly. It is epic. In that it is trying to live up to the "Grand" in its name. But it has to be admitted that it is in one important way inferior to GRUB 1. The big advantage of GRUB over LILO was that you didn't have to worry about an unbootable machine if you changed anything and forgot to 'rerun lilo'. GRUB2 brings those bad days back with its mammoth configuration file spread into shards in /etc/ to make it possible for scripts to manipulate it in a

      • Re: (Score:3, Informative)

        by Hatta ( 162192 )

        The big advantage of GRUB over LILO was that you didn't have to worry about an unbootable machine if you changed anything and forgot to 'rerun lilo'.

        Which was never a big deal anyway. Just boot from external media, run lilo, and reboot. Worked every single time. Why is that worth writing a whole new boot loader over?

        Grub on the other hand would occasionally hose itself for no reason. Booting from external media and running 'grub-install' or 'update-grub' usually worked, but I still had one system that g

  • Grub bugs (Score:4, Interesting)

    by Twinbee ( 767046 ) on Friday July 06, 2012 @11:51AM (#40564821)
    I know this is offtopic, but just a quick request to the powers that be. I tried installing Ubuntu a while back, and 'Grub' not only made Ubuntu boot by default, but also wouldn't allow any easy way to change that to Windows. In addition to that, uninstalling Grub proved to be very cumbersome.

    I'm sure many would be far less patient than me, so it may help perceptions of Linux/Ubuntu if some of the basics were in place.
    • At least Linux Mint's installer, and I think Ubuntu's as well, figure out that Windows is already on your system during the install process, and set up Grub so you can easily just choose "Windows" when the computer is booting up.

      In other words, the "powers that be" know about the problem, and have a pretty good solution in place right now.

    • Re:Grub bugs (Score:4, Insightful)

      by CanHasDIY ( 1672858 ) on Friday July 06, 2012 @12:00PM (#40564945) Homepage Journal
      The worst part (of Grub2, IMO) is, you can't even make configuration changes without blindingly painful, self-inflicted dental surgery, [linuxers.org] or installing a separate, non-default GUI package (startup-config-manager or some such shit) to your Ubuntu box.

      I miss my grub.conf and menu.lst!
      • Oh noes! Instead of editing /boot/grub/grub.cfg I edit /etc/grub.d/X. The world is ending I say!

        Of course you could just edit the file anyway and not run the generator script ever again, but that would be too complicated I guess....

  • I Call Bullshit. (Score:5, Insightful)

    by darkonc ( 47285 ) <stephen_samuelNO@SPAMbcgreen.com> on Friday July 06, 2012 @11:56AM (#40564889) Homepage Journal
    Canonical can't be held responsible for somebody else's screw-up. If Canonical distributes GRUB consistent with the GPL3, then their responsibility is done. If somebody else screws up by distributing GRUB in a non-conformant way, then all they can do is ask Canonical to distribute their private key to get the manufacturer's bacon out of the fire. Canonical would then be free to laugh at them.

    It seems to me that Canonical is missing the bigger piece -- which is that the vibrancy of Ubuntu depends on the wider vibrancy of Linux. If Ubuntu jumps into Microsoft's lifeboat and leaves the rest of the GNU/Linux community to sink or swim, Canonical is ultimately slitting their own throat slowly.

    Trusting Microsoft over the FSF seems foolhardy at best.

    • Part of the vision is that you should buy a Ubuntu system, right? In this case, Canonical is working with the OEMs to produce a certified system.

      Thus if one of the OEMs screws up, Canonical does have a relationship with the product, as provider of the software, and may, under the GPLv3's "anti-TiVoization" clause, have to provide the signing key.

      This is "Better to avoid the problem altogether"

      • by robmv ( 855035 )

        It is simple: add to their legally binding document/contract that the OEM must not ship machines with locked keys, and if that happens by accident the OEM must provide an updated firmware.

      • Part of the vision is that you should buy a Ubuntu system, right? In this case, Canonical is working with the OEMs to produce a certified system.

        The vision is that you can buy a system that does not impose restrictions on what software you can run. The point of the GPLv3 is to advance that goal. Having Ubuntu but being unable to run a custom bootloader is not part of the vision.

        This is "Better to avoid the problem altogether"

        There is another option: require that any bootloader restrictions be disabled by default. If a user wants the restrictions to be enabled, nothing should stop them; but if the restrictions are enabled by default, an OEM may very well ship a system that does stop users

    • Re:I Call Bullshit. (Score:5, Informative)

      by LourensV ( 856614 ) on Friday July 06, 2012 @02:25PM (#40567089)

      I think the reason for the SFLC's advice regarding having to reveal the key is that Canonical distributes updates directly. Here's the scenario:

      1. The OEM sells a PC with Ubuntu preloaded and the BIOS locked.
      2. The user buys the PC and then updates GRUB2 to a newer version supplied from the Ubuntu repositories. It'll install fine, because it's been signed by Canonical, and the Canonical key is in the BIOS.
      3. User wants to modify GRUB2. They get the sources from Canonical, modify, recompile, and try to install. The computer won't boot, because their modified version is missing a signature.

      This means that Canonical is violating the Tivoisation clause in the GPLv3. Canonical is redistributing GRUB2 to the user, and the licence won't let them do that unless they also provide the user with everything they need to be able to change GRUB2 and load it onto their computer just as they're doing with the original they were given. Since Canonical can't unlock the BIOS (only the OEM can), the only way they can fulfil those requirements is by giving out their key.

  • by Todd Knarr ( 15451 ) on Friday July 06, 2012 @12:02PM (#40564965) Homepage

    I'm sure the SFLC did tell him that a mistake by an OEM could force disclosure of the signing key. But notice he doesn't say explicitly that they told him it could force disclosure of Canonical's signing key. That's because I'm pretty sure they didn't tell him that. Think about it. The logic here is that an action that breaches the GPLv3 by a downstream distributor (the OEM) could force the upstream to correct the breach. Now, suppose I put that in the context of code: I distribute a GPLv3'd piece of software, you receive it from me, modify it and distribute the modified version. If Shuttleworth's argument is correct, then I am in breach of the GPLv3 because I'm not distributing the source code to your modifications as required by the GPLv3. But that's obvious nonsense, since I'm only required to distribute the source code to the software I'm distributing and I'm not distributing your modifications at all. Only you're doing that, and the only way you can pass your obligations back to me is if you're me in the legal sense (i.e. a wholly-owned subsidiary company or a division of my company) or if I've signed a contract with you to take on those obligations for you.

    So I suspect that while Canonical would be required to distribute any tools needed to create signed bootloaders and the keys needed for the BIOS to boot them, unless they're distributing the actual hardware it'd be on the OEM (who selected the hardware) to take any steps necessary to comply with the GPLv3 as regards the hardware (i.e. either choose a BIOS that allowed keys to be enrolled or Secure Boot to be disabled, or distribute their own signing keys). Of course that could place the OEMs in a bind: if they used Canonical's signed binaries and keys then the OEM would be obliged to provide the signing key, but Canonical is not obliged to provide it to them. Which I think is exactly the situation the FSF desires: OEMs placed in a position where to use a very desirable bit of software in their equipment requires selecting a BIOS that permits user control over the Secure Boot process and keys.

    • When Monty Widenius sold MySQL to Sun nobody worried. What could possibly go wrong?

      Mark Shuttleworth is absolutely correct when he says "we have to plan for a world where leaders change and institutional priorities change."

  • by pla ( 258480 ) on Friday July 06, 2012 @12:07PM (#40565041) Journal
    The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up.

    Yes! Yes, they could - Because it would mean that the OEM had "accidentally" taken away the user's right to do whatever the fuck they want with hardware bought and paid for by that user. And I have no problem with requiring key disclosure in that situation.

    Look, Shuttles, we get the idea that you want every bit as much control over Ubuntu as Microsoft has over Windows, and UEFI has the potential to finally fulfill your little wet dream there. You seem to have overestimated your importance in the Linux world, however - If you won't honor the spirit of "free" software, we'll simply use a distro that does.
    • by nweaver ( 113078 )

      Except that key disclosure would cause a lot of harm.

      Canonical's solution still allows you to run all your own code except the bootloader in this case. Since the bootloader itself is not locked down, you can boot anything from the bootloader.

      But if they had to disclose the key, then this means Microsoft has to revoke Canonical's key, because that key would allow subverting Window's secure boot model, and now it can't be used to install without requiring user EFI reconfiguration on any PC that includes Cano

  • by ackthpt ( 218170 ) on Friday July 06, 2012 @12:11PM (#40565083) Homepage Journal

    I chose it because I could see the sources, update as I see fit, build as I see fit and be able to do a build without clobbering all my installed software.

    So why would I suddenly want to choose a closed source Microsoft solution? This is the company whose practices since 1995 are the major reason why we have malware, viruses and worms.

    Such great vision from the start, nobody would even think to remotely try to control your computer, right?

    As a mainframe admin I was charged with keeping sneaky bastages out all the time, why didn't Microsoft believe this sort of thing could happen on a PC? To this day they still have gaping holes in security and their transparency is a thing of fantasy.

  • by CanEHdian ( 1098955 ) on Friday July 06, 2012 @12:13PM (#40565111)

    As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change

    As nice as it is that someone at Microsoft says they will sell $99 keys, we have to plan for a world where leaders change and institutional priorities change

  • by ThePhilips ( 752041 ) on Friday July 06, 2012 @12:29PM (#40565319) Homepage Journal

    Anybody heard any reaction from the antitrust authorities?

    US would probably remain mum, but I do not think EU would accept the OEM lockdown by convicted monopolist that readily.

    Yes, there are security concerns, but they are negligible compared to the power grab by the convicted monopolist.

  • I would be interested in the naive idea that users should be able to turn secure boot on and off. So if it's off, no Windows but other OSes could boot. On, and Windows would boot, but other OSes may or may not.

    Then, if I choose to NOT use Windows, I'm in a much simpler reality.

    Of course, I'm certain this cannot work. Darn.

  • by Qubit ( 100461 ) on Friday July 06, 2012 @02:41PM (#40567351) Homepage Journal

    Sure, it would need to be finalized in a legal document, but the first draft can look something like this:

    Canonical: Howdy, Partner. When we work together to bring a computer to market running Ubuntu and GPLv3'd GRUB, can you make sure that the end-user is able to install their own signing keys so they can install modified versions of GRUB, per the licensing terms?

    Partner: Okay, how would we do that? I mean, how can we make sure that we meet the terms of the license?

    C: It's not that difficult. Basically y'all just need to make sure that the end-user can change the set of signing keys listed in the firmware. The Free Software Foundation wrote a whitepaper [fsf.org] about it. You can also contact them via email if you have any questions!

    P: Wow. That's really difficult to understand, too bad we don't have any engineers on staff who can figure....awww... I'm just kidding with you, of course we have skilled engineers and lawyers on staff. We even have people who know how to write emails. We should be all set!

    C: Awesome, Partner. Before you actually ship hardware with an Ubuntu-Certified sticker on it, why don't you send one of the pieces of hardware to us so that we can manually test to make sure that end users can install their own signing keys. We'll use my son Jimmy, 'cause we want to make sure it's so easy a kid can do it.

    P: Okay, sounds great on my end. Glad that we had this conversation. I was worried it would take all day, but it really just took 15 minutes of my time.

    C: Yep. Now remember: If you do ship some hardware with GRUB installed and you make a mistake so that users can't install their own signing keys, you're going to have to make a firmware update or otherwise make this problem right. Understand?

    P: Isn't that what we have to do when we break the license of any of the pieces of software that we ship on our devices?

    C: Yes. But I just wanted to make sure that we stated it explicitly so that you wouldn't try to push the mistake off on us.

    P: Fair enough.

    C: Great to talk. We'll put all of this down in the formal contract when our lawyers draw it up. Have your engineers call our engineers about any kernel bugs. We should be able to get this hardware out by Q1 of 2013. So long!

    P: Bye!

    ---------------

    I mean, seriously, what's The Big Deal here? Just make some contracts with your hardware partners and hold them to the terms of the contracts like every other business deal that has ever happened. Why does Canonical think this is so difficult?
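The "manually test that end users can install their own signing keys" step in the dialogue above, and the "custom mode enabled by default" remedy proposed earlier in the thread, both come down to what the firmware reports about its Secure Boot state. The script below is an added example, not code from the thread or from Canonical: on Linux it reads the UEFI SecureBoot and SetupMode variables from efivarfs (assumed mounted at /sys/firmware/efi/efivars; the EFIVARS variable overrides that path) and prints a checklist verdict. Setup mode means no Platform Key is enrolled, so the owner can enrol their own; user mode with Secure Boot enforced is the case the thread calls an OEM screw-up unless the vendor's setup UI lets the owner clear or enrol keys, which this script cannot see.

```shell
#!/bin/sh
# Added example (not from the thread): classify a machine's Secure Boot
# key-enrolment state from the firmware variables Linux exposes in efivarfs.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files are 4 bytes of attribute flags followed by the variable data;
# SecureBoot and SetupMode are each a single byte. Prints that byte in decimal,
# or "absent" when the variable is not exposed (legacy BIOS, no efivarfs).
efivar_byte() {
    f="${EFIVARS:-/sys/firmware/efi/efivars}/$1-$EFI_GLOBAL_GUID"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        printf 'absent'
    fi
}

# "setup": no Platform Key enrolled, the owner can install their own keys.
# "user":  a PK is enrolled; only its holder (or the vendor's setup UI, if
#          one is provided) can change the key database.
key_mode() {
    case "$(efivar_byte SetupMode)" in
        1) printf 'setup' ;;
        0) printf 'user' ;;
        *) printf 'unknown' ;;
    esac
}

# Whether the firmware is currently enforcing signature checks on boot images.
secure_boot() {
    case "$(efivar_byte SecureBoot)" in
        1) printf 'enabled' ;;
        0) printf 'disabled' ;;
        *) printf 'unsupported' ;;
    esac
}

# One-line verdict for a certification checklist. Enforced Secure Boot with a
# PK already enrolled needs a follow-up check of the setup UI; the firmware
# variables alone cannot tell you whether the owner can get back to setup mode.
verdict() {
    sb=$(secure_boot); km=$(key_mode)
    if [ "$sb" = enabled ] && [ "$km" = user ]; then
        printf 'LOCKED: Secure Boot enforced, PK enrolled; confirm setup UI lets owner clear/enrol keys\n'
    elif [ "$sb" = enabled ]; then
        printf 'OK: Secure Boot enforced, owner can enrol keys (setup mode)\n'
    elif [ "$sb" = disabled ]; then
        printf 'OK: Secure Boot off, any bootloader runs\n'
    else
        printf 'N/A: no Secure Boot variables exposed\n'
    fi
}

verdict
```

Run it as root on the machine under test; a non-root user may get "absent" for variables that exist but are not readable.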
