Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DRM Microsoft Ubuntu Windows Linux

Richard Stallman Speaks About UEFI 549

An anonymous reader writes "Despite weaknesses in the Linux-hostile 'secure boot' mechanism, both Fedora and Ubuntu decided to facilitate it, by essentially adopting two different approaches. Richard Stallman has finally spoken out on this subject. He notes that 'if the user doesn't control the keys, then it's a kind of shackle, and that would be true no matter what system it is.' He says, 'Microsoft demands that ARM computers sold for Windows 8 be set up so that the user cannot change the keys; in other words, turn it into restricted boot.' Stallman adds that 'this is not a security feature. This is abuse of the users. I think it ought to be illegal.'"
This discussion has been archived. No new comments can be posted.

Richard Stallman Speaks About UEFI

Comments Filter:
  • by Teresita ( 982888 ) <badinage1&netzero dot net> on Tuesday July 17, 2012 @10:03PM (#40681005) Homepage
    All those Win8 machines people are going to kick to the curb, and places like RE-PC won't even be able to make sell them as "boot only" boxes ready for another OS because the boot is locked down at the hardware level.
    • by shutdown -p now ( 807394 ) on Tuesday July 17, 2012 @10:13PM (#40681073) Journal

      It only applies to ARM devices, not all PCs.

      • You say that like they cannot possibly be the same thing.

        PC these days doesn't mean x86-based.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          You say that like they cannot possibly be the same thing.

          No he didn't, he said ARM devices are "not all PCs." Read better.

          • by cmat ( 152027 ) on Tuesday July 17, 2012 @10:42PM (#40681293)

            I think the implication is that should Microsoft choose to not support x86 devices, then ARM devices may be "all PCs" that can run Windows 8.

            • by hazydave ( 96747 ) on Wednesday July 18, 2012 @01:01PM (#40687765)

              Of course Microsoft will support x86 PCs.

              The difference is that simple "here's what the lawyers are telling us" thing. Microsoft was judged a monopoly, but very specifically on x86-based PCs. That's just the way the court defined it. Now, as with their IE vs. Netscape things, it's not necessarily kosher for a proven monopoly to use their monopoly powers to grab some new territory. But as Microsoft has always proven, it's better to do that damage now and get slapped on the wrist later, with the damage probably undoable, than to just not do it.

              So they'd like to lock-down all PCs. We have known that for years -- they've been talking about doing just that for years. But the lawyers are certainly telling MS brass that you can't just go and make it virtually impossible to put something other than Windows on every new PC. So they're leaving that option in the hands of the manufacturers, and the simple fact that virtually all PCs will be shipped with the locks enabled, if there's a key hidden in there were only we computer savvy folk know where to find it.

              But ARM isn't x86, and Microsoft has no monopoly there. So they're going for it -- grabbing for all they can. Same reason the ARM systems won't allow anyone who isn't Microsoft to use the Win32 APIs. They're all there on the ARM machines, just as on the x86 machines. But Microsoft is legally bound to make all OS calls they use available to all developers. But clearly, the lawyers have decided that, too, only applies to x86 machines.

              This is very likely to be a train wreck of a launch. Buyers have enough trouble understanding the tech, now they're going to have to figure out why one tablet sold with Windows will run all their existing Windows programs (though it'll need a mouse and keyboard, but ok, I like those on my Android tablet when running shells, etc), and the one sold next to it will only run brand new stuff you have to buy directly from Microsoft. Should be fun to watch.

      • by SuricouRaven ( 1897204 ) on Wednesday July 18, 2012 @01:53AM (#40682391)
        For now. Secure boot is Microsoft building a big 'destroy linux' button and promiseing they won't push it.
    • by exomondo ( 1725132 ) on Tuesday July 17, 2012 @10:15PM (#40681097)
      Why not? There's no hardware lock preventing them, turn SecureBoot off and you're good to go. Or if you want to leave SecureBoot on use an OS from a vendor that provides keys. Or if you want to use an OS that doesn't provide keys yet still want SecureBoot on then get a key from a CA like Verisign.
      I don't see what the problem is here.
      • by Anonymous Coward on Tuesday July 17, 2012 @10:24PM (#40681163)

        Yeah, this will be great you naive fool right up until the time x86 boards stop shipping with secure boot disableable and when Verisign stops selling keys for less than 99,000 dollars for "security" reasons. The funny thing is the hackers will just find a way to infect your machine around this scheme and the consumers will be left holding the bag. Again. I hope the EU steps in and brings MS to their knees.

      • by Anonymous Coward on Wednesday July 18, 2012 @01:36AM (#40682303)

        Problem is - you cannot generate your own key. You HAVE to get the key somewhere else, and getting that key will cost money (yes for non-commercial use it is free .... for now). Some operating systems are self build, and they have to get a new key every time they change something at kernel level. That will be a great hindrance.

        Now - you can say "big deal - just switch off secure boot". The problem with that is a lot of people just want to dual boot with Windows. Problem with that is - if your distro has no key, yo are forced to do a cumbersome "reboot - go to BIOS - switch off secure boot - save settings - reboot again - start the distro" and when you go back to windows you have to do "reboot - go into BIOS - switch on secure boot - save settings - reboot again - boot Windows". This gives a physical and psychological barrier, that will be a big hindrance for acceptance of any other OS than Windows. In fact all not-signed disto's will be "flagged" as difficult to use, just because the hoops you have to jump trough to get everything working. This creates a unfair advantage for windows (because secure boot is on by default if you want to have a Microsoft certification).

        And there are problems with getting this key. The user cannot generate the key themselves. If that would be the case all problems where over. No the user politely have to ask for a key, and so are depending on a third party if they are allowed to use the hardware they just bought for dual-booting. As I said - for now it is free, but there are no guarantees it will stay that way. And if you are making a OS for commercial purposes, you have to pay $99 - again ... for now. This could easily be raised to $999, or $9999 or $9999999 or whatever they want.

        And last - if Microsoft has secure boot in place it is a given fact (make no mistake - you wont get a MS approved certification if the hardware you make has no secure boot, so most hardware makers wont take any risk and comply to the demands of Microsoft). And when secure boot is in place Microsoft can increase the demands surrounding this secure boot (if this will be in the field of key generation or increased "safety" demands is to be seen, but you can be sure it will generate a increased barrier for other operating systems).

      • That they will not allow you to turn it off.
        Which, as I've understood it, is exactly what they require of all arm-based computers designed to run win8.

      • by sjames ( 1099 )

        Wrong. In order to meet MS's requirements for Windows on ARM, the firmware must not allow SecureBoot to be turned off or a new key set.

      • by Cito ( 1725214 )

        Since I work for Microsoft, but nowhere in the top levels of course. The plan is that on X86 pc's secureboot is optional in the bios for windows 8. But on tablets and smartphones it is not optional which is the test.

        the plan is that secure boot is like a "beta test" for desktops since it will be optional in the bios. But the plan is on the next version of windows "windows 9" you could say that secure boot WILL NOT BE OPTIONAL on desktops.

        That has been the plan all along on internal meetings, memos and even

  • Crippled Hardware (Score:5, Insightful)

    by Archangel Michael ( 180766 ) on Tuesday July 17, 2012 @10:03PM (#40681007) Journal

    The Hardware is crippled for the sake of Microsoft. Period.

    Secure boot is Microsoft's attempt to maintain computer OS market share as their influences is being stripped away by the likes of Google (Android) and Apple (iOS). With HTML5 on the way, we will have WEB based applications that rival desktop versions, and run on ANY device. The OS is just a layer to get to where the real work gets done, information exchange.

    AND the worst part is, secure boot doesn't actually fix the problem it pretends it solves. It can't. This is the whole DRM of DVD's and BluRay all over again. Look at how well that is working out.

    DRM is broken by design.

    • Re:Crippled Hardware (Score:5, Informative)

      by Altanar ( 56809 ) on Tuesday July 17, 2012 @10:12PM (#40681071)
      Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option. How hard is it to disable? Take a look at this image: http://imgur.com/QW1Pp [imgur.com]
      • by 0123456 ( 636235 ) on Tuesday July 17, 2012 @10:15PM (#40681095)

        Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option.

        Yeah, and?

        Windows 9 will probably make 'Windows Lockin' mandatory on x86 as it does on ARM, and it dramatically increases the difficulty of installing an alternate OS. No more booting Linux from CD and installing without even touching the BIOS.

      • Re:Crippled Hardware (Score:5, Interesting)

        by X0563511 ( 793323 ) on Tuesday July 17, 2012 @10:21PM (#40681133) Homepage Journal

        So when you get your MB (made in China), with a BIOS apparently coded in a rural part of China (have you seen BIOS lately?), and find it doesn't let you disable it...

        What, exactly, is your recourse?

        Coreboot [coreboot.org] is the only answer, and that's not going to happen while Microsoft (and probably Apple as well) isn't bankrupt.

        • Get hardware with a "certified for Win8" logo. MS requires that any such provide a way to disable secure boot.

          Or do research on hardware you buy before you buy - a good idea in general.

        • by jonwil ( 467024 )

          AMD has actually committed to supporting Coreboot on their CPUs and chipsets.

      • How do you propose documenting that for new users that want to try out Linux but aren't comfortable messing around in their BIOS? Getting them to figure out what motherboard/BIOS version they have so you can send them just the right screenshot?
      • Re:Crippled Hardware (Score:4, Informative)

        by phantomfive ( 622387 ) on Tuesday July 17, 2012 @11:17PM (#40681517) Journal
        Does anyone actually support this move by Microsoft?

        The way I see it, if this were about the user, they would allow the user to change the key to whatever the user wants. Then you can sign your own OS.

        We've known for a long time [wikipedia.org] that Microsoft wants to lock other OSes out of the hardware.
      • Re:Crippled Hardware (Score:5, Informative)

        by Mousit ( 646085 ) on Wednesday July 18, 2012 @12:20AM (#40681921)

        Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option..

        No, no the specification does NOT mandate that it have a disable option. The specification simply does not prohibit providing such an option (for the moment at least). The motherboard manufacturer and/or BIOS makers are completely free to not provide a disable option if they so desire.

        Whether the (lack of) option becomes common or not is another thing entirely, of course.

    • by Kjella ( 173770 ) on Tuesday July 17, 2012 @10:48PM (#40681329) Homepage

      AND the worst part is, secure boot doesn't actually fix the problem it pretends it solves. It can't. This is the whole DRM of DVD's and BluRay all over again. Look at how well that is working out. DRM is broken by design.

      That depends on what problem it is you think it pretends to solve. A computer made to only run signed code doesn't have the same fundamental weakness as DRM has where the private key has to be somewhere to decrypt it, nobody but Microsoft is going to have Microsoft's private signing key and unless they give you that option disabling the signature check is going to be extremely hard. Getting any other code to run - except user space code in Win8's application sandbox - will be as hard as cracking the Xbox360 or the PS3. I suspect that with a "boiling the frog" strategy the current document said people MUST be able to disable it on x86, the next one will say MAY and with a nudge and a wink to the OEMs it's going to end up at MAY NOT.

      • with a nudge and a wink to the OEMs it's going to end up at MAY NOT.

        There will always be OEMs willing to ignore the "rules". For example, during the heyday of the DVD and Blueray players it was very easy to purchase one that ignored region codes, "user prohibited operations" and other such DRM nonsense and these "hacked" players remain available to this day. If demand exists the market will supply it no matter what the laws or rules say. Don't allow yourself to be ruled by silly laws; those who know don't care and those who care don't know.

  • by theswimmingbird ( 1746180 ) on Tuesday July 17, 2012 @10:05PM (#40681017)

    But I couldn't boot into my OS.

  • The Right To Read (Score:5, Informative)

    by andrew3 ( 2250992 ) on Tuesday July 17, 2012 @10:06PM (#40681021)

    Richard's story, The Right To Read [gnu.org], has already sort of predicted this move.

    But not only were [free operating systems] illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

    Despite what people say about Restricted Boot, it opens up the world of computers to a whole new set of attacks... by megacorporations like Microsoft.

  • by goruka ( 1721094 ) on Tuesday July 17, 2012 @10:19PM (#40681127)
    Manufacturers should be free to do whathever they want with the devices they create. If they want to lock them, fine. If they want to lock them because a carrier asks? fine, lock it for that carrier or ignore the carrier. It's still their choice
    I also can understand hardware requirements for a licensed OS, such a certain button layout, screen resolution, etc. Those make sense and ensure it runs as intended. The same way, Microsoft can make their own devices and lock them and it's their choice.
    But manufacturers being forced by to lock the devices by the mobile OS supplier? That's abuse!. It's Microsoft abusing their desktop PC monopoly power, patents, etc. against the OEMs. What is MS afraid of, people installing Android or Ubuntu on their newly acquired devices?
    • by fredprado ( 2569351 ) on Tuesday July 17, 2012 @10:34PM (#40681243)
      But as soon as you let manufacturers do as they wish with the devices they sell that is the natural progression. That is why in many countries in the world the buyer have rights that conflict with this idea. Here in Brazil, for example it is illegal to lock cellphone devices to specific carriers, for example, and personally I think that is right. Once you buy something you should be entitled to do whatever you wish with it.
    • by sjames ( 1099 )

      That's exactly what they're afraid of. They don't want Windows to become known as part of the crapware you blow away to install a real OS on the device.

      That's exactly how I think of it most of the time on servers and desktop machines.

    • by Sloppy ( 14984 )

      Manufacturers should be free to do whathever they want with the devices they create.

      I really do wholehearted agree, without reservation at all.

      But also (you knew there would be a "but" didn't you?) I think we can demand anything we want (take it or leave it), such as serving the public good, if any of those manufacturers want the special favor of limited liability protection, an unnatural right.

      I also think we can demand anything we want (take it or leave it) from those who want government-granted monopolie

  • Quoting myself [slashdot.org], from *yesterday*:

    Yeah, and RMS was talking non-sense yesterday. What is the world coming to ...

    Yesterday? I'm a big fan of RMS - since before the beard - but the day he doesn't talk non-sense will be news.

    You're welcome.

  • by Anonymous Coward on Tuesday July 17, 2012 @10:28PM (#40681193)

    Let me explain ... me I just bought an wireless access point ... and I have no intention at all of using it
    as an access point. I want a device with a set of excellent antenna's, great rx sensitivity and it has to
    have monitor mode so I can capture raw 802.11 frames and I have to be able to make it send arbitrary
    802.11 frames as well.

    Yeah I found a great little device for doing just that ;-)

    Thankfully this device is not locked down with a secure boot loader !!! I did have to open it up and access
    the serial port on the board to load dd-wrt (an alternative linux distribution for wifi routers) but it was *easy*
    and the chipset it has is a.) linux supported and b.) the chipset and the linux driver support monitoring
    and injection.


    If the router had had a secure boot scheme I would have had to first work hard on getting around that. JTAG.
    Glitching, and in a few years from now even these techniques might not work anymore. In FACT ... the ARM
    chips do have a jtag interface but now there's SECURE MONITOR MODE for jtag meaning you have to first
    do a cryptographic challenge/response sequence before you get access to the chip via JTAG.


    Anyhow here's the game plan that's been decided in the back room .... There will be secure boot on commodity hardware.
    Vendors who are in the club will get their code signed easily. For a while small fries will also get their code signed for a
    fee. The consumer will have the impression that there is still choice, Linux is not going to go away tomorrow, a signed and
    authorized kernel will be available.

    However, you will find that you're going to be locked out more and more out of your system. At some point you will not be sure
    anymore what is running in the background and what backdoors are introduced into the system. You will have to trust a kernel
    image that is given to you encrypted and that may contain all sorts of things.

    It's the future they want. The ability to access/erase/modify your data, activate your microphones and video cameras, prevent you
    from doing anything they don't want you to. Sure there will be exploits for a while and ways to regain access however limited or temporary
    but as the game plan advances.. give it another 10-15 years at the rate tech is advancing and it will be VERY HARD TO IMPOSSIBLE for
    YOU small fries to do anything about it. Maybe someone with millions of $$$ can hack their devices but you with a small salary will
    not ... and they will detect that you tried and put you away.

    Well that's their game plan .... Now YOU!!!! need to do something about it!!!

    Enough all caps. But yeah to drive the point home.

    It starts with easy things and yes.. the way freedom is going away it may well end someday with a whole lot of violence, blood and tears ...

    Enough. Think this one through. Do you want to spend the rest of your life with locked down ipads never sure if
    they're watching you with it, too scared to type anything 'radical' into it, too locked down to do what you want
    while the box has the 100x the power tech has to do but is using that to make your life hard and miserable???

    Help me out here, I don't want this kind of future.

    • by thatkid_2002 ( 1529917 ) on Wednesday July 18, 2012 @02:03AM (#40682447)

      I agree with pretty much everything you said... But getting rid of ARM? What sort of stupid bullshit is that? The problem has *NOTHING* to do with the architecture and everything to do with Microsoft. Putting it into perspective - there is not a single ARM device that you can buy today that has UEFI... And somehow the problem is ARMs' fault?

      I guess perhaps the mindset of the embedded industry who don't think that proprietary blob drivers are a bad thing (hey, nobody but us will ever update the software!) is partly to blame. Yes, most of these companies use ARM, but it still has nothing to do with ARM.

  • Good for Stallman (Score:5, Insightful)

    by quixote9 ( 999874 ) on Tuesday July 17, 2012 @10:49PM (#40681345) Homepage
    He may be dogmatic, but he's also right WAY more than he's wrong. All of open source owes him a lot.
  • by flyingfsck ( 986395 ) on Wednesday July 18, 2012 @03:25AM (#40682899)
    Someone will just make a warm boot utility that will run after the secure boot. So all that will happen is that the machine will take longer to boot.
  • by unixisc ( 2429386 ) on Wednesday July 18, 2012 @03:35AM (#40682967)
    Given the density of NOR flash these days - and no, I'm not talking about SSDs - can't any vendor just throw the Linux kernel into the BIOS, and then have everything else - from x11 and up - on the HDD/SSD? That way, the booting experience will be smooth w/o needing to have GRUB or GRUB2, and beyond that, everything will be on the hard drive. Note that this assumes that only 1 OS is on the computer (which is the way I generally prefer it - I don't have any computer share OSs.
  • by Requiem18th ( 742389 ) on Wednesday July 18, 2012 @01:13PM (#40687863)

    Let me clarify what some people are saying about how Microsoft can't demand locked BIOS because of anti-trust laws.

    They are wrong. MS can demand secure boot. As long as there is a way for other comercial companies to get into this scheme, they can't be accoused of monopolizing the market.

    And why would they? Secure boot won't prevent Google from releasing another TV OS. Won't prevent Apple from selling more iPads, won't even prevent System 76 from selling Ubuntu. But your S76 laptop won't have the DRM hardware module to run Netflix and your PVR that does have it won't install another OS.

    Freedom will be isolated to specific machines to be easily ignored while all useful applications will be restricted to a "safe zone". That is, safe from user's freedom.

The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.