

The implications of UEFI "Secure Boot" for Linux users - rlpb
http://blog.canonical.com/2011/10/28/white-paper-secure-boot-impact-on-linux/

======
gwillen
I found something that concerns me a lot at the "announced" link at the start
of the article.

[http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the...](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx)

If you look at the diagram, it appears that Remote Attestation is being
brought back. For those of you who weren't around, or weren't paying
attention, during the first Trusted Computing War, that means something like
the following:

\- You try to log on to your bank's website

\- Your bank queries your TPM

\- Your TPM sends back a signed hash attesting that you're running an unmodified version of Windows 8

\- The bank lets you on

Versus:

\- You try to log on to your bank's website

\- Your bank queries your TPM

\- Your TPM sends back a signed hash attesting that you're running an unmodified version of RedHat Linux

\- The bank denies your login for violating the security policy

\- There is NOTHING you can do about it, short of taking an electron microscope to your TPM to extract the keys.

Of course, none of this is possible as long as there are a nontrivial number
of people whose machines aren't capable of Remote Attestation. But it's likely
that every machine you've bought in the last 5 years has a TPM with this
capability, which means that as soon as Windows 8 and UEFI Secure Boot have
critical mass, Remote Attestation will have critical mass too. And then it
will start showing up in security requirements for banks and other secure
applications. And then the Linux users will start to feel the heat...
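
As an added illustration of the exchange described in the comment above (not part of the thread and not any vendor's code): a minimal model of measured boot plus a quote check. It assumes SHA-256 PCRs, uses HMAC as a stand-in for the TPM's asymmetric attestation key, and all stage images, keys and names are constructed.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold every boot stage, in order, into one PCR value."""
    pcr = bytes(32)  # a PCR resets to all zeros at power-on
    for stage in components:
        pcr = extend(pcr, stage)
    return pcr

def tpm_quote(ak: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Sign (PCR, nonce). HMAC stands in for the TPM's asymmetric signature;
    a real verifier would hold only the public half of the key."""
    return hmac.new(ak, pcr + nonce, hashlib.sha256).digest()

def verify_quote(ak, pcr, nonce, sig, allowed_pcrs) -> str:
    """Relying party: check the signature first, then apply its own policy."""
    if not hmac.compare_digest(tpm_quote(ak, pcr, nonce), sig):
        return "bad-signature"
    return "allow" if pcr in allowed_pcrs else "policy-deny"

# Constructed sample data: the key and stage images are made-up byte strings.
AK = b"constructed-attestation-key"
FIRMWARE = b"constructed firmware image"
BOOT_A = [FIRMWARE, b"bootloader A", b"kernel A"]  # the OS the policy approves
BOOT_B = [FIRMWARE, b"bootloader B", b"kernel B"]  # any other OS
ALLOWED = {measure_boot(BOOT_A)}

def attest(components, nonce: bytes, claimed_pcr=None) -> str:
    """One round trip: the TPM quotes the real PCR; the client may
    report a different PCR value alongside that quote."""
    real = measure_boot(components)
    sig = tpm_quote(AK, real, nonce)
    return verify_quote(AK, claimed_pcr or real, nonce, sig, ALLOWED)

if __name__ == "__main__":
    n = b"constructed-nonce-1"
    print(attest(BOOT_A, n))  # approved chain
    print(attest(BOOT_B, n))  # honest report of a different chain
    print(attest(BOOT_B, n, claimed_pcr=measure_boot(BOOT_A)))  # misreported PCR
```

The denial in the second case comes from the relying party's allow-list, not from the TPM, which only reports what was measured.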

~~~
mjg59
The TPM-based measured boot isn't part of the UEFI secure boot specification.
It's a separate TCG spec. Secure boot doesn't use the TPM and doesn't support
remote (or even local) attestation.

~~~
gwillen
Interesting. It still worries me to see it in the "Windows 8 Platform
Integrity Architecture". Are you not worried about it, or just pointing out
that it's not relevant to the topic at hand?

~~~
mjg59
Lots of (especially cheaper) machines ship without a TPM, so it's difficult
for anything to explicitly require it yet. It's something to be concerned
about in future, but not an immediate issue.

------
snorkel
It's reassuring that Canonical is involved with the UEFI Forum and making
sensible recommendations, it's doubtful that BIOS manufacturers would bother
making a chip that won't support Linux.

It's also amusing that Microsoft is so concerned with malware operating
underneath the OS when most nuisance malware on Windows simply uses the
features that are readily available within Windows itself.

~~~
jolan
It's also to combat piracy. For example, Windows Loader uses a pre-boot
technique to fool WGA:

[http://forums.mydigitallife.info/threads/24901-Windows-Loade...](http://forums.mydigitallife.info/threads/24901-Windows-Loader-Current-release-information)

~~~
cdh
If users can easily disable Secure Boot, it won't prevent much piracy at all.

~~~
tango76
Users can disable SB, but then they wouldn't be able to boot Windows 8.

~~~
kevingadd
Isn't it a completely optional feature? Otherwise, Windows 8 would not work on
any pre-Secure Boot PCs.

~~~
tango76
The article states that "According to Microsoft’s presentation at
//BUILD/2011, Secure Boot will be “Required for Windows 8 client”"

~~~
mjg59
For machines that adhere to the Windows 8 logo program. Windows 8 itself will
still boot on BIOS, let alone UEFI systems without secure boot.

------
crististm
The real question is who "approves" what software runs on _your_ hardware? No
software producer should have a say on that. It should be the decision of the
hardware owner.

~~~
parfe
If you read the recent thread about RMS you will see a large market exists of
consumers who don't want the power to make decisions. They don't even want
that option to be available. Quotes like:

\- _Why would I care? I don't know anything about what's under the hood and I
don't want to._

\- _Apple puts DRM on for the user's safety._

\- _The days when every software users was if not programmer then at least IT
guy in some sense are long gone. That model no longer fits the world._

<http://news.ycombinator.com/item?id=3163920>

~~~
marshray
If there had been that large market back in the early 80's I suspect we would
have never seen that massively successful open IBM PC-compatible platform and
ecosystem.

------
zokier
While I agree that systems should have a mechanism for users to enter
"Setup Mode", I don't understand why the recommendations ask systems to ship
in that mode. It would only affect the first boot of the system, and I
seriously doubt that for anyone that plans installing Linux on first boot
visiting UEFI configuration would be a significant barrier.

~~~
DanBC
Look at the number of people who need help to burn an image to CD or USB
stick.

Or who need help to tell their BIOS to boot from USB before HD.

~~~
zokier
But are these the people that will install Linux on a brand new machine
directly out of a box, that has never been booted to Windows?

------
spinchange
It would be interesting to know how much influence Microsoft seeks to impose
on these new BIOS implementations with their hardware partners and/or how
willing the OEMs will be to bargain it away for more favorable licensing terms
and hence, profits.

We can already see how willing handset makers are to pay them for Android
related cross-licensing. That's extending into the realm of ChromeOS now too.

I hope the days of installing an alternate OS on garden variety hardware are
not numbered, because I suspect the economic leverage Microsoft has vs. the
economic incentive for OEMs to ship open hardware isn't enough. Hopefully, I'm
totally wrong.

------
ajennings
Started a petition on AskForIt.com:

[http://www.askforit.com/3993/all-computer-manufacturers-that...](http://www.askforit.com/3993/all-computer-manufacturers-that-implement-UEFI-secure-boot-to-allow-end-users-to-adjust-the-list-of-approved-software.html)

------
runjake
In related news, I'd kill for an open design workstation with a powerful GPU
(~iPad 2) + iPad 2-class but 64-bit ARM chip that I could run Linux and Chrome
on.

Or even an open spec x64 motherboard with EFI that I can slam an x64 chip
into.

There have been a lot of attempts in the past, but has anyone gotten anywhere?

~~~
crististm
It's pretty hard to make that kind of hw yourself but it's not impossible.
Based on some news here, it looks like there is a 10-20 year lag between the state
of the art and what you can build on your own. And there are a lot of Asian
companies that don't give a shit about what Microsoft wants.

~~~
tesseract
Building something vaguely iPad-class is not all that hard, as long as you are
OK with it being open source at the board level rather than all the way down
to the silicon level. Check out, for example, the TI BeagleBoard. That's more
like a 1-2 year lag, not 10-20.

