Guest post by “The UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat’s Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things.”
Personally I’m expecting the entire Secure Boot system to be referred to the EU competition commission in about 3 seconds flat once hardware begins to appear, and I don’t expect them to be wildly excited by it either.
Specifically because EU (Commission and other institutions) dislikes everything MS does by default. Microsoft having a hold on secure boot will not go down well.
if the industry would have gotten rid of the BIOS altogether. Such an unnecessary layer of software.
Here’s a Samsung Chromebook with CoreBoot instead of the regular BIOS or UEFI:
http://www.youtube.com/watch?v=RypqMqtTPs8
BIOS is 1 million time better than those “bios less” arm/blackfin devices. It is better to have a standardized boot layer than per device custom and incompatible ones. And no, uBoot is not standardized.
Oh, dear…
When BIOS-based motherboards are no longer available, I plan to specifically source hardware which works well with CoreBoot, but what really worries me is when machines with buggy key resetting (and WinRT+ARM machines) start showing up in thrift and refurb shops.
The free community doesn’t always need to get what they want for free. MS and other companies do pay real people to have real jobs and have real lives. For years everyone has claimed that MS get more secure. When they do it they get hammered. If opensourced people want to they can re-write an openbios and one could load it.
The solution is to fix it not to cry about it. An openbios that can be locked is a solution.
The real solution is what DEC used to have. A write protect switch on the drive. We never had any issue with them as long as no one pressed that button.
This isn’t about getting things for free, or about making Windows more secure, it’s about Microsoft making yet another anti-competitive move. Look at their entire history and if you honestly think that this is all about computer bootloader security, I’ve got a bridge to sell you. Bootsector viruses are almost a non-issue today. Maybe back in the sneaker-net days of the late eighties and early nineties where floppy-disk boot sector viruses were a huge problem, something like this would’ve been very helpful. However, today, if you encounter a virus that can attach itself to your boot process, it can also attach itself to other software much higher up the stack with just as much utility to an attacker.
What makes more sense to you, that they are locking the bootloaders to protect against an almost non-existent security threat, or that they are finally so terrified of competition with Linux and Android that they are trying to lock them out?
I think the real target is Android or any OS that can replace Windows on tablets. Making it a hassle to install Linux on your desktop is just a bonus.
Actually boot sector viruses are making a come back.
UEFI isn’t that bad. I kid, I kid.
😐
I registered an account just to reply to your comment. The “Free” in “Free Software” stands for “Freedom”, not price. It’s not about getting what we want or don’t want without paying any money. It’s about not enjoying freedoms over the computing device we own.
You should take a look at https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot to see why there’s this campaign from the free software community against secure boot.
Nobody cares outside of RMS and his fanatics.
Why can’t anyone fix an issue? Instead it is easier to cry foul.
”
The solution is to fix it not to cry about it. An openbios that can be locked is a solution.
”
So get off your silly notions about what free is and either pay to get a fix or have someone or yourself fix the issue.
The issue is around us every day. Only task a 9 year old to know about rootkits, virus’s and malware. Every major OS company knows how dangerous the whole issue it. They can’t simply not rely on software to fix the problem. We as in both MS and other OS users need to have more secure systems.
There is NO FREEDOM while under the threat of hackers. That is not free to me at all. My credit, my personal medical history, my entire life now resides on computers that are subject to attack. Sure if you are a 24 YO that doesn’t have any money or job you many not care but I do.
Get secure to quit talking.
jefro,
I think your understanding of secure boot is flawed to be suggesting that linux users (and the alternative OS crowd at large) are crying about fixing the problem themselves. We’re certainly not crying because we’re lazy or incapable of implementing secure boot ourselves. If this is what you think, then your assumptions are invalid. To gain a better understanding of why secure boot is so controversial, for starters you should read Matthew Garrett’s reports.
The problem for us is that even if we implement secure boot in our alternative/independent/non-commercial/etc operating systems, it will not run on off the shelf consumer hardware in secure boot mode because it’s not signed by microsoft’s key. Microsoft is going to be alone in having a “skeleton” key that can run on 100% of secure boot enabled consumer hardware.
You see, it’s NOT a matter of us making our operating systems secure boot compliant, it’s a matter of who controls the keys. Very few independent software developer has the power to get their keys in consumer devices that would otherwise support their code, not even Red Hat does. This is why they are seeking to boot as a subordinate to microsoft’s bootloader & keys, because at least that way Fedora will boot everywhere windows can. However by doing so they’ve implicitly granted microsoft the technical ability and right to control our usage of Fedora Linux on our own machines, which is outrageous.
In principal, we believe the owners should control their own keys to their own hardware.
Secondly, there are plenty of security issues with the design of secure boot itself. As these new secure boot systems enter consumer homes, all windows users will be vulnerable to signed & hacked Fedora images, all Fedora users will be vulnerable to signed & hacked Windows images. Remember to add in everyone else who gets permission to branch off microsoft’s bootloader. Secure boot with MS keys necessarily becomes a global failure mode where the weakest link dictates the security of the whole model. What do you think about that? From a security perspective, this is awful, and there’s no good reason for it.
Of course they might resort to revoking/reissuing 3rd party keys of legitimate partners who’ve been compromised, but that’ll cause it’s own havoc. We’re not protesting a secure boot feature in general so much as the current flawed and restricted implementation of it.
Way to misunderstand everything. I wonder which rock you’ve been living under.
You see, SecureBoot is controlled by a single entity with absolute power over it, there is no standardized way of creating keys when needed and no design committee to oversee its development. Since it is controlled by a single entity Microsoft can simply refuse to accept requests for keys on a whim. This is a clearly anti-competitive move designed to make using non-Windows operating systems much more difficult.
There is nothing wrong per se in trying to protect a system against boot sector viruses, but it should be made in such a way that there is a documented path for creating new keys via some form of a standards body consisting of multiple entities, and there should similarly be a clearly documented standardized way of disabling SecureBoot. Why a standards body then, you ask? Well, so that multiple entities can strutinize the proposals, to point out flaws and possible improvements that a single entity managing it would possibly miss, and to ensure cross-platform compatibility and end-user benefit.
No, it is not. You cannot e.g. expect IT personnel to install Openbios on every single device they may have to fix.
How would that protect against boot-sector viruses? If the write switch is off then it protects against no viruses, and if it is on the whole disk can only be used for reading stuff, ie. it would be inherently useless, ergo everyone would just keep it switched off -> no protection.
OK, I’ll come clean, it was me that pressed that button. Just couldn’t help myself.
Except secure boot doesn’t solve any real security problem. It’s obviously just a move by MS to stifle current and future competition.
WHY WON”T SOMEONE THINK OF THE CHILDREN…errr…JOBS?!?!
Edited 2012-06-18 03:31 UTC
I wonder if I should tag this comment:
-1 irrelevant.
-1 incorrect.
-1 troll.
What the **** does a locked boot loader with no user-controlled off switch (E.g. on ARM) have to do with MS’ paying real money to their employees?
Newsflash! There are number [1] of [2] multi-billion [3] companies [4] that use / contribute to [5] open [6] source [7], and Gee, they, too, have real employees earning real paychecks.
(And trust me, this list is *very* partial)
– Gilboa
[1] http://finance.yahoo.com/q?s=ibm&ql=1
[2] http://finance.yahoo.com/q?s=GOOG
[3] http://finance.yahoo.com/q?s=INTC
[4] http://finance.yahoo.com/q?s=ORCL
[5] http://finance.yahoo.com/q?s=SSNLF
[6] http://finance.yahoo.com/q?s=VMW
[7] http://finance.yahoo.com/q?s=RHT&ql=0
Edited 2012-06-18 10:20 UTC
I can see no benefit to secure boot. As it has been stated, its a nearly non existant security problem. However, to state that they are terrified of android/linux is a bit reaching; Numbers speak volumes, and they have a lot more to worry about from Apple than from Linux on the desktop market. While it is clearly anti-competitive, I dont see where it is really going to help given that their biggest competitor is Apple, who will never release OSX to function on non-apple hardware and therefore, secureboot makes not difference to in terms of competition. The only place that this could come in to effect is in servers, where Microsoft is still battling linux, however server manufacturers have not been blindly and exclusively producing products for Windows Servers ever, and I would venture to guess that if any server hardware lacked the ability to turn secure boot off so a unix OS could be loaded, it’d likely flop.
That said, the only point I can see in SecureBoot is that it would be the first step in solidifying Microsofts position in application distribution to their platform, ala Apple App store.
All this will only matter if Metro manages not to completely tank.
I personally will never use Windows 8 because of Metro, and will not shrink from speaking badly of people who mindlessly use it on a desktop because its new and cool. Never been a really huge fan of Apples mentality, but after Win8, they will have the only viable desktop option available to mainstream consumers.
Linux for us people will always be an option, but the fragmentation and frankly the lack of coordination will always make it a lesser choice for most consumers and manufacturers alike.
How dare people use something because the like it.
UEFI isn’t about the desktop, that is just a bonus.
Microsoft wants the ARM-devices that run Windows 8 to be Windows 8 only. They specifically say you can’t disable UEFI on those devices.
And they know they can probably get away with it, because (currently) Microsoft has no dominant position in that market.
(didn;t read the post above me till after I posted, he makes some good points, except for his dislike of Metro, which I feel will integrate well with my entire set of devices including the xbox and such, plus I think they are looking to the future and realizing that the desktop is not going to be around in 10 years or so)
MS doesn’t make the bios, the company your looking for is pheonix or the like. They currently do not pay anyone to make bios’s. They have a deal set for Pheonix to secure it. Doing this does not provide any extra jobs, but it does attempt to lock their OS in the market. As far as security, I don’t know how much more secure it can make it, as linux and Mac don’t have secure boot, yet they are not criticized for being insecure. The disk can still be easily read from a third party, by simply writing it to another disk and then booting the other disk. Think it is more about maintaining market share. Please give me some info if I am wrong.
As for what fedora is doing, I don’t think they should have done anything. I think the opensource community should have stuck together on this one and fought it as an infringement on my right to do what I want with my computer. Similar things have happened in the android and ios community. The courts ruled that we can do whatever we like with our devices, like rooting, and cannot be prevented from doing so (albeit there do exist so drawbacks such as breaking of warranty, which is understandable)
Edited 2012-06-17 19:38 UTC
If properly combined with TPM (Trusted Platform Module for Trusted Computing) they can make it about as “secure” as XBox 360.
Which took a 16 months before it was cracked.
I think there might not have been enough interrest from the really good hackers at first though, so it might have been a bit longer because of that.
However most don’t bother because they get their XBOX live subscriptions banned.
Let’s be perfectly honest here. This UEFI bullshit is being inflicted on us by the same bunch of assholes within Fedora who decided to inflict the half-baked garbage known as Gnome 3 upon unsuspecting users of Fedora.
Ummm, yeah where to begin.
See Linux is different than the other OSes you’re probably used to. You hate Gnome 3? No problem, you can install MATE (Gnome 2 kept on life support), KDE, XFCE, LXDE, WindowMaker, TWM, or just hit Ctrl-Alt-F2 and start using the Linux console. So Gnome 3, it wasn’t forced on you.
Also, this UEFI bullshit is being orchestrated by Microsoft. Yeah, they aren’t exclusive in designing and developing it, so there certainly are a few other companies to blame there. However, Microsoft are the ones who are twisting the OEMs arms into enabling it by default.
Fedora, and by extension Red Hat are just trying to figure out how to ensure that their software continues to work on these new Windows 8 stickered computers with minimal interuptions for their users. With that being said, I, like many others, am disappointed that they decided to kowtow to Microsoft, instead of putting up a fight against this clearly anticompetitive practice.
In the same vein you can use Litestep, LDE(X), bbLean, Emerge Desktop on “the other OSes you’re probably used to” – or just start using the Powershell. So, Explorer isn’t forced on you.
Except, that’s not really the case in ~corporate scenarios, where some fairly usual set of defaults does tend to be forced on users. Also when the OS is Red Hat (or its derivatives), which likely will force Gnome 3.
To fix computers I have been using boot CDs, DVDs and pen drives for years. They are very practical and get the job done. I wonder what will happen then if the secure boot Microsoft designed start to refuse such tools. Microsoft own solution was never ever on par with hand crafted 3rd parties ones.
I believe that all this will make hard to me to clean the mess that enter the “Microsoft Windows opened” and also will make it more expensive, time and money wise.
My bet is the MS wants to fight the piracy more effectively, that the system would be strengthened against attacks is probably a side effect. Many exploits exist that work around MS registration/validation by interfering exactly on this stage of OS loading to be able to deliver their payload.
For the time being, you will be able to disable secureboot in the UEFI menu somewhere. Fedora’s issue with that solution is that UEFI isn’t standardized, so they can’t tell their customers 3 simple steps to unlock the device.
There’s a NIST paper on securing systems which also includes firmware level attacks. I’d expect that secureboot has something to do with that rather than licensing concerns – they might need to lock that area down to be able to pass the next level Common Criteria certification.
The issue is also more pressing with UEFI than with BIOS since UEFI is so much more powerful than BIOS – you can load rather arbitrarily sized 32bit modules (built by a modern C compiler), which have access to everything a modern OS provides (threads, networking, plenty of memory). With “UEFI Shell” they basically admitted that UEFI _is_ an Operating System (whose main purpose – for now – is to load another OS).
This cozy environment simplifies attacks somewhat compared with the old BIOS situation.
Security designed by bean-counters, is there anything better?
The design isn’t common criteria. Only the requirements as to what the system is supposed to withstand – and those are quite sound.
Good. I stand corrected then.
While it’s already bad enough that Microsoft is requiring OEMs to use UEFI on their Windows 8 machines, it’s downright disgusting that they have mandated it be completely locked on ARM devices, more so that they have the leverage to demand that. The justification is that it isn’t anti-competitive on ARM because Windows lags behind on tablets, but that argument collapses when you consider there may (will) be ARM desktops and ultrabooks (well, Intel owns the word “ultrabook”, but a rose by any other name…). Microsoft still dominates that market, and consumers really are too dumb to understand what “CPU architecture” means (I dropped that term to a customer by accident, recently, and he thought I meant the form of the case), and why their Windows will have less capabilities than their friend’s.
It is going to take a year or more before people know they should ask what type of Windows it is running so they can run their existing applications on it.
It is like Windows Vista, even “your grandmother” would ask if it was running Vista and wouldn’t buy it if she couldn’t get something else on it.
It is like 2005 all over again, the same “grandmother” comments .
And now everybody loves Vista SE.
People might yet love Win9, after grumbling for some time about Win8, even if 9 will be mostly just Win8 SE / Metro 2.0.
On several occasions I’ve seen and heard the argument that easy disabling (e.g. including a simple switch in the bios/whatever you want to call it) should be a no-go. Then for crying out loud, at least provide a jumper on the mobo in an accessible place (anywhere on desktop/server boards, and near the ram slots on laptops) where those who care enough, can disable it.
Going for abominations like this Fedora plan (where you can’t use your own compiled kernel, modified drivers, etc.) should be the absolute no-go, and distro makers should not offer to voluntarily go with MS’s lockout plan. Instead they should join the effort in full to lobby for including the option to switch off UEFI SB on every and each UEFI hardware.
Except if they want to compete in the server business (RHEL vs. Windows Server 8). Having a checkbox to tick “protected boot process” might come in useful when trying to secure government contracts, whereas having that checkbox empty might hurt sales.
Even NIST is aware that firmware level attacks might be a problem.
MJG is paid by Redhat, and so he will work on what’s best for them. Compiling your own kernel is so far down the requirements lists for enterprise servers that they don’t care about it much. They just need a way to _somehow_ get around the lock-down for their own development (and the geeks) – and right now, there is.
I failed to see how the proposed solution is somewhat unfitting. He asked for a simple jump or switch on motherboards, nothing more. I think it is the best and simplest solution I ever heard. It will not lessen what Red Hat can do or claim for their systems and provides a fair level playing field for all others involved on linux/*BSD, or whatever camps.
After some kicking and screaming, Microsoft was coerced to require a soft switch (somewhere in the firmware menu) to disable secureboot in order to gain the Windows 8 Logo. That’s not the concern.
There are numerous others, eg.: Will that switch cease to exist sometimes, eg. with Windows 9 Logo? Why can you only ever sign files, incl. UEFI drivers with one signature, which grants an effective monopoly to Microsoft?
Using such a switch (no matter if hardware or software) prevents the “boots securely” checkbox item on the RHEL sales material. Redhat _needs_ secureboot capability – not so much for Fedora, but for RHEL.
I guess that they do it for Fedora is just a way to get it tested before they run it by their paying customers.
If they NEED such thing, just REFUSE to boot on machines where this feature is available and was disabled. Nothing more, nothing less. It keep its toys and let the others play with theirs.
Edited 2012-06-18 23:44 UTC
At some point, customers (government, big business) will _require_ “secure” booting. Telling them to buy “insecure” systems (or disabling the secure boot feature) won’t fly.
That would mean death to them then.
UEFI is a clear attempt to prevent competition by a player with a near-monopoly in the market for laptop/desktop operating systems.
In the U.S. there should be anti-trust filed over this.
This would be the third go-round for MS in the anti-trust courts: the consent degree back in the 90s, then the judgement against them in 2001.
Third time’s the charm, MS.
What laptop/desktop OS competition?
You really think MS will need UEFI in that area?