Slashdot Mirror


Will Secure Boot Cripple Linux Compatibility?

MojoMax writes "The advent of Windows 8 is drawing ever nearer and recently we have learned that ARM devices installed with Windows 8 will not be able to disable the UEFI secure boot feature that many of us are deeply concerned about. However, UEFI is still a very real danger to Linux and the freedom to use whichever OS you choose. Regardless of information for OEMs to enable customers to install their own keys, such as that published by the Linux Foundation, there are still very serious and as yet unresolved issues with using secure boot and Linux. These issues are best summarized quoting Matthew Garrett: 'Signing the kernel isn't enough. Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen. That's going to make some people fairly unhappy.'"

9 of 545 comments

  1. "Freedom" by bonch · · Score: 4, Interesting

    Would someone interested in Linux on these particular tablets be able to order one from a vendor with Linux (or no operating system) pre-installed? I couldn't find information on whether or not OEMs are restricted from selling pre-installed Linux versions of the tablet. The SoftwareFreedom website says "any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot." The phrase there is "ships with Windows 8," which suggests to me that Custom Boot-enabled versions could ship without Windows. Admittedly, I have a hard time seeing it as a freedom issue, as these are just tech gadgets at the end of the day. I'd rather it was framed as an inconvenience argument, not a freedom one.

    1. Re:"Freedom" by Microlith · · Score: 4, Interesting

      So is Apple

      Apple does not sell its OS to 3rd party hardware vendors and dictate how to lock down the device.

      nothing is stopping Linux tablets from coming to market, in fact there are lots of them out there now

      There are, but how long until MS ramps up the pressure to push Android out of the market via legal and possibly illegal means?

      If you buy a 'Designed for Windows 8' device it's no different than buying an iPad with regard to the operating system.

      Sure it is. The vendor is being forced by the OS supplier to set the device up in a way that precludes alternatives, and leveraging their monopoly platform to do it.

      I doubt there are many people out there who bought an iPad and are complaining that they can't install Linux on it (me included), so why should it be any different for these 'Designed for Windows 8' devices?

      Yeah, minorities should ALWAYS be ignored. Only the masses should ever get what they want, everyone else can go fuck themselves. Right?

    2. Re:"Freedom" by symbolset · · Score: 3, Interesting

      This disease has an easy cure. Just don't buy it. You don't want a Windows tablet anyway. Nobody does.

      --
      Help stamp out iliturcy.
    3. Re:"Freedom" by Darinbob · · Score: 4, Interesting

      There are some cases where secure bootloaders are valid. I.e., so that only owners can modify their devices instead of just anyone who has physical access (electricity meters), rented or leased equipment (broadband routers), and so forth. Sometimes the device requires a level of trust as part of its design and the owners insist on knowing that the firmware has not been tampered with, such as encrypted routers.

      Additionally there is often a market need to create a secured device to prevent or discourage third party sales or hacking. I've seen this activity common in medical equipment where there can be an active trade in Russia or China of buying old machines and reimaging them and there's no opportunity to sue (yes a murky issue as you buy software features separately from hardware, but the end-user is legally forbidden from putting their own software on in many countries). If I go in for radiation therapy treatment I want to know positively that the hardware/firmware/software has passed FDA scrutiny.

      The issue here with Microsoft and Apple is that they are huge players in the market and they're not doing this to just niche devices. With MS specifically they have a known guilty track record of antitrust activity. MS isn't going to require signing of all third party apps, they specifically want to make sure there is no competition for the operating system.

      It would be better overall to allow the consumer to turn on and off the trust levels on the devices. If the operating system boots up and notices that it's not on a secured system then it can just warn the user instead of refusing to boot. This way you can make things more secure without denying the consumer their right to use the equipment in any manner they want.

  2. I predict.... by Bravoc · · Score: 3, Interesting

    There will be a "jailbreak" or somesuch available for these within a matter of hours from when they hit the street.

  3. Re:Simple solution by SeaFox · · Score: 4, Interesting

    No, he's being serious. If you buy them and then return them opened, the store can't resell them as brand new and lose money.

  4. IT'S OVER by Jeremiah Cornelius · · Score: 2, Interesting

    SOPA PIPA, the "return" of public-domain artefacts to the status of "intellectual property", "secure" boot.

    My .sig is no joke. If the elite in the US and Europe were told "make the choice between keeping Corporate Capitalism or Republican Government?"

    I think you know that the last vestiges of the old republic would be swept away... in a twinkling.

    GET THIS STRAIGHT! Democracy is MORE IMPORTANT than mere COMMERCE!

    But it's too late, isn't it? Now, it's all over - except the shouting.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. Re:Signed GRUB by letsief · · Score: 3, Interesting

    Honestly, I think you have it backwards. I think it's less that UEFI secure boot is most advantageous to Microsoft and more that it happens to be inconvenient to Linux. The open source community, for both good and bad reasons, has made a series of decisions that make a signed code model difficult to implement (and stomach).

    Forgetting about who runs the signing service for a moment, do you have a better idea of how to solve security problems with boot firmware? It's one thing if you don't like the implementation of UEFI secure boot, but you seem to be suggesting that the entire concept behind UEFI secure boot benefits Microsoft. If that's true, what is the alternative?

    I don't think Microsoft particularly wanted to run the signing service. It has already given them headaches, and it opens the door for a lot of potential problems with liability. But who else was going to run it? The UEFI Forum never gave any indication they were willing to run it when the specification was being written. Given they were the natural choice, I think it's pretty clear that means they explicitly didn't want to run it. Who else was going to run it? Verisign? I'm sure that would have gone over much better... Even if things did go that route, who was going to pay for it? If Microsoft funded it, which they probably would have had to, people would have just assumed Verisign was going to do whatever Microsoft told them to.

    Red Hat and Canonical have never given any indication they were willing to run a signing service either. And people in the industry did ask them to. I'm not sure they ever explicitly said no, but they certainly never said yes either.