FSF Criticises Ubuntu For Dropping Grub 2 For Secure Boot

sfcrazy writes "The Free Software Foundation (FSF) has published a whitepaper suggesting how free operating systems can deal with UEFI secure boot. In the whitepaper, the foundation has criticized the approach Canonical/Ubuntu has taken to deal with the problem. The paper reads: 'It is not too late to change. We urge Ubuntu and Canonical to reverse this decision, and we offer our help in working through any licensing concerns. We also hope that Ubuntu, like Fedora, will actively support users generating and using their own signing keys to run and share any versions of the software, and not require users to install a key from Canonical to get the full benefit of their operating system.'"

They also criticized Fedora..

[gQuigs]

not as much, but still (for planning to use the MS key). It's a very bad position we (Free Software) are in with Restricted/Secure boot. I think it's time the Linux friendly vendors really get behind CoreBoot [http://www.coreboot.org/Welcome_to_coreboot] and let us be truly independent.

As it is setup right now:
Binaries can only be signed with one key. If you use Microsoft's key, you can't use your own.
Not all vendors may support letting users add their own keys. (and even if they do it certainly complicates a fresh install).
ARM will be completely locked down if vendors want MS to run on it.
If you use the Microsoft key, they can revoke your access (they likely need cause, but still)

Re:They also criticized Fedora..

Why CoreBoot? What's wrong with stuff like OpenFirmware, or even just finishing projects to boot properly from EFI machines (which are not "secure"). There's no reason to ask HW manufacturers to adopt some completely new firmware stack when there are already-working ones which are more than "open" enough. The only real problem here is with this new Secure Boot add-on, but there is no reason to throw the baby out with the bathwater. OpenFirmware / EFI can replace BIOS just fine and not have any restrictions. They already exist and manufacturers already know how to use them.

Re:people who use ubuntu are linux posers anyways

[jellomizer]

Linux has gone mainstream... Just not on the desktop. Where is remains a distant 3rd behind Windows and OS/X.
With Android, Linux is quite popular with mobile. Linux is also strong on the server side too.
Linux never made it to the desktop, because there were too many drivers to support. When you luck out and get a System that is well supported by Linux... Linux rocked on that system. However if you try to put Linux on a poorly supported system, it usually sucked, and felt like a cheap OS.

If Microsoft make "Windows 9" a Linux Distribution with a Windows themed UI. It would probably be just like Vista, many people complaining about hardware compatibility, systems crashing all the time (due to improper drivers)

Servers and Laptops

[betterunixthanunix]

Intel knows where they can make money from GNU/Linux: servers. That is not the target of this restricted boot system, and even if these restrictions come to servers, nobody will complain -- professional IT workers can put a $99 signing key purchase on their budget and continue to deploy whatever they want. Desktop GNU/Linux is not going to make Intel all that much money, and they know it -- Windows and Mac OS X are where all the desktop money is.

Intel and everyone else knows that restricted boot environments for personal computers (desktops and laptops) will be hugely profitable. Entertainment companies love it -- they can deploy a new kind of DRM that won't be defeated for years (see: PS3). Software companies love it, because they can stop people from applying cracks to evade DRM. ISPs love it because they can better lock-down their networks if they can control the computers that can be connected to those networks. The potential for money-making deals is HUGE, and Intel knows that when their chips are the center of these profitable systems, they make lots of money.

At the end of the day, Intel could not care less about hackers or computing freedom; they exist to make money, and there is no money to be made in allowing desktop and laptop users to have freedom.

Re:Servers and Laptops

[betterunixthanunix]

SecureBoot is not a DRM system (for now).

For now indeed -- it is blindingly obvious that this is a temporary situation.

If SecureBoot is on, the requirement is that the code executed before ExitBootServices() has to be signed

Thus closing the one remaining loophole in PC DRM, the loophole that has been the bane of entertainment and software companies (and especially the combination of those, video game companies) for decades. If the bootloader must be signed, then the bootloader can be designed to only load a signed kernel, which will only run signed applications, which will not receive signatures if they can possibly circumvent a DRM system. That is the point here -- you will not be able to just patch software to remove license checks, you will not be able to cheat in video games by executing code in kernel mode (yes, really, people do this -- in MMORPGs, where cheating successfully can yield real world profits), you will not be able to examine memory from processes that forbid it (so no more grabbing secret keys out of RAM), etc. The only reason that has not happened yet is that the PC software ecosystem is so massively complex and there is so much legacy code that no longer has anyone maintaining it, all of which has to be run somehow. I suspect that Microsoft's solution to that will be to create a secure sandbox where unsigned code can be run, but where it is unable to interact with any other software (so e.g. unsigned code could open some process' memory and examine it, but only if that process is running in the sandbox -- and of course, a signed application could forbid being run in a sandbox). They cannot do everyone at once -- gradually moving in for the kill is a better tactic for them.

So for example one can create a Boot Loader like EFILinux that will be signed and conform to the specification, and that can load unsigned kernels, and those unsigned kernels can contain any code

Sure, but look at the Fedora rationale; they noted that if they sign code that can be used to launch "malware" that attacks Windows, they will get in trouble. That's the difficulty here -- for a system to be secure in the restricted boot / DRM sense, in must never allow unsigned code to run, except in a strictly confined environment (so certainly not in kernel mode). For now, you can load an unsigned kernel, but the noose is already around your neck -- if you get caught doing something Microsoft (or whoever else) doesn't like, you are in trouble.

Re:The FSF

[Microlith]

it appears that the FSF is feeling hurt because Ubuntu is switching to another open source bootloader that doesn't use the GPL.

No, they're concerned that Ubuntu is giving up a GPL bootloader because they're choosing to adopt Microsoft's secure-boot solution, which effectively puts all such systems under Microsoft's control and makes it infinitely harder for "unapproved" software to run on the systems (which, if Microsoft's attitude is any indication, would include virtually all Free Software.)

companies have the right to secure their computers.

So my computer belongs to Microsoft? Dell? Asus?

Perhaps you missed the bit where ALL systems with the Windows 8 logo were going to be forced into this locked state by default. It's not just a corporate security feature, it's being rammed down ALL of our throats.

Re:I suppose the ultimate solution is...

[hairyfeet]

Well if you are worried then the answer is simple, support AMD who has switched to Coreboot instead of UEFI as the replacement for BIOS. Since I doubt VERY seriously MSFT would have the brass balls to try to ban AMD systems from running Win 8 (and most likely risking another antitrust investigation) they will have to allow AMD systems to use Coreboot which means if you don't like it? The source is right there, help yourself and flash away.

But whether FSF likes it or not MSFT seems bound and determined to get rid of Windows piracy not with the carrot but with the stick, since its common knowledge that Win 7 is completely cracked wide open thanks to bootloaders that even allow the machines to get all updates without so much as a WGA warning so like it or not MSFT is gonna push this. At least AMD is supporting an open tech that you can flash yourself, although you always have the option of just turning the damned thing off and not using Secureboot.

Personally while i think offering Win HP for $50 and the Family Pack for $100 (which there is one of the family packs being offered right now on deals.woot for $95 and free shipping, its on page 4 i believe) to end piracy ultimately its their OS and they can be as tarded as they want with it. I think everyone is getting their panties in a wad over nothing myself, the amount of backlash I've seen at the shop over Win 8 is 10 times worse than Vista so I have a feeling its gonna be the new MS Bob and the OEMs are gonna be killing secureboot and shipping Win 7 as fast as they can get them out the door. Don't forget Vista had crazy anti-piracy shit in it too and it BOMBED like Michael Richards at an NAACP fundraiser so I really think we don't have anything to worry about here.