Ubuntu Can't Trust FSF's Secure Boot Solution
sfcrazy writes "The Free Software Foundation recently published a whitepaper criticizing Ubuntu's move to drop Grub 2 in order to support Microsoft's UEFI Secure Boot. The FSF also recommended that Ubuntu should reconsider their decision. Ubuntu's charismatic chief, Mark Shuttleworth, has responded to the situation during an interview, and explained the reason they won't change their stand on dropping Grub 2 from Ubuntu. Shuttleworth said, 'The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it's hard for them to argue they never would!'"
> Secure Boot is a very much required security feature. It will lock out malware that hides rootkits in the boot sector. That's a very good thing.
Somebody with more crypto knowhow, please put me some knowledge on here. Because I'm not seeing it that way. Secure boot will work wonders to ensure Hollywierd and Microsoft that their hardware isn't doing something nasty like letting the guy who put money on the counter and thinks they own it (how funny!) run something of their choosing. What I don't see is how it really protects the user from malware.
The security only runs one way. Once somebody can subvert the boot process in any way (and show me ONE device that hasn't been rooted) all malware need do is what it has always been doing. Take over the boot. Then IT checks the sig on Windows and tells it that "I'm the bootloader, you can trust me." and there isn't a 100% sure way to verify backwards. We all know most vendors will still be flashing the BIOS/UEFI from Windows because anything else will be too much hassle for the end users. They will pretty much have to do it to get key revocation lists. Oh yeah, they talk now about secure pathways through secured supervisor modes but we know that if it is running Windows nothing on that CPU is really and truly secure. And wait until the motherboard makers start encheapening the system. Remember when a physical write protect jumper was standard to protect flash BIOS? And a ROM portion with an emergency rescue reflash util? When was the last time you saw any of those protective measures on consumer equipment?
> It's also optional, so you can always install Linux.
On x86, for now.
Democrat delenda est
It gets better. Ubuntu is assuming this lockdown will be happening with OEMs they have a contractual relationship with.
Think about it. I put out Unknown Hacker Linux with a boot loader signed by me. I publish it on my website somewhere. Evil Bit Computers downloads it and installs my public key into the firmware of machines that they then sell to the public in a totally locked state. A buyer of one of those machines decides they want to wipe the preload and install Windows 8. They go to Evil Bit and demand the keys per the GPL3 and get an Evil Laugh(TM). Then they come to me and demand the signing key and I tell them, I feel your pain but I'm sorry I can't do that because it would compromise every machine installed with packages signed by that key. And they couldn't do a darned thing to me legally because I have no relationship to Evil Bit Computers. If push came to shove Evil Bit could be required to issue new firmware allowing rekeying or they could be barred from distribution of GPL3 software. But I'd never see the inside of the courthouse.
And now you know why I have never considered Ubuntu. Never could say why, but they have always given off a 'wrong' vibe. Best explanation would be the short story _Young Zaphod Plays It Safe._ Just an undefined unease with 'em.
Democrat delenda est