Slashdot Mirror


Richard Stallman Speaks About UEFI

An anonymous reader writes "Despite weaknesses in the Linux-hostile 'secure boot' mechanism, both Fedora and Ubuntu decided to facilitate it, by essentially adopting two different approaches. Richard Stallman has finally spoken out on this subject. He notes that 'if the user doesn't control the keys, then it's a kind of shackle, and that would be true no matter what system it is.' He says, 'Microsoft demands that ARM computers sold for Windows 8 be set up so that the user cannot change the keys; in other words, turn it into restricted boot.' Stallman adds that 'this is not a security feature. This is abuse of the users. I think it ought to be illegal.'"

22 of 549 comments

  1. Crippled Hardware by Archangel+Michael · · Score: 5, Insightful

    The Hardware is crippled for the sake of Microsoft. Period.

    Secure boot is Microsoft's attempt to maintain computer OS market share as their influence is being stripped away by the likes of Google (Android) and Apple (iOS). With HTML5 on the way, we will have WEB based applications that rival desktop versions, and run on ANY device. The OS is just a layer to get to where the real work gets done, information exchange.

    AND the worst part is, secure boot doesn't actually fix the problem it pretends it solves. It can't. This is the whole DRM of DVD's and BluRay all over again. Look at how well that is working out.

    DRM is broken by design.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Crippled Hardware by Altanar · · Score: 5, Informative

      Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option. How hard is it to disable? Take a look at this image: http://imgur.com/QW1Pp

    2. Re:Crippled Hardware by X0563511 · · Score: 5, Interesting

      So when you get your MB (made in China), with a BIOS apparently coded in a rural part of China (have you seen BIOS lately?), and find it doesn't let you disable it...

      What, exactly, is your recourse?

      Coreboot is the only answer, and that's not going to happen while Microsoft (and probably Apple as well) isn't bankrupt.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:Crippled Hardware by 0123456 · · Score: 5, Insightful

      And when that happens, you will have a good reason to get upset. Until then it's just speculation.

      Yes, you're right. Microsoft would never, ever even think of locking all other operating systems out of the PC market.

      How could I possibly have been so stupid?

      Meanwhile, back in the real world, the day you're locked out of all new PC hardware is a day too late to get upset about it.

    4. Re:Crippled Hardware by Kjella · · Score: 5, Insightful

      AND the worst part is, secure boot doesn't actually fix the problem it pretends it solves. It can't. This is the whole DRM of DVD's and BluRay all over again. Look at how well that is working out. DRM is broken by design.

      That depends on what problem it is you think it pretends to solve. A computer made to only run signed code doesn't have the same fundamental weakness as DRM has where the private key has to be somewhere to decrypt it, nobody but Microsoft is going to have Microsoft's private signing key and unless they give you that option disabling the signature check is going to be extremely hard. Getting any other code to run - except user space code in Win8's application sandbox - will be as hard as cracking the Xbox360 or the PS3. I suspect that with a "boiling the frog" strategy the current document said people MUST be able to disable it on x86, the next one will say MAY and with a nudge and a wink to the OEMs it's going to end up at MAY NOT.

      --
      Live today, because you never know what tomorrow brings
    5. Re:Crippled Hardware by vux984 · · Score: 5, Insightful

      If I want to buy a Windows lockin computer to run Windows, that doesn't keep anyone from producing a product that can run any free os.

      That is correct, but playing devil's advocate here... the market for such a product would be relatively small, and it would need to be purpose built for that market, and purpose bought.

      The days of taking home a used PC from the office that had been retired and popping linux on it to play around would be over.

      The days of dropping a live distro in would be over.

      The days of buying a PC and dual booting linux would be over.

      We would instead need to special order a linux capable product, and use it for that purpose. It's not the end of the world, but it would be the end of an era that would be greatly missed by those of us that care.

    6. Re:Crippled Hardware by Mousit · · Score: 5, Informative

      Don't like it? Go into your BIOS and turn it off. The specification mandates that it have a disable option.

      No, no the specification does NOT mandate that it have a disable option. The specification simply does not prohibit providing such an option (for the moment at least). The motherboard manufacturer and/or BIOS makers are completely free to not provide a disable option if they so desire.

      Whether the (lack of) option becomes common or not is another thing entirely, of course.

  2. I would have had first post! by theswimmingbird · · Score: 5, Funny

    But I couldn't boot into my OS.

  3. The Right To Read by andrew3 · · Score: 5, Informative

    Richard's story, The Right To Read, has already sort of predicted this move.

    But not only were [free operating systems] illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

    Despite what people say about Restricted Boot, it opens up the world of computers to a whole new set of attacks... by megacorporations like Microsoft.

    1. Re:The Right To Read by Squiddie · · Score: 5, Interesting

      The worst part about rms is that all his fears always come true.

    2. Re:The Right To Read by styrotech · · Score: 5, Funny

      That's only because the bad guys look at what he fears for some good ideas.

      Now if only RMS had've patented his ideas :)

  4. Re:You know what you're getting by andrew3 · · Score: 5, Insightful

    It's not that simple. Many users don't know what UEFI or Restricted Boot are. If they see a Certified for Windows 8 logo on a computer when they're buying it, they don't know that means extra restrictions for them.

    Not everybody cares about computers, which is why Restricted Boot is so bad.

  5. Shackles by Taco+Cowboy · · Score: 5, Insightful

    If Microsoft got what it demands, that ARM devices that runs Win 8 be permanently locked, then the only option that I have, as a consumer, is to NOT BUY THAT DEVICE

    No point of supporting dictatorial regime, be it political dictatorial, or hardware dictatorial

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Shackles by X0563511 · · Score: 5, Insightful

      Of course, the salesdroids would point the finger squarely at ARM, should the sales numbers not measure up.

      Voting with your wallet only works correctly if the fallout falls in the right place.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Shackles by IAmR007 · · Score: 5, Insightful

      It also only matters if enough people vote with their wallets. The majority of people don't care about other operating systems or even care about having the choice.

    3. Re:Shackles by Kjella · · Score: 5, Informative

      It is even worse than that - if it won't be possible to change the certificate on a machine and that certificate gets compromised, then it means there is no security anymore either... The device is now junk after maybe one month of owning it. You need a new device regardless. And don't tell me you have not heard of the certificates for Blu-ray and so on being compromised...

      BluRay players have a private key to decrypt that can be compromised. Secure Boot only has a public key to verify so it can't be compromised, there's no secret.

      The alternative - Microsoft can remotely update the certificate, but that also means any remote attacker who breaks the key can change it...

      No. If Microsoft was to be hacked and their signing key compromised - a pretty heavy feat of hacking in itself, they'd pull out their root key and revoke that key then create and sign a new signing key. This is PKI 101, you always have a root key for situations like this. Of course if their root key was compromised they're fucked, but that one is deep in a vault deep in the bowels of Microsoft and the only place it'd come out would be in a secure facility to sign a new signing key.

      --
      Live today, because you never know what tomorrow brings
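
The key hierarchy described in the comment above (firmware holds only public material; a root key certifies a signing key and can revoke it), as an added example that is not part of the original thread. It uses textbook RSA over small Mersenne primes purely for illustration and is not secure; the names `Firmware`, `issue_cert`, `run_demo` and the `cert:`/`revoke:` message prefixes are assumptions, and it does not model real UEFI variable formats.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(a, b):
    # Toy RSA key from two Mersenne primes (constructed for the demo, NOT secure).
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):            # needs the private exponent d
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):       # needs only the public modulus n
    return pow(sig, E, n) == digest(data, n)

def issue_cert(root, signing_key):
    n = signing_key["n"]
    return {"n": n, "sig": sign(root, b"cert:" + to_bytes(n))}

class Firmware:
    """Holds public material only: the root modulus and a revocation list."""
    def __init__(self, root_n):
        self.root_n, self.revoked = root_n, set()

    def apply_revocation(self, n, sig):
        if not verify(self.root_n, b"revoke:" + to_bytes(n), sig):
            return False          # update not signed by the root key: ignored
        self.revoked.add(n)
        return True

    def boot(self, image, image_sig, cert):
        if cert["n"] in self.revoked:
            return "rejected: signing key revoked"
        if not verify(self.root_n, b"cert:" + to_bytes(cert["n"]), cert["sig"]):
            return "rejected: certificate not signed by root"
        if not verify(cert["n"], image, image_sig):
            return "rejected: bad image signature"
        return "booted"

def run_demo():
    root, key1, key2 = make_key(521, 607), make_key(89, 107), make_key(61, 127)
    fw = Firmware(root["n"])
    cert1, cert2 = issue_cert(root, key1), issue_cert(root, key2)
    image, rogue = b"bootloader v1", b"image signed with leaked key1"
    out = [fw.boot(image, sign(key1, image), cert1),        # genuine image
           fw.boot(image + b"!", sign(key1, image), cert1),  # modified image
           fw.boot(rogue, sign(key1, rogue), cert1)]         # key1 leaked, not yet revoked
    # A revocation signed by anything other than the root key is ignored.
    out.append(fw.apply_revocation(key2["n"], sign(key1, b"revoke:" + to_bytes(key2["n"]))))
    out.append(fw.apply_revocation(key1["n"], sign(root, b"revoke:" + to_bytes(key1["n"]))))
    out += [fw.boot(rogue, sign(key1, rogue), cert1),        # key1 now on the revocation list
            fw.boot(image, sign(key2, image), cert2)]        # replacement signing key
    return out
```

`run_demo()` returns the outcome of each step in order; the leaked signing key is honoured until the root-signed revocation reaches the firmware, which is the window the revocation mechanism exists to close.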
    4. Re:Shackles by garyebickford · · Score: 5, Interesting

      Funny you should mention blu-ray. I just bought a blu-ray player and the Firefly blu-ray discs (full series plus the movie). The player and the discs were such a PITA to use that I returned everything as defective. The fact that the player also skipped when playing regular DVDs was bad, and the ridiculously bad user interface and slow load times, and hopelessly slow and useless 'web interface'.

      But the fact that one has to sit through (feels like) 10 minutes of WARNING COPYING IS EVIL messages at the start, and another 10 minutes of WARNING COPYING IS EVIL at the end OF EACH EPISODE, IN FOUR DIFFERENT LANGUAGES was beyond the pale. AFAI am concerned, this ridiculous waste of my time constitutes a defective product. So, no more blu-ray for me, and $200 of lost sales for the vendors - not to mention that Samsung will have to repackage the player for resale.

      For perspective, had I kept the blu-ray it's likely I would have spent $300 over the next year on videos. And I need a big screen TV, preferably with passive 3D (I happen to like 3D). So that's a total of about $1500 in lost sales - sorry folks, get your act together. Until I can watch a 3D blu-ray movie on a device of MY choosing, _at least_ as easily as I can watch a DVD now (preferably easier), my money will stay home.

      I had read the various complaints from /.ers and others about the problems with blu-ray, and now I have experienced them first hand. I'm no pirate - the only videos I've downloaded have been from archive.org, and authorized ones. But I was sorely tempted to buy a blu-ray drive for my desktop (which I was going to set up with MythTV anyway) and rip the Firefly discs. I would have even kept them, if I could watch the stupid things without so much hassle. They've actually made watching a movie in your own home a bigger hassle than driving to the theatre (in my case a 40 minute drive, and paid parking to boot).

      I wonder if a class action suit against the media companies regarding the lack of usability and lack of fair use would succeed.

      In any case, this UEFI thing appears to be the first step in destroying the personal computing device market and turning it into a monopolist's dream, following the blu-ray debacle. If all else fails, I'll just spend the time on my sailboat, and exude feelings of pity for young whippersnappers who are growing up with no alternative to being 'sharecroppers' for the media.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  6. S/BOOT is about taking people's freedom by Anonymous Coward · · Score: 5, Insightful

    Let me explain ... me I just bought a wireless access point ... and I have no intention at all of using it
    as an access point. I want a device with a set of excellent antennas, great rx sensitivity and it has to
    have monitor mode so I can capture raw 802.11 frames and I have to be able to make it send arbitrary
    802.11 frames as well.

    Yeah I found a great little device for doing just that ;-)

    Thankfully this device is not locked down with a secure boot loader !!! I did have to open it up and access
    the serial port on the board to load dd-wrt (an alternative linux distribution for wifi routers) but it was *easy*
    and the chipset it has is a.) linux supported and b.) the chipset and the linux driver support monitoring
    and injection.

    IF SECURE BOOT COMES AROUND WE WON'T BE ABLE TO DO THAT ANYMORE!!

    If the router had had a secure boot scheme I would have had to first work hard on getting around that. JTAG.
    Glitching, and in a few years from now even these techniques might not work anymore. In FACT ... the ARM
    chips do have a jtag interface but now there's SECURE MONITOR MODE for jtag meaning you have to first
    do a cryptographic challenge/response sequence before you get access to the chip via JTAG.

    WTF!! I FUCKING OWN THIS BOX WHO THE FUCK ARE YOU TO KEEP ME FROM USING IT AS I SEE FIT, YOU SCUM!!

    Anyhow here's the game plan that's been decided in the back room .... There will be secure boot on commodity hardware.
    Vendors who are in the club will get their code signed easily. For a while small fries will also get their code signed for a
    fee. The consumer will have the impression that there is still choice, Linux is not going to go away tomorrow, a signed and
    authorized kernel will be available.

    However, you will find that you're going to be locked out more and more out of your system. At some point you will not be sure
    anymore what is running in the background and what backdoors are introduced into the system. You will have to trust a kernel
    image that is given to you encrypted and that may contain all sorts of things.

    It's the future they want. The ability to access/erase/modify your data, activate your microphones and video cameras, prevent you
    from doing anything they don't want you to. Sure there will be exploits for a while and ways to regain access however limited or temporary
    but as the game plan advances.. give it another 10-15 years at the rate tech is advancing and it will be VERY HARD TO IMPOSSIBLE for
    YOU small fries to do anything about it. Maybe someone with millions of $$$ can hack their devices but you with a small salary will
    not ... and they will detect that you tried and put you away.

    Well that's their game plan .... Now YOU!!!! need to do something about it!!!

    IT STARTS WITH SAYING NO TO ARM AND BROADCOM HARDWARE
    IT STARTS WITH INFLUENCING BUYING AT WORK.
    IT STARTS WITH GETTING RID OF THEIR STOCK
    IT STARTS WITH CALLING THEM UP AND BUGGING THE SHIT OUT OF THEM
    IT STARTS WITH EDUCATING EVERYBODY ELSE AROUND YOU.
    Enough all caps. But yeah to drive the point home.

    It starts with easy things and yes.. the way freedom is going away it may well end someday with a whole lot of violence, blood and tears ...

    Enough. Think this one through. Do you want to spend the rest of your life with locked down ipads never sure if
    they're watching you with it, too scared to type anything 'radical' into it, too locked down to do what you want
    while the box has the 100x the power tech has to do but is using that to make your life hard and miserable???

    Help me out here, I don't want this kind of future.

  7. The elephant in the discussion by recoiledsnake · · Score: 5, Insightful

    If Microsoft got what it demands, that ARM devices that runs Win 8 be permanently locked, then the only option that I have, as a consumer, is to NOT BUY THAT DEVICE

    No point of supporting dictatorial regime, be it political dictatorial, or hardware dictatorial

    The elephant in the discussion is the iPad, an ARM based device with a locked bootloader. No one wants to talk about making it illegal, only Windows RT tablets must be outlawed, Apple is free to do whatever they want. Say you bought an iPad on Slashdot, automatically get +5 for not choosing a PC with Windows. But guess what? Apple bans Firefox from the iPad while you can even install Linux on a PC.

    --
    This space for rent.
  8. You say fallacy, I say heuristic by tepples · · Score: 5, Insightful

    the slippery slope argument is a logical fallacy

    Logical fallacies work only in the case where all premises are known with certainty. Where premises are not knowable with such certainty, or where premises change over time with a change in culture, fallacies become heuristics.

  9. Re:Sucks to be a used PC reseller... by Anonymous Coward · · Score: 5, Insightful

    Problem is - you cannot generate your own key. You HAVE to get the key somewhere else, and getting that key will cost money (yes for non-commercial use it is free .... for now). Some operating systems are self build, and they have to get a new key every time they change something at kernel level. That will be a great hindrance.

    Now - you can say "big deal - just switch off secure boot". The problem with that is a lot of people just want to dual boot with Windows. Problem with that is - if your distro has no key, you are forced to do a cumbersome "reboot - go to BIOS - switch off secure boot - save settings - reboot again - start the distro" and when you go back to windows you have to do "reboot - go into BIOS - switch on secure boot - save settings - reboot again - boot Windows". This gives a physical and psychological barrier, that will be a big hindrance for acceptance of any other OS than Windows. In fact all not-signed distros will be "flagged" as difficult to use, just because the hoops you have to jump through to get everything working. This creates an unfair advantage for windows (because secure boot is on by default if you want to have a Microsoft certification).

    And there are problems with getting this key. The user cannot generate the key themselves. If that would be the case all problems were over. No the user politely has to ask for a key, and so are depending on a third party if they are allowed to use the hardware they just bought for dual-booting. As I said - for now it is free, but there are no guarantees it will stay that way. And if you are making an OS for commercial purposes, you have to pay $99 - again ... for now. This could easily be raised to $999, or $9999 or $9999999 or whatever they want.

    And last - if Microsoft has secure boot in place it is a given fact (make no mistake - you won't get a MS approved certification if the hardware you make has no secure boot, so most hardware makers won't take any risk and comply to the demands of Microsoft). And when secure boot is in place Microsoft can increase the demands surrounding this secure boot (if this will be in the field of key generation or increased "safety" demands is to be seen, but you can be sure it will generate an increased barrier for other operating systems).

  10. Re:Sucks to be a used PC reseller... by SuricouRaven · · Score: 5, Insightful

    For now. Secure boot is Microsoft building a big 'destroy linux' button and promising they won't push it.