Slashdot Mirror


OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot

An anonymous reader writes "OpenBSD founder Theo de Raadt has slammed Red Hat and Canonical for the way they have reacted to Microsoft's introduction of 'secure' boot along with Windows 8, describing both companies as wanting to be the new Microsoft."

10 of 391 comments

  1. Expected by Daniel_Staal · · Score: 3, Informative

    I love OpenBSD, and run it on my firewall at home, but anyone who's followed De Raadt over the years has to be 100% expecting this.

    Including the over-the-top language.

    --
    'Sensible' is a curse word.
  2. External intermediate nonce & public key & by tlambert · · Score: 4, Informative

    You ship the TPM with a per-TPM public key in it, and a USB dongle with a certificate on it signed with the per-TPM secret key for the per-TPM public key, and then you require the presence of the dongle to intermediate the installation of the OS of your choice onto the machine. You allow installation of other public keys signed with the private key, and you have another public key and separate private key to permit per-device self-signing of whatever code you want, but only on a per-device basis.

    Then you have your BIOS/EFI/UEFI/Coreboot/u-boot refuse to do anything other than go into "install mode" if the dongle is inserted so that the dongle will be removed after installation for normal operation so that it can't be abused by malware.

    After that, all vendors are responsible for securing their own OS past the point of it being loaded into memory.

  3. Losing Influence by wzinc · · Score: 3, Informative

    Microsoft is quickly losing influence; I don't think their secure boot stuff is going to be that big of a deal. I would say they have a chance with Windows Server, but 2012 has Metro, so I think they'll be declining on all sides now. They don't seem to care about what people actually want; they just want to push some new thing.

    Personally, I never liked Windows, but with Metro even on Server, I'll be seriously pushing Linux at work.

  4. Re:A bit over the top by Baloroth · · Score: 4, Informative

    Of course, the DOJ decision was after this little tidbit:

    The D.C. Circuit Court of Appeals overturned Judge Jackson's [original judge who issued the breakup order] rulings against Microsoft. This was partly because the Appellate court had adopted a "drastically altered scope of liability" under which the Remedies could be taken, and also partly due to the embargoed interviews Judge Jackson had given to the news media while he was still hearing the case, in violation of the Code of Conduct for US Judges.[17] Judge Jackson did not attend the D.C. Circuit Court of Appeals hearing, in which the appeals court judges accused him of unethical conduct and determined he should have recused himself from the case.

    (bracketed bit inserted by me)

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  5. Re:A bit over the top by cpu6502 · · Score: 4, Informative

    Now here's an essay for you to read..... written by the Free Software Foundation:
    (snip)

    In theory, there should be no problem. In practice, the situation is more complicated. As currently proposed, Secure Boot impedes free software adoption. It is already bad enough that nearly all computers sold come with Microsoft Windows pre-installed. In order to convince users to try free software, we must convince them to remove the operating system that came on their computers (or to divide their hard drives and make room for a new system, perceptually risking their data in the process).

    With Secure Boot, new free software users must take an additional step to install free software operating systems. Because these operating systems do not have keys stored in every computer's firmware by default like Microsoft does, users will have to disable Secure Boot before booting the new system's installer. Proprietary software companies may present this requirement under the guise of "disable security on your computer," which will mislead new users into thinking free software is insecure.

    Without a doubt, this is an obstacle we don't need right now, and it is highly questionable that the security gains realized from Secure Boot outweigh the difficulties it will cause in practice for users trying to actually provide for their own security by escaping Microsoft Windows.

    It's also a problem because the Windows 8 Logo program currently mandates Restricted Boot on all ARM systems, which includes popular computer types like tablets and phones. It says that users must not be able to disable the boot restrictions or use their own signing keys. In addition to being unacceptable in its own right, this requirement was a reversal from Microsoft's initial public position, which claimed that the Windows 8 program would not block other operating systems from being installed. With this deception, Microsoft has demonstrated that they can't be trusted. While we are interpreting their current guidelines, we must keep in mind that they could change their mind again in the future and expand the ARM restrictions to more kinds of systems.

    The best way out of all of this (other than having all computers come pre-installed with free software) would be for free software operating systems to also be installable by default on any computer, without needing to disable Secure Boot. In the last few weeks, we've seen two major GNU/Linux distributions, Fedora and Ubuntu, sketch out two different paths in an attempt to achieve this goal.

    Fedora's approach

    There is much to like about Fedora's thinking, as explained by Matthew Garrett......... Unfortunately, while it is compliant with the license of GRUB 2 and any other GPLv3-covered software, we see two serious problems with the Microsoft program approach.

    1) Users wishing to run in a Secure Boot environment will have to trust Microsoft in order to boot official Fedora. The Secure Boot signing format currently allows only one signature on a binary -- so Fedora's shim bootloader can be signed only by the Microsoft-vouched key. If a user removes Microsoft's key, official Fedora will no longer boot, as long as Secure Boot is on.

    2) We reject the recommendation that others join the Microsoft developer program. In addition to the $99 expense being a barrier for many people around the world, the process for joining this program is objectionable. A nonexhaustive list of the problems includes: restrictive terms in multiple of the half-dozen contracts that must be signed, a forced commitment "to receive targeted advertisements and periodic member email messages from Microsoft," and a requirement to provide notarized proof of government-issued identification and a credit card.

    Ubuntu's approach

    Their approach has the same issue as Fedora's official method. Users have to trust Microsoft in order to boot official Ubuntu CDs. Their certification program amplifies this problem, because it means no one can sell certified Ubuntu machines without trusting Microsoft.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
  6. Re:A bit over the top by vux984 · · Score: 5, Informative

    ), but it doesn't change the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run.

    That is not true.

    Their OSes will run just fine provided any of the following are done:

    a) the user logs into UEFI and disables secure boot

    b) the user logs into UEFI and installs a distro key

    c) the user logs into UEFI and installs their own key and signs the distro themselves.

    d) the distro provider works with the manufacturer to have their key pre-loaded the same as Microsoft's.

    Microsoft (currently) does prevent or even hinder any one of those alternatives on x86.

    Canonical and Red Hat noted that a & b require at least a nominal effort by the end user (c requires a fair bit of effort for the end user), and that d required a substantial effort on their part.

    So they chose "e) sign our distros with the MS key" that Microsoft already took the effort to have preloaded so that our users don't need to take the nominal step of disabling secure boot or of installing their own keys.

    "That is called restraint-of-trade and it is VERY clearly a violation of the Sherman Antitrust "...

    No, it's not.

    "now they are actively blocking other OSes from Opera/Google/other OSes from running (unless they beg MS for a license)"

    You don't need a license from Microsoft. The end user can disable secure boot. The end user can install their own keys. The distro can approach the hardware manufacturer and have their own keys preloaded alongside Microsoft's.

    Microsoft isn't preventing anyone from doing anything, and you do not need to interact with Microsoft at all to install other OSes.

    Please COMPREHEND the above before replying or commenting on the subject further.
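
    The options listed in the comment above (a, b, c and e), together with point 1 of the essay quoted in comment 5 (an MS-signed shim stops booting once the user deletes Microsoft's key), all come down to one firmware policy check: is the image's single signer present in db, and does its signature verify over the image bytes? The following is an added example written for this page, not code from the thread, from shim, or from any firmware or distro. It models that check in Go with P-256 keys generated on the spot as stand-ins for the Microsoft UEFI CA, a distro key and the machine owner's key; a SHA-256 of the DER public key stands in for a db certificate entry; dbx, the PK/KEK hierarchy and Authenticode parsing are left out. The `Scenarios` function mutates db and the SecureBoot switch the way the "logs into UEFI" steps above would, and records which image boots under each option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SignedImage is a boot binary carrying exactly one signature, the limit the quoted essay describes for shim.
type SignedImage struct {
	Image []byte
	Pub   *ecdsa.PublicKey
	Sig   []byte
}

// Firmware holds the SecureBoot switch and db, the allowed-signer list (key ID -> label) editable from setup.
type Firmware struct {
	SecureBoot bool
	db         map[[32]byte]string
}

// keyID stands in for the db entry kept for a signer: SHA-256 of the DER-encoded public key.
func keyID(pub *ecdsa.PublicKey) [32]byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // not reachable for a valid P-256 key
	}
	return sha256.Sum256(der)
}

// newKey generates a P-256 key for one party (constructed for this example; not a real UEFI CA key).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is treated as fatal
	}
	return k
}

func sign(key *ecdsa.PrivateKey, image []byte) *SignedImage {
	h := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return &SignedImage{Image: image, Pub: &key.PublicKey, Sig: sig}
}

func (f *Firmware) Enroll(label string, pub *ecdsa.PublicKey) { f.db[keyID(pub)] = label }
func (f *Firmware) Remove(pub *ecdsa.PublicKey)               { delete(f.db, keyID(pub)) }

// WillBoot applies the policy to one image and explains the verdict.
func (f *Firmware) WillBoot(img *SignedImage) (bool, string) {
	if !f.SecureBoot {
		return true, "secure boot disabled: any image runs"
	}
	label, ok := f.db[keyID(img.Pub)]
	if !ok {
		return false, "signer not in db"
	}
	h := sha256.Sum256(img.Image)
	if !ecdsa.VerifyASN1(img.Pub, h[:], img.Sig) {
		return false, "signature does not match image"
	}
	return true, "trusted via " + label
}

// Scenarios walks the thread's options on one firmware and records which image boots under each.
func Scenarios() map[string]bool {
	ms, distro, owner := newKey(), newKey(), newKey()
	image := []byte("constructed stand-in for a shim/bootloader binary")
	byDistro, byOwner, byMS := sign(distro, image), sign(owner, image), sign(ms, image)
	tampered := &SignedImage{Image: append([]byte("x"), image...), Pub: byMS.Pub, Sig: byMS.Sig} // MS signature, image altered after signing
	fw := &Firmware{SecureBoot: true, db: map[[32]byte]string{}}
	fw.Enroll("Microsoft UEFI CA (stand-in)", &ms.PublicKey) // what the OEM preloads
	out := map[string]bool{}
	out["default"], _ = fw.WillBoot(byDistro) // distro-signed image, only the MS key in db
	fw.SecureBoot = false
	out["a"], _ = fw.WillBoot(byDistro) // a) disable secure boot
	fw.SecureBoot = true
	fw.Enroll("distro", &distro.PublicKey)
	out["b"], _ = fw.WillBoot(byDistro) // b) enroll the distro's key
	fw.Enroll("machine owner", &owner.PublicKey)
	out["c"], _ = fw.WillBoot(byOwner) // c) enroll own key, sign it yourself
	out["e"], _ = fw.WillBoot(byMS)    // e) shim signed with the preloaded MS key
	out["tampered"], _ = fw.WillBoot(tampered)
	fw.Remove(&ms.PublicKey)
	out["e-without-ms-key"], _ = fw.WillBoot(byMS) // the essay's point 1
	return out
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-17s boots=%v\n", k, v)
	}
}
```

    Running it shows the distro-signed image refused by default and accepted under a, b and c, the MS-signed image accepted under e and refused both when its bytes are altered and when the user removes the Microsoft entry from db. The last case is the trade-off the essay raises: with one signature per binary, whichever key signs shim is the one the user must keep enrolled.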

  7. Re:Why I Left OpenBSD by Anonymous Coward · · Score: 3, Informative

    http://www.trollaxor.com/2010/06/why-i-left-openbsd.html
    Copy and paste from this retard.

  8. Re:A bit over the top by AdamWill · · Score: 5, Informative

    "That's a nice 3-page essay (double-space I presume), but it doesn't change the fact Canonical and Redhat were forced to buy a license *from Microsoft* or else their OSes would not run."

    That's still not a fact. We were not forced to buy a license. We had several options, which Matthew outlined way back at the start of this whole saga, in this blog post:

    http://mjg59.dreamwidth.org/12368.html

    Specifically, the paragraph headlined "Getting the machine booted". It mentions the other options, including "the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it" and "producing some sort of overall Linux key". There is also the obvious negative possibility of simply not signing anything at all; this would require users to disable Secure Boot in the firmware before installing Linux, but it doesn't prevent them from doing so.

    Both Fedora (note, Fedora, not RH; RH does not necessarily always follow what Fedora does) and Ubuntu had several choices and _chose_ to go with the Microsoft signing service as the 'least bad' option (well, Ubuntu will also be self-signing, for OEM preloads). The fact that we are _choosing_ to get our releases signed with the Microsoft/Verisign key does not imply that we were _forced_ to do so. We _choose_ to do so on the basis that it'll provide the maximum possible success rate of Fedora installs with the minimum amount of work. We could have chosen to self-sign, or not to sign at all, and ask users to disable Secure Boot or import our key. We decided not to do so.

    "Problem is that people like YOU seem to think corporations never do anything wrong"

    This is an absurd stretch. You appear to be implying that anyone who suggests that a corporation might ever do anything at all that is _not_ wrong, must therefore believe that a corporation can _never_ do anything wrong. This is clearly ridiculous and false. You also mistake my opinion that Microsoft's actions are _not illegal_ for an opinion that they're _right_. These are not the same thing at all. I have carefully refrained from stating in public any personal opinion on the Rightness or Wrongness, from an ethical/moral standpoint, of Microsoft's actions. This is intentional. What I have said several times is that I don't believe the actions can successfully be characterized as _illegal_. Not everything that's wrong is also illegal. But if something is wrong/bad but not illegal, then you can't defeat that something through the courts. This sub-thread was prompted by someone saying that RH and Canonical should have chosen to prosecute or sue Microsoft. My point is that this is hardly a viable option if the suit would fail.

  9. Re:A bit over the top by occasional_dabbler · · Score: 3, Informative

    Utter f*cking rubbish. I just installed W8 preview alongside Ubuntu 12.04 (yes, a sweet combination, Ithankyou). Of course the Winstaller doesn't nicely search out the other OSs but it was a couple of clicks on a bootable Ubuntu CD to fix this.

    --
    "Our opponent is an alien starship packed with atomic bombs," I said. "we have a protractor"
  10. Re:A bit over the top by justforgetme · · Score: 3, Informative

    Ok, you see, this exactly is a problem. This isn't a monopoly abuse in the classical sense; it just is a move to establish the big enterprise at the cost of the smaller solutions. The thing is Microsoft paves the "way" to signed bootloaders in a way that is very unfriendly to homebrew since software can't (AFAIK) auto install its certs into the pre-boot process. This leaves two options: 1) manual installation of the certs by the end user, which isn't very straightforward and could even become impossible; 2) pre-installation of all available certs by the manufacturer (now guess for how many reasons manufacturers aren't going to auto install keys for all available linux/hurd/bsd distros, yep there are many).
    Which leaves independent guys that release some spin of some distro out of the game completely since they do not have the manpower to ring up all manufacturers and `demand` the inclusion of their signatures on the manuf's devices' uefi rom and makes it much more difficult for guys trying to do mobile device gnuxes hanging there not knowing how to actually respond.

    So yeah. It hasn't anything to do with monopoly or any other 80s board game. It's just the fat bully pushing around the nerds.

    --
    -- no sig today