Slashdot Mirror

← Back to Stories (view on slashdot.org)

Free Software Foundation Campaigning To Stop UEFI SecureBoot

Posted by timothy on from the no-one-will-ever-name-a-child-uefi dept.

hypnosec writes "The Free Software Foundation is on an offensive against restricted boot systems and is busy appealing for donations and pledge in the form of signatures in a bid to stop systems such as the UEFI SecureBoot from being adopted on a large-scale basis and becoming a norm in the future. The FSF, through an appeal on its website, is requesting users to sign a pledge titled 'Stand up for your freedom to install free software' that they won't be purchasing or recommending for purchase any such system that is SecureBoot enabled or some other form of restricted boot techniques. The FSF has managed to receive, as of this writing, over 41,000 signatures. Organizations like the Debian, Edoceo, Zando, Wreathe and many others have also showed their support for the campaign."

3 of 355 comments (clear)

  1. Secure Boot is just a waste and fixes no problem. by VortexCortex · · Score: 5, Interesting

    Let's put on our thinking caps folks. Return Oriented Programing is an exploit engineering technique that uses the existing signed and/or encrypted code to create the exploit code. That means Secure Boot is defenseless to stop this type of exploit. If the application or OS code has mistakes in it then a function pointer on the stack, or in the heap (read/write memory) can be overwritten and be used by exploits via return oriented programming, and SecureBoot won't help one bit -- The code that's running is signed and/or encrypted. So if the Application or OS code isn't secure (which it won't be) then SecureBoot is pointless. What that? It won't be able to infect a boot sector? Well, if you've got malicious code running on your system then there exists an exploit vector that cane simply be re-exploited next time you boot up. See? Pointless.

    Ah, but what if the Application and OS code could be written to be secure against stack smashing and undesired code pointer manipulations? Well then, there wouldn't be any exploit vectors that you needed SecureBoot to protect you against. See? Pointless.

    Well, I say "Pointless", but what I mean is useless from an end user perspective. I don't mean to gloss over the only real use SecureBoot has: To prevent you from installing your own OSs and Applications, and having control over your own computers.

  2. Re:Grub? by cheesybagel · · Score: 5, Interesting

    What Ubuntu did was very unsatisfactory. You still cannot easily compile your own kernel. What that ex-RedHat guy did was a lot better since you can load anything you want as long as you confirm your choice on boot.

    Here is what RMS should be doing instead of this petition which is going to get nowhere:

    1. Restart work on coreboot
    2. Make coreboot work with Windows and Linux as is
    3. Convince more motherboard manufacturers to support coreboot
    4. Ask Linux users on install if they want to backup their old BIOS and install coreboot as their default BIOS

  3. We, the FSF, like Secure Boot by gnujoshua · · Score: 5, Interesting

    This post is a little misleading. We think Secure Boot is OK so long as computer makers implement it in a way that it still allows a user to control his or her own computer. What we don't want computer makers to do is implement UEFI in such a way that a user is unable to sign their own software (e.g. bootloader) AND they are unable to turn Secure Boot off -- we call such an implementation Restricted Boot (because we want to emphasize that it instead of providing security, it exists to restrict a user from controlling his or her own device). We hope that computer makers will choose to implement UEFI in a way that truly does provide security and control, and many are implementing Secure Boot in this way.

    Joshua Gay
    Licensing & Compliance Manager
    Free Software Foundation