It's official - Linux Foundation Secure Boot System Released

Can someone distill the implications here? I've got my own take, but it may be skewed as I don't really like being controlled...
-Renegade (February 09, 2013, 11:34 AM)
--- End quote ---

Distilled and in 25 words or less: I'm afraid your take is likely to be 100% correct. 8)
-40hz (February 09, 2013, 01:18 PM)
--- End quote ---

Sigh... That is NOT what I really wanted to hear... :( I was just hoping that someone who knows more about it than I do would show me that I was wrong.

So, why not just shim-secureboot the legacy OS? (Or "real-secureboot" it after installing the right keys in your firmware)? You can leave SB enabled, and boot both whatever-restricted Windows as well as whatever other OS you've installed keys for? Sure, it's more work than now, but it's doable.

As long as Microsoft sticks to the things they've promised, and outlined in their current Windows certification documents. And that ___is___ a big if, IMHO - and I don't take that for granted.
-f0dder (February 10, 2013, 01:07 AM)
--- End quote ---

Understood. And me neither btw. ;D

But what I am more concerned about is that this so called non-Microsoft non-Windows initiative is about as open as that other famous "open" standard (Java) that somehow never really was because Sun (and now Oracle) insisted on always keeping a very tight rein on it.

To my mind, if some bit of technology is truly "open" as advertised, then you don't have a situation where some animals on the farm are more equal than others like they were in George Orwell's story. But that's exactly what UEFI/SecureBoot is shaping up to be. You have two big players, a few small-time semi-players (who are mostly toadies and hangers-on looking to gain a marketing advantage) - with everybody else in the world being seen as "little people."


There's a very interesting analysis over on the BeginLinux blog that looks at UEFI and some of its implications in light of it being embraced to the exclusion of Coreboot - an open standard that provides the advantages of UEFI- but without the cruft - and more importantly, without enthroning Microsoft Corporation as its de facto gatekeeper.

I frequent the Reddit Linux page at, and I monitor what people have to say about the Free Software Foundation’s campaign against secure boot. The most common complaints that I see are as follows:

* Secure boot can be turned off on x86 machines, so why is it a problem?
* Why does the FSF complain about secure boot’s lockdown of ARM Windows RT devices when Apple and many Android phones do the exact same thing?
Both are very valid criticisms, so let me address them both. x86 PCs still maintain somewhere around 90% of the global PC market share. In contrast, Apple holds a minuscule share of the desktop PC market. If Apple decides to lock users of Apple computers out from controlling the computer’s firmware, the consumer has a lot of choices outside of Apple. Similarly, some Android phones come with locked bootloaders, but there are a lot of Android phones and tablets that have boot loaders that can be easily unlocked. In fact, any Nexus-branded Android device has an unlockable boot loader, by Google’s mandate. So again, the Android consumer has choices.

On the GNU/Linux side, secure boot will introduce confusion, and a set of two very bad choices. Choice A: secure boot is good technology from a security standpoint, but if I want to use GNU/Linux without being dependent on a Microsoft-signed key, I have to disable it. More on this later. Choice B: I can enable secure boot to get the security benefits, but I will have to depend on a key signed by Microsoft, and they can choose to disable that key at any time. If I make this choice, who is REALLY in control of my PC?

Now back to choice A. Think about who the biggest users of Windows 8 will be from a revenue standpoint: probably businesses. Businesses usually want to run the most secure option, so they will probably choose to enable secure boot by default. This scenario discourages them from running GNU/Linux, Windows 7 or earlier, or any alternative operating system. I think that this is the whole point. Secure boot pushes the user in the direction of a Windows 8 choice. This is an abuse of market position, and it is anti-competitive. It is also clearly wrong.

The fact that secure boot can be turned off is not a valid counter argument. It demotes the GNU/Linux user to an inferior status: either they have to settle for a crippled system where innate security capabilities of that system are disabled, or they are left in a position of dependency on a Microsoft key. Either scenario is sub-optimal. Right now, Linux has an incredibly good reputation for security. Here is the reputation that Linux will end up getting: “Linux is the operating system that you have to turn off security to install.” This is not an accurate statement, but this is how memes start: non-technical people talking about technical topics. “Turn off secure boot” becomes “turn off security”. “Linux is secure” becomes “Linux is insecure”. Certainty becomes uncertainty. The confidence of being able to install whatever you want to gives way to confusion. This confusion can only be fully resolved by sticking to one dominant vendor [4].

If security was really the primary concern when the need to replace BIOS was being investigated, then coreboot was available, it was free, and it was open source. Why in the world would anyone have thought that UEFI/secure boot was a better solution? I’d like you to please give this question more thought AFTER you read Table 1 below.
--- End quote ---

Read the rest of the article here.

Those not familiar with Coreboot who wish to learn more about it (or bootloaders in general) can check out this uber-geek video presentation which goes into it in depth. Wikipedia also has a decent summary article on it here.


Coreboot, formerly known as LinuxBIOS, was originally started in 1999 to complement LOBOS [2] (Linux OS Boots OS) as part of an effort to move away from inscrutable and inflexible proprietary BIOS firmware used in clusters at high-security government research labs. However, coreboot took on a life of its own and quickly overcame many obstacles thanks to the help of a friendly and knowledgeable open source community. This talk will give an overview of coreboot, what it is capable of, what it is incapable of, and what makes it different from the traditional PC BIOS and EFI. We'll focus on developments in version 3 which cleans up the development model substantially, has much improved ACPI and SMI support, usage of the Linux kernel build system to build coreboot, new ways to boot locally and over a network, do some demos, and more!
--- End quote ---

This project is still active despite being widely unknown to most Linux desktop users. Hopefully, with the advent of UEFI/SecureBoot, it will gain significantly more exposure and presence in the coming year.

@40hz - Thanks for that. I'll watch the video after it downloads and I have time.

On the GNU/Linux side, secure boot will introduce confusion, and a set of two very bad choices. Choice A: secure boot is good technology from a security standpoint, but if I want to use GNU/Linux without being dependent on a Microsoft-signed key, I have to disable it.
-40hz (February 10, 2013, 09:49 AM)
--- End quote ---
...or enroll your own key in the firmware.

On the GNU/Linux side, secure boot will introduce confusion, and a set of two very bad choices. Choice A: secure boot is good technology from a security standpoint, but if I want to use GNU/Linux without being dependent on a Microsoft-signed key, I have to disable it.
-40hz (February 10, 2013, 09:49 AM)
--- End quote ---
...or enroll your own key in the firmware.

-f0dder (February 10, 2013, 10:35 AM)
--- End quote ---

@f0dder - Sure. But let's forget for a moment that the vast majority of PC users must easily know as much about computer systems and programming as you do. :P Let's think for a minute about the tiny minority who just know enough to boot the thing and use it...(kidding!)

See what I'm saying? I'm still confused about some of this and I'm not exactly an amateur when it comes to either Linux or Windows. And you would probably blow my doors off on most of this when it comes to the real hardcore tech - yet even you still have questions.

No big deal? We can work around it? Yeah. We can - and probably will - so all's well and fine.

But that's us.

Microsoft and all the other participants in the "fence in the platform" crowd don't care about us. They're targeting the millions with their new vision. They don't need to worry about the likes of us because we can only use what they make. And if they get to make things the way they want, there will no longer be a platform you can truly make your own.

In many respects it will become much like the old phone systems. One legal provider. One type of service. One manufacturer. With the customer free to do anything they want - provided it's sanctioned by and purchased from those who have been authorized to provide it.

And once that happens, innovation will die because they'll use paranoia and ignorance to have governments outlaw anything that deviates from their model. All in the name of "security," "anti-terrorism" and "legal use."

It used to be a criminal offense in the US to plug any device into the phone system that wasn't manufactured by the phone system. And the US phone system remained a study in archaic 30s technology until that ban was lifted. In very short order we got touch tone dialing, a huge number of telephone styles with all sorts of features, lower costs, direct long distance service, and all the rest when 'Ma Bell' no longer had a stranglehold on US telecommunications.
But that never would have happened if the Bell System continued to be allowed to hold back technology and innovation in order to milk as much revenue as possible out of what they already had. You see it today with data caps on bandwidth. A few entrenched suppliers with monopolies continue to prop up an old revenue model that makes no sense with what we have today.

I once heard a phone company person admit that it probably cost his company more to monitor telephone use and bill for it than it would for them to just charge everybody a flat monthly fee per demarc point and allow unlimited use.

When I asked him why they didn't, he said it was because the government would prefer that they didn't. Apparently my government relies very heavily on the surveillance and monitoring possibilities that a detailed phone bill can provide. And in the USA, they don't need a warrant to look at one.

So there are bigger factors at play behind some of this direction the new PC design is going in... And it's not mere paranoia or "FUD swallowing" should you start noticing it...

