UEFI secure boot and Linux

The place for chatting and discussing subjects unrelated to Wesnoth.

Moderator: Forum Moderators

Post Reply
Naron
Posts: 166
Joined: August 22nd, 2012, 1:25 pm
Location: Romania

UEFI secure boot and Linux

Post by Naron »

I recently read an article that says that Windows 10 will require Secure Boot enabled and the possibility of deactivation is left to the OEM manufacturers.
If they decide that you can not disable Secure Boot, you can not install Linux or any other alternative OS. It is very sad for me, because it seems a deliberate limitation of user's rights. They should not dictate what I install on my system. The personal computer is not personal anymore.

Perhaps I exaggerate ... or maybe we're heading towards an Orwellian society.
Thoughts?
User avatar
iceiceice
Posts: 1056
Joined: August 23rd, 2013, 2:10 am

Re: UEFI secure boot and Linux

Post by iceiceice »

Sounds pretty ambiguous to me.

For some customers, like if you are Sony for instance, maybe you care only about not getting rooted, and then this is probably a desirable feature.

I think it comes down to who is "authorized". If "authorized" is a free and open system and legitimate competitors can all get authorized, then its probably a good thing. If not I guess it's probably anticompetitive. Maybe microsoft will get sued again.
Naron
Posts: 166
Joined: August 22nd, 2012, 1:25 pm
Location: Romania

Re: UEFI secure boot and Linux

Post by Naron »

What I wanted to say is that everything becomes more restrictive. For Windows 8, Microsoft requested that Secure Boot is activated and the user be able to disable SB, if desired.
But for Windows 10, Microsoft requires that Secure Boot to be activated, and the OEMs can choose to implement the on/off switch for the feature or not.
This "small" difference is what worries me.
And it seems to me abnormal the fact that in order to install another OS, you must ask for a digital certificate from Microsoft. Why do I need permission from Microsoft for this?
User avatar
nuorc
Forum Regular
Posts: 582
Joined: September 3rd, 2009, 2:25 pm
Location: Barag Gor

Re: UEFI secure boot and Linux

Post by nuorc »

Naron wrote:Perhaps I exaggerate ... or maybe we're heading towards an Orwellian society.
Thoughts?
I read that it's basically the NSA's TPM being white-washed. And that it means you can't flash your bios. And that the NSA has bios backdoors. And the decision if you are able to flash the bios or install linux will be made by Dell, HP, Lenovo... And since their machines came with a lot of crapware, one should maybe judge it by that.
I have a cunning plan.
User avatar
lipk
Posts: 637
Joined: July 18th, 2011, 1:42 pm

Re: UEFI secure boot and Linux

Post by lipk »

So Microsoft is becoming more restrictive by NOT requiring manufacturers to implement certain features in their products? Scandalous power abuse! :P
User avatar
Iris
Site Administrator
Posts: 6797
Joined: November 14th, 2006, 5:54 pm
Location: Chile
Contact:

Re: UEFI secure boot and Linux

Post by Iris »

lipk wrote:So Microsoft is becoming more restrictive by NOT requiring manufacturers to implement certain features in their products? Scandalous power abuse! :P
I don’t think this is about Microsoft becoming restrictive, but rather about allowing OEMs to do as they want when they are historically known to not care enough about supporting non-Microsoft operating systems.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
User avatar
iceiceice
Posts: 1056
Joined: August 23rd, 2013, 2:10 am

Re: UEFI secure boot and Linux

Post by iceiceice »

I will say, having some sort of validation process for OS's is one thing, I mean that is a legitimate security worry.
However, if the keys are not in the hand of the user, but in the hands of Microsoft or even the OEM manufacturer, that seems broken.

I guess I would draw an analogy between this, and the common practice of car manufacturers, and Apple for that matter, to put custom screws in their product so that you can't use a phillips or flathead screwdriver to open them up, and have to use a crazy "triangle" screwdriver (or similar) which you either must purchase separately, or which is only available to dealerships.

These practices are not considered illegal currently, just annoying and cheesy, but in my opinion it would be a good thing if they were illegal. They are anti-competitive in my opinion.
User avatar
lipk
Posts: 637
Joined: July 18th, 2011, 1:42 pm

Re: UEFI secure boot and Linux

Post by lipk »

I don’t think this is about Microsoft becoming restrictive, but rather about allowing OEMs to do as they want when they are historically known to not care enough about supporting non-Microsoft operating systems.
Well, they already provide approximately zero support for everything different than Windows, but simply allowing them on their hardware is an entirely different matter. It doesn't require any effort on their part and I can't see why they wouldn't do it.
However, if the keys are not in the hand of the user, but in the hands of Microsoft or even the OEM manufacturer, that seems broken.
If by 'key' you mean the possibility to turn Secure Boot off, then I agree entirely, however in this case the system didn't become any more broken than it was by passing the decision to the OEMs. It should be the lawmakers' job to guarantee free and fair competition, not Microsoft's. If you literally mean the RSA keys, I'm interested in whose hands would you like to see them? Should we all sign our bootloaders with our own keys or what?
User avatar
Elvish_Hunter
Posts: 1575
Joined: September 4th, 2009, 2:39 pm
Location: Lintanir Forest...

Re: UEFI secure boot and Linux

Post by Elvish_Hunter »

iceiceice wrote:I guess I would draw an analogy between this, and the common practice of car manufacturers, and Apple for that matter, to put custom screws in their product so that you can't use a phillips or flathead screwdriver to open them up, and have to use a crazy "triangle" screwdriver (or similar) which you either must purchase separately, or which is only available to dealerships.
However, there's a difference: one can easily get such kind of screwdrivers on eBay, but one can't so easily get a modified BIOS...
iceiceice wrote:These practices are not considered illegal currently, just annoying and cheesy, but in my opinion it would be a good thing if they were illegal.
Maybe I'm wrong, but I seem to remember that EU laws allow users to refuse the license of an operating system and ask to have it refunded. I need to find some more infos, but if that's the case I guess that several manufacturers may end up getting sued.
Anyway, if every other computer will end up being locked in a way that I can't disable, probably I'll buy a Raspberry Pi 2 or some similar board - at least, these aren't locked. Not the best solution, I know, but what else can I do without involving lawyers?
Current maintainer of these add-ons, all on 1.16:
The Sojournings of Grog, Children of Dragons, A Rough Life, Wesnoth Lua Pack, The White Troll (co-author)
Naron
Posts: 166
Joined: August 22nd, 2012, 1:25 pm
Location: Romania

Re: UEFI secure boot and Linux

Post by Naron »

shadowm wrote:
lipk wrote:So Microsoft is becoming more restrictive by NOT requiring manufacturers to implement certain features in their products? Scandalous power abuse! :P
I don’t think this is about Microsoft becoming restrictive, but rather about allowing OEMs to do as they want when they are historically known to not care enough about supporting non-Microsoft operating systems.
Exactly that's the problem. Microsoft could force the OEMs to not implement the on/off switch. Of course, unofficially. Maybe it's exaggerated, but given Microsoft's history, it is possible. In response, maybe the open-source movement will develop an open hardware that will run any OS.
Time will show how things will evolve. I hope that everything will be fine, but somehow I doubt it.
User avatar
iceiceice
Posts: 1056
Joined: August 23rd, 2013, 2:10 am

Re: UEFI secure boot and Linux

Post by iceiceice »

lipk wrote:If by 'key' you mean the possibility to turn Secure Boot off, then I agree entirely, however in this case the system didn't become any more broken than it was by passing the decision to the OEMs. It should be the lawmakers' job to guarantee free and fair competition, not Microsoft's. If you literally mean the RSA keys, I'm interested in whose hands would you like to see them? Should we all sign our bootloaders with our own keys or what?
Sure, we should be free to do so if we want.

Normally, if I buy a house or a car, I'm free to go to a locksmith and get new keys made. I shouldn't need to consult the contractor who built the house to do this, and it's not like he should have keys to my house forever either.

I guess that this is part of UEFI:
http://en.wikipedia.org/wiki/Unified_Ex ... ecure_boot
wikipedia wrote: Additional "Key Exchange Keys" (KEK) can be added to a database stored in memory to allow other certificates to be used, but they must still have a connection to the private portion of the Platform key. Secure boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.
wikipedia wrote: Other developers raised concerns about the legal and practical issues of implementing support for secure boot on Linux systems in general. Former Red Hat developer Matthew Garrett noted that conditions in the GNU General Public License version 3 may prevent the use of the GRUB bootloader without a distribution's developer disclosing the private key (however, the Free Software Foundation has since clarified its position, assuring that the responsibility to make keys available was held by the hardware manufacturer),[67] and that it would also be difficult for advanced users to build custom kernels that could function with secure boot enabled without self-signing them.[90] Other developers suggested that signed builds of Linux with another key could be provided, but noted that it would be difficult to persuade OEMs to ship their computers with the required key alongside the Microsoft key.[3]
If you can't use your own signed keys or publicly available signed keys, only the keys that came with the device, that sounds pretty broken to me, and it seems to be the whole issue -- whether "configuration" and "custom mode" should be possible or not.
Elvish Hunter wrote: I know, but what else can I do without involving lawyers?
I doubt that you won't be able to find normal hardware that can run linux. Linux has too much marketshare to just be abandoned by all major manufacturers, I think. Maybe many or most of them, but not all of them.
Naron wrote: I hope that everything will be fine, but somehow I doubt it.
https://www.youtube.com/watch?v=zaGUr6wzyT8
User avatar
Crow_T
Posts: 851
Joined: February 24th, 2011, 4:20 am

Re: UEFI secure boot and Linux

Post by Crow_T »

I always assumed this place was full of computer nerds- who buys brand name gear when it's so much more rewarding to get a custom rig :geek: :lol:

Sooner or later someone will figure out a way to bypass the lock out I'm sure, it's only code after all.
User avatar
Iris
Site Administrator
Posts: 6797
Joined: November 14th, 2006, 5:54 pm
Location: Chile
Contact:

Re: UEFI secure boot and Linux

Post by Iris »

Naron wrote:Exactly that's the problem. Microsoft could force the OEMs to not implement the on/off switch. Of course, unofficially. Maybe it's exaggerated, but given Microsoft's history, it is possible. In response, maybe the open-source movement will develop an open hardware that will run any OS.
I probably should rephrase my statement above. As I understand it, this is not about Microsoft forbidding anything, but rather about not forcing OEMs to allow disabling secure boot. I don’t think Microsoft could possibly get away with forbidding the option to disable secure boot, given its track record in U.S. and European courts. However, if OEMs are not required to provide the option to disable secure boot, it’s not too unlikely that they won’t provide it at all. They are known to be lazy when it comes to supporting other operating systems at the firmware level, which is why e.g. ACPI support on Linux is a nightmare — a large number of systems out there are designed specifically for compatibility with Windows and require workarounds integrated in the Linux kernel or custom (unsupported) patched firmware to work fully or correctly.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
User avatar
iceiceice
Posts: 1056
Joined: August 23rd, 2013, 2:10 am

Re: UEFI secure boot and Linux

Post by iceiceice »

It depends also on how much of an influence Microsoft has had on the various OEM's decisions.

I don't think courts would look at OEMs, just out of the blue, deciding to lock out all non-Microsoft OS's as just a happy accident for Microsoft. The last time Microsoft was sued, it was found that they colluded illegally with Intel and others to try to make their products only interoperate with one another and box out their respective competitors. So if there's another lawsuit it might play out the same way -- I don't think the "it's not Microsoft doing it, it's the OEMs" line of argument would necessarily be persuasive. If there's any kind of collaboration or exchange I think it could be illegal. (Not a lawyer.)
User avatar
Pentarctagon
Project Manager
Posts: 5527
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Re: UEFI secure boot and Linux

Post by Pentarctagon »

I don't know about here in the US, but I could see Microsoft getting sued in the EU again, since they previously sued them over having only IE pre-installed with Windows.
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code
Post Reply