"Secure Boot" and free software

Interesting, long post on how the hell Linux vendors make their product work now that MICROS~1 has enabled BIOS DRM.

(The tl;dr version: running a custom kernel on modern hardware just became rocket surgery.)

Fedora 18 will be released at around the same time as Windows 8, and as previously discussed all Windows 8 hardware will be shipping with secure boot enabled by default.

Most hardware you'll be able to buy towards the end of the year will be Windows 8 certified. That means that it'll be carrying a set of secure boot keys, and if it comes with Windows 8 pre-installed then secure boot will be enabled by default. This set of keys isn't absolutely fixed and will probably vary between manufacturers, but anything with a Windows logo will carry the Microsoft key. [...]

Secure boot is built on the idea that all code that can touch the hardware directly is trusted, and any untrusted code must go through the trusted code. This can be circumvented if users can execute arbitrary code in the kernel. So, we'll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality. The most obvious example is that it won't be possible to access PCI regions directly from userspace, which means all graphics cards will need kernel drivers. Userspace modesetting will be a thing of the past. Signed modules are obviously troubling from a user perspective. We'll be signing all the drivers that we ship, but what about out of tree drivers? We don't have a good answer for that yet. [...]

If I take a signed Linux bootloader and then use it to boot something that looks like an unsigned Linux kernel, I've instead potentially just booted a piece of malware. And if that malware can attack Windows then the signed Linux bootloader is no longer just a signed Linux bootloader, it's a signed Windows malware launcher and that's the kind of thing that results in that bootloader being added to the list of blacklisted binaries and suddenly your signed Linux bootloader isn't even a signed Linux bootloader. So kernels need to be signed.

Tags: , , , , ,

18 Responses:

  1. Piku says:

    Coming soon to DealExtreme and eBay - "Windows 8 PC unlock bios security bootloader jailbreak drm chip".

    And the witless idiots will still find out ways to install malware on their computers.

    Think I'll stick with my Mac, at least I accepted at purchase the fact I'm mostly renting the user experience and have little control over it.

    • Barry Kelly says:

      Been using Windows since 94. Last virus / malware, also 94; it was a DOS boot sector virus.

      If you don't have ADHD and can resist click compulsion, Windows security isn't so bad.

      • Chas. Owens says:

        Correction, last virus / malware you know about. Unless you have a some form of intrusion detection kit running all the time storing its data on a separate server (preferably to a media that cannot be changed), you could have been compromised and be unaware of the problem, and even that is susceptible to blue pill style attacks.

        • Barry Kelly says:

          True, and I could also be living in a simulation along the lines of Bostrom's hypothesis. But it is unlikely; I've never had a positive match on a rootkit detector, and I log all internet traffic on a separate box (I don't run P2P software from my main machine - odd IPs and strange traffic stands out).

      • Hex says:

        I may have to quote that last sentence from time to time. Well put.

  2. Chas. Owens says:

    …Microsoft [has] modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys…

    Bah, I say. Installing Linux has always involved at least a trivial amount of reading and finding strange options to tweak even in the best of times. A simple firmware setting is not so hard to change.

    • Hub says:

      You must not have done that in a while. Last time I installed a Linux from scratch, ie last year, all I had to do was boot the installer, which only involve choosing a different boot device.

      What Microsoft is doing is just making things more complicated, like it is not enough that we have to pay the Microsoft tax to get decent (read laptops) hardware.

      • Chas. Owens says:

        It happened within the last few days with the latest version of Ubuntu. The culprit this time was the video card; I had to enable the third-party drivers to get it to work correctly. It was a trivial little task for me, but I rate it at least as hard as setting a firmware option.

        Unless you are buying the hardware with Linux already on it, there is often a bit of tweaking you still have to do to get it to work right and the tweaking is probably not obvious to a newbie user (note: this holds true for MS Windows as well).

        • phuzz says:

          Did you have a problem with integrated nVidia drivers by any chance? Me too :(
          I swear I've had more problems caused by updates in Ubuntu than I have with Windows updates in the last few years.

          Back on topic, while a signed kernel will be helpful in Windows, most people keep their data in userspace, so apart from malware having a harder time installing it's self deep into the system, I can see malware writers moving more towards pwning browsers etc. rather than OSs

  3. Adam says:

    Good thing malware's never been digital signed by legit certificates before.

  4. Nathan Roberts says:

    This bullshit is going to make it even harder for me to fix people's computer/rescue data using things like Knoppix/UBCD/etc isn't it?

    • Vincent says:

      No, because your knoppix cd will most likely have a signed bootloader.

      • And how exactly will Knoppix have aquired that? What if I want to build that CD/stick image myself?

        I can't tell whether Fedoras decision to build a full lockdown signing chain is because they think it's a good idea, or whether they think they need to do that to continue to be able to sign the bootloader, but the end result is the same: buy your binaries from an approved vendor, or get stuffed. No more compiling your own kernel.

        (And yes I realize the current plan is that you can fork over $100 and get a signing key yourself. Nobody except for a couple of hardcode geeks will be willing to do that, and rightly so. And yes, right now it seems you can disable SecureBoot, but for how long will that continue to be the case? Why as a systems/BIOS vendor bother with the option?

        I have little love for the GPL (BSD guy myself), but it's not because the dangers it's trying to address aren't there...

    • Ben Morrow says:

      You say that as though it's a bad thing. AFAICS, anything which makes it easier for me to get to the point where my better judgement says 'sorry, no, I really can't help you with that' is a net win…

    • John Morton says:

      Just boot into "disable Secure Boot"/developer mode. You probably have to go into the bios to boot the rescue media if the bios doesn't have a boot selector option.

  5. Angelo says:

    sigh just when I thought the culture in the U.S. was making some tiny progress in expecting phones to be unlocked, they're now moving to lock all devices.

  6. Tom Novelli says:

    Consumer IT hardware is going down the tubes... over the next few years I'm looking to DIY hardware (eg. Raspberry Pi) to fill the gap. Meanwhile, when my clients need new computers, I may have to avoid Dell etc, and order separate components... assembly takes less time than searching for an acceptable pre-built machine. BTW, these are small offices running mostly XP, just adding Win7 in the past year... they can't be bothered with Win8 for a few years. It would be just as disruptive to them as switching to Mac, Linux, BSD.

  7. Alex says:

    How, exactly, does Fedora plan to get around the fact that GRUB 2 is licensed under GPL 3+, which contains provisions forbidding "tivoization"? If they plan on distributing signed GRUB 2 binaries, they must not only provide source code for their modifications but also everything else needed to turn that source into a working binary, i.e. their signing keys.