Linux Foundation Comes Up With SecureBoot Plan

[phoronix]

Phoronix: Linux Foundation Comes Up With SecureBoot Plan

The Linux Foundation has shared their plan for how they intend to deal with UEFI SecureBoot for running Linux on PCs that have this Microsoft-pushed feature for trying to secure the system boot process...

http://www.phoronix.com/vr.php?view=MTIwNDM

[zigfreed]

Well if Microsoft wasn't going to create the equivalence of the UAC bootloader, then someone else will.

So is there a provider of coreboot motherboards & laptops or is this still a pipe dream?

[schmidtbag]

Great idea, I actually had one similar, but how do they expect to get this from microsoft? That would be like a prisoner asking a guard if they can have a spare key. I thought one of the driving reasons of SecureBoot was specifically to prevent linux from booting on certain devices. Microsoft isn't obligated to give this information away, however, the hardware companies that ship secureboot on their devices are. THEY are the ones that should be giving the linux foundation keys to use. Isn't it illegal for hardware to intentionally restrict what OS can run on it?

[mark45]

Great idea, I actually had one similar, but how do they expect to get this from microsoft? That would be like a prisoner asking a guard if they can have a spare key. I thought one of the driving reasons of SecureBoot was specifically to prevent linux from booting on certain devices. Microsoft isn't obligated to give this information away, however, the hardware companies that ship secureboot on their devices are. THEY are the ones that should be giving the linux foundation keys to use. Isn't it illegal for hardware to intentionally restrict what OS can run on it?

Yes, Microsoft won't just give it out with no strings attached, secureboot was explicitly designed against threats like Linux using the false security bafflegab as an excuse, just like software patents are used to destroy competition with the formal excuse of IP protection.

[deanjo]

Isn't it illegal for hardware to intentionally restrict what OS can run on it?

Grey area. There are literally thousands of devices out there that limit what can and cannot run on the hardware. Game consoles are a perfect example of this, particularly the PS3 where the courts decided not only is it legal to do so but Sony also had the right to remove once advertised capability. They also restrict what applications can run on their systems.

[schmidtbag]

Grey area. There are literally thousands of devices out there that limit what can and cannot run on the hardware. Game consoles are a perfect example of this, particularly the PS3 where the courts decided not only is it legal to do so but Sony also had the right to remove once advertised capability. They also restrict what applications can run on their systems.

Well, that's a little different. First of all, consoles are very different from PCs because they're systems with predetermined specific purposes. The hardware is hand picked and assembled to comply with those purposes. In a PC (including tablets), it's defined as personal for a reason, so you should be able to install whatever you want.

As for hardware manufacturers, I don't think the individual chip makers are allowed to say what is allowed to be run on their parts, and I don't think they honestly care either - if someone wants to buy their product to run [OS name] then that's just 1 more customer for them. So, I doubt IBM cares if their PPC processors are running linux, Mac, or some console OS, and I don't think they have any legal rights to put a restriction on if they did care.

[gamerk2]

Well, that's a little different. First of all, consoles are very different from PCs because they're systems with predetermined specific purposes. The hardware is hand picked and assembled to comply with those purposes. In a PC (including tablets), it's defined as personal for a reason, so you should be able to install whatever you want.

Devils advocate: How is the PS3 any different then a Mac?

[GreatEmerald]

Great idea, I actually had one similar, but how do they expect to get this from microsoft? That would be like a prisoner asking a guard if they can have a spare key. I thought one of the driving reasons of SecureBoot was specifically to prevent linux from booting on certain devices. Microsoft isn't obligated to give this information away, however, the hardware companies that ship secureboot on their devices are. THEY are the ones that should be giving the linux foundation keys to use. Isn't it illegal for hardware to intentionally restrict what OS can run on it?

The keys are provided by VeriSign, not Microsoft. And MS does not restrict who can get a key and who can't.

Of course, this plan invalidates most of the purpose of Secure Boot, but with Linux it's impossible to implement it in the first place. Unlike Microsoft, who can control everything that goes on on their closed and single OS, with all the variants of Linux it is just infeasible to implement Secure Boot without harming something in the process.

Well, that's a little different. First of all, consoles are very different from PCs because they're systems with predetermined specific purposes. The hardware is hand picked and assembled to comply with those purposes. In a PC (including tablets), it's defined as personal for a reason, so you should be able to install whatever you want.

Speaking about that, I still don't get why phones are usually locked down. Smartphones are now "PCs" too. Why do manufacturers insist on locking them down, what does that possibly achieve in the first place? The only sane justification that I can think of is that users can't brick their devices when it's locked down, but then the same applies on desktops. People are just smart enough to not do that if it's dangerous and they don't know what they're doing.

Also, are there any standard bootloader specifications for ARM devices? I'm still confused about why every phone needs an image specifically tailored to it (not counting device drivers). And why the device drivers can't be installed separately to begin with.

[schmidtbag]

The keys are provided by VeriSign, not Microsoft. And MS does not restrict who can get a key and who can't.

I'm sure you're right on that but then why does the Linux Foundation need to get this information from MS? Why not VeriSign?

[QUOTEOf course, this plan invalidates most of the purpose of Secure Boot, but with Linux it's impossible to implement it in the first place. Unlike Microsoft, who can control everything that goes on on their closed and single OS, with all the variants of Linux it is just infeasible to implement Secure Boot without harming something in the process.[/QUOTE]
I thought the same thing, that was one of the first thoughts that came to mind. It might not be as simple as we think though. For example, this could be a closed-source feature.

Speaking about that, I still don't get why phones are usually locked down. Smartphones are now "PCs" too. Why do manufacturers insist on locking them down, what does that possibly achieve in the first place? The only sane justification that I can think of is that users can't brick their devices when it's locked down, but then the same applies on desktops. People are just smart enough to not do that if it's dangerous and they don't know what they're doing.

That's a very good point, but I got the impression there wasn't such a restriction on (most) phones, that's why there's rooting/jailbreaking and guides on how to reinstall Android or WebOS on your own. Tablets get this same restriction, which I think is worse since they don't go much beyond wireless broadband.

Also, are there any standard bootloader specifications for ARM devices? I'm still confused about why every phone needs an image specifically tailored to it (not counting device drivers). And why the device drivers can't be installed separately to begin with.

Yes and no. With ARM, it seems to me every platform so far REQUIRES an SD card (or at least some form of built-in storage) that contains a FAT partition with a text file and some init files you may find in the /boot folder. This text file is a substitute of BIOS, probably because it makes phones more difficult to hack, and because ARM platforms outside of phones and tablets don't have a system battery, and therefore cannot store data in a CMOS. If these files are missing, the device is just a vegetable. Because of how they designed this, you can't just plug in a USB CD drive and use a standard installer. ARM doesn't use MBRs to my knowledge, so GRUB and LILO can be avoided altogether - the only reason you'd install them is if you dual boot, but IMO it's easier to just swap the SD card. Anyway, because linux installers currently don't create this FAT partition with the correct files (apparently the order they're written makes a difference too), and since the content of these files are often specific to the platform you're using, the next best thing is to have a pre-made image.

@gamerk2
Because PS3 is a gaming console (oh sorry, I mean "entertainment system") and Macs are technically PCs, even back when they used the PPC processors. As I was saying before, a device made for a specific purpose is a little different because you're not supposed to personalize it the way you want, you're supposed to use it for what it's advertised for.

[solo2101]

how will this affect custom PCs?