Secure boot and the future of Trisquel. Who will pay Microsoft?

18 replies [Last post]
t3g
t3g
Offline
Joined: 05/15/2011

I read today that RedHat will pay Microsofot to make sure their operating systems are able to boot with the upcoming Secure Boot that Microsoft may or may not require OEMs to have: http://www.geek.com/articles/news/redhat-will-pay-microsoft-to-ensure-fedora-18-runs-on-windows-8-pcs-2012061/

With this in mind, it would suck if operating systems will require payment to Microsoft to be able to install with Secure Boot in place. How would this affect community distros like Debian, Slackware and Arch? If that is the case, would Canonical pay Microsoft for Ubuntu? I say this because Trisquel is based off of Ubuntu and their payment towards it would then hopefully affect Trisquel due to the shared code base.

I am aware that there are companies like Think Penguin and System76 that think about GNU/Linux support as their main concern, but Secure Boot affects the average consumer who buys a computer from a store or a retailer like Dell.

Let's just hope Stallman doesn't have another heart attack if this is the way of computing from now on.

Rick Hodgin
Offline
Joined: 05/13/2012

Exactly my thoughts. The only good news I read is RedHat's boot loader
will only load grub2, which can then be used to launch other free
operating systems, and not just RedHat's.

Still, Secure Boot will now be enabled by default on all devices, and
only a hidden setting turns it off.

Evil. Just evil.

The Freedombox project could surely use everybody's support who's
outraged by this. Google "freedombox" if you don't know about it. It's
a design to get a completely free software stack running on a tiny
server about the size of a cell phone, and for less than $50 when
complete. The idea is to have millions of these little servers running
outside the regular Internet.

Best regards,
Rick C. Hodgin

On 06/01/2012 12:49 PM, tegskywalker [at] hotmail [dot] com wrote:
> I read today that RedHat will pay Microsofot to make sure their
> operating systems are able to boot with the upcoming Secure Boot that
> Microsoft may or may not require OEMs to have:
> http://www.geek.com/articles/news/redhat-will-pay-microsoft-to-ensure-fedora-18-runs-on-windows-8-pcs-2012061/
>
> With this in mind, it would suck if operating systems will require
> payment to Microsoft to be able to install with Secure Boot in place.
> How would this affect community distros like Debian, Slackware and
> Arch? If that is the case, would Canonical pay Microsoft for Ubuntu? I
> say this because Trisquel is based off of Ubuntu and their payment
> towards it would then hopefully affect Trisquel due to the shared code
> base.
>
> I am aware that there are companies like Think Penguin and System76
> that think about GNU/Linux support as their main concern, but Secure
> Boot affects the average consumer who buys a computer from a store or
> a retailer like Dell.
>
> Let's just hope Stallman doesn't have another heart attack if this is
> the way of computing from now on.
>

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I actually hope no other GNU/Linux distribution will sign pacts with Microsoft to merely be able to boot their system. If Canonical follows Red Hat (and, I believe Novell) then manufacturers will keep on satisfying Microsoft's demands (against discounts on the Windows licenses I guess) and we will be screwed. Notice in particular than, as far as I understand, you cannot modify the kernel and still be able to boot it. Freedom 1 is under attacked.

Notice that rms did not have any heart attack.

leny2010

I am a member!

Offline
Joined: 09/15/2011

Please stop feeding the Troll.

t3g
t3g
Offline
Joined: 05/15/2011

I'm not trolling. Just thought I should relay some important news.

miga
Offline
Joined: 09/17/2011

I really hope that computers that aren't "Windows 8 certified" such as those that are custom built (either by yourself or a company, choosing your own components and making a PC out of it) don't have Secure Boot. As long as that's the case, I can deal with that since I only build my own computers.

Chris

I am a member!

Offline
Joined: 04/23/2011

It sounds unlikely any system will be without this 'feature' should the industry adopt it. It's like the non-free BIOS now. Nobody caters to GNU/Linux because users don't demand freedom/compatibility. The people who buy such hardware are almost entirely doing so because they made bad decisions in the first place (replacement pieces/systems).

leny2010

I am a member!

Offline
Joined: 09/15/2011

On 02/06/12 14:15, chris [at] thinkpenguin [dot] com wrote:
> It sounds unlikely any system will be without this feature should the
> industry adopt it. It's like the non-free BIOS now. Nobody caters to
> GNU/Linux because users don't demand freedom/compatibility. The people
> who buy such hardware are almost entirely doing so because they made bad
> decisions in the first place (replacement pieces/systems).

As Professor Anderson of Cambridge University pointed out last September
Microsoft would fall foul of EU monopoly law if they cooked Windows 8
Logo requirements so as to cut out GNU/Linux.

In January it transpired Microsoft are doing the opposite with x86 logo
requirements, they're insisting GNU/Linux boot must be possible. But
they're locking ARM PCs.

In March I posted here a summary of a letter from my MEP / European
Deputy where at my prompting she has asked the European Commission to
consider if even locking ARM PCs is a violation of European Law.

See it all on my home page.

http://andrewlindley.co.uk/

The FSFE is right, the _general_ practice of producing restricted boot
computers has to fought or we're limited to jailbreaking new devices on
a case by case basis and general purpose computing devices are under
threat.

But as far as 'Secure Boot' goes, I repeat YHBT.

--
With computer technology we're building a world where Orwell's 1984
could be a childhood fantasy akin to Santa Claus. What makes you
think software without ethics is tenable?
http://www.gnu.org/philosophy/free-sw.html

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

Although you have to consider not all of us live in the EU.

Either way I would believe Trisquel's position is in line with the FSF's position on "Secure Boot"

leny2010

I am a member!

Offline
Joined: 09/15/2011

On 02/06/12 22:55, sirgrant [at] member [dot] fsf [dot] org wrote:
> Although you have to consider not all of us live in the EU.

The Dec 2011 Microsoft document that Glynn Moody links and quotes as
stating that Microsoft mandate user UEFI Restricted Boot override for
non-ARM processors is in the en-US part of msdn.microsoft.com . Almost
certainly international.

>
> Either way I would believe Trisquel's position is in line with the
> [https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/ FSF's
> position on "Secure Boot"]

Yes, I signed that petition when it started. It's Oct 2011 and may have
been the first I heard of the issue, I really can't remember. I would
encourage people to sign it if they haven't already. However, events
have moved on. For all we know the start of that campaign may have been
what triggered the Dec 2011 document release.

I am of course, just speaking for myself. The 'member' badge is a small
reward for paying money to support Trisquel. It doesn't make what I say
any more special than anybody else.
--
With computer technology we're building a world where Orwell's 1984
could be a childhood fantasy akin to Santa Claus. What makes you
think software without ethics is tenable?
http://www.gnu.org/philosophy/free-sw.html

Chris

I am a member!

Offline
Joined: 04/23/2011

I don't get how this is suppose to fix/secure anything. If it ultimately loads grub2 where is the security benefit? The infection point just changes.

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

> I don't get how this is suppose to fix/secure anything. If it
> ultimately loads grub2 where is the security benefit? The infection
> point just changes.

It loads a restricted grub2 which cannot load its modules and which
loads only signed kernels. So it is theoretically secure. The only
"problem" would be a bug in one of many complex signed programs or the
firmware used allowing changing it.

leny2010

I am a member!

Offline
Joined: 09/15/2011

As Professor Anderson of Cambridge University pointed out last September
Microsoft would fall foul of EU monopoly law if they cooked Windows 8
Logo requirements so as to cut out GNU/Linux.

In January it transpired Microsoft are doing the opposite with x86 logo
requirements, they're insisting GNU/Linux boot must be possible. But
they're locking ARM PCs.

In March I posted here a summary of a letter from my MEP / European
Deputy where at my prompting she has asked the European Commission to
consider if even locking ARM PCs is a violation of European Law.

See it all on my home page.

http://andrewlindley.co.uk/

The FSFE is right, the _general_ practice of producing restricted boot
computers has to fought or we're limited to jailbreaking new devices on
a case by case basis and general purpose computing devices are under
threat.

But as far as 'Secure Boot' goes, I repeat YHBT. Go back and read the article the Troll linked and what was said here - you'll find they're on different things.

t3g
t3g
Offline
Joined: 05/15/2011

I apologize for going too far with word choices in regard to leny and exposing others on this forum to vulgar language. With that in mind, I still think he needs to keep his envy towards me to himself as his venting of personal demons doesn't benefit anyone.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

It looks like the money to get a cryptographic key signed is both moderate US$ 99 (to sign as many binaries as you want) and not going to Microsoft but to Verisign: http://mjg59.dreamwidth.org/12368.html

It may be a good solution in the end.

Dave_Hunt

I am a member!

Offline
Joined: 09/19/2011

Would people who build their own kernels have to buy their own keys?
I'd guess the key used to sign the stock Trisquel, for instance, image
wouldn't work with any image of a kernel with patches applied, parts
removed, etc?

-Dave

On 06/04/2012 01:17 PM, magicbanana [at] gmail [dot] com wrote:
> It looks like the money to get a cryptographic key signed is both
> moderate US$ 99 (to sign as many binaries as you want) and not going to
> Microsoft but to Verisign: http://mjg59.dreamwidth.org/12368.html
>
> It may be a good solution in the end.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

The answer is in the article I pointed to:
A lot of our users want to build their own kernels. Some even want to build their own distributions. Signing our bootloader and kernel is an impediment to that. We'll be providing all the tools we use for signing our binaries, but for obvious reasons we can't hand out our keys. There's three approaches here. The first is for a user to generate their own key and enrol it in their system firmware. We'll trust anything that's signed with a key that's present in the firmware. The second is to rebuild the shim loader with their own key installed and then pay $99 and sign that with Microsoft. That means that they'll be able to give copies to anyone else and let them install it without any fiddling. The third is to just disable secure boot entirely, at which point the machine should return to granting the same set of freedoms as it currently does.

teodorescup

I am a member!

Offline
Joined: 01/04/2011

Dose anybody know why the BIOS is no longer put on a ROM ?

From what I saw, the Secure Boot justification from Microsoft is sharing basically the same problem with the FSF's need of free BIOS, which is that the BIOS is not read only.

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

> Dose anybody know why the BIOS is no longer put on a ROM ?

Updates?

> From what I saw, the Secure Boot justification from Microsoft is
> sharing basically the same problem with the FSF's need of free BIOS,
> which is that the BIOS is not read only.

Secure Boot aims to solve the problem of code on disk running in kernel
space not being read-only. It's a different problem. Its security
assumes parts of the BIOS being read-only.