Slashdot: News for Nerds

FSF Does Want Secure Boot; They Just Want It Under User Control

timothy posted about a year and a half ago | from the where-the-devil-is dept.

DRM 210

Yesterday, we ran a story with the headline "Free Software Foundation Campaigning To Stop UEFI SecureBoot." It's more complicated than that, though, writes gnujoshua: "We want computer manufacturers to implement Secure Boot in a way that is secure. If a user can't disable Secure Boot and they are unable to sign their own software (e.g., bootloader, OS, etc), then we call that particular implementation 'Restricted Boot.' We don't want computer makers to implement Restricted Boot. We want them to implement Secure Boot and to provide a way for individuals to install a fully free OS on their computers. Many computer makers are implementing UEFI Secure Boot in this way, and we want to continue encouraging them to do so." The complete text of the statement they'd like people to sign reads: "We, the undersigned, urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems."

210 comments

What problem does it solve? (5, Interesting)

Gothmolly (148874) | about a year and a half ago | (#42427475)

What problem does Secure Boot solve, other than Microsoft's "other OS" problem?

Re:What problem does it solve? (4, Interesting)

Great Big Bird (1751616) | about a year and a half ago | (#42427489)

In days gone by a 'boot sector virus' was a real danger. This would seemingly prevent that.

Re:What problem does it solve? (4, Interesting)

macemoneta (154740) | about a year and a half ago | (#42427507)

The boot sector issue has already been solved by most BIOS by (optionally, under user control in the BIOS configuration) preventing writes to the sector. The only time you need to unlock it is when you want to update the bootloader (relatively rare). I'm still at a loss for the value-add presented by secure boot.

Re:What problem does it solve? (5, Interesting)

Anonymous Coward | about a year and a half ago | (#42427593)

The value is that it's DRM. Obviously this has no value to any computer user, but it has value to the people who try to force the proprietary OS on you (Microsoft).

Re:What problem does it solve? (0)

Anonymous Coward | about a year and a half ago | (#42427947)

DRM is a subset of security and has massive overlap. SecureBoot is SSL for your boot process.

Headline is disingenuous (4, Informative)

AliasMarlowe (1042386) | about a year and a half ago | (#42428155)

TFS has a headline which says "FSF Does Want Secure Boot". It would appear that this is not the case. The FSF would apparently prefer if secure boot were not implemented at all, but if it must be there, they ask that it be done in a way which allows straightforward user installation of a non-DRM OS.

Re:What problem does it solve? (1)

mjg59 (864833) | about a year and a half ago | (#42427957)

It's not DRM. You can turn it off in the firmware and there's no way for the OS to know that you did.

Re:What problem does it solve? (0)

Anonymous Coward | about a year and a half ago | (#42428085)

For now, look at Windows RT on ARM tablets for an example of where Microsoft wants to take this...

Re:What problem does it solve? (2, Informative)

Anonymous Coward | about a year and a half ago | (#42428143)

Wrong.

1. You can turn it off on x86 - not on ARM

and the biggy:

2. Windows can tell if it was booted in secure mode or legacy mode.

So basically you couldn't be more wrong. Congratulations.

Re:What problem does it solve? (1)

mjg59 (864833) | about a year and a half ago | (#42428291)

How does Windows know whether it was booted in secure mode? It makes the EFI GetVariable() call. Which is a function pointer handed to it by the firmware. Which you can modify if you're running untrusted code. So, no, Windows can't tell.

Re:What problem does it solve? (5, Informative)

AmiMoJo (196126) | about a year and a half ago | (#42427611)

Many viruses modify either the OS bootloader or low level drivers (SATA, PCI bus etc). By loading so early in the boot process they have full and unrestricted access to the entire machine, making them excellent and difficult to remove rootkits.

This isn't just a Windows problem either, all operating systems are vulnerable to the modification of core boot files.

Re:What problem does it solve? (5, Interesting)

Billly Gates (198444) | about a year and a half ago | (#42427681)

Many viruses modify either the OS bootloader or low level drivers (SATA, PCI bus etc). By loading so early in the boot process they have full and unrestricted access to the entire machine, making them excellent and difficult to remove rootkits.

This isn't just a Windows problem either, all operating systems are vulnerable to the modification of core boot files.

One of the only cool things Windows 7/8 do is have protected kernel paths combined with signed drivers in x64. This makes the job of a rootkit much harder and is one of the only arguments to give for die-hard XP users who are chaining their old systems by their ankles for life afraid to upgrade.

It is not about DRM at all and is not used. A signed bootloader with the kernel path and device drivers prevents the next Alureon worm/rootkit from taking shape as nothing untrusted can run from the kernel.

It is great for corporate customers. If this could be used for gnu/Linux the situation would be great for security.

Re:What problem does it solve? (3, Insightful)

segedunum (883035) | about a year and a half ago | (#42427791)

This makes the job of a rootkit much harder and is one of the only arguments to give for die hard XP users who are chaining their old systems by their ankles for life afraid to upgrade.

It's not a case of being afraid to upgrade. It's the fact that users, companies and organisations have software and infrastructure that runs and is tested on XP and there is zero benefit to them changing it. Kind of like how a great deal of mainframe code is still written in COBOL. There is no benefit to rewriting it and people do not have the time or the resources. You might not like that but that's the real world.

It is not about DRM at all and is not used. A signed bootloader with the kernel path and device drivers prevents the next Alureon worm/rootkit from taking shape as nothing untrusted can run from the kernel.

Anything can be deemed to be untrusted, that's the problem. I'm afraid the rootkit/virus/security angle to this stuff is just an excuse, plain and simple.

It is great for corporate customers.

It's a disaster for corporate customers. They face a future of new hardware refusing to boot existing versions of Windows or any other operating systems, enforced upgrades and a spiralling in costs, licensing and otherwise. A rootkit is the least of their worries.

Re:What problem does it solve? (1)

Billly Gates (198444) | about a year and a half ago | (#42427881)

This makes the job of a rootkit much harder and is one of the only arguments to give for die hard XP users who are chaining their old systems by their ankles for life afraid to upgrade.

It's not a case of being afraid to upgrade. It's the fact that users, companies and organisations have software and infrastructure that runs and is tested on XP and there is zero benefit to them changing it. Kind of like how a great deal of mainframe code is still written in COBOL. There is no benefit to rewriting it and people do not have the time or the resources. You might not like that but that's the real world.

It is not about DRM at all and is not used. A signed bootloader with the kernel path and device drivers prevents the next Alureon worm/rootkit from taking shape as nothing untrusted can run from the kernel.

Anything can be deemed to be untrusted, that's the problem. I'm afraid the rootkit/virus/security angle to this stuff is just an excuse, plain and simple.

It is great for corporate customers.

It's a disaster for corporate customers. They face a future of new hardware refusing to boot existing versions of Windows or any other operating systems, enforced upgrades and a spiralling in costs, licensing and otherwise. A rootkit is the least of their worries.

I posted comments here debating slashdotters who feel anyone still running an old IE at work deserves to be hacked who do not understand corporate IT. Like the mainframes platforms of old there are solutions for them. Citrix and MS terminal servers are just 2 to run older software.

I have also seen consumers who feel XP is the best OS ever made and that Windows 7 must be a Vista as slashdotters called it Vista 2.0 and think that just because it runs on 128 megs of RAM makes it a superior product over anything else etc.

Why upgrade what works fine?

The fact of the matter is new hardware does not like XP very well. I read stories of help desk spending a week hacking .ini files and reverse engineering Windows 7 drivers to run on XP for these users! USB 3, touchscreens, tablets/netbooks with strange chipsets and digitizers, and other things already do not have XP drivers nor support. XP is on life support for only the corporate laptops that are $$$ for Dell and HP units. These will get EOL'd and you are screwed as they won't run XP anymore by 2014.

It is a security risk, and the rest of the world who does not have your requirements are moving on. Already Office 2003 is not fully compatible with the newest .docx files in Office 2013 and sometimes Office 2010.

Worms are a constant problem and the situation under XP is getting drastically worse! Did you read about the newest malware targeting the XP versions of IE 8, 7, and 6? Who are you going to get support from after next year?

It is time to consider Hyper V, Windows Server 2003 terminals, and Citrix similar to rally and x3700 IBM terminal software for these must have apps before it is too late. I disagree that a corporate customer wouldn't love to have documents time bomb, lock and encrypt files, and prevent software that is unauthorized to steal keystrokes at bootup. Secureboot and DRMing of some Office files would have its benefits keeping confidentiality.

I know it is an unnecessary cost for you but come on? 12 years is a FUCKload A LOT of time and you can't expect everyone to stop innovation to service you. As it is we can't even move to HTML 5 yet due to XP. Most do not run 15 year old software and there are options so your users can move on and still run these old apps. It costs money too for MS and everyone else to backport everything to so many browsers and operating systems and your helpdesk will love the malware and fake AV popup calls go down from a more secure browser/OS. Those ancient VB and IE 6 apps do not need internet access from your Citrix terminal program.

Re:What problem does it solve? (3, Insightful)

segedunum (883035) | about a year and a half ago | (#42428131)

I posted comments here debating slashdotters who feel anyone still running an old IE at work deserves to be hacked who do not understand corporate IT.

You feel free to debate other 'Slashdotters' as much as you like to fit your own arguments. There are other browsers available on XP besides IE since Microsoft claims they can't upgrade it.

Like the mainframes platforms of old there are solutions for them. Citrix and MS terminal servers are just 2 to run older software.

More complexity and more expense to continue running exactly what users were running before. The corporate world has no time for it. However, we still have forty year old COBOL code calculating our bank balances every day and people are not going to be rewriting what they have in .Net to run on a newer platform. There is only so much Microsoft can squeeze from that lemon.

The fact of the matter is new hardware does not like XP very well.

Well it wouldn't would it, you idiot? That's why corporations are virtualising old versions of Windows, but this presents Microsoft with a dilemma. Previously they depended on perpetual hardware upgrades but virtualising Windows allows corporations to continue functioning as normal and upgrade hardware pretty much forever. Enter 'Secure Boot'. Hardware that doesn't have the keys to boot 'foreign' hypervisor platforms and hypervisors implementing Secure Boot that have keys only to boot what they feel like.

These will get EOL'd and you are screwed as they won't run XP anymore by 2014.

People will care little. I know of people running NT 4, many virtualised, on closed off networks because they have applications on there that would take a great deal of time and effort they don't have to upgrade. It is simply the way the real world is.

It is a security risk, and the rest of the world who does not have your requirements are moving on.

The numbers in the corporate world who are still running XP tell you otherwise. They aren't moving on.

Already Office 2003 is not fully compatible with the newest .docx files in Office 2013 and sometimes Office 2010.

That's not anyone's problem but Microsoft. No one cares in the corporate world. Many have mail merges and Office BASIC tied into Office 97. They won't be rewritten. They already have all their documents in the old binary doc format and have no time to do conversions or find out if a new version of Office will actually open them.

Did you read about the newest malware targeting the XP versions of IE 8, 7, and 6?

The moral of the story? Don't use IE.

Who are you going to get support from after next year?

People are not phoning Microsoft up every day of the week getting support to keep their systems running. Things are a known quantity.

It is time to consider Hyper V, Windows Server 2003 terminals, and Citrix similar to rally and x3700 IBM terminal software for these must have apps before it is too late.

More complexity the corporate world dislikes. However, those who have needed to virtualise and run terminal sessions have been doing so. The trick with that though is that you don't need a magical desktop environment to run web or remote applications.

I disagree that a corporate customer wouldn't love to have documents time bomb, lock and encrypt files, and prevent software that is unauthorized to steal keystrokes at bootup.

I thought this wasn't about DRM? ;-) Any experience of corporate IT tells you these are accidents waiting to happen. All you'll get is a load of support calls asking you why something doesn't work.

I know it is an unnecessary cost for you but come on? 12 years is a FUCKload A LOT of time and you can't expect everyone to stop innovation to service you.

Like I said, as something becomes part of the infrastructure it doesn't get changed. That's why we have forty year old COBOL code and platforms still calculating peoples' bank balances. Desktop software during the 90s, culminating in Windows XP, became a part of that infrastructure which is why it is going to be virtually impossible to get much of the corporate world off it. Twelve years is absolutely nothing in the grand scheme of things.

As it is we can't even move to HTML 5 yet due to XP.

Don't use IE. Download and use another browser on XP. ;-)

It costs money too for MS and everyone else to backport everything to so many browsers and operating systems and your helpdesk will love the malware and fake AV popup calls go down from a more secure browser/OS.

1. No one cares about people having to support IE. The solution is to download another browser for XP. 2. XP is already pretty secure when you stop running users as administrators. There are ways and means and it is a known quantity.

Those ancient VB and IE 6 apps do not need internet access from your Citrix terminal program.

People do not need the latest version of Windows, or even Windows at all in many cases, to run web based and terminal applications. ;-)

I just had a good chuckle as I read through this. It just sounded like outright desperation and it is something I imagine being discussed within the walls of Redmond when they ask themselves why the corporate world doesn't have IT teams totally dedicated to continually upgrading their Microsoft software and just how they can squeeze more money out of the market.

Re:What problem does it solve? (1)

AmiMoJo (196126) | about a year and a half ago | (#42428009)

It's not a case of being afraid to upgrade. It's the fact that users, companies and organisations have software and infrastructure that runs and is tested on XP and there is zero benefit to them changing it. Kind of like how a great deal of mainframe code is still written in COBOL. There is no benefit to rewriting it and people do not have the time or the resources. You might not like that but that's the real world.

The key difference is that people tend not to use their mainframe running COBOL code to browse the internet at lunch time. Software for XP tends to be end-user software, on vulnerable workstations.

Windows 7 does provide a full XP virtual machine as well.

Re:What problem does it solve? (1)

segedunum (883035) | about a year and a half ago | (#42428167)

The key difference is that people tend not to use their mainframe running COBOL code to browse the internet at lunch time. Software for XP tends to be end-user software, on vulnerable workstations.

You're missing the point. Corporations have desktop software that they completely rely on that was written for the NT4/Windows 2000/Windows XP era as the desktop market expanded within business through the 90s and early 00s. That reached a critical mass some years ago. I hate to burst peoples' bubbles on this but companies do not spend vast sums on having dedicated teams of people continually upgrading Microsoft software and rewriting their own software to run on new platforms nor do they care about people telling them how vulnerable their desktops are. Their current desktops are a known quantity. Microsoft is going to find that out the hard way as they try and squeeze the lemon further over the next few years.

Re:What problem does it solve? (0)

Anonymous Coward | about a year and a half ago | (#42427755)

Had one of those show up on a relative's computer a while back. Only way to deal with it was a Kaspersky rescue CD, amusingly built on Linux and KDE.

ovo - hoot

Re:What problem does it solve? (5, Interesting)

VortexCortex (1117377) | about a year and a half ago | (#42428059)

The BIOS exists in the mother board's firmware. When you turn on the computer the BIOS is what is first executed. BIOS is what searches for drives that are bootable by looking for a first sector with 0x55 0xAA @ byte positions 510 & 511 (offset from pos 0, the first byte). If you tell the BIOS not to allow writes to any boot sectors then there can be no writing to the OS bootloader which starts off in that boot sector. That sector's 512 bytes (minimum) get loaded at seg:off 0000:07C0h on x86 systems, and the code begins executing in 16 bit real mode. In that 466 bytes of data (512 - 2 - 64 for partition table) it's a pretty tight fight, but I've managed to squeeze in a hash algorithm and a fingerprint along with the loader code for my own OS. If my boot sector is write protected, then it can't be modified, and it can verify the early environment kernel it loads hasn't been tampered with as well. From my early kernel I can perform signature verification of all other code loaded -- From drivers and applications to even other OS's sectors (for multi-boot). Signatures are either embedded in the executable as part of my extension to ELF or in a separate table in the case of the multi-boot OS sectors. Furthermore, the /boot/ system can be stored on read only media, such as a CD ROM, to prevent any tampering when the OS isn't running (you can do this with Linux too). This is how I secure even x86 systems w/o the option to disable boot sector writes -- Boot a CD that boots the OS.

EFI requires a FAT 32 file system to store your boot data within. Other FATs like FAT16 are supposed to be supported, but in my experience only FAT32 works reliably. This is nice because the BIOS can load your whole early kernel image into memory, set up protected mode and begin executing the kernel image at its desired memory location without requiring you to write a bootstrap loader that does this. EFI sucks a bit because I'll miss the old real mode and the ability to install old OSs like DR DOS & DOS 3.1, and miss all those classic graphics modes, but that's a lot of baggage (service interrupts) for BIOS to have to support, and it's all a bit buggy anyway from BIOS to BIOS...

UEFI, SecureBoot, adds the requirement that the boot image be cryptographically signed with a key stored in the firmware. However, what good does it do to cryptographically sign the kernel image and verify it at boot if the OS doesn't take over and cryptographically verify all the low level drivers, etc? It's not any good, that's what. So, the OS has to support that same sort of signature system that I can achieve on an x86 without UEFI's help, given that BIOS lets me disable writing to the boot sector, or I boot from a read only media (CD/DVD).

There's nothing preventing EFI from having an option one could enable to prevent changes to the bootable sectors while the system is running. Drives would have to support a "mark read only" standard for sectors that the EFI or the OS itself could use to prevent changes to data on disk. The point is that the same exact benefits UEFI provides can be provided by simply setting sectors "read only" at boot -- No signature chains required in the damn BIOS at all. OS code will be responsible for verifying its own signature chains anyway, so the OS could be written in such a way that its early kernel doesn't ever need to be modified -- Public Key Crypto could be used in the 1st stage kernel to allow any 2nd stage to be verified once the 1st stage is loaded, and different signed 2nd stages could be created for kernel upgrades. To keep the whole system secure only the 1st stage would need hardware write only protection. Additionally, the write-only method would allow any OS be installed without requiring clumsy crypto-key management -- End users could set a BIOS flag: Allow new OS Installation During Next Boot: [ON | OFF] much easier than looking up and entering a huge hex key -- What are the chances you'll mistype one char? Ugh, THAT's going to raise the bar to install new OSs, and be a huge pain in the neck even if the FSF gets their way.

As someone who's implemented both a UEFI boot chain, as well as an x86 boot chain with the same security benefits that UEFI provides, I can see why UEFI works the way it does -- Because Drives don't support a "mark sectors read only" protocol, and boot images don't fit in a single sector. However, I think UEFI is far less elegant, and a real clusterfuck to implement from both the hardware and software side of things -- I mean, FAT32 is Microsoft's Proprietary File System, and parts of it are patented: Short to Long name mapping, for example. It just feels like a land mine. Think about how much more complex UEFI is than simply booting from a damn CD, esp. considering that UEFI doesn't provide any real benefit over booting from CD -- IMO, that's just bad. Clearly, all we need is the ability to put data into some read only memory during an OS install. THAT would be a solution. Not UEFI.

Besides: Coreboot is a far better solution [coreboot.org] -- Put the head of the OS's secure crypto chain directly into the MOBO Firmware, and allow users to change out UEFI with good ol' BIOS services instead if that's what they want or need to have. A standard for any motherboard to have the aforementioned "allow OS installs this boot" option, and an interface to flash the mobo with the OS boot loader -- Bingo. A real and elegant solution. Protip: Less choice is never a good option.
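
The chained check the comment above describes (a boot sector that carries a fingerprint of the next stage, and is itself checked against a value kept out of reach of disk writes), sketched as an added example that is not code from the commenter or from any project. It uses the standard MBR layout (partition table at offset 446, 0x55 0xAA at bytes 510 and 511); the fingerprint slot `FP_OFF`, the FNV-1a stand-in hash and all sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512
#define FP_OFF         430  /* hypothetical: where stage 1 stores stage 2's fingerprint */
#define PART_TABLE_OFF 446  /* standard MBR: four 16-byte partition entries */
#define SIG_OFF        510  /* 0x55 0xAA boot signature */

enum verdict { BOOT_OK, BAD_SIGNATURE, STAGE1_MODIFIED, STAGE2_MODIFIED };

/* FNV-1a 64-bit. Stand-in only: it is not collision resistant, so a real
   chain would use SHA-256 or a public-key signature check here. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void store_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++, v >>= 8)
        p[i] = (uint8_t)v;
}

/* Fingerprint of the boot code area. It covers the embedded stage 2
   fingerprint, so swapping that value also changes this one. The partition
   table and signature bytes are excluded because they legitimately change. */
uint64_t stage1_fingerprint(const uint8_t *sector)
{
    return fnv1a64(sector, PART_TABLE_OFF);
}

/* pinned_stage1 is the trust root: it must live somewhere the running OS
   cannot write (read-only media, firmware), or the check proves nothing. */
enum verdict verify_chain(const uint8_t *sector, uint64_t pinned_stage1,
                          const uint8_t *stage2, size_t stage2_len)
{
    if (sector[SIG_OFF] != 0x55 || sector[SIG_OFF + 1] != 0xAA)
        return BAD_SIGNATURE;
    if (stage1_fingerprint(sector) != pinned_stage1)
        return STAGE1_MODIFIED;
    if (fnv1a64(stage2, stage2_len) != load_le64(sector + FP_OFF))
        return STAGE2_MODIFIED;
    return BOOT_OK;
}

/* Constructed sample data: builds a sector and a stage 2 image, optionally
   tampers with one of them, and returns the verifier's verdict.
   tamper: 0 none, 1 boot signature, 2 boot code, 3 stage 2 image. */
enum verdict demo(int tamper)
{
    uint8_t sector[SECTOR_SIZE];
    uint8_t stage2[2048];

    for (size_t i = 0; i < sizeof stage2; i++)
        stage2[i] = (uint8_t)(i * 7 + 3);
    memset(sector, 0x90, PART_TABLE_OFF);       /* filler "boot code" */
    memset(sector + PART_TABLE_OFF, 0, 64);     /* empty partition table */
    sector[PART_TABLE_OFF + 16] = 0x80;         /* second entry marked active */
    sector[SIG_OFF] = 0x55;
    sector[SIG_OFF + 1] = 0xAA;
    store_le64(sector + FP_OFF, fnv1a64(stage2, sizeof stage2));

    uint64_t pinned = stage1_fingerprint(sector);   /* recorded at install time */

    if (tamper == 1) sector[SIG_OFF + 1] = 0x00;
    if (tamper == 2) sector[10] ^= 0x01;
    if (tamper == 3) stage2[1000] ^= 0x01;

    return verify_chain(sector, pinned, stage2, sizeof stage2);
}

int main(void)
{
    static const char *names[] = { "BOOT_OK", "BAD_SIGNATURE",
                                   "STAGE1_MODIFIED", "STAGE2_MODIFIED" };
    for (int t = 0; t <= 3; t++)
        printf("tamper=%d -> %s\n", t, names[demo(t)]);
    return 0;
}
```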

Re:What problem does it solve? (1)

BitZtream (692029) | about a year and a half ago | (#42428139)

EFI sucks a bit because I'll miss the old real mode and the ability to install old OSs like DR DOS & DOS 3.1, and miss all those classic graphics modes, but that's a lot of baggage (service interrupts) for BIOS to have to support, and it's all a bit buggy anyway from BIOS to BIOS...

FYI, EFI is more than capable of presenting a BIOS environment to the next stage of the boot process, ask any mac owner.

Re:What problem does it solve? (1)

Rockoon (1252108) | about a year and a half ago | (#42428299)

If my boot sector is write protected, then it can't be modified, and it can verify the early environment kernel it loads hasn't been tampered with as well.

You speak later about booting from read only media, but that's part of the problem. Even if you prevent a specific boot sector from being written to, that doesn't tell you or the kernel anything about which bootsector was loaded and executed... and therefore the kernel cannot know that it has, or ever had, full control.

Re:What problem does it solve? (2, Interesting)

Gaygirlie (1657131) | about a year and a half ago | (#42428161)

I haven't seen a virus or other malware in YEARS that modified the kernel, bootloader or drivers. The ones I have seen have just attached themselves to the system once the kernel and its drivers are already loaded, and thereby Secure Boot wouldn't do a diddly good against those, and these kinds of viruses/malware packages are a dime a dozen.

Secure Bullshit (1)

kawabago (551139) | about a year and a half ago | (#42427701)

Anything in a computer that calls itself 'Secure' isn't. Secure Boot is a false sense of security that will lead people to think they are safe. Secure Boot is Microsoft's Security against competition.

Re:Secure Bullshit (3, Funny)

morcego (260031) | about a year and a half ago | (#42427857)

All computers have a SECURE setting. It is called "Power off".

Re:Secure Bullshit (1)

fredgiblet (1063752) | about a year and a half ago | (#42427929)

Wake-on-LAN

Re:Secure Bullshit (1)

Gaygirlie (1657131) | about a year and a half ago | (#42428175)

Wake-on-LAN

...isn't on by default.

Re:Secure Bullshit (0)

Anonymous Coward | about a year and a half ago | (#42428221)

real slashdoters unplug the network cable

Re:What problem does it solve? (2, Informative)

mjg59 (864833) | about a year and a half ago | (#42427955)

BIOS boot sector protection has never prevented writes to the MBR unless you're running DOS - any actual OS uses direct hardware access instead of using the BIOS, and so it can't be blocked. It'd be possible for the BIOS to complain that the MBR's been modified, but it has no way of verifying that the partition boot code or the actual bootloader are still secure. Unsurprisingly, malware authors take advantage of this - https://support.kaspersky.com/viruses/solutions?qid=208280748 [kaspersky.com] has a list of modern bootkits.

Re:What problem does it solve? (0)

Anonymous Coward | about a year and a half ago | (#42427981)

SecureBoot also protects you from someone with physical access or drive-by attacks like plugging a DMA device into a firewire or Thunderbolt port.

SecureBoot also protects you from non-BootRecord changes to your boot-process like changes to your kernel, drivers, or your init.

SecureBoot can protect you even from root user by not allowing non-signed kernels/drivers/etc from loading.

Re:What problem does it solve? (1)

BitZtream (692029) | about a year and a half ago | (#42428113)

And then the tiny ass bootsector loads another unchecked block of code that can easily be tampered with.

The boot sector is .... 512 bytes. That is barely enough code to do anything useful, it is in fact NOT enough space for the code required to boot my FreeBSD machine which has its root on ZFS, as such that process is two stage (well more than that in actuality) and the boot sector really just points to another boot block in a known location that the BIOS doesn't give a flying fuck about.

There isn't enough room in the boot sector to verify the next stage is the expected one, hell there isn't enough space in the boot sector to store the fraking public key needed let alone the code and hashes.

You utterly fail to know anything about which you speak.

SecureBoot allows the system to boot from known binaries every time, no worries about a root kit.

Doesn't make the system un-hackable, but it gives you a known-good starting point, and that goes a long way.

Boot sector protection doesn't do shit in that respect.

Re:What problem does it solve? (1)

BitZtream (692029) | about a year and a half ago | (#42428145)

I posted too soon :/

It should also be noted that 'boot sector protection' as implemented doesn't work unless you're using BIOS calls to do the write. Once you're using direct hardware access like every OS on the planet does, BIOS doesn't have any part in the process and thus is a non-starter.

Re:What problem does it solve? (4, Interesting)

segedunum (883035) | about a year and a half ago | (#42427761)

1. It heads off anything else that is good enough being installed on to PC hardware that Microsoft deems threatening.

2. It's a lovely form of DRM Microsoft is probably salivating at. It means that future hardware can explicitly refuse to install previous versions of Windows even if it is possible.

3. Manufacturers will probably love it because there is the possibility that they can enforce what hardware can or can't be installed in the system. The net result is that hardware will have an artificially shorter life from now on and things will get a whole lot more expensive for users and for any prospective entrants into the hardware business. In fact, it will be downright impossible. Expect this to turn into one God-awful mess.

4. Everyone talks about Linux and other operating systems, but it will have an interesting effect on virtualisation. Microsoft has long been deeply uncomfortable about non-Microsoft systems running Windows virtual machines. The net effect is that these days you can run NT, Windows 2000 or Windows 2003 and prolong their life on new hardware by virtualising. With 'Secure' Boot Microsoft gets to dictate what hypervisors will run on hardware in future and they'll be able to control the life of their current and future operating systems. Expect to install Windows 8 on Windows Server 2015 with Hyper-V? Nope, sorry. Windows will probably also end up refusing to run as a guest on any hardware it doesn't like.

Basically, it's the end of the PC platform. I don't know whether Microsoft realises it but we'll all look back on this as the beginning of the end for them.

Re:What problem does it solve? (0)

Billly Gates (198444) | about a year and a half ago | (#42427789)

Not true at all.

Windows Server 2012 is the first version of Windows (behind Linux and Solaris I may add) that is actually built to be run in a VM. For example you do not need to give it the max ram usage and have the image use 100% of it instead of dynamically use it up to the limit as it needs. VMware and Hyper-V have drivers to load without secureboot that are in Windows 8 and Server.

Re:What problem does it solve? (1)

segedunum (883035) | about a year and a half ago | (#42428191)

-- Whoosh Re-read carefully. I'm afraid you're not arguing anything by giving us an astroturfed commercial for Windows 2012.

Re:What problem does it solve? (1)

oneandoneis2 (777721) | about a year and a half ago | (#42427867)

The most important one is that it can guarantee that the software you're running is the software you THINK you're running.

Simple example: Someone nasty gets access to your Linux box and installs a rootkit. This includes a modified version of "ps" that won't show the rootkit process(es), making it harder for you to notice it's there.

If you use a Linux machine that's set up to take advantage of the hardware, you could have it set to, say, only allow software that was signed by Canonical to run on it. This would mean that all your Ubuntu software would work fine, but the new version of 'ps' our malware installed, that wouldn't run. This would alert you instantly to the fact that someone has installed malicious software, and allow you to get rid of it.

Of course, we all use more than just Ubuntu's own packages, so you'd also want it to allow software that you personally signed with a secure key (i.e. one that ISN'T kept on the machine so the bad guy can snag it) - otherwise you wind up in an Ubuntu "walled garden". So it's important that you can say who you trust to provide software you can run on your machine.

It's actually a nice idea, (I'd certainly like my next PC to take advantage of it) but unfortunately one that gets constantly overrun with paranoid hype about it being designed to kill FOSS.

Re:What problem does it solve? (1)

rudy_wayne (414635) | about a year and a half ago | (#42427877)

What problem does Secure Boot solve, other than Microsoft's "other OS" problem?

Actually, it doesn't even "solve" that problem. Secure Boot is only a potential problem on computers running Windows 8. Once you buy that computer, Microsoft has already collected their "Windows Tax" so even if you install some other OS, it has no effect on Microsoft. They already got their money. This is one of Microsoft's biggest problems. The monopolist mentality is so deeply entrenched that they spend an enormous amount of time and money on stupid crap that is of absolutely no benefit to them.

More importantly, however, why exactly would you buy a computer with Windows 8 on it just so you can wipe it and install something else? That makes no sense.

Re:What problem does it solve? (1)

DigiShaman (671371) | about a year and a half ago | (#42427991)

It prevents rootkits from hijacking the OS at bootup. For example malware acting as a hypervisor with your real OS running under it.

Re:What problem does it solve? (0)

Anonymous Coward | about a year and a half ago | (#42428339)

It solves the problem of operating system trust in DRM systems. It would also make it possible for the OS to require Secure Boot validation at some later time, meaning running the os in virtual machines would require the manufacturer of the virtual machine to get some form of license. And it would make it a lot more difficult to pirate the OS.

Here's to hoping (2)

Sable Drakon (831800) | about a year and a half ago | (#42427481)

They may say they're committed, but let's hope they put their money where their mouth is the next time a machine they really want comes to market.

Its all in the language (0)

Great Big Bird (1751616) | about a year and a half ago | (#42427505)

I notice the language they use, such as calling the thing they are against 'Restricted Boot', and calling it 'jailed systems'. All quite expected, but I find it patronizing for them to have to call it by weaselly words.

Re:Its all in the language (5, Insightful)

cwebster (100824) | about a year and a half ago | (#42427541)

'Jailed' is the popular nomenclature. What do you think 'jailbreaking' means on your mobile device? It means unlocking the bootloader so it will boot unsigned or differently signed kernels. Doesn't sound patronizing to me, it sounds descriptive.

Re:Its all in the language (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42427545)

Weaselly words? The lockdown in the name of "Secure Boot" is a weasel word. Calling it what it is in its implementation on ARM, "Restricted Boot" is not weaselly--it's correct (cf. "Digital Rights Management" vs. "Digital Restrictions Management")

Re:Its all in the language (1)

NemosomeN (670035) | about a year and a half ago | (#42427777)

The problem I personally have with it is, traditionally, if you "invent" something, you get to name it. Other people can complain, and say that your name is inaccurate, but FSF is trying to replace the name being used. They've done this in the past, as noted by others. I'd much rather say "'Secure Boot' is a load of horse shit" than start calling it "HorseShit Boot."

Re:Its all in the language (-1)

Anonymous Coward | about a year and a half ago | (#42427569)

watch out, you will get the freetards worked up, and they will launch an all out assault on your pro MS devil ass

Re:Its all in the language (0)

Anonymous Coward | about a year and a half ago | (#42427753)

You poor lost soul.

You need to go to an FSF temple and repent your proprietary ways so you can learn of the true GNU and be saved.

Re:Its all in the language (1)

Sable Drakon (831800) | about a year and a half ago | (#42427609)

This was probably written by lawyers, the masters of weasel words. Did you expect anything less?

Re:Its all in the language (0)

Anonymous Coward | about a year and a half ago | (#42427709)

How dare you discount the holy word of the GNU.

All hail lord Stallman.

Re:Its all in the language (0)

Anonymous Coward | about a year and a half ago | (#42427945)

Why don't you just go back to sucking Ballmer's dick.

Re:Its all in the language (5, Insightful)

PolygamousRanchKid (1290638) | about a year and a half ago | (#42427713)

Most people buying a computer will hear "Secure Boot", and yell, "Good! Secure! War on Terror!"

When they hear "Restricted Boot", they will scream, "Bad! Restricted! War against my freedom!"

It's those folks who this wording is for, not Slashdot folks.

Re:Its all in the language (1)

icebike (68054) | about a year and a half ago | (#42427931)

Mod parent up.

Words have meaning, and I like descriptive product names.

Re:Its all in the language (1)

segedunum (883035) | about a year and a half ago | (#42427797)

Quite frankly I find the term 'Secure Boot' a greatly misleading term when you consider how this can, and alas will, be used.

Re:Its all in the language (1)

Bert64 (520050) | about a year and a half ago | (#42427823)

Calling it "secure" is weaselly, as it will do very little to improve security for the users and their data.

So then they're fine with Windows 8 (5, Insightful)

Missing.Matter (1845576) | about a year and a half ago | (#42427537)

So then they're fine with the way Windows 8 handles it? Because that's exactly what Microsoft demands of computer manufacturers who want to be certified for Windows 8.

Windows RT is a whole different matter, but Windows RT also accounts for about 0% of the tablet market right now. Why is the FSF making all this noise now, when Apple has been happily locking down the iPad since 2010? Microsoft is just joining the party, and it seems a little late for FSF to get self-righteous about it.

But more power to them I guess. It seems like a tough fight, however, when users have a great deal of choice between tablets (both locked and unlocked), even with the locking down of certain hardware.

Re:So then they're fine with Windows 8 (4, Insightful)

Microlith (54737) | about a year and a half ago | (#42427565)

Why do people think that no one complained about Apple's lock down? They've had a walled garden in place since iOS 2.0 and it's always been a point of contention. Secure Boot just brings the threat of universal lock down that much closer.

Re:So then they're fine with Windows 8 (2)

Missing.Matter (1845576) | about a year and a half ago | (#42427599)

FSF did complain [fsf.org] about iPad, but it seems they were focused on the DRM aspect of the store. Did they also start a campaign about the locked bootloader? I'm just looking at the practicality of their campaign... if they were really concerned about the practice, perhaps they should have started this campaign before Apple sold 100 million locked down iPads, and turned locking down tablets into an industry standard. Microsoft has carte blanche to lock down Windows RT because they can point any government agency to Apple and say "They're the market leaders in this space and they lock down their hardware."

The "Apple does it too" line doesn't nullify what MS is doing, but it does make stopping their efforts much more difficult for FSF.

Apple did not get a free pass (3, Informative)

tuppe666 (904118) | about a year and a half ago | (#42427665)

Why do people think that no one complained about Apple's lock down? They've had a walled garden in place since iOS 2.0 and it's always been a point of contention. Secure Boot just brings the threat of universal lock down that much closer.

Well to be fair both the FSF and EFF have been heavily involved after Apple demonised their customers calling them criminals for jailbreaking Apple's Phones (not theirs). Ignoring the fact that those are *electronic* devices and Apple is nowhere near a monopoly (I know it's not a good answer for apple users), but again the same groups are not just focused on Microsoft. As for the FSF a quick Google gives this http://www.defectivebydesign.org/blog/1256 [defectivebydesign.org] , although the jailbreak DMCA exemption for the iPhone...and not the tablet, have been big news on most technology sites.

Re:So then they're fine with Windows 8 (1)

segedunum (883035) | about a year and a half ago | (#42427843)

Why do people think that no one complained about Apple's lock down? They've had a walled garden in place since iOS 2.0 and it's always been a point of contention. Secure Boot just brings the threat of universal lock down that much closer.

Because secure boot is about locking down the PC platform. It's on a whole different level. People can actually choose not to use iOS. They don't exactly get a choice these days not to use a PC.

Re:So then they're fine with Windows 8 (4, Informative)

rekoil (168689) | about a year and a half ago | (#42427585)

The FSF has been knocking Apple over iOS since its release. http://www.fsf.org/blogs/community/why-free-software-and-apples-iphone-dont-mix [fsf.org]

Re:So then they're fine with Windows 8 (1)

Missing.Matter (1845576) | about a year and a half ago | (#42427685)

They seem to be more focused on the DRM aspect in your link, and again here [fsf.org] . What I'm saying is that this campaign against one single implementation of a locked bootloader means absolutely nothing if the leader in the marketplace has sold 100 million locked down units and you've done nothing to stop that. If the FSF succeeds with their campaign, most tablets sold will *still* be locked down. What will they gain by this?

Think of it like a boss battle, where the boss is supported by many little nuisance helpers. Sure you can pick off the helpers, but when they're all dead the boss is still there.

Re:So then they're fine with Windows 8 (1)

amiga3D (567632) | about a year and a half ago | (#42428027)

That's one hardware vendor versus dozens. Restricted-Boot will cover all the other hardware vendors. Apple gets to cheat because they make the software for their hardware. All the people that buy Apple know this and in fact it's one of the reasons some of them buy Apple. I own a Mac computer but I bought an Android phone because I don't like the total lock down they have on the iOS devices. I pretty much run anything I want on my Mac so they haven't taken the process to the Computer side of the business yet. When they do I'm done with that too.

Re:So then they're fine with Windows 8 (0)

Anonymous Coward | about a year and a half ago | (#42427595)

because man apple had darwin man, and its MS gatekeeping our computers man like a Fascist man and RMS made a compiler man and you just want to burn down all of our efforts man, you disgust me man, go back to defending your corporate overloads man, defend MS to the death you pig but some of us like FREEDOM man.

Re:So then they're fine with Windows 8 (2)

Xtifr (1323) | about a year and a half ago | (#42427669)

So then they're fine with the way Windows 8 handles it? Because that's exactly what Microsoft demands of computer manufacturers who want to be certified for Windows 8.

Only on x86. The MS requirement for user-control over UEFI only applies to x86 systems. Arm based systems (phones, pads, etc.) have no such requirement.

But yes, I was surprised and pleased that MS included those requirements, even if it was just for x86, and I'm sure the FSF was as well.

Re:So then they're fine with Windows 8 (1)

segedunum (883035) | about a year and a half ago | (#42427855)

But yes, I was surprised and pleased that MS included those requirements, even if it was just for x86, and I'm sure the FSF was as well.

I wasn't surprised. On x86 they had to because of the stink that would be created if corporations couldn't install existing Windows versions on new hardware or run their ghosting and imaging tools. On ARM they have no such problems and all they want to do is ensure Android cannot run.

Re:So then they're fine with Windows 8 (0)

Anonymous Coward | about a year and a half ago | (#42427717)

Microsoft is just joining the party, and it seems a little late for FSF to get self-righteous about it.

People have been complaining about it since Microsoft started pushing it years and years ago but it was called something else then (I just can't remember what), they just renamed it UEFI last year. And Red Hat has been complaining about it for at least that long.

It's a moot point anyway, it's already been cracked [[http://tech.slashdot.org/story/11/11/17/1928203/windows-8-secure-boot-defeated]].

Re:So then they're fine with Windows 8 (1)

mjg59 (864833) | about a year and a half ago | (#42427977)

You've linked to a story about a traditional MBR bootkit that doesn't even run under UEFI. Secure Boot is, as far as anyone knows, not yet cracked.

Re:So then they're fine with Windows 8 (1)

segedunum (883035) | about a year and a half ago | (#42427831)

So then they're fine with the way Windows 8 handles it? Because that's exactly what Microsoft demands of computer manufacturers who want to be certified for Windows 8

The difficulty is that OEMs will not lose any Windows 8 certification if they do not implement a user configurable key database. If it boots Windows 8 Microsoft won't care. Microsoft tacked that on to their 'mandatory requirements' knowing full well it won't be implemented in just about any case. In another 'mandatory requirement' they specify that the key database contents are to be determined by the OEM.

As for disabling secure boot, that was done so that existing versions of Windows and other platforms can at least be installed for a period without kicking up a stink. Ghosting imaging and other tools are a problem. In a few years new hardware will ship where you can't disable secure boot and anyone wishing to boot up on a PC platform will have to be deemed acceptable by Microsoft in order to get their software booted or even running on Windows itself. Freely available software will be out of the question.

Re:So then they're fine with Windows 8 (1)

mjg59 (864833) | about a year and a half ago | (#42427993)

Microsoft have told me that they'll revoke certification for any vendor who doesn't provide the appropriate options. If you have examples of machines that have certification and which don't allow any modification of the key database, let me know so we can find out if they were telling the truth.

Re:So then they're fine with Windows 8 (0)

Anonymous Coward | about a year and a half ago | (#42428187)

MB makers want to build systems for the lowest possible cost, so any feature they can remove, such as user control over the UEFI keys will save them money. In this way will loading anything other than Windows be blocked.

Re:So then they're fine with Windows 8 (1)

amiga3D (567632) | about a year and a half ago | (#42427983)

If I buy a computer from Dell I don't want Microsoft telling me what I can use it for.

Here Comes The Judge (0)

Anonymous Coward | about a year and a half ago | (#42427555)

This behavior sounds like a lawyer's wet dream to me. Talk about an attempt to form a monopoly. Anybody selling a system that prevents the user from using free software or OSs deserves a big, fat, nasty, very expensive, tour of courts all over the world.

Re:Here Comes The Judge (1)

kthreadd (1558445) | about a year and a half ago | (#42427627)

Sounds pretty much like what Apple has been doing for a few years now on the mobile side. How's it going with that lawsuit?

Re:Here Comes The Judge (1)

BitZtream (692029) | about a year and a half ago | (#42427795)

Apple can do anything it wants with its OWN devices. When they start using their (non-existent) monopoly to force others to follow the same rules, it's different.

You don't get to tell a company how to sell its own product just because it doesn't let you freeload on their work.

Re:Here Comes The Judge (0)

Anonymous Coward | about a year and a half ago | (#42427987)

I feel dumber just having read that

Re:Here Comes The Judge (1)

kthreadd (1558445) | about a year and a half ago | (#42427999)

Of course they can. I was just replying to the following:

Anybody selling a system that prevents the user from using free software or OSs deserves a big, fat, nasty, very expensive, tour of courts all over the world.

All Praise Lord Stallman (0)

Anonymous Coward | about a year and a half ago | (#42427561)

Our great lord and saviour.

The humble masses bow to the great unwashed one.

Re:All Praise Lord Stallman (0)

Anonymous Coward | about a year and a half ago | (#42427591)

He's not so much of a savior, but damn if he isn't good at being a prophet for tidings of doom.

Restricted Boot by definition insecure (5, Interesting)

Todd Knarr (15451) | about a year and a half ago | (#42427607)

Think about it a moment. The ultimate piece of malware would be one that can make your computer run software of someone else's choice, prevent you from running software other than the malware, and block you from removing the malware from the system or preventing it from running. Every piece of malware out there tries to do this, with varying degrees of success. Look at the malware that tries to disable anti-virus/anti-malware software.

Now, Restricted Boot would give someone else control over what software could boot on the machine, and prevent you from changing that list of authorized software. You cannot authorize software you want to run to run, nor can you remove authorization from software you do not want to run. You can't influence what runs at boot, you can't alter its operation. In short, you've bought into every malware author's wet dream: a system where they can do anything they want and the user can't do a thing about it.

And if you think "Oh, but all the system software would be signed by Microsoft, so how would the malware authors get the keys to authorize their software?", think about this: Microsoft certificates have already been compromised. The bad guys have already gotten access to what they need to sign software with legitimate Microsoft keys. The certificates used by the Flame malware [sans.edu] were only some of the most recent. And I'd note this older bulletin [microsoft.com] describing a situation where Verisign issued legitimate certificates issued to Microsoft to black-hats with no association with Microsoft. The bad guys obtaining the private keys to sign software isn't a theoretical discussion, it's already actually happened.

Re:Restricted Boot by definition insecure (3, Interesting)

Billly Gates (198444) | about a year and a half ago | (#42427655)

The master keys have not been compromised. Only one of the older ones which are derived from the master for signing software under XP. MS has revoked that particular key and replaced it with another one. The bad guys also forged one of Adobe's for running signed flash applets as well but Adobe has replaced it. The master key in both situations are still secure.

Re:Restricted Boot by definition insecure (2, Informative)

Anonymous Coward | about a year and a half ago | (#42427807)

The problem regarding the "Secure Boot"-key are a bit different:

Because they are built into the UEFI-firmware they cannot be easily replaced. You have to upgrade your firmware to get a new key. And then there is some kind of chicken&egg problem:

When the built-in key is compromised what should be updated first? The boot-loader (Signed with the non-compromised key) ? Or the key? If you replace the boot-loader first, the firmware refuses to load this boot-loader. And if you first replace the key, you have the same problem.

To replace the key and the boot-loader you have to disable "Secure Boot" in the firmware (Disabling by software is not allowed), then update the key (Means flashing a new version of the firmware) and the boot-loader and then reactivate "Secure Boot".

Now think of Average Joe or your grand mother and tell me how someone like them will accomplish this.

Wrong (4, Insightful)

scheme (19778) | about a year and a half ago | (#42427869)

To replace the key and the boot-loader you have to disable "Secure Boot" in the firmware (Disabling by software is not allowed), then update the key (Means flashing a new version of the firmware) and the boot-loader and then reactivate "Secure Boot".

Now think of Average Joe or your grand mother and tell me how someone like them will accomplish this.

Replacing the keys doesn't require reflashing the firmware, you just need to go into the UEFI setup screen and add or delete the keys you're interested in. If the key gets compromised, you just go to the setup, add the new key, boot and update the bootloader and go into the setup and remove the old key. Or, even easier, you update the boot-loader on a working system, then go into the UEFI setup and remove the old key and add the new key. The procedure you outlined is unnecessarily complex even assuming that you have to reflash the firmware to get new keys.
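
An added illustration, not part of the thread and not any firmware's code: a toy Python model of the key rotation debated in the two comments above, showing which orderings of the three steps leave the machine bootable after each step. The `Firmware` class, the step names and the tiny RSA keys are assumptions constructed for this example; real Secure Boot keeps X.509 certificates or hashes in its db and checks signed PE images.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy RSA key from two known primes (constructed; far too small for real use)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign(image, key):
    """Return (image, signature), the way a vendor would ship a signed boot-loader."""
    return image, pow(_digest(image, key["n"]), key["d"], key["n"])


def verifies(loader, n):
    image, sig = loader
    return pow(sig, E, n) == _digest(image, n)


class Firmware:
    """Hypothetical model: db is the set of trusted public moduli."""

    def __init__(self, trusted):
        self.db = set(trusted)

    def boots(self, loader):
        # A loader boots if any key in db verifies its signature.
        return any(verifies(loader, n) for n in self.db)


OLD = make_key(2**127 - 1, 2**89 - 1)  # stands in for the compromised key
NEW = make_key(2**107 - 1, 2**61 - 1)  # stands in for its replacement


def rotate(order):
    """Apply the rotation steps in the given order.

    Returns (bootable, firmware): bootable[i] says whether the installed
    boot-loader would pass verification right after step i.
    """
    fw = Firmware({OLD["n"]})
    state = {"loader": sign(b"bootloader v1", OLD)}
    steps = {
        "add_new": lambda: fw.db.add(NEW["n"]),
        "remove_old": lambda: fw.db.discard(OLD["n"]),
        "update_loader": lambda: state.update(loader=sign(b"bootloader v2", NEW)),
    }
    bootable = []
    for step in order:
        steps[step]()
        bootable.append(fw.boots(state["loader"]))
    return bootable, fw


if __name__ == "__main__":
    for order in (
        ["add_new", "update_loader", "remove_old"],  # both keys trusted during the change
        ["update_loader", "remove_old", "add_new"],  # loader first, keys fixed in setup
        ["remove_old", "add_new", "update_loader"],  # key swapped before the loader
    ):
        print(order, rotate(order)[0])
```

Only the first ordering passes verification after every step, because the db trusts both keys during the transition; the other two end in a working state but need the firmware setup screen or a Secure Boot-off boot in between.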

Re:Restricted Boot by definition insecure (1)

segedunum (883035) | about a year and a half ago | (#42427885)

The master key in both situations are still secure.

They are not guaranteed to stay that way, that's the OP's point. If I was a serious virus writer this system is a potential boon. If you can find a way of compromising the system so that things appear to be trusted when they're actually not and you can lock out other software as a result you can create a hell of a lot of damage before anyone even notices.

Re:Restricted Boot by definition insecure (1)

mjg59 (864833) | about a year and a half ago | (#42428019)

If you were a serious virus writer you'd already want to use the Microsoft CA to sign your rootkit so you can install it as a signed driver in Windows. Secure Boot moves the vulnerability down the stack, but even now a compromised Microsoft signing key is still massively desirable to virus authors.

Re:Restricted Boot by definition insecure (1)

Dunbal (464142) | about a year and a half ago | (#42427657)

Yup I agree completely. Ultimately I am responsible for my computer, not my OS vendor, and the "trust" model has already proven to be flawed. When the hackers have obtained certificates from the certificate issuing authorities themselves like say, VeriSign, there is no one left to trust. It's a mere marketing term that has no real value. Therefore I must have the keys to my own machine since ultimately I am the only one worthy of my trust.

So they want the status quo then? (2)

scheme (19778) | about a year and a half ago | (#42427625)

So the FSF is basically asking people to sign a petition that asks manufacturers to do what they are already doing and plan on doing? The current requirements for windows 8 are that users must be able to disable secure boot in the bios and do key management (addition/removal) of keys as well. I don't know of any manufacturer that is planning on doing anything different since that would mean that their systems would not be windows 8 certified.

In fact, I don't think microsoft bans having other keys besides their key in the bios by default. If, for example, the FSF or some coalition (e.g. RedHat, Ubuntu, Debian, etc.) were to come up with some workable key signing infrastructure, they could petition UEFI/mobo developers to include their keys in shipped products as well. The question is how do you freely allow people to get bootloaders signed without making it easy for malware authors to do the same.

Re:So they want the status quo then? (0)

BitZtream (692029) | about a year and a half ago | (#42427785)

This is just the FSF being douches. They have a petition to get what they already have and want to make it out to be something more than it is.

This is why only fanboys really give a shit about RMS and FSF anymore. Fighting the good fight is one thing. Ranting around like raving nutters when you're already getting what you're asking for but acting like you aren't just makes them look dumb.

Re:So they want the status quo then? (3, Interesting)

gtall (79522) | about a year and a half ago | (#42428005)

Can you boot whatever you want on Windows RT thingy? No. RMS and FSF are right, you are wrong.

Re:So they want the status quo then? (0)

Anonymous Coward | about a year and a half ago | (#42428031)

So how's that dual boot on the Surface working for you?

Re:So they want the status quo then? (1)

spitzak (4019) | about a year and a half ago | (#42427825)

The unsigned or differently-signed bootloader is not able to load Windows, because it will leave the machine in a different state that Windows will refuse to load from (ie wrong keys produced by the hardware). So such bootloaders are pretty limited. I could imagine a *huge* piece of Malware that is an entire copy of Windows but the user will lose any personal data stored on the disk in secure encrypted directories so this may be easily noticed, especially if Microsoft defaults to this encryption (which perversely would be in their interest as anybody converting a machine to dual-boot would have to turn off the encryption on any data that they want Linux to be able to read from the Windows partition).

So the ability to install arbitrary bootloaders does not seem like a problem to me.

Re:So they want the status quo then? (0)

Anonymous Coward | about a year and a half ago | (#42427997)

Your so-called huge piece of malware only needs to rewrite a few places of the kernel during the boot sequence to patch-out the was-I-booted-from-a-signed-bootloader check.

Re:So they want the status quo then? (1)

spitzak (4019) | about a year and a half ago | (#42428207)

It will not be able to set a decoding key that the following code needs, so no the following code will not work. It does not just do an if statement, it expects to read a decoding key from a piece of hardware and use that to decode parts of the system.

Re:So they want the status quo then? (0)

Anonymous Coward | about a year and a half ago | (#42427871)

It's the beginning of a new year. The FSF need some made-up crisis to drive fund-raising, same as any other non-profit. (They do more useful things than some non-profits, but it's still all about the fundraising.)

Re:So they want the status quo then? (1)

westlake (615356) | about a year and a half ago | (#42427939)

So the FSF is basically asking people to sign a petition that asks manufacturers to do what they are already doing and plan on doing ?

That is pretty much it.

Secure Boot is part of the UEFI 2.2 spec. Published in 2008. The geek has had four years to prepare for this.

Re:So they want the status quo then? (1)

andrew3 (2250992) | about a year and a half ago | (#42428007)

In fact, I don't think microsoft bans having other keys besides their key in the bios by default.

Windows RT has Restricted Boot on it.

Why is this news now? (0)

Anonymous Coward | about a year and a half ago | (#42427745)

The FSF has had this petition up for several months. It was there long before the first machines with Secure Boot became publicly available. Why is it being covered on Slashdot now? Two articles in two days about something that was covered already seems like a waste of time.

Secure Boot is *not* (necessarily) DRM (3, Interesting)

DrJimbo (594231) | about a year and a half ago | (#42427859)

The essence of DRM is that the user is considered to be the attacker. The FSF endorses Secure Boot only when the user has control of the keys so the user is obviously not the attacker in that case. Secure Boot is only a form of DRM when the user/owner does not have control of the keys. This is what we should fight against. Categorizing all forms of Secure Boot as "DRM" is wrong both technically and politically.

Being categorically against Secure Boot is akin to being categorically against digital encryption and signing in general just because they are tools that are sometimes used to create DRM. DRM is bad. Secure Boot without user/owner key control can make it worse. The FOSS community should embrace Secure Boot but fight for key control.

Used properly, Secure Boot will make FOSS systems more secure. It is much better to add security measures *before* they are needed rather than after. We have generally been ahead of the curve security-wise for decades. Embracing Secure Boot (with user key control) will help us stay ahead of the curve. If we instead shun Secure Boot there is a very real danger that we will lag behind.

Again, this is a big NON-ISSUE (1)

Anonymous Coward | about a year and a half ago | (#42428225)

Here is an example of a motherboard from one of the market leaders (ASUS, ASRock, Gigabyte, MSI, Biostar),
that lets you do whatever you want with SecureBoot (rtfm for the feature set)...
http://usa.asus.com/Motherboards/AMD_Socket_FM2/F2A85V_PRO/
And LOOK, you can turn off SecureBoot and/or make any and every key and/or signature whichever way you want it to be.
Precisely according to the UEFI spec as it requires. Read the docs, it's all there. You have full control.

Now, MS has EVERY right to lock their own ARM's and mobos and such products down, and they will do exactly that.
But public mobo makers like these big leaders, and third-party chinese ARM'ers and tablet'ers, never will do that with their open non-OEM lines, because they will lose business. Have you ever bothered to look at Chinese dual-sim phones running Android 4.1 and 4.2 for $250 or less? Totally open and unlocked and doing a brisk business.

So this whole thing is TOTALLY and FALSELY blown out of proportion.
The Linux fanboys and handwavers simply didn't bother to read the UEFI spec where it mandates this detailed level of control be given to the user. They didn't consult the hardware makers to ask. And they didn't review the boards on the marketplace.

The lockdown approach presented by the handwavers only applies to people insisting on buying MS-Windows products, for which they'd never want to run any other OS in the first place... precisely because they're self-defined MS-Windows fans, so they never about this, and can enjoy their chains in a blissful stupor.

Everyone else is simply not going to buy MS products.
It's that simple.

Here's an amazing idea. (2)

idbeholda (2405958) | about a year and a half ago | (#42428319)

If you don't like the secureboot idea, THEN DON'T BUY PRODUCTS THAT INCLUDE IT. Seriously, not that difficult of a concept to understand.