Fedora Considers Building In a Dependency on M$…

Fedora is considering getting M$ to sign a bootloader for them so they can boot Fedora GNU/Linux on UEFI hardware. This is a dangerous precedent. Different evil scenarios:

  • M$ gets this procedure to become standardized in GNU/Linux and then revokes the signing keys or raises prices prohibitively…
  • M$ makes demands to compromise software freedom in a distro before signing the bootloader…
  • M$ insists the bootloader phones home (M$) so that M$ knows where to send salesmen…
  • M$ shifts to a per-core model instead of flat-rate…
  • M$ persuades OEMs to reject the key eventually…
  • Distros like Debian GNU/Linux with strong support for software freedom may be cut out of booting from future hardware…
    “Debian will remain 100% free.
    We provide the guidelines that we use to determine if a work is free in the document entitled The Debian Free Software Guidelines. We promise that the Debian system and all its components will be free according to these guidelines. We will support people who create or use both free and non-free works on Debian. We will never make the system require the use of a non-free component.”

A dependency on a convicted serial monopolist is not in the best interests of the world. One of the major themes and desirable features of GNU/Linux is independence from M$. The world should be very careful before sacrificing our children to the god, M$.

While UEFI is supposed to be a layer of security against malware, M$ considers Free Software like GNU/Linux to be malware and will not hesitate to use its influence over OEMs to implement this DRM-like (Digital Restrictions Management) tool against GNU/Linux. Of course, M$ is unlikely to get away with anything indefinitely, but that does not matter to M$. When $billions per quarter are being raked in, even one more quarter of excluding GNU/Linux from retail shelves matters. M$ will do anything to accomplish that.

See Fedora 18 to support UEFI Secure Boot – The H Open Source: News and Features.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

18 Responses to Fedora Considers Building In a Dependency on M$…

  1. oldman says:

    “In fact a lot of those workstations come with coreboot open source BIOS, so you are allowed to replace the BIOS to lock the systems absolutely in a unique way.”

    I’ve been looking around the Dell, HP and Lenovo sites and I can’t find any such support. I would appreciate your assistance with a URL on this, sir.

  2. oiaohm says:

    oldman

    “Most of which use Red Hat or SUSE. Both of whom will probably sign on to signing their boot loads because their customers will expect it.”

    Both Red Hat and SUSE customers will expect a means to change signing.

    In fact a lot of those workstations come with coreboot open source BIOS, so you are allowed to replace the BIOS to lock the systems absolutely in a unique way.

  3. oldman says:

    “There are Linux workstations on the market, more expensive beasts than your general Windows PCs and also higher spec.”

    Most of which use Red Hat or SUSE. Both of whom will probably sign on to signing their boot loads because their customers will expect it.

    End of problem

  4. oiaohm says:

    Viktor “Oh, wait … there are no vendors who want to sell “Linux PCs”. My bad.”

    There are Linux workstations on the market, more expensive beasts than your general Windows PCs and also higher spec.

    Viktor, as a Linux user I have a use for a secure boot framework I can control to prevent Linux systems themselves being breached.

    Linux workstations have supported TPM-protected boot for a long time, so preventing boot loader or kernel replacement.

    So just get it through your thick head: us Linux people want to use Secure Boot under our own control to prevent those without direct access to the hardware from doing alterations we don’t approve of.

    Yes, it’s a case of MS late to the party and wrecking the party.

  5. Viktor says:

    “There is no reason why secure boot could not have been done a different way.”

    Secure Boot can be switched off! Can we move on? It’s a perfect solution because now vendors can release “Linux PCs” which are just normal PCs but with Secure Boot switched off.

    Oh, wait … there are no vendors who want to sell “Linux PCs”. My bad.

  6. oiaohm says:

    jon, the process is insane.

    There is no reason why secure boot could not have been done a different way.

    Place public key on installation media particularly formatted. BIOS sees a key it doesn’t know; BIOS asks user for approval with a very big bad warning message. It is even possible with modern-day BIOSes for them to go online and update their black lists before installing.

    Yes, have two different media in BIOS: installation media and running media. Also could have been done as a dongle solution, with like a special USB port just for firmware keys. Heck, make this an internal port so you have to open the machine to plug extra firmware keys in. Hackers would not beat this remotely.

    The current option sucks. Even One Laptop per Child laptops have a more sane solution. Each one of those has a global signing key for One Laptop per Child software and a signing key per machine. So you want to run something else, sign it.

    Thing is, allowing users to install their own keys allows people to bypass MS DRM. This is not about protecting you from viruses. It’s about taking control of your machine.

    Linux has many systems it can implement to prevent intrusion based off TPM chip and supporting BIOS chips.

    Really the plug on motherboard with firmware key would be the best. Why my systems not running Linux someone installing Windows on them is installing malware. Also if it’s a standard, new version of Windows comes out, just change the plug.

    But we had to get insanity.

  7. oe says:

    If I were Red Hat I’d let the huge lead Android and GNU/Linux have in the ARM world to allow the Non-UEFI hardware (DRM’ed anti-feature hardware) to crush out any feeble Win8-compliant crap… it’s not a huge risk as “8” seems to be carrying the taint of Vista on it… corporations aren’t apparently keen on it and consumers wowed with iPads and Kindle Fires and Galaxy Tabs are getting much more discerning…

  8. Ivan says:

    “If it could be turned off, what use is it?”

    And if it can’t be turned off with physical access, zealots burn Redmond to the ground and call Fedora evil for having Microsoft sign the boot-loader so Red Hat can continue the hobbyist beta-testing.

    I suppose it’s a win-win for professional whiners pundits.

  9. Clarence Moon says:

    “you don’t call that other OS by its build or kernel ID”

    Well, of course not, Mr. Pogson. It is called by a product name, for example “Windows 7” or “Vista” or “Windows Server 2008”. The same is true for most people’s references to products like Android, Ubuntu, or Fedora. That sort of product name, altered from release to release, gives the product a sort of identity in any product market and lets people distinguish one offering from another.

    Can we agree to do that universally from now on? You could perhaps continue to praise and cite your awe over “Wheezy” rather than the tortured string of categorizations that you generally use.

  10. “Until we see the OEMs shipping units we don’t know whether or not the UEFI could be turned off.”

    Try reading harder.

    One, for the fifty thousandth fucking time, we are talking about Secure Boot. Secure Boot is a _single feature_ of UEFI. UEFI is a standard for PC firmware. Talking about ‘turning off UEFI’ is nonsensical. Would you talk about ‘turning off BIOS’?

    So, please say ‘turn off Secure Boot’ in order not to look like an idiot.

    More importantly, from the article that everyone is busy burning but no-one seems to be taking the trouble to read:

    “all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys”

    It’s right in the first paragraph. So, actually, we already know that all Windows-certified machines *will* have the option to disable Secure Boot or to use the user’s own signing keys.

  11. Ivan wrote, “a small portion of OS hobbyists that can’t figure out how to turn UEFI off will face.”

    Until we see the OEMs shipping units we don’t know whether or not the UEFI could be turned off. If it could be turned off, what use is it? An intruder could turn it off, install his rootkit and be done.

  12. Clarence Moon wrote, “a group that insists on calling something like Linux “GNU/Linux””.

    Well, you don’t call that other OS by its build or kernel ID, so why should we describe/name GNU/Linux by its kernel? The GNU system predated Linux by several years. UNIX operating systems had been around long before Linux. There’s not any particular reason to call GNU/Linux “Linux”, but many do because they are lazy/ignorant. I drive a Lexus because the whole system is a Lexus. I don’t call it a V4-internal-combustion-automobile-built-in-Japan. GNU is a lot more than the software on the client/server systems. It’s a toolchain used to create and install software, too. GNU is a complete environment for IT of which Linux is only one part, although very important. We can plug other kernels into the GNU system but Linux is the one with the widest hardware support and most tested. There are a bunch of kernels in the Debian GNU/Linux repository:
    “dns323-firmware-tools – build and manipulate firmware images for the DNS-323
    kfreebsd-image-8-amd64 – kernel of FreeBSD 8 image (meta-package)
    kfreebsd-image-8.3-1-amd64 – kernel of FreeBSD 8.3 image
    kfreebsd-image-9-amd64 – kernel of FreeBSD 9 image (meta-package)
    kfreebsd-image-9.0-1-amd64 – kernel of FreeBSD 9.0 image
    kfreebsd-image-amd64 – kernel of FreeBSD (meta-package)
    libguestfs0 – guest disk image management system – shared library
    linux-image-3.2.0-2-amd64 – Linux 3.2 for 64-bit PCs
    linux-image-3.2.0-2-amd64-dbg – Debugging infos for Linux 3.2.0-2-amd64
    linux-image-3.2.0-2-rt-amd64 – Linux 3.2 for 64-bit PCs, PREEMPT_RT
    linux-image-3.2.0-2-rt-amd64-dbg – Debugging infos for Linux 3.2.0-2-rt-amd64
    linux-image-amd64 – Linux for 64-bit PCs (meta-package)
    linux-image-rt-amd64 – Linux for 64-bit PCs (meta-package), PREEMPT_RT”

    What we call an OS is our business. Even that other OS goes by different names, some quite rude.

  13. Clarence Moon says:

    What can you expect from a group that insists on calling something like Linux “GNU/Linux”? You are dealing with a fanatic, so plan accordingly.

  14. lpbbear says:

    It’s a total load of crap. Microsoft is clearly attempting to regain all the “marbles” it’s lost to Linux competitors over the last several years using the bullshit excuse of stopping malware at the bootloader to control competitors’ access to PCs and associated hardware. It’s clearly an antitrust issue and legal action will eventually have to happen as competitors realize Microsoft has once again rigged the game against them.

    Microsoft sucks.

  15. Ivan says:

    While I get that somewhere in the magic fairy land that you live in the pixie dust of ARM and unicorn farts from Debian meet everyone’s computer needs, in the real world this is a pragmatic solution to the manufactured problem that a small portion of OS hobbyists that can’t figure out how to turn UEFI off will face.

  16. Viktor says:

    The world remains too complex for you, Pogson. As always. It must be nice to be able to think in terms of black and white about everything.

    Let me summarize for you:

    – Every computer shipping with Windows 8 must have a firmware option to disable Secure Boot. This is a concession Microsoft made.
    – Microsoft signing the bootloader is the most simple and least expensive solution.

    Stop spreading FUD. Even Linux developers aren’t as paranoid as you.

  17. jon wrote, “Wintel hardware”.

    The world does not depend on Wintel. There’s no need to have M$ or Intel dictate what software can run on a PC.

  18. jon says:

    If you’re implicitly referencing Matthew Garrett’s piece, I read it to mean the approach they’re considering is essentially the only acceptable and affordable approach to dealing with an ugly situation.

    Microsoft’s idea here is to prevent malware that loads prior to the boot cycle. That’s not something to lament. As I understand, however, Windows will identify unsigned bootloaders as malware and push out updates disabling them. That means anyone dual booting Windows and an unsigned Linux bootloader will, sooner or later, be unable to boot either Windows or Linux.

    Debian’s sentiments are fine and all, but they, and every other distribution, is going to face the same issue if we continue to expect Linux to be installed and used on Wintel hardware.

    Apple is quickly moving to a signed app regime, so I wouldn’t be surprised to see something very similar implemented there.
