Lock-in, not security
Summary: News and analysis of UEFI ‘secure boot’ (lockdown), including the new role played by the Microsoft-funded SUSE
The UEFI Forum contacted me yesterday, seeking to arrange an interview with UEFI executives. I clarified that my intent is to focus on the impact UEFI has on freedom and choice. It’s not just a Microsoft problem, but Microsoft uses a ‘feature’ in UEFI to impede adoption of GNU/Linux.
Novell, which is close to Microsoft not just due to CPTN (Novell was funded by Microsoft and so is SUSE), has had its former developers help spread UEFI [1, 2], much to Microsoft’s chagrin. They did this inside the Linux Foundation. OBS, another Novell project that got into the Linux Foundation, is helping UEFI restricted boot even further. To quote Mr. Larabel: “OBS, the Open Build Service developed largely by openSUSE, has reached version 2.4. With Open Build Service 2.4 comes support for a new package format, Secure Boot signing, and other features.”
Therein lies the issue with Microsoft influence. Even Torvalds appears to have complained about this influence.
Microsoft did not need restricted boot for security. It is nonsense. Days ago Microsoft announced 33 more security holes in its software (the real numbers are higher, but Microsoft keeps some holes hidden for vanity purposes). Well, that’s where the real security threat exists, not in boot time. Microsoft essentially calls for setting up an alarm system in premises that have neither walls nor fences. Microsoft is also spying on people in the name of 'security' (Skype), leading to this reminder that software freedom matters (“Skype is following your links – that’s proprietary for you”).
By refusing to bootstrap a compromised system UEFI would offer neither cure nor prevention. All it does is prevent people from having choices. █
The universal operating system should help hold Microsoft accountable for anticompetitive practices
Summary: With UEFI cracked as a security measure, all that is left can be deemed an impediment to GNU/Linux booting; hence, Debian GNU/Linux (leading among the free operating systems) should be used as evidence against Microsoft in an antitrust case
Microsoft cannot quite market the limitations of UEFI, notably restricted boot. Truth be told, boot-time malware is not the real threat but mostly a conceptual one (with proofs of concept put out there by security researchers), and moreover UEFI is easy for malicious entities to bypass [1, 2], as proven before (Torvalds, clearly not a fan of all this, saw it coming). Just like DRM, it hurts legitimate users and developers the most. No wonder there is an antitrust complaint over it,
“A critical vulnerability in Internet Explorer 8 is being exploited in the wild and full information about how to make use of the vulnerability is now in widespread circulation. The recent attack on a sub-site of the US Department of Labor has revealed the attackers were in fact using a new exploit for a 0-day vulnerability which only affects Internet Explorer 8,” says this report. So why does Microsoft obsess over boot-time?
UEFI addresses an issue which hardly exists; it is a solution in search of a problem. A highly-anticipated Debian version was released the other day and it is not compatible with Microsoft’s latest hardware restrictions, says Sam Varghese. To quote:
The Debian GNU/Linux project released version 7.0 of its well-known Linux distribution on May 4, two years and three months after the last version came out.
Debian backs the FSF on this matter, so it can hopefully add its support to the antitrust complaint too. █
NB: I am a Debian GNU/Linux user. This distribution recently got some endorsements from the FSF, and vice versa. Its policies under the latest leadership are commendable.
2009 and before:
Summary: Money from Microsoft helps influence a Linux banding of companies that need virtualisation
As Red Hat recently hired from Microsoft for virtualisation leadership, we needn’t be shocked that in a Linux Foundation article from Zemlin [1, 2], with help or a boost from New York Times blogs that label it “Corporate Style” (as if ethics can be neglected when you deal with a corporation), Red Hat et al. enter into bed with Microsoft. This is widely covered, naming both the Linux Foundation and Microsoft. “Is Microsoft influence already making itself felt at Red Hat?” This is what Will Hill thinks. It is about virtualisation:
Recently, I argued that while there’s been a lot of Software-Defined Networking (SDN) hype, it’s also real and will redefine corporate networking in the coming years. The Linux Foundation agrees and — in its OpenDaylight Project — has introduced a community-led and industry-supported open-source framework to accelerate SDN adoption, foster new innovation, and give it a more open and transparent approach.
Red Hat will be working on building and delivering an SDN solution that integrates with OpenStack and Linux’s built-in Kernel-based Virtual Machine (KVM) hypervisor.
Microsoft hasn’t spelled out what it plans to contribute to the project yet.
For now, it provides funding and insists on making its virtualisation purely proprietary. Last year Microsoft indirectly (but more directly than before) paid the Linux Foundation as well. We have seen that before and it leads to self-censorship. █
Photo by Alex Dawson, 2002
Summary: “Because it really shouldn’t be about MS blessings, it should be about the *user* blessing kernel modules,” Torvalds explains
THE MAN who habitually dismisses some Microsoft critics proves his older statements to be somewhat hypocritical. He too treats Microsoft exceptionally.
Torvalds recently made headlines by using strong language and addressing a controversial subject. It is about UEFI with restricted boot and here is some more relevant coverage he generated, helping to raise awareness of the issue:
A push by Red Hat kernel developer David Howells and ex-Red Hat developer Matthew Garrett to get code supporting secure boot merged into the mainline kernel to meet some of Microsoft’s requirements has led to a sharp rebuke from Linux creator Linus Torvalds.
Howells made a request for a patchset to be pulled into the mainline kernel last Thursday, writing, “It (the patchset) provides a facility by which keys can be added dynamically to a kernel that is running in secure-boot mode.
Linux guru Linus Torvalds is at it again. After telling Nvidia to go forth and multiply, the outspoken Torvalds has decided to share some of his thoughts on Microsoft’s signing techniques in a heated online argument with fellow Linux developers.
The developers were discussing ways of improving the Linux kernel with a bit of code that makes it easier to boot on Windows 8 PCs. The process of booting Linux on PCs shipped with Windows 8 has been complicated due to the widespread use of UEFI firmware with Secure Boot feature enabled. Red Hat developers emailed Torvalds to discuss the addition of new keys to the Linux kernel, which should get around the issue.
Red Hat’s Secure Boot support is a case of the company wanting to “deep-throat Microsoft”, according to a forthright posting from Linus Torvalds on the Linux kernel developer mailing list. Torvalds’ comments were made in response to plans by a Red Hat developer to extend Linux support for Secure Boot. The comments have given rise to an ongoing discussion, during which several prominent kernel developers have shared their thoughts on Secure Boot support in Linux.
Moreover, as it turns out, US citizens can now sign this petition calling for the White House to get involved to tackle the antitrust abuse (reports suggest that Microsoft’s fine for antitrust abuses in Europe is only weeks away).
James Bottomley wrote about this in his blog, but as he is former Novell staff who had worked on Microsoft projects, we expect no strong opposition from him. Steven J. Vaughan-Nichols, a Novell-sympathetic writer, wrote this followup:
No one, but no one, in the Linux community likes Microsoft’s mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs. But, how Linux should handle the fixes required to deal with this problem remains a hot-button issue. Now, as the debate continues hot and heavy, Linus Torvalds, Linux’s founder and de facto leader, spells out how he thinks Linux should deal with Secure Boot keys.
Swapnil Bhartiya, not a strong critic of Novell because he likes SUSE, sure isn’t a fan of what Microsoft is doing here. He is in good company when he writes along the same lines as Torvalds, whom he interviewed last year:
There is a heated (heat is a bit colder word) debate going on within the Linux community over how Linux should handle Microsoft’s secure boot keys.
In an ongoing discussion Linus Torvalds has made some suggestions which he believes put users in control of their system and not Microsoft.
Torvalds was sarcastic when saying, “let’s please Microsoft by doing idiotic crap approach.”
This attitude is not exactly news (Torvalds alleges that so-called Secure Boot has nothing to do with security). “Because it really shouldn’t be about MS blessings, it should be about the *user* blessing kernel modules,” Linus Torvalds believes. He basically agrees with Richard Stallman and the FSF then.
Dr. Garrett, on the other hand, continues to push for the agenda that Microsoft hoped for, facilitating its control over Linux. Here is part of this whole long discussion where Torvalds says:
So instead of pleasing microsoft, try to see how we can add real security:
- a distro should sign its own modules AND NOTHING ELSE by default. And it damn well shouldn’t allow any other modules to be loaded at all by default, because why the f*ck should it? And what the hell should a Microsoft signature have to do with *anything*?
- before loading any third-party module, you’d better make sure you ask the user for permission. On the console. Not using keys. Nothing like that. Keys will be compromised. Try to limit the damage, but more importantly, let the user be in control.
- encourage things like per-host random keys – with the stupid UEFI checks disabled entirely if required. They are almost certainly going to be *more* secure than depending on some crazy root of trust based on a big company, with key signing authorities that trust anybody with a credit card. Try to teach people about things like that instead. Encourage people to do their own (random) keys, and adding those to their UEFI setups (or not: the whole UEFI thing is more about control than security), and strive to do things like one-time signing with the private key thrown out entirely. IOW try to encourage *that* kind of “we made sure to ask the user very explicitly with big warnings and create his own key for that particular module” security. Real security, not “we control the user” security.
Sure, users will screw that up too. They’ll want to load crazy nvidia binary modules etc crap. But make it *their* decision, and under *their* control, instead of trying to tell the world about how this should be blessed by Microsoft.
Because it really shouldn’t be about MS blessings, it should be about the *user* blessing kernel modules.
Quite frankly, *you* are what the key-hating crazies were afraid of. You peddle the “control, not security” crap-ware. The whole “MS owns your machine” is *exactly* the wrong way to use keys.
Sam Varghese, a consistent opponent of restricted boot, says that with it “Linux is at Microsoft’s mercy”:
Linux companies or organisations that have paid for, and obtained, keys from Microsoft to ensure that their distributions can be booted on secure boot-enabled devices, have to abide by the terms of a contract or else may have their keys revoked.
Whatever some Linux developers with past in Novell may say, at least we know Torvalds’ approach is perhaps more similar to the FSF’s than his employer’s. █
Summary: Red Hat an accomplice in Microsoft’s restricted boot plans and Linus Torvalds is not happy
Torvalds’ complaints about UEFI restricted boot are nothing new. That anticompetitive scheme from Microsoft is polluting the kernel with binaries which merely serve to help discriminate against Linux and Torvalds has just opened his mouth again, sending out a “NSFW Red Hat rant”:
Linux overlord Linus Torvalds has again vented his spleen online, taking on Red Hat employee David Howells with a series of expletive-laden posts on the topic of X.509 public key management standard.
The action takes place on the Linux Kernel Mailing List, with Howells posting a request that Torvalds “pull this patchset please”.
Howells wants the patchset pulled so Red Hat can “embed an X.509 certificate containing the key in a section called ‘.keylist’ in an EFI PE binary and then get the binary signed by Microsoft.” This arrangement, he suggests, is more elegant than the way the Linux kernel signs certificates today. Torvalds’ initial response is “Not without a lot more discussion first”, because “Quite frankly, this is f*cking moronic. The whole thing seems to be designed around stupid interfaces, for completely moronic reasons. Why should we do this?”
For future reference, here is the original context dated Thursday, 21 Feb 2013 15:47:58 (GMT). Thanks, Torvalds, for doing the Right Thing® in this case. █
Update: Linus Torvalds To Secure Boot Supporters: This Is Not A Dick-Sucking Contest
Pointing the finger at the real culprit
Summary: Spin regarding UEFI and complicity among some has been responsible for tarnishing the name of Microsoft’s competition (Linux), not just suppressing or altogether blocking its adoption
Linux developers who are serving Microsoft’s agenda with UEFI restricted boot are typically former Novell staff. These are people who in the past also worked on Microsoft software, injecting Microsoft’s agenda into Linux because Microsoft was paying Novell for it.
This damaging work is reinforcing the weird notion of “Windows 8 PCs”, as if hardware should no longer be software-agnostic, even on desktops. A more reasonable response would have been an antitrust complaint, not legitimisation of anti-competitive practices that brick hardware. A FOSS basher and occasional Microsoft booster writes about it as though it’s good news, leading others to parrot the official line that has Microsoft controlling the platform, containing the competition (Linux).
We should really be smarter about it. Once Microsoft controls Linux at boot time it can abuse Linux at will. Here is a memorable lesson from WordPerfect, which had to depend on Windows (needless to say, Windows clearly discriminated against WordPerfect). The trial still goes on and here is the latest:
It’s going to be David Boies himself speaking for Novell in the Novell v. Microsoft WordPerfect antitrust appeal before the 10th Circuit Court of Appeals in Denver.
The basis of this antitrust trial is that Microsoft used its API control (similar to restricted boot control) to penalise and suppress WordPerfect. UEFI restricted boot enables similar abuse of power, so pundits who give their opinions about it should take into account Microsoft’s historical behaviour. Dr. Garrett too should be aware that his work is helping Microsoft, more recently generating coverage like this or this, blaming Samsung rather than Microsoft (which masterminded the whole thing) after it helped generate negative publicity for Linux, the kernel (later it turned out that Linux [can be] acquitted in Samsung laptop UEFI deaths). Sure, Samsung is Ballnux (Microsoft-taxed Linux) anyway, so it oughtn’t be endorsed, but with coverage like this we lose sight of the real culprit. Microsoft is guilty of shoving this nonsense down OEMs’ throats and the Linux Foundation’s endorsement of Microsoft’s tactics is in no way helpful. More fiascos are surely on their way and we must remember to blame the company which pushed for it, not those who failed to follow orders from Redmond. █
Summary: Microsoft unable to compete amid new wave of form factors and deterrence against Linux installs put in place, with patent baggage too
THE Microsoft booster whom we like to cite for his ridiculous spin is already recognising the undeniable. As he put it in his headline, “Dismal news for Microsoft’s mobile efforts: Windows Phone and Windows 8 tablets sales are in the dumper” (yes, indeed).
Microsoft just got hit with a double-whammy: Reports show that Windows Phone market share is in the very low single digits in the U.S. and have declined since the release of Windows Phone 8, and Microsoft’s tablet share is scraping the bottom. Will Microsoft eventually be forced to run up the white flag?
The latest figures about Windows Phone share from Comscore are grim. In the quarter ending in December 2012, Microsoft had a 2.9% market share of the smartphone market in the U.S., compared to 53.4% for Android, 36.3% for the iPhone, and 6.4% for Blackberry. More disturbing still is that Microsoft’s market share declined from the quarter previous, when it had a 3.6% market share. That means that Microsoft’s share of the smartphone market declined since the release of Windows Phone 8.
Yes, it’s ComScore again, the company we've just mentioned. They’re Microsoft-friendly. So the real numbers are probably far worse for Microsoft.
It is clear to us what Microsoft can do now in order to stay relevant. It will resort to dirty tricks and market distortion, as usual. We should boycott Microsoft Dell and not expect it to be a GNU/Linux player anymore:
Microsoft scared of Linux, hence loans Dell to distribute PCs with Windows
The Redmond based software giant, Microsoft, has a good hold on the market when it comes to computers, both desktops and laptops. But in the post PC market, eh. There are many players in the post PC market who do better than Microsoft. For example, Apple is doing very well in the tablet and smart phone market, and Samsung has become the top dog when it comes to Android based smart phones, but may not be for tablets.
Microsoft is also screwing with Linux booting abilities, as evidenced by this latest update from Dr. Garrett:
The recent Linux kernel commits avoid one mechanism by which Samsung laptops can be bricked, but the information we now have indicates that there are other ways of triggering this.
Here is a report about it:
Garrett, who was involved in work on UEFI support in the Linux kernel, bases his comments on the information available to him. His comment about other ways of triggering the problem chimes with a report from a reader who, in creating UEFI boot entries, managed to confuse the firmware on his Samsung laptop to the extent that it was no longer possible to access the UEFI setup. When the problem first came to light, Greg Kroah-Hartman, who worked on the samsung-laptop driver, made it clear in a post on Google+ that, in his view, Samsung was the only party in a position to resolve the cause of the problem and that a firmware update was required.
In Garrett’s recent talk about it he said that UEFI is also FAT-encumbered (patents), which makes one wonder. Don’t allow anyone to tell you that UEFI is a solved problem. █
Summary: UEFI, Mono and OOXML recalled along with their role in suppressing GNU and Linux adoption
The other day we named SJVN (Steven J. Vaughan-Nichols) for publishing “Linux on Windows 8 PCs: Some progress, but still a nuisance” and the context was spin that said Microsoft liked Linux while attacking its booting rights. Groklaw’s Pamela Jones wrote something similar to us: “What’s clear to me is that Microsoft hates Linux, it would like it to die, and it throws tacks in its roadway perpetually at every opportunity.”
The media spin which says Microsoft likes Linux often cites or quotes former Novell employees (we will abstain from naming some in order to keep this impersonal), i.e. people who were paid by Microsoft to work on stuff like Hyper-V, Mono, Moonlight, and OOXML.
UEFI is a similar story and former Novell staff maintains it. The same goes for Mono backer Xamarin and some elements of LibreOffice (the Go-OO component, which was obliged by Microsoft money to promote OOXML). We previously explained how OOXML helped impede FOSS adoption in Germany, e.g. in Freiburg [1, 2, 3].
Behind the scenes in Munich [1, 2, 3] Microsoft worked to lobby against it too, using a study which The H says is nonsense, based on what Munich itself is saying:
Talking to The H’s associates at heise open, the head of the Press and Information Office at Munich City Hall, Stefan Hauf, said that it was not possible to conduct a thorough analysis of the study based on the published summary and that many of the study’s assumptions could not be verified due to the lack of detail. Hauf said that, for example, the study factors in support costs for 12,000 clients from the start of the project, although the number of clients gradually rose to 13,000 over the duration of the project. Additionally, workplace maintenance and support is only a minor work aspect for the 1,000 IT staff that are listed in the study, he added.
HP’s calculation completely omits hardware costs as the study assumes that Linux and Windows systems have “roughly the same hardware requirements”. Hauf disagrees: this approach ignores “the experience that Linux clients have lower hardware requirements than Windows clients”, he said. The official added that the study does not differentiate between migration and regular life cycle management costs, and that regular updates of the same operating system were rated as migrations.
HP is worth boycotting over this, but since Red Hat relies on HP servers and both are UEFI backers we find those two sharing a bed, more so this week. █