Bonum Certa Men Certa

Today in UEFI 'Secure' Boot Debates (the Frog is Already Boiling and Melting)

posted by Roy Schestowitz on May 28, 2024

Over at LQ today:

Originally Posted by TheJooomes /div>
That's the meaning I extracted from "no BIOS", "third party UEFI certificates have been disabled", and "The era of general purpose computing is drawing to a close". I haven't heard of cases that extreme before so I want more than a claim in a forum thread.
No problem. Here are two links, the first one via an archive in case m$ changes it:

"Secure the Windows boot process":

and "Using your own keys"

Though the first one has a lot of weasel-wording it still makes the point. Notice that you have to actually parse the document:

Configure UEFI to trust your custom bootloader. All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
The word "default" is not used specifically, yet the default is exactly what is being described.

Also, the gotcha there is certified. Those which are not certified and those which are certified but not in compliance are not going to permit that. Talk with people who deal with resale of used systems and you will get plenty of first hand anecdotes, there are certainly such shops or individuals in your geographical area.

If you have not gone out of your way to follow trends in ICT lately then it would not be strange that you have not heard of third party certificates being disabled by default. Again, there was a lot of discussion and detailed analysis before UEFI was even rolled out. All that is buried somewhere in the search engines, assuming the pages are even still up.

Edit: See also:
Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party
Certificate to be disabled by default. This means that for any of these Lenovo
platforms shipped with Windows preinstalled an extra step is needed to allow Linux to
boot with secure boot enabled.

UEFI + Secureboot was always just a lot of "security theatre" marketing for the gullible. For proprietary OS vendors, security is a feature which can be sold for profit. The aim was always to lock out alternative OS such as Linux. UEFI itself was dreamed up by a consortium of the x86 hardware/bios vendors, MS and Apple.

Those who still believe that Secureboot is really about security and preventing "evil maid" attacks need to pull their heads out of the sand. Business often invents the problem, then sells the solution and this was very similar, but not quite the same. It also came packaged with MS' anti-competitive, hostile agenda to destroy Linux - all dreamed up during the Steve "Linux is a cancer" Ballmer era.

It astounds me that users of FOSS operating systems who post on sites like this one, happily walked down that path, eagerly supporting sell outs like Canonical and Red Hat and are still parroting the marketing speak about Secureboot, many years later. Many of these people were running Linux on hardware which was not configured for dual booting Windows 8.0/8.1, yet still they took great pride in running a UEFI only system, disabling legacy boot, jumping through hoops to configure their OS to boot by this horrible convoluted broken and ironically, insecure MS design, which even uses the antiquated MS FAT file system.

MS wants to ensure that only a Microsoft OS can boot from the bare metal, it has been paving the way for this for years. For Linux it has invested in WSL/WSL2 and it has lured people across with the convenience of that.

The TPM/TPM2 is a further assault on your freedom to install what you want to install on the hardware you paid for. It is one of the latest advances in "Trusted Computing", which is anything but trustworthy...

There are some gotchas too. For example, TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control. For example, if a protected song is extracted from a hacked TC platform and made available on the web as an MP3 file, then TC-compliant media player software may detect it using a watermark, report it, and be instructed remotely to delete it (as well as all other material that came through that platform). This business model, called traitor tracing, has been researched extensively by Microsoft (and others). In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress everything from pornography to writings that criticise political leaders.
The gotcha for businesses is that your software suppliers can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor. Such blatant lock-in might be prohibited by the competition authorities, but there are subtler lock-in strategies that are much harder to regulate.
12. Scary stuff. But can't you just turn it off?

Sure - unless your system administrator configures your machine in such a way that TC is mandatory, you can always turn it off. You can then run your PC as before, and use insecure applications.

There is one small problem, though. If you turn TC off, Fritz won't hand out the keys you need to decrypt your files and run your bank account. Your TC-enabled apps won't work as well, or maybe at all. It will be like switching from Windows to Linux nowadays; you may have more freedom, but end up having less choice. If the TC apps are more attractive to most people, or are more profitable to the app vendors, you may end up simply having to use them - just as many people have to use Microsoft Word because all their friends and colleagues send them documents in Microsoft Word. By 2008, you may find that the costs of turning TC off are simply intolerable.
In the world of "Big Tech", the words "trust", "security" and "privacy" don't mean what you think they mean.

Other Recent Techrights' Posts

EU 'Chat Control' Law is Already Discrediting the Stated Goals of GDPR
Equip kids with always-on always-connected microphones and double-sided cameras, just to be safe...
Jean-Pierre Giraud, Possible Forgeries & Debian: elections, judgments, trademark already canceled, archaeologist
Reprinted with permission from Daniel Pocock
Justices Jeremy Johnson and Victoria Sharp to Decide the Fate of Julian Assange in About Three Weeks
Will he be back home in Australia by year's end?
Treating Them as Teammates, Not as Political Props, Trophies, or Objects
Most of the world's people are women
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 19, 2024
IRC logs for Wednesday, June 19, 2024
Morocco: GNU/Linux Surges From 0.1% to 4.21%
Microsoft has mass layoffs in Africa these days
[Meme] EU Chat Control II
Stuff like "Chat Control" means that GDPR will lose credibility and the true motives be rightly scrutinised/questioned
You're Only Proving Our Point, Sir
clearly obsessed with what we write
Just Because It Happened Over 20 Years Ago Doesn't Mean It's "Old News" or Stopped Happening
This strategy merely evolved
Thanking Solderpunk for 5 Years of Gemini Protocol
Long live Gemini Protocol and long live Solderpunk!
[Meme] He Who Controls the Boot
And licks the Microsoft boot
[Meme] systemd-recovery
Imagine "Linux" (Poetterix) becoming so unreliable that it needs factory resets
Almost Every Day This Month the GNU/Linux "Market Share" Grows in statCounter
Advocates like to see progress
Dawg, I Herd You Like Freedom
In the context of Software Freedom, little is ever said about free speech
Links 19/06/2024: Microsoft Faces Big Backlash, Bytedance Referred to US Department of Justice
Links for the day
Gemini Protocol Turns 5 in 15 Hours
Geminispace is still very much alive
OSI's Blog is Still 100% "AI" Nonsense Sponsored by Microsoft (the Authors Are Also Salaried by Microsoft)
The founder of the OSI no longer supports the OSI
Poland is Another Country Where Bing Lost a Lot of Market Share Since the LLM Gimmicks
down from 3.24% to 2.4%
It Took Microsoft More Than 3 Years to Get a Quarter of Windows Users to 'Upgrade' to Vista 11 (3 Out of 4 Windows Users Still Reject It)
That is exactly what's happening right now
[Meme] The Empire
Don't be like Putin
They Want 'Transparency' Only for the General Public (Every Bit of Communication Available to the Government, Usually Via Corporations)
The EU might decide to effectively ban SSH
Free Software Won't Fix Equality, But It Helps
Let's examine Free software in the context of: 1) money. 2) justice.
Links 19/06/2024: SFTP and Gopher Milestone
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 18, 2024
IRC logs for Tuesday, June 18, 2024
US Surgeon General's Advice on Social Control Media (and "Smart" Phones) Seems Reasonable
People forget what the real world is about
Quiet at Planet Debian has not had any updates since 5 days ago
Belarus: Bing Fell From 1.1% to 0.6% Since Microsoft Started the LLM Hype (Yandex is 50 Times Bigger Than Bing)
Now enter Belarus
Morale at Microsoft Sinks to New Lows
The annual 'Employee Signals' survey showed a drop from 69% to 62% in positive responses
Microsoft Windows is Being Abandoned in the UK, Relative to Other Platforms (New All-Time Lows)
Windows at new lows
Links 18/06/2024: More Executives Leave Microsoft, Attacks on the Press in Russia and 'Exile'
Links for the day
[Meme] Always Livecasting
Wait Till Systemd-Recall
Australia: Bing Lost Market Share Since the LLM Hype ("Bing Chat")
Google rose, Bing went down
Gemini Links 18/06/2024: Unconscious Consumption and Firewall Autoban
Links for the day
[Meme] Canonical Has Basically Become Novell II
Today's Canonical...
While Everyone is Furious at Vista 11 (Over TPM, Recall and Other Malicious 'Features') Canonical is Selling It to People
So the only thing Canonical says about Windows is that you should give it a try?
Links 18/06/2024: Adobe and Internet Archive in Trouble
Links for the day
Peter Duffy Explains SystemD
Ein Volk, Ein Reich, Ein Führer!
[Meme] The Doyen and the Colonel
EPO continues to prioritise lawbreaking over knowledge
EPO Union Action: Next Week SUEPO The Hague and SUEPO Munich Talk About New Pension Scheme (NPS) and Salary Savings Plan (SSP)
So there are basically 32 days left for more people to intervene
[Meme] Wait Till Systemd-Recall
The only thing Linux still needs is a forensics backdoor
GNU/Linux Up This Month in India (or Why Famous Criminal Bill Gates Keeps Visiting Modi)
truth tends to catch up with people
Microsoft Poetterix is Work in Progress
Linux's New DRM Panic 'Blue Screen of Death' In Action
24/7 Work Discipline
it's not so much about how much (or how long) one works, it's about how one works and whether one feels comfortable doing it
Adamant Conformism is an Enemy of Science
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man"
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 17, 2024
IRC logs for Monday, June 17, 2024
Links 18/06/2024: Further Mass Layoffs and Gemini Leftovers
Links for the day
At IBM, "Brownnosing is the Norm."
Many of these comments are from IBM insiders
Myanmar/Burma: Google Gains One Percent, Microsoft Loses One Percent Since the LLM Hype ('Bing Chat')
it's not hard to understand LLMs didn't replace real search and didn't replace Google, either
[Meme] KISS, not SAAS
Gemini Protocol turns 5 in exactly 2 days
Hostageware: The Threat of Clown Computing (or 'SaaS', Another Misnomer or Buzzword) to Computer Users Everywhere
This problem isn't limited to Free software adopters