Linux Foundation Steps Into Windows 8 Secure Boot Flap
Oct 15, 2012 5:00 AM PT
Fans of the classic Pink Panther movies will no doubt remember Chief Inspector Dreyfus, the long-suffering supervisor of Inspector Clouseau who became afflicted with a nervous twitch and over time was reduced to homicidal madness. Herbert Lom, the actor who played Dreyfus so brilliantly, recently passed away.
Linux fans can surely feel some sympathy with Lom's character. We may not have Clouseau to grate on our nerves here in the Linux community, but we certainly have something with the potential to be equally annoying: Windows 8 Secure Boot. Merely mention it, and Linux Girl feels a twitch coming on.
'A Stop-Gap Measure'
Secure Boot has, of course, already figured prominently in the Linux news on numerous occasions over the past few months, but recently it prompted a move from none other than The Linux Foundation itself.
"I'm pleased to announce that the Linux Foundation and its Technical Advisory Board have produced a plan to enable the Linux (and indeed all Open Source based distributions) to continue operating as Secure Boot enabled systems roll out," wrote James Bottomley, chair of the Linux Foundation's Technical Advisory Board, in the official announcement last week.
Taking the form of a dedicated pre-bootloader, the solution is "a stop-gap measure that will give all distributions time to come up with plans that take advantage of UEFI secure boot," Bottomley added.
When The Linux Foundation speaks, FOSS fans tend to listen. Next, they waste no time in their haste to speak their own minds.
'It Is Unnecessary'
"I remember when UEFI/Trusted Computing Platform got floated way back," mused Slashdot blogger yagu, for example. "I always thought that it was insane and would never see light of day. I underestimated my Redmond friends!"
Now, "what's frustrating, even amazing, is that Linux has to deal with this," yagu told Linux Girl. "Or is it more amazing Microsoft can twist elbows so mightily? There is so little empirical evidence that insecure boot technology wreaks havoc. It is unnecessary."
Nevertheless, "under the guise of secure/safe computing, Microsoft gets to put another speed bump on their street," he went on.
Of course, "Linux could be configured with proper certificates," yagu pointed out. "But that would constrain and be anathema to everything Linux. So, Linux now must 'workaround' to get lit up on new hardware."
Meanwhile, "Microsoft smiles," he added.
One result? "The technically curious now (I predict) is a smaller demographic, as each hurdle added whittles the numbers willing to burn so many calories just to get to square one," yagu concluded.
'A Step in the Right Direction'
"This is a stop-gap, but it does perhaps help with the problem of small distros having to deal with hardware that is oriented to Microsoft's UEFI," Google+ blogger Kevin O'Brien pointed out. "Large companies like Red Hat and Canonical can work out their own answers without too much trouble, but the smaller distros, many of which are one-person operations, would have trouble.
"The bigger issue, though, is whether this moves us towards a future where free computing is not allowed any longer," O'Brien added. "Microsoft is fine with that; I'm not."
Indeed, "this is a step in the right direction -- it provides a simple, elegant, universal solution many distros can use without paying the Microsoft tax," agreed Chris Travers, a blogger who works on the LedgerSMB project.
'A Security Half-Measure'
At the same time, however, "I think that Secure Boot is not likely to offer real long-term security, and will go down in operating system history as a security half-measure," Travers added.
"The fundamental problem is a lack of real infrastructure for things like revoking keys, ensuring that as soon as a key is compromised, malware becomes a problem and nobody can fix it," he explained. "I think the general sense is that such is not possible, but spear-phishing is a real problem as far as targeted attacks go, and if foreign governments can break into the Pentagon computers to steal plans for the F-35, I am pretty sure that organized crime syndicates can get the key from Microsoft."
When that happens, "Secure Boot will be no guarantee at all from malware," Travers concluded.
'Microsoft Has Hugely Overstepped'
"I think that this is probably the best solution that I've see so far," Google+ blogger Linux Rants offered. "Rather than have Ubuntu have their solution, and Red Hat have a different one, and blah blah blah ad nauseam, I much prefer a general solution for all Linux distributions."
That aside, however, "I don't think that anybody should have to buy a license from Microsoft to run on a PC that's not made by Microsoft," Linux Rants added. "Not even the Linux Foundation.
"I think that Microsoft has hugely overstepped with these demands," he asserted. "Instead of figuring out ways to work around Microsoft's requirements, someone should bring the DoJ in on this and slap Microsoft down."
'An Incorrigible Anti-Trust Abuser'
Blogger Robert Pogson took a similar view.
"Obtaining a key from an anti-competitive monopolist is not a good solution, but it is better than most others," Pogson admitted.
"I think what is needed in addition is to sue M$ and get the courts to order some independent agency to keep the keys to PCs rather than M$," he suggested. "They are an incorrigible anti-trust abuser and should not be trusted with this role."
'Their Key Will Be Banned'
Slashdot blogger hairyfeet had a dark prediction.
"Mark my words: Not a week after this hits you'll see, 'Win 8 all versions pre-activated' using the LF's 'hack,' and then their key will be banned for being compromised," he warned.
"The moral of the story? Either keep your kernel long enough that it can be properly signed or simply turn off Secure Boot, your choice," hairyfeet concluded.
'They Care About Linux as a Whole'
Not everyone saw it that way, however.
"So everyone is happy now," suggested Robin Lim, a lawyer and blogger on Mobile Raptor. "Microsoft's OS is a little more secure, and the 1000+ Linux distributions can run on Windows 8 hardware."
Meanwhile, "the fact that the Linux Foundation has come up with a solution that works for all of the little distros instead of just the big ones tells me they care about Linux as a whole rather than just the big players," consultant and Slashdot blogger Gerhard Mack told Linux Girl.
That, he concluded, "is another reason for me to renew my membership next year."