Canonical, the FSF and the Ongoing Secure Boot Saga

What do the Energizer Bunny and the ongoing Windows 8 Secure Boot Saga have in common?

Yes, that’s right: They both just keep going.

Scarcely a week goes by these days, in fact, without some fresh proclamation to fan the flames of UEFI controversy here in the Linux blogosphere.

‘There Is Much to Like’

It was just a few weeks ago that we learned about Fedora’s solution, of course.

Since then, Canonical has outlined the (also controversial) approach it plans to take — followed in short order by new comments and criticism from none other than the Free Software Foundation.

“There is much to like about Fedora’s thinking,” wrote FSF Executive Director John Sullivan in the group’s white paper on the topic.

‘We Urge Canonical to Reverse This Decision’

As for Canonical’s solution? Not so much.

“Our main concern is that because they are afraid of falling out of compliance with GPLv3, they plan to drop Grub 2 on Secure Boot systems in favor of another bootloader with a different license that lacks GPLv3’s protections for user freedom,” Sullivan wrote.

“We urge Ubuntu and Canonical to reverse this decision, and we offer our help in working through any licensing concerns,” he added.

Discussion at Debian

There’s been plenty of speculation as to Canonical’s rationale — not to mention some justification from Mark Shuttleworth himself.

Meanwhile, reports of murmurings on the topic among Debian developers have kept imaginations active, as has the arrival of the first retail PCs to support UEFI Secure Boot.

Bottom line? No proverbial “fat lady” is going to be singing around here anytime soon.

On Slashdot and beyond, the flames of controversy just keep getting higher.

‘The User Had Better Be Able to Control It’

“FSF has it right on ‘secure boot,'” opined blogger Robert Pogson down at the Linux blogosphere’s seedy Broken Windows Lounge.

“If it’s about security, the user had better be able to control it to adapt to any eventuality,” Pogson explained. “The concept that M$ should control what runs on a PC is a nightmare.”

To wit: “Look at some of their brilliant ideas,” Pogson pointed out. “Exclusive dealing, ever-evolving protocols and file-formats, bloat that makes Moore’s Law blush, extreme numbers of APIs to allow malware-authors maximum creative opportunities, and MIPS-eating applications.

“They also missed the boat on smartphones and tablets,” he added. “Their only vision is a license from M$ on every PC.”

In short, “it’s time the world told M$ where to get off,” Pogson concluded.

‘Ubuntu Is Right to Be Concerned’

Chris Travers, a Slashdot blogger who works on the LedgerSMB project, was sympathetic to Canonical’s perspective.

“It’s a good decision for Ubuntu,” Travers told Linux Girl.

“The problem with the GPLv3 is it is even less clear than the GPL v2, and Ubuntu is right to be concerned,” Travers explained. “The license is long, it’s complicated, and it’s contradictory with its presumed meaning, so you can’t simply read the license to figure out what it means.

“This is why I won’t touch it for software I write,” he added.

“If Ubuntu represents to distributors that they do not have to share their keys, are they guilty of Grokster-style contributory infringement?” Travers mused. “If Ubuntu has the right to take steps to ensure that their distributors distribute keys and fails to take them, can they be held liable for vicarious infringement?

“I am sure the answer that motivated them was, ‘why not?’ In that case, the right thing to do is to find some other bootloader,” he opined.

‘It Is Poorly Done’

However, “I am not impressed at all with the way Secure Boot is being implemented,” Travers said. “It is a counter-measure against an important emerging threat model, but it is poorly done.”

For example: “Cryptographic security requires the ability to rotate keys; otherwise, a spear-phishing email could reduce all the security to nothing overnight, and users’ only recourse would be to buy a new computer perhaps a few months later,” he explained.

“If keys could be rotated and bootloaders re-signed (perhaps via a USB drive and a firmware-level setup utility), then sophisticated users would have a fighting chance,” Travers concluded. “But as it is, nobody has any chance at all.”

‘Still a Massive Improvement’

Another question entirely, however, “is whether we even need something as complicated as GRUB or an EFI boot loader,” consultant and Slashdot blogger Gerhard Mack suggested.

“For all its faults and the NIH brain damage that kept Intel from considering far superior solutions, it is still a massive improvement over the current BIOS,” Mack opined.

“With EFI, boot loaders don’t need to perform the gymnastics needed to load a fully 32- or 64-bit OS from a 16-bit environment,” he pointed out.

‘It Is Getting a Bit Irrelevant’

Roberto Lim, a lawyer and blogger on Mobile Raptor, wasn’t sure it really mattered anymore.

“In my humble opinion, it is all getting a bit irrelevant,” Lim told Linux Girl. “The days of the open PC platform are at an end. With each generation of new devices, they will become more like regular electronics, designed to work with a particular version of hardware or software just like game consoles and Smart TVs.”

Linux is battling Windows for market share “in an arena which will grow smaller by the year,” he predicted. “Really, Linux is still designed like it is going to be installed on a traditional desktop, rather than a laptop” or smaller device.

“You have to look at the new playing field where a computer can now also take the form of a mobile phone, tablet, gaming console or even a television set,” he suggested. “The functionality of these devices is converging.”

The solution, then, “is not to try to find a way to keep on installing Linux in PCs designed for Windows or Mac OSX, but to just start selling Linux PCs and devices,” Lim concluded. “Someone buying a Linux laptop because it has Linux on it would be refreshing.”

‘Why Is Anybody Listening to RMS?’

Last but not least, Slashdot blogger hairyfeet said it all amounts to so much FUD.

“WHY exactly is anybody listening to RMS and his FSF anymore?” hairyfeet wondered. “Seriously — I wanna know. He takes money from Intel and IBM, has NO problems with CEOs making huge money — only programmers — and still acts like it is 1975, going so far as to call everyone ‘hackers’ like he’s at a homebrew club.

“We all know the FSF is his org and his pulpit for the ‘RMS religion,’ which frankly has left sensible about three exits back,” hairyfeet added.

‘Steve Ballmer Edition’

As for “why Secure Boot?” hairyfeet went on. “Simple: Go to TPB and look up ‘Windows 7 SP1 all versions pre activated’ and see for yourself.

“The boot process is completely hacked on Win Vista and Win 7, and frankly without some sort of secure boot, MSFT might as well let guys set up on the street corner with ‘Steve Ballmer Edition’ USB drives for $10 like they have in China,” he explained.

“The whole thing is FUD on the part of the FSF and RMS anyway,” hairyfeet added. “Are you gonna seriously tell me someone has the skills to 1. Know what Linux is; and 2. Download and burn a Linux ISO; but 3. Doesn’t even have enough common sense to switch a single setting in UEFI?

“Really?” he concluded. “Because if you expect anyone to buy that, I have some magic beans you might be interested in.”