Forgot your password?
typodupeerror
Operating Systems Ubuntu Linux News Your Rights Online

FSF Criticises Ubuntu For Dropping Grub 2 For Secure Boot 296

Posted by samzenpus
from the I-am-dissapoint dept.
sfcrazy writes "The Free Software Foundation (FSF) has published a whitepaper suggesting how free operating systems can deal with UEFI secure boot. In the whitepaper, the foundation has criticized the approach Canonical/Ubuntu has taken to deal with the problem. The paper reads: 'It is not too late to change. We urge Ubuntu and Canonical to reverse this decision, and we offer our help in working through any licensing concerns. We also hope that Ubuntu, like Fedora, will actively support users generating and using their own signing keys to run and share any versions of the software, and not require users to install a key from Canonical to get the full benefit of their operating system.'"
This discussion has been archived. No new comments can be posted.

FSF Criticises Ubuntu For Dropping Grub 2 For Secure Boot

Comments Filter:
  • by Viol8 (599362) on Monday July 02, 2012 @11:55AM (#40517723)

    ... for someone to hack the secure boot BIOS and provide an easy way for users to reflash theirs from Windows or whatever OS is preinstalled on the machine when bought new. No doubt this will prevent windows being reinstalled but unless you want a dual boot machine I doubt this matters much.

    On a related note, how will this affect linux being booted from within windows (if anyone still uses that approach)?

    • by crazyjj (2598719) * on Monday July 02, 2012 @11:59AM (#40517747)

      hack the secure boot BIOS

      Citizen, you have advocated criminal violation of the Digital Millennium Copyright Act. Please place your hands in the yellow circles and await a police action.

      • by shentino (1139071) on Monday July 02, 2012 @12:13PM (#40517863)

        Sadly I think this may well be true in the future if hacking your own PC is treated by Microsoft the same way that modchipping your PS is treated by Sony

        • by JerkBoB (7130) on Monday July 02, 2012 @12:55PM (#40518267)

          Sadly I think this may well be true in the future if hacking your own PC is treated by Microsoft the same way that modchipping your PS is treated by Sony

          I haven't really been paying attention to what Sony has been doing (don't own a PS3), but I wonder if Sony really cares about modchipping itself, or if they just want to keep modded consoles off of PSN?

          The latter seems reasonable to me... If you want to mod the console, fine. Just don't expect to be allowed to play in the sandbox with all of the unmodded consoles. You know if they let modded consoles on that games would be flooded by griefers and other annoying breeds of adolescent (chronological or mental).

          Not picking a fight, just wondering if I'm missing something...

        • by isorox (205688)

          Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

          http://www.gnu.org/philosophy/right-to-read.html [gnu.org]

        • by AmiMoJo (196126)

          Is there actually any evidence to back up this assertion? The stated reason is to prevent malware replacing the bootloader or low level drivers, and to prevent bootloaders used for piracy. Both are pretty common these days.

          What benefit would MS gain from locking out other operating systems? Linux is still no where near making an substantial inroads on the desktop or on tablets. Okay, there is Android, but do they really think many consumers will want to replace their tablet's OS with a different one?

          I'm not

    • by Anonymous Coward on Monday July 02, 2012 @12:01PM (#40517763)

      I'd say the ultimate solution is for every linux fan to stop recommending computers with locked BIOSs, push hardware with coreboot, and to ignore distros which aren't playing ball. Cracking it is the pragmatic solution.

      • Re: (Score:3, Insightful)

        by ArsonSmith (13997)

        How will Microsoft deal with the loss of all 8 of those sales.

      • by Microlith (54737) on Monday July 02, 2012 @12:37PM (#40518093)

        stop recommending computers with locked BIOSs

        So eventually all of them?

        push hardware with coreboot

        None?

        Cracking it is the pragmatic solution.

        Nor is pushing hardware that doesn't exist.

      • Re: (Score:3, Insightful)

        by ugglybabee (2435320)

        I'd say the ultimate solution is for every linux fan to stop recommending computers with locked BIOSs, push hardware with coreboot, and to ignore distros which aren't playing ball. Cracking it is the pragmatic solution.

        I've been using Linux for ten years, since August of 2002, and I don't know what the FUCK any of this means.

    • by Anonymous Coward on Monday July 02, 2012 @12:20PM (#40517925)

      So far there's no indication that you need to hack anything. Microsoft requires that PC's sold as certified for for Windows 8 allow you to enter custom mode and load your own certs. The reason Linux Distros are going the routes they are, using a Microsoft Signed boot loader, is that they want something that will be bootable on any machine out there with out having to enter the bios. While your typical users here on slashdot probably doesn't have any problems entering their bios and adjusting Bios settings for many other users is something they've never done and it's going to be extremely specific to that mfgs implementation on that particular hardware so no general set of instructions is possible.

      • by AmiMoJo (196126)

        Isn't entering the BIOS pretty much the only way to install Linux on many PCs now? By default most seem to be configured not to boot from CD or USB drive and the boot menu key is disabled. Manufacturers don't want the hassle of dealing with people who left a bootable CD in the drive.

    • Doable, I am sure. But it'd have to be done for every motherboard and every revision, and meddling in the EFI at that level is how you brick things. It's not the type of dangerous, difficult operator you want to require linux newbies do before they can even install it.
    • by betterunixthanunix (980855) on Monday July 02, 2012 @12:35PM (#40518049)

      for someone to hack the secure boot BIOS

      So it's come to the point of having to attack our own computers just to run the software we want? The fact that we have to resort to these measure is a sign of just how bad things have gotten.

      provide an easy way for users to reflash theirs from Windows or whatever OS is preinstalled

      So to run free software, I have to first agree to yet another license for proprietary software? That is a step backwards if I have ever seen one.

      No doubt this will prevent windows being reinstalled but unless you want a dual boot machine I doubt this matters much

      There are lots of people who want or need dual boot. I would guess that a substantial fraction, maybe even a majority, of GNU/Linux users have dual boot. People should be free to use their computers the way they want, which includes the freedom to dual boot.

      • by Nerdfest (867930) on Monday July 02, 2012 @01:02PM (#40518371)

        We've been at that point for quite a while now. Have a look at any of the iDevices. Even some of the Android phones have locked bootloaders (which don't restrict which apps you can install, but they limit your OS options). We're just seeing it spread, much like the locked Apple market is spreading to Windows metro.

        • Indeed, although we can at least find computers from major manufacturers that will run GNU/Linux -- and we can tell people what to avoid. With Microsoft going full-steam on restricted boot environments, it will only be a few years before we cannot buy a laptop from Dell that will run GNU/Linux (except for those distros that have made a deal with Microsoft -- so much for choice).
    • Just to be clear, UEFI is not BIOS unless you use one which chooses to provide BIOS emulation.
    • Well if you are worried then the answer is simple, support AMD who has switched to Coreboot [softpedia.com] instead of UEFI as the replacement for BIOS. Since I doubt VERY seriously MSFT would have the brass balls to try to ban AMD systems from running Win 8 (and most likely risking another antitrust investigation) they will have to allow AMD systems to use Coreboot which means if you don't like it? The source is right there, help yourself and flash away.

      But whether FSF likes it or not MSFT seems bound and determined to get rid of Windows piracy not with the carrot but with the stick, since its common knowledge that Win 7 is completely cracked wide open thanks to bootloaders that even allow the machines to get all updates without so much as a WGA warning so like it or not MSFT is gonna push this. At least AMD is supporting an open tech that you can flash yourself, although you always have the option of just turning the damned thing off and not using Secureboot.

      Personally while i think offering Win HP for $50 and the Family Pack for $100 (which there is one of the family packs being offered right now on deals.woot for $95 and free shipping, its on page 4 i believe) to end piracy ultimately its their OS and they can be as tarded as they want with it. I think everyone is getting their panties in a wad over nothing myself, the amount of backlash I've seen at the shop over Win 8 is 10 times worse than Vista so I have a feeling its gonna be the new MS Bob and the OEMs are gonna be killing secureboot and shipping Win 7 as fast as they can get them out the door. Don't forget Vista had crazy anti-piracy shit in it too and it BOMBED like Michael Richards at an NAACP fundraiser so I really think we don't have anything to worry about here.

  • by GeneralTurgidson (2464452) on Monday July 02, 2012 @12:05PM (#40517797)
    Go ask Novell how well chasing that Microsoft interoperability trains works.
    • Novell made a killing and and was an industry powerhouse for decades. Much of their wealth came from making the Microsoft environment easier to use.

      Also many of Microsoft's biggest competitors started of by being compatible with Microsoft. Google providing Exchange protocol services, Office file format compatibility, same with Apple, OpenOffice, etc. And that hasn't worked out too bad for them.

      • by Microlith (54737) on Monday July 02, 2012 @12:54PM (#40518253)

        And it's always been on the thin edge of the razor. Microsoft has readily yanked their chains by changing the file formats and protocols, keeping them perpetually behind in terms of compatibility.

        As for Novell, compatibility providing a few years of bounty is meaningless when the source of that bounty turns around and uses their monopoly to effectively drive you from the market. All you've done is made them more powerful.

    • Maybe you should be asking Microsoft how well the Novell interoperability train is?

      How conveniently we forget Novell was kicking Microsofts butt (in networking). And doing everything they could to keep Microsoft out.
  • by gQuigs (913879) on Monday July 02, 2012 @12:08PM (#40517813) Homepage

    not as much, but still (for planning to use the MS key). It's a very bad position we (Free Software) are in with Restricted/Secure boot. I think it's time the Linux friendly vendors really get behind CoreBoot [http://www.coreboot.org/Welcome_to_coreboot] and let us be truly independent.

    As it is setup right now:
    Binaries can only be signed with one key. If you use Microsoft's key, you can't use your own.
    Not all vendors may support letting users add their own keys. (and even if they do it certainly complicates a fresh install).
    ARM will be completely locked down if vendors want MS to run on it.
    If you use the Microsoft key, they can revoke your access (they likely need cause, but still)

  • This is nothing new (Score:2, Interesting)

    by 101percent (589072)
    Ubuntu/Canonical has been the worst type of Karma whores since the beginning. They built a following by pimping the philosophy of freedom, only to abandon these ideals once the foundation was set. They have enouraged people to accept non-free video and wireless drivers, while companies like RedHat have tried to work with Vendors and educate folks about why this is a bad thing. Now with their app store with non-free projects; they've even undone this feat with kneeling towards Redmond (secureboot). I kno
    • hey built a following by pimping the philosophy of freedom, only to abandon these ideals once the foundation was set. They have enouraged people to accept non-free video and wireless drivers

      Really now? So it wasn't defaulting to the piece of shit Nouveau driver instead of the Nvidia blobs for the past few releases, making me have to jump through hoops before I decided to just use Xubuntu in Virtualbox on Windows instead of fucking with it anymore.

      There's a lot of legitimate shit you can call Canonical on. Let's focus on the real ones instead of on the "free as in what we say it is" frothing.

      • by drinkypoo (153816)

        Really now? So it wasn't defaulting to the piece of shit Nouveau driver instead of the Nvidia blobs for the past few releases, making me have to jump through hoops

        Great, Free Software proponents cry when Ubuntu starts offering nVidia drivers, and now you cry because you have to install the nvidia driver and maybe blacklist Nouveau.

        • by Junta (36770)

          No, a few purists decry the implicit endorsement of closed binary by Ubuntu working to automatically lead a user to use the nVidia binary instead of the less featureful Nouveau drivers. They appreciate Fedora's stance, hoping that one day it will topple nVidia's thinking and result in a quality open source driver, but see players like Canonical ruining that opportunity to change reality for the better.

          More pragmatic Linux users express a sentiment that they appreciate Ubuntu's efforts to more carefully con

    • Re: (Score:3, Insightful)

      by Junta (36770)

      RedHat have tried to work with Vendors and educate folks about why this is a bad thing

      The key word here being 'tried'. It really hasn't done anything to change the ubiquity of MP3 and h264. In that case, the momentum (mp3 is as good as the alternatives technically and has been around longer) or technical merit (h264 hs *no* unencumebered competition to acheive the same results) far offsets the ideology of 'free' for most of the world that we must live in. We aren't sufficiently better off in drivers due to RH's stance (fglrx and nvidia drivers are still pretty much required to extract val

  • a sea change (Score:5, Insightful)

    by Anonymous Coward on Monday July 02, 2012 @12:30PM (#40517997)

    This is the start of a sea change in who controls our computers. Yes, for now you can turn it off (oh, sorry, unless you're using an ARM system), but this is just the first step. They can't go the entire way all at once. They've tried before, and learned they have to go one step at a time. Each step doesn't seem so bad, until finally, all the cards fall into place.

    Already most of our mobile devices no longer belong to us, unless you manage to defeat the device's security that is meant as security against YOU, the owner of the device. Bought anything with iOS, or about 95% of the Android devices? Or WP7? Sorry, someone else owns it even after you purchased it. That's the world that many powers like Microsoft and many governments desire for the whitebox PC. A locked down device that obeys other masters, only booting "trusted" OSs that let those masters have the final say over what your computer does. Because a world where a billion individuals had control over their own computers could not be allowed to persist. It threatens too many corporations and governments.

    Of course, people will buy these increasingly locked down PCs just like they are falling all over themselves to buy tablets, so this world WILL come to pass. All we can do is figure out how to deal with it.

    • I don't understand how Intel supports this. They have pumped a lot of money and support into Linux in the past. Why would they now produce products that freeze it out?
      • Servers and Laptops (Score:5, Interesting)

        by betterunixthanunix (980855) on Monday July 02, 2012 @01:06PM (#40518401)
        Intel knows where they can make money from GNU/Linux: servers. That is not the target of this restricted boot system, and even if these restrictions come to servers, nobody will complain -- professional IT workers can put a $99 signing key purchase on their budget and continue to deploy whatever they want. Desktop GNU/Linux is not going to make Intel all that much money, and they know it -- Windows and Mac OS X are where all the desktop money is.

        Intel and everyone else knows that restricted boot environments for personal computers (desktops and laptops) will be hugely profitable. Entertainment companies love it -- they can deploy a new kind of DRM that won't be defeated for years (see: PS3). Software companies love it, because they can stop people from applying cracks to evade DRM. ISPs love it because they can better lock-down their networks if they can control the computers that can be connected to those networks. The potential for money-making deals is HUGE, and Intel knows that when their chips are the center of these profitable systems, they make lots of money.

        At the end of the day, Intel could not care less about hackers or computing freedom; they exist to make money, and there is no money to be made in allowing desktop and laptop users to have freedom.
  • My big concern is corporate computers. If your company is issuing you a computer, and they don't realize that some engineers want to run Linux, they may not let you install new keys or disable the secure boot. This is where it's a good idea to have one vendor using the Microsoft key, and other vendors using their own keys (and hopefully getting major PC sellers to include those keys). That way we at least have one solution that will work even on a locked-down system.

    I think Red Hat's strategy is to be th

    • If your company is issuing you a computer, and they don't realize that some engineers want to run Linux, they may not let you install new keys or disable the secure boot

      Sounds like a big selling point: "Make sure your employees only run approved software!" Corporate bosses are not going to complain about losing control, and if the engineers are unable to make a business case for approving another OS (see how things switch up there), they had better just deal with what was approved.

      I think Red Hat's strategy is to be the Linux distribution that will work without having to mess with any secure boot issues,

      Which is a fine strategy for making money on a GNU/Linux distro, but some of us would prefer not to have to get Microsoft's permission to run the software we want to run. If you look at wh

  • Is there any way to get editors who know enough English to at least filter out sentences like:

    The Free Software Foundation (FSF) has published a whitepaper recommending free operating systems how to deal with UEFI secure boot.

    It's not like it would have been hard to change it to:

    BLOCKQUOTE>The Free Software Foundation (FSF) has published a whitepaper recommending ways for free operating systems to deal with UEFI secure boot.

    And yes, I know that being a grammar nazi is unfashionable. But illiteracy rea

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Is there any way to get editors who know enough English to at least filter out sentences like:

      The Free Software Foundation (FSF) has published a whitepaper recommending free operating systems how to deal with UEFI secure boot.

      Oh, please, it's just a one-letter typo, no need to get twisted.

      The Free Software Foundation (FSF) has published a whitepaper recommending free operating systems howl to deal with UEFI secure boot.

      There, fixed it.

  • by seandiggity (992657) on Monday July 02, 2012 @01:01PM (#40518347) Homepage

    Although it was obvious the FSF would take this position, as it should, isn't it strategically wise to have multiple solutions for users to load a (mostly) free software OS on hardware with UEFI? For similar reasons, I think it's good to have Android devices running ClockworkMod so that they may boot CyanogenMod/Replicant. I understand that we (free software advocates) should always be encouraging consumers to make smart choices and purchase devices that will run free software (and a complete free software stack, when that's possible).

    However, free software would become an "oasis in a desert", rather than a large and thriving ecosystem, if binary blobs, non-free drivers, non-free BIOS's, firmware hacks, etc. weren't around. It would become increasingly difficult to bring in more users. Those who have developed free software implementations to replace proprietary ones originate from all over the free software spectrum, so the pool of developers would also shrink.

    I think you always want both: the hardcores who will run free software and free software only, and those who will make compromises on devices until (if/when) stable free software is developed for those devices. The FSFE's advice on installing CyanogenMod [fsfe.org] seems like a sensible approach that takes this into consideration. Likewise, why not help someone install as much free software as possible on a device with a non-free BIOS/bootloader?

    It seems to me that UEFI will die a quick death if we A) fight very vocally against it, B) convince powerful corporations and governments that it's bad for them, C) ignore it where/when we can, and D) help others to circumvent it when necessary. It doesn't seem much different than the DRM problem in that way.

    I would be very happy with Canonical's UEFI strategy if the following from this past /. comment [slashdot.org] can be done:

    - Canonical will get efilinux signed with microsoft keys. So GRUB2 has to be made bootable from efillinux (efilinux is rather primitive, it just loads a kernel from a set collection of blocks from the device and run it. It shouldn't be too much difficult to have efilinux load and execute a GRUB2's "stage 1.5" or "stage 2"). Thus efilinux is the part that needs to be signed with microsoft's key (and efilinux's license makes it possible. Although that also means that you won't be able to hack it).

    ...

    - GRUB2 can load coreboot (an opensource firmware) payloads, so it could also load SeaBIOS (a legacy BIOS implementation as a coreboot payload). - GRUB2 can also load windows XP's boot loader. So if any of the above is possible (either chainloading efilinux to grub2, or signing grub2 in a gplv3 compatible way). That means that grub2 could be used to boot windows XP on secure-boot hardware. (with seabios providing the legacy bios compatibility, and windows XP's ntldfr being loaded from grub2).

    That unfortunately-complex method of chaining together multiple bootloaders seems to allow for any OS, even legacy ones, to boot (or at least attempt to boot) on UEFI hardware. Such a door might be closed if Canonical decides it won't play ball with Microsoft, and that seems like a door worth having open. However, I welcome any rebuttals...I don't know nearly enough about the issue.

    • by Microlith (54737)

      It seems to me that UEFI will die a quick death

      The problem, again, is not UEFI but secure boot. The two are not inextricably linked.

      It doesn't seem much different than the DRM problem in that way.

      You'll have an uphill battle. Apple is transparently convincing people that DRM is good.

      chaining

      Can't happen. If any point has a flaw then the key gets revoked. From the UEFI platform down to the kernel needs to be "trusted" to betray the user, and the kernel must be secured against local exploits that allow bypass

  • Half-joking, but I wonder if contracting out a community-speced and community-funded motherboard would be possible. It might be worthwhile if for no other reason than to possibly catch MS leaning on contract manufacturers from even considering fabbing a motherboard outside of their control.

[Crash programs] fail because they are based on the theory that, with nine women pregnant, you can get a baby a month. -- Wernher von Braun

Working...