FSF Criticises Ubuntu For Dropping Grub 2 For Secure Boot
sfcrazy writes "The Free Software Foundation (FSF) has published a whitepaper suggesting how free operating systems can deal with UEFI secure boot. In the whitepaper, the foundation has criticized the approach Canonical/Ubuntu has taken to deal with the problem. The paper reads: 'It is not too late to change. We urge Ubuntu and Canonical to reverse this decision, and we offer our help in working through any licensing concerns. We also hope that Ubuntu, like Fedora, will actively support users generating and using their own signing keys to run and share any versions of the software, and not require users to install a key from Canonical to get the full benefit of their operating system.'"
I suppose the ultimate solution is... (Score:4, Interesting)
... for someone to hack the secure boot BIOS and provide an easy way for users to reflash theirs from Windows or whatever OS is preinstalled on the machine when bought new. No doubt this will prevent Windows being reinstalled, but unless you want a dual boot machine I doubt this matters much.
On a related note, how will this affect Linux being booted from within Windows (if anyone still uses that approach)?
They also criticized Fedora.. (Score:5, Interesting)
not as much, but still (for planning to use the MS key). It's a very bad position we (Free Software) are in with Restricted/Secure boot. I think it's time the Linux friendly vendors really get behind CoreBoot [http://www.coreboot.org/Welcome_to_coreboot] and let us be truly independent.
As it is set up right now:
Binaries can only be signed with one key. If you use Microsoft's key, you can't use your own.
Not all vendors may support letting users add their own keys (and even if they do, it certainly complicates a fresh install).
ARM will be completely locked down if vendors want MS to run on it.
If you use the Microsoft key, they can revoke your access (they likely need cause, but still).
This is nothing new (Score:2, Interesting)
Re:people who use ubuntu are linux posers anyways (Score:5, Interesting)
Linux has gone mainstream... Just not on the desktop, where it remains a distant 3rd behind Windows and OS/X.
With Android, Linux is quite popular with mobile. Linux is also strong on the server side too.
Linux never made it to the desktop, because there were too many drivers to support. When you luck out and get a system that is well supported by Linux... Linux rocked on that system. However, if you try to put Linux on a poorly supported system, it usually sucked, and felt like a cheap OS.
If Microsoft made "Windows 9" a Linux distribution with a Windows-themed UI, it would probably be just like Vista: many people complaining about hardware compatibility, systems crashing all the time (due to improper drivers).
Re:They also criticized Fedora.. (Score:2, Interesting)
If memory serves, the Microsoft key is pretty much going to be required no matter what Fedora or Ubuntu does, because PCI-E cards will have their BIOS signed with a MS key and you have to trust them in order to do secure boot.
Re:They also criticized Fedora.. (Score:4, Interesting)
Why CoreBoot? What's wrong with stuff like OpenFirmware, or even just finishing projects to boot properly from EFI machines [sourceforge.net] (which are not "secure")? There's no reason to ask HW manufacturers to adopt some completely new firmware stack when there are already-working ones which are more than "open" enough. The only real problem here is with this new Secure Boot add-on, but there is no reason to throw the baby out with the bathwater. OpenFirmware / EFI can replace BIOS just fine and not have any restrictions. They already exist and manufacturers already know how to use them.
Servers and Laptops (Score:5, Interesting)
Intel and everyone else knows that restricted boot environments for personal computers (desktops and laptops) will be hugely profitable. Entertainment companies love it -- they can deploy a new kind of DRM that won't be defeated for years (see: PS3). Software companies love it, because they can stop people from applying cracks to evade DRM. ISPs love it because they can better lock-down their networks if they can control the computers that can be connected to those networks. The potential for money-making deals is HUGE, and Intel knows that when their chips are the center of these profitable systems, they make lots of money.
At the end of the day, Intel could not care less about hackers or computing freedom; they exist to make money, and there is no money to be made in allowing desktop and laptop users to have freedom.
Re:The FSF (Score:5, Interesting)
No, they're concerned that Ubuntu is giving up a GPL bootloader because they're choosing to adopt Microsoft's secure-boot solution, which effectively puts all such systems under Microsoft's control and makes it infinitely harder for "unapproved" software to run on the systems (which, if Microsoft's attitude is any indication, would include virtually all Free Software.)
So my computer belongs to Microsoft? Dell? Asus?
Perhaps you missed the bit where ALL systems with the Windows 8 logo were going to be forced into this locked state by default. It's not just a corporate security feature, it's being rammed down ALL of our throats.
Re:With all due respect (Score:4, Interesting)
You don't have to rely on Canonical unless you want to use their product, which is essentially what choosing software is, you use someone's software (maybe your own) over someone else's because of the choices they made.
Sure, that's the way things work right now. When UEFI restrictions come into play, things start to work differently. I can choose not to use Ubuntu and Fedora, and then what? I get stuck jumping through hoops just to install anything else -- and while I have the technical expertise and patience needed to do so, it is still annoying, and for some people it is either too annoying or too difficult to do.
That is the choice this situation forces you into: either you accept the code written by Fedora or Ubuntu, or you have to work hard to get something else up and running / pay for the right to do so. You are not able to simply reject those distros whose choices you disagree with; you must decide if accepting those choices would be as bad as trying to get something else to work. A few months ago, I stopped using Fedora because of a disagreement I had with their choices (completely unrelated to the boot process); now I have to reevaluate that, because getting the distros I like to run on the next laptop I buy might require more of a time commitment than I can make.
I honestly don't understand how you have a problem with the concept of distros deciding to do certain things certain ways? Did you write your own package manager and kernel? In which case why are you using Ubuntu anyway? Why are you even using Linux, they've made all sorts of choices for you.
I am free to accept or reject the choices that other people made. I can always fork a project if I do not like the direction it is taking. Except, of course, if I need a digital signature from the project in order to run my fork on my own computer / if I have to get some company's permission (i.e. by paying a fee).
It is not about other people making decisions; it is about my freedom to accept those decisions. Maybe I like everything in Ubuntu, except for the bootloader -- maybe I really want to run grub2. Now I am stuck jumping through all sorts of hoops to get that to work -- either buying a key and agreeing to contracts, or putting the system in custom mode and instructing anyone who wants to use my code to do the same. Forking a distro in this model sounds like a giant pain, with extra hurdles and hoops that just push people to use the handful of distros that can pay to play.
Re:Servers and Laptops (Score:5, Interesting)
SecureBoot is not a DRM system (for now).
For now indeed -- it is blindingly obvious that this is a temporary situation.
If SecureBoot is on, the requirement is that the code executed before ExitBootServices() has to be signed.
Thus closing the one remaining loophole in PC DRM, the loophole that has been the bane of entertainment and software companies (and especially the combination of those, video game companies) for decades. If the bootloader must be signed, then the bootloader can be designed to only load a signed kernel, which will only run signed applications, which will not receive signatures if they can possibly circumvent a DRM system. That is the point here -- you will not be able to just patch software to remove license checks, you will not be able to cheat in video games by executing code in kernel mode (yes, really, people do this -- in MMORPGs, where cheating successfully can yield real world profits), you will not be able to examine memory from processes that forbid it (so no more grabbing secret keys out of RAM), etc. The only reason that has not happened yet is that the PC software ecosystem is so massively complex and there is so much legacy code that no longer has anyone maintaining it, all of which has to be run somehow. I suspect that Microsoft's solution to that will be to create a secure sandbox where unsigned code can be run, but where it is unable to interact with any other software (so e.g. unsigned code could open some process' memory and examine it, but only if that process is running in the sandbox -- and of course, a signed application could forbid being run in a sandbox). They cannot do everyone at once -- gradually moving in for the kill is a better tactic for them.
So for example one can create a Boot Loader like EFILinux that will be signed and conform to the specification, and that can load unsigned kernels, and those unsigned kernels can contain any code.
Sure, but look at the Fedora rationale; they noted that if they sign code that can be used to launch "malware" that attacks Windows, they will get in trouble. That's the difficulty here -- for a system to be secure in the restricted boot / DRM sense, it must never allow unsigned code to run, except in a strictly confined environment (so certainly not in kernel mode). For now, you can load an unsigned kernel, but the noose is already around your neck -- if you get caught doing something Microsoft (or whoever else) doesn't like, you are in trouble.
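Added example, not part of the thread and not any project's code: a simplified Python model of the boot chain discussed in the comment above, showing why a trusted loader that does not check the kernel ends the chain of trust and how revoking that loader closes the gap. It assumes SHA-256 digest allow and revocation lists in place of real signature checks; all names and images are hypothetical.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class Stage:
    """One link in the boot chain (hypothetical model, not a real loader)."""
    def __init__(self, name, image, allow=(), enforce=True):
        self.name, self.image = name, image
        self.allow = set(allow)   # digests this stage will launch next
        self.enforce = enforce    # False: launches the next stage unchecked

def boot(db, dbx, chain):
    """Walk the chain. db/dbx model the firmware allow and revocation lists."""
    log, allow, enforce = [], set(db), True   # firmware always checks
    for stage in chain:
        d = digest(stage.image)
        if enforce and (d in dbx or d not in allow):
            log.append(f"{stage.name}: refused")
            return False, log
        log.append(f"{stage.name}: {'verified' if enforce else 'NOT verified'}")
        # The stage that just started decides what may run after it.
        allow, enforce = stage.allow, stage.enforce
    return True, log

# Constructed sample images; the byte strings stand in for real binaries.
KERNEL = b"constructed kernel image"
PATCHED = b"constructed kernel image, modified"
STRICT = Stage("loader-strict", b"constructed loader A", allow={digest(KERNEL)})
LAX = Stage("loader-lax", b"constructed loader B", enforce=False)
DB = {digest(STRICT.image), digest(LAX.image)}

def scenarios():
    kernel = lambda image: Stage("kernel", image)
    return {
        "strict loader, approved kernel": boot(DB, set(), [STRICT, kernel(KERNEL)]),
        "strict loader, modified kernel": boot(DB, set(), [STRICT, kernel(PATCHED)]),
        "lax loader, modified kernel": boot(DB, set(), [LAX, kernel(PATCHED)]),
        "lax loader after revocation": boot(DB, {digest(LAX.image)}, [LAX, kernel(PATCHED)]),
    }

if __name__ == "__main__":
    for name, (ok, log) in scenarios().items():
        print(f"{name}: {'boots' if ok else 'blocked'} ({'; '.join(log)})")
```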
Comment removed (Score:5, Interesting)
Re:people who use ubuntu are linux posers anyways (Score:3, Interesting)
My initial response was: "who cares, as long as it's fun".
And Linux is fun.