[personal profile] mjg59
(Edit: It's been suggested that the title of this could give the wrong impression. "Don't like Secure Boot? That's not a reason to buy a Chromebook" may have been better)

People are, unsurprisingly, upset that Microsoft have imposed UEFI Secure Boot on the x86 market. A situation in which one company gets to determine which software will boot on systems by default is obviously open to abuse. What's more surprising is that many of the people who are upset about this are completely fine with encouraging people to buy Chromebooks.

Out of the box, Chromebooks are even more locked down than Windows 8 machines. The Chromebook firmware validates the kernel, and the kernel verifies the filesystem. Want to run a version of Chrome you've built yourself? Denied. Thankfully, Google have provided a way around this - you can (depending on the machine) either flip a physical switch or perform a special keystroke in the firmware to disable the validation. Doing so deletes all your data in the process, in order to avoid the situation where a physically present attacker wants to steal your data or backdoor your system unnoticed, but after that it'll boot any OS you want. The downside is that you've lost the security that you previously had. If a remote attacker manages to replace your kernel with a backdoored one, the firmware will boot it anyway. Want the same level of security as the stock firmware? You can't. There's no way for you to install your own signing keys, and Google won't sign third party binaries. Chromebooks are either secure and running Google's software, or insecure and running your software.

Much like Chromebooks, Windows 8 certified systems are required to permit the user to disable Secure Boot. In contrast to Chromebooks, Windows 8 certified systems are required to permit the user to install their own keys. And, unlike Google, Microsoft will sign alternative operating systems. Windows 8 certified systems provide greater user freedom than Chromebooks.

Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice.

(Updated to add that some Chromebooks have a software interface for disabling validation)
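The three configurations compared above, as an added sketch that is not part of the original post. Textbook RSA over small constructed primes stands in for the real firmware signature schemes, and the `Firmware` class, its fields and the result strings are hypothetical names chosen for illustration.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA over Mersenne primes: illustration only, not secure.
def keygen(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(n, image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(priv, image):
    n, d = priv
    return pow(_digest(n, image), d, n)

def verify(pub, image, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(n, image)

@dataclass
class Firmware:
    trusted: list                  # public keys accepted at boot
    user_keys_allowed: bool        # may the owner enroll a key?
    validating: bool = True        # False = validation switched off

    def enroll(self, pub):
        if not self.user_keys_allowed:
            raise PermissionError("no way to install your own signing keys")
        self.trusted.append(pub)

    def boot(self, image, sig):
        if not self.validating:
            return "booted-unverified"
        ok = any(verify(k, image, sig) for k in self.trusted)
        return "booted-verified" if ok else "refused"

def demo():
    vendor_pub, _ = keygen(2**89 - 1, 2**127 - 1)      # constructed keys
    user_pub, user_priv = keygen(2**61 - 1, 2**107 - 1)
    mine, evil = b"my own kernel build", b"my own kernel build + backdoor"
    sig = sign(user_priv, mine)    # attacker swaps the image, cannot re-sign

    locked = Firmware([vendor_pub], user_keys_allowed=False)
    dev = Firmware([vendor_pub], user_keys_allowed=False, validating=False)
    owner = Firmware([vendor_pub], user_keys_allowed=True)
    owner.enroll(user_pub)
    return {
        "locked": (locked.boot(mine, sig), locked.boot(evil, sig)),
        "dev": (dev.boot(mine, sig), dev.boot(evil, sig)),
        "owner": (owner.boot(mine, sig), owner.boot(evil, sig)),
    }
```

Each tuple in `demo()` is (own kernel, tampered kernel): only the firmware that accepts an enrolled owner key both boots the owner's build and refuses the modified one.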


Date: 2013-02-04 06:26 pm (UTC)
From: (Anonymous)
The rationale for forcing users to choose between security and freedom is because you can't provide both together.

One particular use case that is considered important to Chromebooks is: You should, as a user, feel comfortable and secure using one that you do not own. Perhaps it's a loaner Chromebook like Virgin America provided last year for people on their flights, or one provided by a hotel you're staying at (another pilot Google has run), or a public kiosk, etc.

A simple reboot of the device will show whether or not it is a trusted OS installed on it; this is why once the developer switch is toggled, the firmware will always give scary "OS IS UNTRUSTED!" warnings. All bets are off then: since the owner can manipulate the system, including disabling the verified filesystem, installing key loggers, sending your passwords to others, etc.

The middle-ground would be to semi-trust externally signed OS, for example permit additional signing keys to be added to the firmware so that it can verify that the non-Chrome OS kernel it's booting matches those keys to give the modding community some level of secure boot support.

You'd have to resolve the UI issue, making sure a user unaware of the concept of modding (my dad, for example) would be still aware that he shouldn't trust the device in its modded state. But also have some other level of UI for the modded device firmware not matching the additional keys, while also still supporting modders who flat out don't want to deal with secure boot.

Our firmware team, though I can't actually speak for them, support modding enough that this is probably more a case of getting people to agree on the right approach rather than flat-out denial. Though also you know how security people like to say No and get angry at you ;)

Re: Rationale

Date: 2013-02-04 06:52 pm (UTC)
From: (Anonymous)
"A simple reboot of the device will show whether or not it is a trusted OS installed on it"

Which is obviously utter nonsense given that the lender has all the time necessary to install physical keyloggers.

Re: Rationale

Date: 2013-02-04 07:00 pm (UTC)
From: (Anonymous)
And can replace the firmware chip or motherboard or .... as well. I don't think secure boot protects against physical attackers, just remote ones. That's what the chromium docs say too.

Re: Rationale

Date: 2013-02-04 09:09 pm (UTC)
From: (Anonymous)
"The rationale for forcing users to choose between security and freedom is because you can't provide both together."
Freedom to use - you are correct. My employer, for example, doesn't give me complete freedom on their network. Neither does my bank.
Freedom to know - you are incorrect. It is imperative that how security functions is known so that the owners, operators and other parties can be sure it actually works and will actually do what it claimed.
So, for example, I know how SSH works. Doesn't do me a blind bit of good in accessing an SSH connection unless the owner has configured for me to use and given me the key/passphrase.

"You should, as a user, feel comfortable and secure using one that you do not own."
If one does *anything* sensitive on a device one does not own, one is a blithering idiot. Even a network one doesn't own is suspect (hence VPNs, HTTPS etc). I don't think SecureBoot solves the problem of nasties on a device someone else owns in any shape or form.

Re: Rationale

Date: 2016-03-12 11:01 pm (UTC)
From: [identity profile] jcg1541.id.fedoraproject.org
I think you "got it". Some other people argue about the disadvantage of forcing people to trust Google or nothing. They don't realize that, other than Google, there can be any company that produces its own computer hardware. There are choices.

The bottom line is that the absolute trusted hardware is hardware you build with your own hands, including etching and doping your own transistors. All other choices are a compromise. There is no such thing as having a compromise and having absolute control at the same time.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Member of the Free Software Foundation board of directors. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
