Matthew Garrett (mjg59) wrote,
@ 2011-09-23 07:57 am UTC
Entry tags: advogato, fedora
Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background.

We became aware of this issue in early August. Since then, we at Red Hat have been discussing the problem with other Linux vendors, hardware vendors and BIOS vendors. We've been making sure that we understood the ramifications of the policy in order to avoid saying anything that wasn't backed up by facts. These are the facts:
Microsoft have a dominant position in the desktop operating system market. Despite Apple's huge comeback over the past decade, their worldwide share of the desktop market is below 5%. Linux is far below that. Microsoft own well over 90% of the market. Competition in that market is tough, and vendors will take every break they can get. That includes the Windows logo program, in which Microsoft give incentives to vendors to sell hardware that meets their certification requirements. Vendors who choose not to follow the certification requirements will be at a disadvantage in the marketplace. So while it's up to vendors to choose whether or not to follow the certification requirements, Microsoft's dominant position means that they'd be losing sales by doing so.

Why is this a problem? Because there's no central certification authority for UEFI signing keys. Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's.

What does this mean for the end user? Microsoft claim that the customer is in control of their PC. That's true, if by "customer" they mean "hardware manufacturer". The end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.

If Microsoft were serious about giving the end user control, they'd be mandating that systems ship without any keys installed. The user would then have the ability to make an informed and conscious decision to limit the flexibility of their system and install the keys. The user would be told what they'd be gaining and what they'd be giving up.

The final irony? If the user has no control over the installed keys, the user has no way to indicate that they don't trust Microsoft products. They can prevent their system booting malware. They can prevent their system booting Red Hat, Ubuntu, FreeBSD, OS X or any other operating system. But they can't prevent their system from running Windows 8.

Microsoft's rebuttal is entirely factually accurate. But it's also misleading. The truth is that Microsoft's move removes control from the end user and places it in the hands of Microsoft and the hardware vendors. The truth is that it makes it more difficult to run anything other than Windows. The truth is that UEFI secure boot is a valuable and worthwhile feature that Microsoft are misusing to gain tighter control over the market. And the truth is that Microsoft haven't even attempted to argue otherwise.
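The argument above turns on which keys a machine's firmware signature database actually holds. As an added example (not part of the original post), this Python code parses the UEFI `db` variable format (EFI_SIGNATURE_LIST, as defined in the UEFI specification) so an owner can list what is enrolled; the sample database, the vendor GUIDs and the function names are constructed for illustration.

```python
import struct
import uuid
# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER = 28  # SignatureType GUID (16) + three little-endian UINT32 sizes

def parse_signature_lists(blob):
    """Return (type, owner GUID, data) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if sig_size < 16 or list_size < HEADER + hdr_size or offset + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST sizes")
        body = blob[offset + HEADER + hdr_size:offset + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner: who enrolled it
            kind = TYPE_NAMES.get(sig_type, str(sig_type))
            entries.append((kind, owner, body[i + 16:i + sig_size]))
        offset += list_size
    return entries

def read_efivar(path):
    """Read a Linux efivarfs file, dropping the 4-byte attribute word the kernel prepends."""
    with open(path, "rb") as f:
        return f.read()[4:]

def make_list(sig_type, owner, items):
    """Build one EFI_SIGNATURE_LIST from equal-length items (used only for the sample)."""
    body = b"".join(owner.bytes_le + item for item in items)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(items[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample: hypothetical owner GUIDs and placeholder data, not real keys.
VENDOR_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
VENDOR_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, VENDOR_A, [b"placeholder-DER-bytes"])
             + make_list(EFI_CERT_SHA256_GUID, VENDOR_B, [b"\xaa" * 32, b"\xbb" * 32]))

if __name__ == "__main__":
    # Real system: read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
    for kind, owner, data in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, len(data), "bytes")
```

A `db` that lists certificates from a single owner is the situation the post describes: only images signed by that owner's keys will pass secure boot.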



Re: Bug-free firmware?


(Anonymous)
2011-09-24 09:31 pm UTC
"While (especially Windows pirates) will get through that"

This isn't an anti-piracy feature. It is an anti-malware feature. For all of the beating up that Microsoft gets over security issues, Microsoft is attempting to keep malware from being part of the boot process. Unless the malware gets signed by Microsoft's key (or any other OEM-approved key), a rootkit or bootkit won't be able to load during the Windows start up process.

As you are from the land of Mac, I will explain a bit more detail here. When a rootkit loads during boot, it can fool the rest of the computer (and all anti-virus products) that there is NO malware on the machine. This means that most measures to protect a machine from viruses and keyloggers can be circumvented by the presence of this software running.

Macs have benefited from 3 things security-wise.

1 - a different security architecture than Windows.

2 - a low market share, virus writers get much more impact from writing viruses for the other 90% of the world.

3 - The people in poor Asian countries where many viruses are written simply cannot afford Macs. They find old PCs and install some pirated version of Windows and start coding their exploits on the cheap.

Microsoft has since changed its security architecture, and there are many new security exploits being released for Macs. Windows is now officially more secure than Macs. Additionally, Windows has a user security culture that is paranoid about security and malware.

Mac users are resting on their laurels thinking that security and malware isn't an issue for them. Apple does whatever it can to cover up these issues and not tell anybody about them until they have been addressed. Mac users are being misled, by themselves and Apple, and are even more vulnerable now than Windows users have been.

I welcome anything Microsoft can do to make the Windows experience more secure and stable.



Re: Bug-free firmware?


(Anonymous)
2011-09-25 09:50 am UTC
How much do you want to bet they will use this for anti-piracy? And then we can have more people waste their time running pirated Windows instead of getting a proper Linux installed and start doing something USEFUL.

I've been using Gentoo for over 4 years and Linux for at least 5. I use it 90% of the time. My MacBook is my laptop on the go. I use the Terminal a lot and ssh my servers to work with them. Things like sshfs, etc are installed too. I also use my Mac to test Qt applications I make in Linux, and develop iPhone apps (some of which I code in Linux; sometimes the cross compiler messes up).

Mac OS X is secure, and not just by obscurity:
1) Every application downloaded from the web (and not the Mac App Store, where apps are all signed) will warn the user EVERY time it is run if it is not signed. Using the terminal is the only way to disable this. So, most users don't. Numbers are showing that Mac users want to use the App Store (which is close to a package manager but not quite there yet), and they do not download from random sites. Paranoia mode is good here. As you know on iPhone, this situation is enforced and this is how 99% of the user base wants it (including me). I'm willing to bet App Store only on OS X is the future with a developer mode so we can actually make things. This is what people want, not some made-up boot loader protection nonsense. Only an OS as badly designed as Windows would need that. Microsoft is desperate to hire good coders, but only bad ones worship MS and go work there these days.
2) Application Entitlements (which is new to Lion and taken from iOS). Basically, the real question here is why have we allowed applications in the past to do anything they wanted (at your user level)? Why do they just get access to the video camera, or the network card, etc, without question? With Application Entitlements, an application specifies what it needs access to (such as camera, GPS, etc), and the user is told about this. I think this would be an awesome thing to implement in Linux just as much.

These 2 are ways the user gets to be informed in a friendly way before they decide to let their system get potentially hosed.

3) UNIX-based, POSIX certified. Need I say more? It is not some exotic proprietary OS. It is a fine-tuned Mach kernel and a FreeBSD-based userland (Apple even provides patches to FreeBSD to this day).
4) Safari web browser. A secure, WebKit-based, standards-based web browser (that you could say has little market share therefore it's 'obscure'). The big development is that it is not the only one (out of Qt, Google, Gtk, etc) and so most of what Apple does to WebKit benefits everyone (and WebKit work by Apple is primarily driven by OS X needs; you know about ?) and vice-versa. Compare IE's track record with Safari. Sure, you can get another browser on Windows. On both OS's, 90% of the users do not.
5) Sources available for review (including WebKit's base, CoreFoundation, etc). Ignorant folk might think this is dumb. http://opensource.apple.com even gives you iPhone development tools, libraries, etc. (And no, Apple is NOT obliged to make them work on Linux!) People use these things and people send Apple patches too. The kernel is no longer open source, if that makes you feel safe for some reason. Is any code from Windows available to review without an NDA? Hardly any.
6) Certain actions require typing a password (NOT just pressing a button!), such as: installing a new application to /Applications (depending on what the application needs to do), installing apps from the App Store, changing settings in System Preferences (all of which can be locked down at the user's discretion).

I won't be surprised if Windows 8 is nothing more than a slight upgrade, some artificial crap (like not including certain features in 'lesser' versions), and a huge WinSxS directory for backward compatibility (just like Vista and 7). Moving forward? Yeah, right. More like status quo as always.

Secure boot might help MS, but it's a very bad band-aid for an aging operating system that, let's face it, is obsolete. Microsoft sure likes playing this retrofitting game.

Regarding keys for Linux booting, I do not feel like having some 'commission' who gets to make/have/get keys, even if it were for Linux and free OS's. Even a benevolent dictatorship is still a dictatorship (neither Gentoo Foundation nor Apple are my gods/kings/who I worship/work under). We should not need that. Regardless, what we should have are secure and non-secure environments in all OS's. The 'locked down' OS is fine, as long as it provides a backdoor (root) only the owner can use, and a developer mode. That doesn't require keys on boot up, it just requires a stricter kernel and a stricter user land (limitations on memory access, application/library hashes, etc). And of course developer mode, which just lets us gain a few more privileges so we can work faster while we need it.



Re: Bug-free firmware?


(Anonymous)
2012-02-16 02:02 pm UTC
"How much do you want to bet they will use this for anti-piracy?"

I sure hope they do as this might boost Linux adoption a lot in poor countries ;)



Not 'anti-piracy' but 'anti-competitive'


(Anonymous)
2012-08-30 08:47 pm UTC
[Microsoft is attempting to keep malware from being part of the boot process.]

...By preventing the computer owner from replacing the boot loader or MBR of his own HDD on his own computer?

Why not just secure his OS the way that OS/2 did or the way that Mac OSX or *NIX does? From the moment I boot my machine until the moment that my OS is fully loaded, how on earth is something like a rootkit or bootkit going to insert itself into the boot loader or OS kernel or UEFI? It had to have done so prior to the last shutdown and herein lies the problem.

Most BIOSes I have played with in the past ten years had a feature to stop this. I could tell my BIOS to make the MBR read-only. I had to go into the BIOS to disable this feature before every new OS install I did then turn it back on after. This computer has a UEFI instead and actually lacks that feature. :-)

[virus writers get much more impact from writing viruses for the other 90% of the world]

Actually, they get more impact from writing viruses for the ubiquitous server OS which is... LINUX! LAMP is the most prominent stack in the server world. Problem is that their virus code does not work. Even "proof-of-concept" code does not work because they require a privileged user to deliberately execute it.

[The people in poor asian countries where many viruses are written...]

Really? Where is that statistic to be found? Based on cases going through the courts, they are found in Europe and America. Quit the racist remarks based on unproven stereotypes.

[They find old PCs and install some pirated version of Windows and start coding their exploits on the cheap.]

...And pirated versions of compilers too.... Would it not be simpler to get a free OS that comes with all the development tools they need and code on those? I.e., Linux, BSD, etc.? Then would it not be easier to write Linux viruses than cross-compile? Oh, wait.... Then they have to get the end user to run it as a privileged user instead of a drive-by install. My bad.

[Windows has a user security culture that is paranoid about security and malware.]

And with good reason: Windows has not secured their software so now they want to penalize OEMs who do not allow the end user/system owner to uninstall Windows or to dual-boot.

Logics

{FULL DISCLOSURE: I have been a UNIX user since 1988, an OS/2 user from Warp3 through Warp4 (up to 1998) and a Linux user since 1997. I have used Caldera, SCO, RH, Mandrake, Mandriva, PCLinuxOS, SuSE, Fedora, Open Suse, CentOS, Gentoo, Mint, Ubuntu, et al. I still regularly install PCLOS, Suse, Mint and Ubuntu for residential clients and Suse, Ubuntu, RH and CentOS for commercial clients.}



