[personal profile] mjg59
(Edit: It's been suggested that the title of this could give the wrong impression. "Don't like Secure Boot? That's not a reason to buy a Chromebook" may have been better)

People are, unsurprisingly, upset that Microsoft have imposed UEFI Secure Boot on the x86 market. A situation in which one company gets to determine which software will boot on systems by default is obviously open to abuse. What's more surprising is that many of the people who are upset about this are completely fine with encouraging people to buy Chromebooks.

Out of the box, Chromebooks are even more locked down than Windows 8 machines. The Chromebook firmware validates the kernel, and the kernel verifies the filesystem. Want to run a version of Chrome you've built yourself? Denied. Thankfully, Google have provided a way around this - you can (depending on the machine) either flip a physical switch or perform a special keystroke in the firmware to disable the validation. Doing so deletes all your data in the process, in order to avoid the situation where a physically present attacker wants to steal your data or backdoor your system unnoticed, but after that it'll boot any OS you want. The downside is that you've lost the security that you previously had. If a remote attacker manages to replace your kernel with a backdoored one, the firmware will boot it anyway. Want the same level of security as the stock firmware? You can't. There's no way for you to install your own signing keys, and Google won't sign third party binaries. Chromebooks are either secure and running Google's software, or insecure and running your software.

Much like Chromebooks, Windows 8 certified systems are required to permit the user to disable Secure Boot. In contrast to Chromebooks, Windows 8 certified systems are required to permit the user to install their own keys. And, unlike Google, Microsoft will sign alternative operating systems. Windows 8 certified systems provide greater user freedom than Chromebooks.

Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice.

(Updated to add that some Chromebooks have a software interface for disabling validation)


Date: 2013-02-04 11:52 pm (UTC)
From: (Anonymous)
I applaud Google for letting users at least disable the validation verses a company like Apple that does not let you disable the validation on their ARM devices (iPod Touch, iPhone, iPad, Apple TV, etc.). I am typing this from an ARM Chromebook, and I love it. It is the most secure consumer OS available today on the market, and it is very inexpensive at that. If you ever want to tweak, you can do that too! I think that this is unfair criticism of Google who are trying to allow for options by allowing the disabling of secured boot.

Re: Wow

Date: 2013-02-06 09:07 pm (UTC)
From: (Anonymous)
So you applaud Google for being almost as bad as Apple but not quite as bad? Wow. The bar is set pretty low for corporate behaviour if that is how it works.

Re: Wow

Date: 2013-03-25 01:02 am (UTC)
From: [identity profile] ryanb.pip.verisignlabs.com
I compare the Chromebook secure boot to be very similar to how Android secure boot works for Nexus devices.

With Android, if I want install a custom ROM, I have to unlock the bootloader. When I do so, it wipes the user data partition and performs a factory reset. From that point forward, the device will show an unlocked symbol at the bottom of the screen while the device boots. Chromebooks go one step further by changing the boot cycle cadence so that it is obvious that the device is unlocked.

Now if I'm running my custom ROM on Android, it might be possible to flash a compromised ROM while I'm not looking, suffering the same fate as running your Chromebook insecure. The Chromebook, with its ability to boot from as SD Card means that you can keep the SD Card physically secure when your device is not. You can then boot from that SD Card, still seeing the "Unverified ROM" screen, but knowing that the ROM you are booting from IS trusted.

I'm not sure I understand how having user keys is a security advantage. While I can understand that this might allow you to run user signed ROMs without the unverified ROM warning screen, it opens the door for someone to install a ROM that they've signed and install the user key for validation. Booting such a ROM would give no real indication to the user that they are running a compromised system.

If you are going to take a Chromebook and run Linux on it, I have no problem if I have to press CTRL-D if its presence makes it clear when a Chromebook is running a verified ROM.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

  • (Anonymous) - Wow

Expand Cut Tags

No cut tags