mjg59 (Matthew Garrett)
(Edit: It's been suggested that the title of this could give the wrong impression. "Don't like Secure Boot? That's not a reason to buy a Chromebook" may have been better)

People are, unsurprisingly, upset that Microsoft have imposed UEFI Secure Boot on the x86 market. A situation in which one company gets to determine which software will boot on systems by default is obviously open to abuse. What's more surprising is that many of the people who are upset about this are completely fine with encouraging people to buy Chromebooks.

Out of the box, Chromebooks are even more locked down than Windows 8 machines. The Chromebook firmware validates the kernel, and the kernel verifies the root filesystem before anything on it runs. Want to run a version of Chrome OS you've built yourself? Denied. Thankfully, Google have provided a way around this - you can (depending on the machine) either flip a physical switch or perform a special keystroke in the firmware to disable the validation. Doing so wipes all your local data in the process, so that a physically present attacker can't use the same switch to steal your data or backdoor your system unnoticed, but after that it'll boot any OS you want. The downside is that you've lost the security you previously had. If a remote attacker manages to replace your kernel with a backdoored one, the firmware will boot it anyway. Want the same level of security as the stock firmware, but with your own code? You can't. There's no way for you to install your own signing keys, and Google won't sign third party binaries. Chromebooks are either secure and running Google's software, or insecure and running your software.

Much like Chromebooks, Windows 8 certified systems are required to permit the user to disable Secure Boot. In contrast to Chromebooks, Windows 8 certified systems are required to permit the user to install their own keys: you can replace the Platform Key and populate KEK and db with certificates you generated, so the firmware then trusts only what you signed. And, unlike Google, Microsoft will sign bootloaders for alternative operating systems. Windows 8 certified systems provide greater user freedom than Chromebooks.
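To make concrete what "install their own keys" means on a UEFI system: the Secure Boot db, dbx and KEK variables are concatenations of EFI_SIGNATURE_LIST structures, each holding either X.509 certificates or raw SHA-256 hashes of binaries. The following is an added example, not code from the post or from any firmware project: it builds the byte layout that tools such as efitools' cert-to-efi-sig-list produce, and parses it back with the bounds checks a firmware-side consumer needs. The DER certificate bytes and the owner GUID are constructed placeholders, not a real certificate.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner identifies who enrolled an entry. This value is an arbitrary
# constructed GUID for the example (efitools picks a random one by default).
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")

# Constructed placeholder standing in for a DER-encoded X.509 certificate.
# A real enrolment would read the output of `openssl x509 -outform DER`.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# Constructed placeholder for a bootloader image whose hash we whitelist.
FAKE_BINARY = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"example bootloader body"

HEADER_FMT = "<III"          # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + 12         # SignatureType GUID + the three u32 fields


def build_signature_list(sig_type, entries, owner=OWNER_GUID):
    """Encode one EFI_SIGNATURE_LIST whose entries all share one SignatureSize."""
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    data_len = len(entries[0])
    if any(len(e) != data_len for e in entries):
        raise ValueError("all entries in one list must have the same size")
    if sig_type == EFI_CERT_SHA256_GUID and data_len != 32:
        raise ValueError("SHA-256 entries must be exactly 32 bytes")
    sig_size = 16 + data_len     # SignatureOwner GUID + SignatureData
    header_size = 0              # X.509 and SHA-256 lists carry no SignatureHeader
    list_size = HEADER_LEN + header_size + sig_size * len(entries)
    # GUIDs are stored in the mixed-endian form the UEFI spec uses (bytes_le).
    out = sig_type.bytes_le + struct.pack(HEADER_FMT, list_size, header_size, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def parse_signature_lists(blob):
    """Decode a db/dbx/KEK payload into [(sig_type, [(owner, data), ...]), ...].

    Every size field is checked against the buffer before use, because a
    firmware parser that trusts SignatureListSize blindly reads out of bounds.
    """
    result = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or header_size > list_size - HEADER_LEN:
            raise ValueError("bad SignatureSize or SignatureHeaderSize")
        body_off = off + HEADER_LEN + header_size
        body_len = list_size - HEADER_LEN - header_size
        if body_len % sig_size != 0:
            raise ValueError("list body is not a multiple of SignatureSize")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size != 16 + 32:
            raise ValueError("SHA-256 list with wrong SignatureSize")
        entries = []
        for i in range(body_len // sig_size):
            p = body_off + i * sig_size
            entries.append((uuid.UUID(bytes_le=blob[p:p + 16]), blob[p + 16:p + sig_size]))
        result.append((sig_type, entries))
        off += list_size
    return result


def build_example_db():
    """A db holding one owner certificate plus one hash-whitelisted binary."""
    cert_list = build_signature_list(EFI_CERT_X509_GUID, [FAKE_CERT_DER])
    hash_list = build_signature_list(
        EFI_CERT_SHA256_GUID, [hashlib.sha256(FAKE_BINARY).digest()])
    return cert_list + hash_list


def binary_is_hash_allowed(db, binary):
    """True if db contains a SHA-256 entry matching `binary` (the dbx check is the mirror image)."""
    digest = hashlib.sha256(binary).digest()
    return any(sig_type == EFI_CERT_SHA256_GUID and any(d == digest for _, d in entries)
               for sig_type, entries in parse_signature_lists(db))


if __name__ == "__main__":
    db = build_example_db()
    for sig_type, entries in parse_signature_lists(db):
        print(sig_type, [(str(o), len(d)) for o, d in entries])
    print("allowed:", binary_is_hash_allowed(db, FAKE_BINARY))
```

The blob that build_example_db returns is what you would wrap in an authenticated variable (time-based authenticated write, signed by the key you enrolled as PK or KEK) and hand to the firmware's SetVariable for db; on a Chromebook there is no equivalent variable to write, which is the asymmetry the post describes.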

Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice.

(Updated to add that some Chromebooks have a software interface for disabling validation)

Red herring?

Date: 2013-02-05 12:22 am (UTC)
From: (Anonymous)
Is this an attempt to justify the fact that you have been working to make secure boot workable for Linux? Or is it an attempt to criticise some developers you don't like who are working for Google?

Tell me one thing: in your history of using Linux, how many cases have you come across of a compromised kernel being used to boot a box?

Why are people suddenly all barking about secure boot? Has there been some massive security incident that nobody on earth knows about - except Microsoft and Google?

Sam Varghese

Re: Red herring?

Date: 2013-02-05 01:03 am (UTC)
From: (Anonymous)
And who are these people who are blindly recommending Chromebooks? Too cowardly to name names are we, Garrett? Have you actually got your hands on one before writing or is this again based on hearsay?

Re: Red herring?

Date: 2013-02-05 01:45 am (UTC)
From: (Anonymous)
Your whole post - is it written after getting hold of a Chromebook or is it based on "research" on the interwebs?

Re: Red herring?

Date: 2013-02-05 11:53 am (UTC)
From: (Anonymous)
You didn't answer the question - trying out your "evade the issue and it will go away" tactic perhaps?

Did you or did you not get hold of a Chromebook before you wrote this post?

Re: Red herring?

Date: 2013-02-06 01:32 am (UTC)
From: (Anonymous)
I'm asking a very simple question: do you have a Chromebook on which you test your assumptions before writing?

Re: Red herring?

Date: 2013-02-06 04:02 am (UTC)
From: (Anonymous)
I've worked professionally on Chromebooks and ChromeOS and believe everything in this post is correct. What do you believe is wrong, and on what grounds?

Incidentally - did you have an OLPC (or Peruvian child) when you wrote this article: http://www.itwire.com/opinion-and-analysis/open-sauce/55572-olpc-failure-in-peru-its-own-fault ? Did you own Red Hat shares when you wrote http://www.itwire.com/business-it-news/open-source/58011-red-hat-profit-down-stock-up ? If not, why not?

Re: Red herring?

Date: 2013-02-05 07:54 am (UTC)
From: (Anonymous)
Call me naïve, but I'm far more inclined to trust what Matthew writes about verified booting than anything you come up with, regardless of whether or not he has a device in his physical possession.

Re: Red herring?

Date: 2013-02-05 11:54 am (UTC)
From: (Anonymous)
The issue of whom you trust is not at issue here.

Re: Red herring?

Date: 2013-02-05 06:53 pm (UTC)
From: (Anonymous)
The issue of whom you trust is the central one in ALL security settings.

Re: Red herring?

Date: 2013-03-25 01:26 am (UTC)
From: [identity profile] ryanb.pip.verisignlabs.com
I think it is a simple question that warrants a simple answer.

If Matthew answered yes, then I'm more inclined to take his opinion at face value. If he said no, what he has written may be factually accurate, but it might suggest that it was written with a bias.

I have a Chromebook and I see nothing wrong with the facts in this post. But I must admit, Matthew's credibility is tarnished because he wouldn't say if he was using a Chromebook or not. It doesn't change the facts, but it makes me question the intent.

Simply answering no would have disarmed this argument for me, but now it comes across as deceptive by dodging the question.

Everything that glitters isn't Secure Boot

Date: 2013-02-05 08:34 pm (UTC)
From: [identity profile] peter.stuge.se
> It's an attempt to dissuade people from blindly recommending Chromebooks as an alternative to Microsoft's imposed Secure Boot setup.

I think that is counter-productive, Matthew.

Just like I have a coreboot bias, you likely have an ever so slight UEFI Secure Boot bias, having worked with it for so long. You understand how Secure Boot works while most of our community - that is, the community of people desiring general purpose computers - may not.

You understand what Secure Boot could do for us, and you have spent an enormous amount of time trying to solve the problem of how Linux can fit into that structure. Your effort is phenomenal!

As you may know, I have been participating in the coreboot project for some 12 years. My experience there and in the security field tells me that it is absolutely critical for our community NOT to depend on any single boot verification structure, and certainly not one which is being deployed to let Microsoft decide what a computer says is secure and insecure.

Microsoft clearly isn't acting in our best interest.

Google is also acting in their own interest, but at the moment I feel that our community's interest in having control over our machine's firmware aligns well with Google's interest.

That's the reason to act fast against UEFI Secure Boot.

Unfortunately for you, your job is to act fast toward UEFI Secure Boot, to make it "just work" for Red Hat and friends. I have the utmost sympathy for you, in having to deal with that problem every day. It doesn't take reading your musings on how broken everything is, to realize that it is not too joyous work.

Google has developed their own x86 firmware based on well-known components such as coreboot and U-boot, and not only do they provide their customers freedom to root their hardware, they have also chosen to (use components such that they must) publish their entire firmware source code.

Google is clearly being vastly more progressive than the UEFI Forum and Microsoft.

But them doing something that is much better isn't why the Chromebook really does deserve to be recommended as an alternative to Microsoft's Secure Boot.

The Chromebook deserves to be recommended because it is doing something different.

The ideal solution for our community hasn't been productized yet - maybe not even developed yet. As you know, the majority of our community doesn't have experience with security with or without involving hardware, and even fewer have x86 firmware experience. I believe (I'm just naïve like that) this may change thanks to your work, coreboot's work, and Google's work. I think it must change.

> the timing's largely down to the availability of alternative firmware implementations for x86. Embedded devices have implemented equivalent technology for years.

coreboot has facilitated implementation of equivalent technology for years, 15 years to be precise. For some reason, the UEFI Forum and Microsoft have chosen a different route. The UEFI Forum's and Microsoft's route is not helping our community, while Google's route is.

That's why it makes sense to recommend a Chromebook, to anyone who is concerned about their machine's firmware, and the future of general purpose computing.

Re: Everything that glitters isn't Secure Boot

Date: 2013-02-05 10:15 pm (UTC)
From: [identity profile] peter.stuge.se
> right now, I'm guaranteed to have the opportunity to make that choice on x86 UEFI systems, and I'm guaranteed not to have that choice on a Chromebook.

You actually have much more choice with the Chromebook, because not only does it come with the developer mode which allows you to replace all of the system including the firmware - it also runs a firmware whose source code Google contributed to coreboot nearly a year ago.

Re: Everything that glitters isn't Secure Boot

Date: 2013-02-06 12:31 am (UTC)
From: (Anonymous)
Consider that you are talking about a sub-$200 computer that's probably pretty darned reliable. You are crying over spilled milk.

Re: Everything that glitters isn't Secure Boot

Date: 2013-02-06 01:04 am (UTC)
From: [identity profile] peter.stuge.se
> developer mode doesn't allow you to replace the firmware. You need to remove the write protection on the flash,

You're perfectly right about that! Sorry for my mistake. :(

> which is a very warranty-voiding exercise.

That is not at all clear. The machine does need to be opened (how many screws are there?) but removing the write-protect seems to involve simply moving a jumper or a screw. How will Samsung react to a warranty claim? I guess they will just fix it for you.

My point still stands however; the Chromebook deserves recommendation for the simple reason that it is not going the UEFI Secure Boot route.

Re: Everything that glitters isn't Secure Boot

Date: 2013-02-06 04:35 am (UTC)
From: (Anonymous)
I haven't worked with UEFI in quite a long time. When you say 'replace the firmware', what do you mean by that? The entire firmware including the reset vector and all code to initialize the hardware (memory training, etc)? I didn't know UEFI is allowing an end user (as long as the code is signed) to completely replace the system's firmware. I also wasn't aware that vendors were open sourcing their reference code in an open source fashion so an end user could build their own firmware.

Re: Everything that glitters isn't Secure Boot

Date: 2013-02-06 05:02 pm (UTC)
From: (Anonymous)
That is untrue. The issue your post doesn't discuss is that the ChromeOS security model relies on hardware write-protect of the flash chip containing the firmware as the core of its security model, so you need to disable the hardware write-protect and then run the script that Duncan posted in the comments above (/usr/share/vboot/bin/make_dev_firmware.sh) to get the ChromeOS firmware on with whatever keys you specify as an argument to the script. The ChromeOS team's biggest problem here is not documenting this process better.

