Microsoft Subnet An independent Microsoft community View more

Microsoft's Secure Boot, Red Hat request ignites Linus Torvalds' NSFW flame war

When a Red Hat developer requested for Linux creator Linus Torvalds to make issues about Microsoft's Secure Boot easier to deal with on Linux, Torvalds ripped into him and said Linux won't 'deep-throat Microsoft."

We all may have bad days from time to time, but if it progresses to language that would be bleeped out on mainstream TV news, then a person might hope that it doesn't receive undue attention. However, after Ars Technica's Jon Brodkin wrote about a heated exchange on the Linux Kernel Mailing List, when you try to access those messages, you instead see: "The server is taking too long to respond; please wait a minute or 2 and try again." That's when cached content can save the day to see what the fuss was about.

The issue goes back to Microsoft's decision to require UEFI (Unified Extensible Firmware Interface) secure boot on all machines running Windows 8. It's like an updated BIOS that lets an OS access hardware. In reply to users who want to dual-boot Linux/Windows, Microsoft said UEFI-enabled secure boot, and disabling it, will be left to PC manufacturers. Yet many people agreed that leaving those choices to a hardware manufacturer that may be more inclined to make Microsoft happy than to cater to user choice was a stupid move. Matthew Garrett, a Linux developer at Red Hat, said "The end user is not guaranteed the ability to disable this functionality" and "is no longer in control of their PC." He later released a shim, a secure boot bootloader. Then, earlier this month, Linux Foundation director James Bottomley announced that he too had "created a preliminary version of a workaround that should allow the use of Linux on newer hardware."

Yet according to the Linux Kernel Mailing List archive, specifically the topic of the public key management standard, Red Hat developer David Howells' request for Torvald's to "pull a patchset please" started quite the flame war. Part of the explanation included that if the code were in the Linux kernel, then Red Hat could "embed an X.509 certificate containing the key in a section called '.keylist' in an EFI PE binary and then get the binary signed by Microsoft."

You may think cute and cuddly when you think Tux, but the Linux creator is well-documented as being a bit more prickly. As The Register previously pointed out, Linus Torvalds had told students at Finland's Aalto University, "Some people do think I'm a grumpy old man. I realize if you only see my flames and curses, and not when things go well, you will think I hate everybody. I'd like to be a nice person and curse less and encourage people to grow rather than telling them they are idiots. I'm sorry - I tried, it's just not in me. I like the fact we have a lot of personalities in the kernel team who can guide people through the development process. I've never been that person."

With that in mind, Torvalds' heated reply was neither for the easily offended, nor for the faint of heart. (Warning: Cursing ahead!)

Included in David Howells' reply of what he called "a problem" with Torvald's idea was that "Re-signing would make the keys then dependent on our master key rather than directly on Microsoft's. Microsoft's revocation certificates would then be useless. The only way Microsoft could then revoke the extra keys would to revoke our master key."

Matthew Garret bravely jumped into the fray and, in part, responded:

Vendors want to ship keys that have been signed by a trusted party. Right now the only one that fits the bill is Microsoft, because apparently the only thing vendors love more than shitty firmware is following Microsoft specs. The equivalent isn't just Red Hat (or anyone else) programmatically re-signing those keys, it's re-signing those keys with a key that's trusted by the upstream kernel. Would you be willing to carry a default trusted key if some sucker/upstanding and trustworthy member of society hosted a re-signing service? Or should we just assume that anyone who wants to ship external modules is a f**king idiot and deserves to be miserable?

(I mean, I'm fine with the idea that they're f**king idiots and deserve to be miserable, but apparently there's people who think this is a vital part of a business model).

Well that set the Linux creator off again, but this time Torvalds wrote:

Garrett replied again, as did many others, while the entire issue ping-ponged back and forth in a way that might either ignite your anger, or make you chuckle. I know it's a serious issue, and I'm sorry there's no privacy on a mailing list, but it made me laugh.

What is not funny is Microsoft's decision to require UEFI in the first place. Before long, Microsoft will be saying that the retail license for Office 2013 is only good for the life of the PC on which it was installed, or until you reinstall Windows, whichever comes first. Oh wait...

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies