The Linux Foundation today released technical guidance to PC makers on how to implement secure UEFI without locking Linux or other free software off of new Windows 8 machines. The guidance included a subtle tsk-tsk at Microsoft's Steven Sinofsky for suggesting that PC owners won't want to be bothered with control of their hardware and would happily concede it to operating system makers and hardware manufacturers.
UPDATED: Meanwhile, competitors Red Hat and Canonical also released a jointly penned white paper today that offers strong condemnation of Microsoft's UEFI plans and generally pans secure UEFI altogether. [Link, PDF]
Hey, why should the Free Software Foundation get the last word, with its anti-secure-boot petition?
BACKGROUND: Next-gen boot spec could forever lock Linux off Windows 8 PCs
The Red Hat/Canonical paper also warns that time is running short to stop the secure boot train. The paper's first sentence is, "Given that Microsoft’s Windows 8 will require secure boot to be enabled by default, it is expected that the majority of personal computer devices will ship with it enabled in the first quarter of 2012."
The paper then reiterates the fear that secure boot could lock Linux off of Windows 8 PCs forever. "Unfortunately, Microsoft’s recommended implementation of secure boot removes control of the system from the hardware owner, and may prevent open source operating systems from functioning. The Windows 8 requirement for secure boot will pressure OEMs to implement secure boot in this fashion."
Microsoft has already publicly denied this -- which I'll get to in a minute -- and the Linux Foundation is trying to stem the tide of anger by showing PC makers how secure UEFI can be implemented per Microsoft's directive, while still giving PC owners control over their devices.
To recap: The next-generation boot specification is known as Unified Extensible Firmware Interface. Microsoft is requiring Windows 8 PC makers to use UEFI's secure boot protocol to qualify for Microsoft's Windows 8 logo program. Secure UEFI is intended to thwart rootkit infections by checking signatures against a key infrastructure before allowing executables or drivers to be loaded on the device. Problem is, the same keys can also be used to keep the PC's owner from wiping out the current OS and installing another option such as Linux. They can also prevent the owner from loading their own device drivers.
The Red Hat/Canonical paper points out that this can hinder third-party hardware manufacturers as much as it can hinder open source operating systems.
It is possible for OEMs to implement Secure UEFI in a way that users can simply disable it. Sinofsky, who is president of Microsoft's Windows division, pointed this out in a blog post last month. He also noted that the Samsung Windows 8 developer tablet given away to BUILD attendees could disable secure boot. But Microsoft is not mandating the disable option. Matthew Garrett, a developer who works for Red Hat and has been involved in the UEFI specification process, has said that Red Hat is aware of some Windows 8 PCs that do not give users a way to disable it.
MORE FALLOUT: Some W8 PCs won't turn off secure boot, Red Hat warns
The issue becomes even trickier if PC owners don't want to disable secure UEFI and still want to be able to load Linux or to dual-boot Windows and Linux. In that case, they need access to the master platform key. Only the holder of the platform key can authorize new firmware or operating systems to be loaded onto the device. They will then need a way to manage the signature database that validates the firmware, drivers and operating system.
Many free software advocates fear Microsoft is pushing an approach in which the key does not wind up in the hands of the device's owner.
“Steven Sinofsky has suggested in his blog posting … that the average platform owner might wish to give up control of the PK [platform key] (and with it control of the signature database) to Microsoft and the OEM suppliers of the platform. This mode of operation runs counter to the UEFI recommendation that the platform owner be the PK controller,” the Linux Foundation authors say in their paper, entitled Making UEFI Secure Boot Work With Open Platforms. The paper was written by James Bottomley, CTO at Parallels, and Jonathan Corbet, Editor at LWN.net, both of whom are on the Linux Foundation Technical Advisory Board.
This paper concedes that some PC owners may have no desire to manage a PK infrastructure to use their PCs and would just as soon give it over to Microsoft to do, even if that means they will not be able to load drivers or operating systems unless Microsoft first approves.
But the Red Hat/Canonical paper is not so soft-spoken, and offers one reason after another as to why secure UEFI is simply a bad idea. The paper, UEFI Secure Boot Impact on Linux, was penned by James Bottomley; Jeremy Kerr, Technical Architect at Canonical; and Matthew Garrett, the Senior Software Engineer at Red Hat who has been warning the world about secure boot for months now.
"Although there are some end-user benefits of secure boot, there are some consequences that may benefit proprietary software vendors, rather than the user," the authors argue. These benefits could include forced hardware obsolescence and forcing a user to buy only from a designated pre-approved "App Store," the authors say.
This paper also points out that hardware makers could be harmed by secure boot. "If the component vendors sign their own drivers, then they must ensure that their key is installed on all hardware they wish to support. This approach would prevent new hardware vendors from entering the market until they had distributed their key to a range of OEMs, and has a large per-platform overhead," the authors write.
But for those who want control and want the extra security secure UEFI affords, the Linux Foundation paper proposes several guidelines -- and takes a we-can-all-play-nicely-together tone, too.
The Linux Foundation wants:
1) all platforms that enable UEFI secure boot to ship “in setup mode,” where the PC owner can be the one to initially control the platform key. The owner can choose a key controlled by Microsoft at that time. The device owner should also be able to return to setup mode and change the choice. This is particularly important if the owner sells the machine.
2) an operating system to detect when the PC is in setup mode and install keys appropriately at that time and then activate secure boot mode.
3) a firmware-based mechanism used to allow a platform owner to add new keys for validating software while running in secure mode so that dual-boot systems can be set up.
4) a firmware-based mechanism for easy booting off of removable media.
5) At some future time, the Foundation also wants an operating-system- and vendor-neutral certificate authority to be established to issue keys for third-party hardware and software vendors. However, the paper notes that while this would make using secure UEFI easier, a new CA isn't mandatory.
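The key hierarchy these guidelines rely on (platform key, signature database, setup mode versus secure mode) can be modelled as a small state machine. The following is an added illustration, not code from either paper or from any firmware; it stands in for X.509/RSA signatures with an HMAC-based `Key` class so it runs offline, and the `Firmware` class and its method names are invented for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    """Constructed stand-in for a signing key: real Secure Boot uses
    X.509/RSA signatures, here an HMAC over the payload plays that role."""
    name: str
    secret: bytes

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), sig)


class Firmware:
    """Minimal model of the PK / signature-database policy described above."""

    def __init__(self) -> None:
        self.pk = None   # platform key; None means the machine is in setup mode
        self.db = []     # signature database: keys allowed to sign boot images

    @property
    def setup_mode(self) -> bool:
        return self.pk is None

    def enroll_pk(self, key: Key) -> None:
        # Enrolling a PK is what leaves setup mode and activates secure boot.
        if not self.setup_mode:
            raise PermissionError("PK already set; return to setup mode first")
        self.pk = key

    def add_db_key(self, new_key: Key, auth_sig: bytes = b"") -> None:
        # In setup mode the owner may populate db freely; in secure mode the
        # update must carry an authorization signed by the PK holder.
        if self.setup_mode or self.pk.verify(new_key.name.encode(), auth_sig):
            self.db.append(new_key)
        else:
            raise PermissionError("db update not authorized by PK")

    def clear_pk(self, auth_sig: bytes) -> None:
        # Owner-initiated return to setup mode (e.g. before selling the PC).
        if not self.pk.verify(b"clear-pk", auth_sig):
            raise PermissionError("clear request not authorized by PK")
        self.pk, self.db = None, []

    def boot(self, image: bytes, sig: bytes) -> bool:
        # Nothing is enforced until a PK exists; afterwards any db key may vouch.
        return self.setup_mode or any(k.verify(image, sig) for k in self.db)
```

The point the guidelines make follows directly: whoever holds the PK decides which keys enter `db`, so an owner-held PK lets a second operating system be enrolled for dual boot without disabling secure boot.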
The authors emphasize that secure UEFI doesn't have to be a technology that drives stakes between Microsoft and free software.
“Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but, as we have shown, there is no need for things to be that way,” they write. “If vendors ship their systems in the setup mode and provide a means to add new [keys] to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements.”
Still, how much burden will the average Windows 8 consumer want to take on to manage secure UEFI? How much will the typical enterprise want to do? Can PC makers find a balance?