Skip to comments.TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco
Posted on 01/02/2013 8:50:31 AM PST by ShadowAce
Summary: Is it possible that the recent attempts to push secure boot onto computer users was a response to the growing hardware vendor support for coreboot back in 2011? This is only speculation on my part, but I suspect that this might be the case. Coreboot is a badly needed solution that can restore freedom to PC users while updating the outdated PC BIOS technology.
What is CoreBoot?
Coreboot is a free software replacement for the BIOS currently found in most computers. It is also a better alternative than UEFI/secure boot because it gives the owner of a computer the freedom to do whatever they want. If you buy a Windows 8 PC with secure boot, AND you want to enable secure boot, you are met with certain restrictions. Secure boot uses public key cryptography to restrict what operating system(s) can boot on a PC with secure boot enabled. The concept behind secure boot is good from a security standpoint, but if you want to use it AND use GNU/Linux, you have to use a cryptographic key signed by Microsoft. Microsoft could revoke this key at any time, effectively giving them the ability to prevent you from using GNU/Linux and secure boot at the same time. NO ONE should be able to dictate to you, the PC owner, what you can or cannot do on your computer system, in my humble opinion. Coreboot offers the same security benefits as secure boot, and it maintains the users freedoms.
The Reddit Arguments
[12/30/12 UPDATE: The FSF campaign to stop secure boot has now made it to the Reddit homepage! Please show them your support by signing their petition and donating to the cause. ]
I frequent the Reddit Linux page at reddit.com/r/linux, and I monitor what people have to say about the Free Software Foundations campaign against secure boot. The most common complaints that I see are as follows:
Both are very valid criticisms, so let me address them both. x86 PCs still maintain somewhere around 90% of the global PC market share. In contrast, Apple holds a miniscule share of the desktop PC market. If Apple decides to lock users of Apple computers out from controlling the computers firmware, the consumer has a lot of choices outside of Apple. Similarly, some Android phones come with locked bootloaders, but there are a lot of Android phones and tablets that have boot loaders that can be easily unlocked. In fact, any Nexus-branded Android device has an unlockable boot loader, by Googles mandate. So again, the Android consumer has choices.
On the GNU/Linux side, secure boot will introduce confusion, and a set of two very bad choices. Choice A: secure boot is good technology from a security standpoint, but if I want to use GNU/Linux without being dependent on a Microsoft-signed key, I have to disable it. More on this later. Choice B: I can enable secure boot to get the security benefits, but I will have to depend on a key signed by Microsoft, and they can choose to disable that key at any time. If I make this choice, who is REALLY in control of my PC?
Now back to choice A. Think about who the biggest users of Windows 8 will be be from a revenue standpoint: probably businesses. Businesses usually want to run the most secure option, so they will probably choose to enable secure boot by default. This scenario discourages them from running GNU/Linux, Windows 7 or earlier, or any alternative operating system. I think that this is the whole point. Secure boot pushes the user in the direction of a Windows 8 choice. This is an abuse of market position, and it is anti-competitive. It is also clearly wrong.
The fact that secure boot can be turned off is not a valid counter argument. It demotes the GNU/Linux user to an inferior status: either they have to settle for a crippled system where innate security capabilities of that system are disabled, or they are left in a position of dependency on a Microsoft key. Either scenario is sub-optimal. Right now, Linux has an incredibly good reputation for security. Here is the reputation that Linux will end up getting: Linux is the operating system that you have to turn off security to install. This is not an accurate statement, but this is how memes start: non-technical people talking about technical topics. Turn off secure boot becomes turn off security. Linux is secure becomes Linux is insecure. Certainty becomes uncertainty. The confidence of being able to install whatever you want to gives way to confusion. This confusion can only be fully resolved by sticking to one dominant vendor .
If security was really the primary concern when the need to replace BIOS was being investigated, then coreboot was available, it was free, and it was open source. Why in the world would anyone have thought that UEFI/secure boot was a better solution? Id like you to please give this question more thought AFTER you read Table 1 below.
Why We Need Coreboot
UEF/secure boot supports the effective duopoly that currently exist in PC hardware. AMD and any other company, such as a motherboard manufacturer, who does not get on the UEFI train is effectively locked out. To me, it is pretty clear that UEFI/secure boot encourages those who make a certain set of decisions, and punishes those who make another set of decisions. I wont spell out all of my conclusions here. However, I came to them by studying the history of EFI and UEFI paying close attention to Apples shift from open firmware to UEFI. I looked at who created EFI, who financed EFI, and who stands to gain financially if UEFI/secure boot are implemented on x86 PCs.
In 2011, AMD began to dive deeply into supporting coreboot. On February 28, 2011, they released technical details of source code that AMD released in support of the coreboot project . On May 6, 2011, AMD pledged to support booting with coreboot in all of its future microprocessors . This revolution would have given the average PC user a lot more freedom, and a lot more control, over their computer system. A few months after this revolution started, it was announced that Windows 8 would be released with a version of secure boot that would turn back the hands of time, and greatly restrict what a PC user was able to do. I suspect that AMDs support of coreboot scared someone. I believe that pressure was applied to AMD to get them to join the UEFI Board of Directors. THe UEFI Board has no members from the Free Software Community :
Let us review the various PC firmware systems in the context of Richard Stallmans Four Essential Freedoms :
|The freedom to run the program, for any purpose.||Yes||No||Yes|
|The freedom to study how the program works, and change it so it does your computing as you wish.||Yes||No||No|
|The freedom to redistribute copies.||Yes||No||No|
|The freedom to distribute copies of your modified versions to others.||Yes||No||No|
|*Based on outdated technology.||No||No||Yes|
Table 1: The PC Firmware Freedom Matrix *Not one of the four essential freedoms.
Table 1 clearly shows that coreboot best protects the freedoms of the PC user. Now, let us revisit the question from earlier: Why in the world would anyone have thought that UEFI/secure boot was a better solution? If you look at Table 1, can anyone give me a rational reason why UEFI/secure boot would be a superior alternative to coreboot? Faster boot time? More secure? Better for the consumer? What was the MOST likely motive for picking secure boot? I would would love to hear any responses to these question in the comments.
What You Can Do
There are at last 2 petitions created to protect the freedoms of PC user, one by the Free Software Foundation, and the other one on WhiteHouse.gov. Signing them would send a powerful message to the PC and motherboard industries that coreboot is a better choice than secure boot.
Ronald G. Minnich, one of the co-authors of coreboot, has been a vocal opponent of secure boot, as has the Free Software Foundation. Minnich explains coreboot far better than I could in this 2008 video.
Link to Video
Thank you for reading The Linux Week in Review 51!
I’m kinda wonder why don’t they just make computer and tablet embedded systems with maybe at least 8GB SSD soldered in the motherboard to load firmware instead of OS, another SSD or hard disk for programs and data storage? Maybe computer devices will run lot faster?
I'm not aware of any business who'd want to give the workers a huge tablet with no "Start" button and no way to launch applications except by typing their name on a special screen. How many common folks remember names of the software that they run daily? They just click on icons that are in a certain place, and a familiar interface shows up. I personally don't know the names of 90% of stuff that is on my computer. Why should I remember arcane names that software developers assign to their products? I have what I need on the desktop and in the start menu, arranged as I want it to be. Win8's Start screen is a mile-long pale shadow of these two essential launchers, and it is minimally customizable.
I can get around Win8 if I must. But first I am professionally working with computers, and second I have the OS modified to restore the Start button and to get rid of the awful Start screen. You cannot expect that from a mom and pop business because they can't, and you cannot expect that from a Fortune $n business because they don't need to - they have downgrade rights, and Win7 is all that they will ever need for the nearest decade.
If I need a new PC for the business and I cannot buy one with Windows 7, I will put it together from parts instead. TigerDirect sells Win7 Home Premium for $99 and Pro for $139. And if MS pulls that stock, it should blame only itself for the aftermath. None of our accountants, who are not exactly spring chickens, are willing or ready to learn the new tablet UI of Win8 (not that it is any good in the first place.)
I bought a new laptop last week hoping to get in before secure boot was implemented, no such luck, it had win8 on it, I went into bios and disabled secure boot, and it still would not let me install Ubuntu or Win7, so I took it back to Frys, told them why and they had no problems exchanging it for the LAST LAPTOP they had with win7 on it. There were literally hundreds of laptops and desktops being returned because of Windows8. The desktop people for the most part opted to build their own after this, So much so that they were just about out of cases when I got there. no such luck with a Laptop though. This will not end very well for Manufacturer’s, and maybe people will wake up to how inferior Windows really is. I actually have been encouraging people to go buy new computer, and then RETURN it the next day, making sure to tell the store that it is because of WINDOWS 8 and the inability to put your own software on a piece of equipment YOU OWN. Why the manufacturers went along with this farce is beyond me, if it was me, I probably would have told Microsoft OK, and then turn around and offer All Computers with NO SOFTWARE at all, just a cd for drivers to be used on ANY software you wish to install. Start forcing the people to BUY Microsoft and watch what happens, as long as it is included people will use it, but give them a choice and Windows is GONE.
ps. What software do you think virtually every Webserver runs?? LINUX!! WHY?? Because it is absolutely SECURE, unlike WINDOWS.
I like windows 7. I have the home premium version on this laptop. The backup laptop runs 7 as well, but not sure which one.
Is there a benefit to changing up to Pro?
A Pro will allow you to join the domain. I can't think of anything else that would be easy to describe. You can see the details here. In short, if you don't have a DC at home then you don't need Pro. If you do have a domain controller then you already know the answer ;-)