
Re: Laptops, UEFI, Secure Boot and Debian



On Sun, 24 May 2015, Petter Adsen wrote:

> On Sat, 23 May 2015 12:46:10 -0700
> Patrick Bartek <nemommxiv@gmail.com> wrote:
> 
> > On Sat, 23 May 2015, Petter Adsen wrote:
> > 
> > > On Sat, 23 May 2015 09:04:55 -0700
> > > Patrick Bartek <nemommxiv@gmail.com> wrote:
> > > > I've read about that, but right now until W10 in its final form
> > > > is released, nobody really knows for sure.
> > > 
> > > Well, yes and no. We *do* know that the status has changed from
> > > "mandatory" to "optional", but whether hardware manufacturers will
> > > actually remove the ability to turn Secure Boot off remains to be
> > > seen.
> > 
> > Yes.  I read that.  Wonder what Microsoft has up its sleeve?
> 
> If I were to guess, this is in preparation for at some point in the
> future requiring Secure Boot to be used, without the ability to turn
> it off.

My guess as well.  Anything to make Windows more convenient to use than
installing another OS.  But you gotta think like a Microsoft lawyer
here:  "But, your Honor, you CAN install Linux on the machine. Just
follow these simple 389 steps.  No problem." ;-)

> You know, "think of the children!".
> 
> > Maybe, this is indicative of W10 being even more insecure than
> > previous Windows' OSes.
> 
> Secure Boot itself is not actually such a bad idea, in some
> circumstances it might be nice to have a fully signed chain. IMHO.

But it seems that Microsoft has co-opted it for their own use.  They're
the only ones making and selling the signing keys, aren't they?
Shouldn't those security keys come from an independent, unbiased
provider? One that Microsoft has to get their signing keys from, too.

> In itself, it should help to make Windows *more* secure, but this is
> hardly the right place for that particular discussion. Nor do I
> care :)
> 
> > > > I have no problems with turning Secure Boot off and leaving it
> > > > off. It's just that I fear that in the future one won't be able
> > > > to turn it off.  And that will really throw a wrench in the
> > > > Linux community. We'll see.
> > > 
> > > The Linux Foundation is also examining the possibility of
> > > obtaining a key that can be used to sign images for distributions
> > > (free of charge), and there is also work being done on signing a
> > > shim that will launch a "real" bootloader. As the Perl people
> > > lovingly remind us, there's more than one way to do it :)
> > 
> > Where there's a will, there's a way I suppose.  Although, instead
> > of a patch or shim, the threat of a class action lawsuit by Linux
> > developers might be more effective.
> 
> Hardware manufacturers will have to take into account the fact that
> there are a large number of people and organizations that run their
> machines without Windows, so I don't think there will be a lack of
> machines that can turn Secure Boot off in the near future.

Have you forgotten about Asus and its $99 EeePC of a few years ago?
It only ran Linux.  To keep the cost down.  No OS license needed. It
sold very well, but was only a small part of Asus' Windows PC market.
Microsoft still threw a hissy fit and threatened to revoke Asus'
Windows license, if they didn't change the EeePC so it could run
Windows XP.  Production on the EeePC ceased, and a year later a new
EeePC debuted running a stripped down version of XP. But now it cost
$199 not $99 whether it ran XP or Linux.  And the consumer got
screwed.  MS didn't care.  They got their unit license fee.

Microsoft holds that Windows license over manufacturers like a battle
axe.  If manufacturers don't go along, off with their heads!  Microsoft
can (and does) get almost anything it wants, and they've got a legal
department that enables them to get away with it. 

> But will it become something to watch out for when buying new
> hardware? Most certainly, at least for a period of time. I have a
> sneaking suspicion that it might become a bigger problem for laptop
> users than for desktop users, although I'm unable to back that up.
> For those of us who prefer to build their own machines, I think it
> will be much less of a problem.

Haven't you heard?  The desktop machine is dead.  Microsoft said so.
So, it must be true. ;-)

> The cleanest option would probably be to allow the owner of the
> machine to install his/her own keys in the firmware, and sign the
> boot image with those.

That won't fly.  Microsoft will stop it.  Not good for MS.

> And we still have legacy mode. For now.

Right.  I expect Legacy to mostly disappear in the next couple years.
"Old, unneeded technology," they'll profess.

> In my view, a solution for Linux that doesn't work for our BSD
> brethren and other people would not be good enough - we shouldn't
> settle for it. I remember all too well how hard it was to get Linux
> (or BSD, for that matter) up and running with new hardware back in
> the day, and I don't want a return to that state of things.
>
> There may very well be another Linus quietly tinkering away at
> something that might become the Next Big Thing out there, and it would
> be a shame if we were to limit hardware to not make that possible.
> 
> I am also not sure MS really _wants_ to lock Linux/others out of the
> playing field. If they do, I assume the murmurs of class-action and
> anti-competition would rise in pitch, and someone might do something
> that could *really* hurt them. They really should work with the
> community to come up with a solution that works for everyone before
> someone forces them to.

Microsoft wants to be the ONLY OS in the world. It's been their goal
since Day One with MSDOS.  However, they can't be and stay out of court.
So there just needs to be an insignificant OS like Linux (and OSX)
around -- a few % of the market? -- so legally they're not a monopoly.
Insidious plan, huh?

Unfortunately, Microsoft has screwed their customers too many times in
the name of profits, and Linux and OSX are steadily gaining ground,
particularly in the server, business and government markets.

There will never NOT be a Microsoft, but they are scared and scrambling
to correct poor market decisions, if they can.  And that's a good
thing.  True market capitalism does work, just slowly.


B

