Why does Secure Boot need such draconian control?
3rd Nov 2012 | 10:00
Pros and cons of Secure Boot explored
There's a new unavoidable conundrum for free software, and it has a name that conjures up thoughts of either a totalitarian regime, or a decent way of ensuring that malevolent code doesn't slip in between the cracks in your BIOS and your operating system.
It's called Secure Boot, and it's part of the Unified Extensible Firmware Interface specification (UEFI) developed for the next generation of PCs.
Secure Boot is designed to only allow signed code to boot your machine, and only entities that hold a valid key can sign the code that will allow your machine to boot. If the code can't be verified, it won't be able to run, in which case you'll probably be presented with an updated version of the message you used to get when you accidentally overwrote the master boot record.
It means that the USB version of Ubuntu 10.10 you've been relying on to undelete your Windows files and repair over-written master boot records will no longer work - at least not on a new machine that conforms to the specification. But then you probably won't have MBRs any more, either.
Windows 8, and machines that are sold and certified to run it, will need to use Secure Boot. This is a good thing in some ways. For Microsoft and for Windows users, it will mean that one of the most glaring loopholes in PC security can finally be sealed. Trojans won't be able to hide, and Microsoft will be able to control the entire software stack from the boot to the desktop.
This will make it a lot harder for anything to usurp the operating system before it reaches sentience, and it's something Apple has been able to do for a long time.
It's part of the reason why iOS hardware hasn't yet been compromised and why, despite everyone owning one, Apple's devices seem to be retaining their integrity (though now that I've written this, there's probably some terrible malware infecting every iOS device on the planet).
But in other ways, this isn't a good thing. Apple controls every line of code that goes through the CPU, whether that's the bootstrap or any one of the thousands of apps vetted and sandboxed to run on its devices.
It does this on an Apple TV, its music players, its tablets and its phones. Its PCs famously only run on authenticated hardware too, and Apple wants to take the sandbox approach used in iOS development to the desktop.
It will do this by making the OS X App store as popular and as integral to OS X as possible, and by forcing developers into the sandboxed environment it is creating.
There are similarities between the level of control in Secure Boot and the direction Apple is headed in when it comes to running software on your hardware, and while this development will be good for consumer confidence, I don't think it's a good thing for freedom or for security.
It stinks of an easy option being made because, surreptitiously, it's an idea that also works to give Microsoft more control. There should be a more imaginative solution to these problems, because it's unclear what this going to mean for Linux - and more importantly, what is it going to mean for choice.
Do you really want an operating system vendor to have this level of control over your hardware? Apple customers can be excused somewhat because they buy a device that's been 'Designed by Apple in California', and they know what they're not getting. But the PC market is completely different, and in a good way.
There's no official platform, hardware or vendor. There's massive variety, and whether you're buying a laptop or putting your PC together from components, you have a great deal of choice.
Big Linux distributions like Fedora and Ubuntu are making their own arrangements for procuring the credentials to allow booting - the price isn't prohibitive, and it's a system managed by Verisign, not Microsoft. But it's causing a split, not just because people can't agree on the best approach, but because it's already creating friction.
The Free Software Foundation, for instance, criticised Ubuntu's plans use an Ubuntu-specific key for what the FSF calls Restrictive Boot, as well as Canonical's intention to drop the Grub bootloader over concerns that using it will break the terms of the GPL used to distribute.
But what about the smaller distributions, updates, unofficial re-spins and personal redistribution to friends? I don't understand why Secure Boot needs to have such draconian control over the PC. Why can't it be used only when booting Windows, for example, and who's naive enough to think that the keys won't be cracked or stolen, giving hackers an even softer back door into Windows than before?
Secure Boot isn't a solution, it's about control and it's removing choice from a platform that has always flourished because of it. Whether that was Microsoft capitalising on the rise of IBM-PC clones, or Linux undercutting UNIX when it appeared on x86. And to paraphrase Benjamin Franklin, those who sacrifice freedom for security deserve neither.