Apparently people don't want a system where they can guarantee the kernel has not been compromised
I should really stop reading articles about the Windows 8 Secure Boot requirements. I'm only going to get annoyed at all the spectacularly incorrect commentary. Apparently people don't want a system where they can guarantee the kernel has not been compromised by malware.
As best as I can tell, this is what the Windows 8 logo certification actually requires (note: I'm only paying attention to x86-based systems. ARM-based stuff is an entirely different kettle of fish):
- The firmware must support secure boot.
- The firmware must contain the Windows 8 certificate (because, duh).
- If secure boot is enabled, then the firmware must not load any unsigned kernels or drivers (that's the entire point of secure boot).
- The firmware may contain any number of other certificates.
- It must be possible to install your own certificates, delete certificates, or even turn off secure boot entirely.
Originally only the first three were actual requirements, but the masses complained that Windows 8 certification did not explicitly require that you would be able to install Linux. So the other requirements were added.
It turns out that a program can only be signed by one certificate, so by far the easiest way to release a signed Linux kernel that will Just Work is to sign it with a certificate that is in turn signed by the Microsoft one, as that's going to be present in pretty much any system. And it turns out that one can buy such a certificate (or equivalent - I've not looked in detail at how signing your own kernel works) from Verisign for $99. Fedora are going to do this, and I'd imagine that the other major Linux distributions will also do so (because most users want something that Just Works).
So where, exactly, is the problem with all this for x86? I'll agree that the (completely different) requirements for ARM-based systems prevent other operating systems being installed, but when was the last time you saw a desktop computer that ran anything other than x86 or x86_64?

no subject
From an ARM POV (all views my own, not the company's), I'd /love/ to know why MS are scared of letting ARM-based kit compete on a level playing field. I guess there's no reason an ARM-based machine couldn't be released with linux and without Win8. It's not like secure boot is impossible on an ARM box: hell, it's easier than in x86, there are entire hardware modes explicitly designed for it.
It looks like marketing, from start to finish, basically. "We'll only let you put our logo on the machine if X, Y and Z".
The resistance to signing is a licensing issue, and a shrewd move by MS, I think. Because the kernel is a big cluster of patches written by a lot of people, exactly who should pay for the signing key? That Fedora are willing to do it is, well, nice, but... doesn't really solve the root problem. It's better than nothing, I guess.
no subject
On x86 at least, I think the intention is that if you want to use secure boot with your own kernel then you'll be expected to generate a suitable certificate (self-signed would work) and use that. Since the average user isn't going to a) want to do that, or even b) know how, Fedora have chosen to ship kernels signed with a certificate that is in turn signed by the MS certificate as then they have a kernel which will work without requiring any BIOS changes. I think they intend other distributions to either get their own signed certificate (Redhat and CentOS will likely do this), use a self-signed one and require the user to install the certificate if they want to use secure boot, or just expect the end user to deal with it all (Slackware will likely do that).
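Added example, not code from the post or from any of the commenters: a shell model, using only openssl, of the trust chain described in the post and in this comment. The vendor CA stands in for the Microsoft certificate shipped in the firmware, the distro certificate for one signed by it, and the self-signed key for a home-built kernel; all names and files are constructed, and real firmware checks Authenticode signatures over PE images, which this deliberately does not do.

```shell
# Constructed demo of Secure Boot chain-of-trust logic with plain openssl.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# A stand-in for a kernel image.
printf 'constructed kernel image\n' > kernel.bin

# 1. Vendor root CA: plays the role of the certificate built into the firmware.
openssl req -x509 -newkey rsa:2048 -nodes -keyout vendor.key -out vendor.crt \
    -subj "/CN=Vendor UEFI CA (constructed)" -days 30 2>/dev/null

# 2. Distro certificate signed by the vendor CA: the "bought" certificate.
openssl req -newkey rsa:2048 -nodes -keyout distro.key -out distro.csr \
    -subj "/CN=Distro Signer (constructed)" 2>/dev/null
openssl x509 -req -in distro.csr -CA vendor.crt -CAkey vendor.key \
    -CAcreateserial -out distro.crt -days 30 2>/dev/null

# 3. Self-signed certificate, as someone building their own kernel would make.
openssl req -x509 -newkey rsa:2048 -nodes -keyout mine.key -out mine.crt \
    -subj "/CN=My Kernel Key (constructed)" -days 30 2>/dev/null

# One signature per image, as the post notes: sign once with each key.
openssl dgst -sha256 -sign distro.key -out kernel.distro.sig kernel.bin
openssl dgst -sha256 -sign mine.key -out kernel.mine.sig kernel.bin

# firmware_verify DB CERT SIG IMAGE: accept only if CERT chains to a
# certificate in the db file and SIG is a valid signature over IMAGE.
firmware_verify() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -pubkey -noout > signer.pub
    openssl dgst -sha256 -verify signer.pub -signature "$3" "$4" >/dev/null 2>&1
}

# Stock db: only the vendor certificate. The distro kernel chains to it,
# the self-signed kernel does not.
cp vendor.crt db.pem
firmware_verify db.pem distro.crt kernel.distro.sig kernel.bin && echo "distro kernel: boots"
firmware_verify db.pem mine.crt kernel.mine.sig kernel.bin || echo "self-signed kernel: rejected"

# The user enrols their own certificate in db (the "install your own
# certificates" requirement); the same kernel and signature now pass.
cat vendor.crt mine.crt > db.pem
firmware_verify db.pem mine.crt kernel.mine.sig kernel.bin && echo "self-signed kernel: boots once enrolled"
```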
no subject
It's like designing a system of governance -- you want the system to survive, and for people not to be screwed, in the event that one or more of the agencies responsible for ensuring that the population's needs are met fail, are malicious, attempt to use their privileged position exploitatively, or are subverted. At the moment, with the current system -- and, vitally, the default settings -- and are looking worriedly at some of the failure modes.
no subject
boots? kernels?
(Anonymous) 2012-06-10 05:01 pm (UTC)
Re: boots? kernels?
(Anonymous) 2012-06-11 09:48 am (UTC)
Since kernels and boots seem to have acquired IT-specific meanings, I wondered if fish kettles were some kind of strange part of the software as well.....
No, I didn't wonder that at all, really. Well, maybe a little.