Free Software Foundation Campaigning To Stop UEFI SecureBoot

hypnosec writes "The Free Software Foundation is on an offensive against restricted boot systems and is busy appealing for donations and pledge in the form of signatures in a bid to stop systems such as the UEFI SecureBoot from being adopted on a large-scale basis and becoming a norm in the future. The FSF, through an appeal on its website, is requesting users to sign a pledge titled 'Stand up for your freedom to install free software' that they won't be purchasing or recommending for purchase any such system that is SecureBoot enabled or some other form of restricted boot techniques. The FSF has managed to receive, as of this writing, over 41,000 signatures. Organizations like the Debian, Edoceo, Zando, Wreathe and many others have also showed their support for the campaign."

Grub?

[TheRealMindChild]

Hasn't Ubuntu made GRUB a SecureBoot [h-online.com] boot loader? How isn't this sufficient?

Concealed defect

[jandar]

It should be mandated that any restriction on a general purpose computer has to be stated clearly as such on the packing, otherwise it would a intentionally concealed defect.

What about severs and web hosts / ECT

[Joe_Dragon]

What about severs and web hosts / ECT.

Windows 7 UEFI secure boot??? enterprise use is way to big for that to get locked out.

Where is HP and DELL in this???

Supermicro??

Tyan??

Linux in Medical Devices (do really want MS windows to be the only choice there??)

http://blogs.windriver.com/medical/2011/11/using-linux-in-medical-devices-what-developers-and-manufacturers-need-to-know.html [windriver.com]

Secure Boot is just a waste and fixes no problem.

[VortexCortex]

Let's put on our thinking caps folks. Return Oriented Programing is an exploit engineering technique that uses the existing signed and/or encrypted code to create the exploit code. That means Secure Boot is defenseless to stop this type of exploit. If the application or OS code has mistakes in it then a function pointer on the stack, or in the heap (read/write memory) can be overwritten and be used by exploits via return oriented programming, and SecureBoot won't help one bit -- The code that's running is signed and/or encrypted. So if the Application or OS code isn't secure (which it won't be) then SecureBoot is pointless. What that? It won't be able to infect a boot sector? Well, if you've got malicious code running on your system then there exists an exploit vector that cane simply be re-exploited next time you boot up. See? Pointless.

Ah, but what if the Application and OS code could be written to be secure against stack smashing and undesired code pointer manipulations? Well then, there wouldn't be any exploit vectors that you needed SecureBoot to protect you against. See? Pointless.

Well, I say "Pointless", but what I mean is useless from an end user perspective. I don't mean to gloss over the only real use SecureBoot has: To prevent you from installing your own OSs and Applications, and having control over your own computers.

Re:Grub?

[cheesybagel]

What Ubuntu did was very unsatisfactory. You still cannot easily compile your own kernel. What that ex-RedHat guy did was a lot better since you can load anything you want as long as you confirm your choice on boot.

Here is what RMS should be doing instead of this petition which is going to get nowhere:

1. Restart work on coreboot
2. Make coreboot work with Windows and Linux as is
3. Convince more motherboard manufacturers to support coreboot
4. Ask Linux users on install if they want to backup their old BIOS and install coreboot as their default BIOS

Re:Grub?

[Sir_Sri]

Probably because people may still want to update their MOBO firmware without opening the case, same with installing a new OS.

It's one thing to do it on your machine at home. It's another to deploy 500 machines where you have to change a jumper on each one, and then change it back.

We, the FSF, like Secure Boot

[gnujoshua]

This post is a little misleading. We think Secure Boot is OK [fsf.org] so long as computer makers implement it in a way that it still allows a user to control his or her own computer. What we don't want computer makers to do is implement UEFI in such a way that a user is unable to sign their own software (e.g. bootloader) AND they are unable to turn Secure Boot off -- we call such an implementation Restricted Boot (because we want to emphasize that it instead of providing security, it exists to restrict a user from controlling his or her own device). We hope that computer makers will choose to implement UEFI in a way that truly does provide security and control, and many are implementing Secure Boot in this way.

Joshua Gay
Licensing & Compliance Manager
Free Software Foundation

Re:Not realistic

[SuricouRaven]

Conspiracy? Well, yes. This is *Microsoft* we're talking about here. The company convicted of antitrust violations by both US and EU regulators. The company which has a history of using every dirty trick in the book to get ahead, and which for many years waged a campaign against open source that seemed at times like some sort of personal vendetta. And the company which has now announced they are building a big 'Kill linux' button which they can press by revising a single clause in a contract. Based simply on the past actions of the company, it would seem a very bad idea to trust them with such power.