Torvalds clarifies Linux's Windows 8 Secure Boot position

Summary: The fuss over how to handle Windows 8 PCs' Secure Boot keys in desktop Linux continues, and Linus Torvalds spells out how he wants to see it handled.

No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8-certified PCs. But how Linux should handle the fixes required to deal with this problem remains a hot-button issue. Now, as the debate continues hot and heavy, Linus Torvalds, Linux's founder and de facto leader, spells out how he thinks Linux should deal with Secure Boot keys.

Linus Torvalds spells out how Linux is going to handle Windows 8 Secure Boot keys and signed modules.

Torvalds was mad as hell about proposals to place Secure Boot keys and their management into the Linux kernel itself. Torvalds called the idea "moronic."

That said, there still needs to be some way to deal with the necessary evil of Secure Boot key management. Or, does there?

Part of the concern driving the desire to manage Secure Boot at a low level in Linux is that a Microsoft-signed Linux Secure Boot key might be used to hack systems. If that were to happen, some developers fear that Microsoft would disable the key. This would have the effect of disabling Linux PCs using that Secure Boot key. And no one wants that.

On the Linux Kernel Mailing List (LKML), Matthew Garrett, the leading Linux UEFI programmer and creator of the shim approach to dealing with Windows 8 Secure Boot, pointed out that "Microsoft may remove a Compatible Product from the Microsoft Compatibility Lists and/or revoke the digital signature upon 30 days notice to Company in the event Microsoft determines in its sole judgment that the security of the UEFI Code is compromised." Therefore, he continued, the "ability to use the signed code [such as that used in Linux's fixes for Secure Boot] to boot an untrusted copy of the Windows kernel is a clear breach of the trust model."

But how serious is this threat? James Bottomley, CTO of Server Virtualization at Parallels and the Linux kernel developer behind the Linux Foundation UEFI pre-bootloader, told me that he discounts the "Microsoft will blacklist our key" argument.

Bottomley continued:

"There are two points to consider here: firstly we don't have a key: if you look at shim and my PreBootloader, they're actually signed with the *same* key. That means that there's no real distro-specific key to blacklist. Secondly, Microsoft isn't going to get into the business of policing Linux security. What they've told us privately is that as long as no-one comes along with a plausible exploit for Windows based on using a secure boot enabled Linux system, they don't care what we do. This 'plausible exploit' has to be some way of getting ordinary Windows users to run the code and become compromised, it's not an experienced Linux user becoming root and subverting Windows on their local box."

Other senior Linux kernel developers agreed with Bottomley. Ted Ts'o wrote:

"Microsoft would take a severe hit both from a PR perspective, as well as incurring significant legal risks if they did that in certain jurisdictions --- in particular, I suspect in Europe, if Microsoft were to break the ability of Linux distributions from booting, it would be significantly frowned upon."

Greg Kroah-Hartman, another prominent Linux kernel programmer, wrote that he doesn't buy Garrett's interpretation of what Microsoft wants. "I fail to see how Microsoft should be dictating how Linux, or any other operating system, works, especially when they aren't even signing the kernel, they are merely signing a bootloader shim and saying 'do your best for keeping the rest of the system secure please.'"

Bottomley added:

"We do need pieces in the kernel to exploit secure boot in a way that users can take advantage of, so signed modules is definitely part of that. The only bit I don't buy is the lock root out of modifying the hardware approach because I can't really see a use case for it outside of 'we think this will make Microsoft happy.'"

And what does Torvalds himself think about all this? He's not happy. "Stop the fear mongering already."

Torvalds then goes on, in his own take-no-prisoners style, to suggest a plan on how to deal with Secure Boot signed keys and modules, which "is based on REAL SECURITY and on PUTTING THE USER FIRST instead of your continual 'let's please Microsoft by doing idiotic crap' approach."

Specifically:

  • A distro should sign its own modules AND NOTHING ELSE by default. And it damn well shouldn't allow any other modules to be loaded at all by default, because why the f*ck should it? And what the hell should a Microsoft signature have to do with *anything*? 
  • Before loading any third-party module, you'd better make sure you ask the user for permission. On the console. Not using keys. Nothing like that. Keys will be compromised. Try to limit the damage, but more importantly, let the user be in control.
  • Encourage things like per-host random keys--with the stupid UEFI checks disabled entirely if required. They are almost certainly going to be *more* secure than depending on some crazy root of trust based on a big company, with key signing authorities that trust anybody with a credit card. Try to teach people about things like that instead. 
  • Encourage people to do their own (random) keys, and adding those to their UEFI setups (or not: the whole UEFI thing is more about control than security), and strive to do things like one-time signing with the private key thrown out entirely. IOW try to encourage *that* kind of "we made sure to ask the user very explicitly with big warnings and create his own key for that particular module" security. Real security, not "we control the user" security.

Torvalds concluded, "It really shouldn't be about Microsoft blessings, it should be about the *user* blessing kernel modules. Quite frankly, *you* are what the key-hating crazies were afraid of. You peddle the 'control, not security' crap-ware. The whole 'Microsoft owns your machine' is *exactly* the wrong way to use keys."

OK, so how would that actually work in practice? Torvalds answers:

"So the first order should be: 'we provide modules to cover all normal users'. You use the RH [Red Hat] key for that.

The *second* order should be: 'we encourage and tell people how to add their own keys and sign modules they trust'.

The third order should probably be 'we encourage people to use random one-time keys - probably with UEFI key checking turned off entirely, because let's face it, that doesn't really add any real security for most people'. It's what kernel developers and most servers would probably want to use. They likely don't do the whole UEFI crap anyway, and random one-time keys are actually better against things like rootkits etc than *any* centrally administered chain of trust.

Only somewhere really really deep down should the 'OK, what about a MS signature' thing be. It could be part of the user-level application (part of your distribution) that displays the 'Are you really sure you want to load this module with an unrecognized signature? I can tell that it has a MS signature on it'. But by the time you get this far, you've already failed the first few normal levels."
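Torvalds' "add your own key" and "random one-time key, private key thrown out" orders (and the per-host key bullets above) describe a flow that the article never shows end to end. The script below is an added example, not code from the article or from any kernel developer: it generates a throwaway key, signs a constructed stand-in for a .ko file, destroys the private key, and then verifies the way a loader would, against the enrolled certificate alone. It assumes only that openssl is installed; the kernel's real scripts/sign-file tool emits the same kind of detached PKCS#7 signature that `openssl cms` produces here, and the 12-byte module_signature trailer plus magic string follow the layout in the kernel source.

```shell
#!/bin/sh
# Added example (not from the article): Torvalds' "one-time key" flow with
# openssl alone. The kernel's scripts/sign-file emits the same kind of
# detached PKCS#7 blob; the 12-byte module_signature trailer and magic
# string are appended by hand here so the on-disk layout is visible.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MAGIC='~Module signature appended~'     # 28 bytes once the newline is added

# 1. Fresh RSA key plus self-signed cert. Only the cert (the public half,
#    which is what you would enrol in the kernel keyring or MOK) is kept.
gen_onetime_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=one-time module signing key' \
        -keyout "$WORK/onetime.key" -out "$WORK/onetime.crt" 2>/dev/null
}

# 2. Detached signature with no signed attributes and no embedded certs
#    (the flags sign-file uses), then trailer, then magic. The private key
#    is destroyed as soon as the signature exists.
sign_module() {  # $1 = unsigned module, $2 = signed output
    openssl cms -sign -binary -nocerts -noattr -md sha256 -outform DER \
        -signer "$WORK/onetime.crt" -inkey "$WORK/onetime.key" \
        -in "$1" -out "$WORK/sig.p7s"
    siglen=$(( $(wc -c < "$WORK/sig.p7s") ))
    {
        cat "$1" "$WORK/sig.p7s"
        # algo=0 hash=0 id_type=2 (PKEY_ID_PKCS7) signer_len=0 key_id_len=0 pad[3]
        printf '\000\000\002\000\000\000\000\000'
        printf "$(printf '\\%03o\\%03o\\%03o\\%03o' $((siglen >> 24 & 255)) \
            $((siglen >> 16 & 255)) $((siglen >> 8 & 255)) $((siglen & 255)))"
        printf '%s\n' "$MAGIC"
    } > "$2"
    rm -f "$WORK/onetime.key" "$WORK/sig.p7s"
}

# 3. What the loader does: check the magic, read sig_len, split the file and
#    verify the PKCS#7 against the enrolled cert only. 0 = good, 1 = reject.
verify_module() {  # $1 = signed module
    f=$1; total=$(( $(wc -c < "$f") ))
    printf '%s\n' "$MAGIC" > "$WORK/magic"
    tail -c 28 "$f" | cmp -s - "$WORK/magic" || return 1
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1 -j 8 -N 4)
    siglen=$(( $1 << 24 | $2 << 16 | $3 << 8 | $4 ))
    [ "$siglen" -gt 0 ] && [ "$siglen" -lt $(( total - 40 )) ] || return 1
    head -c $(( total - 40 - siglen )) "$f" > "$WORK/body"
    head -c $(( total - 40 )) "$f" | tail -c "$siglen" > "$WORK/sig.der"
    openssl cms -verify -binary -inform DER -in "$WORK/sig.der" \
        -content "$WORK/body" -certfile "$WORK/onetime.crt" -noverify \
        -out /dev/null 2>/dev/null
}
```

Once onetime.key is gone, nothing can produce another signature that this certificate accepts, which is the property Torvalds is after: a compromised build box later cannot sign a rootkit module for this host.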

So, there you have it. Until you pry Linux from Torvalds' cold, dead fingers, Microsoft Secure Boot keys and signed binary modules are not going to be in the Linux kernel.

You will, however, be able to use these to install and boot Linux on Windows 8 PCs; but that will be done in userspace, not in Linux's heart. And if you really want to load Microsoft-signed drivers, such as hypothetical future binary-only graphics drivers from Nvidia or ATI/AMD, you'll be able to do that as well. It just won't happen automatically as part of Linux's core functionality.

Talkback

334 comments
  • Kudos to Linus

    He stands up for what he believes in.
    RickLively
    • Linus must win!

      Look, the first thing I do with a new computer is remove windows from it. Been doing that since 2003 when my winders computer got a virus and it killed everything I had in it. I have a Samsung TV that runs Linux and I cannot hack into. That's the last Samsung TV I will buy. Go ahead MS, make your PCs unhackable and see where the users go. I have not bought a tablet computer yet because every new version seems to be more restrictive than before. But that's all coming to an end and PCs are on their way out. Tablets should be boot-friendly with whatever the user wants to run. Not everyone needs to type a letter. I did buy an Arduino and Launchpad and will be getting a Raspberry Pi. I don't need them. I just want them to make stuff in the garage. Not everyone is into Excel and Word. Today people just want this stuff, they don't need it. So if you want us to buy it, then stop making it hard for us to use it.
      AomeDina.SD
      • RE: Linus must win!

        "Look, The first thing I do with a new computer is remove windows from it."

        Funny. The first thing I do with a new computer is unwrap the motherboard from its packaging. Why even pay for Windows at all?
        xyzyxx
        • And 30 minutes later

          You file the first RMA....
          I personally stopped doing my own assemblies and ask someone to do it for me along with all the usual QC and inevitable RMAs. Not saying the company's name so this is not considered spam.
          kirovs
          • There are ...

            Literally thousands of companies out there who build custom PCs for you at about the same cost an OEM would. Why not buy from them? Or just buy from an OEM like Dell or HP who actually sells computers with Ubuntu installed?
            mrefuman
          • Glad You Brought This Up

            I tried many times to buy from Dell strictly with Ubuntu on it, no matter how I worded it on the phone, Ubuntu, or have you ever heard of Linux? They did not have a CLUE what I was talking about and seemed three sheets to the wind. I still in all my cases ended up buying the garbage pre-installed on a good high-end Dell PC and removing the damn garbage to install Ubuntu. So something is not right or it's country-specific.
            syncdram2010
          • Yes, Dell hasn't made it easy, or even everywhere

            at least, not until recently with the Sputnik/ XPS13 Developer's Edition -- and that's definitely niche.

            The problem for the OEMs is that they're very dependent on Microsoft; Windows is not only a 'critical resource' but it's available from only one supplier, and it's utterly essential for 90-something percent of their market -- they can't afford to peeve Microsoft beyond some point -- or risk much of their ability to compete by losing reliable access, favorable licensing deals, and qualification for Microsoft co-marketing support.

            (Look what happened to Asus a few years ago at the 2009 Taipei Computex, when they strayed from the fold -- the Asus CEO ended up making a public apology over the Linux/Android Snapdragon netbooks -- and Asus is still running the sycophantic Windows advertising campaign that came out of that incident).

            But OEMs are clearly not happy -- they are looking for options and exploring alternatives. And the success of Android has made the threat of striking out more credible.

            Dell's semi-committed flirtation with Linux is a case in point. (See, I wasn't just rambling.) Dell used to just placate Microsoft by making it difficult for customers to find and order Linux systems, and by not showing equivalent hardware available for both Linux and Windows, or at equal prices. (For example, I myself would have bought a Dell Linux netbook -- if only I could have gotten it with the same 6-cell battery as was available for the Windows version).

            But with Sputnik or XPS13 Developers Edition, Dell has found a way to really demonstrate Linux's viability, on the same hardware as Windows, without directly confronting Microsoft and forcing a showdown.

            Of course, if you can't justify the cost of an XPS13, the old hassle still holds, Microsoft still wields the big stick, and progress is glacial.
            bswiss
          • No need to say the company name ..

            I think most here probably know who you're talking about. Did tens of thousands of dollars of business with that company over the years without a single incident. Not one. Received a bad part from them, tried RMA'ing it and they refused! After doing tens of thousands of dollars in business with them over the last 8-10 years they refuse a $159 RMA? Never doing business with them ever again.

            And to stay on topic, I'm not buying a UEFI motherboard. Period. If it comes down to it, I'll take my un-installed H55 motherboards back out of storage and re-install the CPUs and use them if I have to. No way I'll buy hardware that restricts which OS I decide to put on it.
            leb4
          • You don't have to.....

            build your own system!
            Charles_B
          • UEFI isn't an issue

            You can just turn off the secure boot, or change/add keys. No need to stick with old tech forever. Best of all, you can remove the MS key and not let anything Microsoft boot on your system. :-)
            jgm2
        • Is this UEFI garbage in all boards now?

          I have not looked in the last few years. Can you still buy GOOD motherboards that do not include all this UEFI garbage? I will never want Windows 8 anyway, so why would I want a board that has been screwed up to support it? After a few minutes of reading it seems that 'Secure Boot' is what is making things so difficult. Can it be turned off in the BIOS, or UEFI, or whatever?
          GKSeifert
          • Mostly

            Most boards do come with UEFI now to make them Windows 8 compatible. However, UEFI by itself isn't an issue. UEFI includes a "Legacy BIOS" setting that allows you to boot non-UEFI operating systems. It works quite well. The only issue with UEFI is those pesky Windows 8 computers that come with UEFI with Secure Boot enabled. Though, I've been told you can disable Secure Boot. (Not that I believe everything I'm told.)

            @kirovs: Funny, I build my own computers and I've never had to RMA. I'm not saying there aren't bad products out there, there are. In fact, the last desktop computer I bought in a store had a hard drive issue within the first few weeks of using it. I swapped out the drives (yes, I killed the warranty) and had no further issues with it. In fact, I gave it to my mom in 2010 and she's still using it. So, just because you buy a computer from a company that builds them doesn't guarantee you won't get crappy components.
            SciFiDude79
          • Half the fun is to figure out which components won't need RMA.

            They usually aren't the cheapest. User reviews are a modern day miracle. :)
            SlimSam
          • EUFI does not necessarily mean "safe boot" compatible

            Don't be misled by the EUFI hype. I was. I restricted my choices to EUFI motherboards for my workstation build in the fall of 2011 just so I would enjoy whatever safety I get with safe boot under Windows 8. Now I am running Windows 8 and, now that I have learned how to get work done with it, think it is great.

            Imagine my disappointment when Windows 8, during install, announced that my EIFI ASUS P8Z68-V PRO very top of the line motherboard has a EUFI BIOS that is NOT compatible with safe boot. Asus, so far, has not responded to my inquiry so I gather they don't plan to support Safe Boot on their EUFI BIOS.
            erlewis9
          • Oops, I mean UEFI

            Oops, I mean UEFI
            erlewis9
          • That's what you get for believing Microsoft

            They said it would work, now didn't they? It was on the internet there in b/w and the internet is always right. Right?

            ;)
            CaviarGreen
          • Thanks.

            Looking further I see that on many boards Secure Boot can be disabled in setup. So if Windows 8 is not involved 'I don't think' there should be a problem with Linux or other OSs. Hope I am right on that. But apparently some boards lock that option so it can not be shut off. That is a serious problem, and I will never buy one of those boards.
            GKSeifert
          • Where did you hear this FUD?

            "But apparently some boards lock that option so it can not be shut off."

            This is FUD. This is a lie that has been spread by Linux FUDsters.
            toddbottom3
          • Actually...

            Microsoft received significant backlash for suggesting manufacturers limit it to Windows on PCs and eventually they dropped it from their certification program... But the tablets are this way, nobody fought for the tablets.
            microcode
          • I did...

            ...but no one listened. :-( Even after we won the desktop battle, everyone was still going on about the desktop. Now we'll see ARM laptops that are locked into Windows only as a result.
            jgm2