LINUX BLOG SAFARI

Dangerous Concessions: Red Hat, Fedora and the Secure Boot Shocker

Well it’s been a jubilant few weeks here in the Linux blogosphere, thanks largely to some of the spectacularly sane decisions coming out of the tempestuous case of Oracle v. Google.

There have been parties in the streets, celebrations in the cafes, and rowdy songs aplenty being sung down at Linux Girl’s favorite Punchy Penguin Saloon.

So exuberant have been the celebrations, in fact, that Linux Girl quickly lost track of time amid all the revelries. Late last week, more than a few Tequila Tux cocktails later, she lifted her head from the bar once again only to find the mood had shifted dramatically.

‘Signed With a Microsoft Key’

“Microsoft will be offering signing services through their sysdev portal,” wrote Red Hat developer Matthew Garrett in a blog post late last month. “It’s not entirely free (there’s a one-off $99 fee to gain access), but it’s cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions.

“If there are better options then we haven’t found them,” Garrett added. “So, in all probability, this is the approach we’ll take. Our first stage bootloader will be signed with a Microsoft key.”

How innocent words can seem when taken apart from their meaning; put in context, the result was nothing short of a bomb going off in the Linux blogosphere’s main downtown.

‘A Clear Case of Abuse’

“How can this be legal and not an abuse of their monopoly power?” Slashdot blogger nurb432 demanded to know, for example. “Aside from the fact you can turn it off (for now), it still sounds like a clear case of abuse to me and someone should be talking to an attorney about this.”

Indeed, “it’s entirely obvious how this makes it harder for the little man to get ahead in the game,” agreed ZeroSumHappiness among the nearly 800 comments in the same Slashdot discussion.

And again: “Any proper system would have the end user hold the root key for the system and they could choose (or not) to bless certs from various vendors (or just directly sign the bootloader),” sjames pointed out. “Of course, MS doesn’t want a proper system, they want lock-in.”

And one more time: “No, $99 is not a big deal for Redhat,” wrote sl4shd0rk. Trusting Microsoft, however, is, sl4shd0rk added: “‘Ooops, lol.. guess we borked your key sign just before you had that big competing product release. Gee, sorry. We’ll get that fixed right away’.”

‘I Was Profoundly Disappointed’

Such was the dismay over Red Hat’s concession, in fact, that Tim Burke, the company’s vice president for Linux engineering, was compelled to add further explanation last Monday — to the tune of an additional 400-plus comments in yet another Slashdot discussion.

Did his words calm the roiling waters of the Linux blogosphere? That depends who you ask.

“I was profoundly disappointed to see that Red Hat was legitimizing Microsoft’s claim over the boot process,” Google+ blogger Linux Rants told Linux Girl.

‘A Sad State of Affairs’

In fact, “I would like to see a rebellion over Microsoft’s demands,” Linux Rants suggested. “I would like to see hardware vendors coming down on the side of the end users for once.”

Microsoft “has no real authority here,” he added. “If hardware vendors as a whole told them no, Microsoft would have to back down.”

Unfortunately, “hardware vendors lose motivation to do that when end users are apathetic about it, and alternate OS vendors submit to Microsoft’s demands,” Linux Rants explained. “This will only strengthen Microsoft’s hold on the desktop market. It’s a sad state of affairs.”

‘I Hope Anti-Trust Authorities Look into This’

Google+ blogger Kevin O’Brien saw it similarly.

“This certainly gives me a bit of concern because it puts Microsoft in the position of controlling the hardware and being a gatekeeper on what can be installed,” O’Brien explained.

“IS there any evidence that they have ever had this kind of power and *not* used it to crush their competition?” O’Brien wondered. “I hope the anti-trust authorities look into this.”

‘The Weak Link in the Chain’

Red Hat “should never rely upon M$ for anything as fundamental as booting,” asserted blogger Robert Pogson. “There’s just no way increasing the complexity of the boot process and putting M$ and its ‘partners’ as the weak link in the chain is an improvement on anything.”

If the secure boot feature can’t be disabled, “getting hundreds of distros to boot on random hardware will get harder,” Pogson added. “GNU/Linux was at a stage where complete newbies could install and boot. Soon GNU/Linux installers will be treated as malware. Great…”

Instead of joining the ranks of Microsoft’s partners, “Red Hat and others should obtain injunctions on the basis of anti-competition law,” Pogson suggested. “There’s no reason ‘secure boot’ should exclude GNU/Linux. It’s not malware. If the owner of the system wants to install any OS, they should be able to do that without M$’s permission.”

‘More Harm Than Good’

Red Hat’s solution may be good for Red Hat customers and Fedora users, Google+ blogger Alessandro Ebersol told Linux Girl.

“But it’s bad when it legitimates the UEFI locked boot, so M$ can escape anti-trust prosecution,” Ebersol asserted. “M$ is trying to pull off an Apple, which locks its machines’ boots. But then, Apple is a hardware maker, and M$ isn’t.”

At the end of the day, “I think this move from Red Hat does more harm than good, for the whole Linux ecosystem,” he concluded. “It remains to be seen if this farcical nonsense from M$ (UEFI Locked Boot) will stick. I’m guessing it won’t.”

‘Microsoft Should Not Be in Control’

The solution is “actually a lot better than I thought it would be, since $99 for the distro’s publisher isn’t bad,” consultant and Slashdot blogger Gerhard Mack opined.

However, “having said that, Microsoft should not be in control of the master certificate,” Mack added. “Some organization of PC manufacturers should handle it, and Microsoft should be a customer rather than the proprietor to reduce the possibilities for abuse.”

Slashdot blogger hairyfeet, on the other hand, felt the whole topic was “much ado about nothing,” he told Linux Girl.

‘Insane Conspiracy Theory Territory’

“Saying that someone who is 1) smart enough to know what Linux is and to install their own OS; 2) smart enough to find and download an ISO and to burn said ISO; is also 3) too stupid to flip a switch in BIOS seems to stretch the suspension of disbelief into insane conspiracy theory territory,” hairyfeet opined.

“Then there is the fact that secure boot makes NO sense for a good 99 percent of the Linux distros out there, since it’s tied to the kernel,” hairyfeet went on. “As we all know, the Linux kernels get updated with more frequency than Snooki’s wardrobe, so it would be completely pointless to even bother with it when it comes to Linux distros.”

In fact, “the ONLY reason that it makes sense in the case of RHEL is the simple fact that, like most things built for enterprise markets, it’s EXTREMELY conservative when it comes to updates, so frankly they stick with the old kernels a LOT longer than anybody else,” hairyfeet concluded.

“The few companies that keep a kernel long enough to need or desire certification can get it,” he added. “Everyone else can have a three-line how-to on their download page.”

‘This Is a Big Deal’

Much ado about nothing? Others weren’t so sure.

“I don’t think we really know what the antitrust fallout for this is yet,” began Chris Travers, a Slashdot blogger who works on the LedgerSMB project. “I would personally rather see Red Hat sue Microsoft than pay them.

“Microsoft is probably vulnerable here,” he explained. “I would also be surprised if regulators in the US and Europe aren’t watching Microsoft here deciding whether to pursue additional actions against them.”

In short, “they are probably less vulnerable in the ARM space, but in the desktopspace this is a big deal,” Travers concluded.

Katherine Noyes has been writing from behind Linux Girl's cape since late 2007, but she knows how to be a reporter in real life, too. She's particularly interested in space, science, open source software and geeky things in general. You can also find her on Twitter and Google+.

4 Comments

  • Kathryn – Please stop talking your nonsense makes my brain hurt.

    You take the worst possible inaccurate – doomsday scenario posts and regurgitate them as if they were factual. Doom and gloom – your articles are so bad that they are worthy of a Microsoft grassroots campaign award.

    • Sadly all she is doing is holding a mirror up to the FOSS community so if you don’t like what you see? maybe you should fight to change it.

      Heck look at Pogson, who actually has "Voldemort Syndrome" and will always type "M$" or "That Other OS". I wish that were an isolated case but just like politics the "normal" users have either stopped talking or switched to Apple while every year the lunatic fringe gets more bizarre.

      But please don’t take MY word for it, go to Slashdot, OSNews, ANY site that posted anything about secure boot and watch how quickly the posts became ‘Its a M$ Plot to destroy GNU! They are out to get you ZOMG!’ because frankly the FOSS community is waist deep in nutters right now.

      So if you don’t like it CHANGE IT!!! Post and point out the nutters whenever you see them and fight the crazy with facts. Facts like its a single switch in any X86 UEFI to switch off Secureboot, while on ARM, just like on iPad and iPhone, you can’t because its not meant to be a general use computer, or how MSFT has been making money off of Linux for half a dozen years now by selling SUSE licenses with several of their WinServer products.

      If you simply remain silent the crazies win, so let your voice be heard and fight the insanity!

      • I burn a Solaris 11.2 CD and try to boot it on my laptop and it says that "USB CDROM has been blocked by the current security policy". Whose security policy? Not mine….WTF?

  • This is so incredibly dangerous that I hope Red Hat reconsiders its position with regard to this issue. M$ must not, under ANY circumstances, be allowed to hold the world hostage, even for the nominal "ransom" of $99USD…

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Katherine Noyes
More in Community

Which cybersecurity hazard do you fear the most as an individual?
Loading ... Loading ...

LinuxInsider Channels