jazz and conversation, from the foot of Mt Belzoni (ikkyu2) wrote,
jazz and conversation, from the foot of Mt Belzoni

More on Secure Boot and Linux

And I do mean "Moron."

I was pretty excited about my new PC. It has a cutting edge motherboard chipset. In fact, I paid about $150 premium because I wanted a Z77 chipset on the motherboard because I wanted to be able to take advantage of Intel's latest technologies. I am an Intel shareholder and I think Ivy Bridge is sexy and I like that Intel spends more on capex than the GDP of a medium sized country every year. Enough about that.

The remainder of what's written here isn't warranted for accuracy and I welcome corrections. Secure Boot is a technology that uses a Verisign certificate to make sure that untrusted software simply can't run - can't get a root access and boot up as an OS at startup time. It's meant to prevent, as I understand it, a certain kind of attack known as a rootkit, and I think that the main reason is to retard the proliferation of these botnets that are used all over the place to zombify peoples' computers and use them in DDOS attacks and other ways of hacking.

A side effect of this is that it's hard to dual boot Windows 8 with Linux on such a machine. No, actually, it's really hard. If the Linux columnist for zdnet can't make it work with personal assistance from the head of the Fedora dev team, what chance does an ordinary mortal like you or me have? (I was pretty sure I'd bricked my new computer for an hour last night; not cool, not cool at all, and is the kind of thing that makes me never want to hear about Linux again for a long time.)

I get why Linux distros don't want to buy in - it makes their bootloader non-GPLv3-able, in other words, a key part of their software isn't free anymore (as in both speech and beer.) And I actually get why Microsoft might prefer to lock Linux out of hardware they view as "theirs;" Win8 is less of a productivity suite, more of a "We captured eyes and market share" type of experience, that's the way OS engineering is going these days. However, I find it reprehensible of them, but, it's Microsoft, what do you expect?

What I don't get is why INTC is going along with this? What do they stand to benefit by locking Linux out of their hardware? Do they think they're appeasing MSFT?

The hard part about interpreting this is that Secure Boot actually offers some neat features. It's neat to not be rootkit-able, frankly; that's a feature I'd pay a few bucks for. I get that free software doesn't want to have to pay a few bucks to use firmware and hardware based technology, but what exactly is the alternative when the issue at hand is security?

Frankly, thinking from a security perspective, I find it hard to believe that there are no malicious persons on any particular Linux dev team, be they government, corporate, political, or just random hackers; introducing subtle security holes for the benefit of their employers while at the same time contributing 'upgraded' code. I could say the same about MS or AAPL or any OS developer, of course, but I think when the source is truly open, and forks as much as Linux does, vetting every code contributor or vetting all the code would be a nightmare and is just the kind of nightmare that open source tends to ignore completely because it is not equipped to deal with it. (I could be wrong about this; would love to learn more, if I am.) I totally get, in fact, that Verisign might not want to issue certs to this kind of codebase!

Murkier is the role of the Win 8 hibernate-shutdown. Right now, when I tell Win8 to shut down, it doesn't; it hibernates, conserving power; writes RAM to disk; takes a disk snapshot; and when it awakens again, anything that's new on the disk is destroyed. That's pretty clearly not playing nice with any other OS that might want to, you know, use the disk while Windows is sleeping. I can see where this would offer security benefits, but, [expletive deleted], did it ever give me a hard time when this machine corrupted its OEM Win8 install on first bootup in my house; and it really makes it nearly impossible to share data or dual boot with a Linux or any other OS. Also, if a cosmic ray strikes, good luck ever booting that volume again; I feel like someone didn't really think this through, or else they had way more faith in MS's Repair and Restore Points utility than any real world user of the tech ever had. I get that BIOS is an old technology and delays my startup by like a minute and that this makes it speedy, but frankly if I used this computer for anything more mission critical than Steam gaming (Steam cloudbases your saves!) I'd certainly shut it right the [expletive] off because of the risk of data and OS corruption.

Tough stuff. As an end user I actually am kind of enjoying Win 8 - it boots fast, works well as a sort of casual computer OS for gaming and knowing what the weather is and having a lot of colorful squares on screen; and it plays well with all my hardware. As a guy who was listening to rms lecture a roomful of bearded dudes in 1990, I really do believe software, at least some software, ought to be free; and I am really kind of put out that I bought expensive hardware that can't play nice with free software. And as a dude whose gf is on an [expletive] moral crusade to get me to run Linux, frankly the whole thing is sort of a headache, especially as I was justified and ancient with a copy of Kernighan and Pike in my hand before she was out of diapers. (She thinks I ought to up/downgrade to Windows 7; I have no good counterargument except "really, must I learn Yet Another Crappy Micro$oft OS so that I can run Linux?")

I assume the major Linux distros will get on board and Fix This; I don't know how, but then again those people who make that stuff work are way smarter than me about such things and can make it so functional computer illiterates like me can get this working without difficulty. Until then, though, I am puzzled and annoyed.

Comments welcome.
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded