Saturday, October 29, 2011

UEFI Secure Boot Controversy Explained

There's been a lot of buzz and hyperbole spread out over the Internet regarding a new UEFI specification called secure boot. The concern isn't with secure boot itself but with its potential to prevent computers from running any operating system other than Microsoft Windows 8. I've discussed, read, and debated this issue quite a bit and wanted to formalize the situation as I understand it. I hope that this explanation is clear, factual and not favoring any political agenda.

Secure Boot is a new feature where a computer will only boot an operating system that contains a digital signature known to the motherboard. But what does that even mean? In digital cryptography there is an idea of what is called a public key and a private key. The author of a digital file can sign that file with their own private key. This key, as the name suggests, is private to the author. Only the person with that key can sign the file as long as that key stays private. Once it is made public the game is off.

The public key can be used to verify the file. Using the public key I can verify that it is indeed signed by the person claiming to be the author. To play that explanation back to the real world, Microsoft would sign its Windows 8 operating system with its private key. Any operating system with this signature attached to it must have come from Microsoft as only they have the key. The computer hardware itself would have a copy of Microsoft's public key, which it can then use to verify that the operating system is genuinely from Microsoft. If any unauthorized modifications have been made to it, the verification process would fail, and the computer would fail to boot. This would both ensure that a malicious program hasn't modified Windows 8 in a way that is harmful to the user, and would also help verify that the system is not pirated.

Here's where the controversy comes in. What if I buy a machine configured with secure boot and I wanted to run something else, such as a GNU/Linux distribution, Solaris, BSD, or my own homemade operating system? I couldn't, unless it was signed with a private key, and the computer had the public key to verify it with. Or, if the user could simply disable secure boot, then they could run a different operating system. Let's pause for a moment now. Secure boot can be a good thing. Ensuring that a verified operating system is running on your machine can only be good for you. Boot sector viruses can cause all sorts of mayhem. You only want on your machine the things that you have authorized to be on your machine. If something gets installed on your machine that you didn't authorize, the fact it found a backdoor into your machine is a good sign that it was only put there with malicious intent. With that, let's continue.

So let's explore the option of disabling secure boot. The first problem with this is that the ability to disable secure boot is not a requirement, and it is likely that many vendors will ship hardware without this option. The desire to disable secure boot to install something other than Windows is, admittedly, a niche desire amongst consumers. Vendors have a tendency to not cater to the niche. They focus on delivering the pieces that the masses will want. How this will really play out is yet to be seen. Perhaps all PCs shipping with secure boot (which is likely to soon be all PCs) will have the ability to disable it, but it seems reasonably likely this may not be the case.

But even if all PCs shipped with secure boot have the ability to disable it, we still aren't in the scenario we want to be in. Remember, secure boot is a good thing. If the only way to install GNU/Linux is to disable secure boot, it means that I am missing out on an important feature of my hardware. Why can't I enjoy the freedoms and security of Linux, and the security of secure boot? There's no technical reason why this can't happen. But first, my computer needs the public key to whatever third party OS I choose. This leads me into my next piece, and is absolutely the most crucial part.

How does my PC with secure boot receive the public keys that list the operating systems that are allowed to boot? Microsoft's recommendation, and requirement to be Windows 8 certified, is for the hardware vendors to provide this. This is called being a certificate authority, or CA. A CA has a whitelist of allowed public keys and who they belong to. They also provide a blacklist of denied public keys. This puts the hardware vendor in control of what can and cannot run on the hardware they ship. But what's wrong with that? The problems are many, but I'm going to focus only on the two major issues.

The first problem is that you own that hardware. You bought it. It is yours and it should obey your commands. If you can only do with your hardware what the manufacturer says, then it hardly really belongs to you. Like having to ask your landlord for permission to paint your living room, you will have to ask Dell, or Intel, or whomever anytime you want to do something that they didn't preapprove. This is a horrible way to move forward with technology. It is a fundamental freedom of ownership that you get to do what you want with it, within the limits of the law. If you wanted to run something they didn't preapprove, what kind of hurdles do you think you would run through trying to get in touch with your computer manufacturer and getting them to add new keys, which they could only push out to your machine, because you wouldn't want them to be adding keys for any consumer who just calls in and asks them to do so?

This could have a disastrous effect on the young tinkerers who like to play with hardware and make it do all the things it's not supposed to do so that they can one day become the future Steve Jobs and Larry Schmidts of the world. The ability of the young to toy with hardware and software in weird ways is how visionaries are born.

The second problem with making computer manufacturers the CA is the barrier it creates to new entrants in the market. Imagine that you created a really great product, say a new operating system, and you're just this geek living in your mother's apartment, but you know if you can just get it out there the world will be at your feet. But how? How are you, Mr(s). Nobody, going to convince all the different manufacturers out there to review your software, to make sure you aren't just some schmoe trying to get bad things on people's computers, and then get them all to add your key to their customers' hardware? The answer is simple. You won't. And whether or not your idea would have flopped, or transformed the world doesn't matter. You were stopped before you were even allowed to try. This is a horrible artificial barrier to progress and innovation.

The good news is that it is not necessary. All we need is for hardware vendors to make consumers the CA. This may sound difficult. What does the average human being know about being a certificate authority? People want to spend their time in front of their computer using it, not messing around with blacklists and whitelists for public keys. That's simply not feasible.

However, it is possible that your computer can have a standard means of accepting and denying keys upon request. Let's start with the scenario of a new PC owner booting up their Windows 8 machine for the first time. The initial bootup process of the installer could request the computer to add the Microsoft key. This would then create a prompt for the user to either accept or deny the key. Most people would just accept it and continue, no big deal. Someone like myself may deny it; I don't want to run Windows (actually, I wouldn't purchase a PC that even comes with Windows, but that's another story). For the person who denies it, they may put the CD into their machine that has the installer for their OS of choice. That installer would have its own public key, which would then prompt the user to accept, and then could boot that OS. It's even reasonable that antivirus programs could help the user keep the whitelist and blacklist up to date, requesting the computer to add whitelist and blacklist keys, and each time the user would accept or deny the request.

This puts the user in control. Only the owner of the hardware has the authority to accept or deny software from running on their own system, and it doesn't have to be complicated. It also allows all software vendors to play ball on an equal field.
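The signature check and the owner-approved whitelist and blacklist described above, sketched as an added example (not code from any real firmware or from the original post). Textbook RSA with tiny constructed keys stands in for real signatures, and `Firmware`, `request_add`, `owner_policy` and the key and image names are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook RSA from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, private):
    n, d = private
    return pow(digest(image, n), d, n)

def verify(image, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(image, n)

class Firmware:
    """Hypothetical firmware where the owner approves every key change."""
    def __init__(self, ask_owner):
        self.ask_owner = ask_owner  # stands in for the on-screen prompt
        self.whitelist, self.blacklist = {}, set()

    def request_add(self, name, public, deny=False):
        """Software asks to whitelist (or blacklist) a key; the owner decides."""
        if not self.ask_owner(name, public, deny):
            return False
        if deny:
            self.blacklist.add(public)
        else:
            self.whitelist[name] = public
        return True

    def boot(self, image, signature):
        """Boot only if a whitelisted, non-blacklisted key verifies the image."""
        return any(verify(image, signature, pub)
                   for pub in self.whitelist.values()
                   if pub not in self.blacklist)

# Constructed demo data: Mersenne primes give short toy keys, unsafe for real use.
DISTRO_PUB, DISTRO_PRIV = make_key(2**89 - 1, 2**107 - 1)
VENDOR_PUB, VENDOR_PRIV = make_key(2**61 - 1, 2**127 - 1)
DISTRO_IMAGE = b"constructed bootloader image for an example distro"
DISTRO_SIG = sign(DISTRO_IMAGE, DISTRO_PRIV)

def owner_policy(name, public, deny):
    """Constructed owner: approves every request except enrolling the vendor key."""
    return deny or name != "vendor"
```

A modified image, an image signed by a key the owner declined, and an image signed by a key that was later blacklisted all fail `boot`, while the unmodified image from an accepted key succeeds.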

I hope you find this post to be clear and lacking in hyperbole. It is not an attempt to call foul on Microsoft or anyone else. I do not believe anyone is acting in bad faith with secure boot, but I do believe we can have user freedom, security, and robust software competition all at the same time.