Anti-malware hardware has the potential to make it illegal and impossible to choose to run Linux


35 Responses to “Anti-malware hardware has the potential to make it illegal and impossible to choose to run Linux”

  1. Lurking_Grue says:

    If they released the keys then malware could be signed to also run.

    I’d rather take my chances with the malware.

  2. retchdog says:

    I heard the same thing ten years ago. And five years ago. And I’ll hear it again also in another five years. This just won’t happen. If nothing else (and there are a lot of things else…), IT departments run their own kernels and there’s just no way to keep that hardware from consumers at large.

    Also, tablets are designed to fill this “restricted casual computing” niche. As long as there are general-purpose PCs, this kind of tinkering will be part and parcel.

    • Cory Doctorow says:

      Previous versions of this fight have been different, because of the number of big industrial players who were invested in GNU/Linux — HP, IBM, etc — none of whom are in the PC business. The major proprietary OS vendors have historically put a lot of pressure on OEMs to lock hardware, and now they’ve got even more motivation, thanks to the success of the “app store” model.

      • retchdog says:

        I still just don’t buy it. App store apps are (more or less, generally speaking) bound to the OS already; they are their own lock-in, just as brick-and-mortar apps have been in the past. I don’t see how the app store changes anything.

        Even if we assume the worst case that the big boys like Dell _all_ implement this across the board, there will still be independent PC vendors like, say, System 76 (not an endorsement, just a random name). In the worst reasonable case scenario (i.e. barring government-mandated TC), this just means that free PCs will cost, at a guess, maybe $100 more. Further, this is just until competition and economies of scale kick in. Let’s just say that Thinkgeek sold $76M in trinkets last year to a customer base which would probably be quite interested in buying the unfettered computer…

  3. So when do we get the arduino equivalent of desktop hardware?
    Open source and competitive with intel, amd, ppc etc.

  4. That_Anonymous_Coward says:

    And because we the uneducated masses can not be trusted to know how it works, we will never know what else was put in with it.  Look at the laws they are trying to pass to protect the copyright business model, outlaw free speech, and any other attack on our liberties.  How soon until they just sneak in a required set of code that makes you trackable, and funnels the things you say to a system looking for “suspicious” behavior.

    And while we have heard about this in the past, now we have a public so terrified that every brown person is a terrorist they willingly accept their rights being taken away by a law… because I’m good they would never use it on me.

    This sounds terrifying

  5. librtee_dot_com says:

    Ironic, of course, because the absolute best way to avoid malware is to run Linux/OSX. Hmm.. I wonder who has been spearheading this?

    Microsoft has long been on a crusade against Linux, which they (rightly) see as their biggest competitor. 

    Especially in this age where so much software is run in browser, it makes less and less sense to pay for an OS.

    Microsoft, being the master of dirty tricks, would love to see something like this. 

    The MS anti-trust trial of ten years ago was a complete sham. They ignored the most galling anti-competitive behavior of MS- they have long strongarmed OEMs into not offering Linux, or risk losing their friendly licensing deals with Microsoft.

    There is no technical reason for every hardware maker not to offer linux in dual boot mode on every PC they sell, it would not increase their costs in any way, and would offer users a guaranteed ‘clean boot’ environment for doing online banking etc. securely.

    The ONLY reason they don’t is Microsoft’s strongarming. This is simply an evolution of that.

    Windows might sometimes be more convenient to use (and other times much less convenient), but every person who is paying attention and cares about net liberty has a moral obligation to avoid Microsoft products, and avoid giving any money to Microsoft, whenever possible.

  6. I can feel the next antitrust suit careening up Microsoft’s alley soon.

  7. Arthur McGiven says:

    I suspect that restrictive trading like this would be illegal under European law – MS has already been caught out here.

  8. journey46 says:

    A manufacturer has the right to do as they wish. Let’s hope that what they wish is a happy, loyal customer base.
    Toshiba chooses not to pay licensing fees to AMD for certain video driver updates.
    This is probably to sell more Qosmio series with beefier video cards to gamers.
    I don’t game but would like to update my Satellite video drivers so I am screwed.
    While I would like to see 100% support in driver updates from Toshiba I can understand it may not be cost effective for them.
    Still Toshiba is my brand of choice and I am very happy so far. (going on 8 years and 2 laptops now)

  9. John Ohno says:

    This was put in matter-of-factly as part of Rainbows End, and I thought this was by far the least realistic thing Vinge had in that book. While there will be some manufacturers that put out TC-enabled hardware that can’t run arbitrary OSes (and there have been in the past… Macs, notably, for a long time, and various other ‘turn key’ systems in the 80s and early 90s), two things always happen to such products: 1) just as with all forms of copy-protection, all forms of user-lockout eventually get broken: we can run Linux on GirlTek organizers, ffs, and the harder something is made out to be (regardless of whether or not it’s actually worth doing) the more effort will be made at actually doing it; 2) products incapable of performing those tasks that their competitors are capable of performing tend to lose (notable exception: the iPod, which remained popular through sheer hipsterism during the period prior to the point when J Random Primate could install Linux on one with one click if he felt like playing BreakOut). Basically, if TC systems keep people from doing anything they feel like doing, not only will TC systems be circumvented, but those alternatives to TC systems will profit from those too lazy to use someone else’s rooting code.

  10. paul says:

    If this comes to pass, malware makers will likely be at an advantage compared to FOSS types. Anyone who deliberately releases a key will find it blacklisted in short order (albeit there are always questions about how well revocation mechanisms will work), but someone whose key is stolen will do their best to conceal that fact for as long as they can. And if they’re big enough, revocation and re-up would have a big enough impact (think Service Pack Day multiplied by a zillion) that it might not happen at all.

  11. chrisharringtonjp says:

    I have some faith in hardware vendors. I’m a Linux user and I usually put together my own PCs from parts. As long as there is any kind of parts market, then there will always be enough prebuilt PCs on the market without any kind of lock down to fill the demand for non commercial OS users. And I think that all major PC manufacturers would find themselves having to offer a few models in their lineups at the very least without any lockdown. While the vast majority of consumer purchasers would not care, the percent that would, and the percent of businesses that would, would be significant enough to affect product lineups across the board.

    Sure, normal PC users and some businesses that change their mind about their OS choices at some point may be inconvenienced, but then that will make them think twice about their next purchase, which will subsequently be reflected in hardware vendor design choices.

    Even if implemented, the idea would not last very long IMHO.

    • librtee_dot_com says:

      We live in a world where the art of regulatory laws ‘protecting’ people from ‘dangerous’ products, in order to enshrine established industry players, has become something of an art form.

      In ten years, if these become popular, is it inconceivable that such laws could be passed, to ‘protect the public from malware and viruses (and, ehrm, non-microsoft/apple operating systems)?’ 

      Look at food – in many cases, truly healthful food is restricted, and junk food is promoted, all in the name of ‘public safety.’

      As it is, these initiatives would absolutely and forever cripple the growth of desktop linux. Currently, you can be turned on to Linux by a friend who pops a disk in your drive. If these became common, for the vast majority of non-techie users (who tend to use mainstream vendor PCs), this would be cut off. You would have to buy a computer to use Linux on it; thus only people who are already Linux fans would buy computers capable of running it.

    • Xof says:

      Yeah, just like I can build my own Blu-Ray player.

      Oh, wait.

  12. pjcamp says:

    Yet another reason to build your own. Buy parts; assemble them the only way they fit together. Install what you damn well please.

  13. librtee_dot_com says:

    P.S. Hey..what happens if, after they produce a few tens of millions of locked down motherboards…someone leaks the key and it gets on digg? What then???

  14. Adam Fields says:

    I don’t see this going very far. The regulators have already ruled that it’s legal to jailbreak phones to run your own software, regardless of DMCA provisions. Running your own OS on a computer you’ve purchased is likely to be similarly protected.

  15. cdale77 says:

    This week, I uninstalled linux from my main box after 5 years of using Slackware, Gentoo, and Ubuntu. I use linux now as a headless Samba box in the office. It’s *great* for that. 

    I went to Windows 7 because linux is either totally worthless as a desktop machine if you want any flexibility or don’t want to spend 15% of your time trying to figure out why something like your USB ports don’t work, or, it’s slow and klunky like Ubuntu. The only distro that compared to Windows 7 in terms of speed was Gentoo. Which took 2 days to compile and actually broke a machine once while building X.

    I tried, I really did, to use linux on the desktop. It’s not there. During my whole 5 year experience, every year was the “year of the linux desktop.”

    So, frankly, as much as I intellectually care about this, I find it hard to really be worked up about. Just being honest. 

  16. proginoskes says:

    I’m really not too worried about this. It’ll eventually end up like DVD-Video. Some anonymous Scandinavian will crack the one or two popular implementations of this DRM, beyond repair.

    Linux vendors will sell unfettered machines that lacked the DRM to start with. Linux users who want to use whatever bad or good hardware they like will execute the cracks and continue to do whatever they want with their PCs.

  17. kmoser says:

    This is why every purchaser of such a device must insist the manufacturer provide the keys, else the product should be returned. Would you buy a car with a proprietary electrical system that didn’t let you install aftermarket parts? I’m sure Richard Stallman has something similar to say along those lines.

  18. daniel123123 says:

    In a world where there is every single day more: open software, more desktops, laptops and tablets capable of running linux, more arduino devices, more maker faires, more commits on github, the idea that there might be something for other people offends a certain set of nerds.

    It’s precisely like American Christians offended at the “war on christmas”.

  19. digi_owl says:

    Strictly speaking, this is an extension to UEFI added to the latest version of the specification. It just happens that UEFI is built to be more capable and extendable than BIOS ever was, and so does not have to go with the TPM that older variants of the concept used. One can use UEFI both with and without this. Still, I wonder how that Linux based “BIOS” is getting along…

  20. scav says:

    I don’t think the DMCA is applicable here.  Just because TC sort of looks like DRM if you squint at it just right doesn’t make it legally the same.  The technical measure is not protecting copyrighted material, so it is not a DMCA violation to circumvent it.

    This never got tested in the Sony vs GeoHot case, which ended in settlement, I suspect, because Sony weren’t super confident they could win.

    So this stupid scheme would be cracked, and installer packages would be up on Debian non-us within weeks.

  21. Matthew McPherson says:

    So this applies to boards that are made for large scale distributors to be used in office machines that will never be leaving the office they were destined for? Seems like kind of a moot point already since IT depts. build their own servers from appropriate parts (or at least, good departments do) and simply wouldn’t include a board that has this.

    So as long as you assemble your PC yourself, a task that requires the ability to read a colour coded chart and operate a screwdriver safely, this won’t affect any home open source users. Building a PC may have once been an arcane art but now it’s so easy a child can do it.

  22. Listen people, you’re given a choice between two fine operating systems, which satisfies most of the consumer market.  Why would you need or want more than that? 

    Be happy with what you’ve been supplied by our corporate overlords, and stop rabble rousing.

    – Andrew Davies
       Coca-Cola drinker

  23. Thomas Shaddack says:

    Give me JTAG or give me death!

    There is a way to have the (purported) security offered with this scheme, while also offering the flexibility for everyone. Just make the keys area physically accessible via a set of JTAG pins, or at least solder pads. And it could be write-only.

    The other option is a complete chipping of the BIOS, like it’s done with some gaming consoles. A chip piggybacked on the original one, and chip-enable signals toggled with a switch to select the one the user wants.

    There is a lot of prior art for this in the world of game consoles – which are nothing more than a specific kind of generic-purpose computer, locked down in a pretty much similar way.

    Legal or not, there will be ways. And if they have laws, we have soldering irons. Which means we will win at the end – or at least not lose, which in fourth-generation warfare on the decentralized side more or less equals winning.

  24. Chris says:

    I’d file this under “wouldn’t it suck if?” rather than “imminent threat.”

    I simply can’t picture the de facto outlawing of specific operating systems. Samizdat black markets where people sell printouts of Linux kernels and USB sticks that offer clean installs… great sci-fi, but I just can’t seem to get myself afraid that it might actually happen. Like retchdog said, there will always be computer manufacturers (like System76) that will fill the “untrustworthy computing” niche.

  25. UncleB says:

    Watch closely now, as the American protectionists get ugly, try to monopolize computing world-wide! Watch me mail order a computer from China, or India, Ubuntu already installed, for free as usual!

  26. MyrddinWilt says:

    There are two separate issues here, the first is whether manufacturers will lock down their hardware so that only Windows can run and only with authorized drivers. The second is whether Linux can be signed so that it can be booted under this type of BIOS.

    The first concern is not valid because any manufacturer who locks down the BIOS to that degree will prevent anyone writing or even testing drivers on that machine. That would make it impossible to properly test the machine during manufacture for a start.

    The requirements for Windows-8 are simply that the BIOS check for signed boot by default. If there is a market for machines that can run Linux, manufacturers will produce them. I can’t see any reason why the manufacturers would not want to do so, Linux is a significant market.

    The second concern is a problem that RMS and the Linux community created intentionally. They have known that signed boot path is something that the enterprise computing world has wanted for decades. Without trusted boot any O/S is going to be suspect. In the security world, any O/S with a million or more lines of code is going to be full of holes. Any O/S is only as secure as the most incompetent coder allowed to write unmanaged code.

    When the first proposals for signed boot were made ten years ago, RMS rewrote the GPL to expressly prevent GPL code from being used in a trusted boot scheme. As a result the current Linux bootloader, GRUB2 is under GPL3 and cannot be signed unless the signer discloses the signing key (which would breach their license for the cert).

    The upshot is that Linux is going to be much less attractive for servers than at present until there is a GPL2 bootloader that can be signed. If a Linux machine is compromised there will be no means of getting back to ground truth. Even a clean install can’t guarantee recovery from a rootkit with a firmware leave behind.

    • Eric Rucker says:

      Well, there’s always forking an older GPLv2 version of GRUB…

    • digi_owl says:

      The GPL3 was written to protect against a third party holding the signing key. The igniter was Tivo, but similarly would be say the *AAs holding the right to yay or nay any piece of software on a piece of hardware that could output audio or video.

  27. borkbork says:

    I don’t think that MS would be the most likely candidate to implement such OS locking features in shipped hardware. No names, but glowing fruits come to mind… 
