UEFI is a new hardware standard nominally aimed at stopping malicious software, but it could also make it illegal to replace Windows or MacOS with GNU/Linux on your computer. The Linux Foundation has written a technical memo for hardware vendors explaining how they can ship PCs that still protect users from malware, without putting them in legal jeopardy for running free operating systems:
Making UEFI Secure Boot Work With Open Platforms
The recommendations can be summarized as follows:
• All platforms that enable UEFI secure boot should ship in setup mode where the owner has
control over which platform key (PK) is installed. It should also be possible for the owner to
return a system to setup mode in the future if needed.
• The initial bootstrap of an operating system should detect a platform in the setup mode,
install its own key-exchange key (KEK), and install a platform key to enable secure boot.
• A firmware-based mechanism should be established to allow a platform owner to add new
key-exchange keys to a system running in secure mode so that dual-boot systems can be set
• A firmware-based mechanism for easy booting of removable media.
• At some future time, an operating-system- and vendor-neutral certificate authority should be
established to issue KEKs for third-party hardware and software vendors.
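The first two recommendations depend on software being able to tell a platform in setup mode from one in user mode. As an added example (not code from the Linux Foundation memo or from this post), this Python script classifies that state from the UEFI `SetupMode` and `SecureBoot` variables; it assumes a Linux system exposing them through efivarfs at `/sys/firmware/efi/efivars`, and the state labels it returns are names chosen here.

```python
import struct
from pathlib import Path

# Namespace GUID of the UEFI global variables (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumption: Linux with efivarfs mounted here

def parse_efivar(raw):
    """Split an efivarfs file into (attribute mask, data): 4-byte LE header, then payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]

def read_flag(raw):
    """SetupMode and SecureBoot each hold a single byte, 0 or 1; None means variable absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] > 1:
        raise ValueError(f"unexpected flag payload {data!r}")
    return data[0] == 1

def classify(setup_raw, secure_raw):
    """Map the two raw variables to the platform state the recommendations refer to."""
    setup, secure = read_flag(setup_raw), read_flag(secure_raw)
    if setup is None:
        return "unknown"        # legacy BIOS boot, or efivarfs not available
    if setup and secure:
        return "inconsistent"   # per the UEFI spec SecureBoot is 0 while in setup mode
    if setup:
        return "setup"          # no platform key enrolled: owner can install PK and KEK
    return "user-enforcing" if secure else "user-disabled"

def read_live(name):
    """Return the raw efivarfs bytes for a global variable, or None if it is absent."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes() if path.exists() else None

if __name__ == "__main__":
    # Constructed sample: attributes 0x6 (boot-service + runtime access), values 1 and 0.
    print("sample:", classify(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    print("this machine:", classify(read_live("SetupMode"), read_live("SecureBoot")))
```

A result of `user-enforcing` on a machine where the owner cannot reach `setup` again through firmware is the situation the first recommendation is meant to prevent.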
It's been years since the idea of "trusted computing" was first mooted -- a hardware layer for PCs that can verify that your OS matches the version the vendor created. At the time, TC advocates proposed that this would be most useful for thwarting malicious software, like rootkits, that compromise user privacy and security.
But from the start, civil liberties people have worried that there was a danger that TC could be used to lock hardware to specific vendors' operating systems, and prevent you from, for example, tossing out Windows and installing GNU/Linux on your PC.
The latest iteration of Trusted Computing is called "UEFI," and boards are starting to ship with UEFI hardware that can prevent the machine from loading altered operating systems. This would be a great boon to users -- if the PC vendors supplied the keys necessary to unlock the UEFI module and load your own OS. That way, UEFI could verify the integrity of any OS you chose to run.
But PC vendors -- either out of laziness or some more sinister motive -- may choose not to release those keys, and as a result, PC hardware could enter the market that is technically capable of running GNU/Linux, but which will not allow you to run any OS other than Windows.
What's more, UEFI may fall into the category of "effective access control for a copyrighted work," which means that breaking it would be illegal under the DMCA -- in other words, it could be illegal to choose to run any OS other than the one that the hardware vendor supplied.