New Group Calls For Boycotting Systemd

  • Luke
    replied
    If a machine can't be unlocked, that means it's bricked to me

    Originally posted by interested:
    Yep. Almost the only way the Linux community has any influence on the hardware is by "wallet voting". The hardware vendors don't care about online pleas or open source; they only care about money and competitive advantages over their competitors.

    Back in the old days there was very limited Linux hardware support, which meant Linux buyers just had to buy from a limited selection; but when Linux adoption grew, that suddenly meant substantial extra sales of certain hardware, which in turn meant more vendor Linux support in order to gain market share, etc.

    The bad thing is that some of the "lock down" mechanisms are mandated by Microsoft; the hardware vendors have no choice but to support UEFI Secure Boot if they want to run MS software.
    So traditional "wallet voting" doesn't help against the concept as a whole, since it isn't a consumer choice but is decided by business contracts.

    I think the Linux community needs to discuss the concept of signed booting and trusted computing. My own take on the subject is that, since we can no longer avoid it on the hardware, boycotting the concept doesn't work. We may as well use the good parts for our benefit and see if we can pressure hardware vendors and standards committees to support the Linux way of using it.

    While the technical details may be many, I think most Linux users (and computer users in general) would say that, whatever the solution is, it should leave the end user in total control of whether to use the secure facilities or not.
    The only products that lack an option to say NO are food and water. If industry requires all computers to be locked so well we can't crack them, we still have the option to buy used or buy nothing. Just like I choose not to have a smartphone and not to be on Facebook, I can also choose not to have a computer if I can't get one that works for me instead of working for Hollywood and the FBI.

    For me, it's OK to have to crack the BIOS/UEFI or even have to force-flash new firmware with a Bus Pirate, but not OK to have a machine that can't be cracked by any means unless it's the test subject for the cracking research itself. It must either have the option to disable Secure Boot, the option to use my keys, or a crack against it: one of the three. If any machine that can run Linux without having to be actively cracked is on the market, that renders all that require cracking uncompetitive in my book as well. I do not demand support, but I DO demand tolerance and no active interference, such as that code in one vendor's UEFI implementation that looks for a boot image named either for Windows or RHEL. That code will run any bootloader given the correct string name, but I would not pay a penny for the board, on the grounds of not rewarding active interference.

    The day Microsoft announces that it will be required for motherboards to be hard-locked against any other OS to be able to boot Windoze is the day I stockpile the last generation of AMD hardware not to support that requirement. Since I don't play pay games, watch pay movies, or deal in 4K content, there is no reason for me to ever need new hardware unless what I have is stolen in a police raid or by burglars, or dies from electromigration. There should be plenty of Bulldozer, Piledriver, and Phenom II stuff on eBay for years to come, so Microsoft and Apple can go to hell. With luck the locked boards get cracked and remain usable, but I'm not betting anything important on that.

    I don't need to connect to a new style "secure Internet" since I don't bank online or use paid services like Netflix. In fact, over a decade ago there was a bill that went nowhere in the US Congress to require secure boot to a DRM-supporting, approved OS as a condition of legal connection to the Internet. That would have been defeated by dial-up services over voice lines, faster services tunneled as encrypted packets through "approved" machines treated as untrusted routers and looking like a corporate VPN to the telcos, and of course by good old fashioned flash drive filesharing: Hollywood's old digital audio tape nightmare returning.

    There are good reasons I never throw away operable Pentium 4 or later hardware, and the current industry talk of walled gardens is one of them.
    Last edited by Luke; 15 September 2014, 08:35 PM.



  • interested
    replied
    Originally posted by Luke:
    If manufacturers go this route, the counter is obvious: boycott their hardware, the same way I refuse to buy a smartphone because I distrust not only their software but also their firmware. Some will be hacked and jailbroken, some will get mod chips, but why bother so long as hardware that can be freely used exists, even if you have to buy it used. There are enough Linux users who don't like walled gardens to make a "RHEL-only" device a dud on the sales floor, and if they want to use Linux, moving any part of the kernel that they simply HAVE to use to GPL 3 would shut them down outright. Too bad relicensing the entire kernel under GPL3 would be such a quagmire...
    Yep. Almost the only way the Linux community has any influence on the hardware is by "wallet voting". The hardware vendors don't care about online pleas or open source; they only care about money and competitive advantages over their competitors.

    Back in the old days there was very limited Linux hardware support, which meant Linux buyers just had to buy from a limited selection; but when Linux adoption grew, that suddenly meant substantial extra sales of certain hardware, which in turn meant more vendor Linux support in order to gain market share, etc.

    The bad thing is that some of the "lock down" mechanisms are mandated by Microsoft; the hardware vendors have no choice but to support UEFI Secure Boot if they want to run MS software.
    So traditional "wallet voting" doesn't help against the concept as a whole, since it isn't a consumer choice but is decided by business contracts.

    I think the Linux community needs to discuss the concept of signed booting and trusted computing. My own take on the subject is that, since we can no longer avoid it on the hardware, boycotting the concept doesn't work. We may as well use the good parts for our benefit and see if we can pressure hardware vendors and standards committees to support the Linux way of using it.

    While the technical details may be many, I think most Linux users (and computer users in general) would say that, whatever the solution is, it should leave the end user in total control of whether to use the secure facilities or not.



  • Luke
    replied
    The answer to that might be not to buy ARM for handling your data

    Originally posted by jbernardo:
    As it was too late to edit my post, here is the rest of it:

    "We want our images to be trustable (i.e. signed). In fact we want a fully trustable OS, with images that can be verified by a full trust chain from the firmware (EFI SecureBoot!), through the boot loader, through the kernel, and initrd. Cryptographically secure verification of the code we execute is relevant on the desktop (like ChromeOS does), but also for apps, for embedded devices and even on servers (in a post-Snowden world, in particular)." (http://0pointer.net/blog/revisiting-...x-systems.html)

    With this, we will no longer have Linux. We'll have a TiVo that only runs something mandated by the hardware seller, and that the user can't change. Right now, I can replace the firmware on my routers with DD-WRT, or Tomato, or whatever else. I can install plain Linux on a Chromebook. I can install Linux on a laptop. With this? Possibly the only Linux allowed will be Red Hat, and all ARM devices will become non-upgradeable/customisable appliances, to throw away every year as they become "obsolete".
    Am I the only one who is scared of this "tivoisation" by design? Apparently for the Lennart fans here, this is a "good thing"(tm).
    If manufacturers go this route, the counter is obvious: boycott their hardware, the same way I refuse to buy a smartphone because I distrust not only their software but also their firmware. Some will be hacked and jailbroken, some will get mod chips, but why bother so long as hardware that can be freely used exists, even if you have to buy it used. There are enough Linux users who don't like walled gardens to make a "RHEL-only" device a dud on the sales floor, and if they want to use Linux, moving any part of the kernel that they simply HAVE to use to GPL 3 would shut them down outright. Too bad relicensing the entire kernel under GPL3 would be such a quagmire...



  • Luke
    replied
    A trustable TPM is the main weak link in securing your own systems

    Originally posted by interested:
    Relax. For normal PCs and servers, this would mean another level of defence against getting the machines compromised by malware and hackers. The machine owner owns the signing keys too. This is fully blessed by Linus Torvalds himself.

    Regarding embedded devices: it has been possible for the last decade or so to lock down any embedded device so that Linux won't run on it. I believe many Android phones come with a bootloader lock already, so that only signed OSes can boot on the device. Such hardware could easily make it impossible to install Linux or other unsanctioned OSes on the hardware.
    These days many manufacturers don't bother, or make it possible to disable the bootloader lock, simply because it sells better that way, it appears.

    It won't change a thing in that regard that Linux will have better support for a cryptographically signed OS.

    Regarding upgrading such a cryptographically signed Linux, remember that system updates still work as usual, including OS upgrades.

    So nothing will really change from today; if the hardware manufacturer won't let you run another unsanctioned OS on their hardware, they can easily make it so (like the Xbox etc.).

    A cryptographically signed Linux OS, however, will be of tremendous benefit for all who care about privacy, surveillance, and security.
    I've actually thought of using this sort of system to allow verification of my own kernel and initramfs without having to boot them and compare after the fact to a stored hash, as a defense against boot time software keyloggers. The problem is almost all attackers I am concerned about are state-level attackers, so I have to assume they can bypass a TPM as trivially as the FBI is known to be able to bypass an ATA security lock on a hard drive. Thus I would need either a covert place to stash the signing keys or a TPM that could be trusted. I don't have the resources to manufacture a TPM myself. Naturally, the only key I would ever trust to verify images I have made myself is my own, as that's the only way I can guarantee that nobody else has the private key.

    The main disadvantage of pre-boot authentication is having to trust the TPM; the main advantage is not having to trash your passphrase and LUKS keys if an attack is detected. The main advantage of post-boot authentication is not having to trust any commercial cryptographic device; the main disadvantage is having to make a new passphrase and rekey everything if an attack is detected. Both can be defeated by a really skillful opponent even without backdoors, so they are but layers in a larger defense.

    BTW, to use a hash of the whole system partition (not just /boot) for a pre-boot check would be time consuming; it takes long enough to take a hash of a boot partition used for cryptsetup. When hash values rather than signatures are used, a file could be renamed, a new file run, and as the last step the new file removed and the original name restored. This won't change the timestamp in many cases, but will change the partition hash due to changed bits.

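
The scheme Luke and interested are arguing about above, owner-held signing keys over a kernel and initramfs versus a bare stored hash, as an added example that is not part of the original thread and is not code from systemd, the kernel or any firmware. It assumes two image names (`vmlinuz`, `initramfs.img`) with constructed contents, uses Ed25519 from Go's standard library in place of whatever signature scheme the firmware or a TPM-backed verifier would actually use, and models the on-disk boot set as an in-memory map; the type and function names (`BootImages`, `Manifest`, `OwnerKey`, `VerifySigned`, `VerifyStoredHash`) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// BootImages maps a file name under /boot to its contents. The names and
// contents used here are constructed stand-ins for a real kernel and initramfs.
type BootImages map[string][]byte

// SampleImages returns the constructed boot set used throughout the example.
func SampleImages() BootImages {
	return BootImages{
		"vmlinuz":       []byte("constructed kernel image bytes"),
		"initramfs.img": []byte("constructed initramfs bytes"),
	}
}

// CopyImages deep-copies a boot set so a tampered copy cannot alias the original.
func CopyImages(src BootImages) BootImages {
	dst := make(BootImages, len(src))
	for name, data := range src {
		dst[name] = append([]byte(nil), data...)
	}
	return dst
}

// Manifest produces a canonical listing "<sha256>  <name>\n" sorted by name.
// Names are covered along with hashes, so renaming an image or dropping an
// extra file into the set changes the manifest as surely as editing bytes.
func Manifest(imgs BootImages) []byte {
	names := make([]string, 0, len(imgs))
	for name := range imgs {
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		sum := sha256.Sum256(imgs[name])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	return []byte(b.String())
}

// OwnerKey is the machine owner's own Ed25519 key pair. Only the public half
// needs to be on the machine; the private half stays with the owner, so no
// vendor or distro can produce a signature this verifier will accept.
type OwnerKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewOwnerKey generates a fresh owner key pair.
func NewOwnerKey() (OwnerKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return OwnerKey{}, err
	}
	return OwnerKey{Pub: pub, priv: priv}, nil
}

// Sign signs the manifest of the images as the owner built them.
func (k OwnerKey) Sign(imgs BootImages) []byte {
	return ed25519.Sign(k.priv, Manifest(imgs))
}

// VerifySigned recomputes the manifest from what is on disk now and checks
// it against the owner's signature using only the public key.
func VerifySigned(pub ed25519.PublicKey, imgs BootImages, sig []byte) bool {
	return ed25519.Verify(pub, Manifest(imgs), sig)
}

// StoredHash is the weaker scheme: a bare hash of the manifest kept next to
// the images. Whoever can rewrite the images can rewrite this value too.
func StoredHash(imgs BootImages) []byte {
	sum := sha256.Sum256(Manifest(imgs))
	return sum[:]
}

// VerifyStoredHash compares the current manifest hash with a stored one.
func VerifyStoredHash(stored []byte, imgs BootImages) bool {
	return string(stored) == string(StoredHash(imgs))
}

func main() {
	key, err := NewOwnerKey()
	if err != nil {
		panic(err)
	}
	good := SampleImages()
	sig := key.Sign(good)
	fmt.Println("genuine set, owner signature:", VerifySigned(key.Pub, good, sig))
	// Attacker swaps in an initramfs with a keylogger and refreshes the stored hash.
	evil := CopyImages(good)
	evil["initramfs.img"] = []byte("initramfs with keylogger")
	fmt.Println("tampered set, attacker-refreshed stored hash:", VerifyStoredHash(StoredHash(evil), evil))
	fmt.Println("tampered set, owner signature:", VerifySigned(key.Pub, evil, sig))
	// Rename trick: keep the original under another name and run a new "vmlinuz".
	renamed := CopyImages(good)
	renamed["vmlinuz.orig"] = renamed["vmlinuz"]
	renamed["vmlinuz"] = []byte("attacker kernel")
	fmt.Println("renamed original plus new kernel, owner signature:", VerifySigned(key.Pub, renamed, sig))
}
```

Run it with `go run`. The stored-hash check passes on the tampered set because the attacker who wrote the new initramfs also wrote the new hash, which is the whole argument for a signature under a key only the owner holds. The rename case fails the signature check while the extra file is present, but once the new file is removed and the original name restored the manifest is byte-for-byte the same again: a file-level manifest cannot see residue in freed blocks, which is the gap Luke's whole-partition hash is meant to cover.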


  • interested
    replied
    Originally posted by jbernardo:
    I was more hoping for something from the "systemd cabal" (as they called themselves in that blog post) stating clearly that the machine owner will always have the keys, and will be able to sign, build and install his own packages. They are the ones pushing for this "all signed tamper proof" OS, so something more specific would be nice.
    They can't guarantee that, but it has nothing to do with their proposal; that is an effect of having a TPM framework in the hardware. If the hardware vendor only allows a certain signed OS to boot, then there is nothing one can do other than avoid buying the product. The present framework allows the end user to have the final say and hold the final "key" for locking the system, and this is what people want and the only really viable solution for the general PC/workstation/server market.

    So if the hardware allows the end user to hold the final key for locking the system down, then it allows for a very secure OS with everything regarding boot and base system being signed. As it is now, we experience all the downsides of having TPM frameworks, with hardware like the Xbox and PS4 being locked down, but don't benefit from the upsides that allow for a secure Linux OS installation.

    It would be commercial suicide for any general Linux distro to make a locked down OS that didn't allow for running third party unsigned software. Seriously, who would want that? The paying customers all tend to run such third party software, or use Linux to develop stuff, all of which would be impossible on such a locked down system.



  • interested
    replied
    Originally posted by jbernardo:
    If both of these statements (in particular the first) are true, then my fears are mitigated - for now. Do you have any verifiable source on this?
    I didn't specifically address the first question about always having the key:
    It is probably quite possible to use a TPM to lock down a Linux system so that only the device manufacturer can modify the OS (the end user doesn't own the keys). But this has been possible for a very long time, and Lennart's suggestion for re-organising the Linux OS layout doesn't change a bit about this.

    Linus' suggestion is to never buy such locked down hardware; vote with your feet, so to say.
    That strategy seems to work somewhat, in that enough people only buy smartphones that allow a CyanogenMod version to be installed, so many phone makers allow disabling the bootloader lock, even though it is trivial for them to lock down the system completely. Several router vendors also acknowledge third party firmware.

    Given the choice, Linus will never endorse or allow support for third party vendor hardware locks in the kernel.

    So for all end user devices that allow the installation of Linux, the owner will always own the keys for locking it down or not.



  • jbernardo
    replied
    I was more hoping for something from the "systemd cabal" (as they called themselves in that blog post) stating clearly that the machine owner will always have the keys, and will be able to sign, build and install his own packages. They are the ones pushing for this "all signed tamper proof" OS, so something more specific would be nice.



  • interested
    replied
    Originally posted by jbernardo:
    If both of these statements (in particular the first) are true, then my fears are mitigated - for now. Do you have any verifiable source on this?
    Here is an old mail from 2006 where he says "Because digital signatures and cryptography aren't just "bad DRM". They very much are "good security" too.":
    http://lkml.iu.edu//hypermail/linux/...02.0/0498.html

    Here are the release notes from an old 2.6.12 kernel, where a new feature is support for Trusted Computing (TPM):
    http://www.tech-forums.net/forums/f4...eleased-55423/

    You can find other statements like this about trusted computing etc. The point is that he thinks it is great for the device owner to have the signing keys so that the system can be locked down and be very secure. Of course he also thinks it is fine that Debian signs their own packages and that no one else gets that key. That is just good security.

    On the other hand, Linus is of course totally uncompromising against supporting hardware signed keys where the device owner doesn't own the keys too: (warning: Linus giving the finger photo and strong language)

    http://arstechnica.com/information-t...oat-microsoft/



  • jbernardo
    replied
    Originally posted by interested:
    The machine owner owns the signing keys too. This is fully blessed by Linus Torvalds himself.
    If both of these statements (in particular the first) are true, then my fears are mitigated - for now. Do you have any verifiable source on this?



  • interested
    replied
    Originally posted by jbernardo:
    As it was too late to edit my post, here is the rest of it:

    "We want our images to be trustable (i.e. signed). In fact we want a fully trustable OS, with images that can be verified by a full trust chain from the firmware (EFI SecureBoot!), through the boot loader, through the kernel, and initrd. Cryptographically secure verification of the code we execute is relevant on the desktop (like ChromeOS does), but also for apps, for embedded devices and even on servers (in a post-Snowden world, in particular)." (http://0pointer.net/blog/revisiting-...x-systems.html)

    With this, we will no longer have Linux. We'll have a TiVo that only runs something mandated by the hardware seller, and that the user can't change. Right now, I can replace the firmware on my routers with DD-WRT, or Tomato, or whatever else. I can install plain Linux on a Chromebook. I can install Linux on a laptop. With this? Possibly the only Linux allowed will be Red Hat, and all ARM devices will become non-upgradeable/customisable appliances, to throw away every year as they become "obsolete".
    Am I the only one who is scared of this "tivoisation" by design? Apparently for the Lennart fans here, this is a "good thing"(tm).
    Relax. For normal PCs and servers, this would mean another level of defence against getting the machines compromised by malware and hackers. The machine owner owns the signing keys too. This is fully blessed by Linus Torvalds himself.

    Regarding embedded devices: it has been possible for the last decade or so to lock down any embedded device so that Linux won't run on it. I believe many Android phones come with a bootloader lock already, so that only signed OSes can boot on the device. Such hardware could easily make it impossible to install Linux or other unsanctioned OSes on the hardware.
    These days many manufacturers don't bother, or make it possible to disable the bootloader lock, simply because it sells better that way, it appears.

    It won't change a thing in that regard that Linux will have better support for a cryptographically signed OS.

    Regarding upgrading such a cryptographically signed Linux, remember that system updates still work as usual, including OS upgrades.

    So nothing will really change from today; if the hardware manufacturer won't let you run another unsanctioned OS on their hardware, they can easily make it so (like the Xbox etc.).

    A cryptographically signed Linux OS, however, will be of tremendous benefit for all who care about privacy, surveillance, and security.

