Secure boot, DRM and current hardware. Was: A lightweight laptop with SSD and good GNU/linx support?

Fri Jan 18 17:35:54 UTC 2013

On Fri 18/01/13 16:24 , Sam Liddicott <sam at liddicott.com> wrote:

> Without intended to promote dissent, 

Alas ! the law of unintended consequences... 

> I like UEFI with secure boot when I
> can upload the signing keys and there is a physical switch on such key
> storage.

I don't. The current stage is still early. In the future we'll be denied access to content, 
networks and services (publics services, banking services, whatever) when 
the devices we try to connect to are unable to proof that we run the software they (not us)
trust. I think it's called Remote Attestation. The only way out is not buying our own shackles 
and ensuring DRM enabling hardware fails in the market (I'm not saying the only way out is likely). 
I'm not sure I'll stick to my own advice forever, but at least I'll try to hold for as long as I can 
and if I ever buy shackles just buy the cheapest or something . 

It's difficult to buy computers nowadays, because all implement DRM provisions in one way 
or other. Modern intel processors check signatures on propietary initialization code before they even 
configure RAM. Is that a computer ? AMD at least contributes to coreboot and documents processors, but 
they do implement the basic remote management infraestructure, and tie their CPUs to GPUs
or APUs with propietary AtomBIOS, possibly to keep secrecy on DRM measures. ARM is 
deploying Trust Zone (or True Zone, forgot the name) functionality of similar kind. 

Closed hardware nowadays is not something I recognize as a computer any more, a general 
purpose mathematical machine. 

Open hardware is ok, but still not fit for some purposes and not easy to buy. 

> That way I can secure my own machine and retain my own freedom. 
> I acknowledge that UEFI + secure boot generally refers to something more
> restrictive
> 

I'm no security expert, but I don't think it buys much security either. How do you 
know your signed software is safe ? If enough of your software is really safe, then it wouldn't have let anyone 
modify itself or bootloaders even without secure boot. If some of it isn't then it may be compromised and 
maybe coerced into breaking security even with secure boot. Our current functionality 
is too complex to have simple enough software to be completely validated. Signature checks are
just a way to shove security worries under the carpet. Secure boot with user controlled 
trust and maybe microkernels with small trusted baselines may bring some 
measure of security but that's just theory. In practice you don't audit all your 
software, and even with the huge help of a free software community you can't
be all that sure that software is safe. You'll always be as safe as the society you 
live with accepts because you can't write all the code you run, you can't even read it all, 
and your society will move your requirements fast enough for a minority of secure minded
auditors to be outpaced. And in exchage for that you're throwing a 
computer away and replacing it with a special purpose machine running a 
finite set of trusted software. Bad bargain I say. 

For more information look at the coreboot mailing list archives. It's been discussed a little. 
Btw, one of the coreboot developers recomended chromebooks (and another laptop I think 
too heavy) because (some?) come
with coreboot, which is free firmware (may require blobs depending on the hardware), and 
locks can be disabled by the user. I insist that I don't like todays hardware in general, 
but thought it might be worth noting since discussion is a little centered on the operating
system and drivers, and even laptops sold without OS (when you can find one), or with FreeDOS 
or fully free OSes (is there any?) have closed hardware and 
propietary firmware. So since we have to either refrain from buying or make freedom tradeoffs,
it is not so unwise to pick free firmware if available and replace propietary OS or applications
that may ship with it.  

http://www.mail-archive.com/coreboot@coreboot.org/msg38732.html

http://www.coreboot.org/pipermail/coreboot/2012-April/069598.html

Maybe the best advice is not buying anything, otherwise wait for Rhombus-tech (but there's 
secrecy in ARM chips too, it's more to try to help a path to more open hardware that in the 
future may bring more worthwhile stuff). Otherwise either AMD or ARM or if you go for intel,
a chromebook to get free firmware (with blobs). I don't know. 

Btw, be sure to understand everything if you ever try to install coreboot (or any firmware) 
yourself in your device (more so in a laptop). 
If you don't have proper knowledge and equipment you may render it unbootable (brick it).