A friend of mine posted a trolling rant about not using GNU/Linux because it rejects UEFI secure boot. This post is keeping me from sleeping. So, here I am to write down my own personal note. I hope I can get to sleep after this.
First of all, UEFI as a whole is great. My recent experience with EFI shows that it is the answer for a new standard in booting up systems. Currently we still have BIOS-style partitioning, or we could say, the Master Boot Record. MBR originally supports only four partitions. But the number of partitions can be extended by using a partition called an Extended Partition, which can hold other partitions inside it.
Nowadays hard disks have become cheap and MBR is becoming less interesting. It only supports 2 TB at most. Then, how about our SAS storage with hundreds of TB (almost peta)? Then came the GPT partition scheme, which became a part of the (U)EFI specification. The interesting thing about (U)EFI is that you must spare a FAT32 partition at the beginning of the disk containing the binaries (firmwares) that are needed to boot the system.
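The MBR layout described above, as an added example that is not part of the original post: a small parser for the four-slot partition table that recognizes extended partitions and the 0xEE protective entry that fronts a GPT disk, and shows where the 2 TB ceiling comes from. The function names and the two sample sectors are constructed for illustration, and 512-byte sectors are assumed.

```python
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
TYPES = {0x05: "extended", 0x0F: "extended", 0x0C: "FAT32",
         0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI System Partition"}

def parse_mbr(sector):
    """Return the used primary entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("bad length or missing 0x55AA boot signature")
    entries = []
    for slot in range(4):                       # the table has exactly four slots
        off = 446 + 16 * slot
        status, ptype, start, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype != 0:                          # type 0 marks an unused slot
            entries.append({"slot": slot, "bootable": status == 0x80,
                            "type": TYPES.get(ptype, hex(ptype)),
                            "start_lba": start, "sectors": count})
    return entries

def scheme(entries):
    """A 0xEE entry is the protective MBR that fronts a GPT disk."""
    return "gpt" if any(e["type"] == "GPT protective" for e in entries) else "mbr"

def max_mbr_bytes(sector_size=SECTOR):
    """Start LBA and sector count are 32-bit, which caps what MBR can address."""
    return 2**32 * sector_size

def build_mbr(parts):
    """Construct a sample sector from (type, start_lba, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY, 0, t, s, n) for t, s, n in parts)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed sample disks (not taken from any real machine).
LEGACY_DISK = build_mbr([(0x83, 2048, 1_000_000), (0x05, 1_002_048, 2_000_000)])
GPT_DISK = build_mbr([(0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, disk in (("legacy", LEGACY_DISK), ("gpt", GPT_DISK)):
        entries = parse_mbr(disk)
        print(name, scheme(entries), [(e["slot"], e["type"]) for e in entries])
    print("MBR limit:", max_mbr_bytes() / 2**40, "TiB")
```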
We used to use a bootloader that resides in a special part of the MBR. It might be GRUB, BURG, LILO, syslinux, etc. But with the advent of (U)EFI, all of that became unnecessary. MBR is no longer there. Luckily, GRUB 2 tries to emulate that by making its own EFI-compatible binary that bootstraps its GRUB system. This binary/firmware is copied into the special FAT32 partition, into the special EFI directory.
Because of that, in my experience with an XServe 3.1 machine, I could install a new OS on that machine without a “bless” or any third-party bootstrapping. All I needed to do was put my GRUB firmware there and it booted fine. Well, the hardware did have a long delay. I guess it tried to search all disks that could have an EFI partition.
Now, this isn’t even what I want to talk about. I just want to emphasize that UEFI as a whole is not a bad thing. Not until Microsoft suddenly proposed “secure boot” for it.
Selling Dead Donkey
I put that mark there because there isn’t any security in it, only a false sense of it. I might say it is like selling a dead donkey. It’s an old story about a man who sought to buy a dead donkey from a farmer. He then made tickets to sell to people, with that donkey as the prize. Long story short, the tickets were sold and there was a winner. The winner then complained about the dead donkey when he came for the prize. The man then apologized and refunded the winner’s ticket with compensation. More explanation on Google.
There is nothing secure about mandating a key put on commodity hardware. It will eventually leak, like DRM.
Consider this: all parts come from China. Btw, I’m talking about how easy it is to emulate parts when hardware nowadays uses generic spare parts. Not any other meaning. With some low-level programming on commodity hardware, one can extract the keys. Hackers love the challenge and crackers take advantage of their discoveries.
In the end you must make at least one of these two choices.
First, you could make a back door to update the keys. A back door in a public specification? I know I don’t need to explain why this would not work. Big companies may make secret ingredients that make the specification not U anymore.
Second, you would ditch a generation of hardware that comes with the compromised key. Can you do that to your enterprise customers? Meh, you might pretend and hide any CVE related to that. Or, is that already a part of business? ;-(
Making Admins Have More “Free Time”
Then comes the part where I have a problem with this secure boot: it takes extra time to configure a UEFI board, which is a burden in my field of work. I mean, which dude/miss sysadmin doesn’t create a customized system and deploy it on many machines in an advanced data center? We all have our own recipes.
I know what I do when a server arrives. I delete the original and customize the inside with my own OS and configuration. I install it with preconfigured services that I know and with only known ports open. Well, at least at initial launch we audited the ports. Hahaha… (just saying that so I would not feel like a snotty brat bragging)
How is it possible to do that with every system locked with keys? I have to disable secure boot one machine at a time. Well, if it were maintenance mode, I might have one or two machines. But what if it is a time when we refresh the whole system?
A friend told us that at his place, he lets the vendor manage everything. His organization bought a solution which came with support. A great story of how he can have a couple of hours of free support a week. Unfortunately, he is from the States and here I am in a third world country with… (I want to say it, but it’s not polite)
When people in the States protest about their rights, they know what they are saying. And their laws protect their interests. But when it comes to a third world country like mine, we can only sigh and hope to get something like a post from a blog or forum. Support is not a viable option here. Once you buy a product, you’re on your own.
Or, is there any hidden support?
A Problem With Third World Country
Like ST12, I bought Windows XP and installed it on a new empty laptop to tell how much it sucks (not really, compared to Vista). Later, I found out that my legal OS was “illegal”. At that time, I understood the word “OEM” to mean it would install on blank windows. Why was it sold in the first place? Or, is it a part of an offer I didn’t know about, where the seller was selling it to me instead of offering it to me as an upgrade option?
Imagine if secure boot were implemented on commodity hardware sold in our country like peanuts. People would not know what is happening. The hardware suddenly couldn’t install older operating systems and competing ones. Then they would complain. Realizing that, the seller at Mangga Dua would try to help by disabling secure boot, and we all live happily ever after. Well, not really: why should I pay more for a feature that I would not use and that hinders me? I feel like I would be helping secure boot flourish while not using it.
Many more would fall victim to it if Windows 8 still mandates that secure boot is active and cannot be disabled. Meaning, every future commodity hardware would have secure boot on by default.
We can’t be like our friends in Europe, who can push away monopolies and have an option. We can’t be like our friends in the States, where they can poke Customer Support easily. In those countries people choose FOSS because they prefer it and personally know the value of it. We can only take anything that is thrown at us.
This isn’t fair and is against humanity. Our digital divide would grow increasingly wide.
In my country, people still use GNU/Linux because it is gratis software, not as a creative tool for customizing solutions. We aren’t at that stage yet but we are trying to get there. And this is why secure boot would add another barrier to our growth.
Some folks said that many GNU/Linux vendors could put their keys on the hardware as a part of UEFI. Some big vendors like Red Hat, Novell, Canonical, etc. could easily defend their products. But what about Blankon? Who would sponsor Blankon to put its keys into the UEFI board once it is on commodity hardware?
Again, it would be a new obstacle for the FOSS community in my country to tackle. We might get through it. With casualties and so on. And then a big company adds an extra layer to the current secure boot (and calls it “enhanced”). Then we would be limited to only a few pieces of hardware.
Can we protest it? Can we have support to guide the converts? In my country support is bromance. None exists. Even if there is one, it would be non-official. Of course, there is a viable pirated version of the OS.
This really saddens me. I can buy original software; in fact, I have MSDN AA privileges. But not that many people have the same opportunity. I thought FOSS could provide a competing solution that is viable for people. People would not be forced to break the law anymore, at least not in my field (IT). That’s why I chose to use FOSS in the first place.
All In All
This is turning into a soap drama. But sadly, that’s the reason why secure boot is evil. Not only does it give a false sense of security, it also poses a social problem for third world countries, at least my country.
I know that secure boot isn’t enforced, but this is my note for you who think that secure boot is OK. It isn’t.