The worst part is that the masses are going to think these anti-user measures are helping them, "because security". They'll see only the "prevents hackers" part being advertised and agree wholeheartedly, or even if they realise that it means they won't be able to choose the firmware they run, they'll shrug it off as "I'm basically never going to do that, so why should it matter to me?" The majority have spoken for security over freedom, and led us down this path, where eventually almost no one will own the computers they use, or be allowed to do anything with them (including write software) except as permitted by the organisations that control them.
This is really, really scary. It's quite reminiscent of the dystopia in Stallman's "The Right to Read":
https://www.gnu.org/philosophy/right-to-read.html
It won't be easy to turn the situation around, but if anything I believe it will have to start with education - to reverse the brainwashing that companies and governments have propagated, and show people the power they can have when they control their computing devices. It is particularly hard when the majority are barely computer-literate, and there is vested interest in keeping them that way.
I don't think the situation has gotten to the point where it's necessary to stockpile older and freer computers, but that could be an option in the future. However, I'm certainly not going to be replacing my Thinkpad X60 with anything else for as long as possible.
I think this famous quote really needs to be made more aware of among those preparing to fight against the war on general-purpose computing: "Those who give up freedom for security deserve neither."
Boot Guard, evidently, doesn't require building a walled garden, either, according to this article. You can use it to securely attest to the signature on the firmware, and seal your hard drive's encryption key to that attestation. That way an unauthorized modification to the firmware won't result in your private data being stolen, but the computer remains usable with an intentional modification to the firmware, whether it's Coreboot or a manual binary patch or whatever.
Freedom and security shouldn't be a tradeoff. Security includes making sure authorized use of the system is permitted. Freedom involves making sure that my computer isn't acting against my interests. We need to stop portraying this as a tradeoff, and we should make it clear that we'll accept (and maybe even demand) security when it is done in the service of computing freedom.
(x86) Secure Boot was a big step forward here for both freedom and security: it lets me make sure that only an OS I choose runs on my machine, and that no nonfree OS, not even the one that came with the computer, will boot up unless I want it to. It also (obviously) played well into the security demands of the wider market. We should be demanding more things like Secure Boot, alongside fewer things like Boot Guard.
[1] https://www.gnu.org/philosophy/can-you-trust.html
[2] I don't mean fair use in a strictly legal sense, because I live in the US where the DMCA forbids breaking DRM even for what would otherwise be fair use under copyright law; but I think it should be fairly uncontroversial that doing so is moral.
That is true for very competent end users, but near impossible for the general masses.
We have come so far as to be able to install big Linux distributions like Fedora and Ubuntu without any hassle on Secure Boot systems. That only works though, because their bootloader, kernel and kernel modules were blessed (i.e. signed) by the distributor. Building your own kernel still requires you to disable Secure Boot (or far more difficult, add your own key to Secure Boot and sign everything yourself). Heck, even ZFS, which is otherwise as easy to install as adding a third party repository, is incompatible with secure boot, as it loads a custom kernel module.
Now, to visualize the real-world difficulty of disabling Secure Boot, imagine guiding your spouse or friend through this process over the phone: reboot the system a few times until they find the text telling which key press during boot enters EFI setup, or guess correctly for their hardware manufacturer; let them read aloud what they see, possibly in a language they don't speak well if the interface is not localized; navigate them through the menus; find out how to change the Secure Boot setting (one should think switching binary settings and moving stuff up and down in a list would be a solved UI problem nowadays… speaking from experience with my HP ProBook UEFI interface, it is not, though); (if you are particularly unlucky) explain which keys of their keyboard layout map to the needed US keyboard layout; exit and save the settings.
All in all I think for the average user (who doesn't even know what firmware is), signed images are a good thing.
How would Lenovo react if Broadwell devices began receiving many service calls under warranty? Presumably the lock could be changed by a motherboard replacement.
Related article, http://www.pcworld.com/article/2883903/how-intel-and-pc-make..., ".. New Thinkpads can't be used anymore for coreboot. Especially the U and Y Intel CPU series. They come with Intel Boot Guard and you won't be able to boot anything which is unsigned and not approved by the OEM. This means the OEM are fusing SHA256 public key hashes into the southbridge.
... to their credit, Intel does allow PC manufacturers to configure the hardware in a different way. The real way to get that open hardware seems to be to build it from scratch and make the right decisions along the way, as Purism is trying to do. If you want this sort of open hardware, be prepared to vote with your wallet."
http://blogs.coreboot.org/blog/2015/02/23/the-truth-about-pu...
Which is much less than they market it, but that's part of the issue some people in the coreboot community have with Purism. They present it as some groundbreaking success (while it's nothing but clicking a different checkbox in a tool), and I really doubt it's the "first [laptop] to ship" that way. Chromebooks come to mind.
Boot Guard is a hardware-level protection that cannot be removed or disabled.
Of course the latter is (theoretically) non-malicious, but something of that permanence disturbs me far more than some easily-removed malware. The fact that it is used to ensure that the OS and everything above it is in an "assured state" means that it could also be used to prevent users from uninstalling "approved" software like Superfish.
Unfortunately, Intel stripped this freedom from CPU owners by allowing OEMs to lock down the boot process in a manner that cannot be bypassed. Soon Coreboot will be all but dead for machines with Intel processors -- other than Chromebooks, which ship with Coreboot. Owners will have to accept the BIOS that vendors give us.
The UEFI legacy boot option also seems to be on its way out, so I expect there will be fewer OS choices in our future too.
http://www.pcworld.com/article/2883903/how-intel-and-pc-make..., "There’s also a second option: “Measured Boot” mode, where the hardware securely stores information about the boot process in a trusted platform module (TPM) or Intel Platform Trust Technology (PTT). The operating system could then examine this information, and—if there was a problem—present an error to the user.
More on DRTM & SRTM: http://theinvisiblethings.blogspot.com/2011/09/anti-evil-mai...
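To make the "measured boot" idea from the PCWorld quote above, and the earlier comment about sealing the disk encryption key to a firmware measurement, concrete: the following is an added example, written for this thread and not taken from any linked article, Coreboot, or a TPM vendor. It models only the access-control half of TPM sealing (a PCR extend chain and a policy check that releases the secret solely when the PCR matches); the firmware byte strings, the `ToyTPM` class and the disk key are constructed stand-ins, and a real TPM additionally encrypts the sealed blob under a hardware-bound key, which is not modelled here.

```python
import hashlib
import hmac

# Constructed sample "firmware images" standing in for what the boot ROM
# measures. Real measurements are hashes of the actual flash regions.
VENDOR_FIRMWARE = b"vendor-uefi-firmware-v1"
COREBOOT_FIRMWARE = b"coreboot-build-2015-02"
TAMPERED_FIRMWARE = b"vendor-uefi-firmware-v1-with-implant"
BOOTLOADER = b"grub-signed"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: PCR' = SHA256(PCR || SHA256(measurement)).
    The chaining makes the final value depend on every stage and its order."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Replay a boot chain into one PCR, starting from the reset value (all zeros)."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Hypothetical stand-in for a TPM's sealed-object store. The secret is
    released only when the PCR presented at unseal time equals the policy
    recorded at seal time. Encryption of the blob is deliberately omitted."""

    def __init__(self):
        self._objects = {}

    def seal(self, name: str, secret: bytes, policy_pcr: bytes) -> None:
        self._objects[name] = (policy_pcr, secret)

    def unseal(self, name: str, current_pcr: bytes) -> bytes:
        policy_pcr, secret = self._objects[name]
        if not hmac.compare_digest(policy_pcr, current_pcr):
            raise PermissionError("PCR policy mismatch: boot chain was modified")
        return secret


def release_key(tpm: ToyTPM, chain):
    """Boot the given chain and ask the TPM for the sealed disk key; None if refused."""
    try:
        return tpm.unseal("disk", measured_boot(chain))
    except PermissionError:
        return None


def simulate() -> dict:
    """Walk through the scenarios discussed in the thread and report which boots
    get the disk key. Every value in the returned dict should be True."""
    tpm = ToyTPM()
    disk_key = b"\x11" * 32  # constructed stand-in for a LUKS master key
    tpm.seal("disk", disk_key, measured_boot([VENDOR_FIRMWARE, BOOTLOADER]))
    out = {
        # Unmodified vendor firmware: key released.
        "vendor_boot": release_key(tpm, [VENDOR_FIRMWARE, BOOTLOADER]) == disk_key,
        # Firmware implant: PCR differs, key withheld, data stays encrypted.
        "tampered_boot": release_key(tpm, [TAMPERED_FIRMWARE, BOOTLOADER]) is None,
        # Coreboot flashed without re-sealing: also refused (no distinction
        # between "evil" and "intentional" at this layer).
        "coreboot_before_reseal": release_key(tpm, [COREBOOT_FIRMWARE, BOOTLOADER]) is None,
    }
    # The owner, still holding the key from an authorized session, re-seals to
    # the measurement they expect after deliberately flashing coreboot.
    tpm.seal("disk", disk_key, measured_boot([COREBOOT_FIRMWARE, BOOTLOADER]))
    out["coreboot_after_reseal"] = release_key(tpm, [COREBOOT_FIRMWARE, BOOTLOADER]) == disk_key
    # And the old vendor image is now the "unauthorized" one.
    out["vendor_after_reseal"] = release_key(tpm, [VENDOR_FIRMWARE, BOOTLOADER]) is None
    return out


if __name__ == "__main__":
    for scenario, ok in simulate().items():
        print(f"{scenario:24s} {'as expected' if ok else 'UNEXPECTED'}")
```

The point the simulation makes is the one the earlier comment makes in prose: sealing to a measurement does not decide who is allowed to change the firmware, it only ensures that a change the owner did not plan for leaves the disk key locked. The owner keeps the machine usable by re-sealing under the new measurement (or by keeping a recovery passphrase, which the model omits), whereas Boot Guard's verified-boot mode refuses to run the unsigned image at all.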
And there won't be much opposition from Linux, given that all major (and most minor) distros now ship Secure Boot enabled.
The Linux community should stop fiddling with locked-down boot systems. They actually should boycott locked-down systems and only support hardware vendors who officially support Linux. Many of them are presented at LinuxGizmos. I believe that such hardware vendors are much more open to the demands of the open source community than vendors who produce locked-down systems.
These are four different technologies. Some of them help your freedom. Some of them hurt it. Some of them have nothing to do with your freedom at all. It doesn't really do anyone any favors to lump them all in the same category; it certainly doesn't make hardware vendors inclined to think you're making cogent arguments.
I run Linux on my Thinkpad, with UEFI-only enabled, secure boot disabled, and UEFI will boot my kernel directly using EFISTUB - no more screwing around with bootloaders. It's awesome!
There are even ways to use Secure Boot with various distros [1]. Sure it's a pain, but it can be done. Having and using the tech is a different issue from vendors hindering what you can do with your hardware.
[1] http://www.rodsbooks.com/efi-bootloaders/secureboot.html
Scary times indeed.
>This means the OEM are fusing SHA256 public key hashes into the southbridge.
SHA256 public keys, scary indeed.
"Secure Boot" isn't there to secure the boot against rootkits, but to secure it from "unauthorized" or "unsupported" installs of your favorite operating system. In this case, I cannot install Windows 7 on my brand new laptop.
I still remember the SIM card lock from carriers years ago, so if I am the vigilant one, I am going to ask users to pay upfront to unlock the "Secure Lock" so that they can install another operating system.