SecureBoot (restrictedboot), and the paradox of the biggest shit by Microsoft

#1

SecureBoot was meant to be a feature to avoid malware and insecurities to run in a computer, but leaving this nonsense stupidly-made concept for the end, let's first see what is happening:

- Please, don't :exploding_head: until the end, the explosion will be bigger

First important point:

Most people have choose open-source software (gnu, linux, bsd, etc) because its open source, this means that they are allowed to modify the source code and change it for their needs, it allows them HAVE FREEDOM.

So let's say I want to recompile the default kernel provided by debian, this is easy:

$ apt-get source linux

  • then you append a patch, change settings, whatever...
  • then you recompile the package, perfect! you have a package of the kernel ready and working, just in the same way is built on debian, and that's the idea by having apt sources after all

But then, your package is named -unsigned, its ok, you can install it and having your extra modules added and working, but since it is not signed, you cannot use it with secureboot-(limited) computers

No problem, you do the same for the signed package:

apt-get source linux-signed-amd64

This one is meant to contain the signatures (.sig files) that proofs the integrity (so, not modified) of the compiled modules and kernel, so, if every .sig file matches the compiled binary module in its checksum, and builds a kernel package without the "unsigned" name-extension

This means, this new signed package can boot in a secureboot system, but if you compile an extra module that is not signed, you cannot load it (example: you cannot use the virtualbox or nvidia module if is not signed, nor reiser4 or aufs modules too)

Simple to understand, right? secureboot only allows your machine to boot from a trusted source

More specifically, it only allows to boot from what "someone with authority" decided to confirm (by signing) that is this executable is trustable :thinking: does this makes sense? well, a bit

Now, who is "that authority"? Originally only microsoft (only we own the keyyys!!), and if you wanted to be able to sign anything, you must pay to microsoft a good amount for that. Actually seems like there's more keys and linux developers and debian developers can sign the executables too, not bad...

But wait, let's come back at the original problem: we have "apt-get source" the linux-signed-amd64 package, in order to do the same thing (modify it to your needs), and what we have inside? a lot of .sig files that references to the exact checksum of the compiled kernel modules. Where is the .sig files for the new extra modules that you included in your modified kernel? there's not... we should add it then... ?

Wait! there's no code! these are unmodifiable binary files! (did i already said "apt-get SOURCE"?). You can generate a new one for your module but not! you don't own the keys! wtf i feel confused! :exploding_head: :confusing:

Let me say again: you download it as "apt-get source package" to modify the source code to satisfy your needs, that what all this opensource freedom is about, and you can't!

Have we lose our FREEDOM !?

Have we lose our FREEDOM !?

Have we lose our FREEDOM !?

:thinking: :astonished:

Now, let's think one moment, this is what this supadupa-in-drugs-invention-by-microsoft concept has about "security"?

So:

  • computer turns ON
  • bootloader needs to be signed in order to run
  • kernel loaded by bootloader needs to be signed in order to run
  • you cannot load "untrusted" modules of kernel if they are not signed, your computer is limited, LIMITED

This remembers me, one time in the history where WindowsXP extort manufacturers requesting a fee in order to include their hardware drivers to be accepted in windows, otherwise you had a message saying "this driver is not trustable, do not use it! it's dangerous!", what a fuckers...

But then what? your system has booted, and you are using it, even if you are a simple user (with root access) or an admin of datacenters, you can INSTALL any software in the computer, this software runs as ADMIN (root), for example just adding it as a daemon in the boot process, and since has full privileges, it can do anything in your computer, so you are fsck'ed :nanana: no security cookies for you today

Ok let's imagine, in a supposed future, you cannot install any application (or run it) in the system level if is not signed (trusted), so again: you are not allowed to run the software you wish to have, your computer is limited, LIMITED

But you can still install software from user, right? you can download a .tar.gz source and compile it yourself, install it in your home, and run it, right? so where is this FUCKING security? -that- code can do anything with your user-data, destroy, corrupt, steal your passwords, etc, so where is the security, mr. stinky microshit? :poop: the security is on the system layer? we don't care about the system layer! it is just an OS that can be reinstalled in minutes, there's no important data on it (but we want it to work in a secure and trusted way, that's true), so again, where is the security?...

Oh, are we supposing an ideal future where EVERY exectuable cannot run if is not signed? even in the user-level layer? well, on such case, sounds secure, but then you are allowed to do almost nothing, only use the software provided by the OS

Then you cannot even create a bash script? they should be signed in order to run your code?

Then your shells will not work anymore because you cannot run things that are not signed?

:exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head::exploding_head:

Is this the end of the software world? not yet...

The end of the world:

So we are living now in a world where you can only run software provided by the OS and you cannot open a terminal, nor write any script, you are happily living in a 1984 world, what's next? :slight_smile:

One day the master keys is believed to be insecure

Microshit has the master keys of the control of all the computers of the world

One day, the master key doesn't allow other OS's to be signed anymore, and then only windows is allowed to boot

All 100% of the computers runs windows now

The secureboot virus has been procreated everywhere so much that you cannot buy a computer without the hardware / bios strict secureboot limitation (becase we accepted today to use it!)

Your ass looks like a black hole now

I will let your imagination fly...


Let me say it clear: I would like to make elive to run on computers that requires secureboot to be able to use elive, but i don't want to support this macroscopical-catastrophical shit, which I think it is very dangerous the day of tomorrow. I think that the entire free-software/opensource community should simply boicot secureshit by not supporting it (not against security but against shit), and claiming the users to return their limited computers to the sellers since they are broken by design, this megalomaniac idea should be not be accepted, it should be illegal!

:hot:


"This isn't security, it's user harassment" - @triantares


Some interesting links:

https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web

Linux's worst-case scenario: Windows 10 makes Secure Boot mandatory, locks out other operating systems - ExtremeTech

2 Likes
SecureBoot / UEFI
#2

Lovely rant. :mwahaha:

I agree there's some very dangerous aspects there fo the future.

#3

What The Fuck ......

SERIOUSLY?

#4

They're already doing it on their arm architecture devices. :face_vomiting:

#5

"their" ? :smiling_imp:

Im just having :nauseated_face: reading other linux OSes of their details about how to enable secure boot in their OS... with things like "our grub signed by microsoft" :nauseated_face: and similar things everywhere, it's like... :woman_facepalming:

#6

Also on Nokia, btw.
That's why I never bought a Nokia again,
although this devices are good - but...

#7

So all in all:
The enemy is identified.
(Btw: Apple is not any better nowadays)
Therefore we are all here now,
but are we safe and sound yet ???

#8

Already reality on several Notebooks.
Ya, true.

#9

So, this means, and in addition to the fact, that there are chips on the millenium build mainboards which to likes "to call home" (MS, NSA) -
that ALL data can be known by unknown and unwanted whoever sucking organisations.

Gooood. Fine.

How will we do now...

Again, let's put it together:
The keys for disk encription belongs to MS.
For Mac hardware they probably belongs to Apple.
Then we have mainboards which likes to share all and everything of the users content with the NSA and their buddies.
And I don't want to start with mobile devices yet.

Ahm.....

#10

("We are heading into a total Disaster" Richard Stallman)

#11

That is one of the reasons (among many others) that I'm keen on saving old hardware and having a proper OS like Elive running on it.
The older stuff didn't have spyware built in (yet) .... it was still too easy to mess with the software in those days. I mean 99% of the world ran Win95 up to XP, they were open doors and windows practically (and sometimes no roof :nanana:)
Apple will proliferate itself as the champion of user privacy in the near future, I suspect as it' s aura of "superduper snazzy" hardware is wearing off since Jobs' demise.

Alas, I fear that after getting the hardware under control, the powers that be will come after the DIY free software users and makers too.
All the more reason for everyone to get a FSF membership so it can not be easily ignored. Sometimes Stallman goes over the top IMO but quite often it is needed to take strong stance to even get a message across.

1 Like
#12

I do like Secure Boot.
A few years back, we've just migrated 600 Desktops from Win XP to Win7. These days TPM was well known as bad, but Secure Boot was some kind of new. So we've struggled with it and asked our vendor how to disable it.
Instead of hand out the manual with the needed information, he offered us a consulting. yawn, another lost day with marketing blah blah ...
But I was wrong! The Consultant was very good and knows his product. So he solved all our issues.

The systems has to run as 'Administrator', because some measurement equipment needs direct access to the serial port (or any emulation of the same). So every user (on 600 Desktops!) could bring a virus, that is getting permanent with changing the boot loader. And now we've got a tool against that.

The only system red in monitoring was mine ... Because I had to disable Secure Boot to get Linux (dualboot) on my laptop.

The issue here is not 'Secure Boot'. The issue is to find out how to disable it with non-administrator-knowledge (and on some systems even as admin). I even understand why it is activated as default ... But on Home Computers? With nobody takes care about the maintenance?

#13

:disappointed_relieved::cry::disappointed:

#14

not for encryption, for decide "what can run" and "what cannot run" in your computer

no, if you buyed it it belongs to you, you must own your hardware, not another entity

the "beautifuly-words marketing-spelled words" sounds good... but the implementation is bad, instead of making your computer "secure" it makes your computer "limited" and with an external entity who decides what you can run or cannot run in your computer

note: Elive has since the first versions already a system that verify's the authenticity of the system, but uses a much different approach!:

  • when you download the elive isos, you have also the .sig files to verify that they are not modified (signed by elive)
  • when you install, the installer first checks the integrity of the full system to verify that nothing has been modified from it, this is also good to verify that the download was not corrupted (stop/cut download)
  • so this security included in elive since the first versions is a mesure to verify authenticity of the product... NOT a limitation:
  • after your system is installed, the entire system is yours, up to you what you do on it (and fully responsible of that), you have not any restriction / limitation / verification

THAT, is a much different approach of security, instead, secure boot simply doesn't allows you to modify the system as your own (or install another OS, or make your own OS, or compile your own kernel, or using a different bootloader, etc...)

In short terms, secureboot makes your computer limited, not allowing you to run whateveryouwant on it (microsoft monopol slaping again)

2 Likes
#15

ya, but the reality is : You don't !
(at least for the average users, they are victims of Apples commercial strategy;
90% of the users data, especially imgaes, ends on Apples servers. Of course for a monthly feee...)

#16

then you should not pay for it :slight_smile:

#17

easy said.
and what about the "NSA chipsets" - how you avoid them - not pay? :nod::face_vomiting::-1:

1 Like
#18

lol

2 Likes
#19

.... exatly!

Seriously:
You buy a computer. Anyone.
You give your money over - you get the computer for it, ok.
Computer means the whole stuff inside included, ya.
But after removing MickyMouse ah Microsoft from it, you have to realize
that you can not install what you want.
This is where we already are today - I give a shit for it to who the keys belongs to,
MS or Bugs Bunny, I don't care.
I want to do boot, use and install what I want, not what these bloody mf's want me to do.

BTW there is still an alternative way like Tuxedo among some others does ( ! I hope ! )

mhmmpfffff :face_vomiting: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

1 Like
#20

Exactly, that's the point