Will your computer's "Secure Boot" turn out to be "Restricted Boot"?

by Joshua Gay. Published on Oct 12, 2011 06:20 PM


To respect user freedom and truly protect user security, computer makers must either provide users a way of disabling boot restrictions, or provide a sure-fire way that allows the computer user to install a free software operating system of her choice.

Microsoft has announced that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they will have to implement a measure called "Secure Boot." However, it is currently up for grabs whether this technology will live up to its name, or will instead earn the name Restricted Boot.

Please sign our statement to show your support!

When done correctly, "Secure Boot" is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting. In practice, this means that computers implementing it won't boot unauthorized operating systems -- including initially authorized systems that have been modified without being re-approved.

This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows. In this case, a better name for the technology might be Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all.

The potential Restricted Boot requirement comes as part of a specification called the Unified Extensible Firmware Interface (UEFI), which defines an interface between computer hardware and the software it runs. It is software that allows your computer to boot, and it is intended to replace the traditional BIOS. Most Lenovo, HP, and Dell computers ship with UEFI, and other manufacturers are not far behind. All Apple computers ship with EFI and components from UEFI. When booting, this software starts a chain which, using a public key cryptography-based authentication protocol, can check your operating system's kernel and other components to make sure they have not been modified in unauthorized ways. If the components fail the check, then the computer won't boot.

The threat lies not in the UEFI specification itself, but in how computer manufacturers choose to implement the boot restrictions. Depending on a manufacturer's implementation, they could lock users out of their own computers, preventing them from ever booting into or installing a free software operating system.

It is essential that manufacturers get their implementation of UEFI right. To respect user freedom and truly protect user security, they must either provide users a way of disabling the boot restrictions, or provide a sure-fire way that allows the computer user to install a free software operating system of her choice. Computer users must not be required to seek external authorization to exercise their freedoms. Further, he or she must be able to replace the bootloader and firmware altogether. The coreboot project is an example of a free software alternative to proprietary BIOS and bootloaders.
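Whether a given machine is enforcing boot restrictions, and whether its owner can still enroll keys, is visible to the operating system through two standard UEFI variables. As an added example (not part of the original page), this Python script reads `SecureBoot` and `SetupMode` on a Linux system and reports the resulting state; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the function names are illustrative.

```python
import struct
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global-variable GUID
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point
# Constructed sample: 4-byte attribute word (0x06) followed by the value 1.
SAMPLE_ENABLED = b"\x06\x00\x00\x00\x01"


def flag(raw: bytes) -> int:
    """Decode a one-byte boolean variable (SecureBoot, SetupMode) from efivarfs."""
    if len(raw) < 4:
        raise ValueError("entry shorter than its 4-byte attribute header")
    (_attrs,) = struct.unpack_from("<I", raw)  # little-endian attribute bits
    data = raw[4:]
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected payload: {data!r}")
    return data[0]


def classify(secure_boot: int, setup_mode: int) -> str:
    """Map the two flags to what they mean for the machine's owner."""
    if setup_mode and not secure_boot:
        return "setup mode: no Platform Key enrolled, owner can install keys"
    if secure_boot and not setup_mode:
        return "enforcing: only images authorized by enrolled keys will boot"
    if not secure_boot and not setup_mode:
        return "keys enrolled, enforcement disabled"
    return "inconsistent: SecureBoot set while in setup mode"


def read_state(root: Path = EFIVARS) -> str:
    """Read both variables under root and classify them."""
    try:
        sb = flag((root / f"SecureBoot-{EFI_GLOBAL}").read_bytes())
        sm = flag((root / f"SetupMode-{EFI_GLOBAL}").read_bytes())
    except FileNotFoundError:
        return "no UEFI variables: legacy BIOS boot or efivarfs not mounted"
    return classify(sb, sm)


if __name__ == "__main__":
    print("sample:", classify(flag(SAMPLE_ENABLED), 0))
    print("this machine:", read_state())
```

The script only reports the current state; whether enforcement can be switched off or the owner's own keys enrolled is decided in the firmware setup screens the manufacturer provides.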

The alternative is frightening and unacceptable: users would have to go through complicated and risky measures to circumvent the restrictions; the popular trend of reviving old hardware with GNU/Linux would come to an end, causing more hardware to be tossed in landfills; and proprietary operating system companies would gain a giant advantage over the free software movement, because of their connections with manufacturers.

We will be monitoring developments in this area closely, and actively campaigning to make sure this important freedom is protected. Our first step is to demonstrate that people value this freedom, and will not purchase or recommend computers that attempt to restrict it.

You can also stay up-to-date on this issue by:

Learn more about Windows 8, UEFI, and boot restrictions

Resources

News and Blogs

  • UEFI secure booting, by Matthew Garrett; in addition to providing a brief overview of Restricted Boot, this article explains specifically why dual-booting an operating system may be difficult, or at times virtually impossible, for systems implementing and using Restricted Boot.
  • Trusted Computing 2.0, by Ross Anderson of the Security Research, Computer Laboratory, University of Cambridge.
  • Protecting the pre-OS environment with UEFI, by Tony Mangefeste of Microsoft; a response to Garrett, et al.
  • UEFI secure booting (part 2), by Matthew Garrett; a follow-up to Microsoft's blog post.
  • Ars Technica article
  • Supporting UEFI secure boot on GNU/Linux: the details, by Matthew Garrett
  • On November 2, 2011, ZDNet blogger Ed Bott reports:
    • A Dell spokesperson stated that, “Dell has plans to make SecureBoot an enable/disable option in BIOS setup.”
    • HP has only stated that, “HP will continue to offer its customers a choice of operating systems. We are working with industry partners to evaluate the options that will best serve our customers.”
