New computers sold in the coming months—along with the release of Windows 8—will include a new kind of firmware replacing the old PC BIOSes called UEFI (http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface).
One of the things in the UEFI specification is a feature called "SecureBoot" which makes it so that the system will only boot operating systems which have been cryptographically signed with a certificate which is traceable to a root certificate installed in the firmware. This enables the kind of lockdown we've seen on phones and tablets on a broader spectrum of devices. The UEFI specification itself does not require that there be any mechanism to disable this functionality. The original requirements for the Windows 8 "logo" certification program required manufacturers to install a Microsoft-controlled key and to not permit the user to disable SecureBoot. Some diligent engineers at Red Hat found out about this and through some mixture of negotiation, threats, and negative PR they were able to convince Microsoft to replace the requirement with one to require an option to disable it, but only on x86. (ARM-based systems will still need to have no way to disable the lockdown in order to receive Windows 8 certification.) Another concession they got was that Microsoft would sign other operating systems (via a partnership with Verisign/Symantec) for a $99 fee, with a key accepted under the Microsoft root. Whether manufacturers will comply with Microsoft's requirement to allow it to be disabled on desktops remains to be seen—it doesn't seem likely that Microsoft would be eager to enforce the requirement, since they previously required its opposite. Since as we know here, little usability speedbumps can be a big barrier to access to technology, the (hopefully existing) ability to disable SecureBoot isn't enough for the major Linux distributors: Fedora will be submitting a bootloader to Microsoft's signing process (http://mjg59.dreamwidth.org/12368.html) so it will boot up on SecureBoot locked-down systems.
When booted this way, only signed OS kernels can be run, only signed modules will be loadable, direct memory access will be disabled—basically the kind of anti-anti-DRM restrictions needed to prevent the users' software from breaking out of the sandbox. (This has caused some amount of drama, with some people—including myself—arguing against Fedora's participation on software freedom grounds, but it seems certain to happen.) Many pieces of technology are used with few ill effects in freer parts of the world, but find themselves applied in repressive ways elsewhere—such as web censorware, deep inspection firewalls, etc. So I'm wondering: what negative human rights side effects might we expect from SecureBoot? For example, it would be fairly straightforward to ban the import or sale of computer systems which aren't equipped with only a regime-controlled root key, and probably not that difficult to then provide surveillance-enabled operating systems as the only thing that will run on them. I have little doubt that expert users will figure out a way to jailbreak these systems, but will that be sufficient? A lot of this is arguably already true on mobile phones. Have we learned anything there that will tell us if the consequences will be lesser or greater on desktops? Can technology continue to provide solutions for liberty as we move away from general-purpose computing, and oppressionware becomes mandated and installed by default, enforced through hardware restrictions?
