"Secure Boot": Who will control your next computer?
FSFE's goal is to ensure that the owners of IT devices are always in full and sole control of them. This fundamental principle is recently being challenged.
With a function called "Secure Boot", which will be deployed in computers starting 2012, manufacturers of IT hardware and software components are striving to get into a position where they permanently control the IT devices they produce. Hence such devices will be "secure" from the manufacturer's perspective, but not necessarily from the owner's point of view: The owner can be treated as an adversary. By preventing uses of the device which the manufacturer does not intend, they can control and limit what a general purpose IT machine (e.g. a PC, laptop, netbook) may be used for. In case of IT devices with internet access, they can alter these usage restrictions at any time without even informing the device owner. As a result, IT manufacturers at their will can take away common rights owners of products usually receive.
"Secure Boot": Gatekeeper before the operating system
When powered on, IT devices execute a startup process called booting. In case of computers this startup process is comprised of executing firmware. This firmware, in turn, starts another program called a boot loader, which then launches the actual operating system, on top of which applications can be executed. In 2012 the industry-wide transition of PCs, notebooks, servers, and other computers' firmware from conventional BIOS to UEFI will be mostly complete. Compared to conventional BIOS, UEFI has several advantages, such as faster boot time, operating system independent drivers, and the promise of extended security.
The security aspect is handled by a function called "Secure Boot". Since UEFI 2.3.1 (released April 8, 2011) "Secure Boot" ensures that during the boot process only software will execute, which complies with one of predeployed cryptographic signatures. This is done to prevent unwanted software from being executed during the startup of the computer, by cryptographically verifying a signature of each software component (various stages of the UEFI firmware, the boot loader, the operating system kernel, etc.) before starting it. Therefore the cryptographic signatures to be utilised have to be deployed in the UEFI signature database of each IT device equipped with UEFI "Secure Boot", before a cryptographically signed software component can be started on that specific machine.
FSFE expects that the vast majority of the computer manufacturers will implement "Secure Boot", as Microsoft has announced that computer manufacturers must implement UEFI "Secure Boot", if they want to acquire a Windows 8 certification for devices they build, e.g. for putting the "Compatible with Windows 8" logo on them.
The computer: a general purpose machine
Evolving the computer as a general purpose machine over the past decades, our society has created a powerful tool to perform all kinds of tasks with a single machine. Now IT manufacturers have discovered that they may have an economic interest to arbitrarily limit what these machines can achieve. With "Secure Boot" the owners of IT devices will not be able to independently determine the usage of their machines, as they cannot decide which software to run.
The entity who eventually controls which software can be executed on a device and thus determines the specific functions the device performs, ultimately can control any data processed and stored by the device. In result, the owner of an IT device may not be in sole control of their own data any more.
For which devices does this apply?
Currently many people base their analysis of the UEFI situation on the "Windows 8 Hardware Certification Requirements", published by Microsoft in December 2011. It is understood that Microsoft did not and still does not have to make any versions of these hardware-certification requirements public, as they are the base of an individual contract between Microsoft and each hardware manufacturer seeking to obtain Microsoft's Windows 8 Certification for their computer-products. Hence the "Windows 8 Hardware Certification Requirements" can change anytime without public notice, or specific details of the logo-requirements may differ between manufacturers: Everything happens at Microsoft's will and mostly behind closed doors. Thus nobody can rely on the published version of the "Windows 8 Hardware Certification Requirements" being static, but realise the details devised for "Secure Boot" as a "moving target".
So the problem of "Secure Boot" is not necessarily limited to "Connected Stand-By Systems" (probably a large share of the future market of notebooks, netbooks and PCs) and computers based on ARM microprocessors (mainly tablets and mobile phones), but can be expanded to any other type of devices by Microsoft anytime. Equally, hardware manufacturers not producing Windows 8 devices may deploy UEFI "Secure Boot" or other boot processes restricted by the help of cryptographic signatures. TiVo has been doing this for a decade, and various gaming consoles from Sony to Microsoft are using cryptographically restricted boot processes as well. Other device manufacturers may employ specifications or requirements similar to the "Windows 8 Hardware Certification Requirements", in order to artificially restrict the capabilities of IT devices.
Restricitons to be extended to applications?
While the UEFI "Secure Boot" specification (as well as the specifications of the Trusted Computing Group defining "Trusted Boot") covers the primary boot process up to the operating system's kernel, the infrastructure to extend signature-checking to all software running on a computer is mature and working in various operating systems. But beside Windows 8 it is currently only enforced for Windows device drivers.
Threat to general purpose computing
If all these measures would be solely under control of device owners, these could be in their best interest, helping them to enhance security of the boot process, which today is mostly unsecured. This would be the case if the security subsystems specified by the UEFI forum and the Trusted Computing Group (TCG) would technically guarantee the owner's permanent, full and sole control over configuration and management of these security subsystems, which includes the creation, storage, use and deletion of cryptographic keys, certificates and signatures. But as soon as other entities beside the device owner can utilise these security subsystems, this enables them to preclude unintended or simply unforeseen usages of these IT devices.
Hence, with the implementation of "Secure Boot", the availability of true general purpose computers under full owner control may be greatly reduced. Devices significantly restricted by measures as "Secure Boot" under company control are usually called appliances or special purpose computers (e.g. media centres, telephones, book readers). Thus at least some Windows 8 devices will rather constitute a Windows appliance than a customary computer. While there may be a market for such computing appliances, the FSFE strongly calls for clearly labelling such IT devices as restricted to use models foreseen by a company, in order to duly inform a potential buyer.
Is circumventing these restrictions an option?
IT savvy people may think that they have seen such measures before, and most of them were cracked. This was the case in various models of the PlayStation and Xbox gaming consoles, as well as many newer mobile phones. But the quality and breadth is wider this time:
- UEFI "Secure Boot" is primarily aimed at traditional PCs.
- It is backed by large parts of the IT industry, see e.g. the members of the UEFI Forum.
- Its design and specification are result of a collective effort of IT engineers from various companies. It draws on a decade of experience with signature based boot processes and hence avoids many classical pitfalls, e.g. the lack of a properly specified and cryptographically secured firmware (UEFI) update process.
- It utilises hardware based security subsystems, e.g. as specified by the TCG (TPM or MTM, and accompanying specifications): While the UEFI specification does not mandate a specific implementation of "protected storage" for cryptographic keys, certificates and signatures, the recent TCG specifications (since 2011) fit well.
- Security flaws in "Secure Boot" implementations are expected (as in all software), but as there will be commercial competition between UEFI vendors, it is in their best interest to resolve these security flaws. In contrast, in the past only individual manufacturers implemented cryptographically restricted boot processes for their own, specific devices: TiVo Inc. for their TIVOs, Microsoft for various generations of their Xbox, as well as Sony for their Playstations.
Furthermore, even though many of similar usage restrictions have been cracked in the past, this only shows that their technical implementations were flawed and open to malware, hence not providing the "security" they were designed for. Although this is likely to apply to some "Secure Boot" implementations as well, breaking such mechanisms can never be a solution for freedom issues or the lack of controllability by the device owner.
For maintaining sustained growth in the development and use of software, the broad availability of general purpose computers is crucial.
FSFE demands that before purchasing a device, buyers must be informed concisely about the technical measures implemented in this device, as well as the specific usage restrictions and their consequences for the owner.
Furthermore, FSFE strongly recommends to exclusively purchase IT devices which grant their owners full, sole and permanent control over security subsystems (e. g. signature-based usage restrictions), in order to maintain the ability to install arbitrary software and lastly to retain exclusive control over ones own data.