Secure Boot is the Future of Linux

What I’m about to say is going to be one of many (at least initially) unpopular opinions, inspiring an instant knee-jerk reaction that I’m stupid, crazy, in league with various user freedom villains, or simply being contrarian for the sake of pageviews. As such, I really hope people actually read my reasoning, and hopefully agree with me, or at least disagree for informed reasons. Because it’s about to get controversial up in here, so don your flak jacket and safety goggles.

While Microsoft is clearly and unquestionably trying to use Secure Boot as an excuse to stifle adoption of increasingly competitive free software, this has the potential to backfire and turn out to be something wonderful, because it offers the solution to a longstanding problem with preloaded Linux computers that will only become more and more of a pain point as Linux adoption accelerates.

That’s right, Secure Boot is a good thing for Linux.

And while I do definitely mean that in a sense of “encouraging hardware manufacturers to stand up for themselves and tell Microsoft to go fuck themselves,” that’s not the only sense I mean it in. Because OEMs like Dell aren’t angels either (though their forays into preloaded Linux are not just commendable, but exciting).

What I’m Not Saying

Let’s get this out of the way to avoid confusion later in the article. I do state these things elsewhere, but I feel like they deserve emphasis.

  • Secure Boot, in its present state and as dictated by Microsoft’s Windows requirements, is still not a good thing. An axe can be a very useful tool, but less so when funky-shaped and in the hands of a homicidal madman.
  • I’m proposing SB as the solution to a problem, with the understanding that SB alone cannot comprehensively solve the problem. It reduces our attack surface, but cannot completely eliminate it.
  • To be properly useful to Linux users, and not just a harmful weapon wielded by Microsoft, certain implementation details should (or must) be followed, which I list later in the article. This is about the potential of Secure Boot as a tool, not its current capacity for it. I know this sounds fishy, but it really does not take much to follow these guidelines, and to the best of my knowledge they do not violate existing UEFI standards.

The Windows Discount

If you’re a typical Linux geek, most of your present Windows experience is using other people’s machines, or dual-booting for that one program or program genre you can’t do without (for most people, that’s gaming - an industry showing a glorious movement toward ubiquitous Linux support, such that within five years, not having a Linux port will be considered unusual, or at minimum, old-fashioned). And these people, I suspect, are among the last holdouts who still believe in the Windows Tax of yore. These are the people most likely to have been exposed to the idea of the Windows Tax, but not to the turned tide being demonstrated in Best Buys across the world today.

The Windows Tax is a nickname for Windows licensing fees. This price is included in the purchase of almost all prebuilt computers - namely, the ones with Windows preinstalled - whether you actually want Windows on your computer or not. And it’s a pretty good way of describing the injustice of having to pay for something you don’t want inextricably bundled with something you do. For a long time, this was also a valid complaint in purely financial terms.

Anyone following the troubled rise of preinstalled Linux, though, is probably familiar with one disconcerting truth. These days, where two machines with equivalent hardware are sold, one with Ubuntu and one with Windows… the Ubuntu computer is routinely the more expensive one. Wait a minute, what? What the heck happened, and how does that even work?

On the surface of it, it shouldn’t. Ubuntu is free. Windows is about $200 on a rough average. So, at that level of theory, Windows computers should cost about $200 more than equivalent Ubuntu machines, not $50 less. By these very ballpark and averaged estimates, that leaves about $250 worth of “dark matter” money unaccounted for, which has to be coming from somewhere. And it is.

The “dark matter” money comes from the fact that Windows is not the only software that OEMs install. You also get a trial version of that antivirus that costs a lot of money and pressures you into buying all the time. You get game demos you don’t care about, a couple of widgets, and even outright malware, all preinstalled by the OEM as part of the company’s stock disk image for that hardware model. All of it is (at least theoretically) profitable software paying top dollar to get preinstalled on people’s machines, and most of these crapware vendors easily recoup that money later on thanks to clueless users, the elderly, etc. It’s profitable to sell machines dirty, not clean.

Windows is cheaper to preinstall than Linux because it has more than enough third-party subsidization to be that way, and each of those third-party elements undermines your machine’s stability and respect for personal privacy, with varying degrees of malicious and/or manipulative behavior.

That’s why it’s not called the Windows Tax anymore. It’s the Windows Discount.

The Discount Comes To Linux

Linux is widely known for its security against third-party attackers, though this reputation mostly rests on high-visibility servers. That property of the world’s most popular free OS family can be completely undermined by malicious preinstalled software, which is exactly what you get by taking the concept of the Windows Discount and applying it to Linux. Because honestly, think of the savings from an OEM’s perspective for a minute. If you’re collecting $250 now just to compensate for Windows licensing, imagine how much better that $250 would look as pure profit. You could basically afford to sell your cheapest machines for free and still make a marginal profit (not that you’d necessarily want to go that far with it, of course).

Make no mistake, the rise of preinstalled Linux carries with it the imminent threat of third-party shenanigans at all levels of visibility. But let’s not forget that there’s an element of game theory attached to this, which is part of the reason Linux preinstallation never caught on that well before in the first place.

Users savvy enough to want Linux are also usually savvy enough to distrust preinstallation for the reasons above. And from that point of view, you’re going to have to wipe the drive and reinstall from a trusted source anyway, with the typical workflow of torrenting a distro ISO of your choice, burning it to removable media, and installing across the whole disk. AKA, the same thing you’d do as the first step if you’d bought a Windows machine. And if you’re reinstalling anyway, you might as well get the cheaper Windows version… thus, demand for preinstallation is almost completely marginalized to the “I’m buying a thing to make a point” demographic.

So users don’t trust preinstallation, and OEMs know that preinstallation is less profitable because of it: fewer hardware purchases, and of those, fewer people retaining the original installation (thus reduced effectiveness of “discount” software, and reduced revenue from it).

This has been an underlying thorn in Linux preinstallation’s side for at least a decade, sabotaging all but a few attempts to make money in that market. And if it’s not profitable, it won’t happen, much to the chagrin of everyone who’d prefer the world’s users to be running free, trustworthy operating systems by default.

Solving The Trust Problem

Ultimately, the above reduces to a simple paradox of trust. OEMs are selling Linux to a market that distrusts them, and given the track records and current behavior of OEMs, this distrust is reasonable and correct. It’s also the biggest poison for Linux adoption.

The funny thing is, Microsoft accidentally solved this problem, in its attempts to get desktop Linux to just die already, something that’s going to become an increasingly important priority for them with the rise of Linux gaming and the unimpressiveness of Windows 8. Secure Boot goes a long way towards solving the above trust problem.

You see, Secure Boot can be used to verify the integrity of a Linux installation, up to a point at least. The firmware checks the signature on the bootloader before it runs, and a signed bootloader can in turn check the signature on the kernel it loads, so a distro can promise that the boot chain you expect is the one you actually got. Admittedly, that covers only a very small part of the stack: nothing in the chain looks at the root filesystem, which is exactly where preinstalled software lives. But it’s a step toward distro maintainers being able to guarantee that all software on the system is stock Ubuntu, stock Debian, or stock Fedora before the update process begins from that pristine state.

UEFI Secure Boot is definitely not the only piece of this picture. On its own it only provides some low-level guarantees, though a few extensions could make it significantly more useful for Linux:

  • Display the cryptographic details of each verified stage during the boot process (which key or certificate authorized the bootloader and the kernel, by fingerprint), so that they can be checked against the public keys the distro maintainers publish. For this to mean anything, the display has to come from the firmware itself, not from the code that is being verified.
  • Offer full-disk/partition cryptographic hash checking, and do it by default on first boot: hash the root partition and accept it only if the result matches one of the image hashes in a manifest signed by your root authority. This is what would close the gap between “the bootloader is stock” and “the whole installation is stock”.
  • If a bootloader fails its signature check, don’t just abort. Prompt the user before continuing, with the default selection being “No”. There are many situations where the user wants to make a one-time exception, and this should be made convenient without being confusing or inclined toward insecurity. The prompt must be rendered by the firmware rather than by the unverified loader, and the exception should be recorded so it can be reviewed later.
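Here is what the second and third extensions above would look like in code, as an added example written for this article rather than anything shipped by a distro, a firmware vendor, or UEFI itself. It uses Go’s standard-library Ed25519 and SHA-256 to stand in for the root authority’s signing key; the JSON manifest format, the function names, and the sample “images” (short byte strings constructed inline) are assumptions made for the example. In a real first-boot check the public key would be baked into the firmware or the signed bootloader, and the image would be the actual root partition read as a stream.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Manifest is the hypothetical format a distro's release team would publish:
// one SHA-256 per pristine preinstall image, signed with the maintainers' key.
// The field names are assumptions for this example, not a real distro format.
type Manifest struct {
	Distro string   `json:"distro"`
	Images []string `json:"images"` // hex SHA-256 of each known-good image
}

// SignedManifest carries the serialized manifest and a detached signature
// over exactly those bytes, so signer and verifier work on identical input.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// SignManifest serializes the manifest and signs it with the maintainers'
// private key, which in practice never leaves the release pipeline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyManifest checks the signature before parsing anything: a tampered
// or unsigned manifest is rejected before any of its contents are trusted.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// HashImage streams the partition contents through SHA-256, so a
// multi-gigabyte root partition never has to be held in memory.
func HashImage(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// CheckImage is the first-boot check: verify the manifest, hash the image,
// and report whether the hash is one the maintainers vouch for.
func CheckImage(pub ed25519.PublicKey, sm SignedManifest, image io.Reader) (bool, error) {
	m, err := VerifyManifest(pub, sm)
	if err != nil {
		return false, err
	}
	sum, err := HashImage(image)
	if err != nil {
		return false, err
	}
	for _, known := range m.Images {
		if strings.EqualFold(known, sum) {
			return true, nil
		}
	}
	return false, nil
}

// BootDecision models the "prompt, default No" policy: a verified image boots
// unconditionally; an unverified one boots only on an explicit "yes".
func BootDecision(verified bool, userAnswer string) bool {
	if verified {
		return true
	}
	return strings.TrimSpace(strings.ToLower(userAnswer)) == "yes"
}

func main() {
	// Constructed sample data: a throwaway key pair stands in for the
	// distro's release key, short byte strings stand in for disk images.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pristine := []byte("pristine-ubuntu-image")
	tampered := []byte("pristine-ubuntu-image+oem-crapware")

	sum, _ := HashImage(bytes.NewReader(pristine))
	sm, _ := SignManifest(priv, Manifest{Distro: "ubuntu", Images: []string{sum}})

	ok, _ := CheckImage(pub, sm, bytes.NewReader(pristine))
	fmt.Println("pristine image verified:", ok)
	ok, _ = CheckImage(pub, sm, bytes.NewReader(tampered))
	fmt.Println("tampered image verified:", ok)
	fmt.Println("boot tampered image with default answer:", BootDecision(ok, ""))
}
```

Two design points matter more than the crypto primitives. The manifest signature is checked before the JSON is parsed, so an OEM who edits the list of “known-good” hashes cannot get the firmware to read their edit at all. And the only way past a failed check is an explicit affirmative answer; an empty answer, a timeout, or a corrupted prompt all resolve to “No”.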

OEMs will always, inevitably be in a position of power, such that with sufficient effort, they can sabotage security for their own purposes. Part of Linux’s postinstall value has always been its subversiveness, the fact that the hardware was not designed to crack Linux and escalate a series of attacks on your root partition’s integrity. That element of protection will evaporate with the popularization of Linux. While the above extensions to Secure Boot go a long way toward plugging these security holes, preinstalled Linux must still be considered a brave new world full of unsolved security concerns that must be ironed out through time and research. However, this does not put me off from buying a preinstalled Linux computer - rather, it encourages me to do my part in driving up demand, which will help motivate the requisite research. That, and writing articles like this, of course.

The Future Of Discountware

It won’t stop existing, but it’ll stop being malicious. If distro maintainers have more certification control over the starting point of preinstalled Linux machines, then they can find ways to partner with commercial software that do not sacrifice ethics or security. Obviously this is still the kiss of death for most third-party preinstallware, but that’s because most third-party preinstallware deserves to die in a very tall, gasoline-fed fire.

For example, you might get the free version of Ardour installed - an open source digital audio workstation with paid support. Perhaps a few Dell-specific packages from the Ubuntu repository, meeting the repository maintainers’ standard for entry, such as the ones that come with the Dell XPS 13 (project codename Sputnik).

The real potential that I’m hoping for is not just for discountware. I want to see a world where bug reporting, tracking, and financing is effortless (or as close as it gets). Tools that integrate with FreedomSponsors.org and are accessible via system tray would be ideal. “Oh, looks like LibreOffice goes wonky when you do this thing. I’m gonna recreate as video, check a few checkboxes for diagnostic commands I’m comfortable with reporting as part of the bug report, and sponsor this for $5 over Paypal, all via a popup form. Cool.”

My hope is that one day, free software will be highly profitable to build and support, as long as it’s used. This means that normal, quality open source projects can afford to pay their way onto distros (subject to maintainers, of course), and have that investment rewarded in greater financial return. And that, in turn, supports distro maintainers. Maybe it’s a pipe dream, and money is too corrupting an influence to be beneficial in the open-source ecosystem, but I don’t think so. Linux is as good as it is today thanks to commercial support as much as independent development. Free software is best when funded - “free as in freedom” is what matters, “free as in beer” doesn’t have to mean nobody pays to support it.

It is one of my personal goals in life to see free software get the financial support that it deserves, without compromising its integrity, and I welcome anyone’s vision or criticism on how to get there.