Red Hat | UEFI Secure Boot - Trusted Computing Fears Realised

Red Hat yesterday defended its decision to collaborate with Microsoft in forcing Linux users to pay a $99 fee to install custom kernels as the “best thing for its users”. In truth this is a delusional position to take - the best thing for users is to pressure the software/hardware industry to avoid obvious situations where customers will become victims of vendor lock-in and inability to make full use of the devices in which they invest a non-trivial amount of money. Red Hat claims the following:

Such creative individuals can also participate by simply enrolling in the $99 one time fee to license UEFI. For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost.

But this is quickly revealed to be false information by visiting the Microsoft sysdev portal and noting the following (emphasis in first paragraph is mine):

Microsoft is pleased to announce that, for a limited time, VeriSign is offering the ‘Microsoft Authenticode’ Digital Certificate at a substantially reduced price by following the link below.

The second point Red Hat made, where one can register their own trusted keys at no cost, is dubious at best. This is a feature which can optionally be implemented by OEMs designing their motherboard firmware, and there are no indications that any manufacturers have indeed implemented it at this time. If they do, this is the only correct way to instruct users to protect their freedom and rights as a consumer, not to tell them to “pay up bigtime” to a broker which is, in the end, going to be hostile to them. Red Hat’s Tim Burke, Vice President of Linux Engineering, further asserts:

Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.

When subjected to even the most shallow of analysis one will see that this is not a good-faith initiative. Secure boot functionality has not been proven to enhance system security one bit. I’m willing to bet that once secure boot enabled devices appear on the market there will be no shortage of malware available for these devices. The only known and confirmed purpose of secure boot (as demonstrated in Apple devices) is to ensure that the device runs only system software approved by the manufacturer and its partners. This is hostile to users and to free market competition, and can in no way be interpreted as good-faith.

Read more: http://www.redhat.com/about/news/archive/2012/6/uefi-secure-boot