Locking bootloaders with trusted computing is an important step towards protecting users from some of the most devastating malware attacks: by allowing the user to verify their computing environment, trusted computing can prevent compromises to operating systems and other low-level parts of their computer's operating environment.

But as with every security measure, there's a difference between "secure for the user" and "secure against the user." Bootloader protection that doesn't allow an owner to decide which signatures they trust is security against the user: security that prevents the user from overriding the manufacturer, and so allows the manufacturer to lock the user in.

Apple's latest bootloader protection, the controversial T2 chip, is a good example of this. The chip comes with a user-inaccessible root of trust that allows for the installation of Apple and Microsoft operating systems, but not GNU/Linux and other open and free alternatives.

There's no reason it has to be this way: Google's flagship Pixel Chromebooks come with hardware switches that can be activated during boot to allow their owners to change which signatures the system trusts (users can initialize these systems with passwords that prevent others from covertly altering the trusted root later). This gives users the best of both worlds: a system that, by default, protects them from malware, and, should the user choose, allows them to nominate parties other than Google to decide whom they trust.

To make things worse, publishing tools to allow for bootloader overrides is legally risky under section 1201 of the DMCA, which provides for 5-year prison sentences and $500,000 fines (for a first offense) for anyone who traffics in tools to override access controls for copyrighted works.

Update: After some doing, it's possible to install GNU/Linux by disabling boot security altogether, though some further tweaking is required. However, unlike with the Pixel, you can't manually install your own trusted signatures into the bootloading security process.

Apple's T2 documentation makes this clear and explicitly mentions Linux: "NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants." In other words, until Apple decides to add this certificate, or the T2 chip is otherwise cracked so that it can be fully disabled or made to load arbitrary keys, good luck even being able to boot Linux distributions on the new Apple hardware.
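As an added illustration (not from the post or from Apple's documentation) of what "trust" means here: the Secure Boot `db` variable is a sequence of EFI_SIGNATURE_LIST structures holding the CA certificates and hashes the firmware will accept, and a bootloader signed by a CA absent from that list (the Microsoft UEFI CA 2011 on the T2) is refused. The Python below parses that format and checks whether a given certificate is present; the signature-type GUIDs are from the UEFI specification, while the owner GUID and certificate bytes are constructed placeholders.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_db(blob):
    """Yield (signature_type, owner_guid, data) for every entry in a db/dbx/KEK blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("inconsistent SignatureListSize")
        if sig_size <= 16:
            raise ValueError("SignatureSize must exceed the 16-byte SignatureOwner GUID")
        entries = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(entries) % sig_size:
            raise ValueError("signature list length is not a multiple of SignatureSize")
        for i in range(0, len(entries), sig_size):
            owner = uuid.UUID(bytes_le=entries[i:i + 16])
            yield sig_type, owner, entries[i + 16:i + sig_size]
        off += list_size


def db_trusts(blob, sig_type, data):
    """True if the db holds an entry of the given type whose payload equals `data`."""
    return any(t == sig_type and d == data for t, _, d in parse_signature_db(blob))


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    size = len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + size) + body


# Constructed sample: a db with one "certificate" (placeholder bytes, not a real DER cert)
# and two hashes. A real db holds the vendor's X.509 CA certificates in DER form.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder owner GUID
VENDOR_CA = b"PLACEHOLDER-DER-CERT"
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [VENDOR_CA])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32]))
```

On a Linux machine the real variable can be read from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after dropping the 4-byte attribute prefix that efivarfs prepends.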

Apple's New Hardware With The T2 Security Chip Will Currently Block Linux From Booting [Michael Larabel/Phoronix]

(via /.)