Boot-Up Blues: New & Improved

I’ve written here a couple of times before about efforts to get PCs to boot more quickly, by speeding up the BIOS firmware, as well as guidelines  to improve the security of the BIOS code and boot process.  One effort that was expected to help in achieving these goals is the development of the Unified Extensible Firmware Interface [UEFI] specification, to improve on the BIOS specification first defined with the introduction of the IBM PC in 1982.

One of the features introduced in the UEFI specification is called Secure Boot; this provides that the machine will only boot using code signed with a trusted cryptographic signature; trusted signature(s) would be pre-configured into the UEFI subsystem.  This, in itself, is unobjectionable, and is in line with the recommendations for BIOS security made by the NIST.  However, as with so many security issues, the devil is in the details, and as implementation approaches, the devil has definitely appeared on the scene.

The issue revolves around Microsoft’s specified requirements for hardware to be “logo certified” compatible with its forthcoming OS version, Windows 8.   Microsoft’s current statement is that new PCs, in order to receive their certification, must ship with Secure Boot enabled, and a Microsoft signing key installed.  For PCs based on the traditional Intel x86 architecture, the statement also says that the user must be given a means by which Secure Boot can be disabled, so that any software, signed or not, can be installed locally.  It also requires that there be a mechanism by which the user can add or replace trusted keys.  (These capabilities are not required, however, for machines with ARM processors, which would include most tablets and smart phones.)

This has raised questions from those involved with free/open-source software (such as the Linux OS).  It would mean that, for new x86 PCs with Windows 8 pre-installed, the user would have to bypass Secure Boot in order to install Linux, either to set up a dual-boot system, or to replace Windows entirely.  And it might be impossible to do at all on an ARM-based system.

Two large suppliers of Linux distributions have taken steps to address the potential problem.  Red Hat, which distributes Fedora Linux, has entered into an agreement with Microsoft and Verisign under which, in essence, Fedora’s first stage boot loader will be signed by Microsoft.   Canonical Ltd, distributors of Ubuntu Linux, have taken a different approach.  Ubuntu will have its own trusted key, which will be installed in firmware on “Ubuntu Certified” machines; in other cases, it can be installed by the user.  (This does not address the problem of ARM-based machines.)

The Free Software Foundation [FSF] has published a white paper that discusses problems with Secure Boot in general, and also takes issue with both the Fedora and Ubuntu solutions.  Their key objection, in both cases, is that the approaches require the user to trust Microsoft’s signature, in addition to any others that the user may add.  Although I think it highly unlikely that Microsoft would use that trust to somehow “sabotage” machines with Linux installed, the FSF’s objection is certainly valid in principle.

The FSF has an additional beef with the Ubuntu solution, because in designing it Canonical has decided to switch from the GRUB 2 boot loader, licensed under the FSF’s GPLv3 license, to an Intel boot loader, efilinux, with a more permissive license.   According to Canonical’s chief executive and founder, Mark Shuttleworth, the change was made because they worried that, if a manufacturer shipped a PC in which Secure Boot could not be disabled, Canonical might be forced, under the terms of the GPLv3 license, to disclose its private signing key.  The FSF argues that it was not consulted about this, and would not take such a step in any case.  Shuttleworth says that Canonical did receive legal advice.

The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it’s hard for them to argue they never would!

It is hard to know what to make of the FSF’s argument; the SFLC is the Software Freedom Law Center, headed by Professor Eben Moglen of Columbia University Law School, former general counsel of the FSF, who was directly involved in drafting the GPLv3 license.

My own reaction to all this is that, if Microsoft sticks to its current statements, the situation with x86 machines, requiring the user to bypass Secure Boot or install additional trusted keys in order to install Linux or other alternative software, is a nuisance, but a bearable one.  I am much more concerned about the situation with ARM machines; one of the great virtues of the PC environment is that it is open, and that users can control the machines they own.  If you have an Apple iPad, you cannot use any software that does not have’s Apple’s imprimatur.   I am not surprised that Microsoft would like to move in that direction, but I can see no reason for users to accept that.

Azure Welcomes Linux

I’ve noted here before that Microsoft, a company that has traditionally been dismissive of the open-source software movement (CEO Steve Ballmer once described Linux as “a cancer”), seems to have undergone something of a change of heart.  It moved customers of its discontinued “Live Spaces” blogging platform to the open-source WordPress, and announced that it would use the Apache Foundation’s Hadoop project for “big data” applications.  It has even become a significant contributor to Linux kernel development.

In a recent announcement, reported in an article at Ars Technica, Microsoft has now said that Linux will be a first-class OS citizen in its new Azure “cloud” service, along with Windows server systems.

OpenSUSE 12.1, CentOS 6.2, Ubuntu 12.04, and SUSE Linux Enterprise Server 11 SP1 join Windows Server 2008 R2 and Windows Server 2012 Release Candidate in the list of compatible operating systems that can be used in Azure’s new infrastructure-as-a-service virtual machine role.

Although it was possible to use Linux on Azure in a limited way before, this announcement means that, like Windows virtual machines [VMs], Linux VMs will be persistent, making them much easier to integrate with an enterprise’s overall IT environment.  Another aspect of the new capabilities is Azure Virtual Network, which will allow Azure VMs to be securely linked to traditional on-premises infrastructure over a virtual private network [VPN].

In conjunction with the Microsoft announcement, there were also announcements of commercial support services for Linux on Azure.  Wired reports, in a post on the “Cloudline” blog, that OpenLogic, a commercial support provider for open-source software, will provide Service Level Agreement [SLA] support for the CentOS Linux distribution on Azure.   According to an article at Ars Technica, Canonical Ltd, the sponsor of the Ubuntu Linux distribution, is working with Microsoft to provide similar support for Ubuntu on Azure.   Mark Shuttleworth, the founder of the Ubuntu project, anticipating that there may be some reluctance on the part of some open-source stalwarts to partner with Microsoft, writes in a blog post:

There is nothing proprietary in Ubuntu-for-Azure, and no about-turn from us on long-held values. This is us making sure our audience, and especially the enterprise audience, can benefit from the work our community and Canonical do no matter where they want to do it.

I’m sure that some free software folks will feel like participating only while holding their noses, if that; but actually, it seem to me that this is a significant victory.  Microsoft is doing this, at least in part, because their customers are demanding it. As the line sometimes attributed to Gandhi has it, “First they ignore you, then they laugh at you, then they fight you, then you win. “

Ubuntu 12.04 Reviewed

Late last month, I posted a note here about the release of Ubuntu Linux 12.04, “Precise Pangolin”.  Ars Technica now has a review article that covers changes in this release in considerably more detail.  (Note that this covers the base Ubuntu distribution released by Canonical Ltd, and does not necessarily apply to other variants, such as Kubuntu or Xubuntu.)

The review concentrates on the desktop and user interface portions of the system, which is sensible, since they provide the major differentiating factors between versions.  (Because the architecture of the Linux OS and  desktop is much more modular than that of, say, Microsoft Windows, it is generally possible to run almost any Linux application on any contemporary Linux system.)    Since 2010, the Ubuntu project has been working on a new desktop environment, called Unity, that attempts to deliver a more consistent user interface across applications and devices, including mobile devices.

The review is, I think, well done, and the author, Paul Ryan, has done a good job of explaining how the Unity interface differs from some more familiar interfaces.  Having had a couple of weeks to try the new release, I agree with his basic conclusion that the interface is significantly improved from earlier versions, but still has a few rough edges.   This release of Unity has a new feature, called Heads Up Display [HUD], which is intended to save time for users who prefer to keep their hands on the keyboard.

Let’s suppose that I am running Firefox on Ubuntu (as, in fact, I am at the moment), and I want to see the HTML source for the page I am looking at.  The conventional way to do this, as of Firefox 12.0, is to pull down the “Tools” menu, then select “Web Developer”, and then “Page Source”.  If HUD in enabled, I can just start typing “page source”, and HUD will show me all the menu items that match.  A nice side benefit of this is that I don’t have to remember which sub-menu contains the function I want.

The new version also includes a new privacy management framework called Zeitgeist, which allows you to control the extent to which the Unity system tracks your usage of applications, files, and so on.  Although the initial implementation is not perfect, it is a step forward.   It regulates the information gathered by Unity itself, but does not affect any logging or other data capture done by individual applications.

The whole review article is worth a read if you use or are interested in Ubuntu, or even if you’re just interested in interface design.

 

Ubuntu Linux 12.04 LTS Released

Canonical Ltd, the corporate sponsor of the Ubuntu Linux distribution, has announced the availability of version 12.04 LTS, code named “Precise Pangolin”†, for Desktop, Server, Cloud, and Core products.

There are 54 product images and 2 cloud images being shipped with this 12.04 LTS release, with translations available in 41 languages.  The Ubuntu project’s 12.04 archive currently has 39,226 binary packages in it, built from 19,179 source packages, so lots of good starting points for your imagination!

This is a long-term support [LTS] release.  A new version of Ubuntu is released twice yearly, in April and October, giving version numbers of the form YY.MM, from the year and month of the release..  Most releases receive updates for security issues and bug fixes for 18 months, but every two years an LTS release is made.  Historically, these have received three years of update support on the desktop, and five years for the server edition.  In this case, Canonical has said that all versions will receive five years of updates.  The LTS releases are especially helpful to those who may have sizable Ubuntu deployments, as well as those who just want less frequent OS updates.

In addition to the Linux operating system, the distribution contains a large number of applications, including the Firefox browser, the LibreOffice office suite, and media players.  Many more applications are available in the Ubuntu software repositories, and can be downloaded and installed easily using the Software Center tool included in the distribution.  As usual, the CD images available for download can be used as a bootable “live CD”, so that you can try things out without any modifications to your system; it also allows you to do a standard installation to the hard disk.  More information about this version is available in the Release Notes.

The base Ubuntu distribution for desktop and laptop computers uses Canonical’s Unity desktop shell [GUI].  Other versions are also available.  The Kubuntu version uses the KDE graphical interface, which some users prefer; it is available for download here.  Another variant, Xubuntu, uses the Xfce desktop manager; users with older hardware, especially, may find it of interest, since its resource requirements are more modest.  You can download Xubuntu here.   The announcement from Canonical also lists some other, more specialized, variants.

The Ubuntu Linux system, and the tools included with it, are all free software; you are not only allowed, but also encouraged, to share the software with others.

Ars Technica has an initial review of the new release.

† The Ubuntu project uses alliterative animal names for its releases.  So we have had Dapper Drake, Hardy Heron, Intrepid Ibex, and Oneiric Ocelot, among others.