LinuxQuestions.org


rkelsen 10-27-2022 06:02 PM

Brave New Trusted Boot World... What??
 
This was mentioned in a thread on the Slackware forum, and was the first I'd heard of it.

So, this article appeared a few days ago: https://0pointer.de/blog/brave-new-t...oot-world.html

Then in the News section of the forum, there was a link to a story from El Reg: https://www.theregister.com/2022/10/...ft_poettering/

"Microsoft's Lennart Poettering proposes tightening up Linux boot process
Building your own initial RAMdisk? That's insecure!"


"Microsoft's Lennart Poettering" Funny. I chortled when I saw it, but then my mood changed upon reading the story. In that story there were some links to these comments on Hacker News:

"As someone who never really viewed systemd as a problem I'm starting to think the systemd "haters" were actually right, at least somewhat... Viewing Poettering as some kind of malicious entity undermining projects sounds like a conspiracy theory. But now with him working for Microsoft his actions do look a lot like the "embrace, extend, and extinguish" pattern to me. Yes, yes "Microsoft <3 Linux", of course... And now I am supposed to cheer for the groundwork for the creation of an almighty authority with the ability to "sanction" some (parts of) operating systems, but not others?" https://news.ycombinator.com/item?id=33341718

"I always thought this outcome was obvious. Systemd controls everything that happens before Linux boots. It controls everything that happens after Linux boots. Might as well call it GNU/Systemd at this point. It's the silent revolution no one wanted. The name itself implies a manifest destiny because System D is 100x greater than System V and they intentionally break POSIX compliance too. Now that the guy who owns the systemd project works for Microsoft, in addition to the fact that the Linux kernel now needs to be a Windows executable in order to boot, that really tells you all you need to know." https://news.ycombinator.com/item?id=33341938

Emphasis mine.

There doesn't seem to be much discussion about this. I, for one, am quite concerned about the direction this is going.

Are you not concerned by it? If not, why not?

Any other thoughts or comments?

ChuangTzu 10-27-2022 06:24 PM

Thank you for posting this. I would not be a bit surprised if he was working with or for Microsoft for some time and just announced it publicly when the time was right. But I tend to follow the money trail back to the source when things smell/look fishy.

sundialsvcs 10-27-2022 08:09 PM

Actually, "the initrd step" in a great many distros is(!) a vulnerability, since this is the "pre-boot" step in which the kernel attempts to automagically adapt itself to whatever hardware environment it may be faced with. Although this precursory step of the process is not well-understood by many, to finger it as a "potentially exploitable vulnerability" – although IMHO fairly unlikely – cannot be entirely dismissed. "If one puts their mind to it, any point in the process is 'potentially exploitable.'"

ChuangTzu 10-27-2022 09:12 PM

Quote:

Originally Posted by sundialsvcs (Post 6389062)
"If one puts their mind to it, any point in the process is 'potentially exploitable.'"

This is why one's philosophy, personal and project, is of the utmost importance. I am reminded of the American statesman Benjamin Franklin:
Quote:

“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”
With each addition Poettering et al seem adamant about "taking over" or taking control of most everything and often in the name of security/complexity this is how everyone else does it etc... Is the dog wagging the tail or the tail wagging the dog, and at what point is the tail replaced with tale?

rkelsen 10-28-2022 12:41 AM

Quote:

Originally Posted by sundialsvcs (Post 6389062)
Actually, "the initrd step" in a great many distros is(!) a vulnerability

As a locally compiled kernel could be. Does that mean we need to obtain authority from Microsoft before being allowed to use a customised kernel on our own hardware?

Is the frog boiled yet? Seems like it's almost done.

elcore 10-28-2022 02:28 AM

Quote:

Originally Posted by rkelsen (Post 6389078)
Does that mean we need to obtain authority from Microsoft before being allowed to use a customised kernel on our own hardware?

Having "our own hardware" is variable, there is hardware which is soldered together prohibiting replacement of faulty modules.
So having software which is "soldered" together totally makes sense when you look at any and all profit driven software development.
It's nothing new BTW, remember SecuROM?

fatmac 10-28-2022 03:41 AM

It's all about getting 'locked in' & profits!

If mainstream Linux ends up 'needing' this, the BSDs are just waiting for new users.

The trouble will be finding a computer that doesn't have all these Microsoft lock ins!

elcore 10-28-2022 05:48 AM

Quote:

Originally Posted by fatmac (Post 6389085)
The trouble will be finding a computer that doesn't have all these Microsoft lock ins!

That'll be a non-issue for most, I think. What really put things in perspective for me, is one video I saw a long time ago.
The F-Secure crew went through some malware code, and found an address of the guys making it.
They actually went there and found some dudes in extremely poor condition, with a trash-type of PC, writing the malware for fun.
What these guys probably do is they find the nearest trash dump to get broken hardware, solder it together, and re-sell it on the flea market.
They could not care any less about some suits, who think they could buy trust. This is why I think the lock-in situation really depends on what you buy and where.

business_kid 10-28-2022 02:59 PM

Now that extremely hairy disk systems have been removed and the processes streamlined, surely you just need the modules to mount / in an initrd. If you compile those modules in, you don't need one at all. I survived for years without one and only went back to them through laziness.

fido_dogstoyevsky 10-28-2022 04:29 PM

Quote:

Originally Posted by rkelsen (Post 6389050)
...
There doesn't seem to be much discussion about this [Linux kowtowing to microsoft]. I, for one, am quite concerned about the direction this is going.

Are you not concerned by it? If not, why not?

Any other thoughts or comments?

I am concerned, and as a result am dusting off plans to drop Linux in favour of OpenBSD (about to rebuild an old PC to practice on).

rkelsen 10-28-2022 05:59 PM

Quote:

Originally Posted by elcore (Post 6389083)
So having software which is "soldered" together totally makes sense when you look at any and all profit driven software development.

So you're fine with a software house having authority over hardware you own?

That notion goes against my grain.

273 10-28-2022 08:30 PM

Lennart Poettering can complete Pulse Audio before he does anything else. Could I write it? No. Would I pester everybody so that they took up my system then make it not work for years, then almost work like it should then give up on it? No.
This is not an Ad Hominem, well it is sort-of, but more a "Why the hell trust this guy who is full of shit?".
And, yes, the fact he migrated to Microsoft no matter what their perceived situation regarding open source at the moment (OK they're not the MS of "Linux is cancer" any more) is also not a good sign.

ChuangTzu 10-28-2022 08:56 PM

Quote:

Originally Posted by 273 (Post 6389234)
(OK they're not the MS of "Linux is cancer" any more)

That's not a change just rebranding. Public face/Private face.

Best way to control the opposition is to lead and control the opposition. :scratch:

273 10-28-2022 09:04 PM

Quote:

Originally Posted by ChuangTzu (Post 6389239)
That's not a change just rebranding. Public face/Private face.

Best way to control the opposition is to lead and control the opposition. :scratch:

I don't trust them any more now but I also don't think that the vicious anti-free software attitude that was in the company back then is there now.

elcore 10-29-2022 02:22 AM

Quote:

Originally Posted by rkelsen (Post 6389219)
So you're fine with a software house having authority over hardware you own?

That notion goes against my grain.

Maybe I was not clear before.. It really does depend on what you buy, and who installed the OS.
I didn't see you complain when folks started losing warranty for replacing the android boot loader.
But to make it clear: I'm against locking up the loader/bios and I don't use secure boot, but I never buy stuff with pre-installed OS.

enorbet 10-29-2022 06:27 AM

I'm not very worried that Linux will get "locked down" or "locked out" any time soon. It should be obvious that while some, including Poettering, are focused on the Enterprise market, I think there will be enough rebel coders for quite some time to build the truly Free software, and firmware just isn't that hard to hack. Every lock has a key.

business_kid 10-29-2022 07:41 AM

On systemd, I believe software should be your servant, not your master. It should do things on my terms, not the reverse.

And I'd like to see systemd when the world's hackers notice it's in all servers and start hacking accordingly.

sundialsvcs 10-29-2022 09:24 AM

Once, while I was running Gentoo Linux (which is a source-code based distro) I took the time to eliminate the initrd step completely. I knew exactly which kernel modules were needed, since "initrd" had found them. So, I built a kernel which included the necessary drivers directly within itself, with USB drivers as loadable modules which would be loaded or unloaded on demand. I was basically doing this to find out just how quickly I could make the machine boot up. (I got it down to about six seconds flat.)

Linux distros have a lot of drivers – "DEC token-ring adapter card, anyone?" – but you only need a few of them. They're there because there's no way to know which ones you need. Linux needs to "successfully boot on anything," and this is the laborious process by which it does so.

elcore 10-29-2022 09:52 AM

Quote:

Originally Posted by sundialsvcs (Post 6389336)
"DEC token-ring adapter card, anyone?"

Not me.. had to check the wiki. When that was popular, I wasn't even born yet.
Code:

# CONFIG_DECNET is not set
# CONFIG_NET_VENDOR_DEC is not set


business_kid 10-29-2022 11:36 AM

Token Ring? Wasn't that an IBM PS/2 thing? That graveyard of ideas that happened when IBM thought they could lead, and everyone would follow? I feel sorry for the guys who wrote OS/2, designed the hardware, and worked their butts off for years only to see it wasted.

273 10-29-2022 11:40 AM

Quote:

Originally Posted by business_kid (Post 6389360)
Token Ring? Wasn't that an IBM PS/2 thing? That graveyard of ideas that happened when IBM thought they could lead, and everyone would follow? I feel sorry for the guys who wrote OS/2, designed the hardware, and worked their butts off for years only to see it wasted.

I seem to recall that Token Ring was a pretty good protocol at the time and used with coax cables - I think my school used it for their Netware network.

business_kid 10-29-2022 02:01 PM

I didn't know enough at the time about network protocols to evaluate it thoroughly, but nobody said anything bad about it. It's just that IBM patented every part of the PS/2 so your profit on compatibles went to them, and waited for pc manufacturers to queue at their doors. Instead, the pc manufacturers made the appropriate finger gesture (One in the US, but 2 in parts of here) and kept building PCs. :rolleyes:

enorbet 10-29-2022 03:27 PM

"Wasted" is the exactly correct term, business_kid, referring to OS/2. My first GUI beyond a mere DOS shell like PCTools, was OS/2 2.1. Within a few months I joined TeamOS2. When Warp 3 was released I bought it immediately and it was amazing. Warp 4 should have left Win95 in the dust because it beat it on every level excepting graphical glitz, but then IBM never wanted a SOHO system. The community filled in nicely for Desktop user apps but were in stark opposition to IBM protocols and desires.

When Microsoft's Win95 beat IBM in the marketplace so badly, despite its being many years ahead of Windows, the suits didn't chalk it off to "We weren't looking for that novice market anyway.", they were humiliated yet again and lost all love for what then was the most flexible, stable and powerful OpSys to date anywhere in the world. That didn't stop them from gloating when it won accolades and polls, but nevertheless didn't incite them to recognize its actual value when banks, hospitals, flight controllers and other mission critical users refused to give it up and demanded support. They just announced a 10 year plan to phase it out and sold it off. What a waste, indeed!

business_kid 10-30-2022 05:28 AM

I tried OS/2 myself back in the day. I liked it, but PCs were a means to an end back then for me. Once the Tech sector had ignored IBM and gotten away with it, they weren't interested in the OS either, superior though it was.

I was working but not rich in those years. I needed a business pc I could also do Electronic hardware work on. The kids wanted a PC for games, which saved on Console games. They wrecked it continually - viruses, OS errors with things like non-standard dlls as part of some games, viruses over irc, you name it. So as all the software was windows, OS/2 didn't get a look in. Besides IBM probably made sure the floppies were not compatible.

enorbet 10-30-2022 07:09 AM

Hey business_kid! Actually as much of a hassle as the floppies were there were compensations. Back then not many had CD Burners so the floppies were a means to edit the boot process and for adding/substituting drivers loaded for updating or simply specific hardware support. I still have a (not much used anymore but still working) 64 bit AMD FX-57 system with OS/2 WSeB (basically, Warp 5) on it with a couple drivers from eComStation (mainly audio). Amazingly it can still surf the web with Firefox (at least it did 2 years ago), has a complete included Office suite, Lotus Notes, speech recognition with navigation and dictation that works quite well, and naturally it runs like a scalded cat. I did have to buy a proper file manager from "Clear and Simple" but it fully supports an FX-570 GPU with 3D acceleration and drives exceeding 100GB. The community provided drivers from Dani even make SATA SSDs function and it supports more RAM than the mobo does.

As for Windows stuff, relying on Win 3.11 libraries was a bit of a problem but just like with Linux, I learned to not rely on Windows for almost everything. In fact, OS/2 is how I learned about Linux since the release of emx runtimes made it possible to build and run Linux apps and I replaced the Presentation Manager with Enlightenment.

sundialsvcs 10-30-2022 08:05 PM

"Old" technologies have a weird way of sticking around. For example, late last year I walked by a Wells Fargo ATM that had crashed, and there on the screen it was ... "OS/2 Presentation Manager!" Yes, in 2021. IBM parted ways with Microsoft on this point, but they did not abandon their investment in the software technology – some of which was (and still is) quite novel.

"Coax" networking, and the various problems that "token ring" was meant to address, went by the wayside when "Cat-5" technologies had advanced to the point that they clearly deserved to take over. But it was not at all clear at the time that they would, or could, do so.

!!! 10-31-2022 12:52 AM

Quote:

Originally Posted by sundialsvcs (Post 6389336)
... there's no way to know which ones you need...

I think: IF you only intend everyone to run a distro (like MLL) under virtualbox, then everybody has the exact same (virtual) Hardware, yes?

business_kid 10-31-2022 05:23 AM

For me, It was no contest.

I tried OS/2 in the nineties. I couldn't justify any spare box, so it went.
A friend of mine lived in the country, & had space. When he retired, they took 2 builder's skips full of junk from his place in the country. They're the skips you can't lift, but drag up on low loaders with a crane.

I only had a semi-D, so I was brutal in throwing out junk. OS/2 went out, and all old PCs. I even gave up a service agency because it required more space. I was so lucky that I did, because that lot put through two models of television. The first required travel, storage & parts, but made well; The second was a dud, and bankrupted them. I would have been left with heavy liabilities.

One can still torrent Warp 4.x, & probably 5. But I don't want the antique that will run it.

enorbet 10-31-2022 10:34 AM

Check this out http://ecomstation.com/ for OS/2 in 2022. Down but not Out. Also ARCA, another successor, is still in active development in 2022. One could say OS/2 also lives on in all journaling file systems including ext4, and NTFS.

sundialsvcs 10-31-2022 11:31 AM

@!!!: Linux cannot make the assumption that it knows anything about the hardware on which it finds itself now expected to boot. And that is what this pre-boot step is for: to detect the hardware and load the necessary modules so that the rest of the system initialization process can proceed and the system can run. But this step can be omitted if you build a custom kernel which already contains the necessary built-in drivers and loadable modules, as I once did. And, to do that might well be "more hardened."

-----

Obviously, IBM continued to use the technology which they developed, particularly for "secure" applications like ATMs. And, they continue to improve it. But, so far as I know, they no longer attempt to sell it nor any successor directly to the public. Nor do they need to. They own it, and they use it on their hardware, and it works fine. There's certainly something good to be said for owning the OS code that you use in such applications: no royalty payments, and total control.

business_kid 10-31-2022 01:13 PM

Quote:

Originally Posted by sundialsvcs
Obviously, IBM continued to use the technology which they developed, particularly for "secure" applications like ATMs. And, they continue to improve it. But, so far as I know, they no longer attempt to sell it nor any successor directly to the public. Nor do they need to. They own it, and they use it on their hardware, and it works fine. There's certainly something good to be said for owning the OS code that you use in such applications: no royalty payments, and total control.

I imagine they hardly sank the level of investment that they did into OS2 simply to have it. They are hardly doing much serious development either, because they need programmers. Can you imagine the job interviews?

....

Interviewer: "The job is for updating and maintaining the OS/2 Warp code base and patching against all known and future bugs. You also will have to write drivers as required."

Programmer: "OS what?"

Interviewer: "OS/2. It was a separate Operating system for our PS/2 pcs in the 1990s before you were born, but nobody bought the PCs or the OS so we discontinued it. It was a great Operating system, but frankly we overpriced things."

Programmer: "Does anybody use it?"

Interviewer: "No, not really. We use it in house on our pc based machines, but not on anything we use, because there's no up to date software for it ....<Programmer exits>....NEXT!"

enorbet 10-31-2022 03:24 PM

1] OS/2 was designed specifically to be one OpSys that would run on everything from embedded through PC, mini and midi to a Mainframe. It wasn't just for PS/2.

2] It was sold and supported by IBM through 2010 when shortly after it was sold off like Thinkpads.

3] It most assuredly was NOT ever overpriced. It came stock with TCP/IP when Windows was still using lameass NetBEUI, had a full Office suite included at no extra cost, later with Warp 4 voice navigation and dictation, was the first commercial OS that was completely internet ready complete with modem dialer as well as ethernet connection, was server and client in one, first to come with Java and JavaDK, first to support media streaming, came with REXX programming language included, and even version 2.1 had 20+ floppies worth of free upgrades over 20 times while Win 3x was on just 4, and while win98 was just mostly a graphics overhaul, Warp 3 provided over 24 complete system upgrades for free as part of the original cost which wasn't more than Windows initial cost, had LVM and simultaneous disk access when Win98 could only deal with one drive at a time, and much, much more.

IBM's fail was poor marketing. It was said that if IBM bought out a successful sushi business they would market it as "raw, dead fish" ;) Additionally they never committed to SOHO Desktop support and had no grasp of shiny graphics yet were humiliated when SOHO sales made Win95 a huge marketing success. Division among "the troops" and the resulting infighting doomed it before it even got past Warp 3. It was IBM's redheaded stepchild very early on. They blew it.

business_kid 10-31-2022 03:50 PM

I'm not unfamiliar with OS/2. It was the best OS that nobody wanted. Yeah, they did everything short of giving it away in breakfast cereals, but it never sold. What they might have done was buy bankrupt & startup software companies and set them writing software & games for it.

I once read someone's definition of an elephant as "A mouse built to Government specifications." IBM can't usually do simple elegance - the management will build the elephant instead of the mouse. In OS/2 they had simple elegance, and imho didn't know how to repurpose it once the PS/2 bombed. You've heard of people having 'the Midas touch.' IBM have "the Jonah touch." Mind you, they do good mainframes.


All times are GMT -5.