[Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....

Rich Pieri richard.pieri at gmail.com
Fri Nov 2 15:26:31 EDT 2012


On Fri, 02 Nov 2012 10:17:21 -0400
Jerry Feldman <gaf at blu.org> wrote:

> The bottom line here is that UEFI will prevent some Linux users from
> installing Linux, especially in the near future. I suspect that all

No, it will not. Anyone who tells you otherwise is either lying or has
bought into the anti-Microsoft propaganda. There is no truth to the
claim that UEFI Secure Boot will lock users out of running the OS of
their choice.

If you buy x86 hardware with the Windows 8 sticker then it MUST be
possible to disable UEFI Secure Boot. Microsoft will not allow the
manufacturer to ship the hardware with Windows 8 otherwise. I keep
hearing about how manufacturers will "forget" to include the option.
No, they won't forget, or they'll correct it with a hotfix, because if
they forget and don't fix then Microsoft will pull their Windows 8
certifications and the OEMs don't get to ship Windows 8 until they
undergo the certification process again.

If you buy x86 hardware without the Windows 8 sticker then it won't
have UEFI Secure Boot enabled or it will be a switch for specific
operating systems that have signed boot loaders. In none of these cases
does UEFI Secure Boot prevent the installation and operation of the OS
of your choice.

In the case of ARM hardware that ships with Windows 8, which is Windows
Phone and Surface/RT, you can't run Linux on any of it anyway due to
lack of hardware support. UEFI Secure Boot has nothing to do with that.

> major distros will be able to install on a UEFI system with very
> little user interaction. However, we also need to gain some knowledge
> so that when we do encounter UEFI at installfests, we know what to do.

I am writing this right now on a Dell (Alienware) notebook running
Windows 7. The system firmware has UEFI Secure Boot which Windows 7
does not recognize. I use a Clonezilla live USB image to perform
backups with this firmware on the system. I sometimes try out new Linux
live CD spins on it. None of these recognize or support UEFI Secure
Boot and none of them are blocked by it. Why? Because it's turned off.

You shut it off in the EFI configuration screen. That's it. Press
whatever key sequence during POST, shuffle over to the appropriate
settings tab, and set it to "OFF". Save and reboot.

Do the same thing on servers -- although why you'd buy a server with
Windows 8 on it is beyond me. The Windows 8 trust chain runs from the
firmware all the way up through the kernel going multi-user (maybe
further; I'm not sure about that). Each step of the startup process
validates the signature on the next step before executing it. Linux has
no such trust chain so there's no point to having UEFI Secure Boot
enabled on Linux computers. Just turn it off.

In the oddball case where you need Secure Boot and you can't use one of
the Big Three-provided signed boot loaders then install your own
certificates in the UEFI protected storage and use that to sign your
otherwise standard boot loader. The example that I'm looking at
requires three commands with the Windows 8 SDK (because if you're even
looking at this option then you have Windows 8) to generate the
certificates and one to sign an EFI executable. Installing the certs
from the EFI shell is a simple process: Enroll KEK, Enroll PK. Copy the
self-signed EFI loader to the correct place and you're done.

-- 
Rich P.
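
Added example, not part of the original post: a check for the "it's turned off" case described above, which also reports whether the firmware is still in setup mode (no PK enrolled yet). It assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars; the function names and sample blobs are constructed for illustration.

```python
import struct
from pathlib import Path

# EFI global variable GUID defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point

def parse_efivar(blob):
    """efivarfs layout: 4-byte little-endian attributes, then the data."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]

def flag(blob):
    """One-byte value of SecureBoot or SetupMode, or None if absent."""
    if blob is None:
        return None
    _, data = parse_efivar(blob)
    if len(data) != 1:
        raise ValueError("expected a single data byte")
    return data[0]

def secure_boot_state(secure_boot, setup_mode):
    sb, sm = flag(secure_boot), flag(setup_mode)
    if sb is None:
        return "unsupported"  # legacy BIOS boot, or firmware without Secure Boot
    if sm == 1:
        return "setup-mode"   # no PK enrolled, so nothing is being enforced
    return "enabled" if sb == 1 else "disabled"

def read_var(name, root=EFIVARS):
    try:
        return (Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes()
    except FileNotFoundError:
        return None

def local_state(root=EFIVARS):
    return secure_boot_state(read_var("SecureBoot", root),
                             read_var("SetupMode", root))

# Constructed sample blobs: attributes 0x06 (boot-service + runtime access).
SAMPLE_ON = bytes([6, 0, 0, 0, 1])
SAMPLE_OFF = bytes([6, 0, 0, 0, 0])

if __name__ == "__main__":
    print(local_state())
```
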


