Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Disabling UEFI and dual booting Linux and Windows

State of Secure Boot detailed

  Red Hat and Fedora developer Matthew Garrett has detailed the "range
  of subtle changes" that have taken place since he began working on
  Secure Boot support. In a blog posting, Garrett gives an overview of
  the current implementation. He explains that the current approach, a
  shim bootloader, "cunningly called 'Shim'", contains a public key
  under their own control and is signed by Microsoft. The shim will only
  boot binaries signed with the public key and allows the developers to
  build and sign all other binaries themselves without going back to
  Microsoft to get bootloaders or other components signed.

  Garret points out that a locked-down boot environment and signed
  kernel do block modified bootloaders and booting attack code, but do
  nothing if, for example, an attacker uses a booted kernel to launch
  another kernel. To ensure that doesn't happen, direct hardware access
  from userspace is blocked and must go through kernel modules which
  have been signed by a key the kernel trusts.
  To assist other distributions, the shim will also notice if the second
  stage bootloader is signed with a key it doesn't recognise. If it is,
  users will have the option of enrolling a new key from install media
  and having it added to a trusted key list. There is also, now, the
  capability to deactivate signature validation in the shim so
  developers need not sign kernels they are developing; it requires a
  reboot and a user generated password to be activated.

Delays beset the Linux Foundation's Secure Boot workaround

  On Tuesday...James Bottomley, chair of the Linux Foundation's
  Technical Advisory Board, admitted that the effort was not progressing
  as quickly and smoothly as had been originally hoped.

  "We have the code for the Linux Foundation pre-bootloader in place,"
  Bottomley wrote in a blog post. "However, there was a delay while we
  got access to the Microsoft signing system.

  "I'm still not sure what the actual problem is, but ... I suspect that
  the binary is signed with a generic Microsoft key instead of a
  specific (and revocable) key tied to the Linux Foundation," Bottomley

Linux Foundation support for booting Linux on Windows 8 PCs delayed

  The plan was, as James Bottomley, Parallels' CTO of server
  virtualization and well-known Linux Kernel maintainer, explained on
  October 10th, 2012, to "obtain a Microsoft Key and sign a small
  pre-bootloader which will, in turn, chain load (without any form of
  signature check) a predesignated boot loader which will, in turn, boot
  Linux (or any other operating system)."

  This "pre-bootloader employ a 'present user' test to ensure that it
  cannot be used as a vector for any type of UEFI malware to target
  secure systems.
  Bottomley...told me "We're all done and dusted with the signed
  contract with Microsoft and the binary ready to release.  However,
  I've been having bizarre experiences with the Microsoft sysdev

  Specifically, "The first time I sent the loader through, it got stuck
  (it still is, actually). So I sent another one through after a week or
  so. That actually produced a download, which I've verified is signed
  (by the MS UEFI key) and works, but now the Microsoft sysdev people
  claim it was "improperly" signed and we have to wait for them to sort
  it out. I've pulled the binary apart, and I think the problem is that
  it's not signed with a LF [Linux Foundation] specific key, it's signed
  by a generic one rooted in the UEFI key."

I see the value in having signed boot loaders, but it seems rather
problematic that Microsoft has assumed the role of keymaster over the
keys that get installed into hardware manufactured by third parties, and
acting as a gateway to its operating system competitors. It seems
inevitable that if they don't hand over that responsibility to an
independent third party, they'll likely be facing another FTC lawsuit.


Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile:

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /