Secure Boot bootloader for distributions available now

[mjg59]

I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

This binary does not contain any built-in distribution certificates. It does contain a certificate that was generated at build time and used to sign MokManager - you'll need to accept my assurance that the private key was deleted immediately after the build was completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user.

A couple of final notes: As of 17:00 EST today, I am officially (rather than merely effectively) no longer employed by Red Hat, and this binary is being provided by me rather than them, so don't ask them questions about it. Special thanks to everyone at Suse who came up with the MOK concept and did most of the implementation work - without them, this would have been impossible. Thanks also to Peter Jones for his work on debugging and writing a signing tool, and everyone else at Red Hat who contributed valuable review feedback.

Comments

Non-secure boot fallback.

[jordanu [launchpad.net]]

What will the shim do if booted on a UEFI system with secure boot disabled?

Ideally I'd like to configure things so that if someone boots my media (Super GRUB2 Disk) without secure boot there is no user intervention required to get to SG2D, so I would like it to just load the grubx64.efi automatically in that case.

Re: Non-secure boot fallback.

[mjg59]

Signature validation gets disabled if secure boot is disabled.

[(Anonymous)]

Does this only work for Linux or will this work for FreeBSD as well?

[mjg59]

It'll boot grub (or any EFI application that happens to be called grubx64.efi...), so sure.

Would you mind doing a post on what you did to get a signed shim.

[(Anonymous)]

After the trouble the Linux Foundation has it would be interested it see the successful method. Particularly if it can be made done without using windows.

I don't mean to be mean but if someone does not trust you. Providing the process and list of costs say here you can do this yourself if you don't trust me.
.

Re: Would you mind doing a post on what you did to get a signed shim.

[mjg59]

Sure. I don't believe that it's possible without Windows for the final upload - it really needs Silverlight. Running IE under Wine may be sufficient, but I couldn't be bothered. Anyway.

1. Go to sysdev.microsoft.com and log in with a Live account.
   
2. Follow the link to the Verisign (now Symantec) page for creating a new company account. Ignore the use of the word company - you can do this as an individual.
   
3. Follow the instructions and purchase an individual key for code signing. You'll be emailed a form to attach a copy of your notarised ID to, so get that filled in and signed and send them back a copy by email.
   
4. Export the key from your browser as a .p12 file.
   
5. Go back to sysdev.microsoft.com and download the zip file containing winsign.exe. Use pesign or sbsign and the key you exported to sign this file, and then upload it to sysdev.microsoft.com to enable your account.
   
6. Sign the legal agreements - this just involves you typing your name into a box.
   
7. Put the file you want to get signed into a cab file. lcab will do this,
   
8. Sign the cab file with your Verisign key. osslsigncode will do this.
   
9. Upload the file to sysdev.microsoft.com. The uploader is Silverlight for no obviously good reason.
   
10. Wait for the upload to be processed. I think this happens a couple of times a week, so be prepared to wait a few days (I had to)
    
11. You'll get an email when signing is complete. Download the cab file and use cabextract to retrieve your signed binary.
    

Total cost is $99 plus however much it costs to get something notarised where you are.

thank you

[(Anonymous)]

Matt, thank you and everyone involved for having gone through the trouble for us too. Shame on Microsoft for "innovating" in making that trouble.

--
Michael Shigorin

Re: thank you

[(Anonymous)]

its been my pleasure

Microsoft signed? Is that "secure"?

[(Anonymous)]

If Microsoft signs it couldn't they als sign malware to be authentic? How is that secure? Ok, Microsoft wouldn't do something like doing bat things to comeptitor like linux but keys can get lost or a "admin" at Microsoft goes beserk.

Re: Microsoft signed? Is that "secure"?

[http://apebox.org/wordpress/]

They could accidentally sign malware as authentic, but there is support for blacklisting specific signed binaries to ban them from booting, and provision in the Secure Boot spec for distributing the blacklist updates via Windows Update (and other OSes may implement it too)

UEFI

[(Anonymous)]

Will this be in the SuSe distros?

Re: UEFI

[(Anonymous)]

SUSE will use the very same code - big thanks to Matthew for developing it. We won't be using the just released signed binary though, we prefer to do the signing process ourselves, if only to be able to produce updates easily when needed. --Vojtech Pavlik (@suse)

thank you

[(Anonymous)]

thank you.

Will MS revoke it?

[(Anonymous)]

More importantly, can they?

Re: Will MS revoke it?

[mjg59]

They can, but unless there's any security issues with it, I have no reason to think that they will.

ARM systems support?

[(Anonymous)]

This appears to be an x86 solution/work-around. What about ARM systems? Are you working on a version for that?

Re: ARM systems support?

[mjg59]

No, I'm not currently working on ARM. The technical side is easy (it basically just needs the relocation code to work for ARM as well), but it's not yet clear what the signing situation looks like there.

Good luck

[(Anonymous)]

I'm sure I speak for more than just me in wishing you all the best in your new endeavors! Keep on bloggin'!

-Rubberman

archival time

[retired_paranoid]

Since this might be subject to disappearing, do you have any objections to it being posted someplace else if it does "go away"?

Re: archival time

[mjg59]

Why might it go away? If there's a problem with it, it'll be revoked and it won't matter whether you have the binary. In any case, it's under a BSD license, so feel free to redistribute as you wish.

So Linux devs/users pay MS ...

[(Anonymous)]

Basically then Linux developers (and end-users who want to use their own Certificates) basically are blackmailed into paying Microsoft $99 to use their operating system of choice on hardware they purchased in a more secure manner.

Work-arounds are all well and good, and many large kudos for this one, but something is seriously wrong with this picture and needs a rather large complaint filed with the FTC.

Re: So Linux devs/users pay MS ...

[mjg59]

Only if you want to distribute to other people and don't want them to have to perform the certificate installation. Otherwise, you just use this and pay nothing.

How about doing this in reverse?

[(Anonymous)]

DoD or other major buyer wants a "computer" that can't boot insecurely, but the OS they are using isn't MS.

A defense contractor sells the DoD what amounts to a commodity Intel or AMD x64 computer that's locked down to only boot a specific, DoD-approved software stack - a stack that is NOT based on MS-Windows.

The DoD buys the computers but the project is eventually scrapped before full deployment.

To make these computers more attractive at auction, the DoD gets the defense contractor or the motherboard manufacturer to sign a version of Matthew's bootloader or something similar.

This bootloader can now be used to boot ... wait for it ... Windows. Or any other OS.

The DoD now gets "used computer" prices at auction instead of "scrap metal" prices.

Secure Boot bootloader for distributions available now

[(Anonymous)]

I have a better idea, don't purchase these systems until a more equitable solution is worked out. One that does not invest all the power in one company.

Wake up!

[(Anonymous)]

I've heard all the BS excuses. The issue is not about whether computing should move on from the older Bios technology to the "Secure Boot". The real issue is who is allowed to control this newer method.

The current situation is no different than allowing for instance Ford to have some sort of signing key that allows all car engines manufactured worldwide the ability to start. Believing that any single company should have this kind of power over its competitors is insane no matter whether the controlling company is Microsoft, RedHat, Oracle or whoever.

As was predicted before this whole mess started to come into effect there are already problems for users of alternative operating systems. Its only going to get worse from here on.

While its nice that you have come up with a work around, a work around is all it is and it can be made unusable at any point and my guess is that is exactly what will happen with your method and any other future method. Microsoft will interfere with anything that works. Bet on it.

No, the real solution is to remove Microsoft's ability to control this process and hand it over to an international unbiased standards body. If they do not do it willingly then legal action is required. NOTHING ELSE WILL WORK PERMANENTLY. No other solution will serve to address the freedom of consumers to use computers and operating systems as the consumer wishes.

WAKE UP!

Re: Wake up!

[(Anonymous)]

You are absolutely right.

The way around it is to not have dual boot with Windows. In fact, the problem is more severe. A hacker could lockup your computer bios code to the extent that it will not boot any software.

Therefore, as it is now, bios hardware will require a jumper to re-initialize the bios flash memory so that the bios software could be boot strapped.

If the bios has a bug, ask the question about how to get a bios update. Can this be done without changing signatures? The answer is NO.

Hardware vendors are the losers here. And perhaps we are lucky that MS is becoming insignificant as a desktop software provider. So, eventually, MS and it's dream of continuing for another few years as a predominant vendor is over. One will go to the Web for business software, games, and everything else. The Android tablet, or its successor (one from Linux with vendor neutrality will take over).

+1 @ Wake Up!

[(Anonymous)]

I agree playing follow-the-leader with M$ cannot end up being more pleasant than the leapfrog/unicorn game. Let's face it, M$ effectively owns the hardware companies. The Windows tax proves this. End of story barring legal action. When "Tiles 2.0" comes out and my neighbor must throw their Tiles 1.0 PC into the dumpster, I'll nab it and disable secure boot.

Re: +1 @ Wake Up!

[(Anonymous)]

Yeah, that's the ticket. Rummage around in the trash to dig out your neighbors forcibly obsoleted Windows 8 box. That will address the entire issue for sure......

That plays right into Microsoft's whole hope for this garbage. Slowly pressure Linux and it's users back into their definition of Linux as a "hobby OS" used by people too cheap to buy new computers and software.

Hope that works out for ya.....

BTW, clue to you. Microsoft does not own the hardware companies....but it would like to have that kind of control. Stevie B has nightly wet dreams in that direction.

Only real solution is legal action, not dumpster diving.

Pointers on signing

[(Anonymous)]

I'm trying to use this, but it's unclear to me precisely how to sign my .efi files. The source code includes a script to generate certificates, but it's not clear to me how to use them to sign binaries. Googling hasn't turned up much useful (it's mostly sites about setting up OpenSSL with Apache). Thanks for any pointers.

Re: Pointers on signing

[mjg59]

Use either pesign or sbsigntool - sbsigntool is probably easier, but pesign has more features.

Thanks

[(Anonymous)]

Thanks for taking the time to develop this. While I hope that my distributions of choice pick this up, but I'm not exactly excited to buy hardware with these restrictions.

How about a 32 bit system ?

[deckard026354]

Matthew great work.

Do you have a 32 bit UEFI binary ? I have a 32 bit UEFI system that is/will have secure boot on it and - thus would really like to ensure it works with shim before release.

Re: How about a 32 bit system ?

[mjg59]

There's currently no 32-bit support - it'd need relocation code adding, and I don't have a 32-bit environment to test that code.

Network (PXE) boot

[(Anonymous)]

How does this interact with PXE? If I set my machine to PXE boot (as most BIOSes do by default if there is no local media), what happens?

What about if I want to run from Read-only media, and do an unattended reboot?

Re: Network (PXE) boot

[mjg59]

shim should (in theory) retrieve the second stage bootloader from the network if it's pulled from the network itself. It'll work fine with read-only media, and you can reboot without manual intervention once the key is installed.

Where do I find mokManager.efi

[(Anonymous)]

I'm hoping this will help me get around an issue I'm dealing with on the ASUS S405C.

Re: Where do I find mokManager.efi

[mjg59]

It's in this archive, but it's useless unless you're using that copy of shim.

And how about grub-install generated .efi files?

[(Anonymous)]

Ok, this is for sure a great way to make live distro images boot.
But what about grub-install (grub-mkimage...) grubx64.efi files?
These files seem to contain information about where is the "root" (grub root) partition, in particular the variables "root" and "prefix" change from system to system.
So, if this file changes from system to system and is generated during the install process, how is one supposed to have it signed without disclosing the private key?

Re: And how about grub-install generated .efi files?

[mjg59]

If the end user's creating them, the end user can enrol their own key. If the distribution's creating them, just ship a pre-built one and over-ride root and prefix in the config file.

Signatures for the source/binary

[(Anonymous)]

Could you please sign the binaries/source with your gpg key?

Re: Signatures for the source/binary

[mjg59]

Sure, why not.

Surface

[https://www.google.com/accounts/o8/id?id=AItOawldvJA2LJPNJUjvgZGPdYsueUSDpvXfizQ]

Any chance we could get you to build this for an ARM target, for testing on the MS Surface and other UEFI tablets? Thanks.

Re: Surface

[mjg59]

I suspect Surface doesn't carry the third-party signing key. Doing an ARM build would involve writing the relocation code (it's not just a rebuild), so I'd like some verification that db contains the "Third Party Marketplace Root" key first.

Fabio

[(Anonymous)]

Matthew,
could you version shim-signed.tgz on the http server?

Thanks.

ReactOS support

[(Anonymous)]

Hi. Is ReactOS supported? https://reactos.org/

And Haiku OS? https://www.haiku-os.org/

If they are not supported, could anyone add support to boot them successfully in Secure Boot enabled machines?