[personal profile] mjg59
Since there are probably going to be some questions about this in the near future:

The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.

This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by ever OEM.

There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.

It's probably not worth panicking yet. But it is worth being concerned.
Page 1 of 2 << [1] [2] >>

Just include the keys?

Date: 2011-09-20 07:51 pm (UTC)
From: (Anonymous)
Isn't the simplest, and most user friendly way, to just include the (Pkek) key, so the actual owner of the hardware can decide what to sign and trust themselves?

I wonder if that isn't just required by law in some countries if the user buys and owns the hardware.

Re: Just include the keys?

From: (Anonymous) - Date: 2011-09-20 08:09 pm (UTC) - Expand

Re: Just include the keys?

From: (Anonymous) - Date: 2011-09-21 03:48 am (UTC) - Expand

Re: Just include the keys?

From: (Anonymous) - Date: 2011-09-21 05:06 pm (UTC) - Expand

Doesn't this go against the MS recommendations?

From: (Anonymous) - Date: 2011-09-23 03:23 pm (UTC) - Expand

Blacklisting the Linux keys

Date: 2011-09-20 07:55 pm (UTC)
From: [identity profile] benanov.livejournal.com
I'm more concerned about the blacklist than I am the whitelist.

Re: Blacklisting the Linux keys

Date: 2011-09-22 12:44 am (UTC)
From: (Anonymous)
Why? You could just resign to evade a blacklist. A whitelist is much more serious in this case.

Re: Blacklisting the Linux keys

From: [identity profile] benanov.livejournal.com - Date: 2011-09-23 01:08 pm (UTC) - Expand

Re: Blacklisting the Linux keys

From: (Anonymous) - Date: 2011-09-24 12:25 am (UTC) - Expand

Buy Linux Machines

Date: 2011-09-20 09:41 pm (UTC)
From: (Anonymous)
All the more reason to stop buying Windows machines to load Linux onto them. Buy Linux machines from Linux hardware vendors.

Re: Buy Linux Machines

Date: 2011-09-20 11:22 pm (UTC)
From: (Anonymous)
We should make a list of Linux hardware vendors.

Re: Buy Linux Machines

From: (Anonymous) - Date: 2011-09-21 02:09 am (UTC) - Expand

Re: Buy Linux Machines

From: (Anonymous) - Date: 2012-02-16 02:35 pm (UTC) - Expand

Re: Buy Linux Machines

From: (Anonymous) - Date: 2011-09-21 01:23 pm (UTC) - Expand

Re: Buy Linux Machines

From: (Anonymous) - Date: 2011-09-21 04:22 pm (UTC) - Expand

Re: Buy Linux Machines

From: [identity profile] gonzalo-vc.myopenid.com - Date: 2011-09-22 02:01 am (UTC) - Expand

Hardware vendors

Date: 2011-09-20 09:58 pm (UTC)
From: (Anonymous)
I'm with you on the threat to Linux from UEFI firmware only accepting signed bootloaders, however this line is a bit of a leap for me:

"Microsoft requires that machines conforming to the Windows 8 logo program [...] ship with secure boot enabled"

So out of interest, how did you tie the Win 8 secure boot support/requirement to the logo program? Thanks.

Re: Hardware vendors

From: (Anonymous) - Date: 2011-09-22 11:11 pm (UTC) - Expand

Re: Hardware vendors

From: (Anonymous) - Date: 2011-09-21 09:34 pm (UTC) - Expand

not just Linux

Date: 2011-09-20 10:00 pm (UTC)
From: (Anonymous)
Why single out Linux? Secure boot will not let you load Windows 7 either.

There is an explicit provision for disabling secure boot in firmware, but it can't be automated, so as not to be exploited by malware.

Re: not just Linux

From: (Anonymous) - Date: 2011-09-20 10:44 pm (UTC) - Expand

Re: not just Linux

From: (Anonymous) - Date: 2011-09-20 10:59 pm (UTC) - Expand

Re: not just Linux

From: (Anonymous) - Date: 2011-09-21 03:36 am (UTC) - Expand

Re: not just Linux

From: (Anonymous) - Date: 2011-09-21 01:37 am (UTC) - Expand

Re: not just Linux

From: (Anonymous) - Date: 2011-09-21 02:29 pm (UTC) - Expand

Re: not just Linux

From: (Anonymous) - Date: 2011-09-21 07:54 pm (UTC) - Expand

Re: not just Linux

From: [personal profile] fxchip - Date: 2011-09-22 09:53 pm (UTC) - Expand

Re: not just Linux

From: (Anonymous) - Date: 2011-09-23 01:11 am (UTC) - Expand

GPLv3 and signing keys

Date: 2011-09-20 10:12 pm (UTC)
From: (Anonymous)
There is a lot of misunderstanding of the GPLv3 requirement for signing keys. The requirement that you provide "installation information" (which includes signing keys) applies to object code distributed for a "User Product" that is distributed AS PART OF a transaction in which the right of possession of the "User Product" changes hands.

A "User Product" is a tangible person property or goods designed for installation in a dwelling.

The gist of what GPLv3 is saying is that if you sell someone some hardware that includes GPLv3 firmware, you have to give them the keys to install new firmware of their choice.

Since Red Hat sells their software for use on other people's hardware, rather than selling their software bundled with hardware as part of the sale of that hardware, Red Hat can ship signed GPLv3 code without being obligated to provide the keys.

Re: GPLv3 and signing keys

From: (Anonymous) - Date: 2011-09-20 11:08 pm (UTC) - Expand

Re: GPLv3 and signing keys

From: (Anonymous) - Date: 2011-09-21 12:12 am (UTC) - Expand

Re: GPLv3 and signing keys

From: (Anonymous) - Date: 2011-09-24 04:36 am (UTC) - Expand

Re: GPLv3 and signing keys

From: [personal profile] cjwatson - Date: 2011-09-22 11:25 pm (UTC) - Expand

No OEM will sign GRUB and/or Linux

Date: 2011-09-20 11:28 pm (UTC)
From: [identity profile] koterpillar.myopenid.com
No sensible one, at least. The original purpose of this is preventing boot mode rootkits... and at least GRUB lets malware writers to boot whatever they want, essentially bypassing the protection. I would assume booting Linux with a crafted userspace will let the malware do its tricks too.

Re: No OEM will sign GRUB and/or Linux

Date: 2011-09-21 03:50 pm (UTC)
From: (Anonymous)
Oh yeah? And how many GRUB viruses are in the wild exactly?

Is it just me?

Date: 2011-09-21 12:01 am (UTC)
From: [identity profile] https://me.yahoo.com/a/89qTkqIEmdbNn8jxOaKhYrHQIRvOCDsZ7BbB#82a37
or it looks very like the system in place for dvd and bluray (which proved to be ineffective)?

I haven't checked the specs but if it is just an exchange of keys, it is just a matter of time before the keys are found (because people would have access to both firmware and OS), isn't it?

And what about new OS/driver versions? One machine = One OS, for life?

Re: Is it just me?

Date: 2011-09-21 01:51 pm (UTC)
From: (Anonymous)
I disagree. They depend on different cryptographic primitives.

Video discs hold encrypted content. In order to be useful to the end-user, the decryption key needs to be available somehow to the disc player. Skimming over a few levels of complexity, it is that decryption key (or the means to it) that was uncovered in DVDs and Bluray discs.

In this case, the system's security is based on signatures, not encryption. It uses asymmetric keys, not symmetric. The public key is released as part of the certificate, but the private key is not needed for end-user functionality. It is only needed to create the signatures, not check them for validity. As long as the vendor keeps the private key secure, it's foolproof, as it is mathematically impractical to forge a signature through brute force with typical key lengths.

In practice, companies fail in security all the time. Witness Diginotar. They essentially had their private key stolen due to their horrendous security practices. If BIOS vendors become the primary gatekeeper for preventing Linux from running on certain machines, they can expect to be the primary targets for black-hats looking for those private keys.

Remember Palladium? Then NGSCB and Trusted Computing? Microsoft has been trying to solve this "problem" for many years. Through TPMs and Intel's TXT, it is finally becoming a reality for them. That it makes loading Linux difficult is just a beneficial side effect for them.

Re: Is it just me?

From: (Anonymous) - Date: 2011-09-28 05:48 am (UTC) - Expand

Re: Is it just me?

From: (Anonymous) - Date: 2011-10-05 08:17 pm (UTC) - Expand

Re: Is it just me?

From: (Anonymous) - Date: 2012-02-16 02:44 pm (UTC) - Expand

GPLv3

Date: 2011-09-21 01:08 am (UTC)
From: [identity profile] dlitz.net

Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys.

No, it says this:

“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source

It would suffice to provide instructions that say, "install a signed version of grub, and use that to add your own keys to the whitelist".

Well thats it for the current OEM status quo

Date: 2011-09-21 04:44 am (UTC)
From: (Anonymous)
Any OEM manufacturer who tries to enforce this without a hackaround will go out of business. Overnight.

Re: Well thats it for the current OEM status quo

Date: 2011-09-21 08:09 am (UTC)
reddragdiva: (Default)
From: [personal profile] reddragdiva
I'm thinking businesses who are still on XP. They might go for Windows 7, in a pinch. But turning their Outlook and Excel machine into a phone? I don't think they'll like that idea much.

Consumer PCs are, of course, likely fucked.

Re: Well thats it for the current OEM status quo

From: (Anonymous) - Date: 2011-09-21 05:17 pm (UTC) - Expand

Re: Well thats it for the current OEM status quo

From: (Anonymous) - Date: 2011-09-25 07:41 pm (UTC) - Expand

Will violate European antitrust law

Date: 2011-09-21 06:26 am (UTC)
From: (Anonymous)
European law forbids firms from using a dominant position in one market to gain one in another. For Microsoft to extend its operating system monopoly to hardware is squarely in the frame, and if the OEMs help it they will be acting as a cartel:

http://www.lightbluetouchpaper.org/2011/09/20/trusted-computing-2-0/

We beat this seven years ago with the campaign against Trusted Computing, in which the European Commission and the German government played important roles

Re: Will violate European antitrust law

Date: 2011-09-21 08:07 am (UTC)
reddragdiva: (Default)
From: [personal profile] reddragdiva
Can something be done about it in time, though? There's what the law seems to say, and then there's the quite separate problem of actually achieving action on it.

Kernel itself is part of the bootloader?

Date: 2011-09-21 06:45 am (UTC)
From: (Anonymous)
"in the near future the design of the kernel will mean that the kernel itself is part of the bootloader."

Can you please clarify what this means?

Re: Kernel itself is part of the bootloader?

Date: 2011-09-21 07:38 am (UTC)
From: (Anonymous)
https://lwn.net/Articles/458789/ has some ideas around that, specifically:

Harald had a proposal for improving the situation: rather than add complexity to boot loaders in an attempt to keep up with the kernel, why not just boot a simple generic Linux kernel and let it deal with the rest? His idea is to create a /firstboot directory with a simple filesystem and populate it with a single Linux kernel and an initramfs image whose sole purpose is to find the real kernel and boot that. This kernel will naturally understand Linux filesystems, and it will support a user space with enough power to run whatever scripts are needed to find other bootable images on the system. Meanwhile, the initial boot loader can be made to be as simple as possible and distributions can stop messing with the MBR.

Re: Kernel itself is part of the bootloader?

From: (Anonymous) - Date: 2011-09-21 08:21 am (UTC) - Expand

Re: Kernel itself is part of the bootloader?

From: (Anonymous) - Date: 2011-09-21 01:08 pm (UTC) - Expand

Re: Kernel itself is part of the bootloader?

From: (Anonymous) - Date: 2011-09-21 09:50 am (UTC) - Expand

Re: Kernel itself is part of the bootloader?

From: (Anonymous) - Date: 2011-09-21 03:41 pm (UTC) - Expand

GNU ROOT CA

Date: 2011-09-21 08:32 am (UTC)
From: (Anonymous)
Time for the open source community to register as a root CA :)

Think about the bullshit involved in having to get your distro key signed ;)

Network boot?

Date: 2011-09-21 08:33 am (UTC)
From: (Anonymous)
I might be missing a trick here, but what's happening with the likes of PXE? I'm guessing that would get tied in as well?

Presumably the net boot system would have to be signed if it were present, and then I'm guessing that anything downloaded would need to be signed as well?

Lilo?

Date: 2011-09-21 08:55 am (UTC)
From: (Anonymous)
As Lilo is BSD licensed rather than GPL, would it be possible to have a suitably signed version of that bootloader rather than using Grub?

Re: Lilo?

Date: 2011-09-21 11:17 am (UTC)
From: (Anonymous)
I'd prefer if we pummel the UEFI consortium and MS back in their cages and just kill this illegal Windows tying scheme dead before it hurts anyone.

"We" killed the Intel Processor Serial Number. "We" killed Palladium. "We" killed Trusted Computing. I'm sure "we" can kill this harebrained scheme too.

No need for contorted workarounds.

r_a_trip

Re: Lilo?

From: (Anonymous) - Date: 2011-09-21 02:36 pm (UTC) - Expand

Not a bad idea

From: (Anonymous) - Date: 2011-09-22 04:05 pm (UTC) - Expand

Hardware inside the EFI environment

Date: 2011-09-21 10:12 am (UTC)
From: (Anonymous)
Could someone tell me what that means?

"A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware."

If the right key is not found in the firmware, the hardware will not run at all, or will run in some limited funcionality?

Re: Hardware inside the EFI environment

Date: 2011-09-21 10:18 am (UTC)
From: (Anonymous)
I guess it means that the hardware will be unusable *in UEFI*. Most operating system do not use UEFI call for general hardware use, just as they do not use BIOS calls either. DOS uses BIOS calls, Linux does not.

Date: 2011-09-21 11:17 am (UTC)
From: [identity profile] pjc50.livejournal.com
Isn't this just the status quo on phone/tablet devices? Windows 8 is basicaly a phone/tablet OS targeted at that market. Undoubtably some of the devices will have screens and keyboards and look like desktop PCs, but will have finally abandoned the PC boot heritage. As on the mobile devices, you'll have to wait until the jailbreak becomes widely available and use that.

Don't forget that signed malware is not impossible (qv the DigiNotar CA compromise recently). It'll be entertaining once the signed malware gets in and blacklists the official Windows keys while whitelisting its own, resulting in a system where you can't remove the virus .. unless you re-jailbreak it.

Date: 2011-09-21 11:35 am (UTC)
From: [identity profile] ajaxxx.livejournal.com
Isn't this just the status quo on phone/tablet devices?

Why do you think that makes it acceptable?

(no subject)

From: (Anonymous) - Date: 2011-09-21 03:57 pm (UTC) - Expand

Date: 2011-09-21 02:13 pm (UTC)
From: (Anonymous)
I agree, much of the problem will be that future platforms will require a key pre-loaded before you can install a new OS or boot-loader.



Shouldn't we be getting concerned about the root signing authority? I would be very surprised if getting a key isn't restricted to either just M$ or open to anyone who will pay $MuchoDosh. In either case this new authority is what we have to work around...

linuxbios

Date: 2011-09-21 02:44 pm (UTC)
From: (Anonymous)
Just wondering if funding or growing the linuxbios project would be a nice in. As long as a machine can have the firmware swapped out, could it not be the advantage on future hardware?

BIOS setup save the day!

Date: 2011-09-21 03:13 pm (UTC)
From: (Anonymous)
What about going to BIOS setup and disable Secure Boot feature and install whatever you like?
Market will decide if PC sold without this BIOS feature will be well accepted by customers...
Stefano
stefano@righis.com

Re: BIOS setup save the day!

Date: 2011-09-21 05:42 pm (UTC)
From: (Anonymous)
Having to disable a scary BIOS option that says "Don't disable this for security reasons." in the on-screen help, is likely to dissuade many users from trying out Linux via a LiveCD. The failed Windows 8 boot when they stop trying out the LiveCD and reboot without resetting the flag may also persuade them that Linux broke their computer.

Assuming the BIOS permits the option - as mentioned elsewhere, remove the feature, and that's one less thing you have to debug on your budget PC, one less thing you have to provide support for - there will be a whole new class of boot failures when Windows 8 users flip the option for whatever reason.

Even those of us who are tech-savvy are going to get *really* annoyed flipping the state every time they switch OS. I do as much work as possible in Linux but alas, my employer requires that I boot Windows fairly regularly, just to get a DHCP lease for my hardware. I also like to play games, and faffing about with Wine is not what I would call conducive to leisure. New games will probably start requiring secure boot anyway so you can't cheat.

The shame of it is, the feature has a legitimate use, and is probably a good thing for Windows users, who let's face it, need more security.

The only acceptable implementation would be one which permitted you to add keys to the keystore at boot time, in the BIOS setup, via entry of a checksum-verified key block. Then you don't need to buy a "blessed" proprietary OS just to add keys. Alas, this would be an even more serious deterrent to any casual use of Linux on a given piece of hardware.

So all in all, I wouldn't prohibit this feature - that would seem to be against the Free Software ethos, after all. And it's going to be good for Windows users. But I would mandate that any implementation also provides...


  • Ability to add signing keys to the keystore via BIOS setup


    • Although it's obviously better to get an OSS friendly key in there from the get-go, so the common distros can get their bootloaders signed.


  • The ability to disable secure boot with one key at boot time


    • Perhaps with the ability to choose to boot a given volume in non-secure mode, from the usual BIOS boot
      choice menu.


    Re: BIOS setup save the day!

    From: [identity profile] grvrulz.wordpress.com - Date: 2011-09-21 06:50 pm (UTC) - Expand

    Re: BIOS setup save the day!

    From: (Anonymous) - Date: 2011-09-22 04:39 pm (UTC) - Expand

    Re: BIOS setup save the day!

    From: (Anonymous) - Date: 2011-10-28 08:11 pm (UTC) - Expand

    Date: 2011-09-21 06:06 pm (UTC)
    From: [identity profile] dgh.livejournal.com
    It seems possible that we'll see a compromise that involves being able to disable UEFI Secure Boot in exchange for not being able to boot Windows. I.e. UEFI will have some flag that Windows can access to check whether the boot was secure or not.

    (no subject)

    From: (Anonymous) - Date: 2011-09-21 08:01 pm (UTC) - Expand

    Linux in the Bootloader

    Date: 2011-09-21 06:11 pm (UTC)
    From: (Anonymous)
    "Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader"

    I tried googling this to no avail. Could you cite a source for this? That sounds like an excellent way to accelerate the boot process, but I don't believe I've heard any mention of that before.

    Date: 2011-09-21 08:04 pm (UTC)
    From: (Anonymous)
    Red Hat, Novell and Canonical are all members of the UEFI Forum, so they're aware of secure boot too.

    Why swim upstream?

    Date: 2011-09-21 11:31 pm (UTC)
    From: (Anonymous)
    Why fight it? Having a secure chain of trust as part of the boot system should be a security feature we embrace! We should add this feature to Linux faster than MS can ship Windows 8!

    You mean the whole open source world can't work out the logistics, code, and policy to make this happen?

    Re: Why swim upstream?

    From: (Anonymous) - Date: 2011-09-22 07:00 pm (UTC) - Expand

    Re: Why swim upstream?

    From: [personal profile] cjwatson - Date: 2011-09-22 11:21 pm (UTC) - Expand
    From: (Anonymous)
    Doesn't a lot of this depend on the device you are taling about? How is this different from an Android phone (or tablet) today that has a locked boot loader? It is a part of the "package" that is sold. Clearly, a "desktop" machine should have the ability to load (i.e. disable the security of the UEFI check) other OS's - just as SOME (but not all) android phones are able to be unlocked so we can load things like CyanogenMod, etc.

    BUT, there are other types of devices that are NOT going to be "open", and a MFG doesn't have the moral or legal imperative to make a device OPEN if they choose not to. YES - that will be a deciding factor for MANY, just as the choice to buy an Android over an iPhone is a choice some of us make in order to get the freedom we desire.

    BUT, I agree with the last statement - DON'T PANIC...We (collectively) are smart enough to find a way to work through this, and WIN8 is at least 12 Months away (maybe more).
    From: (Anonymous)
    One way outo to this is let this lock wors only in ARM systems

    Cause, how to develop applications this way? only throught MS Visual Studio ?
    Page 1 of 2 << [1] [2] >>

    Profile

    Matthew Garrett

    About Matthew

    Power management, mobile and firmware developer on Linux. Security developer at Nebula. Member of the Linux Foundation Technical Advisory Board. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

    Expand Cut Tags

    No cut tags