UEFI secure booting
Sep. 20th, 2011 02:01 pm
Since there are probably going to be some questions about this in the near future:
The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.
There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.
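The whitelist, blacklist and Pkek rules described above, modelled as an added example (not code from this post or from any firmware). It assumes toy textbook RSA over fixed Mersenne primes in place of real signatures; the names `Firmware`, `may_load`, `update` and the update-request format are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key
def toy_keypair(p, q):  # textbook RSA from known primes: illustration only, not secure
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, keypair):
    return pow(digest(data, keypair[0]), keypair[1], keypair[0])

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def update_request(list_name, key):
    return f"{list_name}:{key}".encode()  # constructed message format

class Firmware:
    def __init__(self, pkek, whitelist):
        self.pkek = pkek                 # public key that may authorise list updates
        self.whitelist = set(whitelist)  # public keys whose signatures are accepted
        self.blacklist = set()

    def may_load(self, image, sig):  # a blacklisted signer is refused even if whitelisted
        signed_by = lambda keys: any(verify(image, sig, n) for n in keys)
        return not signed_by(self.blacklist) and signed_by(self.whitelist)

    def update(self, list_name, key, sig):
        """Add key to a list only when the request is signed with the Pkek."""
        ok = list_name in ("whitelist", "blacklist") and verify(
            update_request(list_name, key), sig, self.pkek)
        if ok:
            getattr(self, list_name).add(key)
        return ok

def demo():
    primes = [2**k - 1 for k in (61, 89, 107, 127, 521, 607)]  # Mersenne primes
    oem, pkek, distro = (toy_keypair(*primes[i:i + 2]) for i in (0, 2, 4))
    fw = Firmware(pkek[0], [oem[0]])
    image = b"constructed generic Linux bootloader"
    sig = sign(image, distro)
    req = lambda name: update_request(name, distro[0])
    return [
        fw.may_load(image, sig),                                         # signer not installed
        fw.update("whitelist", distro[0], sign(req("whitelist"), distro)),  # not signed by Pkek
        fw.update("whitelist", distro[0], sign(req("whitelist"), pkek)),    # Pkek holder adds key
        fw.may_load(image, sig),                                         # now accepted
        fw.update("blacklist", distro[0], sign(req("blacklist"), pkek)),    # Pkek holder revokes
        fw.may_load(image, sig),                                         # blacklist wins
    ]

if __name__ == "__main__":
    print(demo())
```

The second result is the case the post worries about: holding your own signing key is not enough, because only a Pkek holder can get it onto the whitelist.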
This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.
Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.
A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.
Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.
There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.
It's probably not worth panicking yet. But it is worth being concerned.
I already hate windows 8 :-P
Date: 2011-09-22 01:57 am (UTC)
So, what are the rest of you waiting to start using Linux 100% of the time!?
Re: I already hate windows 8 :-P
Date: 2011-10-28 08:16 pm (UTC)
For Linux to do what I want 100% of the time. Windows currently does this. Please give me a more compelling reason to switch OS other than the fact you hate Microsoft.
I call double FUD here.
Date: 2011-09-22 10:44 am (UTC)
When you enable a TPM for the first time, it starts off entirely keyless. An operating system must initialize & seize ownership over the TPM and start generating a chain of trusts. After this, the OS itself places keys inside the TPM. To date, these are private keys generated by your operating systems, though perhaps the calculations are offloaded to the TPM. Absolutely nothing will prevent you from rearming the TPM, dumping the keys it knows, installing a new OS, and mounting new keys generated by that OS.
“Secure boot” as it is in Windows Vista and 7, is the TPM chip examining specific pieces of data about the operating system’s last known trusted hardware state, and a copy of the decryption key for the OS volume. The TPM can be configured in a wide variety of ways through the operating system to monitor for changes, and can also be configured to ignore any change you feel doesn’t matter. Has your computer’s intrusion detection been triggered? Yes=Block Key Release / No Secure OS Boot. Has your computer’s firmware configuration or version changed? Yes=Block Key Release / No Secure OS Boot. Was the OS kernel changed without informing the TPM first? Yes=Block Key Release / No Secure OS Boot. Etc.
No Secure OS Boot means that the encrypted, protected OS partition cannot be decrypted without a recovery key, because the rest of the hardware can no longer prove it is in a known valid trusted state. This means the TPM will refuse to divulge the keys required to decrypt the secure OS partition. Any other OS that does not require the TPM to unleash its decryption keys will still boot just fine. However, those unknown unprotected operating systems will not be able to access the encrypted volume without the recovery key and password, which are both required to tell the Secure OS to accept hardware level / MBR level changes as valid.
The fact is, *you*, if you are the owner of the computer in question, *want* your operating system to check for these changes, because it will protect your data from offline attacks. If anything, the only piece of information I may have been able to decipher here is that perhaps the TPM 2.0 supports more than one secure OS environment being initialized at the same time, and that there are going to be a bunch of new PCR validation options that end-users can choose to enable to form a stronger requirement before the TPM trusts the hardware enough to release decryption keys.
So far as I’m concerned, the folks who don’t want an OS/TPM checking for these changes either don’t know what they are on about, or are possibly the enemy an end user should be protecting themselves from.
Re: I call double FUD here.
Date: 2011-09-22 11:04 am (UTC)
The only real flaw with TPM right now is how non-obvious it can be to determine what exactly caused the TPM to fail. It’s not in your face once you boot with a recovery key, so it can be difficult to know if it was a false positive without a lot of hunting.
If you know you didn't cause your TPM to fail, it then becomes likely that either an attack against you has been successful, or you've had a hardware/software failure.
Re: I call double FUD here.
From: (Anonymous) - Date: 2011-09-22 11:07 am (UTC)
Re: I call double FUD here.
Date: 2011-09-22 11:35 am (UTC)
Antitrust?
Date: 2011-09-22 11:29 am (UTC)
dual booting Jolicloud
Date: 2011-09-22 04:24 pm (UTC)
http://blogs.msdn.com/b/b8/archive/2011/0
Re: dual booting Jolicloud
Date: 2011-09-22 04:32 pm (UTC)
Re: dual booting Jolicloud
From: (Anonymous) - Date: 2011-09-24 12:47 am (UTC)
What about removable media boot?
Date: 2011-09-22 04:39 pm (UTC)
Re: What about removable media boot?
Date: 2011-09-22 04:40 pm (UTC)
no subject
Date: 2011-09-22 07:55 pm (UTC)
no subject
Date: 2011-09-27 06:07 am (UTC)
I then will either buy a business-line system or a system without Windows. If Windows does not start with this feature enabled I will definitely and permanently switch to FreeBSD, Linux, ReactOS and/or Haiku.
flash the bios
Date: 2011-09-23 04:08 am (UTC)
Re: flash the bios
Date: 2011-09-23 06:37 am (UTC)
PROMOTING E-WASTE
Date: 2011-09-23 09:39 pm (UTC)
Think of all the computers that shipped with Windows 2000, 98SE, or ME on them. If they all used secure boot how many of them would still be useful now that Microsoft no longer has a working solution for those machines? But because other OS solutions were not locked out, we have been able to create open source solutions like Replacement for Windows (R4W) specifically to fill that void and keep these still useful machines from becoming e-waste at a point in time when we don't have a very good track record of responsible disposal.
References:
- CBS News: http://www.cbsnews.com/video/watch/?id=4
- R4W : http://webpath.net/it/r4w/
What about VM?
Date: 2011-09-24 08:37 am (UTC)
So how would one be able to install Win8 for testing purposes on a virtual machine/cloud instance?
Re: What about VM?
Date: 2011-09-24 02:01 pm (UTC)
Surprised
Date: 2011-09-24 01:20 pm (UTC)
no subject
Date: 2011-09-25 11:34 am (UTC)
Why didn't Linux get into the UEFI forum before now? Here's a statement of intent from 2005 http://www.uefi.org/news/UEFI_PR1.0.pdf - this isn't something which should be a surprise to OS developers.
Encryption and Export Law
Date: 2011-09-26 11:40 am (UTC)
China and there are laws regarding encryption,
If Microsoft forces this, PC vendors are going to have
a lot of headaches just trying to import or export a PC
to certain countries.
I'm a Linux user, and as for Microsoft Windows (lousy Windows): F*** it!
I can hardly believe how many stupid things Microsoft (crap soft) does.
And I don't know why idiotic hardware manufacturers agree to restrict their products to be used 'only' with the Windows logo junk.
I know this has to do with money..... but wouldn't the manufacturers profit more if their products were 'free to use'? Yes! They would certainly sell more hardware!
The only thing I support about Microsoft is the X-BOX 360.
'That is only because the X-BOX 360 uses AMD hardware in its console!'
EULA
Date: 2011-10-02 07:16 am (UTC)
There are many people who build their own desktop and install Linux in them. It's too bad if the main components will need Windows to boot.
Will M$ be able to convince US courts and authorities that this is for economical (virus spread) and employment (safeguard people jobs due to windows piracy) reasons?
UEFI
Date: 2011-10-05 11:57 am (UTC)
i fear problems with the new boot
Date: 2011-10-21 03:39 am (UTC)
I don't want a pretty boot - I want a boot that works when the mouse/video card driver/network driver/whatever is not working right. This means a low-tech, basic boot that does not use any of the advanced/pretty capabilities that might not be working at all. I don't want seamless and pretty logo - I want the ugly DOS type messages that give me a chance to figure out what went wrong. This new boot system is very pretty and very nice to use on the rare occasions when I am booting a perfectly functional PC, say when I turned it off because I was away for several days. Otherwise, I am really afraid that it will fail just when I need it.
Microsoft BUILD conference
Date: 2011-10-24 07:14 am (UTC)
http://www.windows8update.com/category/m
Microsoft BUILD Conference Pictures and information
http://www.windows8update.com/category/m
UEFI can be bypassed
Date: 2011-11-02 10:01 pm (UTC)
So to install GNU/Linux in worst scenario you will need:
1. Create an iso which is signed (add Pkek for the iso) burn it.
2. Boot from that CD
3. Install GNU/Linux
4. Boot windows
5. Add Pkek and Create binary patch for bootloader with this Pkek
6. Patch bootloader
7. Boot GNU/Linux from patched bootloader
8. Delete Windows
9. Be Free
And also bootloader can have hardcoded standard Pkek (something like 00000000000, if allowed) and only run from windows simple program that will add this to whitelist so Grub can run.
Re: UEFI can be bypassed
Date: 2011-11-03 03:30 pm (UTC)
Re: UEFI can be bypassed
Enterprise Users and Win 7
Date: 2012-01-15 04:15 pm (UTC)
They want a war, we got a war!
Date: 2012-06-01 11:49 pm (UTC)
Locked bootloader????
PC??????
What the F***'in BULLS**T
Just like Apple and idevices and Motorola locking their bootloader
All of the hackers out there! keep them old computers
All the people who can probably fake sign the certificate, be prepared!
We are going to bypass this once and for all!
If this is going to happen, ...
F*** You Microsoft!!!!!!!!!!
Think you are all bad with your rich, snotty, bratty, greedy self!??
Haogh? Haogh? Haogh?
Well prepare for war!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Any One who wants to join me email me at:
tcf38012@gmail.com
We will call ourselves the TFG - The Tech Freedom Group
~ TCF38012
http://www.geekpayload.in/
Update: They want a war, we got a war!
Date: 2012-06-02 12:06 am (UTC)
Golly Dang, How many requirements are you expecting?
But there are some awesome ones that make me want to buy it, like GPS
But anyways, Still mad about the secure booting process
One more requirement that can stop this war, a switch of the booting process!
Secure Booting on or off
Update - No War: They want a war, we got a war!
Date: 2012-06-02 12:21 am (UTC)
So There has to be a switch.
If it comes out with a switch, then Microsoft, I am sorry about what I said.
@mjg59 Suggestion: Calm Your Guests down by updating this article.
UEFI may not be secure.
Date: 2012-06-16 06:12 pm (UTC)
This level of communications is what virus writers have been waiting for. The BIOS can now be exploited. Virus could be loaded on your Video card or any hardware with firmware. Your CPU microcode could become corrupted forcing you to shell out $100 to $3000 depending on what type of cpu you use.
If you want to trust your computer to Microsoft and the creators of UEFI go ahead.. However I advise you keep enough money around to replace your whole computer.