[personal profile] mjg59
I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

This binary does not contain any built-in distribution certificates. It does contain a certificate that was generated at build time and used to sign MokManager - you'll need to accept my assurance that the private key was deleted immediately after the build was completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user.

A couple of final notes: As of 17:00 EST today, I am officially (rather than merely effectively) no longer employed by Red Hat, and this binary is being provided by me rather than them, so don't ask them questions about it. Special thanks to everyone at Suse who came up with the MOK concept and did most of the implementation work - without them, this would have been impossible. Thanks also to Peter Jones for his work on debugging and writing a signing tool, and everyone else at Red Hat who contributed valuable review feedback.

Re: ARM systems support?

Date: 2012-12-01 07:03 pm (UTC)
From: (Anonymous)
> What about ARM systems?
ARMs all have very different ideas on how this thing implemented. Many ARMs do not implement this "feature" at all. Some do implement it but can leave it inactive, depending on eFuse state in CPU itself. Some are restricted/locked though. Most notably some smart phones, etc. Especially those locked to particular operator and so on. In fact secure-boot-like techniques were here for an ages in ARMs and appeared much earlier to protect operator locks and other restrictions. Ages ago before UEFI made it to PC. Though this curtain rather uplifts these days when Linux-based things got popular and users started to demand root rights and unlocked bootloaders by writting petitions and so on.

This far you can expect most restricted devices to come from apple (I doubt they will allow you to boot your own code without hacks, ever) and MS (who wants to be like an apple). For other devices your mileage may vary. Yes, we have to be a little picky in choosing devices. iDevices from apple are clearly not our friend - they targetnig careless iDiots who could be easily fooled into locked-down trap. Whole device design serves to taking away user's freedom. So device does not serves user. It serves apple and their needs. As simple as that. In fact such devices are just trojan horses on their own. Yet not each and every human being can recognize that.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags