[personal profile] mjg59
I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

This binary does not contain any built-in distribution certificates. It does contain a certificate that was generated at build time and used to sign MokManager - you'll need to accept my assurance that the private key was deleted immediately after the build was completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user.

A couple of final notes: As of 17:00 EST today, I am officially (rather than merely effectively) no longer employed by Red Hat, and this binary is being provided by me rather than them, so don't ask them questions about it. Special thanks to everyone at Suse who came up with the MOK concept and did most of the implementation work - without them, this would have been impossible. Thanks also to Peter Jones for his work on debugging and writing a signing tool, and everyone else at Red Hat who contributed valuable review feedback.

Wake up!

Date: 2012-12-02 06:24 pm (UTC)
From: (Anonymous)
I've heard all the BS excuses. The issue is not about whether computing should move on from the older Bios technology to the "Secure Boot". The real issue is who is allowed to control this newer method.

The current situation is no different than allowing for instance Ford to have some sort of signing key that allows all car engines manufactured worldwide the ability to start. Believing that any single company should have this kind of power over its competitors is insane no matter whether the controlling company is Microsoft, RedHat, Oracle or whoever.

As was predicted before this whole mess started to come into effect there are already problems for users of alternative operating systems. Its only going to get worse from here on.

While its nice that you have come up with a work around, a work around is all it is and it can be made unusable at any point and my guess is that is exactly what will happen with your method and any other future method. Microsoft will interfere with anything that works. Bet on it.

No, the real solution is to remove Microsoft's ability to control this process and hand it over to an international unbiased standards body. If they do not do it willingly then legal action is required. NOTHING ELSE WILL WORK PERMANENTLY. No other solution will serve to address the freedom of consumers to use computers and operating systems as the consumer wishes.


Re: Wake up!

Date: 2012-12-30 02:56 pm (UTC)
From: (Anonymous)
You are absolutely right.

The way around it is to not have dual boot with Windows. In fact, the problem is more severe. A hacker could lockup your computer bios code to the extent that it will not boot any software.

Therefore, as it is now, bios hardware will require a jumper to re-initialize the bios flash memory so that the bios software could be boot strapped.

If the bios has a bug, ask the question about how to get a bios update. Can this be done without changing signatures? The answer is NO.

Hardware vendors are the losers here. And perhaps we are lucky that MS is becoming insignificant as a desktop software provider. So, eventually, MS and it's dream of continuing for another few years as a predominant vendor is over. One will go to the Web for business software, games, and everything else. The Android tablet, or its successor (one from Linux with vendor neutrality will take over).


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags