[personal profile] mjg59
I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

This binary does not contain any built-in distribution certificates. It does contain a certificate that was generated at build time and used to sign MokManager - you'll need to accept my assurance that the private key was deleted immediately after the build was completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user.

A couple of final notes: As of 17:00 EST today, I am officially (rather than merely effectively) no longer employed by Red Hat, and this binary is being provided by me rather than them, so don't ask them questions about it. Special thanks to everyone at Suse who came up with the MOK concept and did most of the implementation work - without them, this would have been impossible. Thanks also to Peter Jones for his work on debugging and writing a signing tool, and everyone else at Red Hat who contributed valuable review feedback.

+1 @ Wake Up!

Date: 2012-12-02 06:49 pm (UTC)
From: (Anonymous)
I agree playing follow-the-leader with M$ cannot end up being more pleasant than the leapfrog/unicorn game. Let's face it, M$ effectively owns the hardware companies. The Windows tax proves this. End of story barring legal action. When "Tiles 2.0" comes out and my neighbor must throw their Tiles 1.0 PC into the dumpster, I'll nab it and disable secure boot.

Re: +1 @ Wake Up!

Date: 2012-12-02 07:04 pm (UTC)
From: (Anonymous)
Yeah, that's the ticket. Rummage around in the trash to dig out your neighbors forcibly obsoleted Windows 8 box. That will address the entire issue for sure......

That plays right into Microsoft's whole hope for this garbage. Slowly pressure Linux and it's users back into their definition of Linux as a "hobby OS" used by people too cheap to buy new computers and software.

Hope that works out for ya.....

BTW, clue to you. Microsoft does not own the hardware companies....but it would like to have that kind of control. Stevie B has nightly wet dreams in that direction.

Only real solution is legal action, not dumpster diving.

Re: +1 @ Wake Up!

Date: 2012-12-03 12:04 am (UTC)
From: (Anonymous)
Granted legal action and international standards are potentially the most effective. Trouble is, legal action is (a) expensive -- lawyers always make sure they're the biggest winners -- and (b) take a long time. For starters, who's going to foot the bill? Especially given the ever-present temptation to devise yet another inexpensive (relatively) work-around to M$'s moving target.

Until the legal path comes to fruition, interim solutions are needed. For this dumpster diver, the preference is just saying "no", but clearly that won't work for all.

Re: +1 @ Wake Up!

Date: 2012-12-03 12:36 am (UTC)
From: (Anonymous)
"For starters, who's going to foot the bill?"

You're already footing the bill.

Re: +1 @ Wake Up!

Date: 2012-12-30 02:39 pm (UTC)
From: (Anonymous)

He who for others digs a pit, will one day find themselves in it.

What that says is that hackers will find a way to blacklist Microsoft and change all of the MS keys, including the backdoor ones. Instead of UEFI blacklisting an uncertified distribution, it will be MS and MS Windows that will be blacklisted. And I forecast that it will happen in 2013 when the hackers will also change the Bios vendor's backdoor keys to further changes. The bios had better be a plug-in chip.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags