An update on UEFI secure boot [LWN.net]

October 26, 2011

This article was contributed by Joe 'Zonker' Brockmeier.

The "secure boot" feature that will soon be appearing in PC firmware—partly due to a mandate from Microsoft—has garnered a number of different reactions. On one hand, you have the Free Software Foundation (FSF) calling for signatures to "stand up for your freedom to install free software". On the other hand, you have pundits accusing "Linux fanatics" of wanting to make Windows 8 less secure. The truth of the unified extensible firmware interface (UEFI) secure boot situation lies somewhere in between those two extremes, as might be guessed.

The problem started to come into focus earlier this year. The UEFI specification provides for an optional "secure boot" feature that makes use of a "platform key" (PK) and "key exchange keys" (KEKs) stored in a database in firmware. The corresponding private keys would be used to sign bootloaders, drivers, and operating systems loaded from disk, removable media, or over the network. The database could also contain blacklisted keys, in the event previously valid keys are revoked because they've fallen into malicious hands.

The idea is that only signed drivers and operating systems could be loaded. This could prove a useful feature, given that it could prevent malware from infecting the signed components — but it has also been seen as a threat against open source operating systems (like Linux) and could thwart attempts to jailbreak those systems.

When LWN covered the feature in June, there was concern that "a fair amount of pressure" would be applied by proprietary OS makers to enable this feature. That concern was realized when Microsoft announced that it intended to require secure boot to award the Windows 8 logo to OEMs. Since most OEMs are going to want to qualify for this, and the marketing funds that likely accompany the program, Microsoft requiring secure boot makes it more or less mandatory.

Problems

The first and most obvious problem with secure boot is that it has the potential to only allow Microsoft operating systems to boot. As Matthew Garrett wrote in September, "A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors."

But it's more complex than simply preventing non-Microsoft operating systems from booting on hardware with UEFI secure boot enabled. In all likelihood, users will be able to boot OSes of choice for the foreseeable future. But will they actually control their own hardware?

On October 19th, Garrett provided a follow-up to his earlier posts on secure boot, and said that the problem is whether the end user will have the ability to manage their own keys:

Every approach that involves us signing with a trusted key comes with associated problems. There's also a common problem with all of them — you only get to play if you have your own trusted key. Corporate Linux vendors can probably find a way to manage this. Everyone else (volunteer or hobbyist vendors, end users who want to run their own OS, anyone who wants to use a modified bootloader or kernel) is shut out.

As Garrett explains, the workaround is to turn off secure boot, but that's not very palatable:

It benefits nobody for Linux installation to require disabling a legitimate security feature. It's also not likely to be in a standard location on all systems and may have different naming. It's a support nightmare.

He suggested that, rather than requiring secure boot to be disabled, it would be better to work on how the feature could be properly supported for Linux installations.

Solutions

The solution? Garrett says that a proposal has been put forward to the UEFI Forum that would allow users to install their own keys from removable media. According to Garrett, this avoids problems that would have associated with booting untrusted binaries. Because it requires removable media, malware won't be able to trigger the key installation. Instead, the system with secure boot would simply refuse to boot and fall back to system recovery procedures.

The only way it could get on the system would involve the user explicitly booting off removable media, which would be a significant hurdle. If you're at that stage then you can also convince the user to disable secure boot entirely.

It is certainly possible that malware could infect USB keys or other removable media, but part of allowing users control is accepting some risk.

Meanwhile at the UEFI Forum

Mark Doran, president of the UEFI Forum, says that he's "trying to work with some folks in the Linux community, the Linux Foundation board for example, to see how Linux and other operating systems can participate in using this facility." He says that there are "a couple of ways that we could do that," but didn't offer specifics. Doran also said that, despite Microsoft being out front pushing for adoption, it was "absolutely intended for it to be implemented and implementable with any operating system."

Doran was also emphatic that he thought it unlikely that "many" systems would ship without the ability to turn off secure boot.

I would challenge you to find one of the theoretical systems that has no disable [feature]. I've taken a pretty good temperature, and I can't find anybody that's planning to build a system with no enable/disable feature, with the exception of kiosks.

The reason is pretty simple, says Doran. Too many vendors have to support legacy Windows. At least for the foreseeable future, none of the OEMs are likely to ship systems that can't boot older versions of Windows.

This echoes what Ed Bott reported when slinging mud at "Linux fanatics". Bott asked "a spokesperson for AMI" and the response was "AMI will advise OEMs to provide a default configuration that allows users to enable / disable secure boot, but it remains the choice of the OEM to do (or not do) so." So everyone reports that it's "unlikely" that systems will ship that don't have a disable feature — but that's not quite the same as guaranteeing that users will be able to control their systems. Being able to disable secure boot is better than nothing, but that feature, alone, does not enable Linux to make use of the secure boot capability.

History Repeating Itself?

The UEFI secure boot situation is not unlike the once-feared trusted platform module (TPM) or "trusted computing" features. When first introduced, the concept for TPM was that it could provide additional system security by verifying that only authorized code could run on a system. At first glance, this seemed like a good idea — except that it could be misused to secure a system against its owner.

Microsoft and a number of other companies argued strongly in favor of TPM, while digital rights advocates argued against it. The EFF's Seth Schoen wrote in 2003:

The TCPA [Trusted Computing Platform Alliance] security design allows software publishers to [...] create encrypted network protocols and file formats — with keys tucked away in hardware rather than accessible in memory. Thus, the same security features that protect your computer and its software against intruders can be turned against you.

As Schoen noted then, the EFF and others lobbied for user override, but it was initially resisted by the Trusted Computing Group (TCG). This time around, Microsoft and the UEFI Forum are saying that it's in the hands of the vendors to decide whether to implement a bypass to UEFI secure boot, and trying to downplay concerns about the implementations and the effects on users of other platforms.

Ultimately, trusted computing did not turn out to be the nightmare that many feared. We can probably thank the EFF and other organizations that lobbied against TPM that we aren't seeing widespread misuse of TPM against users.

Don't panic... yet

The worst-case scenario — a flood of "restricted boot" systems hitting the market that are incapable of booting Linux or anything other than signed Windows 8 — does seem unlikely. But we're a long way from Garrett's proposal as well. Users interested in complete control of their systems will need to keep an eye on this process, and make sure that OEMs are aware that having the ability to disable secure boot is not enough. In order to truly control your system, you must have a way to install your own trusted keys as well.

(Log in to post comments)

An update on UEFI secure boot

Posted Oct 27, 2011 8:39 UTC (Thu) by Fowl (subscriber, #65667) [Link]

Secure Boot must is only mandatory to "get the logo" ie. pass Microsoft's tests. As Windows 8 will be expected to run on hardware that currently runs Windows 7, it will run without secure boot. I can't see how it couldn't, even intentionally; it's not like bootloaders haven't lied in the past.

An update on UEFI secure boot

Posted Oct 27, 2011 9:47 UTC (Thu) by dgm (subscriber, #49227) [Link]

> Secure Boot must is only mandatory to "get the logo" ie. pass Microsoft's tests.

... for now. Looks like a wooden horse to me. What will happen when most systems do boot with UEFI secure boot? Probably Windows will start to refuse to run certain applications and open certain files if booted insecure, meaning users will not do that. From there to removing the disable feature is just a little step. Don't you have the feeling of being spoon-fed?

An update on UEFI secure boot

Posted Oct 27, 2011 11:44 UTC (Thu) by Fowl (subscriber, #65667) [Link]

I don't see how. Running Windows is preferable to Windows not running. I'm just concerned about the ux apocalypse OEMs are going to unleash.

An update on UEFI secure boot

Posted Oct 27, 2011 8:41 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Windows 8 logo systems must be UEFI, but Windows 8 will boot fine with BIOS. It's probably worth remembering that there's no real concept of attestation in secure boot, so even if a future version requires both UEFI and the secure boot feature, it'd be easy to fake it up.

An update on UEFI secure boot

Posted Oct 27, 2011 14:20 UTC (Thu) by zonker (subscriber, #7867) [Link]

That could be - but I don't think that's what MSFT is aiming for here. I think they're primarily targeting "greymarket" Windows. But maybe you're right...

An update on UEFI secure boot

Posted Oct 27, 2011 15:28 UTC (Thu) by raven667 (subscriber, #5198) [Link]

That's true but we have to be careful that the secure boot infrastructure isn't mis-used, through incompetence or apathy, such that we have to resort to jail-breaking and other potentially illegal activity just to run our own software. This whole discussion started because a naive implementation of the MS Win8 Logo requirements could leave competitive systems on the Desktop out in the cold and MS isn't overflowing with concern about what happens outside their ecosystem.

An update on UEFI secure boot

Posted Oct 27, 2011 14:23 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Secure boot is not trusted boot. It's impossible for any OS using it to know that it booted via a trusted path.

An update on UEFI secure boot

Posted Oct 27, 2011 15:05 UTC (Thu) by simlo (subscriber, #10866) [Link]

Let me see if I understand it correctly:

We have a boot chain:

firmware -> bootloader -> OS -> applications -> server

Each have some build in certificates to verify from left to right: The firmware have a certificate for the bootloader, the bootloader have certificate(s) for the kernel etc. In secure boot, if the signature doesn't match, stop the boot process.

To have "trusted computing" you also need to be able to verify from right to left: The server shall be able to be able to see that the application is correctly signed.

So to interpret the difference between secure boot and trusted computing:
The firmware can tell the bootloader that it was correctly signed. The bootloaded can tell the OS etc. But the bootloaded can lie to you in "secure boot": Secure boot might actually have been turned off in the firmware, but the bootloader have also been changed to lie to the OS that it was correctly signed.
Or the user can tell the server that the stack is correctly signed, because there is no way the server can verify it.

If that is the case, where is the security? It should be "simple" to either manipulate the firmware to switch off secure boot on specific systems, or trick the user into doing so, while flipping the bits in the bootloader, OS etc. It is harder to install malware on such a system, but far from impossible if you know which bits to flip - and hackers do. The only real things which makes it harder is to figure out how to disable secure boot on many different versions of the firmware. I bet you can manipulate the setting from software, if you know how.

An update on UEFI secure boot

Posted Oct 27, 2011 15:15 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

The security comes from the requirement that the user enter the BIOS to disable the feature. If the firmware is implemented in such a way that you can modify this from the OS then it's obviously circumventable, but the design is intended to be such that this is impossible.

An update on UEFI secure boot

Posted Oct 27, 2011 23:50 UTC (Thu) by giraffedata (subscriber, #1954) [Link]

The bootloader can tell the OS [that it was correctly signed] etc. But the bootloader can lie to you in "secure boot":

Not quite. The bootloader can't tell the OS that it was correctly signed and the OS can't ask. Implementing that function would be ridiculous, since the bootloader could lie. It would be like a prostitute asking a potential client if he is a cop.

That's the difference between secure boot and trusted computing. With trusted computing, the program can determine it is running on a platform the program trusts; with secure boot, the user can ensure everything running on his computer is something he trusts.

An update on UEFI secure boot

Posted Nov 20, 2011 20:51 UTC (Sun) by oak (guest, #2786) [Link]

That's where DRM comes in. The content is crypted so that only your firmware which has the correct keys can decrypt it. Firmware will do that only if boot was secured. "Content" can be anything; challenge from your internet bank, video stream, code loaded on game startup etc.

An update on UEFI secure boot

Posted Nov 20, 2011 21:11 UTC (Sun) by mjg59 (subscriber, #23239) [Link]

Given the way UEFI works, it'd be trivial for you to extract the decryption key in any such scenario.

An update on UEFI secure boot

Posted Oct 27, 2011 15:36 UTC (Thu) by raven667 (subscriber, #5198) [Link]

The issue is not if you will end up buying machines where you can't boot Linux because secure boot can't be switched off. That will not happen, among other things, due to anti-trust issues.

I think that is a real concern, not because of any malice on MS or the hardware vendors part but just due to apathy about non-MS desktop systems. It would be easy to load the MS keys into the hardware, flip on the secure-boot feature and not bother to make a UI for loading your own keys or turning the feature off, locking the hardware to only run Win8 (and possibly some OEM version of Win7 that's signed). That's not saying there wouldn't be vendors who do allow key modification or even cater to the Linux market but there was a real danger of the PC market getting locked up in the name of security and turning people into criminals who have to jail-break their machines.

Tablets

Posted Oct 27, 2011 18:43 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]

No they won't lock us out of PCs and servers.... now.

But finding a phone with an open boot loader is a challenge today. Finding one that boots in a well described way amendable to replacing the OS is all but impossible. Same for tablets.

This tablets are where the smart people have decided all development is headed, see GNOME3 and Microsoft's Metro UI in Win8. Once they get people to accept tablets as sealed devices that get replaced instead of upgraded the desktop will accept the new reality. Or at least I'd bet that is the plan.

Up to now they have only been toying with us, because they aren't really trying too hard and because they are still learning themselves. So most popular devices get jailbroken eventually, even the mighty PlayStation 3 fell to the hackers. But give it a few more generations and let more and more functions get integrated into a single die and they will perfect locks that won't get broken before the product is obsolete. And they all dream of that day, if for different reasons some of which are are sometimes at cross purposes.

Microsoft dreams of zero piracy and zero competition. Hollywood dreams of charging for every view of their precious content. Government wants the 100% reliable snooping with no opt out and the ability to mandate... mostly because mandating is what the government DOES. The bankers dream of microtransactions for everything... all perfectly secure to ensure they get their taste. With a secure computing environment everyone wins... except the nominal owner of the machine. Of course even that idea is old, now you just get to use it because selling things instead of making you a continuing revenue stream is just so 20th Century.

An update on UEFI secure boot

Posted Nov 3, 2011 6:41 UTC (Thu) by njs (guest, #40338) [Link]

As I understand it, the sole point of "secure boot" is to let you run your *virus checker* at boot time, in such a way that your virus checker can't be disabled by malware.

If you don't have a securely signed virus-checker that you run directly from your boot-loader, then all this secure boot stuff is useless, AFAICT.

An update on UEFI secure boot

Posted Nov 6, 2011 22:40 UTC (Sun) by foom (subscriber, #14868) [Link]

I was thinking it was so that a "reinstall windows" button could reliably reinstall windows from the HD, without the possibility of any rootkits getting in the way.

An update on UEFI secure boot

Posted Nov 6, 2011 22:48 UTC (Sun) by njs (guest, #40338) [Link]

Good idea. I haven't seen that in any MS literature, but I haven't looked at much either. Though, "reliably" is probably the wrong word -- you could prevent a rootkit from infecting the backup partition, but it could easily trash the backup partition so that you still had to use a traditional reinstall method.

An update on UEFI secure boot

Posted Nov 7, 2011 0:23 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

That's something it allows, yes. But it also allows you to assume that nothing has modified system state before you start the kernel, which means that if the first piece of userspace you start is a virus checker you know that the answers it gets from the kernel can be trusted.