
Garrett: Why UEFI secure boot is difficult for Linux

Posted Jan 18, 2012 19:23 UTC (Wed) by drag (subscriber, #31333)
In reply to: Garrett: Why UEFI secure boot is difficult for Linux by stumbles
Parent article: Garrett: Why UEFI secure boot is difficult for Linux

> It is not a necessary feature I want because it prevents nothing, secures nothing after boot.

If you do not have a secure way to boot your machine then you cannot verify what is running on it after boot unless you are absolutely sure that your machine has never been successfully attacked.

Plain and simple.


Garrett: Why UEFI secure boot is difficult for Linux

Posted Jan 18, 2012 23:08 UTC (Wed) by stumbles (guest, #8796)

Secure boot would not fix that anyway. All the little nasty viruses, keyloggers and their ilk can hide anywhere within an OS and if not in the OS, then choose your poison (application). Still not convinced this is anything more than a solution looking for a problem. At the very minimum it will be another attack avenue for the proprietary world.

Garrett: Why UEFI secure boot is difficult for Linux

Posted Jan 19, 2012 9:34 UTC (Thu) by mastro (subscriber, #72665)

Either the bad guys can run code as root on my machine or they can't.

If they don't, then my boot is already 100% secure because they can't change the boot sector of my disk, the bootloader configuration, the initrd, the kernel or the init scripts.

If they DO have root access, it's because they've found some remote exploit (I keep all my distros up-to-date with security updates, but zero-days are still possible) because I for sure didn't give them a legitimate account on my machine, much less physical access to it.

And if they have found a successful remote exploit, everything I do at boot is pointless, they'll still have full control of my machine. And that INCLUDES the possibility of preventing any security update from being successful while still giving to me the appearance of a completely updated and secure system unless I pay *very* close attention.

There's a reason why a compromised system must never be just *fixed*, it must be rebuilt from a clean install.

Look, the root of the problem is: the boot process must not be modifiable without the consent of the device's owner but must also be easy to change for the owner if they want to.

The current boot process does achieve both these goals, UEFI "secure" boot doesn't.

Not even close.

Posted Jan 19, 2012 9:57 UTC (Thu) by khim (subscriber, #9252)

> And that INCLUDES the possibility of preventing any security update from being successful while still giving to me the appearance of a completely updated and secure system unless I pay *very* close attention.

Bullshit. Either you are not looking around or you don't understand how it's done. I've already written about it.

You need secure boot and a secure kernel update mechanism. That's all. The update mechanism can be much, MUCH, MUCH simpler than the full Linux kernel. You just send an update with an encrypted new random private key and then (when the remote system has acknowledged the update and supposedly installed it) ask it to sign a challenge with this new private key. If there is no response or if the response is wrong then you know the system was hosed and should be disconnected.

> There's a reason why a compromised system must never be just *fixed*, it must be rebuilt from a clean install.

Right. But with secure boot you can keep your "clean install" on the same physical media as the rest of the system :-)

> Look, the root of the problem is: the boot process must not be modifiable without the consent of the device's owner but must also be easy to change for the owner if they want to.

> The current boot process does achieve both these goals, UEFI "secure" boot doesn't.

Of course it does! You don't own Windows or iOS. You rent it. The real owner is Microsoft, Apple, etc. And UEFI boot absolutely does provide the required capability for the real owner (see above).

The real owners were long concerned by the fact that a mere lessee can change the system without their consent. UEFI is a solution for this problem. After public outcry they decided to allow this capability for some time on x86, but ARM is a new platform and it'll be created properly from the start: the real owner will have the ability to rebuild the system while the mere tenant will not. What's your problem?
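A sketch of the update-and-challenge scheme khim describes above, as an added example (not code from any commenter): the updater mints a fresh random key pair per update, seals the private half for the device, and only a device that actually installed the update can sign the later challenge. It assumes a pre-shared 32-byte channel key (hypothetical, e.g. left behind by the previous update) for the sealing step and uses ed25519 for the challenge signature.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// gcm returns an AES-GCM sealer for channelKey, an assumed pre-shared 32-byte key.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // only fails for non-128-bit block sizes
	return a
}

// PrepareUpdate (updater side) mints a new random signing key pair, seals the
// private half for the device and keeps only the public half for the later check.
func PrepareUpdate(channelKey []byte) ([]byte, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a := gcm(channelKey)
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	return a.Seal(nonce, nonce, priv, nil), pub
}

// InstallUpdate (device side): an honest device unseals the key and returns a
// responder that signs challenges with it; a hosed device has nothing to sign with.
func InstallUpdate(channelKey, sealedKey []byte) (func([]byte) []byte, error) {
	a := gcm(channelKey)
	if n := a.NonceSize(); len(sealedKey) >= n {
		if priv, err := a.Open(nil, sealedKey[:n], sealedKey[n:], nil); err == nil {
			return func(c []byte) []byte { return ed25519.Sign(ed25519.PrivateKey(priv), c) }, nil
		}
	}
	return nil, errors.New("cannot unseal update key")
}

// VerifyDevice (updater side): no response or a wrong signature means disconnect.
func VerifyDevice(pub ed25519.PublicKey, challenge, resp []byte) bool {
	return ed25519.Verify(pub, challenge, resp)
}
```

Because the key is new for every update, a device that still answers with an older key, or does not answer at all, is detected even if it claims to be fully patched.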

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds