Weekly Edition
Return to the Security page
| |||||||||||||
Ubuntu details its UEFI secure boot plansUEFI Secure boot is expected to interfere with many users' desire to replace Windows or dual-boot it with Linux, because Microsoft is mandating that secure boot be enabled on Windows 8 machines at the time of sale. On June 5, we reported on Fedora's plans for handling the secure boot mechanism in UEFI. Ubuntu has subsequently announced its own plans, which take a different approach. To recap, the secure boot feature constrains the hardware only to boot software that has been signed by a known cryptographic key. The point is that booting only signed, trusted binaries prevents attacks through boot-time malware that could be undetectable after the infected system is up and running. Microsoft is requiring hardware vendors to have secure boot enabled if they want to include the official logo for the upcoming Windows 8, although x86 vendors are also required to allow the machine's owner to turn off secure boot entirely or to install new keys. That option is regarded as insufficient for several reasons, notably that there may be users who are required (e.g., by office rules) to keep secure boot switched on, and that entering new keys for every alternative OS is likely to be an arduous process (even more so for the scenario where one needs to boot a temporary OS, such as from a CD or USB key). Fedora's strategy is to enroll in Microsoft's developer program, which allows the project to purchase an approved $99 key through Verisign, a key which will be recognized by UEFI secure boot. The key will be used to sign the shim bootloader, which is a "trivial UEFI first-stage bootloader" whose only job is to boot GRUB2. Fedora will also sign the GRUB2 bootloader and the kernel, although the latter two binaries can be signed with the Fedora project's own keys. Ubuntu's planCanonical posted a brief announcement about its own secure boot plan on the company blog on June 22, although the details were to be found in Steve Langasek's message to the ubuntu-devel mailing list. Canonical has generated its own signing key which will be pre-loaded on machines that ship with Ubuntu already installed. Ubuntu CDs will ship with a shim bootloader (the same shim bootloader used by Fedora) signed by one of the existing Microsoft-certified keys, much like the Fedora plan. After that point, however, the distribution is taking a markedly different approach to the trusted bootloader chain. An Ubuntu system will boot into the efilinux bootloader, which will in turn boot an unsigned kernel image. Under Fedora's plan, the shim bootloader verifies the integrity of GRUB2 before loading it, and GRUB2 in turn verifies the integrity of the kernel. Canonical says that their reading of the specification makes it clear that their secure boot responsibilities stop at the bootloader, and do not extend to the kernel:
We believe that the intention of secure boot is to protect against
malicious use or modification of pre-boot code, before the
ExitBootServices UEFI service is invoked. Currently, this call is
performed by the boot loader, before the kernel is executed.
Therefore, we will only be requiring authentication of boot loader binaries. Ubuntu will not require signed kernel images or kernel modules. The decision to use efilinux has its own justification. Because GRUB2 is licensed under the GPLv3, Canonical determined that machines with Ubuntu pre-installed are subject to the "User Product" provisions of GPLv3, which requires that the distributor provide the user with all authorization keys required to install the software. The company consulted with the FSF about that topic, and were warned that the authorization key clause would probably (although not definitely...) apply. Thus, if a hardware vendor shipped an Ubuntu system and did not include a way for users to install keys of their own, Canonical would be compelled to disclose its key. Revealing the signing key would undermine the point of secure boot and "at that point our certificates would of course be revoked and everyone would end up worse off." Signatures, revocation, and other fine printUbuntu's decision to use its own key for pre-installed machines has spawned relatively little debate, but there is a sharp disagreement over the decision not to sign kernel images. Red Hat's Matthew Garrett (who authored the Fedora secure boot plan) argued that signing only the bootloader is insufficient:
How are you going to prevent your bootloader from being used to launch a
trojaned Fedora kernel, for instance? This is the kind of decision that
doesn't just affect Ubuntu, it has ramifications for the security model
that other distributions use. This makes it impossible to implement any
kind of signed userspace unless the user explicitly revokes the Ubuntu
bootloader first or uses their own trust chain.
Jamie Strandboge replied that "the UEFI specification and the Windows 8 logo requirements is that Secure Boot is designed to protect early boot only," and that signing the kernel and large portions of userspace is unattractive for several reasons, "not least of which is that it reduces the utility of the distribution." Strandboge also contended that signing the kernel does not offer a significant level of protection over signing the bootloader, because the existence of any exploitable bootloader undermines the trust chain for all OS vendors. The argument goes that if DistroX's signed bootloader is vulnerable, malware authors could use it to create a malicious live CD image that will boot even on a machine that normally runs DistroY's secure bootloader with its signed kernel. Thus, signing the kernel image is useful for creating a trusted environment for user space, but it does not strengthen the protection of secure boot itself. There is also the open question of how key-revocations and other updates to the secure boot world will work in practice. Both Fedora and Ubuntu plan to make use of a "shim" bootloader so that they can issue updates to the main bootloader without getting the updates signed by Microsoft. But the distributions will also need to issue revocations for vulnerable, signed bootloader and/or kernel images, and the process by which the OS vendor pushes those updates out has yet to be determined. Although most multi-boot discussions revolve around dual-booting Windows and a single Linux distribution, that is hardly the only scenario. Canonical said that it will not offer its own signing key to sign the bootloaders of other distributions or vendors, which some feared would make it impossible to install, for example, Fedora on a machine that comes with Ubuntu pre-installed. However, the owners of machines pre-loaded with Ubuntu will still be able to install Fedora or other OSes in tandem, because the company will require its OEMs to include the Microsoft key in the secure boot key database alongside the Ubuntu key. As Windows 8 draws near, the questions about UEFI secure boot and its impact on users continue to swirl. Clearly there are risks in handing the ultimate say in booting one's machine to a third party (particularly a rival OS vendor like Microsoft), and even though two of the largest distributions have crafted a plan for dealing with secure boot's restrictions, how much of an imposition the final product is still hinges on unknowns like the revocation and update process. But the biggest question that remains is whether it is wise to tacitly endorse secure boot by playing its games in first place. On that, the community may never arrive at a single answer. (Log in to post comments)
Ubuntu's approach sounds better - if it works Posted Jun 28, 2012 9:22 UTC (Thu) by epa (subscriber, #39769) [Link]
If Ubuntu can get away with their plan, and not have their key revoked by the capricious gods of key revocation, then it sounds like a better approach to not require signed kernels. Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?
A machine that comes with Ubuntu pre-installed could still run Fedora or Windows or any other operating system, since the Ubuntu bootloader can surely be configured to boot other Linux distributions or OSes. It is not really necessary to include Microsoft's key or anyone else's. Indeed, it might be wise for Canonical to spin out their initial signed bootloader as a separate project, becoming the upstream for many other distributions. Then hardware vendors need include only a single key in order to boot pretty much any Linux distro.
Ubuntu's approach sounds better - if it works Posted Jun 28, 2012 11:17 UTC (Thu) by Jonno (subscriber, #49613) [Link] > Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through? Sort of. User-installed Ubuntu machines will boot a Verisign-signed shim bootloader, which will only launch an Canonical-signed efilinux bootloader (so the signed shim bootloader won't be useful to other distributions). However, unlike the Fedora-signed Grub 2 bootloader, the Canonical-signed efilinux bootloader will in turn launch any Linux kernel. OEM installations will include the Canonical public key in UEFI flash, and will launch the Canonical-signed efilinux bootloader directly, making the shim bootloader unnecessary. End users with a motherboard that allows adding new keys could conceivably also add the Canonical key and boot efilinux directly (or for that matter add the Fedora key and boot Grub 2 directly), making theoretically possible to remove the Verisign key. Note, however, that not all motherboards will offer that functionality. The Windows 8 logo requirements only state that you have to make it possible to add/remove keys or to disable secure boot entirely. I fully expect most consumer motherboards to only offer a simple disable option, while at least some enterprise motherboards will only offer the ability to add/remove keys (to satisfies corporate secure boot policies).
Ubuntu's approach sounds better - if it works Posted Jun 28, 2012 14:12 UTC (Thu) by epa (subscriber, #39769) [Link]
If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution, unless the other distribution depends on some special bootloader magic beyond the usual initrd and parameter passing.
But even in that case, isn't there some kexec type mechanism where the Linux kernel can be made to boot a different kernel or perhaps even GRUB2? My point is that if you can boot an arbitrary Linux kernel, with a little bit of programming work you can boot any other kernel. So Canonical's signed bootloader could be used by other distributions, even Fedora.
Ubuntu's approach sounds better - if it works Posted Jun 29, 2012 16:03 UTC (Fri) by giraffedata (subscriber, #1954) [Link] If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution And I assume it can be used to launch any other program at all, Linux or not. For example, an infected Windows kernel. So a smart Windows virus would install Canonical's signed efilinux bootloader along with its infected Windows kernel and defeat Microsoft's strategy to secure Windows 8 computers altogether. So this should mean that Microsoft would not sign a key for Canonical, or should revoke it once Microsoft finds out Canonical is using it this way. Or maybe I'm just still confused about how UEFI works.
Turn off "secure" boot Posted Jun 28, 2012 9:42 UTC (Thu) by rwmj (subscriber, #5474) [Link]
I think the best answer is that we encourage end users to not buy hardware that has this anti-user feature. If they have to buy such hardware, turn "secure" boot off.
Turn off "secure" boot Posted Jun 28, 2012 16:32 UTC (Thu) by wookey (subscriber, #5501) [Link]
Quite. It seems like a really good reason not to buy an ARM device with Windows 8 on.
And is there a real practical problem that all this faffing about with keys solves? It seems to me that pre-boot infections are a very rare thing, and this cure it a lot worse than the disease. Perhaps I am wrong about that?
Secure boot could be useful in the same way that encrypting your machines disk, but only if _you_ have control. I remain doubtful that manufacturers are going to provide that control, and that could start to be a serious problem when buying new kit. We all resented the 'microsoft tax' on much PC and laptop x86 hardware to date, but you did at least get control of the hardware once it was in your hands. We seem to be heading for a world where that may no longer be true.
Buy carefully!
Turn off "secure" boot Posted Jun 28, 2012 19:29 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
> It seems to me that pre-boot infections are a very rare thing, and this cure it a lot worse than the disease. Perhaps I am wrong about that?
Yes.
Turn off "secure" boot Posted Jun 28, 2012 19:39 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
That is to say, yes, you're wrong about it being very rare - attacks on the boot process are becoming more common. Whether the cure is worse is more of a value judgement.
Turn off "secure" boot Posted Jun 28, 2012 21:45 UTC (Thu) by wookey (subscriber, #5501) [Link]
Some evidence would help convince. Is this something that only affects Windows people which is why I've never heard of a case?
Turn off "secure" boot Posted Jun 28, 2012 21:47 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
Improvements in Windows security have meant that the boot process is an easier target. http://www.slideshare.net/daniel_bilar/matrosov-2012-reco... is a description of this in the real world, but there are several others out there.
Turn off "secure" boot Posted Jun 28, 2012 19:41 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
the problem is that Microsoft is requiring this feature on any hardware that is going to be certified as supporting Windows 8
There is going to be very little PC hardware produced that deliberatly opts not to be able to support Windows 8, even the vendors that sell linux pre-installed will be buying motherboards from vendors that want to sell the same motherboards to Windows users.
simply opting not to buy hardware with this feature is not likely to be a realistic option, the best we can hope for is that vendors have the option, but default to having it turned off.
Turn off "secure" boot Posted Jun 29, 2012 15:53 UTC (Fri) by giraffedata (subscriber, #1954) [Link] I think the best answer is that we encourage end users to not buy hardware that has this anti-user feature. But answer to what? I believe the challenge that Ubuntu and Fedora are answering is the challenge of running Ubuntu or Fedora on hardware that has this feature.
Ubuntu details its UEFI secure boot plans Posted Jun 29, 2012 5:03 UTC (Fri) by naptastic (subscriber, #60139) [Link]
My technical understanding of this may be wrong, so please educate me. This whole thing seems like the Content Scrambling System of 1996. A computer just starting to boot can't check the Internet for someone's public keys, and even if it could, that could be spoofed. The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing?
Ubuntu details its UEFI secure boot plans Posted Jun 29, 2012 16:07 UTC (Fri) by giraffedata (subscriber, #1954) [Link] The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing? I think you're wrong about asking itself being gullible. Microsoft's public key is in ROM on the machine, and since there's no way for a worm to change ROM, I think it's entirely nongullible for the machine to ask itself whether the thing it's loading is approved by Microsoft.
Ubuntu details its UEFI secure boot plans Posted Jun 29, 2012 23:14 UTC (Fri) by jmorris42 (subscriber, #2203) [Link]
> Microsoft's public key is in ROM on the machine
Except that it won't be. It will be in flash. And odds are most motherboards won't even implement basic protections to disable writes after POST/BIOS because they all want to keep the cute Windows based BIOS update features. And besides, how else is a revoked key list going to get updated?
But it really doesn't matter if Ubuntu gets away with their hack of the letter of the spec. I suspect lawyers will get brought into it before it is over but if they win it will be game over. Try again with a new & improved lockdown for Windows 9.
Ubuntu details its UEFI secure boot plans Posted Jun 29, 2012 23:43 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
Most EFI systems already lock down the flash such that it's only writeable in system management mode, and the SMM code validates writes before passing them on.
Ubuntu details its UEFI secure boot plans Posted Jul 3, 2012 19:38 UTC (Tue) by jmorris42 (subscriber, #2203) [Link]
Most early flash BIOS machines had emergency reflash from a boot floppy, write protect jumpers, etc. All that went away as mass production happened. I'd expect the same to happen here, top of the line boards for workstations and servers will still tend to do the right thing but cheap consumer products won't.
The cheap ones will also stop allowing the user to rekey or disable the secure boot. On the good side there will be exploits aplenty since it will just be security theater to appease the Hollywierd content gods and vendor locks to stop casual Linux use. It is a feature no customer is likely to ask for and no sales will depend on it being effective, so they will make it as cheap as Microsoft will let them qualify for the Windows 8 sticker with.
Ubuntu details its UEFI secure boot plans Posted Jul 3, 2012 19:41 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 2:56 UTC (Wed) by giraffedata (subscriber, #1954) [Link] You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot. I don't think that's so. From what I can tell from various reports on the web, Microsoft defines a "custom mode" in which the user has the ability to rekey and disable secure boot, but it is optional for Windows 8 certified computers. And for ARM systems, it isn't even an option -- custom mode is prohibited. For those where it's optional, I predict manufacturers will provide it, and other commentators seem to agree, but there is still an objection to the Windows 8 certification program because it's not easy enough to enter custom mode - the computer is required to ship in "standard mode" (boots only Microsoft-approved things) by default and you have to go into a machine setup dialog to do it (obviously, standard mode doesn't let an installer program just switch out of standard mode programmatically).
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 3:07 UTC (Wed) by naptastic (subscriber, #60139) [Link]
All of this begs the question: Is anyone seeking an injunction against this behavior, which is clearly an antitrust violation?
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 3:30 UTC (Wed) by raven667 (subscriber, #5198) [Link]
Check out section System.Fundamentals.Firmware.UEFISecureBoot in document http://msdn.microsoft.com/en-us/library/windows/hardware/... especially paragraphs 17 and 18 which state that custom mode and enable/disable are mandatory on x86.
You might want to be more skeptical of some of the "various reports on the web", the sites you have been reading clearly aren't doing even the most basic of research and are probably not worth your time to read. Stick to LWN 8-)
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 3:32 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
> I don't think that's so.
'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a
Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 4:08 UTC (Wed) by Fowl (subscriber, #65667) [Link]
"Custom mode" must be user (not programmatically) accessible in order to certify.
On the other hand, it only requires the ability to disable secure boot, not re-key it.
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 4:15 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
Argh no really the entire point of custom mode is that it allows re-keying. It's distinct from being able to just disable secure boot.
Ubuntu details its UEFI secure boot plans Posted Jul 5, 2012 21:01 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]
I wasn't referring to official policy, I'm in the real world discussing what will actually happen. Most motherboard vendors have trouble making a lot of 'mandatory' things that customers actually care about work. Just how much effort do you think they will put into making this stuff work beyond what is required to boot Windows 8 and get the little sticker?
How many motherboards have you fought to make power management work on? How about the temp/voltage/fan sensors? Last I heard working ACPI is also a requirement for the Windows logo program.
Now add in the fact that Microsoft is almost certain to be quietly 'encouraging' motherboard makers to break this particular feature. Raise your hand if you don't think an OEM would instantly get into the double secret marketing co-op program and qualify for special pricing or marketing kickbacks for discouraging OS migration?
Ubuntu details its UEFI secure boot plans Posted Jul 5, 2012 21:05 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
This functionality is required to get the little sticker, and ACPI functionality is tested by Microsoft. The problem with ACPI is that it's only tested under Windows, and our implementation isn't identical to Windows. That's not a concern at this level of firmware. Plus, like I said, this is functionality that's already present in the firmware that OEMs get. They'd need to actively put work into removing it.
|
|||||||||||||