LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu details its UEFI secure boot plans

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 16:07 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Ubuntu details its UEFI secure boot plans by naptastic
Parent article: Ubuntu details its UEFI secure boot plans

The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing?

I think you're wrong about asking itself being gullible. Microsoft's public key is in ROM on the machine, and since there's no way for a worm to change ROM, I think it's entirely nongullible for the machine to ask itself whether the thing it's loading is approved by Microsoft.

(Log in to post comments)

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 23:14 UTC (Fri) by jmorris42 (subscriber, #2203) [Link]

> Microsoft's public key is in ROM on the machine

Except that it won't be. It will be in flash. And odds are most motherboards won't even implement basic protections to disable writes after POST/BIOS because they all want to keep the cute Windows based BIOS update features. And besides, how else is a revoked key list going to get updated?

But it really doesn't matter if Ubuntu gets away with their hack of the letter of the spec. I suspect lawyers will get brought into it before it is over but if they win it will be game over. Try again with a new & improved lockdown for Windows 9.

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 23:43 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

Most EFI systems already lock down the flash such that it's only writeable in system management mode, and the SMM code validates writes before passing them on.

Ubuntu details its UEFI secure boot plans

Posted Jul 3, 2012 19:38 UTC (Tue) by jmorris42 (subscriber, #2203) [Link]

Most early flash BIOS machines had emergency reflash from a boot floppy, write protect jumpers, etc. All that went away as mass production happened. I'd expect the same to happen here, top of the line boards for workstations and servers will still tend to do the right thing but cheap consumer products won't.

The cheap ones will also stop allowing the user to rekey or disable the secure boot. On the good side there will be exploits aplenty since it will just be security theater to appease the Hollywierd content gods and vendor locks to stop casual Linux use. It is a feature no customer is likely to ask for and no sales will depend on it being effective, so they will make it as cheap as Microsoft will let them qualify for the Windows 8 sticker with.

Ubuntu details its UEFI secure boot plans

Posted Jul 3, 2012 19:41 UTC (Tue) by mjg59 (subscriber, #23239) [Link]

You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 2:56 UTC (Wed) by giraffedata (subscriber, #1954) [Link]

You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.

I don't think that's so. From what I can tell from various reports on the web, Microsoft defines a "custom mode" in which the user has the ability to rekey and disable secure boot, but it is optional for Windows 8 certified computers. And for ARM systems, it isn't even an option -- custom mode is prohibited.

For those where it's optional, I predict manufacturers will provide it, and other commentators seem to agree, but there is still an objection to the Windows 8 certification program because it's not easy enough to enter custom mode - the computer is required to ship in "standard mode" (boots only Microsoft-approved things) by default and you have to go into a machine setup dialog to do it (obviously, standard mode doesn't let an installer program just switch out of standard mode programmatically).

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:07 UTC (Wed) by naptastic (subscriber, #60139) [Link]

All of this begs the question: Is anyone seeking an injunction against this behavior, which is clearly an antitrust violation?

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:30 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Check out section System.Fundamentals.Firmware.UEFISecureBoot in document http://msdn.microsoft.com/en-us/library/windows/hardware/... especially paragraphs 17 and 18 which state that custom mode and enable/disable are mandatory on x86.

You might want to be more skeptical of some of the "various reports on the web", the sites you have been reading clearly aren't doing even the most basic of research and are probably not worth your time to read. Stick to LWN 8-)

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:32 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

> I don't think that's so.

'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a
physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:'

Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 4:08 UTC (Wed) by Fowl (subscriber, #65667) [Link]

"Custom mode" must be user (not programmatically) accessible in order to certify.

On the other hand, it only requires the ability to disable secure boot, not re-key it.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 4:15 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

Argh no really the entire point of custom mode is that it allows re-keying. It's distinct from being able to just disable secure boot.

Ubuntu details its UEFI secure boot plans

Posted Jul 5, 2012 21:01 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]

I wasn't referring to official policy, I'm in the real world discussing what will actually happen. Most motherboard vendors have trouble making a lot of 'mandatory' things that customers actually care about work. Just how much effort do you think they will put into making this stuff work beyond what is required to boot Windows 8 and get the little sticker?

How many motherboards have you fought to make power management work on? How about the temp/voltage/fan sensors? Last I heard working ACPI is also a requirement for the Windows logo program.

Now add in the fact that Microsoft is almost certain to be quietly 'encouraging' motherboard makers to break this particular feature. Raise your hand if you don't think an OEM would instantly get into the double secret marketing co-op program and qualify for special pricing or marketing kickbacks for discouraging OS migration?

Ubuntu details its UEFI secure boot plans

Posted Jul 5, 2012 21:05 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

This functionality is required to get the little sticker, and ACPI functionality is tested by Microsoft. The problem with ACPI is that it's only tested under Windows, and our implementation isn't identical to Windows. That's not a concern at this level of firmware. Plus, like I said, this is functionality that's already present in the firmware that OEMs get. They'd need to actively put work into removing it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds