UEFI and "secure boot"

By Jake Edge
June 15, 2011

Hardware-based secure boot mechanisms are clearly useful for some users. By determining that firmware, bootloaders, and operating systems are not compromised, these mechanisms can protect systems against rootkits and other low-level attacks. Typically, the way that is done is by cryptographically signing the binaries in question such that they can be verified before being run. But disallowing unsigned binaries from running has a potentially problematic side effect: booting free operating systems becomes difficult or, in the worst case, impossible. It all depends on who holds the signing keys.

The Linux kernel has the integrity measurement architecture (IMA) and the proposed extended verification module (EVM) which could be combined with system hardware—such as the Trusted Platform Module (TPM)—to provide a secure boot environment. There have been concerns about these mechanisms as they can be used for both good and ill: either preventing rootkits and other tampering or preventing users from running code of their choice on their hardware. The unified extensible firmware interface (UEFI) specification has recently added some features that could be used similarly, leading to many of the same concerns. But there is also an additional wrinkle for systems that use the GRUB 2 bootloader.

UEFI is a relatively new standard for firmware that provides the boot environment for computer systems. For x86-64 systems (there are no plans to put UEFI in 32-bit x86 systems), it is aimed at replacing the 20+ year-old BIOS interface that is used to boot systems today. While BIOS is x86-specific, UEFI aims to be cross-architecture, and various vendors of ARM-based systems—Apple is rumored to be among them—have started adopting it. The UEFI 2.3.1 specification [agreement required] has a number of new features, one of which is the optional "secure boot" protocol. So far, UEFI 2.3.1 is not being shipped by any vendor and is only available on evaluation boards, but that will change in time.

The basic idea behind secure boot is to sign executables using a public-key cryptography scheme (RSA with 2048-bit keys with SHA-1 or SHA-256 as the hash). The public part of a "platform key" (PK) can be stored in the firmware for use as a root key. Additional "key exchange keys" (KEKs) can also have their public portion stored in the firmware in what is called the "signature database". That database contains public keys that can be used to verify different components that might be used by UEFI (e.g. drivers) as well as bootloaders, and operating systems that get loaded from external sources (disks, USB devices, network, and so on). The signature database will also contain "forbidden" signatures which correspond to a revocation list of previously valid keys. The signature database is meant to contain the current list of authorized and forbidden keys as determined by the UEFI organization.

Before a PK is loaded into the firmware, UEFI is considered to be in "setup" mode, which allows anyone to write a PK to the firmware. Writing the PK switches the firmware into "user" mode. Once in user mode, PKs and KEKs can only be written if they are signed using the private portion of the PK, though KEKs can be freely written during setup mode. Essentially, the PK is meant to authenticate the platform "owner", while the KEKs are used to authenticate other components, like operating systems.

All of this presents some problems for free software. If device makers create PKs and KEKs for the devices before shipping them to users, and do not provide the private portion of the keys, only entities listed in the signature database will be able to sign bootloaders and OSes. That is a fairly secure option for the device maker, but makes it difficult for those who might want to choose what code gets run on their hardware.

Secure boot is optional, but there is likely to be a fair amount of pressure applied by proprietary OS makers to enable it. One could imagine that those vendors might also provide a way to turn off secure boot (from a BIOS-like menu for example), but that is something that might be exploited by rootkits and other malware, so there may well be resistance to allowing that kind of option. Protecting users from rootkits and the like is certainly useful, but there is a competitive advantage as well. Hardware vendors can ensure that only the code they approve can run on the hardware, and proprietary OS vendors will be largely unaffected because their keys will be in the signature database. One would hope that the protection against malware is the primary motivation, but the ability to lock out free OSes is likely seen as a plus.

It is Linux and other free systems that could suffer most from secure boot implementations. While it would be possible for various distributions to get their keys added, that wouldn't help anyone who wanted to run a tweaked version of the "approved" bootloader or kernel. Distributors would not be able to release their private keys to allow folks to sign their own binaries either. Each key is just as valid as any other, so malware authors would just pick up those keys to sign their wares. Exposed keys would also find their way onto the forbidden list rather quickly one suspects.

But there is another potential pitfall here. The GRUB 2 bootloader, which is finding its way into some distributions, is licensed under GPLv3. One of the attributes of GPLv3 (the so-called "anti-Tivo-ization" language) requires that any keys needed to "install and execute modified versions of a covered work" must be disclosed just like the source code. So, any distribution that wanted to get a key and keep it private so that their systems will boot on locked-down hardware will not be able to do so if it uses GRUB 2.

Platform vendors are likely to use a key from UEFI as the PK, and distribute updated signature databases from the organization signed by that key. While any KEK that gets compromised will be added to the forbidden list, updating the firmware will presumably be optional so that existing hardware will still boot from code signed by compromised keys; newer hardware would get the updated forbidden list. But it would certainly be possible for an OS to "phone home" for the most recent signature database and refuse to run until the database in the firmware is current. That could be seen as reasonable protection (against malware signed by the compromised key) but would also be a fairly effective anti-jailbreaking feature.

It will be important for free software OSes (Linux distributions, the BSDs, etc.) and users to ensure that hardware vendors are aware of their needs here. Microsoft and Apple have no interest in enabling anything other than their own code to boot and run on tomorrow's hardware, and it wouldn't bother them at all to see free software get left out in the cold. In the consumer device space, it is certain that some vendors will take the opportunity to lock down their devices using UEFI, but in the server space, Linux has such a presence that one would guess some kind of solution (perhaps just an "off" switch) will be found. Desktop computers, on the other hand, are dominated by Microsoft (and to a lesser extent Apple), so our leverage there may be insufficient. If we don't keep an eye on it, your next desktop may simply refuse to boot your OS of choice.

[ I would like to thank Manoj Iyer for giving me a heads-up about this issue. ]

Index entries for this article
Security	Integrity management
Security	Secure boot
Security	Signing code

UEFI and "secure boot"

Posted Jun 16, 2011 3:08 UTC (Thu) by mjg59 (subscriber, #23239) [Link] (1 responses)

Based on my experience of the quality of EFI implementations so far:

I suspect that any current UEFI vendor who implements this will be free to ship GPLv3 bootloaders by virtue of being so indescribably inept that it'll be trivial for anyone to bypass the trusted path and boot their own bootloader.

UEFI and "secure boot"

Posted Jun 17, 2011 5:17 UTC (Fri) by khc (guest, #45209) [Link]

Can I nominate this for next week's security quote?

UEFI and "secure boot"

Posted Jun 16, 2011 5:48 UTC (Thu) by ras (subscriber, #33059) [Link]

Yeah, well as the article says, the only real problem with the proposal is the one it raises at the start:

> It all depends on who holds the signing keys.

Given the key is programmable this doesn't seem to be an issue. If I am an organisation that cares, I can just program it. If I like to run tweaked versions of Grub I can ignore it.

But then we have this:

> Platform vendors are likely to use a key from UEFI as the PK, and distribute updated signature databases from the organization signed by that key.

This is the nub of the issue. Is it a published policy, or just a guess?

It could lead to a world of pain for platform vendors. It in all probability would end up meaning only the version of Windows shipped by the vendor would boot.

UEFI and "secure boot"

Posted Jun 16, 2011 6:39 UTC (Thu) by mennucc1 (guest, #14730) [Link]

hopefully, UEFI hw will be shipped by OEM in "setup" mode, and , when the O.S. will be installed for the first time, it will write the PK in it; so people who want to use Linux will need to buy "virgin" hw with no O.S. on it: this will be fine for servers, but it may be a problem for notebooks (e.g. in Italy it is almost impossible to buy a notebook w/o Window$ preinstalled)

For crying out loud - WRITE ENABLE SWITCH!

Posted Jun 16, 2011 10:02 UTC (Thu) by NRArnot (subscriber, #3033) [Link] (1 responses)

The answer is as old as the hills, it's been used on mechanical devices ever since they got to be capable of amputating fingers. A scabbard for a knife or sword, a safety catch on a firearm, ....

In electronics form, it's the WRITE ENABLE switch, which I first saw on a DEC exchangeable-platter disk drive storing all of 20Mb on 15-inch FeO2-coated platters.

It doesn't have to be a switch, just something that can be done by the owner, given physical access to the hardware, and never by a piece of malicious software (at least, not until the hardware is a robot, in which case we'll have to re-discover what for a human is the small of his back).

Anyway, for a PC motherboard, there should be a SECURE BOOT DISABLE jumper, just as there is a password disable jumper for the better modern BIOSes. For other smart devices, something similar, requiring a simple but nontrivial amount of fiddling with the device.

For manufacturers worried about warranty returns, it might even be a one-way trip - protect the switch or jumper with one of those "warranty void if removed" security labels. Two levels of the same idea.

For crying out loud - WRITE ENABLE SWITCH!

Posted Jun 16, 2011 17:52 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

A lot of TPMs have a requirement for 'physical proof of presence' to do hardware reset. Usually, it requires pressing a certain key on hardware keyboard (with TPM hardwired to hardware keyboard controller).

UEFI and "secure boot"

Posted Jun 16, 2011 11:00 UTC (Thu) by dskoll (subscriber, #1630) [Link] (2 responses)

If we don't keep an eye on it, your next desktop may simply refuse to boot your OS of choice.

I can assure you that my next desktop will definitely boot the OS of my choice. Market pressure will ensure that there will always be some open systems.

Vendor-lockin-boot proposals have been made several times in the past and have never gone anywhere. I have no reason to believe this latest proposal will go anywhere either, at least not on commodity desktop machines.

UEFI and "secure boot"

Posted Jun 16, 2011 14:59 UTC (Thu) by bronson (subscriber, #4806) [Link]

Agreed. Many big Android device makers have announced that in the future their bootloaders will be unlocked (worth a quick Google). The carriers wanted lockin but the customers are saying no.

Non-Apple customers that is...

UEFI and "secure boot"

Posted Jun 17, 2011 19:29 UTC (Fri) by raven667 (subscriber, #5198) [Link]

It is going to depend a lot on the vendor and it may not get off the ground, we've been talking about general lockdown using the TPM for many years but it has yet to come to pass.

I would imagine that if this does become popular that it will be used mostly by big vendors who sell low end devices for home use, and Apple. Since the computer will not be entirely user-modifyable its more like a rental or a service. This could be used for appliance like systems where all maintenance is done by the vendor and only vendor-approved software, drivers are used. There is certainly a market for that kind of thing, as Apple is demonstrating.

In the highly unlikely event that general consumer hardware becomes widely keyed to only boot Windows that might actually boost Linux specific hardware vendors like System76 or Dell's N-Series lines as there is market demand for non-Windows systems but regular computers run non-Windows well enough that there isn't much of a market for systems built for non-Windows use.

Motherboard vendors will never pre-key such a thing as their customers are far more diverse, technical and demanding. Motherboard vendors don't necessarily cater to or test non-Windows use cases, they aren't going to go out of their way to alienate those customers either.

A lot of this TPM and UEFI tech makes sense if it is just set up during initial system install or first boot and is under control of the owner.

Old news?

Posted Jun 16, 2011 15:25 UTC (Thu) by jreiser (subscriber, #11027) [Link] (1 responses)

Is widely-distributed UEFI the only news here? The ASUS P5QPRO motherboard from 2008, three years ago, claims to support the necessary hardware. The common boot ROM BIOS does not support it, but the BIOS is flashable. Some Apple x86 hardware as old as 2006 allegedly has unused TPM hardware: http://www.osxbook.com/book/bonus/chapter7/tpmdrmmyth/. Linux itself has had driver/char/tpm for six or seven years. The implications of actual lockdown have been foreseen for a long time.

Old news?

Posted Sep 21, 2011 13:16 UTC (Wed) by kylegordon (guest, #80373) [Link]

From TFA: "The UEFI 2.3.1 specification [agreement required] has a number of new features, one of which is the optional "secure boot" protocol."

Given that UEFI 2.3.1 only came out in April 2011, I doubt your 5 year old Apple hardware has UEFI 2.3.1 compliant firmware.

TPM isn't UEFI, and a TPM can only be used to trust the boot system to allow you to decrypt data. It doesn't prevent you from booting a new/different OS.

UEFI and "secure boot"

Posted Jun 20, 2011 8:56 UTC (Mon) by marcH (subscriber, #57642) [Link] (1 responses)

As others have said above in various forms, I think this will go the very same way as DVD zoning or SIM-locking today. In the future your average grand ma will be "protected" from running random software on her smart phone, while LWN readers will quickly find the hardware switch/cheat code to bypass the restrictions. Think Microsoft and Apple as Hollywood and hardware manufacturers as... themselves.

The only question left is: will this void the warranty?

UEFI and "secure boot"

Posted Jun 25, 2011 5:38 UTC (Sat) by Hausvib6 (guest, #70606) [Link]

Of course it will, hw manufacturer will use every chance of voiding the hw warranty. Even today, replacing the preinstalled OS in laptop may void the warranty (depends on the goodwill of the manufacturer).

UEFI and "secure boot"

Posted Jun 20, 2011 8:59 UTC (Mon) by marcH (subscriber, #57642) [Link] (1 responses)

This question is unrelated (sorry) but it might meet the right public here.

Is UEFI just "Not Invented Here" considering that OpenFirmware (and others?) apparently offered the same features decades earlier?

UEFI and "secure boot"

Posted Jun 28, 2011 13:22 UTC (Tue) by leandro (guest, #1460) [Link]

Yes, OpenFirmware seemed to be not only much earlier but more elegant, and an open standard.

UEFI and "secure boot"

Posted Sep 7, 2011 0:34 UTC (Wed) by Trelane (subscriber, #56877) [Link]

http://www.h-online.com/security/news/item/Windows-8-to-i...

Even links back to this article. :)

UEFI and "secure boot"

Posted Sep 22, 2011 7:35 UTC (Thu) by adendexter (guest, #80393) [Link] (1 responses)

I am pretty sure the handset makers don't want boot locking but the carriers would prefer that due to the margins involved. The costs have gone up significantly if you consider and if you compare each Android Phone to 1 Apple Phone sold. iPhone will generate 10 times more revenue for the carrier and Apple than a Android phone. Although I must say as a Android user, the costs are less and its more adaptive.

Aden Dexter
Designs Review

UEFI and "secure boot"

Posted Sep 23, 2011 0:54 UTC (Fri) by njs (subscriber, #40338) [Link]

AFAICT, its the handset makers who are deciding whether or not to do boot locking (e.g., HTC ~never does, Motorola ~always does, and carriers sell both). That seems inconsistent with the idea that it's the carriers driving this decision.

The market will decide

Posted Sep 22, 2011 9:23 UTC (Thu) by dion (guest, #2764) [Link]

At the moment we all grudgingly pay the MS-tax for each new laptop, so there no real penalty for vendors who choose to ship only windows.

If UEFI secure boot starts being locked down by vendors, then there is suddenly a market force punishing the vendors who do that because all non-windows users will be unable to buy those machines and ignore the MS-tax.

Even if non-windows users are only 2% of the market is that a group of customers that every vendor will ignore?

Personally I'd rather have clear EU regulations that forbid locking down hardware in a way that prevents owners from re-keying and running their own software.