Ubuntu details its UEFI secure boot plans
UEFI Secure boot is expected to interfere with many users' desire to replace Windows or dual-boot it with Linux, because Microsoft is mandating that secure boot be enabled on Windows 8 machines at the time of sale. On June 5, we reported on Fedora's plans for handling the secure boot mechanism in UEFI. Ubuntu has subsequently announced its own plans, which take a different approach.
To recap, the secure boot feature constrains the hardware only to boot software that has been signed by a known cryptographic key. The point is that booting only signed, trusted binaries prevents attacks through boot-time malware that could be undetectable after the infected system is up and running. Microsoft is requiring hardware vendors to have secure boot enabled if they want to include the official logo for the upcoming Windows 8, although x86 vendors are also required to allow the machine's owner to turn off secure boot entirely or to install new keys. That option is regarded as insufficient for several reasons, notably that there may be users who are required (e.g., by office rules) to keep secure boot switched on, and that entering new keys for every alternative OS is likely to be an arduous process (even more so for the scenario where one needs to boot a temporary OS, such as from a CD or USB key).
Fedora's strategy is to enroll in Microsoft's developer program, which allows the project to purchase an approved $99 key through Verisign, a key which will be recognized by UEFI secure boot. The key will be used to sign the shim bootloader, which is a "trivial UEFI first-stage bootloader" whose only job is to boot GRUB2. Fedora will also sign the GRUB2 bootloader and the kernel, although the latter two binaries can be signed with the Fedora project's own keys.
Ubuntu's plan
Canonical posted a brief announcement about its own secure boot plan on the company blog on June 22, although the details were to be found in Steve Langasek's message to the ubuntu-devel mailing list. Canonical has generated its own signing key which will be pre-loaded on machines that ship with Ubuntu already installed. Ubuntu CDs will ship with a shim bootloader (the same shim bootloader used by Fedora) signed by one of the existing Microsoft-certified keys, much like the Fedora plan.
After that point, however, the distribution is taking a markedly different approach to the trusted bootloader chain. An Ubuntu system will boot into the efilinux bootloader, which will in turn boot an unsigned kernel image. Under Fedora's plan, the shim bootloader verifies the integrity of GRUB2 before loading it, and GRUB2 in turn verifies the integrity of the kernel. Canonical says that their reading of the specification makes it clear that their secure boot responsibilities stop at the bootloader, and do not extend to the kernel:
Therefore, we will only be requiring authentication of boot loader binaries. Ubuntu will not require signed kernel images or kernel modules.
The decision to use efilinux has its own justification. Because GRUB2
is licensed under the GPLv3, Canonical determined that machines with
Ubuntu pre-installed are subject to the "User Product" provisions of
GPLv3, which requires
that the distributor provide the user with all authorization keys
required to install the software. The company consulted with the FSF
about that topic, and were warned that the authorization key clause
would probably (although not definitely...) apply. Thus, if a hardware vendor shipped an Ubuntu system and did not include a way for users to install keys of their own, Canonical would be compelled to disclose its key. Revealing the signing key would undermine the point
of secure boot and "at that point our certificates would of course
be revoked and everyone would end up worse off.
"
Signatures, revocation, and other fine print
Ubuntu's decision to use its own key for pre-installed machines has spawned relatively little debate, but there is a sharp disagreement over the decision not to sign kernel images. Red Hat's Matthew Garrett (who authored the Fedora secure boot plan) argued that signing only the bootloader is insufficient:
Jamie Strandboge replied
that "the UEFI specification and the Windows 8 logo requirements
is that Secure Boot is designed to protect early boot only,
"
and that signing the kernel and large portions of userspace is
unattractive for several reasons, "not least of which is that it
reduces the utility of the distribution.
"
Strandboge also contended that signing the kernel does not offer a significant level of protection over signing the bootloader, because the existence of any exploitable bootloader undermines the trust chain for all OS vendors. The argument goes that if DistroX's signed bootloader is vulnerable, malware authors could use it to create a malicious live CD image that will boot even on a machine that normally runs DistroY's secure bootloader with its signed kernel. Thus, signing the kernel image is useful for creating a trusted environment for user space, but it does not strengthen the protection of secure boot itself.
There is also the open question of how key-revocations and other updates to the secure boot world will work in practice. Both Fedora and Ubuntu plan to make use of a "shim" bootloader so that they can issue updates to the main bootloader without getting the updates signed by Microsoft. But the distributions will also need to issue revocations for vulnerable, signed bootloader and/or kernel images, and the process by which the OS vendor pushes those updates out has yet to be determined.
Although most multi-boot discussions revolve around dual-booting Windows and a single Linux distribution, that is hardly the only scenario. Canonical said that it will not offer its own signing key to sign the bootloaders of other distributions or vendors, which some feared would make it impossible to install, for example, Fedora on a machine that comes with Ubuntu pre-installed. However, the owners of machines pre-loaded with Ubuntu will still be able to install Fedora or other OSes in tandem, because the company will require its OEMs to include the Microsoft key in the secure boot key database alongside the Ubuntu key.
As Windows 8 draws near, the questions about UEFI secure boot and its impact on users continue to swirl. Clearly there are risks in handing the ultimate say in booting one's machine to a third party (particularly a rival OS vendor like Microsoft), and even though two of the largest distributions have crafted a plan for dealing with secure boot's restrictions, how much of an imposition the final product is still hinges on unknowns like the revocation and update process. But the biggest question that remains is whether it is wise to tacitly endorse secure boot by playing its games in first place. On that, the community may never arrive at a single answer.
| Index entries for this article | |
|---|---|
| Security | Secure boot |
Posted Jun 28, 2012 9:22 UTC (Thu)
by epa (subscriber, #39769)
[Link] (3 responses)
A machine that comes with Ubuntu pre-installed could still run Fedora or Windows or any other operating system, since the Ubuntu bootloader can surely be configured to boot other Linux distributions or OSes. It is not really necessary to include Microsoft's key or anyone else's. Indeed, it might be wise for Canonical to spin out their initial signed bootloader as a separate project, becoming the upstream for many other distributions. Then hardware vendors need include only a single key in order to boot pretty much any Linux distro.
Posted Jun 28, 2012 11:17 UTC (Thu)
by Jonno (subscriber, #49613)
[Link] (2 responses)
> Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through? Sort of. User-installed Ubuntu machines will boot a Verisign-signed shim bootloader, which will only launch an Canonical-signed efilinux bootloader (so the signed shim bootloader won't be useful to other distributions). However, unlike the Fedora-signed Grub 2 bootloader, the Canonical-signed efilinux bootloader will in turn launch any Linux kernel. OEM installations will include the Canonical public key in UEFI flash, and will launch the Canonical-signed efilinux bootloader directly, making the shim bootloader unnecessary. End users with a motherboard that allows adding new keys could conceivably also add the Canonical key and boot efilinux directly (or for that matter add the Fedora key and boot Grub 2 directly), making theoretically possible to remove the Verisign key. Note, however, that not all motherboards will offer that functionality. The Windows 8 logo requirements only state that you have to make it possible to add/remove keys or to disable secure boot entirely. I fully expect most consumer motherboards to only offer a simple disable option, while at least some enterprise motherboards will only offer the ability to add/remove keys (to satisfies corporate secure boot policies).
Posted Jun 28, 2012 14:12 UTC (Thu)
by epa (subscriber, #39769)
[Link] (1 responses)
But even in that case, isn't there some kexec type mechanism where the Linux kernel can be made to boot a different kernel or perhaps even GRUB2? My point is that if you can boot an arbitrary Linux kernel, with a little bit of programming work you can boot any other kernel. So Canonical's signed bootloader could be used by other distributions, even Fedora.
Posted Jun 29, 2012 16:03 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
And I assume it can be used to launch any other program at all, Linux or not. For example, an infected Windows kernel. So a smart Windows virus would install Canonical's signed efilinux bootloader along with its infected Windows kernel and defeat Microsoft's strategy to secure Windows 8 computers altogether.
So this should mean that Microsoft would not sign a key for Canonical, or should revoke it once Microsoft finds out Canonical is using it this way.
Or maybe I'm just still confused about how UEFI works.
Posted Jun 28, 2012 9:42 UTC (Thu)
by rwmj (subscriber, #5474)
[Link] (7 responses)
Posted Jun 28, 2012 16:32 UTC (Thu)
by wookey (guest, #5501)
[Link] (4 responses)
And is there a real practical problem that all this faffing about with keys solves? It seems to me that pre-boot infections are a very rare thing, and this cure it a lot worse than the disease. Perhaps I am wrong about that?
Secure boot could be useful in the same way that encrypting your machines disk, but only if _you_ have control. I remain doubtful that manufacturers are going to provide that control, and that could start to be a serious problem when buying new kit. We all resented the 'microsoft tax' on much PC and laptop x86 hardware to date, but you did at least get control of the hardware once it was in your hands. We seem to be heading for a world where that may no longer be true.
Buy carefully!
Posted Jun 28, 2012 19:29 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (3 responses)
Yes.
Posted Jun 28, 2012 19:39 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Jun 28, 2012 21:45 UTC (Thu)
by wookey (guest, #5501)
[Link] (1 responses)
Posted Jun 28, 2012 21:47 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link]
Posted Jun 28, 2012 19:41 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
There is going to be very little PC hardware produced that deliberatly opts not to be able to support Windows 8, even the vendors that sell linux pre-installed will be buying motherboards from vendors that want to sell the same motherboards to Windows users.
simply opting not to buy hardware with this feature is not likely to be a realistic option, the best we can hope for is that vendors have the option, but default to having it turned off.
Posted Jun 29, 2012 15:53 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
But answer to what? I believe the challenge that Ubuntu and Fedora are answering is the challenge of running Ubuntu or Fedora on hardware that has this feature.
Posted Jun 29, 2012 5:03 UTC (Fri)
by naptastic (guest, #60139)
[Link] (26 responses)
Posted Jun 29, 2012 16:07 UTC (Fri)
by giraffedata (guest, #1954)
[Link] (25 responses)
I think you're wrong about asking itself being gullible. Microsoft's public key is in ROM on the machine, and since there's no way for a worm to change ROM, I think it's entirely nongullible for the machine to ask itself whether the thing it's loading is approved by Microsoft.
Posted Jun 29, 2012 23:14 UTC (Fri)
by jmorris42 (guest, #2203)
[Link] (24 responses)
Except that it won't be. It will be in flash. And odds are most motherboards won't even implement basic protections to disable writes after POST/BIOS because they all want to keep the cute Windows based BIOS update features. And besides, how else is a revoked key list going to get updated?
But it really doesn't matter if Ubuntu gets away with their hack of the letter of the spec. I suspect lawyers will get brought into it before it is over but if they win it will be game over. Try again with a new & improved lockdown for Windows 9.
Posted Jun 29, 2012 23:43 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (23 responses)
Posted Jul 3, 2012 19:38 UTC (Tue)
by jmorris42 (guest, #2203)
[Link] (22 responses)
The cheap ones will also stop allowing the user to rekey or disable the secure boot. On the good side there will be exploits aplenty since it will just be security theater to appease the Hollywierd content gods and vendor locks to stop casual Linux use. It is a feature no customer is likely to ask for and no sales will depend on it being effective, so they will make it as cheap as Microsoft will let them qualify for the Windows 8 sticker with.
Posted Jul 3, 2012 19:41 UTC (Tue)
by mjg59 (subscriber, #23239)
[Link] (21 responses)
Posted Jul 4, 2012 2:56 UTC (Wed)
by giraffedata (guest, #1954)
[Link] (18 responses)
I don't think that's so. From what I can tell from various reports on the web, Microsoft defines a "custom mode" in which the user has the ability to rekey and disable secure boot, but it is optional for Windows 8 certified computers. And for ARM systems, it isn't even an option -- custom mode is prohibited.
For those where it's optional, I predict manufacturers will provide it, and other commentators seem to agree, but there is still an objection to the Windows 8 certification program because it's not easy enough to enter custom mode - the computer is required to ship in "standard mode" (boots only Microsoft-approved things) by default and you have to go into a machine setup dialog to do it (obviously, standard mode doesn't let an installer program just switch out of standard mode programmatically).
Posted Jul 4, 2012 3:07 UTC (Wed)
by naptastic (guest, #60139)
[Link]
Posted Jul 4, 2012 3:30 UTC (Wed)
by raven667 (subscriber, #5198)
[Link]
You might want to be more skeptical of some of the "various reports on the web", the sites you have been reading clearly aren't doing even the most basic of research and are probably not worth your time to read. Stick to LWN 8-)
Posted Jul 4, 2012 3:32 UTC (Wed)
by mjg59 (subscriber, #23239)
[Link] (13 responses)
'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a
Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.
Posted Mar 23, 2015 8:15 UTC (Mon)
by spaetz (guest, #32870)
[Link] (12 responses)
Posted Mar 23, 2015 16:08 UTC (Mon)
by paulj (subscriber, #341)
[Link] (11 responses)
http://cdn.arstechnica.net/wp-content/uploads/2015/03/win...
"Win10 Mobile: Must not allow secure boot to be turned off on retail device".
Thank you to all those who helped make SecureBoot a reality for Linux. I look forward to a future where I have to follow shady instructions on forums on how to hack around SecureBoot on a SecureBoot-mandatory PC device in order to be able to install my own copy of Linux.
Posted Mar 23, 2015 17:20 UTC (Mon)
by zlynx (guest, #2285)
[Link] (9 responses)
Posted Mar 23, 2015 21:22 UTC (Mon)
by paulj (subscriber, #341)
[Link] (6 responses)
Posted Mar 23, 2015 21:58 UTC (Mon)
by raven667 (subscriber, #5198)
[Link] (5 responses)
A system where you can't control the boot keys is not a system that you own, you are only renting, any system that you own you can do whatever you want with. If we can't convince MS to require owner-modifyable SecureBoot settings as part of their validation testing for the good of the community then this should be kicked up to the legislature of whatever region you are in and the right thing to do is to try and pass a law forbidding the notion that you are "buying" a computer if you don't have the access to own it, or forbidding the notion of rentable computers entirely.
Posted Mar 24, 2015 8:10 UTC (Tue)
by paulj (subscriber, #341)
[Link] (4 responses)
Further, at least some of the point of SecureBoot seems to be to give MS (or more likely partners) a false sense of security that the copy of Windows that is booted is the code that MS shipped. The whole point of SecureBoot is to *not boot* some code, unless signed and not blacklisted. As Microsoft states in their SecureBoot FAQ (emphasis mine):
I don't know if MS Windows 8 refuses to boot on platforms with SecureBoot disabled, however if SecureBoot on is mandatory for Windows 10 it surely can refuse to boot if it detects SecureBoot is off. (Course, a malicious firmware can just pretend, but then SecureBoot isn't about security for you or I - its about control).
There are SecureBoot shims for Linux available which I gather will boot anything. They exist just to provide a properly signed image that MS-signed SecureBoot will accept, and then boot whatever. However, you have to wonder how long this will be tolerated by Microsoft. This SecureBoot shim can be blacklisted with the firmware at any time, by any SecureBoot OS (e.g. Windows could do so say).
It is quite clear what Microsofts' aim is with SecureBoot. They state it openly. Their aim is to be able to control what software is allowed to boot on any windows-capable system. First they had to get the technical infrastructure in place, with them controlling the key. That is now done, on the back of "it won't be mandatory (except on ARM, cough)". Next they will work to have more and more systems, and classes of systems, ship with mandatory SecureBoot. This is the logical outcome (SecureBoot doesn't make much sense otherwise), and it is their stated goal for this technology. So believe them!
Posted Mar 24, 2015 15:54 UTC (Tue)
by raven667 (subscriber, #5198)
[Link] (3 responses)
It doesn't actually do that, it's completely misdesigned if that were the case, it's intended to stop the boot process if the low level boot code has been trojaned so that you can boot into a recovery partition and wipe away the trojan without requiring a support call or a trip to the computer shop to have a technician do it for you. Ideally you can get an anti-malware system started early to clean out the higher level OS components which have a greater attack surface area. SecureBoot doesn't provide any reliable way to attest whether the OS has been booted correctly, aside from the fact that the OS booted at all, unlike TPM which tries to measure the running state to see if anything has been changed.
Posted Mar 24, 2015 17:19 UTC (Tue)
by paulj (subscriber, #341)
[Link] (1 responses)
What others involved in the Linux side of SecureBoot have said is that it is there to prevent persistent exploits. This is for a narrow definition of machine. E.g. on Fedora UEFI validates the SB shim's signature. The SB Shim validates the Fedora signature on the kernel. The kernel validates signatures on any modules are loaded.
In theory they could go further and also have the kernel validate signatures of ELF objects, at least for certain classes of ELF objects (by user, by SELinux label, whatever).
That's quite a chain of software that can be verified as "Secure", from bootloader to modules (already) and potentially even to (select) user-space binaries - no technical barrier. I don't know the details of the Windows solution, but I gather they also have signed drivers that are checked, so I assume they have a similar chain of trust.
Now, this chain of trust is still rooted in a firmware that can't be validated by the OS, but that's hard. The chain on Linux includes a good bit of software which almost certainly has a multitude of unknown security bugs.
So, I don't know quite know what you mean by “It doesn't actually do that, it's completely misdesigned if that were the case, it's intended to stop the boot process if the low level boot code has been trojaned”.
From what I can tell, SecureBoot *is* being used to validate (to an extent) that kernel and driver code is signed with a trusted key - certainly on Linux, and I thought somewhat on Windows too. So it is being used to try validate that the booted code (inc OS) is the vendor shipped code.
I also agree SecureBoot doesn't do much to actually prevent or detect after boot whether or not the OS actually:
a) Is the code that was meant to be booted
b) Has not been subverted.
Even assuming the firmware itself was not exploited. Yet, this seems to be the hope some have for SecureBoot. Also, I think just measuring the code is insufficient. It ignores the other, essential, part of computing: The state. And exploits often originate in the state!
Either we're actually in agreement or one of us is confused. ;)
Posted Mar 26, 2015 15:00 UTC (Thu)
by raven667 (subscriber, #5198)
[Link]
Sure, that's why they didn't go down that road, SecureBoot is narrowly scoped so as to be easier to implement and less disruptive. There already exists the TPM for trying to validate a running system.
> VM/BluePill attack
SecureBoot doesn't attempt to stop people from running VMs, that would be silly, but that is the problem people worry about with kexec or grub if malware can _transparently_ rewrite the whole boot process using signed tools (bootloader, kernel, userspace) in a way that doesn't require user intervention and that the end user and anti-malware software can't trivially detect. It's no problem if no one actually builds widely deployed malware that uses this tactic, but if it starts get widely used to deploy malware then you would probably want to revoke the bootloader at the top of that chain, but that may not be possible, as we've seen in an analogous instance with X.509 CAs who have poor validation practices, sometimes they are too much trouble to revoke.
If the signed grub or whatever didn't have a way to boot arbitrary things without user intervention, even if it just had some forced wait in a menu/splash screen or required an interactive OK before booting something arbitrary so that it would be obvious it was there, that might be enough to make it unattractive for malware.
> Either we're actually in agreement or one of us is confused. ;)
As a co-worker always says, "blame me, it scales well".
Posted Mar 25, 2015 22:54 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link]
I thought TPM was the reverse problem: does the software trust the hardware?
Posted Mar 23, 2015 22:02 UTC (Mon)
by spaetz (guest, #32870)
[Link]
It is also telling how quickly the "taken for granted" compatability as eg touted here https://lwn.net/Articles/497949/ will be vanish.
Posted Mar 26, 2015 2:19 UTC (Thu)
by nix (subscriber, #2304)
[Link]
i.e. they'll treat Secure Boot just like they treat every other remotely technical property of the machine and let you discover it for yourself.
Posted Mar 23, 2015 18:06 UTC (Mon)
by raven667 (subscriber, #5198)
[Link]
I can understand why MS no longer cares about certifying that new hardware can run Win7 because they don't have interest in selling that configuration, but they can be helpful in using their position as the biggest power in the desktop/laptop ecosystem to keep that ecosystem open. Certainly there is going to continue to be devices where SecureBoot is configurable because there is a sufficient market for them but it'd be nice to not require people to have to buy "Pro" or "Developer" versions of machines to fully control their software.
Posted Jul 4, 2012 4:08 UTC (Wed)
by Fowl (subscriber, #65667)
[Link] (1 responses)
On the other hand, it only requires the ability to disable secure boot, not re-key it.
Posted Jul 4, 2012 4:15 UTC (Wed)
by mjg59 (subscriber, #23239)
[Link]
Posted Jul 5, 2012 21:01 UTC (Thu)
by jmorris42 (guest, #2203)
[Link] (1 responses)
How many motherboards have you fought to make power management work on? How about the temp/voltage/fan sensors? Last I heard working ACPI is also a requirement for the Windows logo program.
Now add in the fact that Microsoft is almost certain to be quietly 'encouraging' motherboard makers to break this particular feature. Raise your hand if you don't think an OEM would instantly get into the double secret marketing co-op program and qualify for special pricing or marketing kickbacks for discouraging OS migration?
Posted Jul 5, 2012 21:05 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link]
Ubuntu's approach sounds better - if it works
Ubuntu's approach sounds better - if it works
Ubuntu's approach sounds better - if it works
Ubuntu's approach sounds better - if it works
If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution
Turn off "secure" boot
Turn off "secure" boot
Turn off "secure" boot
Turn off "secure" boot
Turn off "secure" boot
Turn off "secure" boot
Turn off "secure" boot
Turn off "secure" boot
I think the best answer is that we encourage end users to not buy hardware that has this anti-user feature.
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing?
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:'
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
UEFI has a global variable called "SecureBoot" which indicates whether the firmware operates in SecureBoot mode or not. So a bootloader can certainly tell with a UEFI call.
Ubuntu details its UEFI secure boot plans
“Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.”
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
Ubuntu details its UEFI secure boot plans
