Ubuntu details its UEFI secure boot plans [LWN.net]

By Nathan Willis
June 27, 2012

UEFI Secure boot is expected to interfere with many users' desire to replace Windows or dual-boot it with Linux, because Microsoft is mandating that secure boot be enabled on Windows 8 machines at the time of sale. On June 5, we reported on Fedora's plans for handling the secure boot mechanism in UEFI. Ubuntu has subsequently announced its own plans, which take a different approach.

To recap, the secure boot feature constrains the hardware only to boot software that has been signed by a known cryptographic key. The point is that booting only signed, trusted binaries prevents attacks through boot-time malware that could be undetectable after the infected system is up and running. Microsoft is requiring hardware vendors to have secure boot enabled if they want to include the official logo for the upcoming Windows 8, although x86 vendors are also required to allow the machine's owner to turn off secure boot entirely or to install new keys. That option is regarded as insufficient for several reasons, notably that there may be users who are required (e.g., by office rules) to keep secure boot switched on, and that entering new keys for every alternative OS is likely to be an arduous process (even more so for the scenario where one needs to boot a temporary OS, such as from a CD or USB key).

Fedora's strategy is to enroll in Microsoft's developer program, which allows the project to purchase an approved $99 key through Verisign, a key which will be recognized by UEFI secure boot. The key will be used to sign the shim bootloader, which is a "trivial UEFI first-stage bootloader" whose only job is to boot GRUB2. Fedora will also sign the GRUB2 bootloader and the kernel, although the latter two binaries can be signed with the Fedora project's own keys.

Ubuntu's plan

Canonical posted a brief announcement about its own secure boot plan on the company blog on June 22, although the details were to be found in Steve Langasek's message to the ubuntu-devel mailing list. Canonical has generated its own signing key which will be pre-loaded on machines that ship with Ubuntu already installed. Ubuntu CDs will ship with a shim bootloader (the same shim bootloader used by Fedora) signed by one of the existing Microsoft-certified keys, much like the Fedora plan.

After that point, however, the distribution is taking a markedly different approach to the trusted bootloader chain. An Ubuntu system will boot into the efilinux bootloader, which will in turn boot an unsigned kernel image. Under Fedora's plan, the shim bootloader verifies the integrity of GRUB2 before loading it, and GRUB2 in turn verifies the integrity of the kernel. Canonical says that their reading of the specification makes it clear that their secure boot responsibilities stop at the bootloader, and do not extend to the kernel:

We believe that the intention of secure boot is to protect against malicious use or modification of pre-boot code, before the ExitBootServices UEFI service is invoked. Currently, this call is performed by the boot loader, before the kernel is executed.

Therefore, we will only be requiring authentication of boot loader binaries. Ubuntu will not require signed kernel images or kernel modules.

The decision to use efilinux has its own justification. Because GRUB2 is licensed under the GPLv3, Canonical determined that machines with Ubuntu pre-installed are subject to the "User Product" provisions of GPLv3, which requires that the distributor provide the user with all authorization keys required to install the software. The company consulted with the FSF about that topic, and were warned that the authorization key clause would probably (although not definitely...) apply. Thus, if a hardware vendor shipped an Ubuntu system and did not include a way for users to install keys of their own, Canonical would be compelled to disclose its key. Revealing the signing key would undermine the point of secure boot and "at that point our certificates would of course be revoked and everyone would end up worse off."

Signatures, revocation, and other fine print

Ubuntu's decision to use its own key for pre-installed machines has spawned relatively little debate, but there is a sharp disagreement over the decision not to sign kernel images. Red Hat's Matthew Garrett (who authored the Fedora secure boot plan) argued that signing only the bootloader is insufficient:

How are you going to prevent your bootloader from being used to launch a trojaned Fedora kernel, for instance? This is the kind of decision that doesn't just affect Ubuntu, it has ramifications for the security model that other distributions use. This makes it impossible to implement any kind of signed userspace unless the user explicitly revokes the Ubuntu bootloader first or uses their own trust chain.

Jamie Strandboge replied that "the UEFI specification and the Windows 8 logo requirements is that Secure Boot is designed to protect early boot only," and that signing the kernel and large portions of userspace is unattractive for several reasons, "not least of which is that it reduces the utility of the distribution."

Strandboge also contended that signing the kernel does not offer a significant level of protection over signing the bootloader, because the existence of any exploitable bootloader undermines the trust chain for all OS vendors. The argument goes that if DistroX's signed bootloader is vulnerable, malware authors could use it to create a malicious live CD image that will boot even on a machine that normally runs DistroY's secure bootloader with its signed kernel. Thus, signing the kernel image is useful for creating a trusted environment for user space, but it does not strengthen the protection of secure boot itself.

There is also the open question of how key-revocations and other updates to the secure boot world will work in practice. Both Fedora and Ubuntu plan to make use of a "shim" bootloader so that they can issue updates to the main bootloader without getting the updates signed by Microsoft. But the distributions will also need to issue revocations for vulnerable, signed bootloader and/or kernel images, and the process by which the OS vendor pushes those updates out has yet to be determined.

Although most multi-boot discussions revolve around dual-booting Windows and a single Linux distribution, that is hardly the only scenario. Canonical said that it will not offer its own signing key to sign the bootloaders of other distributions or vendors, which some feared would make it impossible to install, for example, Fedora on a machine that comes with Ubuntu pre-installed. However, the owners of machines pre-loaded with Ubuntu will still be able to install Fedora or other OSes in tandem, because the company will require its OEMs to include the Microsoft key in the secure boot key database alongside the Ubuntu key.

As Windows 8 draws near, the questions about UEFI secure boot and its impact on users continue to swirl. Clearly there are risks in handing the ultimate say in booting one's machine to a third party (particularly a rival OS vendor like Microsoft), and even though two of the largest distributions have crafted a plan for dealing with secure boot's restrictions, how much of an imposition the final product is still hinges on unknowns like the revocation and update process. But the biggest question that remains is whether it is wise to tacitly endorse secure boot by playing its games in first place. On that, the community may never arrive at a single answer.

Index entries for this article
Security	Secure boot

to post comments

Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 9:22 UTC (Thu) by epa (subscriber, #39769) [Link] (3 responses)

If Ubuntu can get away with their plan, and not have their key revoked by the capricious gods of key revocation, then it sounds like a better approach to not require signed kernels. Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?

A machine that comes with Ubuntu pre-installed could still run Fedora or Windows or any other operating system, since the Ubuntu bootloader can surely be configured to boot other Linux distributions or OSes. It is not really necessary to include Microsoft's key or anyone else's. Indeed, it might be wise for Canonical to spin out their initial signed bootloader as a separate project, becoming the upstream for many other distributions. Then hardware vendors need include only a single key in order to boot pretty much any Linux distro.

Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 11:17 UTC (Thu) by Jonno (guest, #49613) [Link] (2 responses)

> Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?

Sort of. User-installed Ubuntu machines will boot a Verisign-signed shim bootloader, which will only launch an Canonical-signed efilinux bootloader (so the signed shim bootloader won't be useful to other distributions).

However, unlike the Fedora-signed Grub 2 bootloader, the Canonical-signed efilinux bootloader will in turn launch any Linux kernel.

OEM installations will include the Canonical public key in UEFI flash, and will launch the Canonical-signed efilinux bootloader directly, making the shim bootloader unnecessary. End users with a motherboard that allows adding new keys could conceivably also add the Canonical key and boot efilinux directly (or for that matter add the Fedora key and boot Grub 2 directly), making theoretically possible to remove the Verisign key.

Note, however, that not all motherboards will offer that functionality. The Windows 8 logo requirements only state that you have to make it possible to add/remove keys or to disable secure boot entirely. I fully expect most consumer motherboards to only offer a simple disable option, while at least some enterprise motherboards will only offer the ability to add/remove keys (to satisfies corporate secure boot policies).

Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 14:12 UTC (Thu) by epa (subscriber, #39769) [Link] (1 responses)

If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution, unless the other distribution depends on some special bootloader magic beyond the usual initrd and parameter passing.

But even in that case, isn't there some kexec type mechanism where the Linux kernel can be made to boot a different kernel or perhaps even GRUB2? My point is that if you can boot an arbitrary Linux kernel, with a little bit of programming work you can boot any other kernel. So Canonical's signed bootloader could be used by other distributions, even Fedora.

Ubuntu's approach sounds better - if it works

Posted Jun 29, 2012 16:03 UTC (Fri) by giraffedata (guest, #1954) [Link]

If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution

And I assume it can be used to launch any other program at all, Linux or not. For example, an infected Windows kernel. So a smart Windows virus would install Canonical's signed efilinux bootloader along with its infected Windows kernel and defeat Microsoft's strategy to secure Windows 8 computers altogether.

So this should mean that Microsoft would not sign a key for Canonical, or should revoke it once Microsoft finds out Canonical is using it this way.

Or maybe I'm just still confused about how UEFI works.

Turn off "secure" boot

Posted Jun 28, 2012 9:42 UTC (Thu) by rwmj (subscriber, #5474) [Link] (7 responses)

I think the best answer is that we encourage end users to not buy hardware that has this anti-user feature. If they have to buy such hardware, turn "secure" boot off.

Turn off "secure" boot

Posted Jun 28, 2012 16:32 UTC (Thu) by wookey (guest, #5501) [Link] (4 responses)

Quite. It seems like a really good reason not to buy an ARM device with Windows 8 on.

And is there a real practical problem that all this faffing about with keys solves? It seems to me that pre-boot infections are a very rare thing, and this cure it a lot worse than the disease. Perhaps I am wrong about that?

Secure boot could be useful in the same way that encrypting your machines disk, but only if _you_ have control. I remain doubtful that manufacturers are going to provide that control, and that could start to be a serious problem when buying new kit. We all resented the 'microsoft tax' on much PC and laptop x86 hardware to date, but you did at least get control of the hardware once it was in your hands. We seem to be heading for a world where that may no longer be true.

Buy carefully!

Turn off "secure" boot

Posted Jun 28, 2012 19:29 UTC (Thu) by mjg59 (subscriber, #23239) [Link] (3 responses)

> It seems to me that pre-boot infections are a very rare thing, and this cure it a lot worse than the disease. Perhaps I am wrong about that?

Yes.

Turn off "secure" boot

Posted Jun 28, 2012 19:39 UTC (Thu) by mjg59 (subscriber, #23239) [Link] (2 responses)

That is to say, yes, you're wrong about it being very rare - attacks on the boot process are becoming more common. Whether the cure is worse is more of a value judgement.

Turn off "secure" boot

Posted Jun 28, 2012 21:45 UTC (Thu) by wookey (guest, #5501) [Link] (1 responses)

Some evidence would help convince. Is this something that only affects Windows people which is why I've never heard of a case?

Turn off "secure" boot

Posted Jun 28, 2012 21:47 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Improvements in Windows security have meant that the boot process is an easier target. http://www.slideshare.net/daniel_bilar/matrosov-2012-reco... is a description of this in the real world, but there are several others out there.

Turn off "secure" boot

Posted Jun 28, 2012 19:41 UTC (Thu) by dlang (guest, #313) [Link] (1 responses)

the problem is that Microsoft is requiring this feature on any hardware that is going to be certified as supporting Windows 8

There is going to be very little PC hardware produced that deliberatly opts not to be able to support Windows 8, even the vendors that sell linux pre-installed will be buying motherboards from vendors that want to sell the same motherboards to Windows users.

simply opting not to buy hardware with this feature is not likely to be a realistic option, the best we can hope for is that vendors have the option, but default to having it turned off.

Turn off "secure" boot

Posted Jun 29, 2012 15:53 UTC (Fri) by giraffedata (guest, #1954) [Link]

I think the best answer is that we encourage end users to not buy hardware that has this anti-user feature.

But answer to what? I believe the challenge that Ubuntu and Fedora are answering is the challenge of running Ubuntu or Fedora on hardware that has this feature.

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 5:03 UTC (Fri) by naptastic (guest, #60139) [Link] (26 responses)

My technical understanding of this may be wrong, so please educate me. This whole thing seems like the Content Scrambling System of 1996. A computer just starting to boot can't check the Internet for someone's public keys, and even if it could, that could be spoofed. The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing?

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 16:07 UTC (Fri) by giraffedata (guest, #1954) [Link] (25 responses)

The system can ask (1) itself, and (2) the boot binary, whether that binary has permission to boot, and it seems like both those things should be gullible. What am I missing?

I think you're wrong about asking itself being gullible. Microsoft's public key is in ROM on the machine, and since there's no way for a worm to change ROM, I think it's entirely nongullible for the machine to ask itself whether the thing it's loading is approved by Microsoft.

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 23:14 UTC (Fri) by jmorris42 (guest, #2203) [Link] (24 responses)

> Microsoft's public key is in ROM on the machine

Except that it won't be. It will be in flash. And odds are most motherboards won't even implement basic protections to disable writes after POST/BIOS because they all want to keep the cute Windows based BIOS update features. And besides, how else is a revoked key list going to get updated?

But it really doesn't matter if Ubuntu gets away with their hack of the letter of the spec. I suspect lawyers will get brought into it before it is over but if they win it will be game over. Try again with a new & improved lockdown for Windows 9.

Ubuntu details its UEFI secure boot plans

Posted Jun 29, 2012 23:43 UTC (Fri) by mjg59 (subscriber, #23239) [Link] (23 responses)

Most EFI systems already lock down the flash such that it's only writeable in system management mode, and the SMM code validates writes before passing them on.

Ubuntu details its UEFI secure boot plans

Posted Jul 3, 2012 19:38 UTC (Tue) by jmorris42 (guest, #2203) [Link] (22 responses)

Most early flash BIOS machines had emergency reflash from a boot floppy, write protect jumpers, etc. All that went away as mass production happened. I'd expect the same to happen here, top of the line boards for workstations and servers will still tend to do the right thing but cheap consumer products won't.

The cheap ones will also stop allowing the user to rekey or disable the secure boot. On the good side there will be exploits aplenty since it will just be security theater to appease the Hollywierd content gods and vendor locks to stop casual Linux use. It is a feature no customer is likely to ask for and no sales will depend on it being effective, so they will make it as cheap as Microsoft will let them qualify for the Windows 8 sticker with.

Ubuntu details its UEFI secure boot plans

Posted Jul 3, 2012 19:41 UTC (Tue) by mjg59 (subscriber, #23239) [Link] (21 responses)

You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 2:56 UTC (Wed) by giraffedata (guest, #1954) [Link] (18 responses)

You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.

I don't think that's so. From what I can tell from various reports on the web, Microsoft defines a "custom mode" in which the user has the ability to rekey and disable secure boot, but it is optional for Windows 8 certified computers. And for ARM systems, it isn't even an option -- custom mode is prohibited.

For those where it's optional, I predict manufacturers will provide it, and other commentators seem to agree, but there is still an objection to the Windows 8 certification program because it's not easy enough to enter custom mode - the computer is required to ship in "standard mode" (boots only Microsoft-approved things) by default and you have to go into a machine setup dialog to do it (obviously, standard mode doesn't let an installer program just switch out of standard mode programmatically).

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:07 UTC (Wed) by naptastic (guest, #60139) [Link]

All of this begs the question: Is anyone seeking an injunction against this behavior, which is clearly an antitrust violation?

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:30 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Check out section System.Fundamentals.Firmware.UEFISecureBoot in document http://msdn.microsoft.com/en-us/library/windows/hardware/... especially paragraphs 17 and 18 which state that custom mode and enable/disable are mandatory on x86.

You might want to be more skeptical of some of the "various reports on the web", the sites you have been reading clearly aren't doing even the most basic of research and are probably not worth your time to read. Stick to LWN 8-)

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:32 UTC (Wed) by mjg59 (subscriber, #23239) [Link] (13 responses)

> I don't think that's so.

'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a
physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:'

Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 8:15 UTC (Mon) by spaetz (guest, #32870) [Link] (12 responses)

Flash from the not too distant future. Being able to turn off secure boot boot is no longer mandatory for windows 10 but only "optional". Surprise, surprise. Another turn of the screw.

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 16:08 UTC (Mon) by paulj (subscriber, #341) [Link] (11 responses)

Who, I say who, could have predicted that SecureBoot would change from "optional"? Also, note that the "SecureBoot mandatory" now changes from "ARM" to the more general "Mobile":

http://cdn.arstechnica.net/wp-content/uploads/2015/03/win...

"Win10 Mobile: Must not allow secure boot to be turned off on retail device".

Thank you to all those who helped make SecureBoot a reality for Linux. I look forward to a future where I have to follow shady instructions on forums on how to hack around SecureBoot on a SecureBoot-mandatory PC device in order to be able to install my own copy of Linux.

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 17:20 UTC (Mon) by zlynx (guest, #2285) [Link] (9 responses)

In this future of shady SecureBoot work-arounds why did you buy a PC that doesn't allow you to customize the boot keys? It would be like buying a laptop with integrated WiFi with no Linux driver.

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 21:22 UTC (Mon) by paulj (subscriber, #341) [Link] (6 responses)

So I'll have to choose between being able to boot my own Linux, or being able to boot major vendor's linux distros. Great to have to make that choice!

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 21:58 UTC (Mon) by raven667 (subscriber, #5198) [Link] (5 responses)

I don't think there is an either/or decision here, a SecureBoot signed bootloader doesn't care, and maybe can't even tell, if it's booted on a non-SecureBoot-enabled system, so if you can boot your own Linux you can certainly boot any OS you want.

A system where you can't control the boot keys is not a system that you own, you are only renting, any system that you own you can do whatever you want with. If we can't convince MS to require owner-modifyable SecureBoot settings as part of their validation testing for the good of the community then this should be kicked up to the legislature of whatever region you are in and the right thing to do is to try and pass a law forbidding the notion that you are "buying" a computer if you don't have the access to own it, or forbidding the notion of rentable computers entirely.

Ubuntu details its UEFI secure boot plans

Posted Mar 24, 2015 8:10 UTC (Tue) by paulj (subscriber, #341) [Link] (4 responses)

UEFI has a global variable called "SecureBoot" which indicates whether the firmware operates in SecureBoot mode or not. So a bootloader can certainly tell with a UEFI call.

Further, at least some of the point of SecureBoot seems to be to give MS (or more likely partners) a false sense of security that the copy of Windows that is booted is the code that MS shipped. The whole point of SecureBoot is to *not boot* some code, unless signed and not blacklisted. As Microsoft states in their SecureBoot FAQ (emphasis mine):

“Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.”

I don't know if MS Windows 8 refuses to boot on platforms with SecureBoot disabled, however if SecureBoot on is mandatory for Windows 10 it surely can refuse to boot if it detects SecureBoot is off. (Course, a malicious firmware can just pretend, but then SecureBoot isn't about security for you or I - its about control).

There are SecureBoot shims for Linux available which I gather will boot anything. They exist just to provide a properly signed image that MS-signed SecureBoot will accept, and then boot whatever. However, you have to wonder how long this will be tolerated by Microsoft. This SecureBoot shim can be blacklisted with the firmware at any time, by any SecureBoot OS (e.g. Windows could do so say).

It is quite clear what Microsofts' aim is with SecureBoot. They state it openly. Their aim is to be able to control what software is allowed to boot on any windows-capable system. First they had to get the technical infrastructure in place, with them controlling the key. That is now done, on the back of "it won't be mandatory (except on ARM, cough)". Next they will work to have more and more systems, and classes of systems, ship with mandatory SecureBoot. This is the logical outcome (SecureBoot doesn't make much sense otherwise), and it is their stated goal for this technology. So believe them!

Ubuntu details its UEFI secure boot plans

Posted Mar 24, 2015 15:54 UTC (Tue) by raven667 (subscriber, #5198) [Link] (3 responses)

> Further, at least some of the point of SecureBoot seems to be to give MS (or more likely partners) a false sense of security that the copy of Windows that is booted is the code that MS shipped.

It doesn't actually do that, it's completely misdesigned if that were the case, it's intended to stop the boot process if the low level boot code has been trojaned so that you can boot into a recovery partition and wipe away the trojan without requiring a support call or a trip to the computer shop to have a technician do it for you. Ideally you can get an anti-malware system started early to clean out the higher level OS components which have a greater attack surface area. SecureBoot doesn't provide any reliable way to attest whether the OS has been booted correctly, aside from the fact that the OS booted at all, unlike TPM which tries to measure the running state to see if anything has been changed.

Ubuntu details its UEFI secure boot plans

Posted Mar 24, 2015 17:19 UTC (Tue) by paulj (subscriber, #341) [Link] (1 responses)

Well, a low-level attack, e.g. VM/BluePill attack: Indeed, SecureBoot can't stop that because, as you describe, SecureBoot doesn't have a secure anchor to attest the running state. The VM can simply emulate SecureBoot.

What others involved in the Linux side of SecureBoot have said is that it is there to prevent persistent exploits. This is for a narrow definition of machine. E.g. on Fedora UEFI validates the SB shim's signature. The SB Shim validates the Fedora signature on the kernel. The kernel validates signatures on any modules are loaded.

In theory they could go further and also have the kernel validate signatures of ELF objects, at least for certain classes of ELF objects (by user, by SELinux label, whatever).

That's quite a chain of software that can be verified as "Secure", from bootloader to modules (already) and potentially even to (select) user-space binaries - no technical barrier. I don't know the details of the Windows solution, but I gather they also have signed drivers that are checked, so I assume they have a similar chain of trust.

Now, this chain of trust is still rooted in a firmware that can't be validated by the OS, but that's hard. The chain on Linux includes a good bit of software which almost certainly has a multitude of unknown security bugs.

So, I don't know quite know what you mean by “It doesn't actually do that, it's completely misdesigned if that were the case, it's intended to stop the boot process if the low level boot code has been trojaned”.

From what I can tell, SecureBoot *is* being used to validate (to an extent) that kernel and driver code is signed with a trusted key - certainly on Linux, and I thought somewhat on Windows too. So it is being used to try validate that the booted code (inc OS) is the vendor shipped code.

I also agree SecureBoot doesn't do much to actually prevent or detect after boot whether or not the OS actually:

a) Is the code that was meant to be booted

b) Has not been subverted.

Even assuming the firmware itself was not exploited. Yet, this seems to be the hope some have for SecureBoot. Also, I think just measuring the code is insufficient. It ignores the other, essential, part of computing: The state. And exploits often originate in the state!

Either we're actually in agreement or one of us is confused. ;)

Ubuntu details its UEFI secure boot plans

Posted Mar 26, 2015 15:00 UTC (Thu) by raven667 (subscriber, #5198) [Link]

> Now, this chain of trust is still rooted in a firmware that can't be validated by the OS, but that's hard.

Sure, that's why they didn't go down that road, SecureBoot is narrowly scoped so as to be easier to implement and less disruptive. There already exists the TPM for trying to validate a running system.

> VM/BluePill attack

SecureBoot doesn't attempt to stop people from running VMs, that would be silly, but that is the problem people worry about with kexec or grub if malware can _transparently_ rewrite the whole boot process using signed tools (bootloader, kernel, userspace) in a way that doesn't require user intervention and that the end user and anti-malware software can't trivially detect. It's no problem if no one actually builds widely deployed malware that uses this tactic, but if it starts get widely used to deploy malware then you would probably want to revoke the bootloader at the top of that chain, but that may not be possible, as we've seen in an analogous instance with X.509 CAs who have poor validation practices, sometimes they are too much trouble to revoke.

If the signed grub or whatever didn't have a way to boot arbitrary things without user intervention, even if it just had some forced wait in a menu/splash screen or required an interactive OK before booting something arbitrary so that it would be obvious it was there, that might be enough to make it unattractive for malware.

> Either we're actually in agreement or one of us is confused. ;)

As a co-worker always says, "blame me, it scales well".

Ubuntu details its UEFI secure boot plans

Posted Mar 25, 2015 22:54 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

> unlike TPM which tries to measure the running state to see if anything has been changed.

I thought TPM was the reverse problem: does the software trust the hardware?

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 22:02 UTC (Mon) by spaetz (guest, #32870) [Link]

Because major vendors aren't going to bother making things easy for anybody not using Windows. So the selection of hardware devices working with Linux are going to shrink to a tiny selection of geek devices. Great.

It is also telling how quickly the "taken for granted" compatability as eg touted here https://lwn.net/Articles/497949/ will be vanish.

Ubuntu details its UEFI secure boot plans

Posted Mar 26, 2015 2:19 UTC (Thu) by nix (subscriber, #2304) [Link]

Because they won't tell you whether or not key customization is supported until you bought it and got it home and found you were screwed, and then it's more or less too late (huge inconvenience factor in going back and getting it replaced, and no guarantee at all that the next machine won't be just the same).

i.e. they'll treat Secure Boot just like they treat every other remotely technical property of the machine and let you discover it for yourself.

Ubuntu details its UEFI secure boot plans

Posted Mar 23, 2015 18:06 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Well, the work on SecureBoot for Linux means that this should be a no-op for the major existing distros, they already use a bootloader shim that will continue to work. That doesn't mean that we shouldn't still condemn the practice of making the end-user configurability of SecureBoot optional, it should continue to be mandatory for the end user to retain control over their device. We should continue to encourage the proliferation of user controllable devices on Mobile as well, the Nexus line is fairly open and many others aren't bothering to prevent enduser modification.

I can understand why MS no longer cares about certifying that new hardware can run Win7 because they don't have interest in selling that configuration, but they can be helpful in using their position as the biggest power in the desktop/laptop ecosystem to keep that ecosystem open. Certainly there is going to continue to be devices where SecureBoot is configurable because there is a sufficient market for them but it'd be nice to not require people to have to buy "Pro" or "Developer" versions of machines to fully control their software.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 4:08 UTC (Wed) by Fowl (subscriber, #65667) [Link] (1 responses)

"Custom mode" must be user (not programmatically) accessible in order to certify.

On the other hand, it only requires the ability to disable secure boot, not re-key it.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 4:15 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

Argh no really the entire point of custom mode is that it allows re-keying. It's distinct from being able to just disable secure boot.

Ubuntu details its UEFI secure boot plans

Posted Jul 5, 2012 21:01 UTC (Thu) by jmorris42 (guest, #2203) [Link] (1 responses)

I wasn't referring to official policy, I'm in the real world discussing what will actually happen. Most motherboard vendors have trouble making a lot of 'mandatory' things that customers actually care about work. Just how much effort do you think they will put into making this stuff work beyond what is required to boot Windows 8 and get the little sticker?

How many motherboards have you fought to make power management work on? How about the temp/voltage/fan sensors? Last I heard working ACPI is also a requirement for the Windows logo program.

Now add in the fact that Microsoft is almost certain to be quietly 'encouraging' motherboard makers to break this particular feature. Raise your hand if you don't think an OEM would instantly get into the double secret marketing co-op program and qualify for special pricing or marketing kickbacks for discouraging OS migration?

Ubuntu details its UEFI secure boot plans

Posted Jul 5, 2012 21:05 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

This functionality is required to get the little sticker, and ACPI functionality is tested by Microsoft. The problem with ACPI is that it's only tested under Windows, and our implementation isn't identical to Windows. That's not a concern at this level of firmware. Plus, like I said, this is functionality that's already present in the firmware that OEMs get. They'd need to actively put work into removing it.