Linux Foundation Offers Solution for UEFI Secure Boot

Posted by Soulskill
from the sidestep-and-ignore dept.
Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome: "The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system." The announcement adds, "The pre-bootloader will employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
  • by Anonymous Coward on Friday October 12, 2012 @09:31AM (#41630117)

    As per subject

    • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Friday October 12, 2012 @09:33AM (#41630141) Journal

      Exactly. Malware authors can use this. So we've come full-circle and only gained a big heap of complexity. Which is the best we could hope for once this idiotic idea got going.

      • by Joce640k (829181) on Friday October 12, 2012 @09:53AM (#41630471) Homepage

        Exactly. Malware authors can use this.

        Not if everything in the startup chain has to be correctly signed ... something which a malware author can't do.

        • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Friday October 12, 2012 @10:00AM (#41630587) Journal

They didn't seem to have any problem setting up boot sector viruses without UEFI secure boot, so if they can get a signed bootloader, why should they now? And signing the startup chain will remove even MORE user freedoms; it's a chicken-and-egg problem that won't end until the OS is at least as locked down as iOS.

        • Re: (Score:3, Interesting)

          If you've got a closed system of bits, then enough time, hardware, and interest should yield a way to jailbreak it.
          So the real value would seem to be found in upping the time, hardware, and interest requirements.
          What could well happen is that, in making Windows really painful to integrate with other systems, Redmond kills their sales.
          And wouldn't that just suck Puget Sound dry?
      • by Just Brew It! (636086) on Friday October 12, 2012 @10:03AM (#41630635)
        RTFA. I think you'd notice if your Windows PC suddenly started displaying a Linux Foundation splash screen and waiting for you to hit Enter before booting the OS.
        • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Friday October 12, 2012 @10:08AM (#41630725) Journal

          And what will the average noob user do? Hit Enter to use their computer or use a Windows recovery disk* to fix the bootloader? And if they do hit Enter and the computer apparently works fine, what do you think they'll do then?

          *Not sold with many PCs, must be burned from the hard disk

        • by Hatta (162192) on Friday October 12, 2012 @10:40AM (#41631197) Journal

          And I'd be really fucking pissed off if my Linux PC required a user present at the console to reboot. Seriously, how is this a fix?

          • by recoiledsnake (879048) on Friday October 12, 2012 @11:23AM (#41631723)

            Here we go with the hyperbolics without even RTFA'ing. You can choose to install the key in the store when UEFI is in setup mode so that you don't see the prompt again.

            http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source [linuxfoundation.org]

            Or just fricking turn off secure boot.

          • by DRJlaw (946416) on Friday October 12, 2012 @11:40AM (#41631979)

            And I'd be really fucking pissed off if my Linux PC required a user present at the console to reboot. Seriously, how is this a fix?

            Because it is a fix for those who cannot or will not use the alternative of entering their own list of acceptable signing keys into the UEFI, which would not require a user present but draws a great hue and cry that it is "too complex" for the average Linux user to accomplish.

            1. Enter your keys into the UEFI key list, walk away; or
            2. Have a user present to acknowledge that they want to boot unsigned/signed-but-not-entered code; or
            3. Don't use a UEFI PC; but not
            4. Prevent the rest of the world from having access to a secure boot chain because you refuse to lift a finger yourself

          • by Cajun Hell (725246) on Friday October 12, 2012 @12:15PM (#41632461) Homepage Journal

            Take it easy dude. Let's try to remember what this whole thing is for.

For all the bitching about secureboot, all currently known (yes, this can change) x86 machines which come with it allow the user to turn it off. Remember the last 4 times you bought a new computer and, in fact, did diddle with stuff in the firmware, maybe to at least check the timings on your expensive Mushkin memory or whatever? Well, then, this whole article and the software it describes isn't about you, because you're going to turn off secure boot, making every aspect of this boot loader irrelevant. You won't care about pressing enter, because you won't have to press enter.

            This is for users who won't do that. This is for people who are dumber or lazier than your grandma's ditzy bridge partner, for which we do not expect them to follow any directions or do anything "extra" prior to using their computer. They're not installing headless servers. They're not "picky" except in the sense that they don't want to have to read or understand anything longer than one sentence. They can, and will, press enter.

            The people who are opinionated enough to be "pretty fucking pissed" about pressing enter, will also tend to care enough to do what is needed in order to make pressing enter become unnecessary.

            If there are any people left who become furious about pressing enter, but also feel entitled enough to refuse to turn off secureboot, but also feel entitled enough to refuse to install some other secureboot loader, those people can and should go fuck themselves. Or they can go buy a Mac. Or they can boot Windows, and (think about it) they will never notice that they're not running Linux. Just lie to them and tell them Windows 8 is Linux, and they will believe you, and the lie will never have any consequences because behind the blank smile they gave you when you lied, they already forgot what you said.

        • by TheGratefulNet (143330) on Friday October 12, 2012 @11:15AM (#41631627)

          "system error: secure keyboard not found. hit any key to continue."

          (that was sort of a real error message back in the DOS days. all except the secure part.)

    • by Z00L00K (682162)

      And it's my computer and if my computer has features that I can't access, disable or modify - like the encryption chip - then I have a problem with that.

      If I need to change key depending on OS - then make it easy - like requesting a password for changing to another chain of keys.

    • by godrik (1287354)

      I don't want a secure boot. I just want to be able to boot whatever I feel like booting.

      • by blueg3 (192743)

        I don't want a secure boot. I just want to be able to boot whatever I feel like booting.

        Then... turn off secure boot?

        • by godrik (1287354)

          If it is possible, I'm fine with that. But it is good to know there are alternatives available.

    • by BLKMGK (34057)

Did you miss the part about a present user test? It means someone will be presented a message and asked to approve before boot proceeds. Sounds like a good way to go to me; however, it will certainly screw up a server reboot lol.

    • by bmo (77928) on Friday October 12, 2012 @10:33AM (#41631105)

      Because secure boot has never been about securely booting.

      --
      BMO

    • by Sloppy (14984)

      Because the machine comes that way, yet you also want it to boot.

  • I worry more about my inability to install Linux on an iPad...
  • by Chrisq (894406) on Friday October 12, 2012 @09:37AM (#41630189)
    From TFA:

    To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

    Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

    • by drinkypoo (153816)

      I hope they mean before it boots for the first time... because otherwise, yes, this is crap.

On servers you'll just have to disable the secure boot feature, no problem for sysadmins, and anyone running a home server should have the skill to do the same, although this could give MS an advantage on HTPCs and home servers run by noobs.

    • by LordNightwalker (256873) on Friday October 12, 2012 @10:07AM (#41630705)

      From TFA:

      To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

      Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

      From TFA:

      To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.

      So they offer a solution for your problem, but user input is required for this as well.

      • by Chrisq (894406)

        From TFA:

        To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

        Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

        From TFA:

        To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.

        So they offer a solution for your problem, but user input is required for this as well.

        OK, so what's to stop me installing a compromised version of Windows? If you can disable all warnings then isn't this bypassing any advantage of a secure boot?

        • OK, so what's to stop me installing a compromised version of Windows? If you can disable all warnings then isn't this bypassing any advantage of a secure boot?

          Well, if you insist on installing a compromised version of Windows and allow it to boot, isn't that your problem? As long as others can't trick you into installing it by sending you some malware, I consider it a non-issue.

    • by BLKMGK (34057)

Yeah it does, and no, I don't expect an option to skip the check, else they would never sign it and would revoke the key as has already been done in the driver world. If you've got a server or Myth box I would expect you to uncheck the option that requires secure boot and not sweat any of this, as it wouldn't help you anyway since it's currently only a Microsoft option.

Then either disable SecureBoot entirely, which makes you no worse off than you are now, or use a distribution that provides proper secureboot keys like Red Hat. Companies, et al., who need to have secure operations should like this option very much.

  • mjg59.dreamwidth.org (Score:5, Informative)

    by bfree (113420) on Friday October 12, 2012 @09:41AM (#41630245)

    Linux Foundation approach to Secure Boot [dreamwidth.org]
    James Bottomley just published a description of the Linux Foundation's Secure Boot plan [hansenpartnership.com], which is pretty much as I outlined in the second point here [dreamwidth.org] - it's a bootloader that will boot untrusted images as long as a physically present end-user hits a key on every boot, and if a user switches their machine to setup mode it'll enrol the hash of the bootloader in order to avoid prompting again. In other words, it's less useful than shim. Just use shim instead.

    Further UEFI bootloader work [dreamwidth.org]
    A couple of people have asked whether we're planning on implementing the Linux Foundation approach of simply asking the user whether they want to boot an unsigned file. We've considered it, but at the moment are leaning towards "no" - it's simply too easy to use to trick naive users into running untrusted code. Users are trained to click through pretty much any security prompt that they see, and if an attacker replaces a legitimate bootloader with one that asks them to press "y" to make their computer work, they'll press "y". If that bootloader then launches a trojaned Windows bootloader that launches a trojaned Windows kernel, that's kind of a problem. This could be somewhat mitigated by limiting this feature to removable media, and we're seriously considering that, but there are still some risks associated. We might just end up writing the code but disabling it at build time, and then anyone who wants to distribute with that policy can do so at their own risk.
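To make the policy quoted from TFA (enrol in Setup Mode, boot silently afterwards) and the risk mjg59 describes above concrete, here is an added Python model of the pre-bootloader's decision logic. It is constructed for this page and is not the Linux Foundation's loader.efi code; the `removable_only` flag is an assumed knob modelling the removable-media restriction mjg59 says shim might adopt.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Platform:
    """Minimal stand-in for the firmware state the pre-bootloader inspects."""
    setup_mode: bool                        # the UEFI SetupMode variable
    db: set = field(default_factory=set)    # authorized signature database
    removable_only: bool = False            # assumed knob: mjg59's suggested restriction


def image_hash(image: bytes) -> str:
    """Hash of the second-stage loader image; stands in for its enrolled signature."""
    return hashlib.sha256(image).hexdigest()


def pre_boot(p: Platform, image: bytes, *, removable: bool,
             user_present: bool, user_says_yes: bool) -> tuple:
    """Decide whether to chain-load `image`. Returns (action, reason).

    An unenrolled image is never booted without an interactive decision
    by a physically present user, which is the 'present user' test."""
    digest = image_hash(image)
    if digest in p.db:
        return "boot", "hash already in db: no present-user test"
    if p.setup_mode:
        if user_present and user_says_yes:
            p.db.add(digest)                # persists across future boots
            return "boot", "enrolled hash in db; later boots are silent"
        return "refuse", "setup mode, but enrolment not approved"
    if p.removable_only and not removable:
        return "refuse", "unenrolled loader on fixed disk refused by policy"
    if user_present and user_says_yes:
        return "boot", "present-user test passed; booting once, nothing stored"
    return "refuse", "no present user, or user declined"


def lifecycle(loader: bytes, tampered: bytes) -> list:
    """Walk the sequence from TFA: enrol once in Setup Mode, then boot
    unattended in Secure Boot mode. A modified image has a different hash,
    is not in db, and therefore is not booted headlessly."""
    p = Platform(setup_mode=True)
    trace = [pre_boot(p, loader, removable=False,
                      user_present=True, user_says_yes=True)[0]]
    p.setup_mode = False                    # platform placed back into secure boot mode
    trace.append(pre_boot(p, loader, removable=False,
                          user_present=False, user_says_yes=False)[0])
    trace.append(pre_boot(p, tampered, removable=False,
                          user_present=False, user_says_yes=False)[0])
    return trace


if __name__ == "__main__":
    # Constructed sample images: any change to the bytes yields a new hash.
    print(lifecycle(b"loader.efi v1", b"loader.efi v1 (modified)"))
```

The `lifecycle` trace shows why the headless-server complaint in the thread applies only until the hash is enrolled, and why the enrolled hash does not cover a replaced loader.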

    • by pscottdv (676889)

      In other words, it's less useful than shim. Just use shim instead.

      You forgot to add this:

      For [shim] to be useful you'll need it to be signed by Microsoft, so you'll also need a WinQual account.

      • by bfree (113420)
        I'm not sure where your second quote comes from? Yes, shim (or the LF thing) needs to be signed by Microsoft, but the idea here of both these options is that one person/group gets the first-stage bootloader signed (i.e. shim) and then others can use it as a blob which can then be told by a physically present user to trust other items which are not signed by Microsoft. The "here" link in my first post provides a good chunk of extra info.
  • by Anonymous Coward on Friday October 12, 2012 @09:44AM (#41630293)

The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you to disable it!

    Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)

    • For newbies (Score:5, Insightful)

      by Chemisor (97276) on Friday October 12, 2012 @09:59AM (#41630553)

Your solution is of value mostly to newbies who are incapable of going to the BIOS and typing in a new signing key (yes, all BIOS manufacturers worth buying, like ASUS, offer this option). I, for one, will not purchase any computer without secure boot. I like having a trusted hardware root. I like the fact that no malware can get in the boot process without my consent.

      • by BLKMGK (34057)

Actually, if Linux could offer the users the ability to sign their own kernels and other boot pieces, then put the key into the BIOS, it would provide greater security for Linux as well! Obviously the user would have to manage their signing key properly and kernel updates would be a hassle, but the added security provided could be just as useful. Why not take advantage of this?

      • Re:For newbies (Score:5, Insightful)

        by Hatta (162192) on Friday October 12, 2012 @10:49AM (#41631299) Journal

        Yeah, that works great until Microsoft deprecates the option for Windows 9 or 10. They've already done so on Windows 8 ARM tablets, why wouldn't they do it on x86 PCs?

        • Re:For newbies (Score:4, Insightful)

          by Chemisor (97276) on Friday October 12, 2012 @11:41AM (#41631985)

          If motherboard manufacturers (not Microsoft) decide to not provide the option any more, we'll stop buying their boards. At this time this is a purely hypothetical and unlikely event, for that very reason. If and when it happens, we can complain and vote with our wallets; until then you're just spreading unjustified FUD.

          • by Hatta (162192)

            we'll stop buying their boards

            And just how much market clout do you think Linux desktop users have?

            If and when it happens, we can complain and vote with our wallets

            Yes, by buying specialty hardware that's likely to cost several times what mass market hardware does. The days of buying COTS hardware and just throwing Linux on it will be over.

            until then you're just spreading unjustified FUD.

            FUD, yes. Unjustified, no. There's plenty of reason to fear what Microsoft will do with secure boot. A lot of uncerta

      • by thegarbz (1787294) on Friday October 12, 2012 @11:04AM (#41631489)

        Malware getting in the boot process... So we're creating a system of immense complexity, incompatibilities, which creates an all out shitstorm in the IT world, all to target that 0.001% of malware that actually infects the boot process? What popular malware has done this?

        Is it even a credible threat?

        Don't forget to visit the TSA website and drop in a few dollars in the donation form while you're at it.

      • Re:For newbies (Score:4, Insightful)

        by StormReaver (59959) on Friday October 12, 2012 @11:20AM (#41631687)

        I like having a trusted hardware root.

        The problem is that Restricted Boot (euphemistically known as "Secure Boot") is not there to work in your best interest. It is there to work in Microsoft's best interest. It is just another tool in Microsoft's arsenal to make sure you can't use your computer in any manner not approved by Microsoft.

        Restricted Boot is not there to protect you. It is there to protect Microsoft from you leaving Microsoft. Any statement to the contrary is smoke and mirrors to confuse you.

    • by BLKMGK (34057)

Pretty sure Microsoft has said that they expect there to be a BIOS option to turn it off. I expect it will be harder to find one that doesn't allow it to be turned off than one that will. I certainly wouldn't buy anything that didn't allow it to be deactivated!

  • So (Score:5, Funny)

    by Hatta (162192) on Friday October 12, 2012 @09:45AM (#41630309) Journal

    When I turn on my PC, it will boot the pre-boot loader, which will then boot grub, which will then boot my initrd which will finally boot Linux. Can we put any more steps in there?

    • Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.

      • Re:So (Score:4, Insightful)

        by ledow (319597) on Friday October 12, 2012 @10:01AM (#41630607) Homepage

        Every time it CHANGES. RTFA properly.

      • Re:So (Score:4, Insightful)

        by bonniot (633930) on Friday October 12, 2012 @10:03AM (#41630645) Homepage Journal

        Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.

        I don't think so. From TFA: "To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode."

    • Well the first 'innovation' on this concept would be to have the pre-bootloader start loading init...
    • by ledow (319597)

      All of which will happen in a fraction of a second if you don't have boot prompts enabled.

And all of which is nothing compared to the hoops that most systems go through to get from switch-on to full operation on the CPU (real -> protected mode, etc.).

    • by sootman (158191)

      It's bootloaders all the way down!

  • This is classic: it took Microsoft years to develop this technology and it takes the open source community less than a year. I love the power of the open source community.
    • by ledow (319597)

      By buying a key from Microsoft.

      Yeah. Nice way to work around this horrendous locking-down technology and promoting openness of hardware and all software (from BIOS up). "Let's buy a key to their proprietary lock-in systems that they can revoke at any time."

    • You should keep reading the article until it no longer means what you currently think it means.

  • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Friday October 12, 2012 @09:57AM (#41630527) Journal

    Boot sector viruses are the rarest form of virus, require root permissions to infect, and aren't especially hard to remove. And we've handed over a big chunk of freedom and made things worse for everyone to fight this minor annoyance (yeah right). This is worse than the computer equivalent of the PATRIOT act.

  • by Meneth (872868)
    Does this fix the Windows 8 ARM tablet problem?
  • by 3seas (184403) on Friday October 12, 2012 @10:06AM (#41630681) Journal

    If we make it, we can break it. Making secure boot just more locks to keep honest people out and more headaches for honest people to deal with.

    Perhaps the real question here is why do people continue with Windows, when there are other options that have better general security?

  • by swm (171547) * <swmcd@world.std.com> on Friday October 12, 2012 @10:30AM (#41631035) Homepage

    the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system).

    The purpose of Secure Boot is to prevent people from booting non-Microsoft operating systems.
    Why on earth would Microsoft sign such a bootloader?

    The process of obtaining a Microsoft signature will take a while, [...]

    Anyone want to open an over/under line on when this happens?
    I'll put $100 on the first patch Tuesday following the heat death of the universe.

  • To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots.

    That seems like a LOT more of a pain in the butt than simply turning off the secure boot option. In fact, it would be a deal breaker for any of my Linux machines that must be able to reboot unattended every time. It's a "solution" to a trumped up problem. There are plenty of legit reasons to hate Microsoft, but this isn't one of them.


    The bottom line: UEFI secure boot is not going to be enabled on any machine shipping with Linux unless that distro has the keys themselves. That is most likely the only gr

    • by cpghost (719344) on Friday October 12, 2012 @11:06AM (#41631513) Homepage

      That seems like a LOT more of a pain in the butt than simply turning off the secure boot option.

      How long will motherboard BIOSes ship with the option to turn off UEFI secure boot? Maybe not tomorrow, but what about 1, 2 or 3 years down the road? That's the real issue here! The problem is that the PC commodity market is about to be turned into a walled garden controlled by, guess who? Microsoft in this case. That's pretty scary stuff actually, and I wouldn't wonder if the regulating authorities (at least in the EU) will sooner or later consider this as anti-competitive behavior.
