The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed 179
hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days."
Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."
Re:Present user test? (Score:4, Informative)
Likely to be much less of an issue on proper server hardware; most server vendors know full well a significant amount of the hardware they shift will never run Windows.
Microsoft banned GPL in UEFI binaries .. (Score:5, Informative)
'When you get to this stage, you also have to certify that the binary " to be signed must not be licensed under GPLv3 or similar open source licenses". I assume the fear here is key disclosure but it's not at all clear (or indeed what "similar open source licences" actually are).'
Re:Not surprised at all (Score:5, Informative)
Secure Boot was designed to block malware from successfully inserting itself into the boot chain to bypass OS security measures, and that's it. Beyond that it's up to the OS to block malware from running in ring 0 or ring 3, which comes down to AV scanning, code signing, and any privilege escalation exploits abused by malware. Secure Boot closes off one important vector for malware, not all of them.
support free software & hardware and prices dr (Score:2, Informative)
Stop buying MS hardware! Prices will drop...
The free software and open source software advocates merely need to stop buying hardware dependent on and designed for proprietary operating systems. There are options that are becoming very popular. The major issue right now is there are a lot of people too cheap to realize the difference between a $400 POS laptop with Microsoft Windows which has higher specs and your typical higher quality laptops smaller companies are shipping with Linux. Even if the hardware is lower spec'd at a higher price doesn't mean it is a rip off. What your getting is significantly better in a number of different areas.
As an example your not going to be dealing with wireless issues related to digital restrictions. HP, Dell, Lenovo, and Toshiba ship laptops that prevent the replacement of incompatible wireless cards with third party options. This is because they make money off selling replacement cards to users whose wireless cards have died after the warranty period.
There are other good examples such as the loss of support because manufacturers have discontinued the proprietary drivers/firmware for your hardware.
While System76, ZaReason, and most others are shipping good quality hardware they do need to improve in certain areas. Right now pretty much every typical user is being disadvantaged by bad policies or simply the lack of a policy that advocates the use of chipsets which are free software friendly where such chipsets are available. A quick search will turn up a lot of customers who are running into issues because of these non-free drivers/firmware dependencies. And from what I'm reading nobody cares. People are just being shafted.
The only company which seems to be making a difference in this area is ThinkPenguin. ThinkPenguin is funding a number of major and minor distributions, the Free Software Foundation, and investing in the manufacture of hardware which is free software friendly. This amongst many other projects to bring better support for hardware to users around the world. And this irregardless of the distribution. If you want to run Ubuntu one day and switch to Trisquel the next you actually can (Trisquel is a distribution that doesn't ship drivers/firmware/and other software dependent on non-free software- there are many other distributions with similar policies). Even Debian doesn't ship with non-free drivers/firmware any more. They have released a derived kernel even which removes pieces from the mainline kernel.
Ultimately it is the actions of people using such distributions which funds the ecosystem which improves support for hardware that works with Linux rather than against it.
Standardizing on a binary application interface is not the answer. Supporting free software is.
And I'm not a loony. I'm not saying get rid of all the non-free stuff. There being distributions which support bad hardware will help in introducing people to free software. What I'm saying is be conscious of the negative effects of your actions when purchasing hardware down the road. Encourage distributions to inform users of the technical (and optionally ethical) issues of using such hardware. If you can avoid hardware dependent on non-free code do so.
Linux will not take off without wider availability of such hardware because the average user isn't going to stat up a terminal window to install some proprietary driver. They aren't going to apply some hack because the manufacturer refuses to fix a bug. The source code needs to be maintained (not just included) in the mainline kernel and/or similar. That is what leads to the best hardware which works out of the box. And this is not to say that the code itself is necessarily better. However it certainly doesn't hurt it when anybody can submit fixes, improvements, etc.
Re:Microsoft banned GPL in UEFI binaries .. (Score:5, Informative)
It says:
"I use public key cryptography to sign my code to assure its authenticity. Is it true that GPLv3 forces me to release my private signing keys?
No. The only time you would be required to release signing keys is if you conveyed GPLed software inside a User Product, and its hardware checked the software for a valid cryptographic signature before it would function. In that specific case, you would be required to provide anyone who owned the device, on demand, with the key to sign and install modified software on his device so that it will run. If each instance of the device uses a different key, then you need only give each purchaser the key for his instance."
Re:Not surprised at all (Score:5, Informative)
As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows. This "UEFI Secure Boot" does not prevent it at all. I suspected earlier that UEFI Secure Boot wasn't designed to make PCs more secure but rather to lock down PCs, so novice users trying to check out some Linux distribution will have tough time doing so. This fiasco makes me sure that this was the case and makes me wonder why antitrust authorities don't do anything about this. This is potentially more harmful than MSIE case after all.
If you(and others here) really want to educate yourself instead of spreading karmawhoring FUD, please read on.
Here are some references about boot malware which UEFI secure boot will prevent.
http://www.chmag.in/article/sep2011/rootkits-are-back-boot-infection [chmag.in]
http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/ [theregister.co.uk]
http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft [computerworld.com]
I recommend reading atleast the first link.
Here's one juicy bit:
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo
Re:Wtf? (Score:4, Informative)
They are already doing this.
On ARM, in order to use the windows logo marketing crap (you know those stupid stickers all over that otherwise nice looking laptop you last bought), there can be NO way to disable sec boot. Manufactures will cave.
So, Yes. When they feel they can get away with it on x86 (no more winxp etc. out there), they will likely follow the path they ALREADY took with arm.
So, not paranoia on all of our part, but burying your head in the sand on yours.
MS has engaged in some of the most evil bus practices of any company (intentionally breaking standards so folks on wincrap have to use MS solutions for those components that should be inter-operable, stealing code, waiting out the victims money reserves in court, suing the victim back (if victim somehow was able to survive long enough to win in court, (if above failed) buying victim companies and dismantalling them, trying to sneak in fake error messages with code that detected running competitors products, senior folks like Bill G trying to steal from other senior folks while they lie in a hospital bed-- at the time, presumed to be dying, a really fucked up company. Now that apple is trying to be more evil than MS, MS seems to be doing its part to try to capture back the title of do only evil.