Matthew Garrett Makes Available Secure Bootloader For Linux Distros 274
TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."
Re:How does this work? (Score:5, Informative)
In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.
In more complicated terms, I'll defer to the wiki page [wikipedia.org].
Re:Making No Sense (Score:2, Informative)
Read his blog, he explains it all.
Basically, the Shim is signed with the Microsoft key, it will load on any system which trusts that key (i.e. every system out there).
The Shim will then load anything that's signed with any of the keys in the secure boot trust database, but it will also allow you to add keys to that trust database yourself.
For example: if you try to boot from a SuSe install DVD is will first start the Shim (which is trusted, because it's signed by Microsoft). The Shim will then ask you if you want to load whatever the DVD is trying to start, optionally installing the key used to sign what you're trying to start.
The end result is that John Q. User just needs to be told to push the 'Enroll key' button when he's installing SuSe/RedHat/Debian/... He doesn't need to be told how to disable Secure Boot, or how to install the SuSe/RedHat/Debian/... key into his system (which would be different for every system).
Re:Kudos (Score:4, Informative)
First UEFI != UEFI Secure Boot.
Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.
Third, the keys are editable, i.e you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are setup that way to stop undetectable bootkits infecting your mom's computers because just wants to run Excel and doesn't know or care about signing keys and hashes.
There is so much FUD and misinformation being spread by stupid people.
Re:Yay! (Score:2, Informative)
Re:Kudos (Score:5, Informative)
But to get your own key, you have to shell out 99 bucks.
That's fucking galling. It's a tax.
--
BMO
Re:Kudos (Score:5, Informative)
No.
The $99 fee is if you want to get stuff signed with the default Microsoft keys (or rather, with a chain-of-trust that ties back to the default Microsoft keys)
Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.
Re:Fuck secure boot. (Score:5, Informative)
" Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice."
A half truth is a whole lie.
Stop lying.
The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED AND MUST NEVER BE TURNED OFF
Shill.
--
BMO
Re:Fuck secure boot. (Score:4, Informative)
No, no, no. You got it wrong.
I hate this whole kerfuffle as much as everybody, but the part about not being able to load self signed keys isn't correct. You can load self-signed keys into the UEFI boot key-store right from the UEFI UI. Of course that will prevent Windows 8+ from booting, but that's another story. You can disable it altogether, with the same result.
So you can either disable secure boot or have your own chain of trust separated from Microsoft and boot other OSes. BUT if you want to boot Windows 8+ you have to enable it and use Microsoft's chain of trust, and is in THAT case, when you want to also boot other OSes you must have the other OSes bootloaders signed by Microsoft.
This shim bootloader represents a convenience to the users of that specific case (which indeed is the most common one). They have a "generic" Microsoft-signed bootloader along with some tools to extend a chain of trust from that bootloader to another one, and this second one won't have to get through the dreaded certification process (which indeed forces you to use Windows).
The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boicott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.
The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.
Must ship with a way to turn off Secure Boot (Score:5, Informative)
Secure Boot in custom mode (Score:4, Informative)
With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?
By setting Secure Boot to custom mode and installing the self-signed key. Microsoft requires makers of x86 and x86-64 PCs to allow neutering Secure Boot as a condition for Windows 8 certification, just like Google requires a device to have Android Debug Bridge open as a condition for access to the Google Play Store. The strict game-console-style lockdown is only for Windows RT.
Re:Kudos (Score:2, Informative)
First, that's to get your own binary get signed with the default installed Microsoft key, so it's meant for distributors, not users who can add/remove keys without any cost.
Also, if you think Microsoft is trying to make any money from the $99 you're sorely mistaken.
Read this and I hope you have enough reading comprehension skills to under the reasoning behind Microsoft's fee.
http://indiegames.com/2012/09/valves_solution_for_steam_gree.html [indiegames.com]
If there was no fee, every Russian malware author will apply thousand times to get boot keys defeating the whole thing, not to mention the money can be tracked down in the future if the key is maliciously used.
In other words, another bog standard stupid uninformed kneejerk karmawhoring typical retarded Slashdot anti-MS post from you. lurn2read. Don't you feel stupid making such idiotic posts?
Re:How does this work? (Score:5, Informative)
Right, because you have no right to do that with a device you supposedly own.
The specs already require that the x86 EFI allows you to load your own key. This is just something to let you install and use linux or other OSes without having to go through the process of loading your own keys into the bios and instead using the ms key that's already been loaded.
Re:Fuck secure boot. (Score:5, Informative)
"With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"
openssl req -new -nodes x509 -outform DER -out sig.crt -keyout signing_key.priv
And then enrol it with mokutil or MokManager from shim.
Re:Kudos (Score:5, Informative)
Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".
It's a much bigger deal than apologists are making it out to be. It's a big step in making the switch to Linux MUCH more difficult.
For the last ten years or so Linux has been easier to install on a raw machine then Windows. Microsoft finally came up with a way to reverse that. And of course it has nothing to do with making their OS easier to install.
Also no more booting a live CD/DVD so you can try things out or show them to someone. No more Knoppix STD when you're trying to figure out what crap your mom got on her computer this time or recover data from a flaked hard drive. Etc, etc...
Re:Doesn't work (Score:5, Informative)
If your system currently has Windows 8 installed, then do this:
1) Insert the install media
2) Mouse to the bottom right
3) Select "Settings"
4) Click "Power"
5) While holding down shift, click "Restart"
6) Click "Use a device"
7) Click your install media
This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.
Re:Making No Sense (Score:5, Informative)
Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.
Re:How does this work? (Score:5, Informative)
Try reading the OP.
This is a build of shim that's signed by Microsoft. It has particular properties. It is intended to be distributed by small Linux distros, with their own key as config data. When you boot it, it offers you the option to trust a single specific key - the key it was provided to you with. You have to specifically perform a certain operation to trust the key.
What all this wiggling achieves is allow to say 'I trust the entity that provided me with this key to provide an operating system for my machine'. The safeguards prevent it from being used for malware, unless you're _really_ dumb and, when this screen pops up on your system after you install something you didn't think was an operating system, you carefully jump through all the hoops to allow it to nerf your system.
So Microsoft is happy because the malware path is very unlikely to occur, and the Linux distributor is happy because if the person really is installing an alternative OS, all they have to do is navigate a menu once in order to say that OS's key is trusted, and from then on, that OS can function with SB enabled indefinitely.
Clear?