mjg59 | Supporting UEFI secure boot on Linux: the details

(Update January 18th 2012 - you probably want to read this for details on why the technical details described below are not the difficult bit of the problem)

An obvious question is why Linux doesn't support UEFI secure booting. Let's ignore the issues of key distribution and the GPL and all of those things, and instead just focus on what would be required. There's two components - the signed binary and the authenticated variables.

The UEFI 2.3.1 spec describes the modification to the binary format required to produce a signed binary. It's not especially difficult - you add an extra entry to the image directory, generate a hash of the entire binary other than the checksum, the certificate directory entry and the signatures themselves, encrypt that hash with your key and embed the encrypted hash in the binary. The problem has been that there was a disagreement between Microsoft and Intel over whether this signature was supposed to include the PKCS header or not, and until earlier this week the only widely available developer firmware (Intel's) was incompatible with the only widely available signed OS (Microsoft's). There's further hilarity in that the specification lists six supported hash algorithms, but the implementations will only accept two. So pretty normal, really. Developing towards a poorly defined target is a pain. Now that there's more clarity we'll probably have a signing tool before too long.

Authenticated variables are the other part of the puzzle. If a variable requires authentication, the operating system's attempt to write it will fail unless the new data is appropriately signed. The key databases (white and blacklists) are examples of authenticated variables. The signing actually takes place in userspace, and the handoff between the kernel and firmware is identical for both this case and the unauthenticated case. The only problem in Linux's support here is that our EFI variable support was written to a pre-1.0 version of the EFI specification which stated that variables had a maximum size of 1024 bytes, and this limitation ended up exposed to userspace. So all we really need to do there is add a new interface to let arbitrary sized variables be written.

Summary: We don't really support secure boot right now, but that's ok because you can't buy any hardware that supports it yet. Adding support is probably about a week's worth of effort at most.

Flat | Top-Level Comments Only

From: (Anonymous)

(says it all)

From:

mjg59

Not inherently. It's actually reasonably hard to do - inserting new keys requires that those keys themselves be signed by the private half of one of the keys in the KEK database, so you'd need to give your key to someone who *does* have an entry there (either the OEM or Microsoft), have them sign it and then pass that into the variable database.

From: (Anonymous)

Any possibility of creating a web of trust system for this?

From: (Anonymous)

Didn't the videos from the Microsoft conference say that they would use a certificate CA (or more than one probably) just like with SSL and current code signing for drivers and software ?

From:

mjg59

Right now, Microsoft and the OEMs are the CAs, and there's no requirement that a system carry any root certificates other than Microsoft's. Imagine if your browser only came with Godaddy's certificate and you couldn't install any others.

From: (Anonymous)

Do they intend for a manufacturer of, let's say a NIC and it's driver to talk to have their driver signed by Microsoft or by the OEM ?

From:

mjg59

That's not entirely clear yet, but it has to be signed by someone who has a key in the machine's database.

From: (Anonymous)

I will be suprised if Microsoft does not offer a way to digitally sign drivers for secure boot. They already have the WHQL program.

And seeing as Microsoft keys are the only ones guaranteed to be present on all systems, third parties will likely prefer this over any program set up by individual or coalition of OEMs.

From: (Anonymous)

...and of course, the mere existence of such a counter-signed key makes that key just as powerful, and valuable, as the root keys (if a piece of malware was somehow signed by that new key, it would just have to carry the signed key-update-request around with it).

If you want the issuance of countersigned keys to be viable in practice, there needs to be provision in the spec for the signed key update request to be limited in scope - say to a particular motherboard serial number and/or date range.

From: (Anonymous)

This seems odd. Why can't I as the owner just manually enter the keys that I trust (equivalent to my ssh authorized keys file)?

From:

mjg59

Because the spec doesn't allow you to do that once there's a KEK installed.

From: (Anonymous)

You apparently miss the point of the original post. The poster wants to know why they don't make it so that you can decide what keys are trusted and add your own. Saying that they don't make it that way doesn't answer the question. I suspect that there is no good answer to the question. In fact, your answer suggests there is no good answer, since it is the equivalent of the standard, "because I said so," reply (or in this case, because the UEFI implementers said so).

From: (Anonymous)

Because the Media Conglomerates who want this, along with Microsoft and the hardware manufacturers *don't trust you*.

The whole purpose of secure boot is to stop you from copying DRM'd media. It doesn't work because the pirates won't use secure boot, and then everybody uses those pirate copies even on systems with secure boot, IE it's completely f***ing useless, except that Linux won't always run with it and Microsoft of course likes that.

If we're not careful politicians will make this insidious crap a mandatory requirement.

From:

mjg59

No. Secure boot is not a DRM mechanism. It has no concept of attestation. It is vitally important that nobody permit the idea that it's a DRM mechanism to prevail.

From: (Anonymous)

mocosoft now was release a opinion, here lasted
http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

umm seems a tramp..

From: (Anonymous)

I believe that a new generation of information wars is coming up - CIA and FBI will together compromise _NOT_ the software, rather HARDWARE, and the story with UEFI (an attempt to kick off LINUX and SOLARIS) is the only beginning.

Look for the mobile coverage outage news in the Net. And for the blackout in Chile.
Thees were hardware Trojans, NOT software viruses.

This is the only beginning. The USA President Barack Obama is the terrorist Number One in the world, but this is not clear to everyone

Masha Lukyanova

From: (Anonymous)

Dear (other) Anonymous, this is not a subject you can use for your own delirium :D

@ Matthew: how does Coreboot enter in this picture?

From:

mjg59

It doesn't really. The requirement for firmware updates to be cryptographically signed means that installing Coreboot on a system will mean physically replacing the flash.

From: (Anonymous)

What are the odds the DMCA will be invoked against "owners" (physical holders) of the hardware un-jailing their systems and getting jailed themselves?

They could say it allows overriding DRM or even put a poem in the firmware to force it to be considered a DMCA violation because access to a copyrighted work has been obtained by circumvention.

5 years in prison and being a felon (look at the Perl guy who was banned from Canada for life) is enough to scare almost everyone off of Linux. Not to mention the reality of how physically brutalized the average geek would be in prison - 5 hours would be enough to destroy him.

From: (Anonymous)

I still do not see the point. Windows is a piece of crap. We know that. Windows needs this? Honestly what Windows needs is a full reboot. But Microsoft cannot afford to build anything good (even WP7 is built off WM6.5) at this point, and they know this.

With security, we've been running reactively for a very long time and I do not really see the issue. In fact, reactive is how humans are. When we get sick, we respond appropriately. Look up projects like ABACUS, where computers could potentially heal themselves on detection of 'misuse'. We also run retroactively. We have the best of both worlds. Preventing boot-ups because the system detected 'misuse'? That would NEVER fly with me and NEVER would fly with anyone else. What is Microsoft trying to do here? INCREASE downtime? Microsoft has costed the world over 100 billion USD in security problems. When are they going to give that back?

And also, let's just imagine that we had keys and all nice things worked out (as some people seem to state here). So now I have to find some 'authority' who can give me the keys to do WHAT I WANT to with MY (potentially custom built) machine? That is absolute nonsense! Any of you are suggesting that there be 'Linux keys', or 'Ubuntu keys' (yuck) means that you do not see an underlying problem. Sure, today for some odd reason we trust CA's like VeriSign to secure our websites (honestly I still find this a strange deal). Why? Why should we trust anyone other than ourselves in this regard? Who made them king?

In a hacker sense: if a motherboard has this functionality, hack it to death and REMOVE IT ENTIRELY. Do not even have a bit of this. It's absolute nonsense!

In another sense: I should NEVER have to do anything like just mentioned just to do get the OS I want running, nor should I have to do any key fiddling.

The fight will go on. In fact, I hope UEFI+secure boot turn out to be a disaster and the security problems for Windows users go UP instead of down. Go on malware writers! Keep doing what you do until Microsoft is bankrupt!

Things the way they are just fine if you ask me, if you NEVER use Windows. Linux (almost any distro) and Mac OS X are 2 fine operating systems that don't need this crap.

From: (Anonymous)

@anonymous, if it's my PC, I want to make sure it hasn't been tampered with (by anyone other than me). It's as simple as that. If you think secure boot is a problem then you probably leave your front door open at night and wouldn't mind if unwanted guests wandered in and messed with your stuff. To suggest that Linux and Mac OS don't have these issues is either a) naïve, or b) an enticement to others to use those other OS platforms until they become popular enough that they are interesting malware targets. Either way, the problem is not unique to Windows. I'll say it again--I want secure boot because I want to be in control of my machine.

From: (Anonymous)

So "to be in control of [your] machine", you want it to prevent you from installing anything but Windows ?

Interesting.

From: (Anonymous)

HEADSHOT!

From: (Anonymous)

Checka, checka, check it out
They load the clip in omnicolour
Said they pack the 9, they fire it at prime time
Sleeping gas, every home was like Alcatraz
And motherfuckers lost their minds

No escape from the mass mind rape
Play it again jack and then rewind the tape
And then play it again and again and again
Until your mind is locked in
Believin' all the lies that they're tellin' you
Buyin' all the products that they're sellin' you
They say jump and you say how high
You're brain-dead
You've gotta fuckin' bullet in your head

Just victims of the in-house drive-by
They say jump, you say how high
Just victims of the in-house drive-by
They say jump, you say how high

Uggh! Yeah! Yea!

(You're) Standin' in line
Believin' the lies
(You're) bowin' down to the flag
You got a bullet in your head

Lyrics here: http://www.sing365.com/music/lyric.nsf/Bullet-In-The-Head-lyrics-Rage-Against-The-Machine/DEE35258A53EA716482568A50012B22C

Video clip (Warn' FLASH): http://www.youtube.com/watch?v=9TDgkOOlbwg

From: (Anonymous)

Secure boot doesn't give you control of your machine. It gives the person who creates the signatures control. Unless you have the power to create and trust your own signatures, you don't have control.

This doesn't stop tampering from going on. It just stops your machine from running after it's been tampered with. In theory, this gives you the opportunity to reverse the tampering. In practice, we'll see.

I don't generally trust firmware/hardware based encryption. Without the ability for the user to modify the key database himself it takes away more control of the machine, and in no way is it guaranteed to be unhackable (though it may afterward be unfixable). Give the user the ability to control the key database, and then I might trust it a bit more.

From: (Anonymous)

If you think secure boot is a problem then you probably leave your front door open at night and wouldn't mind if unwanted guests wandered in and messed with your stuff.

So as an analogy, secureboot hands your keys over to a bunch of strangers and you then have to trust them with your house.... stupid idea - I trust me, not some bunch of corporations whose main aim is to make money, my security is way down their list of priorities.

And what makes you think trojans won't run quite happily within the secureboot environment - they're trojans, they'll simply masquerade as something else. Secureboot != anti-virus.

From:

mjg59

They'll masquerade as something else while maintaining the same digital signature? If you've broken RSA then there's more profitable things to do with that than just trojan people's boot process.

From: (Anonymous)

Most trojans are perfectly fine with running in userspace. So, I don't think it will solve anything. And hey, who needs Intel architectures to run Linux? It runs on everything else already. All this does is make sure servers won't run on Intel architectures.

From: (Anonymous)

Seems like a very trouble some stuff here, a chicken or egg problem, as a computer user, I'm not paranoid enough to use this "feature". On industrial level, I believe this might be a choice.

Moving to Windows 8 is a hard choice for most users - new investment, brand new pc and not able to upgrade to Windows 9 or a better OS - is a curse.

What I expect is - this feature will have an option to disable it, if it does not, then we will see it in court.
So, in short, its pretty much useless and back to the 80s BIOS stuff. I also suspect this will be enabled by default by major manufacturers and ignored by 99% of computer users, until Win 9 comes out/switching OS/PC needs rescue they realized they need the D F Manuals.

Windows OEM manufacturer will get blamed and users at a losing side, OEM manuf is playing with fire.

Lets watch in 2 years time
http://www.google.com.my/search?hl=en&q;=disabling+EUFI
Current: 444,000 results

Early problem winner goes to-
http://forums.lenovo.com/t5/W-Series-ThinkPad-Laptops/W520-UEFI-and-Bitlocker/td-p/439857

From: (Anonymous)

I would like to hear your view on how this efi and secure booting will effect retailers like new egg. if a piece of hardware needs to be signed by the oem secure boot key wouldn't that lock out anyone who bought a oem computer from like dell from using parts not bought though the dell store at 100%+ mark-ups?

From: (Anonymous)

Mr. Garret,

So far everyone is discussing a problem, but I think what most people would love to hear is potential solutions to this.

What would you point as a potential solution for this mess ?

All the best,
NM

From: (Anonymous)

Demand will continue for old fashioned BIOS based motherboards and smart people will continue to select and build their own machines running BSD or Linux of course. Stupid sheeple will continue to be stupid sheeple and use Winblows from Microscum. In several years time someone will find a solution to this crisis for the Linux community and then your smart friends will be able to install Linux once again on your Dell after your fed up with malware.

6 Years on Linux and 0 malware infections and I go where I want on the net and no Winblows users can say that so epicfail to Microscum and their crappy business model/products.

LOL Linux doesn't even have antivirus because their are NONE - Yet MS claims they are secure LOL I feel sorry for the sheeple!

From: (Anonymous)

Microscum? Winblows? Really? Did I get knocked unconscious and wake up in 1996?

From: (Anonymous)

IF we did away with MS, then many people like myself who spend time every day grousing about how Bill was the anti-Christ, could get a life and have new things to talk about, at least until some new company became a monopoly and was worthy of all our attention.

From: (Anonymous)

http://mjg59.dreamwidth.org/5552.html?thread=102832#cmt102832 and http://mjg59.dreamwidth.org/5850.html seem to state Matthew's solution - ship systems with no keys installed.

From: (Anonymous)

I wrote an article about this on ISN:
http://software.intel.com/en-us/forums/showthread.php?t=87355

This is really about losing the ability to modify both the hardware and the software -- in other words, you cannot use your own PC in a way you want. People who say "there will be Linux/Ubuntu keys" forget that they most likely won't be able to compile their own bootloader and/or kernel and sign them.

Instead of punishing those who abuse PCs for cyber crime they want to make sure that it is impossible to commit it. If they used the same principles in real life, firing a weapon would require a signed key for every bullet.

From: (Anonymous)

It sounds like the certificates referenced in hardware are there forever. Is that true? What mechanism is in place to revoke and reissue new keys if one of them is compromised? Assuming that "normal people" will never upgrade their BIOS, doesn't this lead us to the same security problem we have now?

I guess the problem revolves around the signing key which is unlikely to make its way into the public. What if it does? Also, what happens when the certificates expire? Surely I'm either insane for asking these questions or they have already been addressed (or both)..

From:

mjg59

I think the assumption here is that the keys don't expire, but yes, there is a mechanism for blacklisting either keys or individual signatures. A KEK-signed update can be pushed and flashed at runtime without requiring the user to do a full BIOS update - on Windows I'd expect that to happen as part of Windows Update, Linux distributions will obviously have to figure out some mechanism.

From:

bkerensa [launchpad.net]

So far I think there is not much benefit to gain from UEFI... Yeah it replaces outdated BIOS but at the same time it fixes something that has worked fine for decades.

From: (Anonymous)

What about ship systems with UEFI but without the secure boot extension ?

So, if you want to install Windows 8, it will install the extension, but it can also be uninstalled ?

Flat | Top-Level Comments Only

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

(Anonymous) - Is there any way for the end-user to load their own keys?
(Anonymous) - seem a tramp, here lasted on sun 24 sep 2011
(Anonymous) - (no subject)
(Anonymous) - In all honesty
(Anonymous) - (no subject)
(Anonymous) - (no subject)
(Anonymous) - (no subject)
(Anonymous) - Spread the word...
(Anonymous) - What happens if one of the supported keys gets leaked/discovered?
bkerensa [launchpad.net] - UEFI and Linux
(Anonymous) - solution ?

Expand Cut Tags

No cut tags