Management of UEFI secure booting
Oct. 19th, 2011 10:05 am![[personal profile]](https://web.archive.org/web/20161209234706im_/http://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59This post is made in a personal capacity. While it represents the outcome of multiple discussions on the topic with a variety of people, nothing written below should be construed as Red Hat's corporate position
The FSF have released a statement on UEFI secure boot. It explains the fundamental issue here, which isn't something as simple as "will OEMs let me install Linux". It's "Does the end user have the ability to manage their own keys".
Secure boot is a valuable feature. It does neatly deal with the growing threat of pre-OS malware. There is an incentive for it to be supported under Linux. I discussed the technical aspects of implementing support for it here - it's not a huge deal of work, and it is being worked on. So let's not worry about that side of things. The problem is with the keys.
Secure boot is implemented in a straightforward way. Each section of a PE-COFF file is added together and a hash taken[1]. This hash is signed with the private half of a signing key and embedded into the binary. When you attempt to execute a file under UEFI, the firmware attempts to decrypt the embedded hash. This requires that the firmware have a either a copy of the public half of the signing key in its key database, or for there to be a chain of trust from the signing key to a key in its key database. Once it has the decrypted hash, it generates its own hash of the binary and compares them. If they match, the binary is executed.
What happens if it doesn't match? Per the UEFI specification, the firmware can then prompt the user and ask if they want to execute it anyway. If the user accepts then the hash of the binary is remembered[4] and can continue to be executed in future. This is similar to what you get when you visit a self-signed https site, or when you connect to an ssh server for the first time - the user must explicitly state that they trust the software that is being booted.
This is a little awkward for a couple of reasons. First, it means that any updates to the bootloader would require the user to manually accept the binary again. Second, as we've seen with https, there's the risk of uesrs just blindly accepting things. If it's acceptable to do this off internal media[5] then malware could just rely on some number of users saying "yes". And thirdly, we've been told that Microsoft's Windows logo requirements forbid this option.
The first is problematic but manageable with appropriate documentation. The second is a real risk that makes this approach far less compelling. And the third is probably a showstopper.
So signed but untrusted binaries are probably out, on technological, UI and policy grounds. What else?
We can sign binaries with a trusted key. This gets us interoperability, but comes at a cost. The first issue here is that we still don't know what the process for getting a trusted key is going to be. One option is for something like a generic Linux key that's provided by all firmware vendors. As long as the OEM doesn't remove it, then that Linux key could be used to sign other keys that are used by individual Linux vendors. The main difficulty involved in this is having the Linux key be managed by an authority that OEMs can trust to only provide keys to trustworthy organisations and maintain control of the private half of the key. Remember, if any malware is signed with any of these keys, it'll boot on any machine carrying this key. It's a lot of trust. It's not obvious that there's an organisation with sufficient trust at the moment.
The second approach is for each Linux vendor to generate their own key and get every OEM to carry it. Let's rule this out on the basis that it's an approach that doesn't scale at all. Red Hat could probably get its key into a bunch of OEM systems. Canonical too. Oracle? Probably for the vendors they care about. It's likely to be much harder for everyone else, and you still end up with the risk that you've just bought a computer that'll boot Red Hat but not Ubuntu.
The third approach is for each Linux vendor to obtain a key from someone who's already trusted. The most obvious authority here is Microsoft. Ignoring the PR unpleasantness involved with Linux vendors having to do business with Microsoft to get signed, so far Microsoft haven't given us any indication that this will be possible.
So every approach that involves us signing with a trusted key comes with associated problems. There's also a common problem with all of them - you only get to play if you have your own trusted key. Corporate Linux vendors can probably find a way to manage this. Everyone else (volunteer or hobbyist vendors, end users who want to run their own OS, anyone who wants to use a modified bootloader or kernel) is shut out.
The obvious workaround is for them to just turn off secure boot. Ignoring the arguments over whether or not OEMs will provide that option[6], it benefits nobody for Linux installation to require disabling a legitimate security feature. It's also not likely to be in a standard location on all systems and may have different naming. It's a support nightmare. Let's focus on trying to find a solution that provides the security and doesn't have obvious scaling issues.
There's a pretty simple one. If the problem centres around installing signing keys, why not have a standardised way of installing signing keys?
What we've proposed for this is an extension of the current UEFI standard for booting off removable media. There's a standardised location for putting the bootloader for USB sticks or optical media. For 32-bit PCs, it's EFI/BOOT/BOOTIA32.EFI. For 64-bit, it's EFI/BOOT/BOOTX64.EFI. Our proposal is to specify a path for key storage on the media. If the user attempts to boot off an item of removable media and finds a key file, we would like the firmware to prompt the user to install the key. Once the key is installed, the firmware will attempt to boot the bootloader on the removable media.
How does this avoid the problems associated with prompting the user to boot untrusted binaries? The first is that there's no problem with updates. Because a key has been imported, as long as future bootloader updates are signed with the same key, they'll boot without prompting the user. The second is that it can be limited to removable media. If malware infects the system and installs itself onto the hard drive, the firmware won't prompt for key installation. It'll just refuse to boot and fall back on whatever recovery procedures the OEM has implemented. The only way it could get on the system would involve the user explicitly booting off removable media, which would be a significant hurdle. If you're at that stage then you can also convince the user to disable secure boot entirely.
This proposal has been brought up with the UEFI standards working group, and with the UEFI plugfest taking place next week we're hoping it'll be discussed. It seems to satisfy the dual requirements of maintaining system security and ensuring that users have the flexibility to choose what they run on their system. But as with all technical proposals, feedback is entirely welcome.
[1] Hilariously, Microsoft's signing tool gets this wrong by also adding the contents of gaps between sections in direct contravention of their own specification. This is fine for binaries generated by Microsoft's toolchain because they don't have any gaps, but since our binaries do contain gaps[2] and since the standard firmware implementation[3] does implement the specification correctly, any Linux-generated binaries signed with the Microsoft tool fail validation. Go team.
[2] Something that is, as far as we can tell, permitted by the PE-COFF specification
[3] Written by Intel, not Microsoft
[4] Note that this means that only the specific binary is considered trusted. No key is imported, and any other binaries signed with the same key will also need to be manually trusted in the same way.
[5] As would be required if you ever want to be able to update your bootloader
[6] And to forestall panic, at this point we expect that most OEMs will provide this option on most hardware, if only because customers will still want to boot Windows 7. We do know that some hardware will ship without it. It's not implausible that some OEMs will remove it in order to reduce their support burden. But for the foreseeable future, you'll be able to buy hardware that runs Linux.
The FSF have released a statement on UEFI secure boot. It explains the fundamental issue here, which isn't something as simple as "will OEMs let me install Linux". It's "Does the end user have the ability to manage their own keys".
Secure boot is a valuable feature. It does neatly deal with the growing threat of pre-OS malware. There is an incentive for it to be supported under Linux. I discussed the technical aspects of implementing support for it here - it's not a huge deal of work, and it is being worked on. So let's not worry about that side of things. The problem is with the keys.
Secure boot is implemented in a straightforward way. Each section of a PE-COFF file is added together and a hash taken[1]. This hash is signed with the private half of a signing key and embedded into the binary. When you attempt to execute a file under UEFI, the firmware attempts to decrypt the embedded hash. This requires that the firmware have a either a copy of the public half of the signing key in its key database, or for there to be a chain of trust from the signing key to a key in its key database. Once it has the decrypted hash, it generates its own hash of the binary and compares them. If they match, the binary is executed.
What happens if it doesn't match? Per the UEFI specification, the firmware can then prompt the user and ask if they want to execute it anyway. If the user accepts then the hash of the binary is remembered[4] and can continue to be executed in future. This is similar to what you get when you visit a self-signed https site, or when you connect to an ssh server for the first time - the user must explicitly state that they trust the software that is being booted.
This is a little awkward for a couple of reasons. First, it means that any updates to the bootloader would require the user to manually accept the binary again. Second, as we've seen with https, there's the risk of uesrs just blindly accepting things. If it's acceptable to do this off internal media[5] then malware could just rely on some number of users saying "yes". And thirdly, we've been told that Microsoft's Windows logo requirements forbid this option.
The first is problematic but manageable with appropriate documentation. The second is a real risk that makes this approach far less compelling. And the third is probably a showstopper.
So signed but untrusted binaries are probably out, on technological, UI and policy grounds. What else?
We can sign binaries with a trusted key. This gets us interoperability, but comes at a cost. The first issue here is that we still don't know what the process for getting a trusted key is going to be. One option is for something like a generic Linux key that's provided by all firmware vendors. As long as the OEM doesn't remove it, then that Linux key could be used to sign other keys that are used by individual Linux vendors. The main difficulty involved in this is having the Linux key be managed by an authority that OEMs can trust to only provide keys to trustworthy organisations and maintain control of the private half of the key. Remember, if any malware is signed with any of these keys, it'll boot on any machine carrying this key. It's a lot of trust. It's not obvious that there's an organisation with sufficient trust at the moment.
The second approach is for each Linux vendor to generate their own key and get every OEM to carry it. Let's rule this out on the basis that it's an approach that doesn't scale at all. Red Hat could probably get its key into a bunch of OEM systems. Canonical too. Oracle? Probably for the vendors they care about. It's likely to be much harder for everyone else, and you still end up with the risk that you've just bought a computer that'll boot Red Hat but not Ubuntu.
The third approach is for each Linux vendor to obtain a key from someone who's already trusted. The most obvious authority here is Microsoft. Ignoring the PR unpleasantness involved with Linux vendors having to do business with Microsoft to get signed, so far Microsoft haven't given us any indication that this will be possible.
So every approach that involves us signing with a trusted key comes with associated problems. There's also a common problem with all of them - you only get to play if you have your own trusted key. Corporate Linux vendors can probably find a way to manage this. Everyone else (volunteer or hobbyist vendors, end users who want to run their own OS, anyone who wants to use a modified bootloader or kernel) is shut out.
The obvious workaround is for them to just turn off secure boot. Ignoring the arguments over whether or not OEMs will provide that option[6], it benefits nobody for Linux installation to require disabling a legitimate security feature. It's also not likely to be in a standard location on all systems and may have different naming. It's a support nightmare. Let's focus on trying to find a solution that provides the security and doesn't have obvious scaling issues.
There's a pretty simple one. If the problem centres around installing signing keys, why not have a standardised way of installing signing keys?
What we've proposed for this is an extension of the current UEFI standard for booting off removable media. There's a standardised location for putting the bootloader for USB sticks or optical media. For 32-bit PCs, it's EFI/BOOT/BOOTIA32.EFI. For 64-bit, it's EFI/BOOT/BOOTX64.EFI. Our proposal is to specify a path for key storage on the media. If the user attempts to boot off an item of removable media and finds a key file, we would like the firmware to prompt the user to install the key. Once the key is installed, the firmware will attempt to boot the bootloader on the removable media.
How does this avoid the problems associated with prompting the user to boot untrusted binaries? The first is that there's no problem with updates. Because a key has been imported, as long as future bootloader updates are signed with the same key, they'll boot without prompting the user. The second is that it can be limited to removable media. If malware infects the system and installs itself onto the hard drive, the firmware won't prompt for key installation. It'll just refuse to boot and fall back on whatever recovery procedures the OEM has implemented. The only way it could get on the system would involve the user explicitly booting off removable media, which would be a significant hurdle. If you're at that stage then you can also convince the user to disable secure boot entirely.
This proposal has been brought up with the UEFI standards working group, and with the UEFI plugfest taking place next week we're hoping it'll be discussed. It seems to satisfy the dual requirements of maintaining system security and ensuring that users have the flexibility to choose what they run on their system. But as with all technical proposals, feedback is entirely welcome.
[1] Hilariously, Microsoft's signing tool gets this wrong by also adding the contents of gaps between sections in direct contravention of their own specification. This is fine for binaries generated by Microsoft's toolchain because they don't have any gaps, but since our binaries do contain gaps[2] and since the standard firmware implementation[3] does implement the specification correctly, any Linux-generated binaries signed with the Microsoft tool fail validation. Go team.
[2] Something that is, as far as we can tell, permitted by the PE-COFF specification
[3] Written by Intel, not Microsoft
[4] Note that this means that only the specific binary is considered trusted. No key is imported, and any other binaries signed with the same key will also need to be manually trusted in the same way.
[5] As would be required if you ever want to be able to update your bootloader
[6] And to forestall panic, at this point we expect that most OEMs will provide this option on most hardware, if only because customers will still want to boot Windows 7. We do know that some hardware will ship without it. It's not implausible that some OEMs will remove it in order to reduce their support burden. But for the foreseeable future, you'll be able to buy hardware that runs Linux.
![[identity profile]](https://web.archive.org/web/20161209234706im_/http://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
It isn't secure
Date: 2011-10-19 06:31 pm (UTC)Unless of course you add something preventing downgrades which itself would also have to be bug free.
Re: It isn't secure
Date: 2011-10-19 06:41 pm (UTC)no subject
Date: 2011-10-19 08:07 pm (UTC)Perhaps someone with the ear of the standardisation committee should suggest it?
Different software can share a key
From: (Anonymous) - Date: 2011-10-20 03:05 am (UTC) - ExpandRe: Different software can share a key
From: (Anonymous) - Date: 2011-10-20 06:57 am (UTC) - ExpandI've just upgraded and there's a problem
Date: 2011-10-20 08:47 pm (UTC)Re: I've just upgraded and there's a problem
From:Re: I've just upgraded and there's a problem
From: (Anonymous) - Date: 2011-10-21 12:30 pm (UTC) - ExpandRe: I've just upgraded and there's a problem
From: (Anonymous) - Date: 2011-10-22 08:44 am (UTC) - ExpandUSB-bootable tools?
Date: 2011-10-19 06:33 pm (UTC)Re: USB-bootable tools?
Date: 2011-10-19 06:45 pm (UTC)no subject
Date: 2011-10-19 08:13 pm (UTC)While not essential, it would be really good if the BIOS showed you the fingerprint while prompting for whether or not to absorb a key.
(Relatedly, it would be nice if more USB pendrives had physical write-protect.)
Re: USB-bootable tools?
Date: 2011-10-19 08:41 pm (UTC)no subject
Date: 2011-10-19 06:39 pm (UTC)Also, in very tightly controlled environments the sysadmin might want to wind up with only their locally-generated private key trusted by the OS, but I think I'm okay with that use case requiring the sysadmin to generate a custom installation image. They're probably doing that anyway.
no subject
Date: 2011-10-19 06:50 pm (UTC)no subject
Date: 2011-10-19 06:50 pm (UTC)In the "I'm building my own software" case, you've already got a chicken-and-egg problem where either a) you've already installed this machine and you're just updating things, or b) you have another machine you're building on. In both cases you can simply sign your new software with your own key and put it on the boot media next to bootx64.efi , and enroll it during the reboot you're planning to do anyway.
key managment
Date: 2011-10-19 06:58 pm (UTC)That is the core problem with Secure Boot.
Whoever controls the keystore, controls your hardware. And the only reasonable person to do this is the owner of the hardware, not the producer.
Otherwise you could just get a game console and hope the producer will not revoke your linux access.
One of you last blogs contained: "But they can't prevent their system from running Windows 8."
That is the other half to the keystore access: I not only want to add my own keys, I also want the ability to kick every other keys out, that I do not want to trust.
I like your idea with offering to import keys from a removable media, because this is a nice way to get the key of an installer CD or similar accepted, even without the user needing to read a manual. The system directly offers the choice, without the need to "call the support to get error xyz fixed". But from the security viewpoint this is still a weakness, if the user clicks "OK" without really reading what was asked: Every bootsector virus could now offer its key.
Wouldn't it be better to just include a mandatory key manager into the BIOS? Just "List all installed keys", "Delete selected key" and "Load new key from USB/CD/..." should be sufficient. And it might even be possible to drop into this management menu, if no (correctly) signed boot loader, but a new key file is found on a media.
Re: key managment
Date: 2011-10-19 07:18 pm (UTC)This again is a support nightmare - if a system ships with already installed keys, that means we need to instruct people on how to find this in their firmware (which is likely to vary among vendors), which keys to remove, how to add a key, etc.
Re: key managment
From: (Anonymous) - Date: 2011-10-20 02:53 am (UTC) - ExpandRe: key managment
Date: 2011-10-19 10:00 pm (UTC)Lennie
Re: key managment
From: (Anonymous) - Date: 2011-10-20 07:29 pm (UTC) - ExpandRe: key managment
Date: 2011-10-19 10:12 pm (UTC)no subject
Date: 2011-10-19 09:39 pm (UTC)no subject
Date: 2011-10-19 10:41 pm (UTC)What are the wider effects of revoking a key?
From: (Anonymous) - Date: 2011-10-20 03:59 pm (UTC) - ExpandRe: What are the wider effects of revoking a key?
From:So the OS can modify the keys?
From: (Anonymous) - Date: 2011-10-20 05:15 pm (UTC) - ExpandRe: So the OS can modify the keys?
From:Re: So the OS can modify the keys?
From: (Anonymous) - Date: 2011-10-20 06:20 pm (UTC) - ExpandRe: So the OS can modify the keys?
From: (Anonymous) - Date: 2011-10-20 06:59 pm (UTC) - Expandwhat about custom keys?
Date: 2011-10-20 02:44 am (UTC)What about custom keys? There can be a hardware switch/jumper which puts the computer BIOS to configuration mode and then you can add any kind of custom certificate you want.
Why is this Idea nowhere in the space? Your all three options are still related to signing. You are trying to solve the problem "their" way.
Just like their is a BIOS jumper to lock the changes to BIOS software. We can use the same jumper to boot into a BIOS configuration mode which allows the change.
This is very simple. It is very generic and it gives you the control to your PC.
And anyway, if you have access to the hardware, you should be able to do anything with it right?
Re: what about custom keys?
Date: 2011-10-20 03:05 am (UTC)Re: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 06:00 am (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 06:03 am (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 07:06 am (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 09:39 am (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-10-23 08:45 am (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 08:09 am (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 07:35 pm (UTC) - ExpandRe: what about custom keys?
From: (Anonymous) - Date: 2011-11-03 11:43 pm (UTC) - ExpandRe: what about custom keys?
From:Re: what about custom keys?
From: (Anonymous) - Date: 2011-10-20 06:56 pm (UTC) - ExpandVendors? what about "write a bootloader"?
Date: 2011-10-20 03:49 pm (UTC)My idea would be for the BIOS to just check the signature and set a read-only "verified/unverified" flag that the OS can check, not deny booting altogether. That way I can still boot an unverified OS and the ones that care can do their own "is this line secure" verification at boot time.
Granted, this is a little more insecure (if someone subverts the windows kernel for instance to fake the secure bit to be "on" at all times, but by allowing applications to check the flag directly it would still be caught by antiviruses), but it's relatively easy to implement by vendors and MS's certification team might be convinced to accept it (maybe under threat by monopoly laws?).
FSF's reaction of just chaining themselves to trees until the problem goes away would only serve to provoke more sneers in our direction and discredit the free software community only further.
Re: Vendors? what about "write a bootloader"?
Date: 2011-10-20 05:27 pm (UTC)removable media are a pain
Date: 2011-10-20 09:34 pm (UTC)Re: removable media are a pain
Date: 2011-10-22 03:43 pm (UTC)About trust...
Date: 2011-10-21 08:59 am (UTC)Well... Personally I have a problem trusting Microsoft (and a couple of others) to care about the little user and not just about the big picture nessesary to follow the interest of investors.
I'm way past hating MS or thinking they want my soul or anything, but big companies seem to lose sight of a lot of things important to people who don't fit their profiles. It's not a matter of evil - just a mechanism that most huge companies suffer from IMHO.
A lot of these companies seem to act like it is ok to just put up a main seat in a country where they like the laws and follow these laws globally - ignoring local law (and sometimes even trying to enforce the laws they like in other parts of the world if it fits their own needs better than local law - double standard).
Anyway - My point is I don't belive MS or any other company with stratetical interests should be allowed to sit on the throne of this kind of signature. I have no simple solution though (and I don't belive it really exists).
I understand why MS wants to do this - from a security point of view - But I don't belive it will have much impact in real life unless it i dificult to disable. And if it is dificult to disable, it will be a MUST that other operating systems (like LINUX, BSD and others) have acceptable means of installing too - otherwise it will cause more trouble in the EU courtroom and hence cost everybody (both users, vendors, investors and all other taxpayers) a lot of money in the end.
Is any of this legal?
Date: 2011-10-21 01:11 pm (UTC)Which governments do you trust?
Date: 2011-10-25 06:58 am (UTC)Our Greek colleagues are already a bit cheesed off with Wall Street. How happy will they be if in future they won’t be able to install the software of their choice on their PCs, but the Turkish secret police will? See
http://www.lightbluetouchpaper.org/2011/1
Major Question
Date: 2011-11-21 12:21 am (UTC)If they can then wtf? They could do just as much good reviving the bios deny write to boot sector switch. I had in an old PC.
If you have a modern PC and you want security then don't install any extra software in fact strip down all the fat only do security updates and have no other software on your PC other than Virtualbox and run everything from a virtual environment. I would like to find an OS that's only purpose is to provide base Hardware support for Virtualbox.
Re: Major Question
Date: 2011-11-21 02:26 am (UTC)The "deny write to boot sector" option only does something if you're using the bios to access the disk. Nothing does that now.
Running older Windows may be possible with Windows 8 key
Date: 2011-12-14 07:15 pm (UTC)Re: Running older Windows may be possible with Windows 8 key
Date: 2011-12-14 07:23 pm (UTC)