Feeds

Open-sourcers suggest Linux secure boot block workarounds

If the boot fits ...

Combat fraud and increase customer satisfaction

The Linux Foundation has published a how-to guide for PC makers on implementing UEFI's Secure Boot functionality without preventing the post-sale installation of Linux on Windows 8 machines.

UEFI (the Unified Extensible Firmware Interface) secure boot specs currently under discussion would mean PCs would only boot from a digitally signed image. The framework is designed to guard against malware, most directly rootlets that activate as a PC boots. However critics argue the approach would effectively make it "impossible" to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs.

Any system that ships with only Microsoft keys will not boot a generic copy of Linux.

In its paper, Making UEFI Secure Boot Work With Open Platforms, the Linux Foundation offers a blueprint on how to implement UEFI. The Linux Foundation argues customers should be allowed to install their own keys, just the sort of thing Microsoft's Steven Sinofsky said should be left up to OEMs.

"All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed," the paper advises. "It should also be possible for the owner to return a system to setup mode in the future if needed."

The the Linux Foundation recommendations also cover how to support dual-boot systems and allowing Linux distros to be booted off a CD in the brave new world of secure boot.

Specifically a "firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up" and a "firmware-based mechanism for easy booting of removable media".

The paper also advocates the future establishment of an operating-system-neutral and vendor-neutral certificate authority to issue keys to third-party hardware and software vendors.

Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but there is no need for things to be that way, the paper concludes. "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements."

Canonical and Red Hat jointly published a white paper (PDF) offering their take on suggested UEFI workarounds. OEMs should "allow secure boot to be easily disabled and enabled through a firmware configuration interface", but only given physical access to the system as a precaution against the misuse of the workaround by hackers. The paper, Secure Boot Impact on Linux, was co-authored by Red Hat Developer Matthew Garrett, who was among the first to flag up concerns over the technology. Hardware should ship in setup mode, the authors further recommend.

Like the Linux Foundation, Canonical and Red Hat see benefits to secure boot technology but only if it is changed to avoid OS lockout.

"Secure boot technology can be beneficial for increasing the security of Linux installations," Garrett et al conclude. "Linux distributions should gain secure boot compatibility in order to increase protection against malware and disk encryption circumvention, provided that users’ freedoms are protected.

"Unfortunately, the current implementation recommended for secure boot makes installation of Linux more difficult and may prevent users from modifying their own systems. So, we recommend that secure boot implementations are designed around the hardware owner having full control of the security restrictions." ®

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.