Feeds

Open-sourcers suggest Linux secure boot block workarounds

If the boot fits ...

Combat fraud and increase customer satisfaction

The Linux Foundation has published a how-to guide for PC makers on implementing UEFI's Secure Boot functionality without preventing the post-sale installation of Linux on Windows 8 machines.

UEFI (the Unified Extensible Firmware Interface) secure boot specs currently under discussion would mean PCs would only boot from a digitally signed image. The framework is designed to guard against malware, most directly rootlets that activate as a PC boots. However critics argue the approach would effectively make it "impossible" to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs.

Any system that ships with only Microsoft keys will not boot a generic copy of Linux.

In its paper, Making UEFI Secure Boot Work With Open Platforms, the Linux Foundation offers a blueprint on how to implement UEFI. The Linux Foundation argues customers should be allowed to install their own keys, just the sort of thing Microsoft's Steven Sinofsky said should be left up to OEMs.

"All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed," the paper advises. "It should also be possible for the owner to return a system to setup mode in the future if needed."

The the Linux Foundation recommendations also cover how to support dual-boot systems and allowing Linux distros to be booted off a CD in the brave new world of secure boot.

Specifically a "firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up" and a "firmware-based mechanism for easy booting of removable media".

The paper also advocates the future establishment of an operating-system-neutral and vendor-neutral certificate authority to issue keys to third-party hardware and software vendors.

Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but there is no need for things to be that way, the paper concludes. "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements."

Canonical and Red Hat jointly published a white paper (PDF) offering their take on suggested UEFI workarounds. OEMs should "allow secure boot to be easily disabled and enabled through a firmware configuration interface", but only given physical access to the system as a precaution against the misuse of the workaround by hackers. The paper, Secure Boot Impact on Linux, was co-authored by Red Hat Developer Matthew Garrett, who was among the first to flag up concerns over the technology. Hardware should ship in setup mode, the authors further recommend.

Like the Linux Foundation, Canonical and Red Hat see benefits to secure boot technology but only if it is changed to avoid OS lockout.

"Secure boot technology can be beneficial for increasing the security of Linux installations," Garrett et al conclude. "Linux distributions should gain secure boot compatibility in order to increase protection against malware and disk encryption circumvention, provided that users’ freedoms are protected.

"Unfortunately, the current implementation recommended for secure boot makes installation of Linux more difficult and may prevent users from modifying their own systems. So, we recommend that secure boot implementations are designed around the hardware owner having full control of the security restrictions." ®

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.