Feeds

Open-sourcers suggest Linux secure boot block workarounds

If the boot fits ...

The smart choice: opportunity from uncertainty

The Linux Foundation has published a how-to guide for PC makers on implementing UEFI's Secure Boot functionality without preventing the post-sale installation of Linux on Windows 8 machines.

UEFI (the Unified Extensible Firmware Interface) secure boot specs currently under discussion would mean PCs would only boot from a digitally signed image. The framework is designed to guard against malware, most directly rootlets that activate as a PC boots. However critics argue the approach would effectively make it "impossible" to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs.

Any system that ships with only Microsoft keys will not boot a generic copy of Linux.

In its paper, Making UEFI Secure Boot Work With Open Platforms, the Linux Foundation offers a blueprint on how to implement UEFI. The Linux Foundation argues customers should be allowed to install their own keys, just the sort of thing Microsoft's Steven Sinofsky said should be left up to OEMs.

"All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed," the paper advises. "It should also be possible for the owner to return a system to setup mode in the future if needed."

The the Linux Foundation recommendations also cover how to support dual-boot systems and allowing Linux distros to be booted off a CD in the brave new world of secure boot.

Specifically a "firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up" and a "firmware-based mechanism for easy booting of removable media".

The paper also advocates the future establishment of an operating-system-neutral and vendor-neutral certificate authority to issue keys to third-party hardware and software vendors.

Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but there is no need for things to be that way, the paper concludes. "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements."

Canonical and Red Hat jointly published a white paper (PDF) offering their take on suggested UEFI workarounds. OEMs should "allow secure boot to be easily disabled and enabled through a firmware configuration interface", but only given physical access to the system as a precaution against the misuse of the workaround by hackers. The paper, Secure Boot Impact on Linux, was co-authored by Red Hat Developer Matthew Garrett, who was among the first to flag up concerns over the technology. Hardware should ship in setup mode, the authors further recommend.

Like the Linux Foundation, Canonical and Red Hat see benefits to secure boot technology but only if it is changed to avoid OS lockout.

"Secure boot technology can be beneficial for increasing the security of Linux installations," Garrett et al conclude. "Linux distributions should gain secure boot compatibility in order to increase protection against malware and disk encryption circumvention, provided that users’ freedoms are protected.

"Unfortunately, the current implementation recommended for secure boot makes installation of Linux more difficult and may prevent users from modifying their own systems. So, we recommend that secure boot implementations are designed around the hardware owner having full control of the security restrictions." ®

Designing a Defense for Mobile Applications

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.