Feeds

Open-sourcers suggest Linux secure boot block workarounds

If the boot fits ...

Intelligent flash storage arrays

The Linux Foundation has published a how-to guide for PC makers on implementing UEFI's Secure Boot functionality without preventing the post-sale installation of Linux on Windows 8 machines.

UEFI (the Unified Extensible Firmware Interface) secure boot specs currently under discussion would mean PCs would only boot from a digitally signed image. The framework is designed to guard against malware, most directly rootlets that activate as a PC boots. However critics argue the approach would effectively make it "impossible" to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs.

Any system that ships with only Microsoft keys will not boot a generic copy of Linux.

In its paper, Making UEFI Secure Boot Work With Open Platforms, the Linux Foundation offers a blueprint on how to implement UEFI. The Linux Foundation argues customers should be allowed to install their own keys, just the sort of thing Microsoft's Steven Sinofsky said should be left up to OEMs.

"All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed," the paper advises. "It should also be possible for the owner to return a system to setup mode in the future if needed."

The the Linux Foundation recommendations also cover how to support dual-boot systems and allowing Linux distros to be booted off a CD in the brave new world of secure boot.

Specifically a "firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up" and a "firmware-based mechanism for easy booting of removable media".

The paper also advocates the future establishment of an operating-system-neutral and vendor-neutral certificate authority to issue keys to third-party hardware and software vendors.

Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but there is no need for things to be that way, the paper concludes. "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements."

Canonical and Red Hat jointly published a white paper (PDF) offering their take on suggested UEFI workarounds. OEMs should "allow secure boot to be easily disabled and enabled through a firmware configuration interface", but only given physical access to the system as a precaution against the misuse of the workaround by hackers. The paper, Secure Boot Impact on Linux, was co-authored by Red Hat Developer Matthew Garrett, who was among the first to flag up concerns over the technology. Hardware should ship in setup mode, the authors further recommend.

Like the Linux Foundation, Canonical and Red Hat see benefits to secure boot technology but only if it is changed to avoid OS lockout.

"Secure boot technology can be beneficial for increasing the security of Linux installations," Garrett et al conclude. "Linux distributions should gain secure boot compatibility in order to increase protection against malware and disk encryption circumvention, provided that users’ freedoms are protected.

"Unfortunately, the current implementation recommended for secure boot makes installation of Linux more difficult and may prevent users from modifying their own systems. So, we recommend that secure boot implementations are designed around the hardware owner having full control of the security restrictions." ®

Intelligent flash storage arrays

More from The Register

next story
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?