Feeds

Open-sourcers suggest Linux secure boot block workarounds

If the boot fits ...

Internet Security Threat Report 2014

The Linux Foundation has published a how-to guide for PC makers on implementing UEFI's Secure Boot functionality without preventing the post-sale installation of Linux on Windows 8 machines.

UEFI (the Unified Extensible Firmware Interface) secure boot specs currently under discussion would mean PCs would only boot from a digitally signed image. The framework is designed to guard against malware, most directly rootlets that activate as a PC boots. However critics argue the approach would effectively make it "impossible" to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs.

Any system that ships with only Microsoft keys will not boot a generic copy of Linux.

In its paper, Making UEFI Secure Boot Work With Open Platforms, the Linux Foundation offers a blueprint on how to implement UEFI. The Linux Foundation argues customers should be allowed to install their own keys, just the sort of thing Microsoft's Steven Sinofsky said should be left up to OEMs.

"All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed," the paper advises. "It should also be possible for the owner to return a system to setup mode in the future if needed."

The the Linux Foundation recommendations also cover how to support dual-boot systems and allowing Linux distros to be booted off a CD in the brave new world of secure boot.

Specifically a "firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up" and a "firmware-based mechanism for easy booting of removable media".

The paper also advocates the future establishment of an operating-system-neutral and vendor-neutral certificate authority to issue keys to third-party hardware and software vendors.

Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but there is no need for things to be that way, the paper concludes. "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements."

Canonical and Red Hat jointly published a white paper (PDF) offering their take on suggested UEFI workarounds. OEMs should "allow secure boot to be easily disabled and enabled through a firmware configuration interface", but only given physical access to the system as a precaution against the misuse of the workaround by hackers. The paper, Secure Boot Impact on Linux, was co-authored by Red Hat Developer Matthew Garrett, who was among the first to flag up concerns over the technology. Hardware should ship in setup mode, the authors further recommend.

Like the Linux Foundation, Canonical and Red Hat see benefits to secure boot technology but only if it is changed to avoid OS lockout.

"Secure boot technology can be beneficial for increasing the security of Linux installations," Garrett et al conclude. "Linux distributions should gain secure boot compatibility in order to increase protection against malware and disk encryption circumvention, provided that users’ freedoms are protected.

"Unfortunately, the current implementation recommended for secure boot makes installation of Linux more difficult and may prevent users from modifying their own systems. So, we recommend that secure boot implementations are designed around the hardware owner having full control of the security restrictions." ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Google opens Inbox – email for people too stupid to use email
Print this article out and give it to someone techy if you get stuck
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.