[Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?
Adam Nielsen
a.nielsen at shikadi.net
Sun Aug 5 20:13:15 EST 2012
> I very much recommend that anyone who missed Matt Garrett's LCA2012 talk on
> UEFI and secure boot take a look at it:
>
> http://www.youtube.com/watch?v=V2aq5M3Q76U&playnext=1&list=PL29F2E5E2064A6539&feature=results_main
>
> [Spoiler: we may be worried about the wrong thing]
Thanks for the link, I hadn't seen that. So it seems the problem is not being
able to add our own keys (this is possible now), rather the issue is that with
the lack of standardisation it could be very difficult for an inexperienced PC
user to figure out how to add a key that would enable them to boot a
non-Windows OS.
If this press release is going to have a call to action, what is that going to
be? All manufacturers to ensure their level 1 phone support can walk users
through the procedure across their entire range of PCs? All manufacturers to
include standardised instructions with their computers explaining how to add
keys? A request to have a standard method for adding keys? Would we have to
make our own public domain UEFI module first that does this, and then
encourage manufacturers to adopt it for use with their systems?
This is assuming every distro will have keys readily available which won't
change too often. Maybe better instructions would be a standardised way of
disabling secure boot, such as holding the X key during boot?
One thing that I'm unsure of - Matt Garrett said in the talk that any code
getting control over the system can add its own keys (e.g. one to allow
executing a malicious Windows bootloader.) So any key that loaded a Linux
kernel would likely be blacklisted, since someone could easily write a module
which adds malicious keys to the UEFI key DB.
So the only option for booting Linux seems to be to disable Secure Boot,
assuming that prevents the UEFI key DB from being modified.
If this is correct, it looks like it won't ever be possible to boot Linux with
Secure Boot enabled, while retaining the freedom of being able to compile and
install your own kernel and/or modules.
I guess this means the call to action needs to be an easy, vendor independent
way of disabling Secure Boot then?
But thinking about it, why can't we just get a signed "bootloader" which
simply offers the user the ability to disable secure boot and then reboots the
PC? We could stick that on the usual bootable media, and if someone tries to
boot it with Secure Boot enabled, it will prompt them to switch it off. If it
is off, it'll continue with the Linux install. That's pretty easy, and would
only require a one-off signing from Microsoft or whoever.
Is there anyone more familiar with UEFI who can chime in on the feasibility of
this?
Cheers,
Adam.
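The thread keeps referring to "the UEFI key DB" without showing what it contains. The following is an added example, not code from Adam's mail or the linux-aus list: it reads the SecureBoot/SetupMode variables and the db signature database through Linux's efivarfs (the real paths under /sys/firmware/efi/efivars, which carry a 4-byte attribute prefix), parses the EFI_SIGNATURE_LIST structures that db, dbx and KEK are built from, and checks a binary's SHA-256 against a dbx-style blacklist. The SAMPLE_DBX blob and its owner GUID are constructed here for offline use and are not real firmware data; on a non-UEFI machine the script falls back to them.

```python
import struct
import uuid
from hashlib import sha256
from pathlib import Path

# Standard UEFI vendor GUIDs for the variables discussed in the thread
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"      # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = Path("/sys/firmware/efi/efivars")

# Signature-type GUIDs that commonly appear in db/dbx
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",    # EFI_CERT_X509_GUID
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",  # EFI_CERT_SHA256_GUID
}


def read_efivar(name, guid):
    """Return (attributes, payload) for an efivarfs variable, or None if absent.
    efivarfs prefixes every variable with a 4-byte little-endian attribute word."""
    p = EFIVARS / f"{name}-{guid}"
    if not p.exists():
        return None
    raw = p.read_bytes()
    return struct.unpack_from("<I", raw)[0], raw[4:]


def secure_boot_state():
    """Return (SecureBoot, SetupMode) as single-byte ints, or None off UEFI.
    SecureBoot=1 means enforcement is on; SetupMode=1 means no PK is enrolled."""
    sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)
    sm = read_efivar("SetupMode", EFI_GLOBAL_VARIABLE)
    if sb is None or sm is None:
        return None
    return sb[1][0], sm[1][0]


def parse_signature_lists(blob):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (payload of db/dbx/KEK).
    Per list: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32
              | SignatureSize u32 | header[HeaderSize]
              | N x (SignatureOwner GUID(16) | SignatureData[SignatureSize-16])
    Returns [(type_name, owner_guid_str, signature_data), ...]; raises on malformed input."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body = blob[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        tname = SIG_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((tname, str(owner), body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST (no header); every entry shares one SignatureSize."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all signatures in a list must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample: a dbx-style list blacklisting two SHA-256 hashes. Not real data.
SAMPLE_OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")  # hypothetical owner GUID
SAMPLE_DBX = build_signature_list(
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"), SAMPLE_OWNER,
    [sha256(b"constructed blocked binary A").digest(),
     sha256(b"constructed blocked binary B").digest()])


def is_hash_blacklisted(dbx_blob, image_bytes):
    """True if the SHA-256 of image_bytes is listed in a parsed dbx blob."""
    h = sha256(image_bytes).digest()
    return any(t == "SHA256" and d == h for t, _, d in parse_signature_lists(dbx_blob))


if __name__ == "__main__":
    state = secure_boot_state()
    print("SecureBoot/SetupMode:", state if state else "efivarfs absent (not booted via UEFI)")
    db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE)
    blob = db[1] if db else SAMPLE_DBX  # fall back to the constructed sample
    for tname, owner, data in parse_signature_lists(blob):
        print(tname, owner, data.hex()[:32] + ("..." if len(data) > 16 else ""))
```

Run as root on a UEFI machine it lists the real db (X509 entries are DER certificates, so only the first bytes are printed); elsewhere it parses the constructed list. Note that writing db/dbx from an OS is not a plain file write: the variable carries the AUTHENTICATED_WRITE_ACCESS attribute, so an update must be signed by a key already in KEK, which is the mechanism the talk cited above is about.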