[Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?

Adam Nielsen a.nielsen at shikadi.net
Sun Aug 5 20:13:15 EST 2012


> I very much recommend that anyone who missed Matt Garrett's LCA2012 talk on
> UEFI and secure boot take a look at it:
>
> http://www.youtube.com/watch?v=V2aq5M3Q76U&playnext=1&list=PL29F2E5E2064A6539&feature=results_main
>
> [Spoiler: we may be worried about the wrong thing]

Thanks for the link, I hadn't seen that.  So it seems the problem is not being 
able to add our own keys (this is possible now), rather the issue is that with 
the lack of standardisation it could be very difficult for an inexperienced PC 
user to figure out how to add a key that would enable them to boot a 
non-Windows OS.

If this press release is going to have a call to action, what is that going to 
be?  All manufacturers to ensure their level 1 phone support can walk users 
through the procedure across their entire range of PCs?  All manufacturers to 
include standardised instructions with their computers explaining how to add 
keys?  A request to have a standard method for adding keys?  Would we have to 
make our own public domain UEFI module first that does this, and then 
encourage manufacturers to adopt it for use with their systems?

This is assuming every distro will have keys readily available which won't 
change too often.  Maybe better instructions would be a standardised way of 
disabling secure boot, such as holding the X key during boot?

One thing that I'm unsure of - Matt Garrett said in the talk that any code 
getting control over the system can add its own keys (e.g. one to allow 
executing a malicious Windows bootloader.)  So any key that loaded a Linux 
kernel would likely be blacklisted, since someone could easily write a module 
which adds malicious keys to the UEFI key DB.

So the only option for booting Linux seems to be to disable Secure Boot, 
assuming that prevents the UEFI key DB from being modified.

If this is correct, it looks like it won't ever be possible to boot Linux with 
Secure Boot enabled, while retaining the freedom of being able to compile and 
install your own kernel and/or modules.

I guess this means the call to action needs to be an easy, vendor independent 
way of disabling Secure Boot then?

But thinking about it, why can't we just get a signed "bootloader" which 
simply offers the user the ability to disable secure boot and then reboots the 
PC?  We could stick that on the usual bootable media, and if someone tries to 
boot it with Secure Boot enabled, it will prompt them to switch it off.  If it 
is off, it'll continue with the Linux install.  That's pretty easy, and would 
only require a one-off signing from Microsoft or whoever.

Is there anyone more familiar with UEFI who can chime in on the feasibility of 
this?

Cheers,
Adam.
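As an added example that is not part of this thread or of Matt Garrett's talk: a Python parser for the EFI_SIGNATURE_LIST format in which the UEFI db, dbx and KEK variables store enrolled keys, so an administrator can audit what is actually in a machine's key database (on Linux the variables are exposed under /sys/firmware/efi/efivars). The sample database, the owner GUID and the certificate bytes are constructed; only the two signature-type GUIDs come from the UEFI specification.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)

def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST holding equal-sized EFI_SIGNATURE_DATA entries."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body

def parse_signature_lists(data):
    """Walk the chain of EFI_SIGNATURE_LISTs in a db/dbx/KEK variable; one dict per entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated list header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_start, body_end = off + HEADER_LEN + hdr_size, off + list_size
        if body_end > len(data) or body_start > body_end or sig_size < 16:
            raise ValueError("inconsistent sizes in list at offset %d" % off)
        body = data[body_start:body_end]
        if len(body) % sig_size:
            raise ValueError("signature data not a multiple of SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                "data": body[i + 16:i + sig_size],
            })
        off += list_size
    return entries

def parse_efivarfs_blob(raw):
    """Files under /sys/firmware/efi/efivars carry a 4-byte attribute word before the data."""
    return parse_signature_lists(raw[4:])

# Constructed sample (not a real key database): one SHA-256 entry plus one X.509 entry with
# placeholder certificate bytes, prefixed with an efivarfs attribute word as if read from 'db'.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(range(32))])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"placeholder DER certificate"]))
```

On a real Linux system, feed `parse_efivarfs_blob` the contents of the `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file from efivarfs and compare the owners and certificate hashes against what you expect to be enrolled.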