Linux Foundation Comes Up With SecureBoot Plan
Posted by Michael Larabel on October 10, 2012
The Linux Foundation has shared their plan for how they intend to deal with UEFI SecureBoot for running Linux on PCs that have this Microsoft-pushed feature for trying to secure the system boot process.
James Bottomley has shared the LF UEFI SecureBoot plan on the behalf of the Linux Foundation and its Technical Advisory Board. The plans were shared via his blog and effectively comes down to: "The Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system). The pre-bootloader will employ a “present user” test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
As soon as the Linux Foundation is able to obtain a SecureBoot key from Microsoft, they will release this new pre-bootloader on their web-site.
Bottomley adds, "The current pre-bootloader is designed as an enabler only in that, by breaking the security verification chain at the actual bootloader, it provides no security enhancements over booting linux with UEFI secure boot turned off. Its sole purpose is to allow Linux to continue to boot on platforms that come by default with secure boot enabled."
"It is designed to be as small as possible, leaving all the work to the real bootloader. The real bootloader must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2). The pre-bootloader will attempt to execute this binary and, if that succeeds, the system will boot normally." The source to this UEFI SecureBoot pre-bootloader is currently available, but not exactly useful until the Linux Foundation receives its proper key.
Meanwhile, Ubuntu already has their own SecureBoot plans and other distributions have also been brewing their own plans.
James Bottomley has shared the LF UEFI SecureBoot plan on the behalf of the Linux Foundation and its Technical Advisory Board. The plans were shared via his blog and effectively comes down to: "The Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system). The pre-bootloader will employ a “present user” test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
As soon as the Linux Foundation is able to obtain a SecureBoot key from Microsoft, they will release this new pre-bootloader on their web-site.
Bottomley adds, "The current pre-bootloader is designed as an enabler only in that, by breaking the security verification chain at the actual bootloader, it provides no security enhancements over booting linux with UEFI secure boot turned off. Its sole purpose is to allow Linux to continue to boot on platforms that come by default with secure boot enabled."
"It is designed to be as small as possible, leaving all the work to the real bootloader. The real bootloader must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2). The pre-bootloader will attempt to execute this binary and, if that succeeds, the system will boot normally." The source to this UEFI SecureBoot pre-bootloader is currently available, but not exactly useful until the Linux Foundation receives its proper key.
Meanwhile, Ubuntu already has their own SecureBoot plans and other distributions have also been brewing their own plans.
Discuss this article in our forums, IRC channel, or email the author. You can also follow our content via RSS and on social networks like Facebook, Identi.ca, and Twitter (@Phoronix and @MichaelLarabel). Subscribe to Phoronix Premium to view our content without advertisements, view entire articles on a single page, and experience other benefits.
Copyright © 2004 - 2013 by Phoronix Media.
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).