Linux 6.9 Makes A Change To Satisfy Microsoft For EFI x86 Shim Loader Signing

Written by Michael Larabel in Linux Kernel on 13 March 2024 at 08:02 PM EDT. 18 Comments
LINUX KERNEL
The EFI updates were merged today for the ongoing Linux 6.9 merge window. This cycle the EFI kernel code is seeing enhancements for confidential computing as well as a change to satisfy Microsoft's requirements for signing the x86 shim loader again for UEFI Secure Boot handling.

The EFI changes for Linux 6.9 allow using the Confidential Computing (CC) protocol should the TCG2 protocol not be supported, as is the case for Intel Trust Domain Extensions (TDX) confidential virtual machines. The Microsoft-driven change ensures that mappings are never both writable and executable while running in the EFI boot services. Avoiding writable-and-executable (W+X) mappings is good security practice in general, but here it is also a prerequisite for getting Microsoft to re-sign the x86 shim loader so that Linux distributions keep installing cleanly on Secure Boot enabled systems.

The merge request by Ard Biesheuvel notes:

- Measure initrd and command line using the CC protocol if the ordinary TCG2 protocol is not implemented, typically on TDX confidential VMs

- Avoid creating mappings that are both writable and executable while running in the EFI boot services. This is a prerequisite for getting the x86 shim loader signed by Microsoft again, which allows the distros to install on x86 PCs that ship with EFI secure boot enabled.

- API update for struct platform_driver::remove()

This new EFI code is good to go for Linux 6.9, which is expected to debut as stable around the middle of 2024.
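To make the W^X requirement concrete, here is an added example (not kernel code and not part of Ard Biesheuvel's merge request) that audits a UEFI memory map for regions lacking both the EFI_MEMORY_RO and EFI_MEMORY_XP protection bits, then enforces the rule by dropping write access from code regions and execute access from everything else. The attribute bits and memory type values are the ones defined in the UEFI specification; the `efi_mem_desc` struct is a trimmed-down, hypothetical mirror of EFI_MEMORY_DESCRIPTOR, and the sample map is constructed for the example, not captured from real firmware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory attribute bits and memory types as defined by the UEFI specification. */
#define EFI_MEMORY_XP      0x0000000000004000ULL /* execute-protect: no instruction fetch */
#define EFI_MEMORY_RO      0x0000000000020000ULL /* read-only: no writes */
#define EFI_MEMORY_RUNTIME 0x8000000000000000ULL /* region needed at runtime */

enum {
    EfiLoaderCode = 1, EfiLoaderData, EfiBootServicesCode, EfiBootServicesData,
    EfiRuntimeServicesCode, EfiRuntimeServicesData, EfiConventionalMemory
};

/* Hypothetical, trimmed-down mirror of EFI_MEMORY_DESCRIPTOR for this example. */
struct efi_mem_desc {
    uint32_t type;
    uint64_t phys_start;
    uint64_t num_pages;   /* 4 KiB pages */
    uint64_t attribute;
};

/* A region is W+X when neither the RO nor the XP protection bit is set. */
bool desc_is_wx(const struct efi_mem_desc *d)
{
    bool writable   = !(d->attribute & EFI_MEMORY_RO);
    bool executable = !(d->attribute & EFI_MEMORY_XP);
    return writable && executable;
}

/* Code-carrying memory types: these keep execute and lose write. */
bool is_code_type(uint32_t type)
{
    return type == EfiLoaderCode || type == EfiBootServicesCode ||
           type == EfiRuntimeServicesCode;
}

/* Count W+X regions in a map, optionally printing each offender. */
size_t count_wx_regions(const struct efi_mem_desc *map, size_t n, bool report)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!desc_is_wx(&map[i]))
            continue;
        bad++;
        if (report)
            printf("W+X: type %u at 0x%llx (%llu pages)\n", (unsigned)map[i].type,
                   (unsigned long long)map[i].phys_start,
                   (unsigned long long)map[i].num_pages);
    }
    return bad;
}

/* Enforce W^X in place: code regions lose write, everything else loses execute.
 * Returns the number of descriptors that were changed. */
size_t harden_map(struct efi_mem_desc *map, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!desc_is_wx(&map[i]))
            continue;
        map[i].attribute |= is_code_type(map[i].type) ? EFI_MEMORY_RO : EFI_MEMORY_XP;
        changed++;
    }
    return changed;
}

/* Constructed sample map (not a real firmware dump): exactly one region is W+X. */
const struct efi_mem_desc sample_map[] = {
    { EfiLoaderCode,          0x100000, 64,  EFI_MEMORY_RO },
    { EfiLoaderData,          0x140000, 128, EFI_MEMORY_XP },
    { EfiBootServicesData,    0x200000, 256, 0 },             /* neither RO nor XP */
    { EfiRuntimeServicesCode, 0x300000, 32,  EFI_MEMORY_RO | EFI_MEMORY_RUNTIME },
};
const size_t sample_map_len = sizeof(sample_map) / sizeof(sample_map[0]);

int main(void)
{
    struct efi_mem_desc map[sizeof(sample_map) / sizeof(sample_map[0])];
    memcpy(map, sample_map, sizeof(sample_map));

    printf("before: %zu W+X region(s)\n", count_wx_regions(map, sample_map_len, true));
    printf("hardened %zu descriptor(s)\n", harden_map(map, sample_map_len));
    printf("after: %zu W+X region(s)\n", count_wx_regions(map, sample_map_len, false));
    return 0;
}
```

The audit reports the boot-services data region as the single W+X offender; after hardening it carries EFI_MEMORY_XP and the map is W^X-clean. The same two-bit check is what a reviewer would apply to any firmware or loader memory map when assessing whether it meets the signing requirement described above.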