Slashdot Mirror
Ubuntu Lays Plans For Getting Past UEFI SecureBoot
An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to setup their own signing infrastructure separate from Microsoft."
Does only the kernel need signing or is there more to it than that for Linux?
The soylentnews experiment has been a dismal failure.
Along with draconian DRM and anti privacy laws, UEFI SecureBoot is crippling the computer as a tool.
It will take generations and countless wars to undo the damage that is currently being done.
Shouldn't I be able to load my own private key (or that of my distribution of choice) in the UEFI interface and then sign the bootloader I want with it (or use that of said distribution)? Ideally changing the key would only be possible while a jumper on the board is set.
If I trust Ubuntu, then my computer would reject the Windows bootloader and vice versa. Isn't that how it should be?
It is the bootloader that needs signing. The problem is that any bootloader capable of loading more than one (signed) kernel would defeat the purpose of secureboot. I mean the official purpose, protection against rootkits, not the actual purpose.
The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, posession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.
Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will be the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.
This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader. It's something which we haven't really seen much of since the viruses of the DOS days. I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
How do you presume they build their own laptops and x86 tablets?
The soylentnews experiment has been a dismal failure.
There are, however, easy-to-use piracy tools for Windows that do exactly that. I'm pretty sure it's a big chunk of MS motivation for the whole mess.
That's what I like about it. They're not even paying lip service to that bullshit official purpose. Red Hat made it sound like they have drank some of the Koolaide, with all their worrying about how the person who owns the computer might abuse an unsigned module to take control of their computer.
Once you're running your bootloader, then the issue is over. There is no need to further check for any other signatures or try to guarantee that the owner can't run their own code. You have satisfied the requirement and thereby gotten the computer to work.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I have multipl issues wih this whole uefi secureboot shebang.
How can it happen that one company (however large) can seemingly make most of the manufacturers to comply with their crazy ideas? The option to easily disable uefi secureboot _should_ be there on every and each motherboard (desktop, server or laptop). It should not be the manufacturer (and indirectly Microsoft) who decides what kernel and drivers (regardless f the operating system) a user or developer uses. How would anyone make custom kernels and/or modules (Linux) and/or drivers (e.g. Windows) if signing everything through a 3rd party signing service would be required every time? This is crazy.
Second, I don't like where Fedora/RH and Ubuntu are going with this. Aligning with MS on this issue is definitely not the right way to go and most people start to see this. Yet, nobody seems to want to find a way out, most seem to even have stopped protesting, or asking for mandatory secureboot disable options. There are not only 2 distros out there, there are a lot more of them, and most of them will not go along with MS-signing kernels and drivers. Also, if Ubuntu goes for a secureboot lockdown scheme, they might be good from the enterprise side, moving away from the average users, and that just might be what they want to do.
Some still say this whole thing is a non-issue and too much fuss about nothing, but if it were so, then please, for crying out loud, why is there so much smoke around about the planned existance or non-existance of a secureboot disable option? If manufacturers would just say disabling will be there always, this whole issue would just go away.
The biggest problem still is that most average users can't see the point in all this, simply don't care, thus unwillingly participating in making it worse for those, who do.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Seriously... I read the article the FIRST time this UEFI news was posted from http://mjg59.dreamwidth.org/12368.html, when it was regarding Red Hat, and the edit was already made back then. The money does not go to Microsoft! Why are people still saying this?
It is very misleading to write "Similar to Red Hat paying Microsoft to get past UEFI restrictions" when it is really not the truth.
"Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want)"
my bias: I have Linux on all of my systems, no MS OS around here. Please, stop the inaccuracies and write what is true.
But no, instead they'll institute this ludicrous dance of keys which will impair the end user's boot experience (which is what UEFI should really be all about) without adding a gram of security (loadable modules at runtime = zero advantage from using "secure" boot).
Hi Guys & Gals,
before you all get worked up, please remember that Ubuntu was founded by Mark Shuttleworth. Mark became a billionaire by running Thawte. Thawte is a certificate authority for X.509 certificates.
My take is he knows a thing or two about such infrastructures and I also think he is a positive influence for the free software world.
have a good day!
"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have,...
So that means if my bootcd's that I create or the ones that I have like Hiren's boot cd, bartpe or any other won't work anymore if its not signed by MS ? That means the IT world will get a kick in the balls with this... like Hiren's will pay for the key
Besides, Microsoft made it clear that arm computers which is loaded with windows 8 will make it impossible to disable the UEFI. in other words, no other OS will be possible. Is it me or it's a very bad idea for all of us...except Microsoft which is clear what their intent is with this crap.
This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader.
Whether or not the reasons they gave are bogus, THIS isnt true. There are TONS of rootkits out there that screw with the bootloader, which is why MBRCheck should be a standard part of everyone's rootkit removal kit. If you ever see a machine with a virus, you must assume the bootloader has been tampered with.
Off the top of my head, Sinowal and TDSS come to mind.
The point isn't to protect against bootloader infections, per se. The problem is that if you use a protection mechanism based on one layer being signed (say, signed application code), then it's made irrelevant by attacking one layer lower. So you need to sign from the bottom-most layer all the way up. That means either a signed BIOS or one that can't be changed in software, a signed bootloader, a signed kernel, signed drivers, and signed application code. The purpose of the signed bootloader isn't to protect against bootloader malware that exists now, but to protect against the bootloader malware that would appear if you started relying on a signed kernel.
I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
So turn off UEFI Secure Boot.
I meant for Microsoft to add that capability to its OWN OS. Obviously it could not enforce such a restriction in Linux; I would think there, if there were a need for such protection, someone could write a kernel module that did the same thing and was an optional component for hardened installations.
What Im saying is that rather than doing this at an EFI level and crippling all OSes, each OS maker should be responsible themselves for making sure that the MBR is untampered with.
Windows 9 will require you to insert your genitals between its spinning blades during the boot process...
Don't you worry, the secure boot system is anyway totally compromised to begin with. Anyone with a fake ID and 90 USD will be able to buy a trusted key from Microsoft. This is even more silly than the current CA system.
What you have to understand here, is that Ubuntu is only adding yet another layer of vendor lock. It's not better than the one from Microsoft.
The only REAL and TRUE freedom and equality would have been to ask all users to first type a fingerprint before they can use their computer for the first time. Having keys already installed in the BIOS by default is a pure travesty.
And don't tell me that too hard to do for the average user. There's in fact only 2 categories for which it is the case: blind people and those who shouldn't ever touch a computer anyway.
the bootloader can be configured to load a Linux kernel that chain-loads a compromised Windows kernel
That strikes me as an odd proposition.... The Windows kernel has a lot of requirements out of its bootloader. ...
While that may be true, GRUB has been booting Microsoft Windows for years now. It may have a lot of requirements, but obviously those requirements have been met.
What you might have forgotten is that boot loaders can simply call other boot loaders. It's call chaining, and it is exactly how GRUB boots Micorsoft Windows. You boot to GRUB, which might configure a thing or two (like hide Linux partitions), and then it boots NTLDR (or whatever the latest Microsoft loader is) and the Microsoft boot loader then satisfies all those requirements for the Microsoft Windows operating system.
It's absolutely possible, of course, but the sheer amount of hackery that is required to make it work is just mind boggling... at least to me. Can you link anything that explains your concept?
I won't link, but consider a mail forwarding service. They receive a letter, the might move it internally through a few mail boxes, and then eventually ship it out to you at your new address. What they don't know is that the new address could also be a mail forwarding service. Chaining two mail forwarding services together will still get the mail to the final destination address.
The above example pertains to boot loaders, except that you have the first boot loader set the environment to "boot something" which happens to not be an operating system (actually boot loaders can not differentiate between an OS and a boot loader, because at that level, there are just programs). Without the motherboard configured to only boot signed boot loaders, any number of intermediate boot loaders could be inserted which could then hijack the booting process, perhaps even to the point where they boot a pre-infected (by some means) operating system.
Hopefully this clears things up a bit. I know that boot loaders are only somewhat understood, even by those who use Linux quite a bit. I don't even pretend to be an expert, but it is clear to me that if you want to assure that a certain operating system is booted as it was delivered by the distributor, you need to control the entire boot process from power on to the kernel launch.
Linux's security model protects itself well post-kernel launch, but even Linux could be subverted by sloppy controls over the booting process.
The MBR lock actually only works for OSs that go through the BIOS calls. That means DOS and... well, that means DOS. The MBR-infecting viruses dated from the DOS days and spread via infected floppy. Leave one in your drive when you turn on the computer and it'd write to your MBR, and then to any floppy inserted.
"So turn off UEFI Secure Boot."
And how long before Microsoft and/or the OEMs start saying you can't do that?
It isn't just plausible its pretty damned obvious. Go to TPB and you'll see they have "Windows 7 all versions pre-activated" DVD which will give you ANY version from Basic to Ultimate and they all get full Windows Updates using the bootloader hack. Since the hack involves using legit OEM bootloaders to shut it down they'd have to blacklist so many OEM desktops and laptops it'd be chaos so they might as well consider Win 7 a total wash when it comes to piracy.
As someone who works in a little PC shop if anybody at MSFT with any clout reads this? i have the solution to Windows piracy without any secureboot crap, ready? Win HP at $50, Win HP family packs at $100. I saw guys who had NEVER had a legit version of Windows buy when you had Win 7 HP at $50, in fact while that was going on I don't remember seeing a pirate version around, they were all legit HP. You jacked up the price and now Craigslist is filled with $100 PCs with $300 copies of Win 7 Ultimate on them.
so take a lesson from valve MSFT, the carrot don't work. Are you forgetting what happened with Vista? You made it originally pretty damned pirate proof, even having a kill switch, remember? it BOMBED because its those same guys that actually know how to pirate that support your ass by telling their families what to buy and supporting them. lets face it you've never made your big money at retail anyway, so selling Win HP at $50 isn't gonna kill you but it WILL turn a lot of pirates into actual paying customers because at $50 frankly it isn't worth the hassle to pirate. I'll be the first to admit the reason my family is running Win 7 HP is the family packs and if it wasn't for the 3 for $100 deal they'd be running hacked pro, paying $100+ a machine for HP when the machines themselves cost $250-$350 a kit? Not worth it. there is a sweet spot MSFT, and I'd argue its Starter at $35, HP at $50, Pro and the family packs at $100.
ACs don't waste your time replying, your posts are never seen by me.
And also Windows malware that does exactly the same thing. At which point the Canonical key will be revoked, and all Linux distributions that relied on it will cease to function.
And how long before Microsoft and/or the OEMs start saying you can't do that?
Not very. And I don't have much hope given the hordes of people on the last article that honestly believed that Microsoft was being altruistic in this and that anyone questioning their motives was a conspiracy theorist/had a low IQ.
Jesus christ if they dropped a family pack version to $100 I'd buy it in a heartbeat! I've got three personal machines running Windows and I haven't bought a single license because Home Premium is $200. Never mind that I occasionally use something like XP Mode so having Ultimate was helpful. Actually right now a new Win7 HP license on Newegg is $100, presumably due a price drop in the wake of Win8. On the other hand, Win7 HP upgrade (from Vista or XP) is still $120.
It will take generations and countless wars to undo the damage that is currently being done.
Or it will take a signed bootloader that let you then load whatever you want.
That's what Canonical is paying for:
they get EFILinux signed.
EFILinux in turn can load pretty much any kernel you want.
- Either an official distro provided one.
- Or your own compiled linux kernel
- Or another system's kernel (*BSD, ReactOS, etc.)
- Or even a better/bigger bootloader like GRUB's stage2.
What we need now is the legislative framework so Microsoft can't revoke the bootloader without attracting a shitstorm of antimonopoly antitrust suits.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Also surprised with efilinux. It can load from block devices only, which omits network boot. I understand that grub2 GPL3 concerns make sense, but you would think they might go with elilo. It may be less 'active', but it is capable of doing more than efilinux, notably network deployment.
Canonical specifically stated that EFILinux could be used to a non-signed Grub2 (or maybe they could even sign it through their own infrastrucutre if they can make it GPLv3 compliant). On non-SecureUEFI machine, this is supposed to be the default behaviour they want to do (if EFILinux detects that Secure is disabled, it chains straight to Grub2).
The idea is to load the smallest possible bootloader in signed mode and then do everything else you want from that point onward.
Once EFILinux has chained to Grub2, you can do all the crazy cool stuff you want here.
Just think of EFILinux as a special type of stage1 that is compliant for SecureUEFI devices. (Well technically, the UEFI firmware is the stage1, but you got the idea).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Here's a link for an Office license for $0: http://www.libreoffice.org/
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
How/why would the chainloaded [modified] Windows boot manager refuse to run? The way UEFI Secure Boot works is that the UEFI BIOS will verify the signature on an EFI executable prior to passing control to it. The UEFI BIOS largely relinquishes control of the system to the bootloader when it executes it. The bootloader will itself call the next piece of code that runs, not the UEFI BIOS, which is why the bootloader needs to do its own signature verification on the OS (or second stage bootloader) to maintain the trust chain. But, the bootloader absolutely could pass control to something without verifying its signature. And, if that's a maliciously modified Windows bootloader, that second bootloader could be designed to execute a maliciously modified Windows kernel without verifying its signature first.