Linux Foundation Offers Solution for UEFI Secure Boot
Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there have been concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome:
"The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system."
The announcement adds, "The pre-bootloader will employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
Not yet:
https://www.virtualbox.org/ticket/7702
But there's no reason it can't.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Never underestimate the dark side of the Source
From TFA:
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge.
Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?
From TFA:
To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.
So they offer a solution for your problem, but user input is required for this as well.
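An added example, not part of the original comment or the Linux Foundation's code: it reads the standard UEFI `SecureBoot` and `SetupMode` variables the way Linux exposes them through efivarfs, then maps the platform state onto the three behaviours quoted above. The function `preloader_path` and its `loader_enrolled` argument are hypothetical names; whether loader.efi's signature is already in the authorized database is supplied by the caller, and the sample bytes are constructed.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Constructed samples: 4-byte attribute word (0x06 = boot + runtime access), 1 data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar_bool(raw: bytes) -> bool:
    """Decode an efivarfs file holding a one-byte flag (attributes + data)."""
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"flag value {value} is not 0 or 1")
    return bool(value)


def read_flag(name: str, root: Path = EFIVARS) -> bool:
    """Read SecureBoot or SetupMode from efivarfs (or a test directory)."""
    return parse_efivar_bool((root / f"{name}-{EFI_GLOBAL}").read_bytes())


def preloader_path(setup_mode: bool, loader_enrolled: bool) -> str:
    """Hypothetical model of the pre-bootloader behaviour quoted from TFA."""
    if loader_enrolled:
        # Signature already installed: no present-user test on later boots.
        return "boot-without-prompt"
    if setup_mode:
        # Setup Mode: ask the user for permission to install the signature.
        return "ask-to-install-signature"
    # Otherwise: splash screen and user input before handing over control.
    return "present-user-test"


if __name__ == "__main__":
    if EFIVARS.is_dir():
        secure, setup = read_flag("SecureBoot"), read_flag("SetupMode")
        print(f"SecureBoot={secure} SetupMode={setup}")
        print("unenrolled loader.efi ->", preloader_path(setup, loader_enrolled=False))
    else:
        print("no efivarfs here (not booted via UEFI, or not mounted)")
```

On a headless machine the result for an unenrolled loader is the one that matters: anything other than `boot-without-prompt` means someone has to be at the console.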
Install Windows on my workstation? You crazy? Got any idea how much I paid for the damn thing?
Not exactly, it was signed with a weak key produced by one of their remote desktop solutions that allowed licensing of components. Microsoft has since revoked those keys and bumped up the minimum allowed key size to stop this in the future. This was NOT a case of someone stealing a Microsoft key left in the parking lot.....
Build it, Drive it, Improve it! Hybridz.org
Apple's policies only affect Apple hardware. Microsoft is pushing this on everyone.
Give me Classic Slashdot or give me death!