The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed

← Back to Stories (view on slashdot.org)

The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed

Posted by Soulskill on Tuesday November 20, 2012 @10:18PM from the threatening-to-become-post-bootloader dept.

hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days." Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."

27 of 179 comments (clear)

Min score:

Reason:

Sort:

Somebody should sue Microsoft anyway by Anonymous Coward · 2012-11-20 22:33 · Score: 5, Insightful

At least in Europe they'd succeed.
1. Re:Somebody should sue Microsoft anyway by SampleFish · 2012-11-21 17:35 · Score: 3, Insightful
  
  Why is MS the one signing the bootloader in the first place? Shouldn't there be a neutral root authority like there is for any other certificate in the world? To make Linux developers ask Microsoft to sign their bootloaders sounds like a very clear conflict of interest.
Not surprised by gagol · 2012-11-20 22:35 · Score: 3, Insightful

Somehow, thay can sign town of apps and drivers on a regular basis, but signing teeny tiny code for FSF got screwed... It only validate, in my opinion, this whole secure boot shit was meant to give alternative OS a hard time.

--
Tomorrow is another day...
1. Re:Not surprised by Ynot_82 · 2012-11-20 22:43 · Score: 5, Funny
  
  town of apps
  So that's why they called their UI Metro.
  Always wondered about that
2. Re:Not surprised by wonkey_monkey · 2012-11-20 22:51 · Score: 5, Funny
  
  Good catch, typing in bed is never optimal...
  You're holding it wr- nevermind.
  
  --
  systemd is Roko's Basilisk.
3. Re:Not surprised by mwvdlee · 2012-11-20 23:02 · Score: 3, Insightful
  
  Something about contributing to stupidity instead of malice.
  I'm guessing since MS has to sign these bootloaders for relatively few cases, they're doing it atleast part manually.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Let me get this straight by DMiax · 2012-11-20 22:44 · Score: 5, Insightful

So, instead of signing with a scrap key that vendors will ignore they signed essentially with the original one, so that this bootloader will work on any PC that follows the standard? This is so awesome I don't even know at what to laugh first.
I wish LF just released this bootloader and defuse all this "secure boot" crap. Of course they will play nice and allow Microsoft to save their face... Microsoft incompetence is just appalling. They will probably end up signing malware by accident at some point, but at least you won't be able to run Linux on your PC, so mission accomplished.
Wtf? by ickleberry · 2012-11-20 22:45 · Score: 5, Insightful

We have to ask Microsoft for permission now before they give us a key that lets us install Linux on our own machines?

This is seriously not good, lads. They still have the monopoly so we should sue them till the last toothpick in their Redmond HQ are belong to us.
1. Re:Wtf? by turkeyfeathers · 2012-11-21 00:11 · Score: 5, Insightful
  
  Or just disable secure boot, which is amazingly easy to do in the first place.
  For now.
2. Re:Wtf? by Anonymous Coward · 2012-11-21 05:05 · Score: 4, Informative
  
  They are already doing this.
  On ARM, in order to use the windows logo marketing crap (you know those stupid stickers all over that otherwise nice looking laptop you last bought), there can be NO way to disable sec boot. Manufactures will cave.
  So, Yes. When they feel they can get away with it on x86 (no more winxp etc. out there), they will likely follow the path they ALREADY took with arm.
  So, not paranoia on all of our part, but burying your head in the sand on yours.
  MS has engaged in some of the most evil bus practices of any company (intentionally breaking standards so folks on wincrap have to use MS solutions for those components that should be inter-operable, stealing code, waiting out the victims money reserves in court, suing the victim back (if victim somehow was able to survive long enough to win in court, (if above failed) buying victim companies and dismantalling them, trying to sneak in fake error messages with code that detected running competitors products, senior folks like Bill G trying to steal from other senior folks while they lie in a hospital bed-- at the time, presumed to be dying, a really fucked up company. Now that apple is trying to be more evil than MS, MS seems to be doing its part to try to capture back the title of do only evil.
Not surprised at all by boorack · 2012-11-20 22:51 · Score: 4, Interesting

As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows. This "UEFI Secure Boot" does not prevent it at all. I suspected earlier that UEFI Secure Boot wasn't designed to make PCs more secure but rather to lock down PCs, so novice users trying to check out some Linux distribution will have tough time doing so. This fiasco makes me sure that this was the case and makes me wonder why antitrust authorities don't do anything about this. This is potentially more harmful than MSIE case after all.
1. Re:Not surprised at all by rsmith-mac · 2012-11-20 23:32 · Score: 5, Informative
  
  As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows.
  
  Secure Boot was designed to block malware from successfully inserting itself into the boot chain to bypass OS security measures, and that's it. Beyond that it's up to the OS to block malware from running in ring 0 or ring 3, which comes down to AV scanning, code signing, and any privilege escalation exploits abused by malware. Secure Boot closes off one important vector for malware, not all of them.
2. Re:Not surprised at all by Wattos · 2012-11-21 00:01 · Score: 4, Interesting
  
  Maybe the "Secure" in "UEFI Secure Boot" referes to securing Microsofts Monopoly and existence in the OS market?
3. Re:Not surprised at all by Paul+Jakma · 2012-11-21 00:11 · Score: 4, Insightful
  
  What people really want is that their running code is verified to be running the way it is supposed to be. This requires formal proofs of code operation - which is notoriously difficult (and impossible to do generally with arbitrary software). SecureBoot does not give that, it only attests the code image *started* as the one it was supposed to be, according to the trust anchor. SecureBoot can however make the lives of ordinary users difficult. For now, we have the ability to use our own trust anchor, or none at all. Microsoft can't yet afford to block users from running all the non-SecureBoot OSes - as these include older Windows releases.
  It's sad that so many Linux distributions and foundations are going along with this.
  
  --
  I use Friend/Foe + mod-point modifiers as a karma/reputation system.
4. Re:Not surprised at all by Anonymous Coward · 2012-11-21 00:21 · Score: 5, Insightful
  
  Secure Boot closes off one nowadays almost completely irrelevant vector for malware, not all of them.
  FTFY.
5. Re:Not surprised at all by recoiledsnake · 2012-11-21 01:04 · Score: 5, Informative
  
  As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows. This "UEFI Secure Boot" does not prevent it at all. I suspected earlier that UEFI Secure Boot wasn't designed to make PCs more secure but rather to lock down PCs, so novice users trying to check out some Linux distribution will have tough time doing so. This fiasco makes me sure that this was the case and makes me wonder why antitrust authorities don't do anything about this. This is potentially more harmful than MSIE case after all.
  If you(and others here) really want to educate yourself instead of spreading karmawhoring FUD, please read on.
  Here are some references about boot malware which UEFI secure boot will prevent.
  http://www.chmag.in/article/sep2011/rootkits-are-back-boot-infection
  http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/
  http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft
  I recommend reading atleast the first link.
  Here's one juicy bit:
  
  TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
  When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
  The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
  The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
  The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
  TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
  All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
  Another bit:
  The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo
  
  --
  This space for rent.
6. Re:Not surprised at all by AmiMoJo · 2012-11-21 01:51 · Score: 3, Interesting
  
  Actually UEFI does prevent a huge amount of it, and most important all the worst stuff that was beyond the ability of AV software to get rid of. Remember all those fake anti-virus scams? They installed a rootkit that changed the low level SATA driver which is loaded very early in the boot process. UEFI prevents an OS modified in that way from booting and the Windows 8 recovery system can detect and fix it.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
7. Re:Not surprised at all by hAckz0r · 2012-11-21 02:00 · Score: 3, Interesting
  
  Yes they can and will. That is all a part of the 'forced upgrade' plan to wealth. Microsoft will do most anything to make running an old OS more painful so you will be forced to buy from them again and again. I listen to the trials and tribulations of my coworkers trying to keep their ageing xp machines running on a daily basis. One is forced by M$ to keep the machine off the net because M$ decided that his license (part of a larger sitewide license) is now counterfit. Its used for malware testing so it does not belong on the net in the first place, but restoring and re-patching it every time it is used is a royal pain.
8. Re:Not surprised at all by marcosdumay · 2012-11-21 02:48 · Score: 4, Insightful
  
  Is there something about UEFI and secureboot that causes many folks' brains to be absolutely switched off?
  No. But it seems there are a few points that you are making an effort to ignore. Because you just quoted them, but still don't acknowledge them.
  
  --
  Rethinking email
Re:Present user test? by jimicus · 2012-11-20 22:59 · Score: 3, Informative

Likely to be much less of an issue on proper server hardware; most server vendors know full well a significant amount of the hardware they shift will never run Windows.
Microsoft banned GPL in UEFI binaries .. by dgharmon · 2012-11-20 23:04 · Score: 5, Informative

Microsoft has also banned any GNU GPLv3 licences for these binaries.

'When you get to this stage, you also have to certify that the binary " to be signed must not be licensed under GPLv3 or similar open source licenses". I assume the fear here is key disclosure but it's not at all clear (or indeed what "similar open source licences" actually are).'

--
AccountKiller
1. Re:Microsoft banned GPL in UEFI binaries .. by bWareiWare.co.uk · 2012-11-20 23:36 · Score: 4, Interesting
  
  This restriction is imposed by the GPLv3 not by Microsoft. They are just being helpful in letting you know, they can't give specifics for all other licensees out there.
2. Re:Microsoft banned GPL in UEFI binaries .. by l3v1 · 2012-11-21 00:46 · Score: 4, Insightful
  
  What? GPLv3 doesn't allow a binary of the software to be signed with a key? Do you have a citation for that? Cause it sounds... interesting.
  
  --
  I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
3. Re:Microsoft banned GPL in UEFI binaries .. by l3v1 · 2012-11-21 00:49 · Score: 4, Informative
  
  Nevermind, I looked around myself: http://www.gnu.org/licenses/gpl-faq.html#GiveUpKeys
  
  It says:
  
  "I use public key cryptography to sign my code to assure its authenticity. Is it true that GPLv3 forces me to release my private signing keys?
  
  No. The only time you would be required to release signing keys is if you conveyed GPLed software inside a User Product, and its hardware checked the software for a valid cryptographic signature before it would function. In that specific case, you would be required to provide anyone who owned the device, on demand, with the key to sign and install modified software on his device so that it will run. If each instance of the device uses a different key, then you need only give each purchaser the key for his instance."
  
  --
  I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Disabling secure boot and dual booting? by efornara · 2012-11-20 23:16 · Score: 3, Interesting

I know that new laptops shipping with Windows 8 preloaded have to allow the user to disable secure boot.
Now that some laptops are out there, does anyone know if disabling secure boot will still let you run Windows, ideally even after its partition has been resized? Or will the preinstalled Windows just refuse to boot if secure boot has been switched off?
Need to replace UEFI with CoreBoot by LinuxNeverWindows · 2012-11-20 23:50 · Score: 5, Interesting

The way of breaking that monopoly is to replace UEFI on machines with CoreBoot (http://www.coreboot.org/Welcome_to_coreboot). This still does not support enough hardware but given a bit of support from Linux friendly companies (e.g. Clevo, IBM etc) it could be done. To see CoreBoot in action have a look at the Samsung ChromeBook with CoreBoot (http://www.youtube.com/watch?v=RypqMqtTPs8).
Microsoft as gatekeeper by lasermike026 · 2012-11-21 00:09 · Score: 4, Insightful

Microsoft as gatekeeper to PC hardware is a non-starter. You can not have one company determine who will and will not use a PC. When I mean use I mean loading the operating system of the user's choice. That is using a computer, running the programs and operating system that the owner of the computer wants. One company determining how a user will use their computer best example of a monopoly.