Slashdot Mirror


Matthew Garrett Makes Available Secure Bootloader For Linux Distros

TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation on and booting of Secure Boot-enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat, as he no longer works there and they may not have knowledge of the product."

32 of 274 comments

  1. Yay! by wgoodman · · Score: 5, Interesting

    I'm really proud of him and I really hope that there is no ensuing lawsuit for violating some sort of propitiatory BS.

    1. Re:Yay! by Anonymous Coward · · Score: 5, Funny

      violating some sort of propitiatory BS

      Yeah I really hate all that appeasing the gods BS, too.

    2. Re:Yay! by Anonymous Coward · · Score: 4, Interesting

      He violated nothing. The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers. Nothing stops independent HW dealers in Asia or wherever from selling directly to consumers. Look at Google, Amazon, and other large companies. They design and buy their HW direct from the manufacturer, cutting out the middle man. Cutting out the middle man is ALWAYS the right thing to do. No one is entitled to a profit. No one has the right to demand I buy from them and their overly-capitalist markup system. Screw all that.

      I am going to start looking into buying from the source, even as a consumer. I have the right to buy from the source just like a company. I'm tired of dealing with the MS tax on computers. MS was and is a monopoly. I have used Linux as my home desktop/laptop system since 1998 and now this is happening. Screw any and all who would attempt to even try and dictate my actions with HW I've paid money for.

    3. Re:Yay! by Anonymous Coward · · Score: 5, Insightful

      You should never care if it is an AC.

      It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

    4. Re:Yay! by Anonymous Coward · · Score: 5, Funny

      Cutting out the middle man is ALWAYS the right thing to do.

      Next time you're sick, I'll call the undertaker.

    5. Re:Yay! by TheRealGrogan · · Score: 4, Interesting

      Here's what's funny. The chainloaded "Grub" boot loader is actually circumventing the secure boot, because it has its own "OS kernel-like" functionality until it passes control over to the kernel components that it's booting. Grub was used to circumvent Microsoft's DRM, and now it will be used to circumvent their secure boot nonsense. I love it.

      Grub is way more complex, knowledgeable (figuratively speaking... it's got high level filesystem drivers etc.) and functional than any bootloader Microsoft would envision. They'll be crying foul. Not only will this be used to boot Linux, but it will also allow booting any other OS without signing.

  2. Kudos by cheesybagel · · Score: 4, Funny

    The man delivered! I really hate not being able to use GRUB or some other bootloader anymore. Why the heck can't I choose what to install on the computer I bought with my own money? Imagine you were Linus Torvalds trying to write your own operating system but in a computer with UEFI enabled.

    The way to get the key is also particularly weird. It's like Microsoft has gone out of their way to make it so you need to use Windows to get a key. .CAB files, Silverlight applications, .exe to generate a key, etc.

    You can't even choose not to enable UEFI anymore. I bought a 3 TB hard disk recently and the BIOS isn't able to see anything above 2 TB on a non-UEFI system without GPT partitions.

    1. Re:Kudos by recoiledsnake · · Score: 4, Informative

      First UEFI != UEFI Secure Boot.

      Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.

      Third, the keys are editable, i.e. you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft, and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are set up that way to stop undetectable bootkits infecting your mom's computer because she just wants to run Excel and doesn't know or care about signing keys and hashes.

      There is so much FUD and misinformation being spread by stupid people.

      --
      This space for rent.
    2. Re:Kudos by bmo · · Score: 4, Informative

      But to get your own key, you have to shell out 99 bucks.

      That's fucking galling. It's a tax.

      --
      BMO

    3. Re:Kudos by jonwil · · Score: 4, Informative

      No.
      The $99 fee is if you want to get stuff signed with the default Microsoft keys (or rather, with a chain-of-trust that ties back to the default Microsoft keys)

      Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.

    4. Re:Kudos by cheesybagel · · Score: 4, Interesting

      The Microsoft key comes pre-loaded with every BIOS. Try installing your own key in the UEFI boot key store and see how easy that is. Microsoft users just pop in a DVD and install. Linux users can't do that.

    5. Re:Kudos by greenbird · · Score: 4, Informative

      Second of all, it isn't that bad. There are GUI screens navigable with a mouse (unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

      It's a much bigger deal than apologists are making it out to be. It's a big step in making the switch to Linux MUCH more difficult.

      For the last ten years or so Linux has been easier to install on a raw machine than Windows. Microsoft finally came up with a way to reverse that. And of course it has nothing to do with making their OS easier to install.

      Also no more booting a live CD/DVD so you can try things out or show them to someone. No more Knoppix STD when you're trying to figure out what crap your mom got on her computer this time or recover data from a flaked hard drive. Etc, etc...

      --
      Who is John Galt?
  3. Fuck secure boot. by bmo · · Score: 4, Insightful

    I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is acquiescing to the concept and "working with it."

    Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarrassed into doing the right thing.

    Secure boot was never about protecting the end user.

    --
    BMO

    1. Re:Fuck secure boot. by budr · · Score: 3, Insightful

      What BMO said. Where's a +10 when you need it.

    2. Re:Fuck secure boot. by zakeria · · Score: 4, Insightful

      Exactly; this is just another attempt to stifle any forthcoming competition in the OS development arena and at the same time helping to cement the belief in people that the PC only has one true OS that should be running on the machine, namely Microsoft Windows!

    3. Re:Fuck secure boot. by bmo · · Score: 4, Informative

      "Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completely AND for the user to install new keys of their choice."

      A half truth is a whole lie.

      Stop lying.

      The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED AND MUST NEVER BE TURNED OFF

      Shill.

      --
      BMO

    4. Re:Fuck secure boot. by Multiplicity · · Score: 4, Informative

      No, no, no. You got it wrong.

      I hate this whole kerfuffle as much as everybody, but the part about not being able to load self signed keys isn't correct. You can load self-signed keys into the UEFI boot key-store right from the UEFI UI. Of course that will prevent Windows 8+ from booting, but that's another story. You can disable it altogether, with the same result.

      So you can either disable secure boot or have your own chain of trust separated from Microsoft and boot other OSes. BUT if you want to boot Windows 8+ you have to enable it and use Microsoft's chain of trust, and it is in THAT case, when you want to also boot other OSes, that you must have the other OSes' bootloaders signed by Microsoft.

      This shim bootloader represents a convenience to the users of that specific case (which indeed is the most common one). They have a "generic" Microsoft-signed bootloader along with some tools to extend a chain of trust from that bootloader to another one, and this second one won't have to get through the dreaded certification process (which indeed forces you to use Windows).

      The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boycott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistake, if UEFI didn't exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

      The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last in that environment.

    5. Re:Fuck secure boot. by mjg59 · · Score: 5, Informative

      "With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"

      openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -outform DER -out sig.crt -keyout signing_key.priv

      And then enrol it with mokutil or MokManager from shim.

  4. Re:How does this work? by Kergan · · Score: 5, Informative

    In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.

    In more complicated terms, I'll defer to the wiki page.

  5. Re:How does this work? by schitso · · Score: 4, Insightful

    thus preventing people from using their hardware as they see fit.

    FTFY

  6. Re:Clarification by MysteriousPreacher · · Score: 5, Funny

    Micro$oft and Windoze? Have you recently emerged from 15 years in stasis? To bring you up to date...

    Madonna is still shit and now looks like Iggy Pop.
    9/11
    Year of Linux on the desktop is imminent
    The president's black
    The Rolling Stones aren't dead
    We sent cool shit to Mars
    World didn't end but will end again later this month

    --
    Using the preview button since 2005
  7. Doesn't work by Anonymous Coward · · Score: 4, Insightful

    I happen to have a computer with Secure Boot enabled by default. Matthew Garrett's boot loader doesn't work while Secure Boot is enabled. The reason being that the machine will not (repeat not) boot from any device except the hard drive unless Secure Boot is first disabled. The steps to load any OS, with or without Secure Boot support, go like this:

    Enter into UEFI control panel.
    Disable Secure Boot
    Enable Legacy boot options
    Enable specific Legacy device, such as DVD drive
    Save settings and reboot.
    Change boot device to DVD

    If Secure Boot is turned on, "Legacy" devices can not be used to boot the computer. Therefore having this boot loader doesn't do any good on machines with Secure Boot enabled. It has to be turned off just to access the installation media.

    1. Re:Doesn't work by mjg59 · · Score: 4, Informative

      If your system currently has Windows 8 installed, then do this:

      1) Insert the install media
      2) Mouse to the bottom right
      3) Select "Settings"
      4) Click "Power"
      5) While holding down shift, click "Restart"
      6) Click "Use a device"
      7) Click your install media

      This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.

  8. Re:Clarification by Nerdfest · · Score: 4, Insightful

    Of course you can add to that list:
      - Microsoft still doing things to suppress competition.
      - Apple has joined them.

    They earned that dollar sign. The OS is a bit better behaved than 15 years ago, although NT was pretty quick.

  9. Re:Do not disagree with Garrett by Anonymous Coward · · Score: 3, Interesting

    Why does it matter? Because it could ruin your reputation, even wreck your career?
    http://www.itwire.com/business-it-news/open-source/57290-garrett-slams-tso-as-rape-apologist

    Garrett is scum.

  10. Must ship with a way to turn off Secure Boot by tepples · · Score: 4, Informative

    Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off.

  11. Secure Boot in custom mode by tepples · · Score: 3, Informative

    With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

    By setting Secure Boot to custom mode and installing the self-signed key. Microsoft requires makers of x86 and x86-64 PCs to allow neutering Secure Boot as a condition for Windows 8 certification, just like Google requires a device to have Android Debug Bridge open as a condition for access to the Google Play Store. The strict game-console-style lockdown is only for Windows RT.

  12. Re:Clarification by serviscope_minor · · Score: 4, Funny

    And Duke Nukem Forever was released.

    --
    SJW n. One who posts facts.
  13. Re:How does this work? by scheme · · Score: 4, Informative

    Right, because you have no right to do that with a device you supposedly own.

    The specs already require that the x86 EFI allows you to load your own key. This is just something to let you install and use linux or other OSes without having to go through the process of loading your own keys into the bios and instead using the ms key that's already been loaded.

    --
    "When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
  14. Re:Making No Sense by mjg59 · · Score: 4, Informative

    Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.

  15. Re:How does this work? by LordLimecat · · Score: 4, Insightful

    Why couldn't the romanian hackers use the signed chainloader to load their code?

  16. Re:How does this work? by AdamWill · · Score: 5, Informative

    Try reading the OP.

    This is a build of shim that's signed by Microsoft. It has particular properties. It is intended to be distributed by small Linux distros, with their own key as config data. When you boot it, it offers you the option to trust a single specific key - the key it was provided to you with. You have to specifically perform a certain operation to trust the key.

    What all this wiggling achieves is to allow you to say 'I trust the entity that provided me with this key to provide an operating system for my machine'. The safeguards prevent it from being used for malware, unless you're _really_ dumb and, when this screen pops up on your system after you install something you didn't think was an operating system, you carefully jump through all the hoops to allow it to nerf your system.

    So Microsoft is happy because the malware path is very unlikely to occur, and the Linux distributor is happy because if the person really is installing an alternative OS, all they have to do is navigate a menu once in order to say that OS's key is trusted, and from then on, that OS can function with SB enabled indefinitely.

    Clear?
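Taken together, mjg59's answer (generate a self-signed certificate, enrol it with mokutil/MokManager) and AdamWill's description of what shim does with that one extra key come down to three data structures and one ordered decision: the firmware's db and dbx variables, shim's own MokList, and the order in which shim consults them before it will run GRUB. The Python below is an added example written for this page; it is not shim's source and nothing in the thread ships it. It serialises and parses EFI_SIGNATURE_LIST structures (the format db, dbx and MokList actually use, and what a DER certificate gets wrapped in on enrolment), then models shim's allow/deny order on a toy image. The certificate bytes, image bytes and owner GUID are constructed placeholders; real shim computes the Authenticode PE hash and verifies the signature cryptographically, both of which are reduced here to SHA-256 of the bytes and byte equality of the signer certificate.

```python
"""Model of the UEFI Secure Boot signature databases and shim's trust decision.

Added example for this thread, not shim's code. Certificate bytes, image bytes
and the owner GUID are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner is informational only; this value is made up for the example.
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")

# SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)
ESL_HEADER = 28


def build_esl(sig_type: uuid.UUID, entries: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    if not entries or any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("an EFI_SIGNATURE_LIST needs >= 1 equal-sized entries")
    sig_size = 16 + len(entries[0])            # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = ESL_HEADER + sig_size * len(entries)
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(OWNER_GUID.bytes_le + e for e in entries)


def parse_esls(blob: bytes) -> list[tuple[uuid.UUID, bytes]]:
    """Walk concatenated EFI_SIGNATURE_LISTs (the raw content of db/dbx/MokList)."""
    found: list[tuple[uuid.UUID, bytes]] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        # Bounds checks on attacker-influenced lengths; skipping them is a classic firmware bug.
        if list_size < ESL_HEADER or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + ESL_HEADER + hdr_size
        while pos + sig_size <= end:
            found.append((sig_type, blob[pos + 16:pos + sig_size]))  # drop the owner GUID
            pos += sig_size
        off = end
    return found


def shim_decision(image: bytes, signer: bytes | None, db: bytes, dbx: bytes,
                  mok: bytes, vendor_cert: bytes) -> str:
    """Apply shim's order: deny list first, then db, then MokList, then the
    vendor certificate compiled into shim. `signer` stands in for the certificate
    that signed the PE image (real shim verifies the Authenticode signature)."""
    digest = hashlib.sha256(image).digest()      # stand-in for the Authenticode PE hash
    denied = parse_esls(dbx)
    if (EFI_CERT_SHA256_GUID, digest) in denied or (EFI_CERT_X509_GUID, signer) in denied:
        return "deny: listed in dbx"
    for name, allowed in (("db", parse_esls(db)), ("MokList", parse_esls(mok))):
        if (EFI_CERT_SHA256_GUID, digest) in allowed:
            return f"allow: hash in {name}"
        if signer is not None and (EFI_CERT_X509_GUID, signer) in allowed:
            return f"allow: signer in {name}"
    if signer is not None and signer == vendor_cert:
        return "allow: signer is shim's vendor certificate"
    return "deny: no trust anchor (shim would drop into MokManager to offer enrolment)"


def demo() -> dict[str, str]:
    """Walk through the thread's scenario with constructed placeholders."""
    ms_ca = b"\x30\x82" + b"placeholder DER: Microsoft UEFI CA"
    distro = b"\x30\x82" + b"placeholder DER: small-distro key"
    vendor = b"\x30\x82" + b"placeholder DER: shim vendor cert"
    grub = b"constructed GRUB image"
    old_grub = b"constructed revoked GRUB image"
    db = build_esl(EFI_CERT_X509_GUID, [ms_ca])                                # as shipped by the OEM
    dbx = build_esl(EFI_CERT_SHA256_GUID, [hashlib.sha256(old_grub).digest()])  # a revoked binary
    out = {}
    out["before enrol"] = shim_decision(grub, distro, db, dbx, b"", vendor)
    # Enrolling sig.crt (mokutil --import, confirmed in MokManager at reboot)
    # lands the DER certificate in MokList wrapped exactly like this:
    mok = build_esl(EFI_CERT_X509_GUID, [distro])
    out["after enrol"] = shim_decision(grub, distro, db, dbx, mok, vendor)
    out["revoked"] = shim_decision(old_grub, distro, db, dbx, mok, vendor)
    out["vendor signed"] = shim_decision(grub, vendor, db, dbx, b"", vendor)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} -> {verdict}")
```

To look at what a real machine trusts and revokes, read the efivars files for db and dbx (`/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and the matching `dbx-...` file) and shim's `MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23`, strip the 4-byte attribute prefix the efivars filesystem prepends, and hand the rest to `parse_esls`. The dbx-first ordering is the point worth keeping in mind: enrolling a distro key in MokList does nothing for a binary whose hash has already been revoked, which is exactly how a signed-but-vulnerable bootloader is supposed to be kept out.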