UEFI Secure Boot: the Story Behind and Where Linux Stands

UEFI Secure Boot: The story behind and where Linux stands

Dr. Udo Seidel Linux-Strategy @ Amadeus To my Mum

LinuxTag 2013 2 Agenda

● Introduction ● Keys and Signatures ● Linux and Opportunities ● What else? ● Summary

LinuxTag 2013 3 Introduction

LinuxTag 2013 4 Me ;-)

● Teacher of mathematics & physics ● PhD in experimental physics ● Started with Linux in 1996 ● Linux/UNIX trainer ● Solution engineer in HPC and CAx environment ● Head of the Linux Strategy team @Amadeus

LinuxTag 2013 5 Basic Input Output System

● Around for a while ● Insecure

● Easy to hack ● Executes anything ● Problems with big disks

LinuxTag 2013 6 (U)EFI

● Unified Extensible Firmware Interface ● First version called EFI

● HP Itanium systems ● UEFI kind of EFI NG ● Replaces BIOS ● Emulates BIOS ● See talk from Thorsten Leemhuis

LinuxTag 2013 7 Secure Boot

● Part of UEFI Specification v2.2+ ● Addresses BIOS security issues ● Mandate by Microsoft

● For Windows 8 ● Not only x86 ● See keynote from Matthew Garrett

LinuxTag 2013 8 Keys and Signatures

LinuxTag 2013 9 Trust

● Parties

● Platform ● Firmware ● Operating System ● Technique

● Asymmetric keys ● Public one part of implementation

LinuxTag 2013 10 Key master

● Platform Key (PK) ● Key Exchange Key (PK) ● Signature database (db) ● Forbidden signature database (dbx) ● Signed EFI executables

LinuxTag 2013 11 EFI instead of ELF

● Subset of PE32 specification ● Portable Executable (PE) ● See also Common Object File Format (COFF) ● PE/COFF header

● Optional part ● List of pointers ● Signatures tailing file

LinuxTag 2013 12 Firmware

● Legacy (CSM) ● UEFI

● Without Secure Boot OR ● With Secure Boot – Setup modus – User modus

LinuxTag 2013 13 Typical scenario

● Since last autumn ● UEFI Secure Boot

● Enabled if not even forced ● Microsoft 'keys' implemented

Linux locked out ?!?

LinuxTag 2013 14 Linux: Options and Opportunities

LinuxTag 2013 15 Options

● Setup modus ● Replace keys ● MS signed Linux bootloader

LinuxTag 2013 16 Option I – Setup modus

● Insecure ● Not always possible ● Facing backward

LinuxTag 2013 17 Option II – Replace keys

● Linux distribution ...

● ... specific ● ... independent ● 3rd party support needed ● Tools needed

LinuxTag 2013 18 Replacing keys – more details

● X.509 certificates ● Generation via openssl ● Tools for EFI binary signing ● Multi O/S configuration tricky

LinuxTag 2013 19 Replacing keys – tools

● pesign ● sbsigntools ● efitools

LinuxTag 2013 20 Option III – MS signed bootloader

● MS support needed ● Again: Linux distribution ...

● ... specific ● ... independent ● Bootloader maintenance?

LinuxTag 2013 21 MS signed bootloader - Idea

● Phased bootloader ● Small & static ● Between UEFI and Linux bootloader

LinuxTag 2013 22 MS signed bootloader – Loader.efi

● Linux Foundation ● To enable ALL Linux bootloaders ● No additional security ● Recently reworked ● Helper tools

● Preloader.efi ● Hashtool.efi

LinuxTag 2013 23 MS signed bootloader – the SHIM

● Originally RedHat'ish ● First version quite static ● Does not support all bootloaders

● Yes: eLILO, GRUB, GRUB2 ● No: Gummiboot, efilinux

LinuxTag 2013 24 Machine Owner

● Originally from SUSE ● Machine Owner Keys (MOK) ● Integrated in SHIMv2

LinuxTag 2013 25 Extending SB trust chain

● Several certificates

● Microsoft ● Linux distribution ● Signed bootloader ● Signed kernel core binary ● Signed kernel modules ● ..?!?

LinuxTag 2013 26 Distributor approaches

● Enterprise

● In place: Ubuntu LTS ● Announced: SUSE ● Unknown: RedHat, Oracle ● Community

● In place: Ubuntu, Fedora, openSUSE, ... ● Announced: ... ● Unknown: Debian and derivatives

LinuxTag 2013 27 What else?

LinuxTag 2013 28 ARM

● UEFI Forum since 2008 ● More strict Microsoft mandate ● UEFI ARM boards available but ...

LinuxTag 2013 29 Problems

● Samsung: firmware death ● Toshiba: Missing keys ● Lenovo: Only Windows 8 and RHEL ● Microsoft: leaked keys

LinuxTag 2013 30 Summary

LinuxTag 2013 31 Take aways

● Linux almost ready

● In general ● Enterprise sector ● Opportunity not pain ● Homework to be done

LinuxTag 2013 32 References

● http://www.uefi.org ● http://mjg59.dreamwidth.org ● http://blog.hansenpartnership.com ● http://www.sxc.hu

LinuxTag 2013 33 Thank you!

LinuxTag 2013 34 UEFI Secure Boot: The story behind and where Linux stands

Dr. Udo Seidel Linux-Strategy @ Amadeus

LinuxTag 2013 35