UEFI Secure Boot: The story behind and where Linux stands
Dr. Udo Seidel Linux-Strategy @ Amadeus To my Mum
LinuxTag 2013 2 Agenda
● Introduction ● Keys and Signatures ● Linux and Opportunities ● What else? ● Summary
LinuxTag 2013 3 Introduction
LinuxTag 2013 4 Me ;-)
● Teacher of mathematics & physics ● PhD in experimental physics ● Started with Linux in 1996 ● Linux/UNIX trainer ● Solution engineer in HPC and CAx environment ● Head of the Linux Strategy team @Amadeus
LinuxTag 2013 5 Basic Input Output System
● Around for a while ● Insecure
● Easy to hack ● Executes anything ● Problems with big disks
LinuxTag 2013 6 (U)EFI
● Unified Extensible Firmware Interface ● First version called EFI
● HP Itanium systems ● UEFI kind of EFI NG ● Replaces BIOS ● Emulates BIOS ● See talk from Thorsten Leemhuis
LinuxTag 2013 7 Secure Boot
● Part of UEFI Specification v2.2+ ● Addresses BIOS security issues ● Mandate by Microsoft
● For Windows 8 ● Not only x86 ● See keynote from Matthew Garrett
LinuxTag 2013 8 Keys and Signatures
LinuxTag 2013 9 Trust
● Parties
● Platform ● Firmware ● Operating System ● Technique
● Asymmetric keys ● Public one part of implementation
LinuxTag 2013 10 Key master
● Platform Key (PK) ● Key Exchange Key (PK) ● Signature database (db) ● Forbidden signature database (dbx) ● Signed EFI executables
LinuxTag 2013 11 EFI instead of ELF
● Subset of PE32 specification ● Portable Executable (PE) ● See also Common Object File Format (COFF) ● PE/COFF header
● Optional part ● List of pointers ● Signatures tailing file
LinuxTag 2013 12 Firmware
● Legacy (CSM) ● UEFI
● Without Secure Boot OR ● With Secure Boot – Setup modus – User modus
LinuxTag 2013 13 Typical scenario
● Since last autumn ● UEFI Secure Boot
● Enabled if not even forced ● Microsoft 'keys' implemented
Linux locked out ?!?
LinuxTag 2013 14 Linux: Options and Opportunities
LinuxTag 2013 15 Options
● Setup modus ● Replace keys ● MS signed Linux bootloader
LinuxTag 2013 16 Option I – Setup modus
● Insecure ● Not always possible ● Facing backward
LinuxTag 2013 17 Option II – Replace keys
● Linux distribution ...
● ... specific ● ... independent ● 3rd party support needed ● Tools needed
LinuxTag 2013 18 Replacing keys – more details
● X.509 certificates ● Generation via openssl ● Tools for EFI binary signing ● Multi O/S configuration tricky
LinuxTag 2013 19 Replacing keys – tools
● pesign ● sbsigntools ● efitools
LinuxTag 2013 20 Option III – MS signed bootloader
● MS support needed ● Again: Linux distribution ...
● ... specific ● ... independent ● Bootloader maintenance?
LinuxTag 2013 21 MS signed bootloader - Idea
● Phased bootloader ● Small & static ● Between UEFI and Linux bootloader
LinuxTag 2013 22 MS signed bootloader – Loader.efi
● Linux Foundation ● To enable ALL Linux bootloaders ● No additional security ● Recently reworked ● Helper tools
● Preloader.efi ● Hashtool.efi
LinuxTag 2013 23 MS signed bootloader – the SHIM
● Originally RedHat'ish ● First version quite static ● Does not support all bootloaders
● Yes: eLILO, GRUB, GRUB2 ● No: Gummiboot, efilinux
LinuxTag 2013 24 Machine Owner
● Originally from SUSE ● Machine Owner Keys (MOK) ● Integrated in SHIMv2
LinuxTag 2013 25 Extending SB trust chain
● Several certificates
● Microsoft ● Linux distribution ● Signed bootloader ● Signed kernel core binary ● Signed kernel modules ● ..?!?
LinuxTag 2013 26 Distributor approaches
● Enterprise
● In place: Ubuntu LTS ● Announced: SUSE ● Unknown: RedHat, Oracle ● Community
● In place: Ubuntu, Fedora, openSUSE, ... ● Announced: ... ● Unknown: Debian and derivatives
LinuxTag 2013 27 What else?
LinuxTag 2013 28 ARM
● UEFI Forum since 2008 ● More strict Microsoft mandate ● UEFI ARM boards available but ...
LinuxTag 2013 29 Problems
● Samsung: firmware death ● Toshiba: Missing keys ● Lenovo: Only Windows 8 and RHEL ● Microsoft: leaked keys
LinuxTag 2013 30 Summary
LinuxTag 2013 31 Take aways
● Linux almost ready
● In general ● Enterprise sector ● Opportunity not pain ● Homework to be done
LinuxTag 2013 32 References
● http://www.uefi.org ● http://mjg59.dreamwidth.org ● http://blog.hansenpartnership.com ● http://www.sxc.hu
LinuxTag 2013 33 Thank you!
LinuxTag 2013 34 UEFI Secure Boot: The story behind and where Linux stands
Dr. Udo Seidel Linux-Strategy @ Amadeus
LinuxTag 2013 35