UEFI Secure Boot: The story behind and where Linux stands Dr. Udo Seidel Linux-Strategy @ Amadeus To my Mum LinuxTag 2013 2 Agenda ● Introduction ● Keys and Signatures ● Linux and Opportunities ● What else? ● Summary LinuxTag 2013 3 Introduction LinuxTag 2013 4 Me ;-) ● Teacher of mathematics & physics ● PhD in experimental physics ● Started with Linux in 1996 ● Linux/UNIX trainer ● Solution engineer in HPC and CAx environment ● Head of the Linux Strategy team @Amadeus LinuxTag 2013 5 Basic Input Output System ● Around for a while ● Insecure ● Easy to hack ● Executes anything ● Problems with big disks LinuxTag 2013 6 (U)EFI ● Unified Extensible Firmware Interface ● First version called EFI ● HP Itanium systems ● UEFI kind of EFI NG ● Replaces BIOS ● Emulates BIOS ● See talk from Thorsten Leemhuis LinuxTag 2013 7 Secure Boot ● Part of UEFI Specification v2.2+ ● Addresses BIOS security issues ● Mandate by Microsoft ● For Windows 8 ● Not only x86 ● See keynote from Matthew Garrett LinuxTag 2013 8 Keys and Signatures LinuxTag 2013 9 Trust ● Parties ● Platform ● Firmware ● Operating System ● Technique ● Asymmetric keys ● Public one part of implementation LinuxTag 2013 10 Key master ● Platform Key (PK) ● Key Exchange Key (PK) ● Signature database (db) ● Forbidden signature database (dbx) ● Signed EFI executables LinuxTag 2013 11 EFI instead of ELF ● Subset of PE32 specification ● Portable Executable (PE) ● See also Common Object File Format (COFF) ● PE/COFF header ● Optional part ● List of pointers ● Signatures tailing file LinuxTag 2013 12 Firmware ● Legacy (CSM) ● UEFI ● Without Secure Boot OR ● With Secure Boot – Setup modus – User modus LinuxTag 2013 13 Typical scenario ● Since last autumn ● UEFI Secure Boot ● Enabled if not even forced ● Microsoft 'keys' implemented Linux locked out ?!? LinuxTag 2013 14 Linux: Options and Opportunities LinuxTag 2013 15 Options ● Setup modus ● Replace keys ● MS signed Linux bootloader LinuxTag 2013 16 Option I – Setup modus ● Insecure ● Not always possible ● Facing backward LinuxTag 2013 17 Option II – Replace keys ● Linux distribution ... ● ... specific ● ... independent ● 3rd party support needed ● Tools needed LinuxTag 2013 18 Replacing keys – more details ● X.509 certificates ● Generation via openssl ● Tools for EFI binary signing ● Multi O/S configuration tricky LinuxTag 2013 19 Replacing keys – tools ● pesign ● sbsigntools ● efitools LinuxTag 2013 20 Option III – MS signed bootloader ● MS support needed ● Again: Linux distribution ... ● ... specific ● ... independent ● Bootloader maintenance? LinuxTag 2013 21 MS signed bootloader - Idea ● Phased bootloader ● Small & static ● Between UEFI and Linux bootloader LinuxTag 2013 22 MS signed bootloader – Loader.efi ● Linux Foundation ● To enable ALL Linux bootloaders ● No additional security ● Recently reworked ● Helper tools ● Preloader.efi ● Hashtool.efi LinuxTag 2013 23 MS signed bootloader – the SHIM ● Originally RedHat'ish ● First version quite static ● Does not support all bootloaders ● Yes: eLILO, GRUB, GRUB2 ● No: Gummiboot, efilinux LinuxTag 2013 24 Machine Owner ● Originally from SUSE ● Machine Owner Keys (MOK) ● Integrated in SHIMv2 LinuxTag 2013 25 Extending SB trust chain ● Several certificates ● Microsoft ● Linux distribution ● Signed bootloader ● Signed kernel core binary ● Signed kernel modules ● ..?!? LinuxTag 2013 26 Distributor approaches ● Enterprise ● In place: Ubuntu LTS ● Announced: SUSE ● Unknown: RedHat, Oracle ● Community ● In place: Ubuntu, Fedora, openSUSE, ... ● Announced: ... ● Unknown: Debian and derivatives LinuxTag 2013 27 What else? LinuxTag 2013 28 ARM ● UEFI Forum since 2008 ● More strict Microsoft mandate ● UEFI ARM boards available but ... LinuxTag 2013 29 Problems ● Samsung: firmware death ● Toshiba: Missing keys ● Lenovo: Only Windows 8 and RHEL ● Microsoft: leaked keys LinuxTag 2013 30 Summary LinuxTag 2013 31 Take aways ● Linux almost ready ● In general ● Enterprise sector ● Opportunity not pain ● Homework to be done LinuxTag 2013 32 References ● http://www.uefi.org ● http://mjg59.dreamwidth.org ● http://blog.hansenpartnership.com ● http://www.sxc.hu LinuxTag 2013 33 Thank you! LinuxTag 2013 34 UEFI Secure Boot: The story behind and where Linux stands Dr. Udo Seidel Linux-Strategy @ Amadeus LinuxTag 2013 35.