UEFI Secure Boot – Windows 8 vs Linux
Last week, Microsoft showcased Windows 8 PCs with super fast boot thanks to the Unified Extensible Firmware Interface (UEFI). The latest UEFI standard, released on April 8, includes a secure boot protocol which will be required for Windows 8 clients. Secure UEFI is intended to thwart rootkit infections by requiring keys before allowing executables or drivers to be loaded onto the device. Problem is, such keys can also be used to keep the PC’s owner from wiping out the current OS and installing another option such as Linux.
It all started with slide 11 in one Powerpoint presentation entitled “Delivering a secure and fast boot experience with UEFI” presented by Arie van der Hoeven, Principal Lead Program Manager Microsoft Corporation during Build conference:
- Current issues with boot
- Growing class of malware targets the boot path
- Often the only fix is to reinstall the operating system
- UEFI and secure boot harden the boot process
- All firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)
- Required for Windows 8 client
- Does not require a Trusted Platform Module (TPM)
- Reduces the likelihood of bootkits, rootkits and ransomware
and a blog entry by Matthew Garrett, a mobile Linux developer at Red Hat.
Here’s the contentious part:
Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.
A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.
He carries on saying signed copy of Linux could be provided, but there are licensing issues such as the bootloader must not comply to GPL v3 (as Grub 2 does) or the keys should also be released.
Finally, he explains that this is only a potential issue (depending how the keys are handled) and there is no need to panic just yet, but we should still be concerned.
In you want to study this issue yourself, you can download UEFI Specification Version 2.3.1 and read the chapter27 entitled ” Security – Secure Boot, Driver Signing and Hash”. That’s 68 pages of technical documentation and probably requires a few hours (days?) of reading to clearly understand it.
Here’s how Secure Boot is described in the UEFI specification:
This protocol is intended to provide access for generic authentication information associated with specific device paths. The authentication information is configurable using the defined interfaces. Successive configuration of the authentication information will overwrite the previously configured information. Once overwritten, the previous authentication information will not be retrievable.
According to this description, It would appear that it’s possible to overwrite the keys, but it’s not the case as another part of the specification requires that the Platform Keys (PK) must be stored in non-volatile storage which is tamper and delete resistant and only the othe other type of Keys (Key Exchange Keys) can be modified but be tampered resistant.
For details about secure boot protocol communication between the bootloader and the OS, you can refer to chapters 27.5 Firmware/OS Key Exchange: creating trust relationships and 27.6 Firmware/OS Key Exchange: passing public keys.
At the end of the day, this will probably be a non issue, as users who want to load Linux can simply buy a computer with a UEFI bootloader without Windows 8 Secure Boot. For those who want to dual boot Linux and Windows 8, then they would have to make sure they can obtain the keys from the vendors and sign Linux for those keys in order to be able to install and boot Linux.