My take on Secure UEFI booting.

Mon 11 June 2012
By mute

I just read the article and a lot of the comments about Fedora's plan to tackle booting under secure UEFI: Implementing UEFI Secure Boot in Fedora

Firstly, I do run Microsoft Windows. It's a good desktop. I also have Linux installed on several headless systems. It's a good server/router. Each have their places and strong points and each have their weaknesses.

I'm not against this. I do not believe Microsoft is doing it to be anti-competitive. If you have a chain of trust built and followed from the (mostly impractical anyway) unchangeable boot rom to the boot loader to the OS to the drivers, then a lot of malware injection points are eliminated. This method can be utilized by any operating system which wishes to do so. The article points out the $99 was paid to VeriSign, not Microsoft. So Microsoft is pushing the implementation, but the benefits are there for anyone wishing to incorporate them.

It's yet to be seen, by me anyway, and just my random article reads (no further scouring the web as research), how the vendors will allow user control. Of course, they will include by default the Microsoft public keys, because they want to ship with Windows 8 and be certified and have that sticker. If the Linux or any other community offered certification to hardware vendors and it was in demand, I'm certain they'd include those keys to. Microsoft is in the business of making money and they can control things like that with their money. Fine. Now, if the hardware came with no way to control the boot process outside of booting into Microsoft Windows, THEN you can call foul. But I don't see this happening.

Linux is just a kernel and is constantly evolving. It'll take time for the distributions to figure this out and push good things upstream. We're lucky and aren't targeted much by malware so we've been spoiled with uncontrolled access to our hardware. Some of this would need to be restricted to fit the secure booting model. The signed bootloader would only load a signed kernel. The signed kernel would only load a signed module. The access to raw memory and registers and other hardware goodies in /proc and /sys would need to go away from userspace. The distributions that care to incorporate this model would need to support and integrate more than just the defaults for everything to keep working in your secure booted environment. Out-of-tree drivers would need to be reviewed I suppose before Fedora or Debian or what-have-you decides they'll sign them, if they decide they will at all.

Of course, for some time I imagine many people would just fore-go the entire thing because Linux is chosen for freedom, a freedom where you can just compile up your own modules and have direct control over your system. If I end up with a system in a few years that has secure boot, and I'm able to pop in Linux DVD and install it without messing with my firmware settings, I most probably will. Later, if I end up needing something not available in the distro, I'd disable it. Fine. I would probably not go through the process of signing everything myself though. It's just not a security measure I feel I need. Hell, I don't even run any antivirus on my Windows clients anyway. :O

Comments