UEFI Secure Boot: The story behind and where Linux stands

Dr. Udo SeidelLinux-Strategy @ Amadeus

LinuxTag 2013 2

To my Mum

LinuxTag 2013 3

Agenda

● Introduction● Keys and Signatures● Linux and Opportunities● What else?● Summary

LinuxTag 2013 4

Introduction

LinuxTag 2013 5

Me ;-)

● Teacher of mathematics & physics● PhD in experimental physics● Started with Linux in 1996● Linux/UNIX trainer● Solution engineer in HPC and CAx environment● Head of the Linux Strategy team @Amadeus

LinuxTag 2013 6

Basic Input Output System

● Around for a while● Insecure

● Easy to hack● Executes anything

● Problems with big disks

LinuxTag 2013 7

(U)EFI

● Unified Extensible Firmware Interface● First version called EFI

● HP Itanium systems● UEFI kind of EFI NG

● Replaces BIOS● Emulates BIOS ● See talk from Thorsten Leemhuis

LinuxTag 2013 8

Secure Boot

● Part of UEFI Specification v2.2+● Addresses BIOS security issues● Mandate by Microsoft

● For Windows 8● Not only x86

● See keynote from Matthew Garrett

LinuxTag 2013 9

Keys and Signatures

LinuxTag 2013 10

Trust

● Parties● Platform● Firmware● Operating System

● Technique● Asymmetric keys● Public one part of implementation

LinuxTag 2013 11

Key master

● Platform Key (PK)● Key Exchange Key (PK)● Signature database (db)● Forbidden signature database (dbx)● Signed EFI executables

LinuxTag 2013 12

EFI instead of ELF

● Subset of PE32 specification● Portable Executable (PE)● See also Common Object File Format (COFF)● PE/COFF header

● Optional part● List of pointers

● Signatures tailing file

LinuxTag 2013 13

Firmware

● Legacy (CSM)● UEFI

● Without Secure Boot

OR● With Secure Boot

– Setup modus– User modus

LinuxTag 2013 14

Typical scenario

● Since last autumn ● UEFI Secure Boot

● Enabled if not even forced● Microsoft 'keys' implemented

Linux locked out ?!?

LinuxTag 2013 15

Linux: Options and Opportunities

LinuxTag 2013 16

Options

● Setup modus● Replace keys● MS signed Linux bootloader

LinuxTag 2013 17

Option I – Setup modus

● Insecure● Not always possible● Facing backward

LinuxTag 2013 18

Option II – Replace keys

● Linux distribution ...● ... specific● ... independent

● 3rd party support needed● Tools needed

LinuxTag 2013 19

Replacing keys – more details

● X.509 certificates● Generation via openssl● Tools for EFI binary signing● Multi O/S configuration tricky

LinuxTag 2013 20

Replacing keys – tools

● pesign● sbsigntools● efitools

LinuxTag 2013 21

Option III – MS signed bootloader

● MS support needed● Again: Linux distribution ...

● ... specific● ... independent

● Bootloader maintenance?

LinuxTag 2013 22

MS signed bootloader - Idea

● Phased bootloader● Small & static● Between UEFI and Linux bootloader

LinuxTag 2013 23

MS signed bootloader – Loader.efi

● Linux Foundation● To enable ALL Linux bootloaders● No additional security● Recently reworked● Helper tools

● Preloader.efi● Hashtool.efi

LinuxTag 2013 24

MS signed bootloader – the SHIM

● Originally RedHat'ish● First version quite static● Does not support all bootloaders

● Yes: eLILO, GRUB, GRUB2● No: Gummiboot, efilinux

LinuxTag 2013 25

Machine Owner

● Originally from SUSE● Machine Owner Keys (MOK)● Integrated in SHIMv2

LinuxTag 2013 26

Extending SB trust chain

● Several certificates● Microsoft● Linux distribution

● Signed bootloader● Signed kernel core binary● Signed kernel modules● ..?!?

LinuxTag 2013 27

Distributor approaches

● Enterprise● In place: Ubuntu LTS● Announced: SUSE● Unknown: RedHat, Oracle

● Community● In place: Ubuntu, Fedora, openSUSE, ...● Announced: ...● Unknown: Debian and derivatives

LinuxTag 2013 28

What else?

LinuxTag 2013 29

ARM

● UEFI Forum since 2008● More strict Microsoft mandate● UEFI ARM boards available but ...

LinuxTag 2013 30

Problems

● Samsung: firmware death● Toshiba: Missing keys● Lenovo: Only Windows 8 and RHEL● Microsoft: leaked keys

LinuxTag 2013 31

Summary

LinuxTag 2013 32

Take aways

● Linux almost ready● In general● Enterprise sector

● Opportunity not pain● Homework to be done

LinuxTag 2013 33

References

● http://www.uefi.org● http://mjg59.dreamwidth.org● http://blog.hansenpartnership.com● http://www.sxc.hu

LinuxTag 2013 34

Thank you!

LinuxTag 2013 35

UEFI Secure Boot:The story behind and where Linux stands

Dr. Udo SeidelLinux-Strategy @ Amadeus