uefi secure boot - linuxtag · uefi secure boot: the story behind and where linux stands dr. udo...
TRANSCRIPT
UEFI Secure Boot: The story behind and where Linux stands
Dr. Udo SeidelLinux-Strategy @ Amadeus
LinuxTag 2013 2
To my Mum
LinuxTag 2013 3
Agenda
● Introduction● Keys and Signatures● Linux and Opportunities● What else?● Summary
LinuxTag 2013 4
Introduction
LinuxTag 2013 5
Me ;-)
● Teacher of mathematics & physics● PhD in experimental physics● Started with Linux in 1996● Linux/UNIX trainer● Solution engineer in HPC and CAx environment● Head of the Linux Strategy team @Amadeus
LinuxTag 2013 6
Basic Input Output System
● Around for a while● Insecure
● Easy to hack● Executes anything
● Problems with big disks
LinuxTag 2013 7
(U)EFI
● Unified Extensible Firmware Interface● First version called EFI
● HP Itanium systems● UEFI kind of EFI NG
● Replaces BIOS● Emulates BIOS ● See talk from Thorsten Leemhuis
LinuxTag 2013 8
Secure Boot
● Part of UEFI Specification v2.2+● Addresses BIOS security issues● Mandate by Microsoft
● For Windows 8● Not only x86
● See keynote from Matthew Garrett
LinuxTag 2013 9
Keys and Signatures
LinuxTag 2013 10
Trust
● Parties● Platform● Firmware● Operating System
● Technique● Asymmetric keys● Public one part of implementation
LinuxTag 2013 11
Key master
● Platform Key (PK)● Key Exchange Key (PK)● Signature database (db)● Forbidden signature database (dbx)● Signed EFI executables
LinuxTag 2013 12
EFI instead of ELF
● Subset of PE32 specification● Portable Executable (PE)● See also Common Object File Format (COFF)● PE/COFF header
● Optional part● List of pointers
● Signatures tailing file
LinuxTag 2013 13
Firmware
● Legacy (CSM)● UEFI
● Without Secure Boot
OR● With Secure Boot
– Setup modus– User modus
LinuxTag 2013 14
Typical scenario
● Since last autumn ● UEFI Secure Boot
● Enabled if not even forced● Microsoft 'keys' implemented
Linux locked out ?!?
LinuxTag 2013 15
Linux: Options and Opportunities
LinuxTag 2013 16
Options
● Setup modus● Replace keys● MS signed Linux bootloader
LinuxTag 2013 17
Option I – Setup modus
● Insecure● Not always possible● Facing backward
LinuxTag 2013 18
Option II – Replace keys
● Linux distribution ...● ... specific● ... independent
● 3rd party support needed● Tools needed
LinuxTag 2013 19
Replacing keys – more details
● X.509 certificates● Generation via openssl● Tools for EFI binary signing● Multi O/S configuration tricky
LinuxTag 2013 20
Replacing keys – tools
● pesign● sbsigntools● efitools
LinuxTag 2013 21
Option III – MS signed bootloader
● MS support needed● Again: Linux distribution ...
● ... specific● ... independent
● Bootloader maintenance?
LinuxTag 2013 22
MS signed bootloader - Idea
● Phased bootloader● Small & static● Between UEFI and Linux bootloader
LinuxTag 2013 23
MS signed bootloader – Loader.efi
● Linux Foundation● To enable ALL Linux bootloaders● No additional security● Recently reworked● Helper tools
● Preloader.efi● Hashtool.efi
LinuxTag 2013 24
MS signed bootloader – the SHIM
● Originally RedHat'ish● First version quite static● Does not support all bootloaders
● Yes: eLILO, GRUB, GRUB2● No: Gummiboot, efilinux
LinuxTag 2013 25
Machine Owner
● Originally from SUSE● Machine Owner Keys (MOK)● Integrated in SHIMv2
LinuxTag 2013 26
Extending SB trust chain
● Several certificates● Microsoft● Linux distribution
● Signed bootloader● Signed kernel core binary● Signed kernel modules● ..?!?
LinuxTag 2013 27
Distributor approaches
● Enterprise● In place: Ubuntu LTS● Announced: SUSE● Unknown: RedHat, Oracle
● Community● In place: Ubuntu, Fedora, openSUSE, ...● Announced: ...● Unknown: Debian and derivatives
LinuxTag 2013 28
What else?
LinuxTag 2013 29
ARM
● UEFI Forum since 2008● More strict Microsoft mandate● UEFI ARM boards available but ...
LinuxTag 2013 30
Problems
● Samsung: firmware death● Toshiba: Missing keys● Lenovo: Only Windows 8 and RHEL● Microsoft: leaked keys
LinuxTag 2013 31
Summary
LinuxTag 2013 32
Take aways
● Linux almost ready● In general● Enterprise sector
● Opportunity not pain● Homework to be done
LinuxTag 2013 33
References
● http://www.uefi.org● http://mjg59.dreamwidth.org● http://blog.hansenpartnership.com● http://www.sxc.hu
LinuxTag 2013 34
Thank you!
LinuxTag 2013 35
UEFI Secure Boot:The story behind and where Linux stands
Dr. Udo SeidelLinux-Strategy @ Amadeus