UEFI Secure Boot: The story behind and where Linux stands
Dr. Udo Seidel, Linux-Strategy @ Amadeus
LinuxTag 2013
To my Mum
Agenda
● Introduction
● Keys and Signatures
● Linux and Opportunities
● What else?
● Summary
Introduction
Me ;-)
● Teacher of mathematics & physics
● PhD in experimental physics
● Started with Linux in 1996
● Linux/UNIX trainer
● Solution engineer in HPC and CAx environments
● Head of the Linux Strategy team @ Amadeus
Basic Input Output System
● Around for a while
● Insecure
  – Easy to hack
  – Executes whatever boot code it finds on the disk, with no verification at all
● Problems with big disks
(U)EFI
● Unified Extensible Firmware Interface
● First version was called EFI
  – Originated on HP Itanium systems
  – UEFI is essentially the next generation of EFI
● Replaces the BIOS
  – Can still emulate it (Compatibility Support Module, CSM)
● See the talk by Thorsten Leemhuis
Secure Boot
● Part of the UEFI Specification (v2.3)
● Addresses the BIOS security issues above: the firmware only runs boot binaries it can verify against its key databases
● Mandated by Microsoft
  – Required for Windows 8 (logo certification)
  – Not only on x86
● See the keynote by Matthew Garrett
Keys and Signatures
Trust
● Parties
  – Platform (hardware vendor)
  – Firmware
  – Operating System
● Technique
  – Asymmetric keys: the private half signs, the public half verifies
  – The public half is part of the implementation (stored in firmware variables)
Key master
● Platform Key (PK): held by the platform owner; authorises changes to the KEK
● Key Exchange Key (KEK): authorises updates to db and dbx
● Signature database (db): certificates and hashes that are allowed to boot
● Forbidden signature database (dbx): certificates and hashes that are refused; checked before db
● Signed EFI executables: verified against db and dbx when loaded
EFI instead of ELF
● UEFI binaries follow a subset of the PE32/PE32+ specification, not ELF
  – Portable Executable (PE)
  – See also Common Object File Format (COFF)
● PE/COFF header
  – Optional header
  – Holds a list of pointers (data directories); entry 4 points at the certificate table
● The signature (Authenticode, PKCS#7) is appended at the tail of the file
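To make that layout concrete, here is an added Python example (not code from the talk, and not taken from pesign, sbsigntools or efitools) that walks a PE32+ header to the certificate-table data directory, reads the attached WIN_CERTIFICATE entries, and computes the Authenticode digest the way a signing tool or the firmware does: everything is hashed except the CheckSum field, the certificate-table directory entry and the appended signature, with sections taken in file order. The image it operates on is a minimal PE32+ EFI application constructed inside the script purely as test data, and the "signature" it attaches is placeholder bytes, not a real PKCS#7 structure; the only assumption is the public PE/COFF and Authenticode layout.

```python
"""Walk a PE32+ (UEFI) image to its attached signature and compute its Authenticode hash.
Added example: the image and the 'signature' below are constructed test data."""
import hashlib
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_CERTIFICATE_TABLE = 4                 # data-directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def _layout(image):
    """Return (opt_off, magic, nsections, opt_size) after checking the MZ/PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt_off = coff + 20
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt_off, magic, nsections, opt_size


def _certdir_offset(opt_off, magic):
    dirs = 112 if magic == PE32PLUS_MAGIC else 96   # data directories start here
    return opt_off + dirs + 8 * DIR_CERTIFICATE_TABLE


def certificate_table(image):
    """(file offset, size) of the certificate table; (0, 0) when the image is unsigned.
    Unlike the other data directories this entry is a raw file offset, not an RVA."""
    opt_off, magic, _, _ = _layout(image)
    return struct.unpack_from("<II", image, _certdir_offset(opt_off, magic))


def win_certificates(image):
    """Yield (wCertificateType, bCertificate) for each attached WIN_CERTIFICATE."""
    off, size = certificate_table(image)
    end = off + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    while off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at %d" % off)
        yield ctype, image[off + 8:off + length]
        off += (length + 7) & ~7                  # entries are 8-byte aligned


def authenticode_hash(image, algo="sha256"):
    """Digest of the image as signed and as enrolled in db/dbx: everything except the
    CheckSum field, the certificate-table directory entry and the signature itself."""
    opt_off, magic, nsections, opt_size = _layout(image)
    checksum_off = opt_off + 64
    certdir_off = _certdir_offset(opt_off, magic)
    size_of_headers = struct.unpack_from("<I", image, opt_off + 60)[0]
    cert_off, cert_size = certificate_table(image)
    h = hashlib.new(algo)
    h.update(image[:checksum_off])
    h.update(image[checksum_off + 4:certdir_off])
    h.update(image[certdir_off + 8:size_of_headers])
    hashed = size_of_headers
    sec_off = opt_off + opt_size                  # section table follows the optional header
    sections = [struct.unpack_from("<II", image, sec_off + 40 * i + 16) for i in range(nsections)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):   # (SizeOfRawData, PointerToRawData)
        h.update(image[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail = image[hashed:]                         # data after the sections, minus the signature
    if cert_size and cert_off >= hashed:
        tail = tail[:cert_off - hashed] + tail[cert_off - hashed + cert_size:]
    h.update(tail)
    return h.hexdigest()


def build_test_image(payload, signature=b""):
    """Constructed minimal PE32+ EFI application with one .text section (test data only)."""
    align = 0x200
    raw_size = -(-len(payload) // align) * align
    cert = b""
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        cert = cert.ljust((len(cert) + 7) & ~7, b"\0")
    dirs = [(0, 0)] * 16
    dirs[DIR_CERTIFICATE_TABLE] = (align + raw_size, len(cert)) if cert else (0, 0)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)     # x86-64, 1 section
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      PE32PLUS_MAGIC, 0, 0, raw_size, 0, 0, 0x1000, 0x1000, 0,
                      0x1000, align, 0, 0, 0, 0, 0, 0, 0, 0x2000, align, 0,
                      10, 0, 0x10000, 0x1000, 0x10000, 0x1000, 0, 16)     # Subsystem 10 = EFI app
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, align,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(align, b"\0")
    return headers + payload.ljust(raw_size, b"\0") + cert


if __name__ == "__main__":
    plain = build_test_image(b"\xeb\xfe constructed loader body")
    signed = build_test_image(b"\xeb\xfe constructed loader body", b"placeholder PKCS#7 blob")
    print("certificate table (offset, size):", certificate_table(signed))
    print("attached entries:", [(t, len(b)) for t, b in win_certificates(signed)])
    print("hash unchanged by signing:", authenticode_hash(plain) == authenticode_hash(signed))
```

The last line of the demo is the property worth remembering: attaching or stripping the signature does not change the Authenticode digest, which is why a hash enrolled in db or dbx keeps matching a binary regardless of who countersigns it, and why a single flipped byte in a section does.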
Firmware
● Legacy (CSM)
● UEFI
  – Without Secure Boot, or
  – With Secure Boot
    – Setup mode (no Platform Key enrolled; the key databases can be rewritten without authentication)
    – User mode (Platform Key enrolled; signatures are enforced)
Typical scenario
● Since last autumn (the Windows 8 launch)
  – UEFI Secure Boot
  – Enabled by default, if not outright forced
  – Microsoft certificates pre-installed in KEK and db
Linux locked out ?!?
Linux: Options and Opportunities
Options
● Setup mode
● Replace keys
● MS signed Linux bootloader
Option I – Setup mode
● Insecure: Secure Boot is effectively switched off
● Not always possible (the firmware may not offer it)
● A step backwards
Option II – Replace keys
● Linux distribution ...
  – ... specific
  – ... independent
● 3rd-party support needed
● Tools needed
Replacing keys – more details
● X.509 certificates
● Generation via openssl
● Tools for EFI binary signing
● Multi-O/S configuration is tricky
Replacing keys – tools
● pesign
● sbsigntools
● efitools
Option III – MS signed bootloader
● MS support needed
● Again: Linux distribution ...
  – ... specific
  – ... independent
● Bootloader maintenance?
MS signed bootloader - Idea
● Phased bootloader
● Small & static
● Sits between UEFI and the Linux bootloader
MS signed bootloader – Loader.efi
● From the Linux Foundation
● Goal: enable ALL Linux bootloaders
● Adds no additional security of its own
● Recently reworked
● Helper tools
  – PreLoader.efi (the Microsoft-signed first stage)
  – HashTool.efi (lets the machine owner enrol the hash of the next stage)
MS signed bootloader – the SHIM
● Originally RedHat'ish
● First version quite static
● Does not support all bootloaders
  – Yes: eLILO, GRUB, GRUB2
  – No: Gummiboot, efilinux
Machine Owner
● Originally from SUSE
● Machine Owner Keys (MOK)
● Integrated in SHIM v2
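The key databases that the efitools commands from the "Replacing keys" slides write (db, dbx, KEK, PK) and the MokList that SHIM v2 consults for Machine Owner Keys all hold the same EFI_SIGNATURE_LIST structure, which Linux exposes through efivarfs. Below is an added Python example, not code from the talk and not taken from efitools or shim, that encodes and decodes that structure, strips the 4-byte attribute word efivarfs prepends to every variable, and models the hash-based accept/refuse decision in the order the firmware and shim apply it: a match in any deny list (dbx) refuses the image, otherwise a match in any allow list (db on its own for the firmware, db plus MokList under shim) accepts it, and anything else is refused. The variable and signature-type GUIDs are the ones from the UEFI specification; the owner GUID, the hashes and the placeholder X.509 bytes used in the demo are constructed test data, and the loop at the end that reads the live variables only does anything on a machine booted via UEFI.

```python
"""EFI_SIGNATURE_LIST encode/decode plus the db/dbx (and MokList) lookup.
Added example; TEST_OWNER and the sample entries are constructed test data."""
import os
import struct
import uuid

EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS = "/sys/firmware/efi/efivars"
LIST_HDR = struct.Struct("<16sIII")   # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
TEST_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed SignatureOwner for the demo


def efivar_path(name, guid):
    return os.path.join(EFIVARS, "%s-%s" % (name, guid))


def split_efivar(record):
    """efivarfs prepends the variable's 4-byte attribute word to its data; separate the two."""
    if len(record) < 4:
        raise ValueError("efivarfs record too short")
    return struct.unpack_from("<I", record, 0)[0], record[4:]


def build_sig_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST. Every entry in a list shares one SignatureSize,
    so an X.509 list carries a single certificate while a SHA-256 list can carry many hashes."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()                      # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    return LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0, sig_size) + body


def parse_sig_lists(data):
    """Yield (sig_type, owner, signature_data) for every entry of every list in a variable."""
    off = 0
    while off < len(data):
        if off + LIST_HDR.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(data, off)
        if list_size < LIST_HDR.size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + LIST_HDR.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield uuid.UUID(bytes_le=sig_type), owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def enrolled_hashes(variable):
    return {d for t, _, d in parse_sig_lists(variable) if t == EFI_CERT_SHA256_GUID}


def image_allowed(image_hash, deny_lists, allow_lists):
    """Hash-based decision in the order firmware and shim apply it: deny lists (dbx) win,
    then allow lists (db; shim additionally consults MokList), otherwise refuse."""
    if any(image_hash in enrolled_hashes(v) for v in deny_lists):
        return False
    return any(image_hash in enrolled_hashes(v) for v in allow_lists)


if __name__ == "__main__":
    db = build_sig_list(EFI_CERT_SHA256_GUID, TEST_OWNER, [b"A" * 32, b"B" * 32])   # constructed
    dbx = build_sig_list(EFI_CERT_SHA256_GUID, TEST_OWNER, [b"B" * 32])
    mok = build_sig_list(EFI_CERT_SHA256_GUID, TEST_OWNER, [b"C" * 32])
    print("hash B (in db and dbx) allowed by firmware:", image_allowed(b"B" * 32, [dbx], [db]))
    print("hash C (MokList only) allowed by shim:", image_allowed(b"C" * 32, [dbx], [db, mok]))
    for name, guid in (("SecureBoot", EFI_GLOBAL_VARIABLE), ("SetupMode", EFI_GLOBAL_VARIABLE),
                       ("db", EFI_IMAGE_SECURITY_DATABASE), ("dbx", EFI_IMAGE_SECURITY_DATABASE)):
        path = efivar_path(name, guid)
        if not os.path.exists(path):
            continue                                  # not a UEFI boot, or efivarfs not mounted
        with open(path, "rb") as f:
            _, data = split_efivar(f.read())
        if guid == EFI_GLOBAL_VARIABLE:
            print("%s = %d" % (name, data[0]))
        else:
            kinds = [t for t, _, _ in parse_sig_lists(data)]
            print("%s: %d x509, %d sha256 entries" % (name, kinds.count(EFI_CERT_X509_GUID),
                                                      kinds.count(EFI_CERT_SHA256_GUID)))
```

Running this on a Secure Boot machine prints SecureBoot = 1 and SetupMode = 0 in user mode, and SetupMode = 1 when the firmware is in the setup mode the "Option I" slide warns about. Certificate-based matches (the Microsoft and distribution certificates in db, the vendor certificate built into shim) go through PKCS#7 verification of the Authenticode signature rather than this hash comparison, but they sit in the same list format and are consulted in the same deny-before-allow order.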
Extending SB trust chain
● Several certificates
  – Microsoft
  – Linux distribution
● Signed bootloader
● Signed kernel core binary
● Signed kernel modules
● ..?!?
Distributor approaches
● Enterprise
  – In place: Ubuntu LTS
  – Announced: SUSE
  – Unknown: RedHat, Oracle
● Community
  – In place: Ubuntu, Fedora, openSUSE, ...
  – Announced: ...
  – Unknown: Debian and derivatives
What else?
ARM
● In the UEFI Forum since 2008
● Stricter Microsoft mandate
● UEFI ARM boards available but ...
Problems
● Samsung: firmware death
● Toshiba: missing keys
● Lenovo: only Windows 8 and RHEL
● Microsoft: leaked keys
Summary
Take aways
● Linux almost ready
  – In general
  – Enterprise sector
● Opportunity, not pain
● Homework to be done
References
● http://www.uefi.org
● http://mjg59.dreamwidth.org
● http://blog.hansenpartnership.com
● http://www.sxc.hu
Thank you!