Secure Boot bootloader for Linux

Terryphi
Posts: 761
Joined: Wed 02 Jul 2008, 09:32
Location: West Wales, Britain.

Secure Boot bootloader for Linux

#1 Post by Terryphi »

Linux developer Matthew Garrett has released a version of his Shim Secure Boot bootloader that allows any Linux distribution to be launched on Secure Boot systems without the need to disable UEFI Secure Boot. As Garrett's Shim binary has been signed by Microsoft, the Secure Boot bootloader will be executed by almost any type of UEFI firmware.

http://www.h-online.com/open/news/item/ ... 61089.html
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, etc. available here: http://terryphillips.org.uk/operasfs.htm :)

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

Secure Boot bootloader for Linux

#2 Post by Monsie »

Note that Matthew Garrett's Shim is source code that will have to be compiled and include the location of the signed key for the Shim to verify before allowing the boot loader to run.

While one advantage of keeping the Secure Boot feature allows a user to dual boot or multi-boot other operating systems along with Windows 8, another is so that supposedly the computer cannot be booted from a portable OS on a flash drive in the event the computer is stolen... thus preventing a thief from accessing the main hard drive(s) and stealing one's data.

I don't fully understand how Secure Boot is supposed to work vis a vis the boot loader. Is there a new signed key generated each time the Shim is compiled? What is to prevent a thief from downloading Garrett's Shim and using it in conjunction with a portable operating system on a flash drive so as to access one's data on a stolen notebook?

Monsie
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.

Terryphi
Posts: 761
Joined: Wed 02 Jul 2008, 09:32
Location: West Wales, Britain.

Re: Secure Boot bootloader for Linux

#3 Post by Terryphi »

Monsie wrote: Note that Matthew Garrett's Shim is source code that will have to be compiled and include the location of the signed key for the Shim to verify before allowing the boot loader to run.

Monsie
Source code and signed binaries are available. Garrett explains that Linux distributors simply need to sign their UEFI bootloader (grubx64.efi) with a separate key, include this key on their installation medium and tell their users where to find the key when the Shim asks for it.

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#4 Post by 8-bit »

If it gets to the point where one cannot disable UEFI in the PC's BIOS, that could come in very handy to be able to boot one's OS of choice.
I had read that some new HP PCs have UEFI and one has to go into BIOS and select Legacy Boot to get around it.
That is not to say that the option will be there in the future.
So I have downloaded all the files you referenced just to have them on hand.
But in having to compile the source, can one use Puppy's compiler or would one have to invest in a Windows compiler?

Terryphi
Posts: 761
Joined: Wed 02 Jul 2008, 09:32
Location: West Wales, Britain.

#5 Post by Terryphi »

8-bit,

A binary is available at Matthew Garrett's site so there is no need to compile the Shim. It is the second stage which Puppy developers need to consider.

This is all unfamiliar to me but it seems that Puppy developers would have to "sign their UEFI bootloader (grubx64.efi) with a separate key, include this key on their installation medium and tell their users where to find the key when the Shim asks for it."

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

Secure Boot bootloader for Linux

#6 Post by Monsie »

Oops, somehow I missed seeing the signed binary files, so thanks for clarifying.

I am still not too sure about how secure the Secure Boot process is...

The Wiki about UEFI mentions about Secure Boot:
Secure boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.
Again, I wonder how easy it would be for thieves to access the data from a stolen notebook if they can boot up from a portable operating system.

In such a scenario, my initial thoughts are that one might be better off using TrueCrypt or similar software to protect one's data. That said, I learned from the Wiki there are other benefits from UEFI:
UEFI firmware provides several technical advantages over a traditional BIOS system:

Ability to boot from large disks (over 2 TiB) with a GUID Partition Table, GPT.
CPU-independent architecture
CPU-independent drivers
Flexible pre-OS environment, including network capability
Modular design
Note that I removed the footnote references from the quote, but in any event, the Wiki article is here.
So, I am assuming that if one disables UEFI, the system reverts to legacy BIOS setup, in which case one loses those advantages.

Monsie

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#7 Post by 8-bit »

Depending on the BIOS, if one removed the internal battery for a bit and then put it back in, the BIOS settings would have been wiped out including any BIOS password allowing one to change the BIOS settings.
Security only takes one so far.
If I wanted data from a hard drive, I could remove it from the laptop and use a portable USB case to access data on that drive on another PC running any OS I chose.
So relying on UEFI for complete security only goes so far.
Encryption is still a good option.
But even with it, there are differences in the quality depending on the type of encryption software used.
It is best to keep sensitive data on external media carried separately from the laptop and not keep any personal sensitive data on the laptop other than say some hidden file identifying you as the owner and possibly contact information if it is found.

If you want to hear crazy, that would have been me when I had a PC, (now junk and gone), that had a small graphic file on it that contained nothing more than my written signature.
And that file no longer exists in any form as I overwrote it a few times before deleting it and then the hard drive it was on was destroyed by me also.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#8 Post by Barkin »

8-bit wrote: Depending on the BIOS, if one removed the internal battery for a bit and then put it back in, the BIOS settings would have been wiped out including any BIOS password allowing one to change the BIOS settings ...

If I wanted data from a hard drive, I could remove it from the laptop and use a portable USB case to access data on that drive on another PC running any OS I chose.
I recently discovered my (Dell) computer has a hard-drive password option (accessible via BIOS settings). Unlike the BIOS passwords it is not reset by removing the CMOS battery.
An external OS, like Puppy on a USB stick, won't allow access to the hard drive either (unless the correct password is input).

Allegedly (I haven't tried this) removing the hard drive from the computer and putting it in a caddy or another computer won't circumvent the hard-drive password protection either.

[ NB: the data on the hard drive is not encrypted by this method ].
