Microsoft Holding Keys To Linux Foundation’s Secure Boot Solution

Microsoft may have attracted some headlines and discussion on Slashdot for being a ‘sponsor’ of the Linux Foundation’s European event, LinuxCon Europe. But this sponsor is not giving the Linux Foundation any special treatment when it comes to UEFI Secure Boot.

If you remember, the Linux Foundation earlier announced its workaround for UEFI Secure Boot for the Linux community. That is now being delayed.

James Bottomley, chair of the Linux Foundation’s Technical Advisory Board, explains in his blog the ‘technical’ and ‘paper’ challenges involved in getting a Microsoft-signed key and putting it to use.

He detailed the entire painful process of getting a Microsoft-signed key. While it is extremely easy to pay $99 and get a Verisign-verified key, the rest of the process is quite daunting and challenging, and it also requires one to use Microsoft technologies.

One has to sign a paper contract, which Bottomley calls quite onerous.

The agreements are pretty onerous and include a ton of excluded licences (including all GPL ones for drivers, but not bootloaders). The most onerous part is that the agreements seem to reach beyond the actual UEFI objects you sign. The Linux Foundation lawyers concluded it is mostly harmless to the LF because we don’t ship any products, but it could be nasty for other companies.

I have not looked into what these problems are, but Bottomley writes that Red Hat’s Matthew Garrett says that Microsoft is willing to “negotiate special agreements with distributions to mitigate some of these problems.”

What these ‘special agreements’ are is not yet clear.

Once the paperwork is finished the more daunting task begins:

You don’t just upload a UEFI binary and have it signed. There are several stages and one stage requires the use of Silverlight (alas Moonlight doesn’t work) so you do need to be on a Windows machine to create a signed bootloader for Linux.

Microsoft has also banned any GNU GPLv3 licences for these binaries.

When you get to this stage, you also have to certify that the binary “to be signed must not be licensed under GPLv3 or similar open source licenses”. I assume the fear here is key disclosure but it’s not at all clear (or indeed what “similar open source licences” actually are).

The foundation managed to create and upload the file, which had to go through seven stages, and “unfortunately, the first test upload got stuck in stage 6 (signing the files).”

There were some email exchanges between Microsoft and Bottomley to sort out the problem, but at the moment the cart is stuck in the mud.

We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use.

Now You Can Boot Any Linux Distro On UEFI Secure Boot PCs: The Linux Foundation Steps In

The three leading GNU/Linux distributions, Fedora, SUSE and Ubuntu, were working on solutions to run their distros on Microsoft’s UEFI Secure Boot PCs. openSUSE gave indications of using Fedora’s solution. Initially, Ubuntu had come out with its own solution (weeks after Fedora proposed its plan), which met with controversy mainly because Canonical decided to drop GRUB 2 over its GPL licence. The FSF stepped in to clarify the doubts Canonical had over the private key. Eventually Ubuntu also resorted to using parts of Fedora’s solution.

The fragmented efforts of these distributions did not go down well with the wider open source community. OpenBSD founder Theo de Raadt criticized both Canonical and Red Hat: “I fully understand that Red Hat and Canonical won’t be doing the right thing, they are traitors to the cause, mostly in it for the money and power. They want to be the new Microsoft.”

Now the Linux Foundation has stepped in with a solution that will allow every open source operating system (not just one distro, and not only Linux distros) to run on UEFI Secure Boot systems.

James Bottomley of the Linux Foundation Technical Advisory Board has laid out their plan. He says that the Linux Foundation will obtain a Microsoft key and sign a small pre-bootloader which will, in turn, chain-load (without any form of signature check) a pre-designated bootloader which will, in turn, boot Linux (or any other operating system).

Bottomley explains, “The pre-bootloader will employ a ‘present user’ test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it. The process of obtaining a Microsoft signature will take a while, but once it is complete, the pre-bootloader will be placed on the Linux Foundation website for anyone to download and make use of.”

It’s great news for all GNU/Linux users that the foundation has taken it upon itself to ensure users are able to run any GNU/Linux (and other open source systems such as BSD) on their machines. One always thought that the Linux Foundation was more about enabling top developers to work on their projects (through funding), bringing companies together through memberships to work on Linux, and organising events to bring people together. We never saw any direct solution for, or engagement with, users. Well, there has never been a bigger threat to Linux than the one UEFI Secure Boot poses.

The foundation has already “published a variety of tools to permit users to take control of their secure boot platforms by replacing the Platform Key and managing (or replacing) the installed Key Exchange Keys here,” says Bottomley.

Yes, there are tools, but not every GNU/Linux user is tech-savvy or capable of doing such things. And the Linux Foundation knows this very well, so it thought it was very important “to find a solution that would enable people to continue to try out Linux and other Open Source Operating Systems in spite of the barriers UEFI Secure boot would place in their way and without requiring that they understand how to take control of their platforms,” says Bottomley.

To enable such users to try and run Linux, the foundation came out with this pre-bootloader, which allows distributions to continue functioning in a secure boot environment.

The current pre-bootloader is designed as an enabler only in that, by breaking the security verification chain at the actual bootloader, it provides no security enhancements over booting Linux with UEFI secure boot turned off. Its sole purpose is to allow Linux to continue to boot on platforms that come by default with secure boot enabled.

The pre-bootloader is designed to be as small as possible, leaving all the work to the real bootloader.

How Will It Work In Real Life?

Bottomley explains:

The real bootloader must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2). The pre-bootloader will attempt to execute this binary and, if that succeeds, the system will boot normally. If the loader.efi fails to load with a security error (because it is unsigned), the pre-bootloader will stop at a splash screen and ask the user to confirm, by selecting a menu option, that they wish to continue booting loader.efi.

If this confirmation (which is the “present user” test) is successful, the pre-bootloader will then execute loader.efi without security verification (if the user denies permission to boot, the pre-bootloader will signal failure and the UEFI boot sequence will continue on to the next boot path, if there is one). To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.

The present user test splash screen that appears in secure boot mode asking for permission to boot loader.efi will also direct the user to a Linux Foundation website where we will gather details of how to place platforms in setup mode and advise the user how to do this, either to install the signature of loader.efi or to take full control of the platform by replacing the Platform and Key Exchange Keys.

The foundation has made the pre-bootloader source code available in a git repository, which developers can clone from git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
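The boot policy Bottomley describes above, modelled as an added example (this is not efitools’ own code, which is a UEFI application in C). The firmware, its Setup Mode, the authorized signatures database (db) and the two splash-screen prompts are stand-ins, and the db holds SHA-256 image hashes rather than real EFI_SIGNATURE_LIST entries.

```python
import hashlib
from enum import Enum, auto

class Status(Enum):
    SUCCESS = auto()
    SECURITY_VIOLATION = auto()

class Outcome(Enum):
    BOOTED = auto()               # loader.efi passed firmware verification (or Setup Mode)
    BOOTED_UNVERIFIED = auto()    # booted only because a present user confirmed
    FAIL_NEXT_BOOT_PATH = auto()  # user declined; firmware moves on to the next boot path

def image_hash(image: bytes) -> str:
    # Modelled db entry: SHA-256 of the image, standing in for an EFI_SIGNATURE_LIST
    return hashlib.sha256(image).hexdigest()

class Platform:
    """Hypothetical firmware model. setup_mode=True means signatures are not enforced
    and db may be written without a KEK-signed update."""
    def __init__(self, setup_mode: bool, db=()):
        self.setup_mode = setup_mode
        self.db = set(db)

    def load_image(self, image: bytes) -> Status:
        # LoadImage() as the pre-bootloader sees it: succeed in Setup Mode or when the
        # image hash is already authorized, otherwise report a security violation
        if self.setup_mode or image_hash(image) in self.db:
            return Status.SUCCESS
        return Status.SECURITY_VIOLATION

def preloader(platform: Platform, loader_efi: bytes, present_user_test, enroll_consent) -> Outcome:
    """One boot of loader.efi under the pre-bootloader policy; the two callables
    stand in for the splash-screen prompts and must return True/False."""
    if platform.load_image(loader_efi) is Status.SUCCESS:
        # In Setup Mode, offer to enrol the hash so later secure-mode boots need no prompt
        if platform.setup_mode and enroll_consent():
            platform.db.add(image_hash(loader_efi))
        return Outcome.BOOTED
    # Unsigned loader in secure boot mode: only a physically present user may override.
    # This is the point at which the verification chain is deliberately broken.
    if present_user_test():
        return Outcome.BOOTED_UNVERIFIED
    return Outcome.FAIL_NEXT_BOOT_PATH

if __name__ == "__main__":
    loader = b"constructed stand-in for loader.efi"  # constructed sample image bytes
    pc = Platform(setup_mode=True)
    print(preloader(pc, loader, lambda: False, lambda: True))   # BOOTED, hash enrolled
    pc.setup_mode = False                                       # back in secure boot mode
    print(preloader(pc, loader, lambda: False, lambda: False))  # BOOTED without any prompt
```

Enrolling the hash in Setup Mode is what lets the same loader.efi boot silently afterwards; a modified loader.efi no longer matches the enrolled hash and falls back to the present-user test.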

This solution will enable independent and small distributions, as well as non-Linux systems, to run their operating systems on UEFI Secure Boot machines, which will start coming out soon, as Microsoft launches Windows 8.