Solution for Secure Boot Woes now Available

For Linux distributions that want to work on the upcoming generation of Secure Boot-enabled computers, a solution is now available. We have talked before about Secure Boot and the challenges it poses to Linux distros, especially the smaller ones, but for those who aren’t aware of the controversies surrounding Secure Boot, let us clarify. Secure Boot is a feature of UEFI, which itself is the successor to the ageing BIOS. Secure Boot is intended to make it impossible for a virus to infect the boot process of a computer.

The way it works is that it checks the digital signature on the boot code to ensure that the software has not been tampered with and has been signed by a trusted authority. If it has, the boot code is executed and the system starts; if it hasn’t been signed, the boot process fails and the system refuses to boot. The issue is that, since Microsoft is dominant, most computers will ship with Microsoft as the only trusted authority. As such, these computers will only boot Microsoft-signed software, i.e. Windows 8.

The situation isn’t as grave as it may sound, since it is possible to turn off Secure Boot on x86 hardware, and even possible to get another boot loader signed by Microsoft. However, while this is feasible for larger distros, for the smaller ones it can be a tougher problem.

Luckily, there is now a solution for this as well, and it is available for any distro to adopt. The solution works around Secure Boot’s refusal to boot code that is not signed by a trusted authority, while still providing the kind of security Secure Boot does.

The way it works is by having a pre-bootloader shim that boots the actual boot loader. This pre-bootloader is itself signed by Microsoft, and made available to all distros.

What this pre-bootloader does is check whether the real boot loader is signed by a supported key, just like Secure Boot does. However, it also lets users enroll their own keys, allowing them to enroll the keys of any distro they want to boot into.

A small distro can then sign its own boot loader and provide the key on the install disk, allowing the user to choose what to trust rather than having the computer manufacturer choose that for them.
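The two-stage check described above can be modelled in a few lines. This is an added example, not code from the post or from the shim project: textbook RSA over small constructed primes stands in for real UEFI signatures, and every name in it (`Machine`, `VENDOR`, `DISTRO`, and so on) is hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy RSA key from two primes: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, key):
    n, d = key
    return pow(digest(image, n), d, n)

def verify(image, sig, n):
    return pow(sig, E, n) == digest(image, n)

def signed_by_any(image, sig, trusted):
    return any(verify(image, sig, n) for n in trusted)

@dataclass
class Machine:
    firmware_db: set                            # keys shipped by the manufacturer
    shim_builtin: set                           # keys built into the pre-bootloader
    enrolled: set = field(default_factory=set)  # keys the user chose to trust

    def boot(self, shim, shim_sig, loader, loader_sig):
        # Stage 1: firmware Secure Boot check on the pre-bootloader.
        if not signed_by_any(shim, shim_sig, self.firmware_db):
            return "firmware refused shim"
        # Stage 2: the shim repeats the check with its own, user-extensible key list.
        if not signed_by_any(loader, loader_sig, self.shim_builtin | self.enrolled):
            return "shim refused boot loader"
        return "booted"

# Constructed sample keys (Mersenne primes, far too small for real use) and images.
VENDOR = make_key(2**127 - 1, 2**89 - 1)   # stands in for the key firmware trusts
DISTRO = make_key(2**107 - 1, 2**61 - 1)   # stands in for a small distro's key
SHIM, LOADER = b"pre-bootloader image", b"distro boot loader image"
SHIM_SIG, LOADER_SIG = sign(SHIM, VENDOR), sign(LOADER, DISTRO)

if __name__ == "__main__":
    pc = Machine(firmware_db={VENDOR[0]}, shim_builtin=set())
    print(pc.boot(SHIM, SHIM_SIG, LOADER, LOADER_SIG))   # key not enrolled yet
    pc.enrolled.add(DISTRO[0])                           # user enrolls the distro key
    print(pc.boot(SHIM, SHIM_SIG, LOADER, LOADER_SIG))
    print(pc.boot(SHIM, SHIM_SIG, LOADER + b"!", LOADER_SIG))  # modified loader
```

The firmware never learns about the distro key; only the shim's list grows, which is why the user rather than the manufacturer decides what the second stage trusts.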

You can read more about this solution in this blog post by Matthew Garrett.
