Uefi secure boot locks some free software

UEFI Secure Boot locks some free software

Monthly delays in the release of free operating systems for the bootloader shim prepare developers and software companies considerable problems. This applies above all non-linux operating systems away from the large linux distributions, which can not deliver certain patches and new software versions because of the long processing times.

"Principal" at microsoft

Most current desktop pcs, notebooks and servers as well as many embedded systems with x86 processors start with uefi secure boot to strong safety. The cryptographic "principal" however, has de facto microsoft in the hand.

Although secure boot can be switched off in many systems in the bios setup and some uefi bios implementations allow you to import your own certificates for yourself signed bootloaders into the firmware. The latter is complicated and expensive, the former peak the security.

In practice, therefore, it is important for free software to start with microsoft signature in secure boot standard mode.

Shim review

Secure boot should make computer safer by exiting only cryptographically signed bootloaders. Even free operating systems can be safely started in secure boot mode, for example by using the bootloader shim.

In order to ensure the trustworthiness, such free operating systems have to fulfill a number of requirements and go through a program through the shim review board. Ultimately, microsoft signs the bootloader from shim review board as well-founded bootloader. The exact "uefi signing requirements" describes microsoft in its tech community.

Review problems

For several years, there has always been criticism that shim reviews can take a long time. But since the safety cheek boothhole has been experienced, the problem has faved.

For operating systems that do not use linux kernel, the situation is particularly difficult. A prerequisite for a successful shim review is, not proof that the kernel-lockdown works. This refers to that the kernel started in secure boot mode charges only signed kernel modules at runtime, whose signature matches the stored secure boot key in the firmware. Otherwise, secure boat was ultimately flexed.

However, members of the shim review board are currently looking for the kernel lockdown fashion with others as linux kernels.

Thus, a very difficult situation has arisen. According to a github ie entry, the shim developers are currently working on a potential solution for the problem. Dates were not mentioned.

Even with patches against the boothole luck, some linux distributions have been subject to problems that also affect their respective shims.

Leave a Reply

Your email address will not be published. Required fields are marked *