Linux Foundation proposes to use UEFI to make PCs secure and free


Summary: The Linux Foundation and friends are working on using UEFI so that computers can be both more secure and give users freedom of operating system choice instead of using Microsoft's secure boot plan to lock users into Windows 8.


UEFI, Secure Boot, and Freedom of choice

Microsoft's proposed use of the Unified Extensible Firmware Interface (UEFI) in Windows 8 could be used to block all other operating systems from Windows 8 certified systems. The Linux Foundation and partners have a better idea: secure computers with UEFI and give users freedom of operating system choice.

In the Linux Foundation document, Making UEFI Secure Boot Work With Open Platforms (PDF Link), James Bottomley, CTO of Server Virtualization at Parallels and Linux Foundation Technical Advisory Board Chair, and Jonathan Corbet, Editor of LWN.net and fellow Technical Advisory Board member, after consulting with other Linux leaders, explain how "Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware."

At the same time, Red Hat and Canonical, Ubuntu's parent company, have published UEFI Secure Boot Impact on Linux (PDF Link). This document "presents a set of recommendations that will allow users the freedom to choose their software, while retaining the security features of UEFI Secure Boot, and complying with open source licenses used in distributions of Linux."

What's all this about? UEFI is the greatly improved, 21st century replacement for your PC's BIOS. Its job is to initialize your PC's hardware and then hand control over to your operating system. Microsoft plans to use UEFI in Windows 8 certified systems to boot the system securely and keep out some malware. Good enough, but Windows 8's UEFI-based secure boot could also be used to block other operating systems. In particular, Windows 8 clients must be certified with UEFI firmware configured in a way that supports Windows 8's secure boot.

While some Microsoft fans claim that this isn't a problem and that "Linux fanatics want to make Windows 8 less secure," that's not the case. Linux developers see the advantages of UEFI secure boot protection. They just object to Microsoft's specific secure boot UEFI implementation proposals.

In the Linux Foundation document, Bottomley and Corbet explain that "'Secure boot' is a technology described by recent revisions of the UEFI specification; it offers the prospect of a hardware-verified, malware-free operating system bootstrap process that can improve the security of many system deployments. Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware. This document is intended to describe how the UEFI secure boot specification can be implemented to interoperate well with open systems and to avoid adversely affecting the rights of the owners of those systems while providing compliance with proprietary software vendors' requirements."

To keep systems both secure and open, they propose that operating system vendors and original equipment manufacturers (OEMs) follow these recommendations:

  • All platforms that enable UEFI secure boot should ship in setup mode, where the owner has control over which platform key (PK) is installed. It should also be possible for the owner to return a system to setup mode in the future if needed.
  • The initial bootstrap of an operating system should detect a platform in setup mode, install its own key-exchange key (KEK), and install a platform key to enable secure boot.
  • A firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up.
  • A firmware-based mechanism for easy booting of removable media should be provided.
  • At some future time, an operating-system- and vendor-neutral certificate authority should be established to issue KEKs for third-party hardware and software vendors.

They then explain that this system could still work with Microsoft's Windows 8 plans. The UEFI secure boot system can be summarized as a two-key system with "a PK, which is designed to be controlled by the Platform Owner (whoever owns the hardware) and a set of KEKs, which are designed to be controlled by the OEM and OS vendors. 'Controlled' in this sense means that these keys are public/private key pairs; whoever knows the private key is the key controller, but to install the key, you only need the public piece, which means KEKs may be installed by anybody without controlling them."

Therefore, OEMs shipping Windows 8, or any other system, could ship the PC "with all the KEKs required to allow validation of the firmware and drivers installed in the signature database (section 27.6.1 [of the UEFI specification]). The signature database will be inactive while the platform is in setup mode, but, once secure boot is activated, the firmware and all of the add in driver components must validate correctly for the platform to progress to boot the Operating System."

Then, when a secure boot operating system boots for the first time, it "would detect that the platform is in setup mode and immediately switch the platform to the secure mode by installing a platform key after it has installed the KEK corresponding to its own code." In the case of an open operating system, the installer would "likely generate a new PK at first boot, install the public component and save the private component to external media for the user."

The Linux Foundation also points out that Microsoft's take on secure boot and UEFI, where a user puts all his or her trust into the Windows 8 system "runs counter to the UEFI recommendation that the platform owner be the PK controller and would ensure that the Windows operating system would then become the only bootable operating system on the platform." Nevertheless, the Linux Foundation doesn't want to turn this into a Windows-Linux fight.

Bottomley and Corbet state that if a user wants to let Microsoft lock them into Windows 8, "we must agree that it is a legitimate choice for an informed user to make voluntarily." In the Linux Foundation plan, OEMs and users can still do this. "It is enabled in our blueprint above by allowing the Microsoft OEM ignition system to install the OEM PK instead of generating a new PK specific to the installation. This can be achieved simply and securely because only the public half of the PK needs to be carried by the ignition system to affect this lockdown of the platform."

Red Hat and Canonical take a somewhat stronger view, but it's one that both Microsoft and OEMs should be able to live with. In addition to recommending that hardware be shipped in setup mode, they recommend that:

  • All OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface.
  • All OEMs (with assistance from BIOS vendors) provide a standardized mechanism for configuring keys in system firmware.

While this addresses the initial problem of operating system lock-in on certified Windows 8 PCs, it still leaves a gap that Bottomley and Corbet point out: "one of the few shortcomings in the UEFI model (and it is a deliberate omission because of the complexity of running a certification system) is that there's no designated root of trust in the current proposals."

Bottomley and Corbet would like to address this problem by using a trust certification system that UEFI already allows: "X.509 [an ITU-T and IETF public key infrastructure standard] certificates to be present in the signature database. The X.509 trust model, which is the one upon which web server and browser security certificates are based, allows signatures and signing keys to be traced back to a single root of trust. This would allow for one (or more) Certificate Authority keys to be placed in the UEFI signature database and would then allow the designated Certificate Authorities to issue both KEKs (and even signing keys that allow the production of KEKs) to third parties that would still validate back to the original CA root of trust. The UEFI specification (section 27.7.1) even allows for the revocation of KEKs should the original authorized user have lost control of them, which is all the necessary machinery you need to operate a fully functional CA."

So, the Linux Foundation proposes "that all the interested parties establish a Certificate Authority whose key should be placed in the UEFI firmware table by default; this authority would become responsible for handing out signed KEKs to UEFI device vendors (for their UEFI drivers), UEFI OEM platform vendors (for their firmware images) and OS vendors (for securely booting their OSs). The operation of such a CA would have to be platform- and OS-neutral and would have to adhere to the usual standards of trust and security (presumably by having a controlling board made up of representatives from the various parties), but it would solve a greater part of the driver and OS verification problem because anything signed with an un-revoked KEK traceable back to the CA root key would be automatically trusted by the UEFI firmware for secure boot."

This lack of a certificate authority isn't a problem just for smaller operating system vendors. OEMs are also concerned about the costs of Windows 8's proposed UEFI secure boot and its lack of an X.509 certificate authority.

Even if operating system vendors and OEMs can't come to an agreement on a certificate authority, that doesn't have to block independent operating systems from UEFI secure boot protected systems. Bottomley and Corbet point out that "The establishment of an independent certificate authority for the creation of KEKs would make interoperation easier, but is not necessary for these platforms to support open systems." Instead, "In the absence of the establishment of a trust model, we therefore recommend that non-verifying external media be booted with a simple firmware based present user permission check when the system is in user mode with secure boot enabled."
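To make the two-key model and the recommendations above concrete, here is an added example (not code from the Linux Foundation paper, and not from any real firmware) that models the PK/KEK/db/dbx hierarchy and walks through the proposed flow: a platform shipped in setup mode with the OEM's keys pre-installed, an open operating system enrolling its own KEK and a freshly generated PK on first boot, a second KEK added in user mode only with the PK owner's signature, unverifiable removable media booting only after a present-user check, and revocation through dbx. Everything in it is an assumption for illustration: the RSA is a toy with tiny fixed primes that merely stands in for the real RSA/SHA-256 signatures on UEFI authenticated variables, the parties (oem, linux, other) and the image bytes are constructed, and EFI signature-list formats and timestamps are ignored.

```python
"""Toy model of the UEFI Secure Boot key hierarchy (PK, KEK, db, dbx) and of the first-boot
flow the Linux Foundation paper describes.  Added illustration only: the RSA uses tiny fixed
primes and is NOT secure; it stands in for the RSA/SHA-256 signatures on UEFI authenticated
variables, whose EFI_SIGNATURE_LIST formats and timestamps are ignored here."""
import hashlib


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Owner:                                 # holder of a private key; only `public` is enrolled
    def __init__(self, p: int, q: int):
        self.public = (p * q, 65537)
        self._d = pow(65537, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        return pow(_digest(data, self.public[0]), self._d, self.public[0])


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


def key_bytes(public) -> bytes:             # payload of a key update: the public half only
    return f"{public[0]}:{public[1]}".encode()


class Firmware:
    def __init__(self, oem_kek):
        self.pk = None                      # no PK at all == setup mode
        self.kek = [oem_kek]                # OEM ships the KEK its firmware/drivers need
        self.db = [oem_kek]                 # ... plus matching db entries (sec. 27.6.1)
        self.dbx = []                       # forbidden signers

    @property
    def setup_mode(self) -> bool:
        return self.pk is None

    def _authorised(self, authorities, payload: bytes, auth) -> bool:
        # setup mode: any write goes; user mode: the write must be signed by an authority
        if self.setup_mode:
            return True
        return auth is not None and any(verify(a, payload, auth) for a in authorities)

    def install_pk(self, pk_public, auth=None) -> bool:
        # replacing the PK needs the current PK owner's signature
        if not self._authorised([self.pk] if self.pk else [], key_bytes(pk_public), auth):
            return False
        self.pk = pk_public                 # leaves setup mode; verification now enforced
        return True

    def install_kek(self, kek_public, auth=None) -> bool:
        # KEK writes are authorised by the PK: the hook that lets an owner set up dual boot
        if not self._authorised([self.pk] if self.pk else [], key_bytes(kek_public), auth):
            return False
        self.kek.append(kek_public)
        return True

    def install_db(self, key_public, auth=None, forbid=False) -> bool:
        # db/dbx writes are authorised by any enrolled KEK (dbx is how a signer is revoked)
        if not self._authorised(self.kek, key_bytes(key_public), auth):
            return False
        (self.dbx if forbid else self.db).append(key_public)
        return True

    def boot(self, image: bytes, sig=None, signer=None, removable=False, user_present=False):
        if self.setup_mode:
            return True                     # nothing is verified until a PK exists
        if signer in self.dbx:
            return False                    # revoked signer never boots
        if signer in self.db and sig is not None and verify(signer, image, sig):
            return True
        return removable and user_present   # unverifiable media: only on a present-user check


def first_boot_open_os(fw: Firmware, os_vendor: Owner) -> Owner:
    """Paper's blueprint: in setup mode enrol the OS vendor's KEK, generate a fresh PK, enrol its
    public half, return the private half for external media (enrolling the OEM PK = lockdown)."""
    assert fw.setup_mode
    fw.install_kek(os_vendor.public)
    owner = Owner(1000081, 1000099)         # generated on this machine, not vendor-supplied
    fw.install_pk(owner.public)
    return owner


def demo() -> dict:
    oem, linux, other = Owner(1000003, 1000033), Owner(1000037, 1000039), Owner(1000117, 1000121)
    fw = Firmware(oem_kek=oem.public)       # hypothetical parties and platform
    owner = first_boot_open_os(fw, linux)
    r = {"left_setup_mode": not fw.setup_mode}
    # vendor enrols its signing key in db with a KEK-signed update (one key reused as KEK and
    # db entry to keep this short), then boots a signed image
    fw.install_db(linux.public, auth=linux.sign(key_bytes(linux.public)))
    image = b"constructed bootloader image"
    r["signed_boot"] = fw.boot(image, linux.sign(image), linux.public)
    # dual boot: a second KEK needs the PK owner's signature; an unsigned push is refused
    r["kek_without_pk"] = fw.install_kek(other.public)
    r["kek_with_pk"] = fw.install_kek(other.public, auth=owner.sign(key_bytes(other.public)))
    # unsigned removable media boots only after the present-user check
    live = b"constructed live-CD loader"
    r["unsigned_silent"] = fw.boot(live, removable=True)
    r["unsigned_user_present"] = fw.boot(live, removable=True, user_present=True)
    # revocation: a KEK holder pushes the signer into dbx and the old image stops booting
    fw.install_db(linux.public, auth=oem.sign(key_bytes(linux.public)), forbid=True)
    r["boot_after_revoke"] = fw.boot(image, linux.sign(image), linux.public)
    return r
```

Running `demo()` returns a dictionary of outcomes: the platform leaves setup mode, a db-signed image boots, an unsigned attempt to add a KEK is refused while the PK owner's signed one is accepted, unsigned removable media boots only when a user is present, and an image signed by a revoked key no longer boots. The design point the paper makes is visible in the code: the firmware only ever stores public halves, so an OEM can pre-enrol any vendor's KEK without controlling it, and whoever holds the PK private half decides which KEKs get added later.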

So in the end, the Linux Foundation and its allies conclude that "while some observers have expressed concerns that secure boot could be used to exclude open systems from the market … there is no need for things to be that way. If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements." The ball is now in Microsoft's court.

Related Stories:

Windows 8 to increase PC production costs

Microsoft isn't the enemy when it comes to blocking Linux on Windows 8 PCs

Free Software Foundation urges OEMs to say no to mandatory Windows 8 UEFI cage

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs

Microsoft: Don't blame us if Windows 8's secure boot requirement blocks Linux dual-boot

Image by opensourceway, CC 2.0.

Topics: Software, Hardware, Linux, Microsoft, Open Source, Operating Systems, Windows


Talkback

158 comments
  • Two problems

    First, MS wants PCs to be like a closed appliance. When something goes wrong, just trash the box, buy new, and MS sells another license.

    Secondly, our anything but benevolent government is in complete police-state mode. They want access to all keys. If keys are decided by OEMs then they have them. If keys are chosen by users then it becomes more difficult for government.

    UEFI is a great thing if it is left to users to choose keys. This way we retain control of our own systems.
    Tim Patterson
    • Who's to say that the LF wants UEFI to block Windows installs?

      @Tim Patterson
      Force people onto Linux?
      William Farrell
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @William Farrell
        lol good one
        FlatbushE21
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @William Farrell

        LOL!
        none none
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @William Farrell LOL That's exactly their wish! Yeah everyone is just dying to be stuck with a hobbyist's 24/7 tinker toy. I'm sorry, but Linux has been struggling below 1% for decades and it's time for it to just fade away. I've toyed with it for years and never found it worth doing anything more than tinkering. Let it go.

        This does make me wonder, though. Every geek who wants to create a "new" OS takes the lazy way out and starts with the free Linux kernel. Has every geek in the world forgotten how to write a kernel? In the early days, there were literally dozens of OS kernels floating around, with new ones appearing all the time. It's far past time for a true uber geek to go "old school" and write something better from scratch. Perhaps the death of Linux would finally motivate the best of the best to replace it with totally new tech from THIS century. A completely new and modern OS might succeed where Linux has failed for decades.
        BillDem
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @BillDem: There are many that will beg to differ with your prose. I use Linux every day at work and at home. It's the only OS I use for my job. Just because you are too inept to find a use for Linux other than "tinkering" doesn't mean Linux sucks and needs to go away; it means you have a bias and are allowing that bias to dictate your prose.
        Linux User 147560
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @Linux User 147560 "Just because you are to inept to find a use for Linux other than "tinkering"

        Clearly he's not too inept. What he states is right on the money. Linux is a giant pain in the ass to use for the vast majority of people, and it's only suited for computer nerds who love to tinker, because the Linux OS needs constant tinkering to keep it running. Most people don't want to have to f&ck around with their computer all the time because of some crappy OS.
        jhammackHTH
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @jhammackHTH
        "Clearly he's not too inept. What he states is right on the money. Linux is a giant pain in the ass to use for the vast majority of people, and it's only suited for computer nerds who love to tinker. Because the Linux OS needs constant tinkering to keep it running."

        You do realize this isn't evidence, just completely unsupported claims you're making, right? You do realize that when you make a claim or propose something, you're supposed to support that claim with facts, evidence and reasoning? You do realize that bold, inflammatory and unfounded assertions don't add anything to the discussion, right?
        jgm@...
    • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

      @Tim Patterson

      You do realize that Windows 8 has built in recovery technologies, right!? When something goes wrong (if it's not hardware related), simply roll back the installation. If it requires hardware replacement, simply re-install as you would do now.

      Neat, huh?
      The one and only, Cylon Centurion
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @Cylon Centurion Yeah, and System Restore has been proven to be so reliable, eh?
        JustCallMeBC
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @JustCallMeBC

        "The Developer Preview comes with two new recovery functions. Namely, Refresh and Reset, which both make a complete restore easier than a re-installation. The former keeps all settings & files of the user intact and only reverses all changes to Windows files to its original state and removes all installed programs and apps. The latter deletes all files and effectively re-installs Windows, but without any additional user input such as agreeing to license agreements or selecting a hard disk required. After a reset completes, the user will be asked for the product key and will then proceed to account creation."

        ;)
        The one and only, Cylon Centurion
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @Cylon Centurion
        My Windows 7 never reverted back to what it was after a friend plugged in a faulty USB.
        You surely know that in order to revert back, history or some backup files are necessary. So recovery cannot really help a PC survive real fatal damage.
        Recovery is not a time machine.
        UStupidKid
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @Cylon Centurion , since when did new PCs come with a Windows installer DVD?
        peter_erskine@...
      • Restore???

        @Cylon Centurion where and when has restore been reliable? Re-install windows...you must have days of free time to do that and upload the never ending list of updates...not as simple as you state young fella'
        Bradish@...
    • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

      @BillDem Linux PCs represent a massive portion of servers and supercomputers. I see what you're saying when it comes to desktops, but even then I think free alternative OSes raise the bar for the commercial ones.
      Imrhien
    • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

      @BillDem

      Do you suffer from diminished mental capacity? Let's do a quick list of things that run Linux:

      Android phones (currently ~46% of all phones in the US)
      Tivo
      91.8% of the Top 500 Super computers in the world.
      60% of all web servers in the world. (Including this one from what I can tell)
      So yeah.. Linux is way dead.. No body uses that.. Especially not those Red Hat guys.. they don't make a dime. And Facebook.. they use IIS.. totally.

      Linux might have low desktop penetration, but in the real world, where the real work gets done, Linux is everywhere...
      insanemal
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @insanemal Remember BillDem is the one who posted incessantly on this same topic in other articles that everyone commenting were "morons" because they could just "run Linux in VirtualBox", as if paying for, learning, using, and maintaining Windows 8 and running Linux at half speed in a VM with little or no 3D acceleration and no bare-metal access to hardware was a completely acceptable (and morally justifiable) alternative for Linux users. He never subscribes to posts and thus never comes back to address the (numerous) posts that refute his comments, so you're really wasting your time. He knows absolutely nothing about Linux but loves to comment on any post about it.
        jgm@...
      • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

        @insanemal

        "@BillDem
        Do you suffer from diminished mental capacity? Lets do a quick list of things that run linux"

        hehe :)
        12312332123
  • Your last sentence shows why you've been wrong all this time

    "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements. The ball is now in Microsoft's court."

    No, the ball is now in the OEM's court. You agree that if the OEMs implement this plan, they will be in compliance with MS's certification requirements. This proves beyond any doubt that MS's certification requirements do not lock people into Windows 8. You said it yourself SJVN. Will you now be retracting all the things you've said on this matter?

    No, of course you won't. Regardless, the ball is not in MS's court. MS served the ball when it stated its certification requirements. Linux Foundation then passed the ball to the OEMs when they came up with an implementation method that served both MS's purposes and the LF's purposes. The ball is now in the OEM's court.
    toddybottom
    • RE: Linux Foundation proposes to use UEFI to make PCs secure and free

      @toddybottom

      Very true. I will also say that it is gratifying to see that the Linux Foundation is offering productive solutions to the problem rather than take the low road.
      Michael Kelly