this post was submitted on 13 Oct 2023
211 points (99.5% liked)

Linux

48348 readers
416 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Been down the rabbit hole lately of UEFI Secure Boot issues, and decided to write an overview of how it works out-of-the-box in the excellent Debian-based Linux Mint LMDE 6.

Have mostly been researching this stuff as I was looking to replace GRUB entirely with systemd-boot on one of my systems. Will likely write a follow-up piece documenting that journey if I think it'd be interesting to some nerds out there.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 1 year ago (7 children)

Fun read.

So, is the implication here that ONLY Microsoft keys can be in the db, and thus they're the ultimate authority on who gets signed? Does Microsoft somehow own the UEFI standard?

Relatedly, can anyone elaborate on their reason for refusing to sign GRUB? I'm not following just from that short quote.

[–] [email protected] 16 points 1 year ago (4 children)

Microsoft doesn't own the standard. It's actually an open standard maintained and contributed to by a whole host of technology companies. This is contrary to the old BIOS method which was originally proprietary to IBM.

The fact they have such wide authority in signing is a product of how wide-reaching their market share it. They essentially mandate that OEMs include their signing keys in the signature database if their systems are to ship with Windows, thus making them a de facto authority on what gets signed. This was a point that made a lot of people in the FOSS community uncomfortable and still does to this day, although if one wants they can actually take full control of the Secure Boot process by replacing the Platform Key (PK) with their own. This gives ultimate control to the owner of the machine as they can then replace the Key Exchange Keys to allow them to replace Microsoft's keys within the signature database (db). This completely removes reliance on any third party signatures and enables ditching the first-stage Shim bootloader from the boot flow entirely, since the owner could just sign whichever bootloader they wanted to use directly with their own key in the database. As it would require manually signing everything from the bootloader to the kernel and its modules though, including re-signing them after updates, this is definitely a much more involved way of doing things although arguably even more secure as the system would be entirely locked down to only binaries signed by its owner at that point.

As to why they don't sign GRUB, it's about licensing. Since GRUB is GPLv3, there are provisions in the license that Microsoft interprets as potentially mandating them to disclose their private key to facilitate users installing modified versions of it. Ubuntu came to the same conclusion when contemplating how to deal with Secure Boot back in the day, where they wanted to provide an alternative to the Microsoft keys by having Canonical's keys also shipped with firmware, although proliferation of their keys is a lot less widespread and in some peoples' eyes not all that much different than just using VeriSign's service for the Microsoft keys anyway.

[–] cdombroski 2 points 1 year ago

although if one wants they can actually take full control of the Secure Boot process by replacing the Platform Key (PK) with their own.

Fun fact, actually replacing the platform key will often end up with the motherboard not being usable until you do a firmware install or nvram clear. This is because various modules (most relevantly GPUs) on the motherboard have their own signed firmware that's loaded at boot and if you replace the platform key they can't be loaded anymore as they don't have a valid signature. See: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom

load more comments (3 replies)
load more comments (5 replies)