

Booting a Self-signed Linux Kernel - tanglesome
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/

======
pilif
I'm confused, but maybe you can enlighten me: This article talks about using a
tool called KeyTool to manipulate the keys stored on the machine. But if
software is capable of doing that, wouldn't that defeat the whole purpose of
UEFI to begin with? How is it ensured that it's the user operating KeyTool and
not $MALWARE?

Why does KeyTool even run on a locked-down-by-MS machine? Have they signed it
as part of the Linux Foundation bootloader? Why would they do such a thing? I
don't mean for protecting-the-monopoly-reasons, but for straight security
reasons as this clearly circumvents anything they were trying to accomplish.

I seem to be missing a piece of information here.

~~~
richardwhiuk
You have to disable the Secure Boot protection before you can run KeyTool -
from the article:

    Traverse the BIOS settings and find the place where UEFI boot mode is specified, and turn the “Secure Boot” option OFF.

------
emhs
This is an example of what I love about the open source community. Some argue
that signed boot was an attempt to force the open source community out by
holding the keys to the ability to boot, as it were. Some think it's just
relentless advancement of the forces of centralization and the establishment's
view on security. Regardless of all of that, we can now take advantage of it
to ensure our machines can _only_ boot our trusted, Linux/BSD/home-built OSes.
I'm reminded of the car dealer crossroads from "In the beginning was the
command line".

Open Source FTW.

~~~
lisper
Unfortunately, the fact that you have to go through such an elaborate
procedure will deter many people from going open-source. Before secure boot,
installing Linux was relatively straightforward, and that is one of the
reasons for its success. Those days are drawing to a close.

~~~
xymostech
Why can't this procedure be standardized and made straightforward? It's hard
now, but hopefully in the future it will just be a typical part of installing
the operating system.

~~~
lisper
Because the procedure requires making changes to the BIOS, and that can't be
automated, or even standardized, because different manufacturers' BIOSes are
different. Recall this passage from the post:

"Reboot the machine, and go into the BIOS. Usually this means pounding on the
F2 key as the boot starts up, but all machines are different, so it might take
some experimentation to determine which key your BIOS needs."

That will be a show-stopper for most people.

~~~
pilif
That procedure was only needed in order to show how booting a non-signed
kernel was made possible and later how that was turned off again.

The magic is in KeyTool and that doesn't require the user to alter the BIOS in
any way. You boot from that USB drive (sb-usb.img linked in the article) by
the usual methods of booting from an external drive. It will boot because its
bootloader is the Linux Foundation one that was signed by MS. Then you launch
KeyTool and change the key config.

At this point, your BIOS will boot a kernel you have signed.

The only BIOS intervention in the article was to first allow booting unsigned
kernels (not needed with that sb-usb thing) and then to turn it off again. At
least that was my impression.
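
The key databases KeyTool edits (db, dbx, KEK) are chains of EFI_SIGNATURE_LIST structures, the same layout as the .esl files it enrols. The following is an added example, not code from the article or from anyone in this thread: it parses that format and flags entries whose SignatureOwner is not the GUID you enrolled with, which is how you would confirm after enrolment that only your own keys are trusted. The owner GUIDs, hashes and "certificate" bytes are constructed sample data; the entry-type GUIDs are the ones the UEFI specification defines.

```python
import struct
import uuid

# Entry-type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
HEADER_LEN = 28  # SignatureType (16 bytes) + three little-endian uint32 sizes

def parse_esl(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return one
    (type_name, owner_guid, signature_data) tuple per enrolled signature."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated list header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16:
            raise ValueError("SignatureSize too small to hold SignatureOwner")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # EFI_GUID is mixed-endian
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)),
                            str(owner), body[i + 16:i + sig_size]))
        off += list_size
    return entries

def foreign_entries(blob, my_owner):
    """Entries not owned by your GUID; empty means db trusts only your keys."""
    return [e for e in parse_esl(blob) if e[1] != str(my_owner)]

def build_esl(sig_type, owner, datas):
    """Assemble one list (no per-list header); all entries must share one size."""
    body = b"".join(owner.bytes_le + d for d in datas)
    sizes = struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(datas[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample db: two SHA-256 hash entries owned by "us" and one fake
# cert owned by someone else. On a live machine the same parser applies to
# /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after
# skipping the 4-byte attribute prefix that efivarfs prepends to the payload.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")      # made up
OTHER_OWNER = uuid.UUID("99999999-8888-7777-6666-555555555555")   # made up
SAMPLE_DB = (build_esl(EFI_CERT_SHA256_GUID, MY_OWNER, [bytes(range(32)), bytes(32)])
             + build_esl(EFI_CERT_X509_GUID, OTHER_OWNER, [b"\x30\x82not-a-real-der-cert"]))
```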

~~~
Filligree
Ah, hold on.

Doesn't running KeyTool require you to turn off security in the BIOS first?

------
aray
Nice! It'd be good to pair this with some instructions on how to do safe key
management by yourself, because you'll only ever be as safe as you keep your
keys.

I would link to some here, but I don't even know of any best practices for
keeping personal keys safe. (Use smartcard/physical-backed keys?)

~~~
jlgaddis
> Use smartcard/physical-backed keys?

Basically, yes.

I'd be happy to share details of how I generated/store/backup my keys but be
forewarned that I went the "extremely paranoid" route.

~~~
philips
Please do. I haven't been able to find a vendor for smart cards in the US nor
do I know exactly what to buy.

------
cmsimike
I have to ask but I am not optimistic - would this get Linux booted on a
Surface RT?

------
plaguuuuuu
so.... why exactly does UEFI exist again....? seems useless

~~~
philips
It is a replacement for BIOS that first showed up on Itanium platforms. It
adds quite a bit of complexity but also opens the door for new features like
secure boot.

I won't argue whether it is useful but it is in nearly all new desktop
hardware including all Apple x86 hardware. It is here to stay.

