

Supporting UEFI secure boot on Linux: the details - Garbage
http://mjg59.dreamwidth.org/6054.html

======
kogir
I haven't read the latest UEFI spec, but if each machine:

* shipped with a randomly generated unique key in addition to any others

* had an option in the pre-boot firmware to generate new keys signed with this unique machine key

then users who wanted to make signed binaries for their machine could and
anyone who didn't care wouldn't. It would still protect from malware as long
as the process couldn't be performed outside the (trusted, verified) pre-boot
firmware.

There are great security advantages to trusted boot, no matter what operating
system you run, so I don't see why most UEFI vendors wouldn't support
something like this -- it enables secure boot for consumer and server systems
and would still allow OEMs to do all their own customization as signed UEFI
programs. Since most OEMs buy their BIOS and UEFI software from someone else,
as long as that someone else implements it, it's easier for them to keep it
than to remove it.

In the case of Intel they could make it all easily manageable via AMT.

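The trust chain kogir sketches (a shipped vendor key plus a unique per-machine key, with new owner keys minted and countersigned only from the pre-boot menu) can be modelled in a few lines. The following is an added example, not code from the post, from the commenter or from any UEFI implementation: it uses textbook RSA at toy sizes, a hypothetical `Firmware` class and a constructed sample image, and it ignores how real UEFI stores its key databases. It exercises the checks the scheme relies on: a vendor-signed image boots, an image signed with a key minted at the pre-boot menu boots, minting a key from the running OS is refused, an unenrolled key or a forged enrolment record is rejected, and a modified image fails.

```python
import hashlib
import random
from dataclasses import dataclass


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def gen_keypair(rng, bits=512):
    """Textbook RSA at toy sizes with no padding: NOT for real use."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < n for 512-bit n


def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data)


def _encode_pub(public):
    return ("%d:%d" % public).encode()


@dataclass(frozen=True)
class Enrolment:
    public: tuple      # owner-generated public key
    machine_sig: int   # machine key's signature over _encode_pub(public)


class Firmware:
    """Hypothetical boot verifier. Trust roots: the shipped vendor key and this machine's unique key."""

    def __init__(self, vendor_public, rng):
        self.vendor_public = vendor_public
        self.machine_public, self._machine_private = gen_keypair(rng)  # unique per machine
        self.enrolments = []
        self.in_preboot = False  # true only while the pre-boot menu is running

    def generate_owner_key(self, rng):
        """The pre-boot option: mint a key, countersign it with the machine key, hand the owner the private half."""
        if not self.in_preboot:
            raise PermissionError("only available from the pre-boot firmware")
        public, private = gen_keypair(rng)
        self.enrolments.append(Enrolment(public, sign(self._machine_private, _encode_pub(public))))
        return public, private

    def _is_trusted(self, public):
        if public in (self.vendor_public, self.machine_public):
            return True
        # An enrolment record only counts if the machine key really signed it.
        return any(rec.public == public and verify(self.machine_public, _encode_pub(public), rec.machine_sig)
                   for rec in self.enrolments)

    def verify_image(self, image, signer_public, sig):
        return self._is_trusted(signer_public) and verify(signer_public, image, sig)


def demo():
    """Walk through the scenarios from the comment; returns the boot decisions as a tuple."""
    rng = random.Random(6054)  # fixed seed for a reproducible toy run; a real device uses a hardware RNG
    vendor_public, vendor_private = gen_keypair(rng)
    fw = Firmware(vendor_public, rng)
    image = b"constructed sample bootloader image"
    boots_vendor = fw.verify_image(image, vendor_public, sign(vendor_private, image))
    try:  # malware under the running OS cannot reach the enrolment step
        fw.generate_owner_key(rng)
        enrolled_from_os = True
    except PermissionError:
        enrolled_from_os = False
    fw.in_preboot = True
    owner_public, owner_private = fw.generate_owner_key(rng)
    fw.in_preboot = False
    boots_owner = fw.verify_image(image, owner_public, sign(owner_private, image))
    rogue_public, rogue_private = gen_keypair(rng)
    boots_rogue = fw.verify_image(image, rogue_public, sign(rogue_private, image))
    fw.enrolments.append(Enrolment(rogue_public, 12345))  # forged record lacking a machine signature
    boots_forged = fw.verify_image(image, rogue_public, sign(rogue_private, image))
    boots_tampered = fw.verify_image(image + b"!", owner_public, sign(owner_private, image))
    return boots_vendor, enrolled_from_os, boots_owner, boots_rogue, boots_forged, boots_tampered


if __name__ == "__main__":
    print(demo())
```

The forged-record case is the one worth noticing: if enrolment records were plain public keys in a writable variable store, anything that could write that store could enrol itself, so each record carries the machine key's signature and is re-verified at boot. In the model the `in_preboot` flag stands in for whatever actually stops the running OS from reaching the enrolment path; the scheme is only as strong as that barrier.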
~~~
tzs
I have wondered why they didn't do something like that, except I'd make it so
that it doesn't ship with the randomly generated key--you'd generate that on
the machine itself in the pre-boot environment.

That way (1) if your key is compromised you can discard it and generate a new
one, and (2) if you buy a used machine, you can generate a new key.

------
altrego99
If it is indeed possible for Linux to create a signing tool, won't
hackers/pirates be able to do the same? Doesn't that defeat the purpose? Or
will the signing be governed by a body, or will it cost to get the license for
it?

~~~
watmough
If I understand, the binaries need to also be signed by the private keys
belonging to the 'owner' of the firmware / machine.

This presumably means Intel and/or Microsoft.

The implication is that, to get on the machine in trusted mode, you have to be
approved by Microsoft and/or Intel, or else you are stuck running in untrusted
mode, which may in future make you a second class citizen, and in an extreme
case might prevent you from say, accessing your own banking records (spinning
a hypothetical).

If as a condition of an OEM agreement, Microsoft and Intel force a lock-down
of the boot firmware, then the potential controversy is that other operating
systems are excluded from ever running in trusted mode on that hardware.

It just occurred to me that this is similar to how the iPhone works. I can
sign locally, but only Apple can sign my app for wider distribution... unless
the recipient phone is jail-broken in which case that phone will quite easily
be detected as untrusted and could easily in future be denied access to the
network, or app store. There's clearly a reason the baseband is also encrypted
and signed.

