Linux foundations – Making UEFI Secure Boot Work With Open Platforms

Posted: October 30, 2011 in Open Source News

Linux Foundation – “Secure boot” is a technology described by recent revisions of the UEFI specification; it offers the prospect of a hardware-verified, malware-free operating system bootstrap process that can improve the security of many system deployments. Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware. This document is intended to describe how the UEFI secure boot specification can be implemented to interoperate well with open systems and to avoid adversely affecting the rights of the owners of those systems while providing compliance with proprietary software vendors’ requirements.

Last month when Matthew Garrett raised the issue it was feared that Microsoft’s requirements for Windows 8 would see OEMs shipping firmware which only had Microsoft’s platform key (PK) installed and which would only be able to securely boot Windows 8. Microsoft responded to the concerns saying they weren’t attempting to lock out any other operating systems, but it was pointed out that, intentional or not, this would be the effect of their current plans. The Free Software Foundation then launched a call for OEMs to implement an open and fair version of UEFI Secure Boot, but did not offer any technical suggestions on how that would be achieved. But Linux foundation has provided a document to acheive it.

The Linux Foundation paper calls Microsoft’s plans “counter to the UEFI recommendation that the platform owner be the PK controller” and says that it is “a legitimate choice for an informed user to make voluntarily”. Both papers suggest that all platforms which enable Secure Boot should ship in “setup mode” which would give the system owner control of the Secure Boot system. Initial startup of an operating system should then detect that setup mode and install a KEK (key-exchange-key) and PK to enable Secure Boot. The system would then securely boot that operating system. When a user needed to take control of their system’s secure boot, a “reset” option for UEFI’s keys would allow those keys to be cleared and a different operating system installed. Microsoft’s Windows 8 could also be pre-installed in the same way; the UEFI reset would then unlock the machine for other operating systems.

To learn more about the recommendations , download the PDF below.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s