Management of UEFI secure booting

The FSF have released a statement on UEFI secure boot. It explains the fundamental issue here, which isn't something as simple as "Will OEMs let me install Linux?". It's "Does the end user have the ability to manage their own keys?".

Secure boot is a valuable feature. It does neatly deal with the growing threat of pre-OS malware. There is an incentive for it to be supported under Linux. I discussed the technical aspects of implementing support for it here - it's not a huge amount of work, and it is being worked on. So let's not worry about that side of things. The problem is with the keys.

Secure boot is implemented in a straightforward way. Each section of a PE-COFF file is added together and a hash taken[1]. This hash is signed with the private half of a signing key and embedded into the binary. When you attempt to execute a file under UEFI, the firmware attempts to decrypt the embedded hash. This requires that the firmware have either a copy of the public half of the signing key in its key database, or a chain of trust from the signing key to a key in its key database. Once it has the decrypted hash, it generates its own hash of the binary and compares them. If they match, the binary is executed.
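A simplified model of the sign-and-verify flow described above, as an added example that is not code from the original post. It uses toy textbook RSA built from known Mersenne primes and hashes the sections in order, whereas real firmware checks Authenticode signatures; the section contents, key names and the `firmware_verify` helper are assumptions made for illustration.

```python
import hashlib

# Toy textbook-RSA keys built from known Mersenne primes. Constructed for
# illustration only: no padding, trivially factorable, never use for signing.
E = 65537

def make_key(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def image_hash(sections):
    """Hash the image sections in order, as the text describes."""
    h = hashlib.sha256()
    for data in sections:
        h.update(data)
    return int.from_bytes(h.digest(), "big")

def sign(sections, private):
    """Signer side: encrypt the hash with the private half of the key."""
    n, d = private
    return pow(image_hash(sections), d, n)

def firmware_verify(sections, signature, key_db):
    """Firmware side: recover the embedded hash with each trusted public
    key and compare it with a freshly computed hash of the image."""
    fresh = image_hash(sections)
    return any(pow(signature, e, n) == fresh for n, e in key_db)

# Two hypothetical signers: a platform vendor and the machine's owner.
vendor_pub, vendor_priv = make_key(2**127 - 1, 2**521 - 1)
owner_pub, owner_priv = make_key(2**107 - 1, 2**607 - 1)

# Constructed sample image: a list of section contents.
bootloader = [b".text: constructed loader code", b".data: constructed config"]
vendor_sig = sign(bootloader, vendor_priv)
owner_sig = sign(bootloader, owner_priv)

if __name__ == "__main__":
    print("vendor-signed, vendor db:", firmware_verify(bootloader, vendor_sig, [vendor_pub]))
    print("owner-signed, vendor db: ", firmware_verify(bootloader, owner_sig, [vendor_pub]))
    print("owner-signed, owner key enrolled:",
          firmware_verify(bootloader, owner_sig, [vendor_pub, owner_pub]))
```

The owner-signed image only verifies once the owner's public key is in the key database, which is the key-management question the post raises.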

What happens if it doesn't match?



