Language Selection

English French German Italian Portuguese Spanish

Management of UEFI secure booting

Filed under
Microsoft

The FSF have released a statement on UEFI secure boot. It explains the fundamental issue here, which isn't something as simple as "will OEMs let me install Linux". It's "Does the end user have the ability to manage their own keys".

Secure boot is a valuable feature. It does neatly deal with the growing threat of pre-OS malware. There is an incentive for it to be supported under Linux. I discussed the technical aspects of implementing support for it here - it's not a huge deal of work, and it is being worked on. So let's not worry about that side of things. The problem is with the keys.

Secure boot is implemented in a straightforward way. Each section of a PE-COFF file is added together and a hash taken[1]. This hash is signed with the private half of a signing key and embedded into the binary. When you attempt to execute a file under UEFI, the firmware attempts to decrypt the embedded hash. This requires that the firmware have a either a copy of the public half of the signing key in its key database, or for there to be a chain of trust from the signing key to a key in its key database. Once it has the decrypted hash, it generates its own hash of the binary and compares them. If they match, the binary is executed.

What happens if it doesn't match?




More in Tux Machines

AT&T in Open Network Automation Platform (ONAP)

Librem 5 Phone Progress Report

  • Librem 5 Phone Progress Report – The First of Many More to Come!
    First, let me apologize for the silence. It was not because we went into hibernation for the winter, but because we were so busy in the initial preparation and planning of a totally new product while orienting an entirely new development team. Since we are more settled into place now, we want to change this pattern of silence and provide regular updates. Purism will be giving weekly news update posts every Tuesday, rotating between progress on phone development from a technology viewpoint (the hardware, kernel, OS, etc.) and an art of design viewpoint (UI/UX from GNOME/GTK to KDE/Plasma). To kickoff this new update process, this post will discus the technological progress of the Librem 5 since November of 2017.
  • Purism Eyeing The i.MX8M For The Librem 5 Smartphone, Issues First Status Update
    If you have been curious about the state of Purism's Librem 5 smartphone project since its successful crowdfunding last year and expedited plans to begin shipping this Linux smartphone in early 2019, the company has issued their first status update.

Benchmarking Retpoline-Enabled GCC 8 With -mindirect-branch=thunk

We have looked several times already at the performance impact of Retpoline support in the Linux kernel, but what about building user-space packages with -mindirect-branch=thunk? Here is the performance cost to building some performance tests in user-space with -mindirect-branch=thunk and -mindirect-branch=thunk-inline. Read more

An introduction to Inkscape for absolute beginners

Inkscape is a powerful, open source desktop application for creating two-dimensional scalable vector graphics. Although it's primarily an illustration tool, Inkscape is used for a wide range of computer graphic tasks. The variety of what can be done with Inkscape is vast and sometimes surprising. It is used to make diagrams, logos, programmatic marketing materials, web graphics, and even for paper scrapbooking. People also draw game sprites, produce banners, posters, and brochures. Others use Inkscape to draft web design mockups, detail layouts for printed circuit boards, or produce outline files to send to laser cutting equipment. Read more