Language Selection

English French German Italian Portuguese Spanish

Management of UEFI secure booting

Filed under
Microsoft

The FSF have released a statement on UEFI secure boot. It explains the fundamental issue here, which isn't something as simple as "will OEMs let me install Linux". It's "Does the end user have the ability to manage their own keys".

Secure boot is a valuable feature. It does neatly deal with the growing threat of pre-OS malware. There is an incentive for it to be supported under Linux. I discussed the technical aspects of implementing support for it here - it's not a huge deal of work, and it is being worked on. So let's not worry about that side of things. The problem is with the keys.

Secure boot is implemented in a straightforward way. Each section of a PE-COFF file is added together and a hash taken[1]. This hash is signed with the private half of a signing key and embedded into the binary. When you attempt to execute a file under UEFI, the firmware attempts to decrypt the embedded hash. This requires that the firmware have a either a copy of the public half of the signing key in its key database, or for there to be a chain of trust from the signing key to a key in its key database. Once it has the decrypted hash, it generates its own hash of the binary and compares them. If they match, the binary is executed.

What happens if it doesn't match?




More in Tux Machines

Red Hat Enterprise Linux 7.1 Officially Released with Support for Linux Containers

Red Hat was proud to announce earlier today, March 5, the availability of the first maintenance release of its Red Hat Enterprise Linux 7 operating system for computers, used in numerous enterprises worldwide. Red Hat Enterprise Linux 7.1 contains a great amount of bug fixes and improvements over the previous release, as well as various new features. Read more Also: iSER target should work fine in RHEL 7.1

Help: Linux to the rescue of older operating systems

As you know, when someone offers free stuff, we give it a few weeks in order to give each group, organization or individual in need a chance to respond. That’s what we’ll do with Mary Greenfield’s generous offer to donate free fabric, so give it another week and then we’ll forward responses to her. One of the most rewarding aspects of writing this column is realizing that it generates discussion, and here’s a response to that question about updates for an older computer running Windows ME... Read more

Open source used to manage Figueres’ environment

The Spanish town of Figueres is relying on free and open source software to help manage its urban and natural environment. Fisersa Ecoserveis, an environmental company, is using a range of open source solutions to create, update and manage interactive geographic maps, used for monitoring and planning the city’s green spaces. Read more

I/O-rich SBC runs Linux on Cortex-A9 Sitara SoC

MYIR launched a “Rico” SBC for TI’s Cortex-A9 AM437x SoC, with an open Linux BSP, 4GB of eMMC flash, and coastline GbE, HDMI, and USB host and device ports. Read more