Language Selection

English French German Italian Portuguese Spanish

Why UEFI secure boot is difficult for Linux

Filed under
Linux

I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit.

Secure boot requires that all code that can touch hardware be trusted

Right now, if you can run unstrusted code before the OS then you can subvert the OS. Secure boot gives you a mechanism for making sure you only run trusted code, which protects against that. So your UEFI drivers have to be signed, your bootloader has to be signed, and your bootloader must only load a signed kernel. If you've only booted trusted code then you know that your OS is safe. But, unlike trusted boot, secure boot provides no way for you to know that only trusted code was executed. That has to be ensured by OS policy.

Rest here




More in Tux Machines

Intel's Latest Linux Graphics Code Competes Against OS X 10.9

Tests I carried out last month with a Haswell-based Apple MacBook Air showed Linux largely smashing OS X 10.9 with the latest open-source graphics driver code on Linux over Apple's OpenGL driver. Today I'm testing the latest OS X 10.9.4 state against the newest Linux kernel and Intel Mesa driver code on Ubuntu while this time using an older Sandy Bridge era Apple Mac Mini. Read more

Raspberry Pi powered juggling performance

Flashing pins are spinning tens of feet into the air on a pitch dark stage. It's a juggling performance. All of the pins are perfectly synchronized to flash different colors in time to the music. It's part of the magic of theater and a special night out with friends to enjoy a distraction from daily life. Part of the magic—and why it's called magic—is that the audience doesn't know how these secrets are made backstage. Read more

Munich Reversal Turnaround, Linus on the Desktop, and Red Hat Time Protocol

Monday we reported that Munich was throwing in the Linux towel, but today we find that may not be exactly the case. In other news, Linus Torvalds today said he still wants the desktop. There are lots of other LinuxCon links and a few gaming posts to highlight. And finally today, Red Hat's Eric Dube explains RHEL 7's new time protocol. Read more

NHS open-source Spine 2 platform to go live next week

Last year, the NHS said open source would be a key feature of the new approach to healthcare IT. It hopes embracing open source will both cut the upfront costs of implementing new IT systems and take advantage of using the best brains from different areas of healthcare to develop collaborative solutions. Meyer said the Spine switchover team has “picked up the gauntlet around open-source software”. The HSCIC and BJSS have collaborated to build the core services of Spine 2, such as electronic prescriptions and care records, “in a series of iterative developments”. Read more