Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
UEFI Secure Boot:The story behind and where Linux standsDr. Udo SeidelLinux-Strategy @ Amadeus
LinuxTag 2013 2To my Mum
LinuxTag 2013 3Agenda● Introduction● Keys and Signatures● Linux and Opportunities● What else?● Summary
LinuxTag 2013 4Introduction
LinuxTag 2013 5Me ;-)● Teacher of mathematics & physics● PhD in experimental physics● Started with Linux in 1996● Linux/UN...
LinuxTag 2013 6Basic Input Output System● Around for a while● Insecure● Easy to hack● Executes anything● Problems with big...
LinuxTag 2013 7(U)EFI● Unified Extensible Firmware Interface● First version called EFI● HP Itanium systems● UEFI kind of E...
LinuxTag 2013 8Secure Boot● Part of UEFI Specification v2.3● Addresses BIOS security issues● Mandate by Microsoft● For Win...
LinuxTag 2013 9Keys and Signatures
LinuxTag 2013 10Trust● Parties● Platform● Firmware● Operating System● Technique● Asymmetric keys● Public one part of imple...
LinuxTag 2013 11Key master● Platform Key (PK)● Key Exchange Key (PK)● Signature database (db)● Forbidden signature databas...
LinuxTag 2013 12EFI instead of ELF● Subset of PE32 specification● Portable Executable (PE)● See also Common Object File Fo...
LinuxTag 2013 13Firmware● Legacy (CSM)● UEFI● Without Secure BootOR● With Secure Boot– Setup modus– User modus
LinuxTag 2013 14Typical scenario● Since last autumn● UEFI Secure Boot● Enabled if not even forced● Microsoft keys implemen...
LinuxTag 2013 15Linux: Options and Opportunities
LinuxTag 2013 16Options● Setup modus● Replace keys● MS signed Linux bootloader
LinuxTag 2013 17Option I – Setup modus● Insecure● Not always possible● Facing backward
LinuxTag 2013 18Option II – Replace keys● Linux distribution ...● ... specific● ... independent●3rdparty support needed● T...
LinuxTag 2013 19Replacing keys – more details● X.509 certificates● Generation via openssl● Tools for EFI binary signing● M...
LinuxTag 2013 20Replacing keys – tools● pesign● sbsigntools● efitools
LinuxTag 2013 21Option III – MS signed bootloader● MS support needed● Again: Linux distribution ...● ... specific● ... ind...
LinuxTag 2013 22MS signed bootloader - Idea● Phased bootloader● Small & static● Between UEFI and Linux bootloader
LinuxTag 2013 23MS signed bootloader – Loader.efi● Linux Foundation● To enable ALL Linux bootloaders● No additional securi...
LinuxTag 2013 24MS signed bootloader – the SHIM● Originally RedHatish● First version quite static● Does not support all bo...
LinuxTag 2013 25Machine Owner● Originally from SUSE● Machine Owner Keys (MOK)● Integrated in SHIMv2
LinuxTag 2013 26Extending SB trust chain● Several certificates● Microsoft● Linux distribution● Signed bootloader● Signed k...
LinuxTag 2013 27Distributor approaches● Enterprise● In place: Ubuntu LTS● Announced: SUSE● Unknown: RedHat, Oracle● Commun...
LinuxTag 2013 28What else?
LinuxTag 2013 29ARM● UEFI Forum since 2008● More strict Microsoft mandate● UEFI ARM boards available but ...
LinuxTag 2013 30Problems● Samsung: firmware death● Toshiba: Missing keys● Lenovo: Only Windows 8 and RHEL● Microsoft: leak...
LinuxTag 2013 31Summary
LinuxTag 2013 32Take aways● Linux almost ready● In general● Enterprise sector● Opportunity not pain● Homework to be done
LinuxTag 2013 33References● http://www.uefi.org● http://mjg59.dreamwidth.org● http://blog.hansenpartnership.com● http://ww...
LinuxTag 2013 34Thank you!
LinuxTag 2013 35UEFI Secure Boot:The story behind and where Linux standsDr. Udo SeidelLinux-Strategy @ Amadeus
Upcoming SlideShare
Loading in …5
×

Lt2013 uefisb.talk

621 views

Published on

UEFI Secure Boot - The story behind and where Linux stands

Published in: Technology
  • Be the first to comment

Lt2013 uefisb.talk

  1. 1. UEFI Secure Boot:The story behind and where Linux standsDr. Udo SeidelLinux-Strategy @ Amadeus
  2. 2. LinuxTag 2013 2To my Mum
  3. 3. LinuxTag 2013 3Agenda● Introduction● Keys and Signatures● Linux and Opportunities● What else?● Summary
  4. 4. LinuxTag 2013 4Introduction
  5. 5. LinuxTag 2013 5Me ;-)● Teacher of mathematics & physics● PhD in experimental physics● Started with Linux in 1996● Linux/UNIX trainer● Solution engineer in HPC and CAx environment● Head of the Linux Strategy team @Amadeus
  6. 6. LinuxTag 2013 6Basic Input Output System● Around for a while● Insecure● Easy to hack● Executes anything● Problems with big disks
  7. 7. LinuxTag 2013 7(U)EFI● Unified Extensible Firmware Interface● First version called EFI● HP Itanium systems● UEFI kind of EFI NG● Replaces BIOS● Emulates BIOS● See talk from Thorsten Leemhuis
  8. 8. LinuxTag 2013 8Secure Boot● Part of UEFI Specification v2.3● Addresses BIOS security issues● Mandate by Microsoft● For Windows 8● Not only x86● See keynote from Matthew Garrett
  9. 9. LinuxTag 2013 9Keys and Signatures
  10. 10. LinuxTag 2013 10Trust● Parties● Platform● Firmware● Operating System● Technique● Asymmetric keys● Public one part of implementation
  11. 11. LinuxTag 2013 11Key master● Platform Key (PK)● Key Exchange Key (PK)● Signature database (db)● Forbidden signature database (dbx)● Signed EFI executables
  12. 12. LinuxTag 2013 12EFI instead of ELF● Subset of PE32 specification● Portable Executable (PE)● See also Common Object File Format (COFF)● PE/COFF header● Optional part● List of pointers● Signatures tailing file
  13. 13. LinuxTag 2013 13Firmware● Legacy (CSM)● UEFI● Without Secure BootOR● With Secure Boot– Setup modus– User modus
  14. 14. LinuxTag 2013 14Typical scenario● Since last autumn● UEFI Secure Boot● Enabled if not even forced● Microsoft keys implementedLinux locked out ?!?
  15. 15. LinuxTag 2013 15Linux: Options and Opportunities
  16. 16. LinuxTag 2013 16Options● Setup modus● Replace keys● MS signed Linux bootloader
  17. 17. LinuxTag 2013 17Option I – Setup modus● Insecure● Not always possible● Facing backward
  18. 18. LinuxTag 2013 18Option II – Replace keys● Linux distribution ...● ... specific● ... independent●3rdparty support needed● Tools needed
  19. 19. LinuxTag 2013 19Replacing keys – more details● X.509 certificates● Generation via openssl● Tools for EFI binary signing● Multi O/S configuration tricky
  20. 20. LinuxTag 2013 20Replacing keys – tools● pesign● sbsigntools● efitools
  21. 21. LinuxTag 2013 21Option III – MS signed bootloader● MS support needed● Again: Linux distribution ...● ... specific● ... independent● Bootloader maintenance?
  22. 22. LinuxTag 2013 22MS signed bootloader - Idea● Phased bootloader● Small & static● Between UEFI and Linux bootloader
  23. 23. LinuxTag 2013 23MS signed bootloader – Loader.efi● Linux Foundation● To enable ALL Linux bootloaders● No additional security● Recently reworked● Helper tools● Preloader.efi● Hashtool.efi
  24. 24. LinuxTag 2013 24MS signed bootloader – the SHIM● Originally RedHatish● First version quite static● Does not support all bootloaders● Yes: eLILO, GRUB, GRUB2● No: Gummiboot, efilinux
  25. 25. LinuxTag 2013 25Machine Owner● Originally from SUSE● Machine Owner Keys (MOK)● Integrated in SHIMv2
  26. 26. LinuxTag 2013 26Extending SB trust chain● Several certificates● Microsoft● Linux distribution● Signed bootloader● Signed kernel core binary● Signed kernel modules● ..?!?
  27. 27. LinuxTag 2013 27Distributor approaches● Enterprise● In place: Ubuntu LTS● Announced: SUSE● Unknown: RedHat, Oracle● Community● In place: Ubuntu, Fedora, openSUSE, ...● Announced: ...● Unknown: Debian and derivatives
  28. 28. LinuxTag 2013 28What else?
  29. 29. LinuxTag 2013 29ARM● UEFI Forum since 2008● More strict Microsoft mandate● UEFI ARM boards available but ...
  30. 30. LinuxTag 2013 30Problems● Samsung: firmware death● Toshiba: Missing keys● Lenovo: Only Windows 8 and RHEL● Microsoft: leaked keys
  31. 31. LinuxTag 2013 31Summary
  32. 32. LinuxTag 2013 32Take aways● Linux almost ready● In general● Enterprise sector● Opportunity not pain● Homework to be done
  33. 33. LinuxTag 2013 33References● http://www.uefi.org● http://mjg59.dreamwidth.org● http://blog.hansenpartnership.com● http://www.sxc.hu
  34. 34. LinuxTag 2013 34Thank you!
  35. 35. LinuxTag 2013 35UEFI Secure Boot:The story behind and where Linux standsDr. Udo SeidelLinux-Strategy @ Amadeus

×