Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Thread beginning with comment 490793
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[5]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 15:59 UTC in reply to "RE[4]: Bootloader anyone ?"
Alfman
Member since:
2011-01-28

lemur2,

"The reason why I said that 'that the keys will be stored in secure storage on the motherboard', plural of keys, is that as far as I know UEFI Secure boot can handle multiple different keys."

Where did you learn this? I can't find any information saying that multiple keys (hardcoded or not) will be supported?

Reply Parent Score: 2

RE[6]: Bootloader anyone ?
by Neolander on Mon 26th Sep 2011 16:59 in reply to "RE[5]: Bootloader anyone ?"
Neolander Member since:
2010-03-08

From UEFI spec 2.3.1, Section 27.5 "Firmware/OS Key Exchange: creating trust relationships", there is only a single "Platform Key", which the "platform owner" (= OEM, I guess) uses to sign authorized bootable code. Once an OS is booted, it can add extra "Key Exchange Keys", which it entrusts, to the public key database.

PS : Speaking of EFI, am I the only one annoyed by the way it mandates use of Microsoft's executable formats for loadable binaries ?

Edited 2011-09-26 17:14 UTC

Reply Parent Score: 1

RE[7]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 17:32 in reply to "RE[6]: Bootloader anyone ?"
Alfman Member since:
2011-01-28

Neolander,

Thank you for the info. From what I understand though, the KEKs are just intermediate keys for use by the operating system (for example, to maintain blacklists which cannot be tampered with by the user). In particular, the KEKs need to be signed by the PK and are merely extending it's chain of trust rather than establishing an alternate chain of trust.

http://lwn.net/Articles/447381/

"Before a PK is loaded into the firmware, UEFI is considered to be in setup mode, which allows anyone to write a PK to the firmware. Writing the PK switches the firmware into user mode. Once in user mode, PKs and KEKs can only be written if they are signed using the private portion of the PK, though KEKs can be freely written during setup mode. Essentially, the PK is meant to authenticate the platform owner, while the KEKs are used to authenticate other components, like operating systems."


So I guess the answer to my stated question is yes, there are multiple keys. But the answer to what I was actually thinking is no, there will be no support for multiple authorities.

Reply Parent Score: 2

RE[6]: Bootloader anyone ?
by lemur2 on Mon 26th Sep 2011 23:10 in reply to "RE[5]: Bootloader anyone ?"
lemur2 Member since:
2007-02-17

lemur2, "The reason why I said that 'that the keys will be stored in secure storage on the motherboard', plural of keys, is that as far as I know UEFI Secure boot can handle multiple different keys." Where did you learn this? I can't find any information saying that multiple keys (hardcoded or not) will be supported?


http://mjg59.dreamwidth.org/5552.html

"The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable."

Reply Parent Score: 2