
Re: the ghost of UEFI and Micr0$0ft

Hello Doug,

Doug <dmcgarrett@optonline.net> wrote:
> I read the referenced post.  It looks to me like Fedora will boot
> without hassle, because they paid off Microsoft, and obtained a key,
> but everything else, not having a key, will not.

Yes. More precisely, they want to get a small piece of software
signed by Microsoft, so that the computer will boot this small piece
of software. It will then continue to load a Fedora-signed Grub,
which loads a Fedora-signed kernel, which only loads Fedora-signed

> If I don't understand
> it, then please explain in plain words how one could boot anything
> else without modifying the BIOS.

‘Modifying the BIOS’ only includes changing settings within the BIOS,
not flashing/upgrading the BIOS. It is comparable to changing the
boot device or something like that.

> If you can boot anything without a
> key, then what is different than what we have now?

You will have to disable secure boot or add the key used to sign the
bootloader to your computer.

> (I don't care
> about modifying the BIOS, and so far I have not heard of a virus
> that attacks Linux, but I'm aware that it is possible--just not worth
> anyone's trouble to write, for such a small installed base.)

The problem here is that ‘we’ want a chain of trust from the BIOS to
the desktop, so that malware cannot infect the kernel before it
loads[1]. This means that the BIOS/UEFI must only load stuff that is
deemed ‘safe’, which in turn - obviously - should only load other
stuff that is also safe [2]. Hence, a Linux distribution that wants
to boot by default from such devices must get signed by a key that is
contained within the UEFI by default - for example, Microsoft’s [3].

In any case, the key point to remember is:
a) You can turn off secure boot completely.
b) Secure boot allows you to control more closely what software runs
   on your computer [4].
c) By reducing the possibilities to attack Windows [5], you also help
   to reduce spam, DDoS attacks etc.

Best regards,


[1] This happens with Windows at the moment and is also a possibility
with Linux - maybe not on the botnet-scale, but imagine someone
changing the installed kernel on your computer’s unencrypted boot
device to a malicious kernel that tries to send the passphrase for
the encrypted hard drive to the attacker.
[2] This will be: Grub, the Linux kernel and Linux kernel modules.
These are all signed by Fedora (in their release), but they want to
make it easy for you to build your own secure-boot kernels and grubs:
Lower stages will accept any key contained within the UEFI key store
(such as those you add yourself).
[3] The alternative would have been to either get manufacturers to
include a Red Hat key (easy, but not fair for other distributions) or
set up an independent foundation. However, auditing and signing code,
handling of revocations etc. is probably more expensive than $99.
[4] You can/should be able to remove all keys from the UEFI key store
and then add only your own: This way, only software signed by _you_
will boot off your computer.
[5] Windows cannot defend itself against software that was loaded
before Windows took over (neither can Linux).
No amount of careful planning will ever replace dumb luck.
http://chubig.net                          telnet nightfall.org 4242

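To make the chain-of-trust and key-store points in this message concrete, here is an added example (not code from the thread, from shim, or from Fedora) that models the boot chain in Python: a toy RSA signature stands in for the real Authenticode checks, and the key pairs, stage names and payload bytes are all constructed for the illustration.

```python
"""Toy model of the Secure Boot chain of trust described in the thread.
Constructed example, not shim's or Fedora's code: textbook RSA on small
hard-coded primes (no real security) stands in for Authenticode/X.509 so
that the firmware side holds only public keys, as real firmware does."""
import hashlib

def make_key(p, q, e=17):
    """Return (public, private) toy RSA pair; p, q prime, gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(payload, n):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def sign(private, payload):
    n, d = private
    return pow(_digest(payload, n), d, n)

def verify(public, payload, sig):
    n, e = public
    return pow(sig, e, n) == _digest(payload, n)

def boot(db, chain):
    """Walk the chain as the firmware would. Each entry is (name, code,
    signature, keys-it-embeds-for-later-stages); a stage loads only if its
    signature verifies under a key in the firmware key store ('db') or one
    carried by an already-loaded stage. Returns the names of stages that ran."""
    trusted, loaded = list(db), []
    for name, payload, sig, trusts in chain:
        if not any(verify(k, payload, sig) for k in trusted):
            break  # unknown signer: refuse to load; nothing after it runs
        loaded.append(name)
        trusted += trusts  # e.g. shim hands the distribution's key to grub
    return loaded

# Three signers (constructed keys): the key shipped in firmware, the distribution, the owner.
MS_PUB, MS_PRIV = make_key(65521, 65537)
DISTRO_PUB, DISTRO_PRIV = make_key(7907, 7919)
OWNER_PUB, OWNER_PRIV = make_key(104723, 104729)

def scenario(owner_key_enrolled):
    """Firmware-key-signed shim -> distro-signed grub -> kernel the owner built."""
    shim, grub, kernel = b"shim.efi", b"grubx64.efi", b"vmlinuz-custom"
    chain = [("shim", shim, sign(MS_PRIV, shim), [DISTRO_PUB]),
             ("grub", grub, sign(DISTRO_PRIV, grub), []),
             ("kernel", kernel, sign(OWNER_PRIV, kernel), [])]
    # Footnotes [2]/[4]: enrolling the owner's key in 'db' is what lets it boot.
    db = [MS_PUB] + ([OWNER_PUB] if owner_key_enrolled else [])
    return boot(db, chain)
```

With the owner's key absent from the store the walk stops after grub and the self-built kernel is refused; once it is enrolled, all three stages load.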