The Linux Foundation has released a document outlining ways in which the UEFI secure boot specification can be used to support the installation of Linux and other open operating systems on UEFI-enabled hardware. As long as hardware vendors set up their systems in the proper way, UEFI should be no obstacle to using Linux or other alternate operating systems on forthcoming systems, the authors say.
UEFI is an alternative to the BIOS firmware that currently runs on most modern PCs and acts as the low-level instruction set for the machine. The UEFI system has gained quite a bit of attention in recent months after Microsoft revealed that Windows 8 would include support for the system and that any client machine running the next version of Windows must have the secure boot process enabled by default. Microsoft is touting UEFI as a much more secure alternative to BIOS and says that it will help defend users against some of the advanced, low-level malware and rootkits that have emerged in recent years and that are able to remain persistent on infected machines after cleanings and OS reinstalls.
The revelation of the UEFI requirements from Microsoft caused a stir in the open-source community, with some advocates saying that the UEFI requirements in Windows 8 would prevent them from loading alternative operating systems on new machines. However, in the paper explaining how the system can be used by open platforms, the Linux Foundation says that’s not necessarily the case. There are ways that UEFI-enabled machines can be configured that will allow OEMs and users to install other OSes.
“To enable proper operation with open systems, all UEFI secure boot platforms should ship in setup mode, with no Platform Key installed. This enables the Platform Owner to take control of the platform securely by installing their own platform key or allowing the Operating System install process to do so,” the paper, which was written by Linux Foundation board members James Bottomley and Jonathan Corbet, says.
“The UEFI secure boot facility is designed to be readily usable by both proprietary and open operating systems to improve the security of the bootstrap process. Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but, as we have shown above, there is no need for things to be that way. If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements.”
The UEFI specification calls for the use of a platform key (PK) that is installed and controlled by the owner of the hardware, as well as key-exchange keys (KEKs) that can be installed by OEMs and OS vendors. During the boot process, UEFI will only load software and other components that have been signed by one of these keys. One of the benefits of this process is that it’s designed to prevent malware and other unwanted components from loading. But critics worry that, when it’s implemented by Microsoft in Windows 8 machines, the company will use it to prevent third-party operating systems and applications from being loaded.
Microsoft officials say that won’t be happening.
“At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision,” Microsoft’s Tony Mangefeste wrote in a blog post in September.
To help address some of the chain-of-trust issues that arise when a legitimate, alternate operating system is present on a machine and a user wants to boot it but doesn’t already have a key installed in the machine’s signature database, the Linux Foundation authors propose an interesting solution.
“We therefore propose that all the interested parties establish a Certificate Authority whose key should be placed in the UEFI firmware table by default; this authority would become responsible for handing out signed KEKs to UEFI device vendors (for their UEFI drivers), UEFI OEM platform vendors (for their firmware images) and OS vendors (for securely booting their OSs). The operation of such a CA would have to be platform- and OS-neutral and would have to adhere to the usual standards of trust and security (presumably by having a controlling board made up of representatives from the various parties), but it would solve a greater part of the driver and OS verification problem because anything signed with an unrevoked KEK traceable back to the CA root key would be automatically trusted by the UEFI firmware for secure boot,” they write.
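The key hierarchy the article describes (a platform key that the owner controls, key-exchange keys that gate changes to the signature databases, and a boot-time check that only signed images load) and the paper's recommendation that platforms ship in setup mode are easiest to see as a small model. The following example is added here for illustration; it is not code from the Linux Foundation paper, from any firmware, or from the article. It assumes a Lamport one-time signature scheme built on SHA-256 as a stand-in for the RSA/X.509 signatures real firmware uses (so it runs with the Python standard library alone), it simplifies the forbidden list `dbx` so that revocations are authorised by the PK holder, and all key names, the `Firmware` class and the boot loader bytes are constructed for the demo.

```python
"""Toy model of the UEFI secure boot variable store (PK, KEK, db, dbx).

Constructed example. The signature scheme is a Lamport one-time signature
(each private key signs exactly one message), chosen so the demo needs
only the standard library; real platforms use RSA/X.509 certificates.
"""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport keypair: 256 pairs of secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = tuple((H(a), H(b)) for a, b in sk)   # tuple so it can live in a set
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


def pk_bytes(pk) -> bytes:
    """Serialise a public key so that an enrolment request can be signed."""
    return b"".join(a + b for a, b in pk)


class Firmware:
    """Secure boot variable store plus the checks run before an image loads."""

    def __init__(self):
        self.pk = None      # Platform Key; None means the platform is in setup mode
        self.kek = set()    # Key Exchange Keys, authorised to change db
        self.db = set()     # keys whose signed images may boot
        self.dbx = set()    # hashes of images that must never boot

    @property
    def setup_mode(self) -> bool:
        return self.pk is None

    def install_pk(self, pk):
        if not self.setup_mode:
            raise PermissionError("PK already installed; platform is in user mode")
        self.pk = pk                      # platform leaves setup mode

    def enroll_kek(self, kek_pub, sig=None):
        # In setup mode the variables are writable without authentication;
        # afterwards a KEK update must carry a signature from the Platform Key.
        if not self.setup_mode and not verify(self.pk, b"KEK:" + pk_bytes(kek_pub), sig or []):
            raise PermissionError("KEK update not authorised by PK")
        self.kek.add(kek_pub)

    def enroll_db(self, signer_pub, kek_pub, sig):
        if kek_pub not in self.kek or not verify(kek_pub, b"db:" + pk_bytes(signer_pub), sig):
            raise PermissionError("db update not authorised by an enrolled KEK")
        self.db.add(signer_pub)

    def revoke_image(self, image_hash: bytes, sig):
        # Toy simplification: revocations are authorised by the PK holder.
        if not verify(self.pk, b"dbx:" + image_hash, sig):
            raise PermissionError("dbx update not authorised")
        self.dbx.add(image_hash)

    def may_boot(self, image: bytes, signer_pub, sig) -> bool:
        """The decision made before control is transferred to an image."""
        if H(image) in self.dbx:          # forbidden list wins over db
            return False
        if signer_pub not in self.db:     # signer must be enrolled
            return False
        return verify(signer_pub, image, sig)


def demo() -> dict:
    fw = Firmware()
    results = {"ships_in_setup_mode": fw.setup_mode}
    kek_sk, kek_pub = keygen()            # OS vendor's KEK, written in setup mode
    fw.enroll_kek(kek_pub)
    owner_sk, owner_pk = keygen()         # owner installs their own PK
    fw.install_pk(owner_pk)
    results["left_setup_mode"] = not fw.setup_mode
    intruder_sk, intruder_pub = keygen()  # self-signed KEK update is refused now
    try:
        fw.enroll_kek(intruder_pub, sign(intruder_sk, b"KEK:" + pk_bytes(intruder_pub)))
        results["unauthorised_kek_rejected"] = False
    except PermissionError:
        results["unauthorised_kek_rejected"] = True
    os_sk, os_pub = keygen()              # OS vendor's image-signing key enters db
    fw.enroll_db(os_pub, kek_pub, sign(kek_sk, b"db:" + pk_bytes(os_pub)))
    loader = b"constructed boot loader image v1"
    loader_sig = sign(os_sk, loader)
    results["signed_loader_boots"] = fw.may_boot(loader, os_pub, loader_sig)
    results["tampered_loader_rejected"] = not fw.may_boot(loader + b"\x90", os_pub, loader_sig)
    rogue_sk, rogue_pub = keygen()        # valid signature, but signer not in db
    results["unknown_signer_rejected"] = not fw.may_boot(loader, rogue_pub, sign(rogue_sk, loader))
    fw.revoke_image(H(loader), sign(owner_sk, b"dbx:" + H(loader)))
    results["revoked_loader_rejected"] = not fw.may_boot(loader, os_pub, loader_sig)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

Every private key in the demo signs exactly one message, which is what a Lamport key permits; the point of the model is the ordering the paper argues for, not the signature algorithm. A platform that ships with no PK lets the owner (or the OS installer) enrol a KEK and then take control by installing a PK, after which only PK-authorised KEK updates and KEK-authorised db updates are accepted, and an image boots only if its signer is in db and its hash is not in dbx.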