News

Linux Community Offers Secure Boot Ideas

• By Kurt Mackie
• 10/31/2011

The Linux Foundation, along with Red Hat and Canonical, has staked out positions on how the so-called "secure boot" procedure should be implemented in computer firmware.

Their positions were described in two recently published white papers this month. Secure boot is a procedure for firmware in devices that's part of the Unified Extensible Firmware Interface (UEFI) specification. The UEFI standard is already used in all ARM-based processors. While BIOS still predominates in the firmware of new x86 PCs, Microsoft is looking to tap the potential security benefits of UEFI in future Windows 8 PCs and devices. Microsoft's comments about embracing secure boot at its Build developer conference in September caused an open source Linux community backlash of sorts.

While secure boot is optional to use, as described in the UEFI spec, Microsoft wants it to be required by default in new PCs and devices sold that run Windows 8. It will be required of system vendors as part of the Windows 8 logo program.

If Microsoft's requirement stands, the Linux community fears that Linux might be prevented from running on such PCs or devices because the firmware won't recognize the Certificate Authority of the Linux OS. Secure boot potentially offers benefits to users by preventing "bootkits" or rootkits from cloaking system modifications, but the Linux Community feels that Microsoft's insistence on requiring it will cut them off. Firmware vendors will just produce for the bulk device market dominated by Windows, and will ignore support for Linux, they contend.

"Unfortunately, Microsoft's recommended implementation of secure boot removes control of the system from the hardware owner, and may prevent open source operating systems from functioning," according to the "UEFI Secure Boot Impact on Linux" white paper (PDF) by Red Hat and Canonical. "The Windows 8 requirement for secure boot will pressure OEMs to implement secure boot in this fashion."

Linux hobbyists will be less free to experiment and modify their Linux OSes with secure boot turned on by default, the Linux community has argued. Microsoft has countered this line of argument by pointing to a switch in the current Windows 8 developer preview that will let users turn off secure boot via the operating system, allowing Linux or any other OS to be run in a dual-boot scenario. However, this position was somewhat rejected in the Red Hat-Canonical white paper.

"If secure boot must be disabled before an alternate operating system can be booted, then those alternatives will become restricted to technically-minded users who are able to reconfigure their firmware to disable secure boot," the white paper argues. Moreover, the Linux base of nontechnical users might be diminished, it warned.

Red Hat and Canonical are recommending that secure boot "be easily disabled and enabled through a firmware configuration interface." They also want OEMs to disclose a standardized way of configuring keys in firmware. Finally, they propose shipping devices with a setup mode enabled, where the OS can install the keys and not just the firmware vendor.

The Linux Foundation's white paper, "Making UEFI Secure Boot Work With Open Platforms" (PDF), offers a similar argument to that of Red Hat and Canonical. Systems should ship with a setup mode that will enable the addition of keys to the firmware, the white paper argues.

In the future, the Linux Foundation wants an independent Certificate Authority created to issue key-exchange keys (KEKs). It also wants a firmware mechanism that would enable the booting of OSes on removable media, such as DVDs and CD ROMs.

The two white papers don't seem to be wholly on the same page. For instance, the white paper by Red Hat and Canonical expressed additional fears about lockdowns that will compel people to buy hardware or software.

"Controlling the boot environment may make it possible for software to be reliably tied to a specific piece of hardware," the white paper states. "This creates the opportunity for a 'forced obsolescence' scenario, where hardware upgrades are necessary to install future versions of system software, or vice versa."

Red Hat and Canonical also expressed fears about firmware validation being tied to applications sold through approved app stores. It could be used to ensure "recurring revenue from all end user purchases."

Time will tell whether these concerns will play out as described in the white papers. However, most computer users likely will be glad to have secure boot enabled by default given the prevalence of malware attacks against Windows systems. They also likely would favor a vetting process for applications if the end result is that the applications they use are more secure.

The Linux Foundation appears to be taking a more subdued position compared with early Red Hat arguments.

"Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but, as we have shown above, there is no need for things to be that way," the Linux Foundation's white paper concludes. "If vendors ship their systems in the setup mode and provide a means to add new KEKs to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements."