Trying out UEFI boot security on a recent Linux system
Hardware Platforms
All the systems we investigated allow changes to the certificate stores on which the Secure Boot process is based. For this purpose, however, you often need additional software, such as the EFI Tools, which are available under a free license. Using UEFI Setup, you can load the keys originally shipped by the manufacturer into the certificate store on all systems to revert to the initial state as defined by the manufacturer. Also, the UEFI Setup interface lets you change to the Setup mode in all cases and thus modify the certificate store.
Out of the systems we tested, only the Dell system supported targeted insertion or removal of individual certificates or hashes using UEFI Setup. For all computers, it was at least possible, however, to modify the certificate store in Setup mode using the EFI tools.
All systems provided the ability to disable Secure Boot. Furthermore, all the manufacturers provided the certificates required by the Windows Hardware Certification Requirements, including the optional Microsoft Corporation UEFI CA 2011 certificate. Some manufacturers additionally installed their own certificates.
The software pre-installed on the EFI partition is essentially no more than diagnostic software by the vendors.
The user can influence the Secure Boot functionality on any system. Users can disable Secure Boot, switch to Setup mode, and load their own key material. You can use the UEFI setup for this process. In most cases, however, you need to resort to other tools, such as EFI Tools.
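The Setup mode and Secure Boot state discussed above are visible from a running Linux system through the SecureBoot and SetupMode variables that efivarfs exposes under /sys/firmware/efi/efivars. The following Python is an added example, not code from the article or from EFI Tools; it assumes the efivarfs layout (a little-endian 32-bit attribute word followed by the variable data) and uses constructed sample images rather than data captured from the tested machines.

```python
import os
import struct

# Added example (not from the article): read the Secure Boot state that the
# article describes (Setup mode vs. user mode, Secure Boot on/off) from the
# efivarfs files Linux uses to expose UEFI variables. Assumed layout: each file
# is a little-endian UINT32 of variable attributes followed by the data bytes.

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Attribute bits from the UEFI specification's SetVariable() definition.
ATTRIBUTE_NAMES = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}


def parse_efivar(raw):
    """Split an efivarfs file image into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs image shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def describe_attrs(attrs):
    """Return the names of the attribute bits set in an efivarfs header."""
    return [name for bit, name in sorted(ATTRIBUTE_NAMES.items()) if attrs & bit]


def flag_value(raw):
    """SecureBoot and SetupMode each carry one data byte: 1 = set, 0 = clear."""
    _attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a one-byte variable, got %d bytes" % len(data))
    return data[0]


def boot_state(secureboot_raw, setupmode_raw):
    """Classify the platform: 'setup' (certificate stores writable without a
    signed update), 'secure' (Secure Boot enforcing) or 'disabled'."""
    if flag_value(setupmode_raw) == 1:
        return "setup"
    return "secure" if flag_value(secureboot_raw) == 1 else "disabled"


def read_boot_state(efivars_dir=EFIVARS_DIR):
    """Read the live variables; 'unsupported' on a machine without UEFI variables."""
    def load(name):
        path = os.path.join(efivars_dir, "%s-%s" % (name, EFI_GLOBAL_VARIABLE_GUID))
        with open(path, "rb") as f:
            return f.read()
    try:
        return boot_state(load("SecureBoot"), load("SetupMode"))
    except FileNotFoundError:
        return "unsupported"


# Constructed sample images (attributes BOOTSERVICE_ACCESS | RUNTIME_ACCESS = 0x6,
# which firmware sets on these two read-only variables); not captured from any
# of the tested machines.
SAMPLE_SB_ON = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SB_OFF = struct.pack("<I", 0x6) + b"\x00"
SAMPLE_SM_ON = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SM_OFF = struct.pack("<I", 0x6) + b"\x00"

if __name__ == "__main__":
    print("constructed sample:", boot_state(SAMPLE_SB_ON, SAMPLE_SM_OFF))
    print("this machine:", read_boot_state())
```

A platform reporting "setup" is the state in which the EFI Tools can rewrite PK, KEK, db and dbx without a signed update, so a monitoring job that records read_boot_state() after each boot is a cheap way to notice when a machine has been left in that state.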
Practical Test
To check the extent to which current operating systems can run on the selected hardware platforms while using Secure Boot, we performed a number of test installations on each platform. We also checked to see whether the system starts properly after installation and is thus basically functional.
If the operating system supported Secure Boot, we analyzed its implementation. If Secure Boot support was not present, we took additional steps to make the system suitable for enabling Secure Boot.
We tested the following operating systems:
- Microsoft Windows 8 Pro
- Red Hat Enterprise Linux 6.4
- Ubuntu 13.04
- Debian 7.1.0
- Fedora 19
- FreeBSD 9.2
Results
In spite of the relatively new technology and the comprehensive specification, Secure Boot works on all tested platforms with the operating systems we used. Starting a signed UEFI application such as a bootloader works, provided that the appropriate certificate is included in the db certificate store of the UEFI firmware. Launching such an application is denied if a suitable certificate does not exist in the certificate store. Similarly, verification of UEFI applications based on hashes works well.
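The db store the paragraph refers to is a sequence of EFI_SIGNATURE_LIST structures, each holding either X.509 certificates or SHA-256 image digests. The Python below is an added example, not code from the article, that parses such a blob, counts the two entry kinds and checks whether a given digest is allow-listed; the efivarfs path for db and the sample database (a placeholder certificate blob and two constructed digests) are assumptions of this example.

```python
import hashlib
import os
import struct
import uuid

# Added example (not from the article): parse the db allow-list from efivarfs and
# check whether a digest is allow-listed, as in the hash-based verification the
# article describes. All sample data below is constructed, not captured.

EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (UINT32s, little-endian).
_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, signature_bytes) for each entry in a db/dbx blob."""
    off = 0
    while off < len(data):
        if off + _LIST_HDR.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < _LIST_HDR.size + hdr_size or end > len(data) or sig_size <= 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _LIST_HDR.size + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])        # SignatureOwner
            yield sig_type, owner, data[pos + 16:pos + sig_size]  # SignatureData
            pos += sig_size
        off = end


def summarize(data):
    """Count entries by type: X.509 certificates, SHA-256 image digests, other."""
    counts = {"x509": 0, "sha256": 0, "other": 0}
    for sig_type, _owner, _sig in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            counts["x509"] += 1
        elif sig_type == EFI_CERT_SHA256_GUID:
            counts["sha256"] += 1
        else:
            counts["other"] += 1
    return counts


def digest_is_listed(data, digest):
    """True if the 32-byte digest appears as an EFI_CERT_SHA256 entry. Firmware
    compares the Authenticode hash of the PE image (what sbverify/pesign compute),
    not a plain SHA-256 of the file on disk."""
    return any(sig_type == EFI_CERT_SHA256_GUID and sig == digest
               for sig_type, _owner, sig in parse_signature_lists(data))


def read_db(efivars_dir=EFIVARS_DIR, name="db"):
    """Read the live db (or dbx) variable, dropping efivarfs' 4-byte attribute header."""
    path = os.path.join(efivars_dir, "%s-%s" % (name, EFI_IMAGE_SECURITY_DATABASE_GUID))
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST without a SignatureHeader (used for sample data)."""
    sig_size = 16 + len(entries[0])
    if any(len(e) + 16 != sig_size for e in entries):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    return _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample db: a placeholder "certificate" (not a real DER X.509 blob)
# plus two allow-listed digests, all under a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
PLACEHOLDER_CERT = b"\x30\x82" + b"\x00" * 30
ALLOWED_DIGEST = hashlib.sha256(b"constructed-image-A").digest()
UNLISTED_DIGEST = hashlib.sha256(b"constructed-image-not-in-db").digest()
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [PLACEHOLDER_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [ALLOWED_DIGEST, hashlib.sha256(b"constructed-image-B").digest()])
)

if __name__ == "__main__":
    print(summarize(SAMPLE_DB), digest_is_listed(SAMPLE_DB, ALLOWED_DIGEST))
```

Running summarize(read_db()) on a live machine gives the same per-type counts that efi-readvar prints, which makes it easy to diff the allow-list against a known-good baseline after firmware or key updates.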
Furthermore, it is possible to install and run the Windows 8 Pro, Ubuntu 13.04, and Fedora 19 operating systems with Secure Boot enabled. The other operating systems we looked at – Red Hat Enterprise Linux 6.4, FreeBSD 9.2, and Debian 7.1.0 – do not support Secure Boot and must therefore be installed with Secure Boot disabled. However, we found that we could modify these systems relatively easily to support Secure Boot.
We found significant differences in how the various systems actually integrated the Secure Boot security enhancements. For instance, the security gains are low if you use Ubuntu 13.04. Although the bootloader is verified, an effective review of the kernel, including its modules, does not take place. In contrast, Fedora 19 not only verifies the bootloader but also the kernel and its modules.
FreeBSD is planning an implementation similar to the one already introduced by Fedora. Although Windows 8 Pro also performs a check of the bootloader and the kernel, an assessment of the effectiveness of protective measures is considerably more difficult than in the Linux systems we examined. The difficulty is mainly due to the complex procedure for verifying loadable kernel components such as drivers. To detect malicious software, Microsoft relies on collaboration between the kernel and anti-malware products.
The effectiveness of the protections depends on the quality of the anti-malware product you use. We didn't include Microsoft's recent ELAM technology in this study because of its complexity. Furthermore, the changes listed below for Debian 7.1.0, which can also be performed on Red Hat Enterprise Linux 6.4 and FreeBSD 9.2, only offer minor security gains. The results of these tests appear in Table 2.
Table 2: Test Results

| | Windows 8 Pro | Red Hat Enterprise Linux 6.4 | Debian 7.1.0 | FreeBSD 9.2 | Ubuntu 13.04 | Fedora 19 |
|---|---|---|---|---|---|---|
| Is Secure Boot support in operation? | Yes | No | No | No | Yes | Yes |
| Is Secure Boot supported during installation? | Yes | No | No | No | Yes | Yes |
| Is retroactive support by Shim possible? | – | Yes | Yes | Yes | – | – |
| Effective handling of the verification chain | Bootloader, kernel (conditionally) | Shim | Shim | Shim | Shim, Grub | Shim, Grub2, kernel, kernel modules |