Trying out UEFI boot security on a recent Linux system
With Your Own Keys
The following section shows how to install and configure Debian 7.1.0 in a dual Secure Boot environment alongside Windows 8 Pro. The intent is for the Debian system to be operational, independent of certificates by Microsoft, with Secure Boot enabled and without affecting the operability of Windows 8 Pro. We do not want either of the two systems to be able to modify the UEFI certificate store.
Once installation of the operating systems is completed successfully, the bootloader on the Debian system needs to be signed or its hash added to the db certificate store. Signing the installed bootloader, however, would entail a significant disadvantage: When the system updates the bootloader, it does not have a valid signature or the hash is invalid, which means subsequent boot operations will fail. For this reason, we create another bootloader, which we call the Secure Boot preloader. We change the system configuration so that the Secure Boot preloader is executed by the UEFI firmware instead of the bootloader, which is set up during the installation of Debian. The Secure Boot preloader then loads the original bootloader without any further validation. As a result, only the preloader has to be signed. To set up the Secure Boot preloader, you can use the commands in Listing 1.
Listing 1
Creating a Preloader
Afterward, you need to sign the Secure Boot preloader with:
sbsign --key db.key --cert db.pem.crt/boot/efi/EFI/debian/secure-boot-preloader.efi
The sbsign
tool takes care of signing the bootloader; sbsign
comes with the sbsigntools
toolbox.
This command assumes the private key used for signing UEFI applications resides in the db.key
file and that the associated certificate resides in db.pem.crt
. The signing step should not take place on the affected system itself, but in a safe working environment, to keep the private key secure.
After setting up the bootloader, you need to modify the certificate store of the UEFI firmware. We used the EFI tools to modify the certificate store. To this end, you need to create a bootable USB stick containing the efitools package. A suitable image is provided by the author of efitools [2]. You can use the tool dd
to copy it to a USB stick then convert both the Microsoft Windows Production PCA 2011 certificate and the keys belonging to your own key material (PK, KEK, db) to a format that the UEFI firmware can process. The cert-to-efi-sig-list
command from the EFI Tools handles this conversion.
To make the changes to the certificate store, you now need to switch the Secure Boot system on the platform to Setup mode using UEFI Setup. The exact procedure for switching to Setup mode is platform specific.
After that, boot from the prepared USB stick. In the UEFI shell, enter the following commands to launch KeyTool. KeyTool provides a rudimentary text-based interface for modifying the UEFI certificate store:
fs0: cd EFI cd BOOT KEYTOOL.EFI
The menu item Edit Keys
opens a submenu that lets you modify the PK, KEK, db, dbx, and MOK list certificate stores as follows:
- MOK list – Remove any existing certificates and hashes.
- db – Remove any existing certificates and hashes; add the Microsoft Windows Production PCA 2011 certificate. Add your own certificate for signing UEFI applications. Alternatively, you can add a hash of the bootloader.
- dbx – No changes necessary.
- KEK – Remove any existing certificates and hashes; add your own KEK certificate.
- PK – Add the certificate for your own platform keys.
Note that the modification of the PK certificate store must be the last step, in that adding a platform key quits Setup mode and changes to User mode. Subsequent manipulation of the certificate store is then only possible using signed updates or deleting the platform keys with UEFI Setup. After this step, you can launch Debian with Secure Boot enabled.
Conclusions
The UEFI implementations of the platforms we investigated faithfully kept to the Secure Boot specification – or at least to the extent we investigated in this article. The Microsoft Windows Production 2011 PCA certificate required by Microsoft as part of Windows Hardware Certification Program and the optional Microsoft Corporation UEFI CA 2011 certificate are provided by all the PC vendors we investigated. The UEFI CA 2011 certificate basically ensures the functionality of operating systems from vendors other than Microsoft with Secure Boot enabled.
Many current operating systems, such as Windows 8 Pro, Ubuntu 13.04, and Fedora 19 already provide support for Secure Boot. The actual security benefit, however differs strongly among the operation systems we investigated. The investigated operating systems that do not natively support Secure Boot – more specifically, Debian 7.1.0 and Red Hat Enterprise Linux 6.4 – can be talked into running with Secure Boot enabled with very little effort on all investigated hardware platforms.
Secure Boot has the potential to protect a system against unauthorized tampering. Although a number of challenges exist and further measures are needed for complete protection, Secure Boot can still help the owner retain sovereignty over the IT system.
Another strength of Secure Boot is that the owner of the IT system can decide which specific protection measures they want to implement. Users can therefore create custom security solutions and optimize the overhead to security ratio.
One major disadvantage of Secure Boot is that you absolutely need UEFI. Developers currently have very little practical experience with security for UEFI-compatible firmware. Thus, there is a real risk that the potential safety benefits of Secure Boot will be compromised by (intentional or unintentional) implementation errors in the firmware. In particular, the flexible extensibility and the feature scope give manufacturers an easy option for implementing backdoors. Additionally, the success of any potential safety gain depends on the ability to integrate Secure Boot into the operating system. Although Secure Boot is freely configurable on all the platforms we investigated, future implementations might restrict this ability and bind devices to a vendor's software.
Acknowledgement
The study described in this article was conducted as part of a project for Germany's Federal Office for Information Security.
Infos
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.