Trying out UEFI boot security on a recent Linux system

Hardware Platforms

All the systems we investigated allow changes to the certificate stores on which the Secure Boot process is based. For this purpose, however, you often need additional software, such as the EFI Tools, which are available under a free license. Using UEFI Setup, you can load the keys originally shipped by the manufacturer into the certificate store on all systems to revert to the initial state as defined by the manufacturer. Also, the UEFI Setup interface lets you change to the Setup mode in all cases and thus modify the certificate store.

Out of the systems we tested, only the Dell system supported targeted insertion or removal of individual certificates or hashes using UEFI Setup. For all computers, it was at least possible, however, to modify the certificate store in Setup mode using the EFI tools.

All systems provided the ability to disable Secure Boot. Furthermore, all the manufacturers provided the certificates required by the Windows Hardware Certification Requirements, including the optional Microsoft Corporation UEFI CA 2011 certificate. Some manufacturers additionally installed their own certificates.

The software pre-installed on the EFI partition is essentially no more than diagnostic software by the vendors.

The user can influence the Secure Boot functionality on any system. Users can disable Secure Boot, switch to Setup mode, and load their own key material. You can use the UEFI setup for this process. In most cases, however, you need to resort to other tools, such as EFI Tools.

Practical Test

To check the extent to which current operating systems can run on the selected hardware platforms while using Secure Boot, we performed a number of test installations on each platform. We also checked to see whether the system starts properly after installation and is thus basically functional.

If the operating system supported Secure Boot, we analyzed its implementation. If Secure Boot support was not present, we took additional steps to make the system suitable for enabling Secure Boot.

We tested the following operating systems:

  • Microsoft Windows 8 Pro
  • Red Hat Enterprise Linux 6.4
  • Ubuntu 13.04
  • Debian 7.1.0
  • Fedora 19
  • FreeBSD 9.2

Results

In spite of the relatively new technology and the comprehensive specification, Secure Boot works on all tested platforms with the operating systems we used. Starting a signed UEFI application such as a bootloader works, provided that the appropriate certificate is included in the db certificate store of the UEFI firmware. Launching such an application is denied if a suitable certificate does not exist in the certificate store. Similarly, verification of UEFI applications based on hashes works well.

Furthermore, it is possible to install and run the Windows 8 Pro, Ubuntu 13.04, and Fedora 19 operating system with Secure Boot enabled. The other operating systems we looked at  – Red Hat Enterprise Linux 6.4, FreeBSD 9.2, and Debian 7.1.0  – do not support Secure Boot and are therefore installed with Secure Boot disabled. However, we found that we could modify these systems relatively easily to support Secure Boot.

We found significant differences in how the various systems actually integrated the Secure Boot security enhancements. For instance, the security gains are low if you use Ubuntu 13.04. Although the bootloader is verified, an effective review of the kernel, including its modules, does not take place. In contrast, Fedora 19 not only verifies the bootloader but also the kernel and its modules.

FreeBSD is planning an implementation similar to the one already introduced by Fedora. Although Windows 8 Pro also performs a check of the bootloader and the kernel, an assessment of the effectiveness of protective measures is considerably more difficult than in the Linux systems we examined. The difficulty is mainly due to the complex procedure for verifying loadable kernel components such as drivers. To detect malicious software, Microsoft relies on collaboration between the kernel and anti-malware products.

The effectiveness of the protections depends on the quality of the product you use. We didn't include Microsoft's recent ELAM technology in this study because of its complexity. Furthermore, the changes listed below for Debian 7.1.0, which can also be performed on Red Hat Enterprise 6.4 and FreeBSD 9.2, only offer minor security gains. The results of these tests appear in Table 2.

Table 2

Test Results

 

Windows 8 Pro

Red Hat Enterprise Linux 6.4

Debian 7.1.0

FreeBSD 9.2

Ubuntu 13.04

Fedora 19

Is Secure Boot support in operation?

Yes

No

No

No

Yes

Yes

Is Secure Boot supported during installation?

Yes

No

No

No

Yes

Yes

Is retroactive support by Shim possible?

Yes

Yes

Yes

Effective handling of the verification chain

Bootloader, kernel (conditionally)

Shim

Shim

Shim

Shim, Grub

Shim, Grub2, kernel, kernel modules

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus