zlacker

[parent] [thread] 4 comments
1. Genbox+(OP)[view] [source] 2022-03-05 15:00:30
Most manufactures decided to include Microsoft's signing key into firmware. That is not something Microsoft is in control of. Pre-loaded (factory) keys are much harder for Linux as it seems every distro wants their own signing key, and from an administration perspective, that is not easy to keep track of.

Everyone can load their own signing keys into firmware. However, if you want something that "just works", Microsoft signs a package called Shim[1] that can be loaded on most computers due to the pre-loaded keys.

A relationship with Microsoft is not needed in any way or form to have Secure Boot.

[1] https://launchpad.net/ubuntu/+source/shim

replies(2): >>jart+ox >>hulitu+gm3
2. jart+ox[view] [source] 2022-03-05 18:16:56
>>Genbox+(OP)
What's stopping the bad guys from using that shim to boot their own code? Is there a date when the shim expires and Microsoft has to renew it?
replies(1): >>Genbox+sf1
◧◩
3. Genbox+sf1[view] [source] [discussion] 2022-03-05 23:09:20
>>jart+ox
Well, it is a chain of trusted components that are responsible for loading the next component in the chain.

UEFI with Secure Boot enabled will only load the stage 1 bootloader if it is signed with the firmware trusted certificate. We don't know if this component is malicious, we just know it is signed by the certificate.

The stage 1 bootloader (shim) will then be responsible for loading the next component (stage 2 bootloader). It will only boot the component if it is signed with a trusted (chosen by the user/distro) certificate.

The bad guys can't insert themselves into this process, as they either have to be trusted by the UEFI firmware (protected by an owner password), signed by Microsoft (to replace the shim) or be signed by the distro's certificate.

As long as the chain is unbroken it is secure.

replies(1): >>jart+Qi1
◧◩◪
4. jart+Qi1[view] [source] [discussion] 2022-03-05 23:34:52
>>Genbox+sf1
That's only possible if Microsoft signs a public key the distro owner controls and then embeds it inside a special build of their shim. In that case the distro owner can distribute any Linux Kernel they want, but they need authorization from Microsoft beforehand. Therefore you can't publish a UEFI Linux desktop without being in league with the adversary.
5. hulitu+gm3[view] [source] 2022-03-06 20:37:43
>>Genbox+(OP)
> Most manufactures decided to include Microsoft's signing key into firmware. That is not something Microsoft is in control of.

AFAIK if a manufacturer wants to sell Windows PC, it has to support secure boot.

[go to top]