Dons Deals


Monday, 31 December 2012

Secure Boot Bootloader for Linux Distributions Available Now

Posted on 08:26 by Unknown
I've been waiting and hoping for this to happen for about a year now. So, this is very good news to me. I've been running Fedora and Debian Linux as my main OSes since 2005, as well as many other rescue Linux distros, when I work on restoring broken Windows systems, data recovery, etc. And I sure didn't want to be stuck using old hardware forever! Or have to change to a Linux distro that I really don't care for (Ubuntu etc). Fedora has decided to buy keys from Microsoft. So, I'm good there, for now. But, what about all of the other, smaller Linux distros that I use? So, indeed... This is very good news to me! :) I'm a bit behind in finding out. About a month or so. But, that's ok. I'm not quite ready to buy that new hardware yet anyway. Check out and download mjg59's Secure Boot bootloader for distributions, available now...

Don

Handling UEFI Secure Boot in smaller distributions

Oct. 7th, 2012 04:06 pm
mjg59

The plan for supporting UEFI Secure Boot in Fedora is still pretty much as originally planned, but it's dependent upon building a binary which has the Fedora key embedded, and then getting that binary signed by Microsoft. Easy enough for us to do, but not necessarily practical for smaller distributions. There are a few possible solutions for them.

  • Require that Secure Boot be disabled

    Not ideal. The UI for doing this is going to vary significantly between machines, making it difficult to document. It also means that the security benefits of Secure Boot are lost.

  • Require that the machine be placed in Setup Mode

    Clearing the enrolled Platform Key results in the system transitioning into Setup Mode, and from then on new keys can be enrolled into the key database until a new Platform Key is enrolled. Distributions could ship an unsigned bootloader that then writes the distribution keys into the database - James Bottomley has an example here. This means that the distribution can still benefit from Secure Boot, but otherwise has the same downside that the UI for doing this will vary between machines.

  • Ship with a signed bootloader that can add keys to its own database

    This is more interesting. Suse's bootloader design involves the bootloader having its own key database, distinct from those provided by the UEFI specification. The bootloader will execute any second stage bootloaders signed with a key in that database. Since the bootloader is in charge of its own key enrolment, the bootloader is free to impose its own policy - including enrolling new keys off a filesystem.

I've taken Suse's code for key management and merged it into my own shim tree with a few changes. The significant difference is a second stage bootloader signed with an untrusted key will cause a UI to appear, rather than simply refusing to boot. This will permit the user to then navigate the available filesystems, choose a key and indicate that they want to enrol it. From then on, the bootloader will trust binaries signed with that key.

Read More...
http://mjg59.dreamwidth.org/17542.html



Secure Boot bootloader for distributions available now

Nov. 30th, 2012 07:51 pm
mjg59

I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

Read More...
http://mjg59.dreamwidth.org/20303.html
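The media layout and key steps from the post above, as an added example that is not code from mjg59's post or from the shim project: it generates a vendor key, writes the DER public half that "Enroll key from disk" expects, lays out /EFI/BOOT with the required file names, and pre-checks the result. The subject name and 10-year validity are constructed; it assumes openssl is installed, and sbsign/sbverify from sbsigntools for the signing step.

```shell
#!/bin/sh
# Added example, not from mjg59's post or the shim project: build the
# /EFI/BOOT layout the post describes and a vendor key shim can enrol.
# Assumes openssl; sbsign/sbverify (sbsigntools) only for sign_grub.
set -eu

# Generate a vendor signing key and self-signed certificate (constructed
# subject, 10-year validity), plus the binary DER copy MokManager reads.
make_vendor_key() {
  outdir=$1
  mkdir -p "$outdir"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Distro Secure Boot Key" \
    -keyout "$outdir/vendor.key" -out "$outdir/vendor.pem" 2>/dev/null
  # "Enroll key from disk" wants DER, not PEM.
  openssl x509 -in "$outdir/vendor.pem" -outform DER -out "$outdir/vendor.der"
}

# Sign the second-stage bootloader with the vendor key so shim trusts it
# once vendor.der has been enrolled, then verify the signature. Needs a
# real PE binary as input; sbsign will reject anything else.
sign_grub() {
  sbsign --key "$1/vendor.key" --cert "$1/vendor.pem" --output "$3" "$2"
  sbverify --cert "$1/vendor.pem" "$3"
}

# Lay out the install media as the post describes: shim renamed to
# bootx64.efi, MokManager.efi beside it, the second stage named
# grubx64.efi, and the DER certificate somewhere the user can browse to.
layout_media() {
  media=$1; shim=$2; mok=$3; grub=$4; der=$5
  mkdir -p "$media/EFI/BOOT"
  cp "$shim" "$media/EFI/BOOT/bootx64.efi"
  cp "$mok"  "$media/EFI/BOOT/MokManager.efi"
  cp "$grub" "$media/EFI/BOOT/grubx64.efi"
  cp "$der"  "$media/EFI/BOOT/vendor.der"
}

# Pre-flight check before mastering the ISO: prints "ok" when every file
# shim needs is present and the enrolment certificate parses as DER.
check_layout() {
  boot=$1/EFI/BOOT
  for f in bootx64.efi MokManager.efi grubx64.efi vendor.der; do
    [ -s "$boot/$f" ] || { echo "missing: $boot/$f"; return 1; }
  done
  openssl x509 -inform DER -in "$boot/vendor.der" -noout >/dev/null 2>&1 \
    || { echo "vendor.der is not a DER certificate"; return 1; }
  echo ok
}
```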

Related links:

  • Matthew Garrett provided an overview of his UEFI Secure Boot "shim" workaround - Google Search
  • mjg59 | Secure Boot bootloader for distributions available now
  • Shimming your way to Linux on Windows 8 PCs | ZDNet
  • Index of /~mjg59/shim-signed
  • mjg59 | Handling UEFI Secure Boot in smaller distributions
