UEFI Secure Boot

What Is It?
It is a system whereby unauthorised code (such as viruses and other malware) cannot be run at boot. This should make computers more secure, but it also prevents the computer from running programs like the GRUB boot loader unless the user does some tinkering. Microsoft are pushing for OEMs to use UEFI as standard for their Windows 8 operating system.

How Does It Work?
Put simply, the UEFI firmware includes sets of cryptographic keys that allow it to recognise whether hardware drivers, operating systems and whatever else it needs have valid signatures and whether they’re allowed to run. These keys are the Platform Key (PK), which is installed by the PC maker in the system firmware during manufacturing, and the “Key-Exchange Keys” (KEKs), which are controlled by OEMs and OS vendors (Microsoft being the major pusher for UEFI) and are used to validate the OS and drivers.
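To see which state these keys leave a machine in, the following added example (not part of the original post) reads the standard UEFI variables SecureBoot and SetupMode as Linux exposes them through efivarfs. The function names and the sample files are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the UEFI global-variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Default mount point of efivarfs on Linux.
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def read_flag(efivars, name):
    """Return a one-byte UEFI variable as an int, or None if it is absent."""
    path = Path(efivars) / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    # efivarfs prepends a 4-byte attribute mask; the value is the byte after it.
    if len(raw) < 5:
        raise ValueError(f"{path}: expected 4 attribute bytes plus data, got {len(raw)}")
    return raw[4]


def secure_boot_state(efivars=EFIVARS_DIR):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    secure_boot = read_flag(efivars, "SecureBoot")
    setup_mode = read_flag(efivars, "SetupMode")
    if secure_boot is None:
        return "no UEFI variables found (legacy BIOS boot or efivarfs not mounted)"
    if setup_mode == 1:
        return "setup mode: no Platform Key enrolled, signatures not enforced"
    if secure_boot == 1:
        return "enforcing: boot code without an authorised signature is rejected"
    return "disabled: Platform Key enrolled, but Secure Boot is switched off"


def write_sample(directory, name, value):
    """Write a constructed efivarfs-style file (attributes 0x6 = boot + runtime access)."""
    payload = struct.pack("<I", 0x6) + bytes([value])
    (Path(directory) / f"{name}-{EFI_GLOBAL_GUID}").write_bytes(payload)


if __name__ == "__main__":
    print("this machine:", secure_boot_state())
    with tempfile.TemporaryDirectory() as sample:  # constructed sample, not real firmware data
        write_sample(sample, "SecureBoot", 1)
        write_sample(sample, "SetupMode", 0)
        print("constructed sample:", secure_boot_state(sample))
```

A machine reporting "setup mode" has no PK installed, so whoever enrols one first controls which KEKs the firmware will accept.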

Is This So Bad?
The main advantage of Secure Boot is that systems become much more secure, as malware that runs at boot, which even the best anti-virus program would struggle to eradicate, will no longer be able to start. However, it will make it a lot more difficult to install another (Linux-based) operating system alongside or in place of the pre-installed Windows 8 installation. Further to this, people who want to infect a user’s PC will find a way around this system just like they always do. Also, a single update that doesn’t have the correct key could render a user’s OS unbootable, as Secure Boot will not recognise it as authorised.

Others’ Views
The Linux Foundation (LF) and Red Hat/Canonical (RH/C) have produced documents outlining their views on Secure Boot. RH/C want there to be an ability to disable Secure Boot restrictions in order to keep Linux running on such a vast range of hardware. LF and RH/C would like the ability to add new KEKs to the firmware, which would allow operating systems other than Windows 8 to be booted while still satisfying the requirements for the coveted and lucrative Windows logo.

You can read both PDF documents at the following locations:
www.linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms
http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf

Conclusion
UEFI is a very good security feature that will enhance the safety of a user. However, unless the conditions RH/C and LF set out are added/utilised, it is feasible that PCs could become closed systems, where the only way to get the OS you want is to buy all the components and build a machine yourself. Which may not be a terrible thing anyway.
