Nathaniel McCallum of Red Hat has an interesting blog post about UEFI boot loaders, and security issues.
See the FOSDEM slides for some of the features listed in the Phoronix article.
Here’s one interesting presentation for the upcoming OpenIoT and Embedded Linux Conference:
Marrying U-Boot, uEFI and grub2 – Alexander Graf, SUSE
Booting is hard. Booting in the ARM world is even harder. State of the art are a dozen different boot loaders that may or may not deserve that name. Each gets configured differently and each has its own pros and cons. As a distribution this is a nightmare. Configuring each and every one of them complicates code that really should be very simple. To solve the problem, we can just add another layer of abstraction (grub2) on top of another layer of abstraction (uEFI) on top of another layer of abstraction (u-boot). Follow me on a journey on how all those layers can make life easier for the distribution and how much fun uEFI really is. After this talk, you will know how ARM systems boot, what uEFI really means, how uEFI binaries interact with firmware and how this enables convergence of the Enterprise and Embedded markets.
Alexander Graf, KVM Wizard, SUSE
Alexander started working for SUSE about 8 years ago. Since then he worked on fancy things like SUSE Studio, QEMU, KVM and openSUSE on ARM. Whenever something really useful comes to his mind, he tends to implement it. Among others he did Mac OS X virtualization using KVM, nested SVM, KVM on PowerPC and a lot of work in QEMU for openSUSE on ARM. He is the upstream maintainer of KVM for PowerPC, QEMU for PowerPC and QEMU for S390x.
What’s Hiding Inside the GNU Boot Loader? Searching for Bugs in Grub
PVS-Studio analyzer continues to explore and adapt to the Linux platform. Today we will take a look at the bugs that the tool managed to find in the Grub boot loader. In this article, we will talk about the results of analysis of the boot loader for Unix-like operating systems, known as Grub. This program was developed by Erich Boleyn and comes as part of the GNU Project. GRUB is a reference boot loader implementation compliant with the Multiboot specification and is able to boot any compliant operating system. The Grub project is written in C and has been already checked by other analyzers, including Coverity, so you wouldn’t expect to find any unchecked code fragments in a project like that. PVS-Studio analyzer, however, did manage to catch a few interesting bugs. […]
Interesting new project. I wish most modern Linux distros let you control keys in ways like this. Check out the entire web page on Github, nice read for Linux/UEFI even if you don’t plan on using cryptboot.
Encrypted boot partition manager with UEFI Secure Boot support
With encrypted boot partition, nobody can see or modify your kernel image or initramfs. GRUB boot loader supports booting from encrypted boot partition, but you would be still vulnerable to Evil Maid attacks. One possible solution is to use UEFI Secure Boot. Get rid of preloaded Secure Boot keys (you really don’t want to trust Microsoft and OEM), enroll your own Secure Boot keys and sign GRUB boot loader with your keys. Evil maid would be unable to boot modified boot loader (not signed by your keys) and whole attack is prevented. cryptboot simply makes this easy and manageable.
* Linux (x86_64)
* UEFI firmware with enabled Secure Boot
* separate /boot partition encrypted with LUKS
* grub (grub-efi on Debian based distributions)
And this article points out something else crazy: “but current TrustedGRUB2 doesn’t even support UEFI yet.“
‘Enterprise’ is the name of a UEFI boot loader that is meant to boot 1 or more Linux ISOs off a USB thumbdrive. The last release was back in 2015, but there is recent Github code activity. SevenBits created ‘Enterprise’, in addition to ‘Mac Linux USB Loader’, which sets up a bootable USB with Enterprise.
Enterprise (named after the Starship Enterprise from Star Trek) is an EFI program that is designed to assist in booting Linux distributions from USB sticks on UEFI-based PCs and Macs, something that is continously regarded as being near to impossible due to quirks in vendors’ EFI implementations and really quite poor support from Linux distributions. Using Enterprise, you can create bootable USB drives that boot on a UEFI-based computer without needing rEFIt or rEFInd to be installed. Originally designed to compliment ‘Mac Linux USB Loader’, Enterprise can also be used on its own to boot Linux on a variety of UEFI-based PCs and Macs. The purpose of Enterprise is as the first stage in a two-stage booting process for ‘Mac Linux USB Loader’-created USB drives. Enterprise is a custom UEFI boot manager designed to load Linux distributions, even those without UEFI booting support, directly from ISO files on UEFI-based computers. Enterprise provides an easy-to-use and simplistic interface that automates many of the tasks necessary to boot distributions of Linux from an ISO file. Enterprise supports booting multiple distributions, so you can have more than one distribution per USB stick and multiple configurations for each distribution. Enterprise requires a configuration file telling it about which distributions it should load. This configuration file is created automatically when you use tools like Mac Linux USB Loader, though it is possible to write your own file and configure Enterprise as one would configure other boot managers such as GRUB, gummiboot, and syslinux, albeit much more simply. Enterprise is under the LGPL; it pulls in code from other software projects (namely, gummiboot). It is written in portable C, and can be compiled to run on both 32-bit and 64-bit EFI firmware types.
Get ready to test your Intel x86 systems!
Megha Dey of Intel submitted an 8-part patch to LUV that enables it to build on x86.
LUV has been useful for 64-bit x64 systems, and now is getting useful for 32-bit x86 systems!
Including 32-bit versions of BITS and CHIPSEC!
Is this the first time that pre-compiled binaries of CHIPSEC for x86 systems have been available? Not sure. Anyway, if you build from source you can start now, otherwise, look for the LUV-live binary download site to start having 32- and 64-bit versions, hopefully
Excerpt from part 0 of the patch:
[PATCH 0/8] Build and run LUV on 32 bit platforms
Currently LUV can be built only for 64 bit target platforms. This patchset contains patches which make sure that LUV can be compiled and run on both 32 as well as 64 bit target platforms. This required reworking of the PE header checks, adding call wrappers used by the shim bootloader to store and restore context, making sure chainloader.c compiled for 32 bit systems, adding support to ensure correct direct directory structure for 32 bit case and removing bugs in chipsec so that it could build without any erros on 32 bit systems. Also, the bits recipe is updated to build the grub EFI image only for target builds.This patchset addresses the following issue:
grub: chainloader: shim: rework PE header checks
grub: shim: Add call wrappers for 32 bit systems
grub: shim: compile chainloader.c for 32bit system
luv : Correct directory structure for 32 bit case
luv: Add the ARCH parameter to chipsec Makefile
luv: chipsec : compile for 32 bit systems
bits: only build grub EFI image for target builds
bits: grub: specify location of images and modules for mkimage