Lightly rearchitecting how we do UEFI Secure Boot on Linux so it's easier to use TPMs: https://t.co/GOtNqqgZeh
— Matthew Garrett (@mjg59) July 18, 2017
Secure Boot chain-loading bootloader (Microsoft-signed binary)
This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA. This package contains the version of the bootloader binary signed by the Microsoft UEFI CA.
I just now came across a blog post written by Peter Jones from LAST MONTH on those “Microsoft Secure Boot Golden Key” news reports that is worth reading. Peter owns the Linux shim, so he knows a bit about UEFI’s boot process.
Especially because I’ve had nearly nothing useful in this blog on this post:
Also note other articles in Peter’s blog: he makes regular canary posts about the state of his Shim code. I wish all of the boot/firmware code required all contributors to have canaries!
David Hartsock has a blog post on the state of Ubuntu Secure Boot for those who have not been paying attention to things:
Ubuntu Secure Boot Threatens All PCs
We’re all doomed! Scary, right? Well, maybe, but I should explain a bit first. […]
This is from September; I only just noticed it. 😦
Matthew Garrett has updated GRUB bootloader with support for Trusted Boot, on TPM v1 or v2 systems!
In a follow-up to the above tweet, Matthew also states:
“I need to add equivalent code to Shim now lucky me”
So I need to check if that happened, and if Debian and other distros are using this version of GRUB and Shim…
I wish somebody — Wikipedia, the Linux Foundation, the Linux kernel security wiki, the UEFI Forum, etc. — were tracking the various hardware/firmware security features of various vendors, and what system components (grub and shim in this case) had support for the various technologies, with a table of red/green boxes. Then we could more easily see things like tboot only supporting BIOS and not UEFI, etc.
Peter Jones of Red Hat has an interesting post on Linux, UEFI, Secure Boot, and Linux shim maintenance.
If you use Linux and its UEFI Secure Boot shim, you may want to read this.