You are not logged in.

#1 2012-12-01 18:37:09

srs5694
Member
From: Woonsocket, RI
Registered: 2012-11-06
Posts: 719
Website

MJG's signed Shim for UEFI Secure Boot now available

There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:

http://mjg59.dreamwidth.org/20303.html

That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.

FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

Offline

#2 2012-12-01 19:31:37

jasonwryan
Forum & Wiki Admin
From: .nz
Registered: 2009-05-09
Posts: 18,101
Website

Re: MJG's signed Shim for UEFI Secure Boot now available

Moving to GNU/Linux discussion...


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438

Online

#3 2012-12-02 21:15:14

demizer
Member
From: Santa Clara
Registered: 2010-03-03
Posts: 108
Website

Re: MJG's signed Shim for UEFI Secure Boot now available

srs5694 wrote:

FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

Are you the developer of rEFInd? If so, I have a brand new Dell XPS 13 laptop with secure boot that I can run some tests on with this shim. I want to make a HCL article on the wiki for this laptop. Yesterday I gleefully wiped windows 8 from the drive and deleted the boot list for Windows boot manager and now have it booting arch with zfs. I have secure boot off but I would like to play around with installing arch with secure boot on so I can record it somewhere in the wiki.

I am still learning about EFI as this is my first PC with UEFI. So far, it seems very nice. Secure boot, so far, is not the devil the community is making it out to be. But of course, I can disable it on my machine.

Thanks!

Last edited by demizer (2012-12-02 21:16:48)

Offline

#4 2012-12-03 02:07:43

srs5694
Member
From: Woonsocket, RI
Registered: 2012-11-06
Posts: 719
Website

Re: MJG's signed Shim for UEFI Secure Boot now available

demizer wrote:

Are you the developer of rEFInd? If so, I have a brand new Dell XPS 13 laptop with secure boot that I can run some tests on with this shim.

Yes, I'm rEFInd's maintainer. As it happens, I've just posted the first preliminary version of the program that "talks" to Shim to the rEFInd git repository. It's still source-only at the moment -- I want to do some more testing locally before releasing even a preliminary binary version. If you're familiar with building from source code, though, you could try the git version now along with Shim. You'll need to generate your own key, sign the rEFInd binary, and install it as grub.efi (yuck!). In theory, it should then launch anything signed with a UEFI key for your platform (like a Windows 8 boot loader) or anything signed with Shim's built-in key or the key you created, but not launch random other binaries.

Ultimately I'll release a version of rEFInd that's signed with my own MOK, the public version of which I'll distribute with rEFInd. I may distribute MJG's signed Shim binary along with rEFInd, or maybe even pay the $99 so I can get my own version signed that launches refind_x64.efi rather than grub.efi. I'll also adapt the installation script to set this all up automatically. For now, though, it's early days....

Offline

#5 2012-12-04 07:25:42

kristof
Member
From: Sweden
Registered: 2012-10-03
Posts: 5

Re: MJG's signed Shim for UEFI Secure Boot now available

A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.

Offline

#6 2012-12-04 16:27:40

srs5694
Member
From: Woonsocket, RI
Registered: 2012-11-06
Posts: 719
Website

Re: MJG's signed Shim for UEFI Secure Boot now available

kristof wrote:

A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.

Largely true, but:

  • Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).

  • It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.

  • To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Linux, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.

At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.

Offline

#7 2012-12-04 17:04:56

Jristz
Member
From: America/Santiago
Registered: 2011-06-11
Posts: 903

Re: MJG's signed Shim for UEFI Secure Boot now available

As far I read on the mailisting if I read correctly noone of the Dev neither TUs have a SecureBoot-UEFI Machine.
This make less probable and more buggy to implement the Shim solution in short/middle time


Well, I suppose that this is somekind of signature, no?

Offline

#8 2012-12-06 03:14:34

kristof
Member
From: Sweden
Registered: 2012-10-03
Posts: 5

Re: MJG's signed Shim for UEFI Secure Boot now available

Jristz wrote:

As far I read on the mailisting if I read correctly noone of the Dev neither TUs have a SecureBoot-UEFI Machine.
This make less probable and more buggy to implement the Shim solution in short/middle time

The shim is not the most complicated software on the planet. Even if the Arch devs can't develop it because of hardware constraints, we can.

Offline

Board footer

Powered by FluxBB