"We, at SUSE, are currently working on cryptographic technology of signing both hibernation images and kexec images to allow the use of these features even in secure boot mode, without compromising the security model," Pavlik (pictured above) said, in response to queries.
Secure boot is a feature of the Unified Extensible Firmware Interface or UEFI, the replacement for the BIOS on the motherboard.
Microsoft's implementation of secure boot in Windows 8 uses cryptographic keys to authenticate the kernel that is being loaded. Microsoft has implemented secure boot and requires that it be enabled on all hardware that ships with Windows 8 pre-installed. Hence anyone who wishes to boot an image on such hardware would need to obtain a key from Microsoft.
The use of hibernation does not satisfy the secure boot security model because the image that is restored from hibernation cannot be verified. And the kexec system call allows one to replace the running kernel with a different program.
Attempts by Red Hat developers to get code into the mainline kernel that would enable a kernel running in secure-boot mode to dynamically load keys resulted in a spray by Linux creator Linus Torvalds earlier this year.
Pavlik, who has been a central figure in developing a way to boot Linux on a secure boot-enabled system, responded to other questions about secure boot at length; his edited responses are below.
iTWire: We've had secure boot out in the public space for more than six months now. Is it still regarded as a security feature or something that locks one in?
Vojtech Pavlik: There has been a lot of effort put into taming secure boot by the Linux community. What once was a clear threat to the freedom associated with the PC platform and by some perceived as the beginning of an end of hobbyist computing, has been turned into a feature that does offer some advantages.
One of the major milestones that allowed this was making the "Secure Boot Off" option a mandatory part of platforms certified for Windows 8. The other was the development and the adoption of the MOK concept, which gives the owner of the computer full control of what software they want to run, even in a secure boot environment.
Concerns and limitations still remain, though. A major one is that the UEFI CA, the central signing authority, is run by Microsoft, who, through that, exert significant control over the PC platform. Another is whether the level of protection that secure boot adds is worth the limitations it imposes on the system.
Linux distributions are still struggling to live with Windows 8. Secure boot may be over as a hurdle for some, but to install something easily is still not possible. When do you see this changing?
I can't talk about other distributions, obviously. openSUSE 13.1 will share the polished UEFI and secure boot implementation from SLES11 SP3, and will configure it through the usual installation procedure. We intend to include the ability to dual boot Windows seamlessly. openSUSE release 13.1 is slated for November of this year.
Certain features in the Linux kernel like hibernation and kexec have to be turned off to satisfy Microsoft's requirements for secure boot. Are you comfortable with this?
In fact, it's not Microsoft's requirements, it's the Secure Boot security model that is the reason why hibernation (suspend to disk) and kexec have to be disabled when Secure Boot mode is on. Without disabling them, Secure Boot wouldn't hold water, it'd be possible to circumvent its protection too easily.
We at SUSE are currently working on cryptographic technology of signing both hibernation images and kexec images to allow the use of these features even in Secure Boot mode, without compromising the security model. We'll be submitting that to upstream projects, once it's verified to work. (maybe try to get them in openSUSE first, that'd be a great feature to advertise and a good place to test). On a side note, to my best knowledge, Microsoft's own hibernation implementation in Windows 8 is not cryptographically protected.
Have you ever given thought to providing an easy means for openSUSE to turn off secure boot? After all, Windows 8 will continue to function.
Turning secure boot off should be possible from the UI of every UEFI firmware. And our experience on machines available in the market confirms that. It's not necessarily easy for an inexperienced user, and it's not standardised how this should be done, but the option is there.
To make the process easier and the same for all users, openSUSE could provide an "ignore secure boot" switch in the shim loader. It wouldn't turn off secure boot per se, but it would allow booting a system without any restrictions. This switch would still meet all security and certification requirements per the secure boot security model. However, I'm not at all convinced it's such a good idea to provide it: an unsuspecting user could be tricked into disabling secure boot even when that wasn't their intent.
What has been the reaction from users of openSUSE to getting it installed on secure boot systems?
There has been surprisingly little. After all, secure boot in openSUSE 12.3 is marked as experimental and there aren't that many machines in the wild that would need secure boot, so for 12.3 I assume the most common, and most reasonable reaction is just to disable secure boot in the firmware.
Any plans to provide a GUI so that users can add their own keys to a system?
At this point we have a nice command line interface and the addition of keys will be automatically initiated when installing packages that need extra keys - like proprietary graphics drivers. Having a YaST interface for key management is certainly planned, but I can't say when exactly it'll be made available.