UEFI secure boot: Next generation booting or a controversial debate
by Aditya Balapure - Monday, 15 July 2013.
The main database is actually segmented into an Allowed and a Disallowed list. The Allowed list contains the trusted firmware modules while the Disallowed list contains hashes of malware-infected firmware and their execution is blocked to maintain the integrity and security of the system.

The original equipment manufacturer installs a unique signature and keys during the manufacturing process for the secure booting process. This trust relationship is built on a digital certificate exchange commonly known as Public Key Infrastructure (PKI). PKI is the core infrastructure of the secure boot feature in UEFI. The Public Key Infrastructure is a set of hardware and software policies used to create, manage and distribute digital certificates with the help of a Certificate Authority (CA).

The Secure Boot feature requires the firmware to have UEFI version 2.3.1 or higher. The secure booting feature mainly addresses rootkits and malware that may target system vulnerabilities even before the operating system loads. This feature even protects systems from bootloader attacks and firmware compromises. A cryptographic key exchange takes place at boot time to keep a check whether the operating system trying to boot is a genuine one and not compromised by malware or rootkits.

A while ago there was a dispute between Microsoft and the Free Software Foundation in which the latter accused the former of trying to use the secure boot feature of UEFI to prevent the installation of other operating systems such as different Linux versions by requiring the computers certified with Windows 8 getting shipped with secure boot enabled through a Microsoft private key. Microsoft controls the key signing authority and anyone who wanted to boot an operating system on the hardware certified for Microsoft Windows would have to buy Microsoft's private key at a lucrative price. The computer hardware would itself have a copy of Microsoft's public key and would use it to verify the integrity of the private key and check whether it is originally from Microsoft.

If any modifications are made, the verification would fail and the computer would fail to carry on the boot process any further. Microsoft then denied the fact that this strategy was built to prohibit the installation of other operating systems. It further said that it had the option to either disable the secure boot or allow the Windows 8 boot along with the secure boot feature. The developers of the open source community were concerned, since most Linux vendors did not have the power to get their certificates in the UEFI system. Red Hat, Ubuntu, and Suse would have no doubt implemented their certificates in the UEFI but the problem lies with communities like Slackware, NetBSD, and others.

The main concern was that there are many UEFI motherboard manufacturers and getting the certificates included in each of them would not be an easy task for non-commercial open source communities since it would require a lot of time and money. All the binaries needed to be signed in with certificates from the binaries' vendor, and this was indeed a tough task. And this certificate which signed those binaries had to be imported to the UEFI, which would enable that particular operating system to function securely. The problem would arise when a hardware vendor would not allow disabling Secure Boot from the setup menu and does not install certificates from other operating systems.

In that case, the users who buy the computers with such capability will not be able to make use of open source Linux operating systems either through dual boot or single boot Linux since the secure boot feature would need the certificate from that particular operating system. The protests have taken form of Facebook pages like “Stop the Windows 8 Secure Boot Implementation” and campaigns like “Will your computers Secure Boot turn out to be Restrictive Boot” being created.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th