UEFI Secure Boot:
The story behind and where Linux stands
Dr. Udo Seidel
Linux-Strategy @ Amadeus
LinuxTag 2013 2
To my Mum
Agenda
● Introduction
● Keys and Signatures
● Linux and Opportunities
● What else?
● Summary
Introduction
Me ;-)
● Teacher of mathematics & physics
● PhD in experimental physics
● Started with Linux in 1996
● Linux/UNIX trainer
● Solution engineer in HPC and CAx environment
● Head of the Linux Strategy team @Amadeus
Basic Input Output System
● Around for a while
● Insecure
● Easy to hack
● Executes anything
● Problems with big disks
(U)EFI
● Unified Extensible Firmware Interface
● First version called EFI
– HP Itanium systems
● UEFI kind of EFI NG
● Replaces BIOS
● Emulates BIOS
● See talk from Thorsten Leemhuis
Secure Boot
● Part of UEFI Specification v2.3
● Addresses BIOS security issues
● Mandate by Microsoft
– For Windows 8
● Not only x86
● See keynote from Matthew Garrett
Keys and Signatures
LinuxTag 2013 10
Trust
● Parties
– Platform
– Firmware
– Operating System
● Technique
– Asymmetric keys
– Public key is part of the implementation
Key master
● Platform Key (PK)
● Key Exchange Key (KEK)
● Signature database (db)
● Forbidden signature database (dbx)
● Signed EFI executables
EFI instead of ELF
● Subset of PE32 specification
– Portable Executable (PE)
– See also Common Object File Format (COFF)
● PE/COFF header
– Optional part
– List of pointers
● Signatures appended at the tail of the file
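As an added illustration of the PE/COFF layout this slide describes (not code from the talk), the parser below walks from the DOS header to the optional header's data directory and on to the WIN_CERTIFICATE blob(s) at the tail of a PE32/PE32+ image; the image it builds is constructed and its PKCS#7 payload is a placeholder.

```python
"""Locate the Authenticode signature(s) inside a PE/COFF image.

UEFI executables are PE32/PE32+ files, not ELF.  Firmware finds an
image's signature through the Certificate Table entry (index 4) of the
optional header's data directory, which holds the file offset of one or
more WIN_CERTIFICATE blobs appended after the image body.  Added example,
not code from the talk; the sample image below is constructed by hand.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # bCertificate is PKCS#7 DER
MACHINES = {0x14C: "i386", 0x8664: "x86_64", 0xAA64: "aarch64"}


def parse_pe_signatures(data):
    """Return (machine name, [WIN_CERTIFICATE dicts]) for a PE image.

    Each dict has 'revision', 'cert_type' and 'cert' (raw PKCS#7 bytes).
    An unsigned image yields an empty list; a malformed one raises
    ValueError instead of trusting out-of-range header fields.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    name = MACHINES.get(machine, hex(machine))
    opt = coff + 20                           # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < dirs_off:
        raise ValueError("optional header too small for data directories")
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return name, []
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("security directory entry outside optional header")
    sec_off, sec_size = struct.unpack_from("<II", data, entry)
    if sec_off == 0 or sec_size == 0:
        return name, []                       # unsigned image
    # Unlike the other directory entries this one is a raw file offset,
    # not an RVA.  Bounds-check it before walking the blobs.
    if sec_off + sec_size > len(data):
        raise ValueError("certificate table runs past end of file")
    certs, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("bad WIN_CERTIFICATE length")
        certs.append({"revision": revision, "cert_type": cert_type,
                      "cert": bytes(data[pos + 8:pos + length])})
        pos += (length + 7) & ~7              # entries are 8-byte aligned
    return name, certs


def build_sample_image(pkcs7=b"", machine=0x8664):
    """Construct a minimal PE32+ image (headers only) for demonstration.

    A non-empty pkcs7 is wrapped in a WIN_CERTIFICATE at file offset 512
    and the security directory entry is pointed at it.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt_size = 112 + 16 * 8                   # PE32+ header, 16 directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    blob = b""
    if pkcs7:
        blob = struct.pack("<IHH", 8 + len(pkcs7), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    dirs = [(0, 0)] * 16
    if blob:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (512, len(blob))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    image = dos + b"PE\0\0" + coff + opt
    return image + b"\0" * (512 - len(image)) + blob
```

Tools such as pesign or sbverify read the same directory entry; the parser here deliberately stops at locating the blob and does not verify the PKCS#7 contents.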
Firmware
● Legacy (CSM)
● UEFI
● Without Secure Boot, or
● With Secure Boot
– Setup mode
– User mode
Typical scenario
● Since last autumn
● UEFI Secure Boot
● Enabled, if not even enforced
● Microsoft 'keys' implemented
Linux locked out ?!?
Linux: Options and Opportunities
Options
● Setup mode
● Replace keys
● MS signed Linux bootloader
Option I – Setup mode
● Insecure
● Not always possible
● A step backwards
Option II – Replace keys
● Linux distribution ...
– ... specific
– ... independent
● 3rd party support needed
● Tools needed
Replacing keys – more details
● X.509 certificates
● Generation via openssl
● Tools for EFI binary signing
● Multi O/S configuration tricky
Replacing keys – tools
● pesign
● sbsigntools
● efitools
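The db/dbx format behind the "Key master" slide and the output of the key-replacement tools listed above, as an added example (not code from the talk or from efitools): it serialises and parses EFI_SIGNATURE_LIST variables and applies the db-allows/dbx-forbids rule. The certificate bytes, owner GUID and images are constructed placeholders, and the hash and certificate matching are simplified as the comments state.

```python
"""Build and evaluate UEFI signature databases (db / dbx).

Added example, not code from the talk or from efitools: it shows what
cert-to-efi-sig-list / hash-to-efi-sig-list produce (EFI_SIGNATURE_LIST
structures in the db and dbx variables) and how firmware turns db and dbx
into an allow/forbid decision.  Certificate bytes, owner GUID and images
below are constructed stand-ins.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # UEFI spec
# SignatureOwner: any GUID chosen by the machine owner; constructed here.
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")


def signature_list(sig_type, entries, owner=OWNER_GUID):
    """Serialise one EFI_SIGNATURE_LIST: SignatureType GUID(16) |
    SignatureListSize | SignatureHeaderSize | SignatureSize |
    EFI_SIGNATURE_DATA[] (SignatureOwner GUID(16) + data).  All records
    share SignatureSize, so certificates of differing length need
    separate lists, which are simply concatenated in the variable."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must have equal size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def parse_signature_lists(blob):
    """Yield (type GUID, owner GUID, data) for every record in the variable."""
    pos = 0
    while pos < len(blob):
        if pos + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 + hdr_size or pos + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or (list_size - 28 - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize")
        p = pos + 28 + hdr_size
        while p < pos + list_size:
            owner = uuid.UUID(bytes_le=bytes(blob[p:p + 16]))
            yield sig_type, owner, bytes(blob[p + 16:p + sig_size])
            p += sig_size
        pos += list_size


def image_digest(image):
    """SHA-256 of the image.  Simplification: firmware hashes the PE
    Authenticode regions (headers without checksum and security
    directory, then the sections), not the raw file bytes."""
    return hashlib.sha256(image).digest()


def image_allowed(image, signer_cert_der, db, dbx):
    """Secure Boot rule: run the image only if db vouches for it (signer
    certificate or image hash) and dbx forbids it on neither ground.
    Simplification: a certificate match is byte equality with the leaf;
    firmware verifies the PKCS#7 chain up to a certificate in db."""
    digest = image_digest(image)
    def listed(var):
        for sig_type, _, data in parse_signature_lists(var):
            if sig_type == EFI_CERT_SHA256_GUID and data == digest:
                return True
            if sig_type == EFI_CERT_X509_GUID and data == signer_cert_der:
                return True
        return False

    return listed(db) and not listed(dbx)


def demo():
    """Constructed db/dbx and four boot decisions, returned as a tuple."""
    distro_cert = b"constructed DER of the distribution's signing cert"
    stranger_cert = b"constructed DER of an unknown cert"
    shim, tool, revoked = b"shim image", b"hash-enrolled tool", b"revoked image"
    db = (signature_list(EFI_CERT_X509_GUID, [distro_cert])
          + signature_list(EFI_CERT_SHA256_GUID, [image_digest(tool)]))
    dbx = signature_list(EFI_CERT_SHA256_GUID, [image_digest(revoked)])
    return (image_allowed(shim, distro_cert, db, dbx),     # signed by a db cert
            image_allowed(shim, stranger_cert, db, dbx),   # unknown signer
            image_allowed(tool, b"", db, dbx),             # image hash in db
            image_allowed(revoked, distro_cert, db, dbx))  # image hash in dbx
```

The hash-only entry in db is the same mechanism the MOK list and Hashtool.efi rely on for unsigned binaries, and the dbx entry shows why a revocation wins even over a valid signature.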
Option III – MS signed bootloader
● MS support needed
● Again: Linux distribution ...
– ... specific
– ... independent
● Bootloader maintenance?
MS signed bootloader – Idea
● Phased bootloader
● Small & static
● Between UEFI and Linux bootloader
MS signed bootloader – Loader.efi
● Linux Foundation
● To enable ALL Linux bootloaders
● No additional security
● Recently reworked
● Helper tools
– Preloader.efi
– Hashtool.efi
MS signed bootloader – the SHIM
● Originally RedHat'ish
● First version quite static
● Does not support all bootloaders
– Yes: eLILO, GRUB, GRUB2
– No: Gummiboot, efilinux
Machine Owner
● Originally from SUSE
● Machine Owner Keys (MOK)
● Integrated in SHIMv2
Extending SB trust chain
● Several certificates
– Microsoft
– Linux distribution
● Signed bootloader
● Signed kernel core binary
● Signed kernel modules
● ..?!?
Distributor approaches
● Enterprise
– In place: Ubuntu LTS
– Announced: SUSE
– Unknown: RedHat, Oracle
● Community
– In place: Ubuntu, Fedora, openSUSE, ...
– Announced: ...
– Unknown: Debian and derivatives
What else?
ARM
● UEFI Forum since 2008
● More strict Microsoft mandate
● UEFI ARM boards available but ...
Problems
● Samsung: firmware death
● Toshiba: Missing keys
● Lenovo: Only Windows 8 and RHEL
● Microsoft: leaked keys
Summary
Takeaways
● Linux almost ready
– In general
– Enterprise sector
● Opportunity not pain
● Homework to be done
References
● http://www.uefi.org
● http://mjg59.dreamwidth.org
● http://blog.hansenpartnership.com
● http://www.sxc.hu
Thank you!