Linux Developers Step Up to the Secure Boot Challenge
By Katherine Noyes
The prospect of Windows 8’s planned Secure Boot restrictions has caused no end of controversy in the Linux world, where distributors and users of the free and open source operating system have been struggling to figure out just what it’s all going to mean for those who don’t embrace Windows.
It wasn’t long ago that the Free Software Foundation spoke out for a second time on the topic, but recently there have been signs that a broader effort is in the works in the Linux community.
“The purpose of this email is to widen the pool of people who are playing with UEFI Secure boot,” began a message late last month from James Bottomley, chair of the Linux Foundation’s Technical Advisory Board.
The Intel Tianocore project just recently added the Secure Boot facility to its UEFI ROM images, he noted.
Also posted in a repository by Bottomley are a set of tools that can be used to sign EFI binaries, he said.
“The current state is that I’ve managed to lock down the Secure Boot virtual platform with my own PK and KEK and verified that I can generate signed EFI binaries that will run on it (and that it will refuse to run unsigned efi binaries),” Bottomley explained. “Finally I’ve demonstrated that I can sign elilo.efi … and have it boot an unsigned Linux kernel when the platform is in secure mode (I’ve booted up to an initrd root prompt).”
‘Far From Rock Solid’
The Linux Foundation Technical Advisory Board began looking into the situation “because it turns out to be rather difficult to lay your hands on real UEFI Secure Boot enabled hardware,” Bottomley pointed out.
This new contribution, however, is still “very alpha,” he warned. “The Tianocore firmware that does Secure Boot is only a few weeks old, and the sbsigning tools weren’t really working up until yesterday, so this is very far from rock solid.”