Back in the dark ages of computing, say 2011, Microsoft announced they would implement Secure Boot, which is a protocol included in the UEFI, Unified Extensible Firmware Interface(BIOS successor), in Windows 8 – which had not been implemented previously. The purpose of Secure Boot is to ensure that the software, or operating system, being loaded on a computer is genuine, unchanged, and secure. In short, it’s forms a chain of trust from the moment you power on your computer until the OS is loaded while preventing root kits, boot kits, and other nefarious software from infecting your computer.
In simplified terms it works like this:
- A digitally signed certificate list is loaded into UEFI when computer is manufactured
- Computer powers on and checks the certificate of the UEFI
- If the UEFI is authentic it loads as expected
- If the UEFI is not authentic an attempt is made to restore an authentic version of UEFI
- UEFI checks the bootloader to see if its’ certificate is correct
- If correct UEFI hands off to the bootloader
- If the certificate does not match an error is displayed and the OS does not load
- The bootloader checks the kernel and if everything checks out loads it
This interaction is similar to the way a secure https website negotiates with your browser to form a secure connection when you do online banking. Sounds like a great idea, doesn’t it? It is, but…
Linux fans pull out torches and pitchforks
The Linux community at the time chose to view the implementation of Secure Boot as an attempt by Microsoft to prevent users from installing Linux on their computers instead of looking at the bigger security picture. Even though Microsoft didn’t invent Secure Boot, nor did Microsoft really control the protocol, they were up in arms and ready for a fight because they didn’t have a method of including their own certificates in the UEFI! Leading the charge were many Linux insiders and community leaders.
As an example, Matthew Garrett of Red Hat had this to say at the time:
- 8220;As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems”… and
- “Microsoft can require that hardware vendors include their keys. Their competition can’t.”
Various users from around the internet also had their say:
- ZDNet – “Why on earth Red Hat and others are bowing to microsoft on this? Is there anybody that really thinks UEFI is all about security instead of keeping a monopoly and messing up with the rest of us?”
- ZDNnet – “Microsoft’s tactic now is to exploit that same fear along with vendors to push technology that patch a hole they built, so I’m not using that on my kernel as it’s already safe.”
Never mind that Secure Boot could generally be completely disabled by the end user or that Microsoft provided a certificate for use by the Linux Foundation to create their own Secure Boot implementation. Talk about not seeing the forest for the trees!
Ubuntu secure boot isn’t so secure
So it’s now 2016. We have an overall view of Secure Boot and we know the Linux crowd wasn’t happy about it, but they’ve adapted. Business as usual, but not quite…
It was recently discovered that Ubuntu fails to check the signature of the loaded kernel during the Secure Boot process, which could allow an individual to load a malicious kernel – not a good thing for Linux users. Unfortunately, a few circumstances contribute to form what may be a perfect storm of sorts, which could be disastrous for everyone – not a good thing for PC users. In essence Ubuntu breaks the security shell of Secure Boot for those who have chosen to use it and those with OEM installs of Windows 8, 8.1, and 10.
- Linux software is generally open source, meaning the source code is available to individuals and easily modifiable.
- The Linux bootloader, GRUB, can boot Windows also (a dual boot scenario is an example).
By failing to check integrity of their kernel Ubuntu has single handedly broken the chain of trust that is Secure Boot and because of the two reasons listed above it could easily be re-purposed to attack other operating systems (read that as Windows systems).
In a strange change of attitude Matthew Garrett tweeted this on January 6th (caution: NSFW):
- “Holy F***ing S**t” https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1475954/comments/1 … and
- “This isn’t a decision that affects just Ubuntu users—*everybody* who uses UEFI Secure Boot has their security weakened by this.”
What does this mean to you
Well, as a believer in the premise behind Secure Boot and a supporter of Linux, I’m not happy about it. Knowledgeable users, users of home built systems, and users of older systems are no less secure because of this, however, once someone devises a method to use this in the wild I can see some affect on those with little computer knowledge or a belief that Secure Boot will help protect them.
Ubuntu promises a fix in their next release (16.04 LTS) in April, but this will have no affect on older versions out in the wild. My hope, and it isn’t pretty, is that Microsoft steps in and blacklists the affected certificates to block the affected OS’s, and associated bootloaders, from being installed.
As always be aware of what you download and install!