Back in the dark ages of computing, say 2011, Microsoft announced that Windows 8 would implement Secure Boot, a protocol included in UEFI (Unified Extensible Firmware Interface, the successor to BIOS), which had not been implemented previously. The purpose of Secure Boot is to ensure that the software, or operating system, being loaded on a computer is genuine, unchanged, and secure. In short, it forms a chain of trust from the moment you power on your computer until the OS is loaded, preventing rootkits, bootkits, and other nefarious software from infecting your computer.
In simplified terms it works like this:
- A digitally signed certificate list is loaded into UEFI when the computer is manufactured
- The computer powers on and checks the certificate of the UEFI
- If the UEFI is authentic, it loads as expected
- If the UEFI is not authentic, an attempt is made to restore an authentic version of UEFI
- UEFI checks the bootloader to see if its certificate is correct
- If correct, UEFI hands off to the bootloader
- If the certificate does not match, an error is displayed and the OS does not load
- The bootloader checks the kernel and, if everything checks out, loads it
- etc.
This interaction is similar to the way a secure HTTPS website negotiates with your browser to form a secure connection when you do online banking. Sounds like a great idea, doesn’t it? It is, but…
Linux fans pull out torches and pitchforks
The Linux community at the time chose to view the implementation of Secure Boot as an attempt by Microsoft to prevent users from installing Linux on their computers, instead of looking at the bigger security picture. Even though Microsoft didn’t invent Secure Boot, nor did Microsoft really control the protocol, the community was up in arms and ready for a fight because it didn’t have a method of including its own certificates in the UEFI! Leading the charge were many Linux insiders and community leaders.
As an example, Matthew Garrett of Red Hat had this to say at the time:
- “As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems”… and
- “Microsoft can require that hardware vendors include their keys. Their competition can’t.”
Various users from around the internet also had their say:
- ZDNet – “Why on earth Red Hat and others are bowing to Microsoft on this? Is there anybody that really thinks UEFI is all about security instead of keeping a monopoly and messing up with the rest of us?”
- ZDNet – “Microsoft’s tactic now is to exploit that same fear along with vendors to push technology that patch a hole they built, so I’m not using that on my kernel as it’s already safe.”
Never mind that Secure Boot could generally be completely disabled by the end user or that Microsoft provided a certificate for use by the Linux Foundation to create their own Secure Boot implementation. Talk about not seeing the forest for the trees!
Ubuntu secure boot isn’t so secure
So it’s now 2016. We have an overall view of Secure Boot and we know the Linux crowd wasn’t happy about it, but they’ve adapted. Business as usual, but not quite…
It was recently discovered that Ubuntu fails to check the signature of the loaded kernel during the Secure Boot process, which could allow an individual to load a malicious kernel – not a good thing for Linux users. Unfortunately, a few circumstances contribute to form what may be a perfect storm of sorts, which could be disastrous for everyone – not a good thing for PC users. In essence Ubuntu breaks the security shell of Secure Boot for those who have chosen to use it and those with OEM installs of Windows 8, 8.1, and 10.
- Linux software is generally open source, meaning the source code is available to individuals and easily modifiable.
- The Linux bootloader, GRUB, can boot Windows also (a dual boot scenario is an example).
By failing to check the integrity of their kernel, Ubuntu has single-handedly broken the chain of trust that is Secure Boot, and because of the two reasons listed above it could easily be re-purposed to attack other operating systems (read that as Windows systems).
In a strange change of attitude Matthew Garrett tweeted this on January 6th (caution: NSFW):
- “Holy F***ing S**t” https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1475954/comments/1 … and
- “This isn’t a decision that affects just Ubuntu users—*everybody* who uses UEFI Secure Boot has their security weakened by this.”
What does this mean to you
Well, as a believer in the premise behind Secure Boot and a supporter of Linux, I’m not happy about it. Knowledgeable users, users of home-built systems, and users of older systems are no less secure because of this. However, once someone devises a method to use this in the wild, I can see some effect on those with little computer knowledge or a belief that Secure Boot will help protect them.
Ubuntu promises a fix in their next release (16.04 LTS) in April, but this will have no effect on older versions out in the wild. My hope, and it isn’t pretty, is that Microsoft steps in and blacklists the affected certificates to block the affected OSes, and associated bootloaders, from being installed.
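The broken chain of trust and the blacklisting remedy described above can be modelled in a few lines. This is an added example, not code from Ubuntu, GRUB or any firmware: SHA-256 allow/deny lists stand in for the signature database and the blacklist, a single `db` is shared by every stage for simplicity, and all names and image contents are constructed.

```python
import hashlib
from dataclasses import dataclass

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class Stage:
    name: str
    image: bytes
    verifies_next: bool = True  # False models a loader that skips the kernel check

def boot(chain, db, dbx):
    """Walk the boot chain. db = trusted digests, dbx = revoked digests.
    Returns (booted, log)."""
    log = []
    verifier_active = True  # the firmware always checks the first stage
    for stage in chain:
        h = digest(stage.image)
        if not verifier_active:
            log.append(f"{stage.name}: loaded WITHOUT verification")
        elif h in dbx:
            log.append(f"{stage.name}: refused, revoked")
            return False, log
        elif h not in db:
            log.append(f"{stage.name}: refused, not trusted")
            return False, log
        else:
            log.append(f"{stage.name}: verified")
        # Whether the next stage gets checked depends on this stage alone.
        verifier_active = stage.verifies_next
    return True, log

# Constructed sample images (placeholders, not real binaries).
GOOD_LOADER = Stage("bootloader", b"loader-that-checks-kernel")
FLAWED_LOADER = Stage("bootloader", b"loader-that-skips-check", verifies_next=False)
KERNEL = Stage("kernel", b"vendor-kernel")
TAMPERED = Stage("kernel", b"vendor-kernel+modified")
DB = {digest(s.image) for s in (GOOD_LOADER, FLAWED_LOADER, KERNEL)}

def scenarios():
    revoked = {digest(FLAWED_LOADER.image)}
    return {
        "good loader, genuine kernel": boot([GOOD_LOADER, KERNEL], DB, set())[0],
        "good loader, tampered kernel": boot([GOOD_LOADER, TAMPERED], DB, set())[0],
        "flawed loader, tampered kernel": boot([FLAWED_LOADER, TAMPERED], DB, set())[0],
        "flawed loader revoked": boot([FLAWED_LOADER, TAMPERED], DB, revoked)[0],
    }

if __name__ == "__main__":
    for name, booted in scenarios().items():
        print(f"{name}: {'boots' if booted else 'blocked'}")
```

The third scenario is the one that matters: the firmware's check of the bootloader passes, yet the modified kernel still runs, and only revoking the flawed loader restores the guarantee.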
As always be aware of what you download and install!
OK, Dave, I can see your concern, but if a user keeps Linux in a VM then how does the “secure boot” option become a problem? I can see how it might with a dual boot using GRUB as the bootloader.
It’s not about a particular user, dandl. It’s about the flaw being present in open source software, which means anyone can use it as a stepping stone for an exploit that will be viable against both Linux and Windows PCs.
Well said Dave, in a world where criminals conduct nonstop progress in trying to break any and all security codes it seems incomprehensible that a valid organization like Linux would appear to make it easier for them. I too believe in the underlying reasons for Secure Boot and as long as Microsoft allows a user to disable or enable it I think it should be made iron clad and that unfortunately means that they should block any certificate that attempts to circumvent the process.
I have seen it before where some Linux fans join a group mentality against anything Microsoft without understanding the underlying problem first. I have just not seen it in this level of the Linux nation before. You would think the big guys would understand the seriousness to home users.
I have been a Windows user and supporter since you had to know DOS to boot to Windows. Windows 10 was the deal breaker with me. It not only is very pushy in the way it's promoted, but has resorted to almost forcing everyone to use it. I am an over-25-year user of Windows and I am so disgusted with Microsoft that I have gone to Linux Mint on one of my 3 desktops. I have Windows 8.1 on 2 of them and my laptop.
There was a bit of a learning curve with them but I like 8.1. But after loading Windows 10 on my newest computer after being hounded, loaded with hidden voluntary and involuntary updates on Windows 8.1, and checking out the inner workings of Windows 10, I will get rid of my PCs and laptop rather than give in to Microsoft’s worst and most intrusive OS ever. I am amazed that every tech seems to be behind that push and it has really made me have second thoughts about some techs I have followed for years on PCPitstop.
“I have seen it before where some Linux fans join a group mentality against anything Microsoft without understanding the underlying problem first.”
ahh, nothing like a circular strawman ad hom to prove your point. cheers, jim.
CIF, I have been a fan of Windows since a time when you used to have to know DOS and create an autoexec.bat file and a config.sys file and type win in DOS to get to Windows. So I am not against Windows. Until now I have used every Windows program since 1989, 2.0 through Windows 10, and until now never even considered anything else, until they started shoving Windows 10 down my throat. I tried it for about 3 months and many parts of it I liked, but I have 3 other computers besides my main PC and I have my reason for keeping a 32-bit Windows 7 computer: it still runs some programs in DOS that I really don’t want to give up.
I have 2 computers running Win 8.1, which I like really well, 64 bit, and my main PC I have tried Windows 10 on from the beta day to the latest version. My dislike for Windows 10 is that they are forcing everyone to go to Windows 10 even if they don’t want it, and I don’t. So what you said above is not correct in my case. Also, going back to 8.1 is very difficult if you are not a tech, which by the way I am for many years and have been building my own systems since the 286 dx. I found your position insulting and narrow minded. I have never used Linux before this week in case Windows Microsoft continues on the path they are heading. I will still have the things that are important to me. Ed
The responses to Windows 10 have me worried, as I have been a user, not a tech, since DOS on 286 computers through the Windows 10 upgrade. I now have more interruptions errors than all the other OS programs put together and I don’t know why. Can anyone tell me why and if I should go back to Windows 7 or Windows 8.1 to stop the errors?
Ron Brust: I have gone back to Windows 8.1 64-bit and Windows 7 32-bit with a dual boot to Linux Mint (first time with Linux) from Windows 10. I don’t think the errors are a result of Windows 10, but I do believe anyone who has Windows 10 after the free upgrade will be at Microsoft’s mercy. It is a very invasive program, more like spyware than an operating system. I personally like Windows 8.1 and I keep Windows 7 on one computer because I can still run some old programs I have had for many years.
There is a free download program called SFFIX you can try to run on Win 10 if you like it. If you go back to another operating system it's your choice, but do a CLEAN install, NOT return to 8.1 in Windows 10. That is my opinion. I will never use Win 10 again. I tried it and will not use that program. 7, 8, or 8.1 are my choice. Ed
There must be tens of thousands of us running Ubuntu (and Mint) Linux on old computers which were born well before SafeBoot, and the original BIOS makes a PC easy to boot up to bootable DVDs and bootable USB sticks, so that we might try different operating systems, and use bootable tools such as Clonezilla and Gparted. We are not quaking in our shoes at this announcement.