White Paper on “Secure Boot” in UEFI Firmware
by admin
Canonical and Red Hat have jointly published a white paper that compiles the facts on “Secure Boot” in UEFI firmware and asks manufacturers to provide an easy way to turn the security function on and off.
Matthew Garrett of Red Hat has written a series of blog posts since July dealing with UEFI firmware. A month ago, he pointed to the new “Secure Boot” functionality, which uses a key stored in the BIOS to guarantee that only correctly signed software can be booted. If the hardware manufacturer keeps control of the key, users in turn lose full control over the device; in particular, they can no longer boot alternative or modified operating systems. Manufacturers who want to obtain Windows 8 certification must implement “Secure Boot”, but it is left to them whether the function can be switched off and how they manage the keys.
The technical details are explained again in the recently published white paper (PDF). The authors, Jeremy Kerr of Canonical and kernel developer James Bottomley in addition to Garrett, build on Garrett’s original analysis and assume that the functionality is desirable and useful in some cases. Among the rather dubious advantages is that manufacturers can offer a precisely tuned combination of hardware and software, including forced updates, which, as seen with the Sony PlayStation 3, are not always to the benefit of customers. Furthermore, it may become impossible for users to install their own applications. Instead, they would have to obtain all applications from the manufacturer’s app store, which thereby generates a steady income.
Among the disadvantages of “Secure Boot”, the authors report that the choice of hardware depends on the availability of signed drivers, and that administering the appropriate key is, depending on how it is organized, time- or labor-intensive. Similarly, the choice of operating system may be restricted, as has been stated several times. A compromised key could have serious consequences. The necessary infrastructure for the keys is extensive. From the user’s perspective, vulnerabilities in key management would be no problem but rather a welcome opportunity to circumvent the limitations of the system, as was seen in the cracking of the Sony PlayStation 3 and Apple’s iOS hardware.
Nevertheless, the authors consider “Secure Boot” to be useful in principle. Their recommendation is that hardware manufacturers offer users a mechanism that allows them to configure the keys themselves. Only then can users retain full control over their hardware. By default, no key should be pre-installed, and the installed operating system should perform the initial configuration of the key. The method for doing this should be standardized. Since this would overwhelm less technical users, however, the authors also demand that manufacturers provide an easy way to turn the security function on and off.
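The states this recommendation distinguishes (no key installed yet, Secure Boot switched on, Secure Boot switched off) can be read back from a running Linux system. The following is an added example, not code from the white paper or its authors; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, takes the SecureBoot and SetupMode variable names and the global vendor GUID from the UEFI specification, and uses function names that are hypothetical.

```python
import struct
from pathlib import Path

# Assumption: Linux with efivarfs mounted at its usual location.
EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE vendor GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, payload).

    efivarfs prefixes every variable with a 4-byte little-endian
    attribute word; the variable's data follows it.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry is shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def read_flag(name, root=EFIVARS):
    """Return a one-byte boolean UEFI variable, or None if it is absent."""
    try:
        raw = (Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    _, data = parse_efivar(raw)
    return bool(data[0]) if data else None


def classify(secure_boot, setup_mode):
    """Map the SecureBoot and SetupMode flags to a platform state."""
    if secure_boot is None and setup_mode is None:
        return "unsupported"   # legacy BIOS boot or efivarfs not mounted
    if setup_mode:
        return "setup-mode"    # no platform key enrolled; keys can be installed
    if secure_boot:
        return "enforcing"     # only correctly signed boot software runs
    return "disabled"          # Secure Boot switched off


def secure_boot_state(root=EFIVARS):
    """Read both flags under root and return the resulting state name."""
    return classify(read_flag("SecureBoot", root), read_flag("SetupMode", root))


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of "setup-mode" corresponds to the white paper's proposed default, in which no key is pre-installed and the operating system performs the initial key configuration.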