Linux UEFI Secure Boot

While Matthew Garrett has been gathering a lot of attention with his blog posts about UEFI Secure Boot, another Red Hat employee, Peter Jones, has been doing excellent work down in the trenches developing a utility (pesign) for securely signing UEFI binaries on Linux platforms and a setup tool for enrolling your public key(s) in UEFI firmware.

Is Secure Boot breakable? Yes, of course, but it is not that easy to do. The technology underlying Secure Boot is battle tested and proven. Here is how it basically works. Assuming you have generated a 2048-bit RSA key, the signing process is as follows:

  • Add the public half of your 2048-bit RSA key to the firmware keystore.
  • Calculate a SHA256 hash for the PE/COFF binary you want signed.
  • Encrypt that hash using the private half of your 2048-bit RSA key.
  • Embed the encrypted hash in the binary at a known location.

The verification process works as follows when somebody tries to load and execute your binary on the firmware:

  • Calculate a SHA256 hash over the defined parts of the binary (the original content that was hashed at signing time).
  • Extract the stored signed hash from the binary and decrypt it with the public key you stored in the firmware keystore.
  • Compare the two hashes. If they match, the binary is trusted and loaded.

If the two hashes match, you know that whoever signed the binary had access to the private half of a key you trust, and the binary hasn’t been modified since it was signed with that key.
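Why the hash covers only "defined parts" of the binary, and how a signature can be embedded without invalidating it, shown as an added example (not pesign's code, and not from the original post). It is a simplification of the Authenticode PE digest: it hashes the file linearly and skips the CheckSum field, the Certificate Table directory entry and the certificate table itself, assuming section data is contiguous and in file order. The function names, the sample image and the signature blob are constructed placeholders; a real signature is a PKCS#7 structure.

```python
import hashlib
import struct

def pe_layout(img: bytes):
    """Locate the fields the hash skips: (checksum_off, certdir_off, cert_off, cert_size)."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                       # past signature and COFF file header
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    certdir = opt + (96 if magic == 0x10B else 112) + 4 * 8   # data directory 4
    cert_off, cert_size = struct.unpack_from("<II", img, certdir)
    if cert_size and cert_off + cert_size > len(img):
        raise ValueError("certificate table outside file")
    return opt + 64, certdir, cert_off, cert_size

def signed_parts_digest(img: bytes) -> bytes:
    """SHA-256 of the image minus CheckSum, cert directory entry and cert table."""
    checksum, certdir, cert_off, cert_size = pe_layout(img)
    skip = [(checksum, checksum + 4), (certdir, certdir + 8)]
    if cert_size:
        skip.append((cert_off, cert_off + cert_size))
    h, pos = hashlib.sha256(), 0
    for start, end in sorted(skip):
        h.update(img[pos:start])
        pos = max(pos, end)
    h.update(img[pos:])
    return h.digest()

def embed_signature(img: bytes, blob: bytes) -> bytes:
    """Append blob as the certificate table and point directory entry 4 at it."""
    certdir = pe_layout(img)[1]
    out = bytearray(img + blob)
    struct.pack_into("<II", out, certdir, len(img), len(blob))
    return bytes(out)

def sample_image() -> bytes:
    """Constructed PE32+ skeleton (headers only) followed by 64 bytes of stand-in code."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 24, 0x20B)    # optional header magic
    return bytes(img) + b"\x90" * 64
```

The digest is the same before and after `embed_signature`, and changes as soon as any hashed byte (for example the stand-in code at offset 0x200) is modified.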

Here is a link to the tentative plans for Fedora 18 UEFI Secure Boot. Hopefully, people will get involved with Peter and help develop and polish these tools so that the Linux community is not dependent on the existing Microsoft tools, i.e. MakeCert, Pvk2Pfx and Authenticode SignTool.
