UEFI Secure Boot:
The story behind and where Linux stands
Dr. Udo Seidel
Linux-Strategy @ Amadeus
LinuxTag 2013 2
To my Mum
Agenda
● Introduction
● Keys and Signatures
● Linux and Opportunities
● What else?
● Summary
Introduction
Me ;-)
● Teacher of mathematics & physics
● PhD in experimental physics
● Started with Linux in 1996
● Linux/UNIX trainer
● Solution engineer in HPC and CAx environment
● Head of the Linux Strategy team @Amadeus
Basic Input Output System
● Around for a while
● Insecure: no verification of the code it loads
● Easy to attack
● Executes whatever sits in the boot sector
● Problems with big disks (MBR partition table limits)
(U)EFI
● Unified Extensible Firmware Interface
● First version called EFI
● Came from Intel for the (HP) Itanium systems
● UEFI is the successor, EFI "next generation", now maintained by the UEFI Forum
● Replaces the BIOS
● Can still emulate the BIOS for legacy boot (CSM)
● See talk from Thorsten Leemhuis
Secure Boot
● Part of UEFI Specification v2.3
● Addresses the BIOS security issue: the firmware only runs signed code
● Mandated by Microsoft for Windows 8 certified hardware
● Not only x86
● See keynote from Matthew Garrett
Keys and Signatures
Trust
● Parties
– Platform (hardware vendor)
– Firmware
– Operating System
● Technique
– Asymmetric keys
– The public key is part of the firmware implementation; the private key stays with the signer
Key master
● Platform Key (PK): the platform owner's key; updates to PK and KEK must be signed with it
● Key Exchange Key (KEK): updates to db and dbx must be signed with one of these
● Signature database (db): certificates and image hashes allowed to boot
● Forbidden signature database (dbx): revoked certificates and hashes; a match here wins over db
● Signed EFI executables: checked against db and dbx before the firmware runs them
EFI instead of ELF
● Subset of the PE32/PE32+ specification
● Portable Executable (PE)
● See also Common Object File Format (COFF)
● PE/COFF header
– Optional header
– Data directory: a list of pointers, one of them the Certificate Table
● Signatures (Authenticode) tail the file and are found via that Certificate Table entry
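The data-directory pointer and the trailing signature are easier to see in code. The following is an added example (not from the talk, and not code from sbsigntools or pesign) that builds a constructed, minimal PE32+ skeleton, locates its Certificate Table, walks the WIN_CERTIFICATE entries and computes the Authenticode image digest that a Secure Boot firmware compares with the hashes in db and dbx. The signature bytes used are a placeholder, not a real PKCS#7 blob.

```python
"""Find the Authenticode signature of a PE/COFF (EFI) image and hash the image
the way a Secure Boot firmware does before comparing it against db/dbx.

Added example for this deck; not code from the talk. It builds a constructed,
minimal PE32+ image (not a real EFI binary) so it runs without any input file."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob
WIN_CERT_REVISION_2_0 = 0x0200
FILE_ALIGN = 512


def parse_pe(data):
    """Return the offsets the Authenticode hashing rules care about."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directory starts 96 bytes into the optional header
        dir_off = opt + 96
    elif magic == 0x20B:      # PE32+ (x86-64 UEFI binaries): 112 bytes in
        dir_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    certdir_off = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)  # a file offset, not an RVA
    sections = []
    sec = opt + opt_size
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {
        "checksum_off": opt + 64,
        "certdir_off": certdir_off,
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "sections": sections,
        "cert_off": cert_off,
        "cert_size": cert_size,
    }


def certificates(data):
    """Walk the WIN_CERTIFICATE entries (8-byte aligned) of the Certificate Table."""
    hdr = parse_pe(data)
    certs = []
    off, end = hdr["cert_off"], hdr["cert_off"] + hdr["cert_size"]
    while hdr["cert_size"] and off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        certs.append((revision, cert_type, bytes(data[off + 8:off + length])))
        off += (length + 7) & ~7
    return certs


def authenticode_digest(data, algo="sha256"):
    """Hash everything except CheckSum, the Certificate Table directory entry and
    the certificate data itself, in the order the Authenticode spec prescribes."""
    hdr = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:hdr["checksum_off"]])
    h.update(data[hdr["checksum_off"] + 4:hdr["certdir_off"]])
    h.update(data[hdr["certdir_off"] + 8:hdr["size_of_headers"]])
    hashed = hdr["size_of_headers"]
    for ptr, size in sorted(hdr["sections"]):          # sections in file order
        h.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - hashed - hdr["cert_size"]      # trailing data before the signature
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_sample_image(signature=b""):
    """Constructed PE32+ skeleton: one .text section of filler, optional signature."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # x86-64, one section
    opt = bytearray(240)                                              # 112 + 16 directory entries
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)              # Section/FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGN)                       # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)                               # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    text = b"\xcc" * FILE_ALIGN
    table = b""
    if signature:
        table = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        table += b"\0" * (-len(table) % 8)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         FILE_ALIGN + len(text), len(table))
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(text), 0x1000, len(text), FILE_ALIGN) + b"\0" * 16)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(FILE_ALIGN, b"\0") + text + table


if __name__ == "__main__":
    img = build_sample_image(b"\x30\x82\x01\x00" + b"\xab" * 29)   # placeholder, not real PKCS#7
    for revision, cert_type, blob in certificates(img):
        print("WIN_CERTIFICATE rev=0x%04x type=0x%04x %d bytes" % (revision, cert_type, len(blob)))
    print("Authenticode sha256:", authenticode_digest(img))
```

Note what the digest skips: the CheckSum field, the 8-byte Certificate Table directory entry and the certificate data itself. That is what lets the same digest cover the image before and after signing, and it is also why a hash entry in db or dbx is the image hash computed this way and not a plain SHA-256 of the file.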
Firmware
● Legacy (CSM)
● UEFI without Secure Boot
OR
● UEFI with Secure Boot
– Setup mode: no PK enrolled, key variables can be written without a signature, nothing is verified
– User mode: PK enrolled, key updates must be signed, executables are verified
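Putting the key hierarchy and the firmware modes together: the following added example (my code, not the talk's and not efitools) parses the SecureBoot/SetupMode variables and the db/dbx EFI_SIGNATURE_LIST chains in the form efivarfs exposes them, and applies the firmware's rule that a dbx match rejects an image whatever db says. All variable contents, the placeholder DER blob and the owner GUID are constructed; on a real machine the same bytes come from /sys/firmware/efi/efivars/<name>-<guid>.

```python
"""Read Secure Boot state and the db/dbx databases as efivarfs exposes them, and
decide whether an image hash may boot.

Added example for this deck, not code from the talk and not efitools. The
variable contents and the owner GUID below are constructed placeholders; on a
real machine the same bytes come from /sys/firmware/efi/efivars/<name>-<guid>."""
import hashlib
import struct
import uuid

EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")         # PK, KEK, SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")             # entry: SHA-256 of an image
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")               # entry: DER certificate
EFIVARS = "/sys/firmware/efi/efivars"


def efivar_path(name, guid):
    """efivarfs file names are <VariableName>-<VendorGUID>."""
    return f"{EFIVARS}/{name}-{guid}"


def split_efivar(blob):
    """efivarfs prefixes each variable's data with its 4-byte attribute word."""
    attrs = struct.unpack_from("<I", blob, 0)[0]
    return attrs, bytes(blob[4:])


def boot_state(secureboot_blob, setupmode_blob):
    """SetupMode=1 means no PK is enrolled: keys are writable and nothing is verified."""
    secure = split_efivar(secureboot_blob)[1][0]
    setup = split_efivar(setupmode_blob)[1][0]
    if setup:
        return "setup mode"
    return "user mode, Secure Boot " + ("enforcing" if secure else "disabled")


def build_signature_list(sig_type, owner, entries):
    """EFI_SIGNATURE_LIST: type GUID, three sizes, then EFI_SIGNATURE_DATA entries
    (owner GUID + data) that all share one size within the list."""
    sig_size = 16 + len(entries[0])
    if any(16 + len(e) != sig_size for e in entries):
        raise ValueError("all entries of one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def parse_signature_lists(payload):
    """Return (type, owner, data) for every entry of a chain of EFI_SIGNATURE_LISTs."""
    out, off = [], 0
    while off + 28 <= len(payload):
        sig_type = uuid.UUID(bytes_le=bytes(payload[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 or off + list_size > len(payload) or sig_size <= 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=bytes(payload[pos:pos + 16]))
            out.append((sig_type, owner, bytes(payload[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return out


def image_allowed(image_hash, db_blob, dbx_blob):
    """Firmware order of evaluation: a dbx hit rejects the image whatever db says.
    Only hash entries are handled; an X.509 entry would need the image's
    Authenticode signature verified against the certificate."""
    def hashes(blob):
        return {d for t, _, d in parse_signature_lists(split_efivar(blob)[1]) if t == EFI_CERT_SHA256}
    if image_hash in hashes(dbx_blob):
        return False
    return image_hash in hashes(db_blob)


# Constructed sample variables. 0x27 = NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE, as a real db/dbx has.
OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")   # placeholder SignatureOwner, not a vendor GUID
PLACEHOLDER_DER = b"\x30\x82\x00\x10" + b"\0" * 16          # stands in for a DER certificate
GOOD_LOADER = hashlib.sha256(b"constructed loader A").digest()
REVOKED_LOADER = hashlib.sha256(b"constructed loader B").digest()
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_signature_list(EFI_CERT_X509, OWNER, [PLACEHOLDER_DER])
             + build_signature_list(EFI_CERT_SHA256, OWNER, [GOOD_LOADER, REVOKED_LOADER]))
SAMPLE_DBX = struct.pack("<I", 0x27) + build_signature_list(EFI_CERT_SHA256, OWNER, [REVOKED_LOADER])
SAMPLE_SECUREBOOT = struct.pack("<I", 0x06) + b"\x01"      # BS|RT, value 1
SAMPLE_SETUPMODE = struct.pack("<I", 0x06) + b"\x00"

if __name__ == "__main__":
    print(efivar_path("SecureBoot", EFI_GLOBAL_VARIABLE), "->", boot_state(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    for sig_type, owner, data in parse_signature_lists(split_efivar(SAMPLE_DB)[1]):
        kind = "sha256" if sig_type == EFI_CERT_SHA256 else "x509" if sig_type == EFI_CERT_X509 else sig_type
        print(efivar_path("db", EFI_IMAGE_SECURITY_DATABASE), kind, data[:8].hex(), "owner", owner)
    print("loader A allowed:", image_allowed(GOOD_LOADER, SAMPLE_DB, SAMPLE_DBX))
    print("loader B allowed:", image_allowed(REVOKED_LOADER, SAMPLE_DB, SAMPLE_DBX))
```

The sizes checks in parse_signature_lists matter in practice: a firmware that trusts a malformed list size from a variable it writes itself is one thing, but tooling that reads variables dumped from unknown machines should not walk past the end of the buffer.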
Typical scenario
● Since autumn 2012 (Windows 8 launch)
● UEFI Secure Boot
● Enabled by default, sometimes even forced on
● Microsoft 'keys' pre-installed (KEK and db)
Linux locked out ?!?
Linux: Options and Opportunities
Options
● Setup mode
● Replace keys
● MS signed Linux bootloader
Option I – Setup mode
● Insecure: nothing is verified
● Not always possible: the firmware has to offer it
● A step backwards
Option II – Replace keys
● Linux distribution ...
– ... specific
– ... independent
● 3rd party support needed
● Tools needed
Replacing keys – more details
● X.509 certificates
● Generation via openssl
● Tools for EFI binary signing
● Multi-OS configuration tricky: the other OS's certificates have to be carried over into the new db
Replacing keys – tools
● pesign
● sbsigntools
● efitools
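The complete Option II procedure, as an added example that is not a script from the talk or from efitools/sbsigntools: the functions return the exact command lines (openssl req, cert-to-efi-sig-list, sign-efi-sig-list, efi-readvar, efi-updatevar, sbsign, sbverify) and encode the rule that matters for security, namely which key signs which variable update and that the PK is enrolled last. The work directory, the owner GUID and the CN strings are placeholders; run() executes the plan only when asked and refuses if a tool is missing.

```python
"""Plan (and optionally run) a full Secure Boot key replacement with openssl,
efitools and sbsigntools, encoding which key may sign which variable update.

Added example for this deck, not a script from the talk or from those projects.
Paths and the owner GUID are placeholders; the command-line syntax is that of
openssl req, efitools (cert-to-efi-sig-list, sign-efi-sig-list, efi-readvar,
efi-updatevar) and sbsigntools (sbsign, sbverify)."""
import shutil
import subprocess

OWNER_GUID = "11111111-2222-4333-8444-555555555555"   # placeholder SignatureOwner, pick your own

# A signed update to a variable must be signed by the key holder listed here:
# PK and KEK updates need the Platform Key, db/dbx updates need a KEK.
UPDATE_SIGNER = {"PK": "PK", "KEK": "PK", "db": "KEK", "dbx": "KEK"}


def signer_for(var):
    return UPDATE_SIGNER[var]


def plan_key_replacement(workdir, owner_guid=OWNER_GUID, cn="Example owner", keep_esl=()):
    """Commands to back up the current keys, create PK/KEK/db and produce signed .auth updates.
    keep_esl: extra EFI_SIGNATURE_LISTs (e.g. the old db dumped by efi-readvar, which carries
    Microsoft's certificates) appended to db so Windows and signed option ROMs keep booting."""
    w = workdir.rstrip("/")
    cmds = [["efi-readvar", "-v", v, "-o", f"{w}/{v}-orig.esl"] for v in ("PK", "KEK", "db", "dbx")]
    for var in ("PK", "KEK", "db"):
        # one self-signed X.509 certificate + RSA key per role
        cmds.append(["openssl", "req", "-new", "-x509", "-newkey", "rsa:2048", "-sha256", "-nodes",
                     "-days", "3650", "-subj", f"/CN={cn} {var}/",
                     "-keyout", f"{w}/{var}.key", "-out", f"{w}/{var}.crt"])
        # wrap the certificate in an EFI_SIGNATURE_LIST tagged with our owner GUID
        cmds.append(["cert-to-efi-sig-list", "-g", owner_guid, f"{w}/{var}.crt", f"{w}/{var}.esl"])
    for var in ("PK", "KEK", "db"):
        s = signer_for(var)   # PK.auth and KEK.auth signed by PK, db.auth signed by KEK
        cmds.append(["sign-efi-sig-list", "-k", f"{w}/{s}.key", "-c", f"{w}/{s}.crt",
                     var, f"{w}/{var}.esl", f"{w}/{var}.auth"])
    for i, esl in enumerate(keep_esl):    # append-writes to db, also signed with the KEK
        cmds.append(["sign-efi-sig-list", "-a", "-k", f"{w}/KEK.key", "-c", f"{w}/KEK.crt",
                     "db", esl, f"{w}/db-extra{i}.auth"])
    return cmds


def plan_enrolment(workdir, n_extra=0):
    """Write the signed updates into the firmware variables (needs setup mode and root)."""
    w = workdir.rstrip("/")
    cmds = [["efi-updatevar", "-f", f"{w}/db.auth", "db"]]
    cmds += [["efi-updatevar", "-a", "-f", f"{w}/db-extra{i}.auth", "db"] for i in range(n_extra)]
    cmds.append(["efi-updatevar", "-f", f"{w}/KEK.auth", "KEK"])
    cmds.append(["efi-updatevar", "-f", f"{w}/PK.auth", "PK"])   # last: enrolling a PK ends setup mode
    return cmds


def plan_signing(workdir, efi_in, efi_out):
    """Sign a bootloader or kernel with the db key and verify it against the db certificate."""
    w = workdir.rstrip("/")
    return [["sbsign", "--key", f"{w}/db.key", "--cert", f"{w}/db.crt", "--output", efi_out, efi_in],
            ["sbverify", "--cert", f"{w}/db.crt", efi_out]]


def run(cmds, dry_run=True):
    """Print the plan; with dry_run=False execute it, failing early if a tool is missing."""
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            if shutil.which(cmd[0]) is None:
                raise RuntimeError(f"{cmd[0]} not installed")
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    run(plan_key_replacement("/tmp/sbkeys", keep_esl=["/tmp/sbkeys/db-orig.esl"]))
    run(plan_enrolment("/tmp/sbkeys", n_extra=1))
    run(plan_signing("/tmp/sbkeys", "grubx64.efi", "grubx64.efi.signed"))
```

Two things the plan makes explicit that are easy to get wrong by hand: the db update is signed with the KEK, not the PK, and dropping Microsoft's certificates from the new db is what makes a multi-OS box (and many machines whose graphics option ROMs are Microsoft-signed) stop booting, hence the append-write of the old db contents. Keep the PK private key offline; it is only needed again to change the KEK.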
Option III – MS signed bootloader
● Microsoft's signing is needed
● Again: Linux distribution ...
– ... specific
– ... independent
● Bootloader maintenance?
MS signed bootloader – Idea
● Two-stage bootloader
● First stage small & static, so it has to be signed only once
● Sits between UEFI and the Linux bootloader
MS signed bootloader – PreLoader.efi
● Linux Foundation
● To enable ALL Linux bootloaders
● No additional security
● Recently reworked
● Helper tools
– PreLoader.efi: the Microsoft-signed first stage
– HashTool.efi: enrols the hash of the next stage the machine owner wants to allow
MS signed bootloader – the shim
● Originally from Red Hat
● First version quite static: distribution certificate compiled in
● Does not support all bootloaders
– Yes: eLILO, GRUB, GRUB2
– No: Gummiboot, efilinux
Machine Owner
● Originally from SUSE
● Machine Owner Keys (MOK): certificates the machine owner enrols, managed with MokManager
● Integrated in shim v2
Extending the SB trust chain
● Several certificates
– Microsoft
– Linux distribution
● Signed bootloader
● Signed kernel core binary
● Signed kernel modules
● ..?!?
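The last link of that chain, kernel modules, carries its signature in an envelope the kernel appends to the .ko file. The following added example (mine, not from the talk or from the kernel tree) builds and parses that envelope in the PKCS#7 form current kernels use, applying the same sanity rules as the kernel's module signature check. The module bytes and the PKCS#7 blob are constructed placeholders, and the signature itself is not verified here; that needs the signer's X.509 certificate, exactly as in the kernel.

```python
"""Parse and build the signature envelope Linux appends to signed kernel modules
("~Module signature appended~"), the last link of the Secure Boot trust chain.

Added example for this deck, not from the kernel tree. The module and the
PKCS#7 blob below are constructed placeholders and the signature is not verified."""
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PGP, PKEY_ID_X509, PKEY_ID_PKCS7 = 0, 1, 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], sig_len (big-endian)
SIG_INFO = struct.Struct(">BBBBB3sI")


def append_signature(module, pkcs7):
    """What scripts/sign-file produces for the PKCS#7 (id_type 2) format:
    module data, PKCS#7 blob, struct module_signature, magic string."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7))
    return module + pkcs7 + info + MODULE_SIG_STRING


def strip_signature(ko):
    """Return (module_bytes, info) or (ko, None) for an unsigned module,
    with the same sanity checks the kernel applies before looking at the signature."""
    if not ko.endswith(MODULE_SIG_STRING):
        return ko, None
    body = ko[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("file too short for a module_signature")
    algo, hsh, id_type, signer_len, key_id_len, pad, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    if id_type == PKEY_ID_PKCS7 and (algo or hsh or signer_len or key_id_len or pad != b"\0\0\0"):
        raise ValueError("PKCS#7 signatures must have algo/hash/signer/key_id/pad zeroed")
    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("signature lengths exceed module size")
    module, tail = body[:len(body) - total], body[len(body) - total:]
    return module, {
        "id_type": id_type,
        "signer": tail[:signer_len],                          # only present in the old X.509 format
        "key_id": tail[signer_len:signer_len + key_id_len],
        "signature": tail[signer_len + key_id_len:],
    }


if __name__ == "__main__":
    fake_module = b"\x7fELF" + b"constructed module body " * 4   # placeholder, not a real .ko
    fake_pkcs7 = b"\x30\x82\x02\x00" + bytes(range(40))           # placeholder, not real PKCS#7
    signed = append_signature(fake_module, fake_pkcs7)
    module, info = strip_signature(signed)
    print("signed:", info is not None, "id_type:", info["id_type"], "sig bytes:", len(info["signature"]))
    print("module intact:", module == fake_module)
```

This is the envelope that modinfo reports as signer, sig_key and signature. Note the ordering: the kernel only locates the PKCS#7 blob through sig_len and then has the X.509 parser check it against the keys in its trusted keyring (the distribution's certificate built into the kernel, plus, on Secure Boot systems with a recent shim, the MOK list); enrolling your own MOK is what lets self-built modules pass that check.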
Distributor approaches
● Enterprise
– In place: Ubuntu LTS
– Announced: SUSE
– Unknown: Red Hat, Oracle
● Community
– In place: Ubuntu, Fedora, openSUSE, ...
– Announced: ...
– Unknown: Debian and derivatives
What else?
ARM
● In the UEFI Forum since 2008
● Stricter Microsoft mandate: on Windows RT devices Secure Boot must not be switchable off
● UEFI ARM boards available but ...
Problems
● Samsung: firmware bricked
● Toshiba: missing keys
● Lenovo: boots only Windows 8 and RHEL
● Microsoft: leaked keys
Summary
Takeaways
● Linux almost ready
– In general
– Enterprise sector
● Opportunity, not pain
● Homework to be done
References
● http://www.uefi.org
● http://mjg59.dreamwidth.org
● http://blog.hansenpartnership.com
● http://www.sxc.hu
Thank you!