Trying out UEFI boot security on a recent Linux system
Hardware Platforms
All the systems we investigated allow changes to the certificate stores on which the Secure Boot process is based. For this purpose, however, you often need additional software, such as the EFI Tools, which are available under a free license. Using UEFI Setup, you can load the keys originally shipped by the manufacturer into the certificate store on all systems to revert to the initial state as defined by the manufacturer. Also, the UEFI Setup interface lets you change to the Setup mode in all cases and thus modify the certificate store.
Out of the systems we tested, only the Dell system supported targeted insertion or removal of individual certificates or hashes using UEFI Setup. For all computers, it was at least possible, however, to modify the certificate store in Setup mode using the EFI tools.
All systems provided the ability to disable Secure Boot. Furthermore, all the manufacturers provided the certificates required by the Windows Hardware Certification Requirements, including the optional Microsoft Corporation UEFI CA 2011 certificate. Some manufacturers additionally installed their own certificates.
The software pre-installed on the EFI partition is essentially no more than diagnostic software from the vendors.
On every system, the user can influence the Secure Boot functionality: users can disable Secure Boot, switch to Setup mode, and load their own key material. In some cases UEFI Setup is sufficient for this; in most cases, however, you need to resort to other tools, such as EFI Tools.
Practical Test
To check the extent to which current operating systems can run on the selected hardware platforms while using Secure Boot, we performed a number of test installations on each platform. We also checked to see whether the system starts properly after installation and is thus basically functional.
If the operating system supported Secure Boot, we analyzed its implementation. If Secure Boot support was not present, we took additional steps to make the system suitable for enabling Secure Boot.
We tested the following operating systems:
- Microsoft Windows 8 Pro
- Red Hat Enterprise Linux 6.4
- Ubuntu 13.04
- Debian 7.1.0
- Fedora 19
- FreeBSD 9.2
Results
In spite of the relatively new technology and the comprehensive specification, Secure Boot works on all tested platforms with the operating systems we used. Starting a signed UEFI application such as a bootloader works, provided that the appropriate certificate is included in the db certificate store of the UEFI firmware. Launching such an application is denied if a suitable certificate does not exist in the certificate store. Similarly, verification of UEFI applications based on hashes works well.
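The db store the firmware consults is a chain of EFI_SIGNATURE_LIST structures. The following added example (not code from the article) walks such a blob and answers the question the firmware asks for hash-enrolled images: is this image's hash in db? The db contents, owner GUID and image bytes are constructed for the demonstration.

```python
"""Walk a UEFI Secure Boot 'db' variable (a chain of EFI_SIGNATURE_LIST
structures) and test whether an image's SHA-256 hash is enrolled.
Added example with a constructed db; efivarfs files carry 4 attribute
bytes before this data (strip them first)."""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for every EFI_SIGNATURE_DATA entry."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each entry: 16-byte owner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_sha256_list(hashes, owner):
    """Encode one EFI_SIGNATURE_LIST of SHA-256 hashes (used for the sample db)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


def hash_allowed(db_blob, digest):
    """Hash-based authorisation: is this digest enrolled in db as EFI_CERT_SHA256?
    For real PE images the enrolled value is the Authenticode digest, not a
    plain file hash; certificate-signed images take the X.509 path instead."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest
               for t, _, d in parse_signature_lists(db_blob))


# Constructed sample: an owner GUID, one "enrolled" image and one unknown image.
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
ENROLLED = hashlib.sha256(b"constructed signed EFI application").digest()
UNKNOWN = hashlib.sha256(b"constructed unsigned EFI application").digest()
SAMPLE_DB = build_sha256_list([ENROLLED], OWNER)
```

Against a real system, read the db file from efivarfs, drop its first four bytes and pass the rest to `parse_signature_lists` to see which hashes and certificates the firmware will honour.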
Furthermore, it is possible to install and run the Windows 8 Pro, Ubuntu 13.04, and Fedora 19 operating systems with Secure Boot enabled. The other operating systems we looked at – Red Hat Enterprise Linux 6.4, FreeBSD 9.2, and Debian 7.1.0 – do not support Secure Boot and therefore have to be installed with Secure Boot disabled. However, we found that we could modify these systems relatively easily to support Secure Boot.
We found significant differences in how the various systems actually integrate the Secure Boot security enhancements. For instance, the security gains are low if you use Ubuntu 13.04: although the bootloader is verified, the kernel and its modules are not effectively verified. In contrast, Fedora 19 verifies not only the bootloader but also the kernel and its modules.
FreeBSD is planning an implementation similar to the one already introduced by Fedora. Although Windows 8 Pro also performs a check of the bootloader and the kernel, an assessment of the effectiveness of protective measures is considerably more difficult than in the Linux systems we examined. The difficulty is mainly due to the complex procedure for verifying loadable kernel components such as drivers. To detect malicious software, Microsoft relies on collaboration between the kernel and anti-malware products.
The effectiveness of the protections depends on the quality of the product you use. We didn't include Microsoft's recent ELAM technology in this study because of its complexity. Furthermore, the changes listed below for Debian 7.1.0, which can also be performed on Red Hat Enterprise 6.4 and FreeBSD 9.2, only offer minor security gains. The results of these tests appear in Table 2.
Table 2: Test Results

| | Windows 8 Pro | Red Hat Enterprise Linux 6.4 | Debian 7.1.0 | FreeBSD 9.2 | Ubuntu 13.04 | Fedora 19 |
|---|---|---|---|---|---|---|
| Is Secure Boot support in operation? | Yes | No | No | No | Yes | Yes |
| Is Secure Boot supported during installation? | Yes | No | No | No | Yes | Yes |
| Is retroactive support by Shim possible? | – | Yes | Yes | Yes | – | – |
| Effective handling of the verification chain | Bootloader, kernel (conditionally) | Shim | Shim | Shim | Shim, Grub | Shim, Grub2, kernel, kernel modules |