Linux control over Secure Boot
Better Boots

The Shim bootloader lets Linux users regain some control over the Secure Boot process.
The UEFI Secure Boot feature ensures that only software with a valid digital signature launches on a computer. UEFI searches for a bootloader on the SSD or hard disk, verifies the digital signature from one of the certificates stored with UEFI, and, if the digital signature is valid, loads and activates the code.
The bootloader searches for the operating system, verifies the digital signature, and launches the operating system. Once the operating system is launched, it only loads kernel modules and drivers that have a valid digital signature.
The idea is that, if all components only load code from trustworthy sources, it is much more difficult for malware authors hiding away in the grubby corners of the Internet to smuggle their software into the boot process.
One problem with UEFI Secure Boot for Linux developers and users is the control that Microsoft maintains over the system. Microsoft's market power means that every hardware manufacturer burns its own certificate as a Platform Key (PK), and then the Microsoft certificate is securely deposited into the Key Exchange Key (KEK) database and (authorized) database (DB) key on the motherboard (Figure 1). Therefore, x86 PCs and laptops initially only boot software with a signature by the grace of Microsoft.

Shim: An Alternative Approach
The thought of the Linux kernel needing a digital signature from Microsoft was too much for many Linux users, so Matthew Garrett created a program called the Shim bootloader, an open source alternative that integrates its own certificates. Ubuntu, Red Hat, SUSE, and Debian generate their own versions of Shim that include certificates issued by their companies.
Verisign/Symantec digitally signs the bootloader in Microsoft's stead so that the UEFI firmware will load Shim. Once Shim is loaded, it operates independently of the Microsoft verification chain. Shim has built-in certificate management that lets the owner of the computer store certificates called machine owner keys (MOKs).
Recovering Autonomy
Shim lets large distributors such as Ubuntu, SUSE, and Red Hat win back control of hardware. Using the Canonical certificate stored in Shim, for instance, Ubuntu distros sign the GRUB 2 bootloader. The firmware boots Shim, Shim boots GRUB 2, and GRUB 2 boots the operating system (Figure 2).
The user doesn't notice Secure Boot at first. For example, if you install Ubuntu on a computer with Secure Boot enabled, the installation routine places the signed Shim bootloader and GRUB 2 on the SSD or hard disk and installs the digitally signed kernel, along with verifiable modules and drivers. If Secure Boot is not enabled, the operating system installer copies the various components onto the computer without a digital signature.
Switching Off
If you try to install VirtualBox on a Secure Boot Linux machine, the host computer might object and refuse to load the necessary kernel module because it has no valid digital signature. This behavior occurs in all third-party packages that provide their own modules or drivers. With physical access to the computer, you can inelegantly deactivate the verification of digital signatures by the Linux kernel with Shim by typing the command:
sudo mokutil --disable-validation
The mokutil
tool requires you to enter a one-time password. After that, mokutil
does not deactivate the check itself, but it sets up the Shim bootloader so that it asks for the password at the next reboot and performs the desired configuration after the correct password is input. After a reboot, Shim expects you to enter the one-time password within a short time frame.
In Shim, select Change Secure Boot state in the selection box (Figure 3). After entering the previously defined one-time password, the compulsory verification of digital signatures is deactivated. However, deactivating verification means that you lose the protection offered by Secure Boot. (You can also switch off Secure Boot directly in the UEFI setup.)
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
News
-
Another New Linux Laptop has Arrived
Slimbook has released a monster of a Linux gaming laptop.
-
Mozilla VPN Now Available for Linux
The promised subscription-based VPN service from Mozilla is now available for the Linux platform.
-
Wayland and New App Menu Coming to KDE
The 2021 roadmap for the KDE desktop environment includes some exciting features and improvements.
-
Deepin 20.1 has Arrived
Debian-based Deepin 20.1 has been released with some interesting new features.
-
CloudLinux Commits Over 1 Million Dollars to CentOS Replacement
An open source, drop-in replacement for CentOS is on its way.
-
Linux Mint 20.1 Beta has Been Released
The first beta of Linux Mint, Ulyssa, is now available for downloading.
-
Manjaro Linux 20.2 has Been Unleashed
The latest iteration of Manjaro Linux has been released with a few interesting new features.
-
Patreon Project Looks to Bring Linux to Apple Silicon
Developer Hector Martin has created a patreon page to fund his work on developing a port of Linux for Apple Silicon Macs.
-
A New Chrome OS-Like Ubuntu Remix is Now Available
Ubuntu Web looks to be your Chrome OS alternative.
-
System76 Refreshes the Galago Pro Laptop
Linux hardware maker has revamped one of their most popular laptops.