Linux control over Secure Boot
Better Boots

The Shim bootloader lets Linux users regain some control over the Secure Boot process.
The UEFI Secure Boot feature ensures that only software with a valid digital signature launches on a computer. The firmware searches for a bootloader on the SSD or hard disk, checks that its digital signature chains to one of the certificates stored in the firmware's authorized signature database (and that the binary is not listed in the forbidden database, dbx), and, if the check succeeds, loads and runs the code.
The bootloader in turn verifies the kernel's digital signature before launching it. Once the kernel is running in this mode, it loads only kernel modules and drivers that carry a valid digital signature.
The idea is that, if all components only load code from trustworthy sources, it is much more difficult for malware authors hiding away in the grubby corners of the Internet to smuggle their software into the boot process.
One problem with UEFI Secure Boot for Linux developers and users is the control that Microsoft retains over the system. The hardware manufacturer enrolls its own certificate as the Platform Key (PK), and Microsoft's market power means that the manufacturer also deposits Microsoft's certificates in the Key Exchange Key database (KEK) and the authorized signature database (db) on the motherboard (Figure 1). The PK authorizes changes to the KEK, the KEK authorizes changes to db and dbx, and only what db allows may boot. Out of the box, therefore, an x86 PC or laptop boots only software whose signature chains to a Microsoft certificate.
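To see which certificates and hashes a machine actually trusts, you can read the PK, KEK, db and dbx variables from efivarfs and walk the EFI_SIGNATURE_LIST structures they contain. The following script is an added example for this article, not code from the Shim project or from any distribution; the variable GUIDs and struct layout follow the UEFI specification, the owner GUID and certificate bytes in the sample blob are placeholders constructed for an offline run, and the placeholder is not a real DER certificate.

```python
"""Parse UEFI Secure Boot signature databases (PK, KEK, db, dbx).

Added example for the article; not code from Shim or any distribution.
Reads the EFI_SIGNATURE_LIST format the firmware stores in the PK, KEK, db
and dbx variables, so it can be pointed at /sys/firmware/efi/efivars on a
real machine. The sample blob at the bottom is constructed here so the
script runs offline; its certificate bytes are a placeholder, not DER.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# Variable namespaces from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"         # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3a3d-4596-a3bc-dad00e67656f"  # db, dbx

# Signature types that matter for Secure Boot (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}

EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Walk every EFI_SIGNATURE_LIST in a variable; return one dict per entry."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        if list_size < LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        sig_type = SIG_TYPES.get(uuid.UUID(bytes_le=type_raw), "unknown")
        pos = off + LIST_HEADER.size + hdr_size
        end = off + list_size
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID plus the data;
        # SignatureSize covers both, and the entries must tile the list exactly.
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append({
                "type": sig_type,
                "owner": str(owner),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos += sig_size
        off = end
    return entries


def read_efivar(name, guid):
    """Read a variable from efivarfs; the first 4 bytes are the attribute flags."""
    raw = (EFIVARS / ("%s-%s" % (name, guid))).read_bytes()
    return raw[4:]


def build_signature_list(sig_type_guid, owner, datas):
    """Build one EFI_SIGNATURE_LIST (used only to construct the offline sample)."""
    sig_size = 16 + len(datas[0])
    body = b"".join(uuid.UUID(owner).bytes_le + d for d in datas)
    hdr = LIST_HEADER.pack(uuid.UUID(sig_type_guid).bytes_le,
                           LIST_HEADER.size + len(body), 0, sig_size)
    return hdr + body


# Constructed sample db: one placeholder "certificate" (40 bytes, not real DER)
# and two SHA-256 hashes. The owner GUID is a made-up value for the example.
SAMPLE_DB = (
    build_signature_list("a5c059a1-94e4-4aa7-87b5-ab155c2bf072",
                         "11111111-2222-3333-4444-555555555555",
                         [b"\x30\x82" + b"\x00" * 38])
    + build_signature_list("c1c41626-504c-4092-aca9-41f936934328",
                           "11111111-2222-3333-4444-555555555555",
                           [hashlib.sha256(b"bootx64.efi").digest(),
                            hashlib.sha256(b"grubx64.efi").digest()])
)


def sample_entries():
    """Parse the constructed sample; used when efivarfs is not available."""
    return parse_signature_lists(SAMPLE_DB)


if __name__ == "__main__":
    for name, guid in (("PK", EFI_GLOBAL_VARIABLE), ("KEK", EFI_GLOBAL_VARIABLE),
                       ("db", EFI_IMAGE_SECURITY_DATABASE), ("dbx", EFI_IMAGE_SECURITY_DATABASE)):
        try:
            entries = parse_signature_lists(read_efivar(name, guid))
        except OSError:
            entries = sample_entries() if name == "db" else []
        print("%s: %d entries" % (name, len(entries)))
        for e in entries:
            print("  %-7s owner=%s %5d bytes sha256=%s" % (e["type"], e["owner"], e["size"], e["sha256"][:16]))
```

On a real machine the efivarfs read needs no root (the variables are world-readable), and the output should line up with what mokutil --db and mokutil --kek print, which is the quickest cross-check that the parser is walking the lists correctly.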

Shim: An Alternative Approach
The prospect of the Linux kernel itself needing a digital signature from Microsoft was too much for many Linux users, so Matthew Garrett created the Shim bootloader, an open source first-stage loader that carries its own certificate. Ubuntu, Red Hat, SUSE, and Debian each build their own version of Shim with a certificate issued by their own organization embedded in it.
Microsoft itself signs each distribution's Shim build with its third-party UEFI CA (the Microsoft Corporation UEFI CA 2011), which is why stock firmware loads Shim; the Verisign/Symantec certificate sometimes mentioned in this context is only the credential a distributor needs to submit the binary to Microsoft's signing service. Once Shim is loaded, it operates independently of the Microsoft verification chain. Shim also maintains its own key store: the owner of the computer can enroll additional certificates, called Machine Owner Keys (MOKs), which Shim keeps in a UEFI variable (MokList) and trusts alongside the distributor's built-in certificate.
Recovering Autonomy
Shim lets distributors such as Ubuntu, SUSE, and Red Hat win back control of the hardware. Ubuntu, for instance, signs its GRUB 2 bootloader with the Canonical key whose certificate is embedded in its Shim. The firmware verifies and boots Shim, Shim verifies and boots GRUB 2, and GRUB 2 verifies and boots the kernel (Figure 2).
The user does not notice Secure Boot at first. If you install Ubuntu on a computer with Secure Boot enabled, the installer places the signed Shim and GRUB 2 binaries on the SSD or hard disk and installs the digitally signed kernel along with signed modules and drivers. With Secure Boot disabled, the same signed components are installed, but the firmware and the kernel simply do not enforce the signatures.
Switching Off
If you try to install VirtualBox on a Linux machine booted with Secure Boot, the host computer might object and refuse to load the necessary kernel module (vboxdrv) because it carries no valid digital signature. The same happens with every third-party package that provides its own modules or drivers built outside the distribution's signing process. Whether Secure Boot and Shim's validation are currently active on a machine is shown by mokutil --sb-state. With physical access to the computer, you can inelegantly deactivate the kernel's verification of digital signatures via Shim by typing the command:
sudo mokutil --disable-validation
The mokutil tool asks you to define a one-time password. It does not deactivate the check itself; it records the request in a UEFI variable so that MokManager, Shim's companion program, prompts for the password at the next reboot and applies the change only after the correct password is entered. After a reboot, MokManager expects you to enter the one-time password within a short time frame.
In MokManager, select Change Secure Boot state in the selection box (Figure 3). After entering the previously defined one-time password, compulsory verification of digital signatures is deactivated. Keep in mind that deactivating verification means losing the protection offered by Secure Boot. (You can also switch off Secure Boot directly in the UEFI setup.) The less drastic alternative is to enroll your own Machine Owner Key with mokutil --import and sign the third-party module with that key, which keeps verification active for everything else.
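What the kernel actually checks when it rejects vboxdrv is a signature trailer appended to the .ko file: sign-file from the kernel tree (invoked as sign-file sha256 MOK.priv MOK.der vboxdrv.ko after the MOK has been enrolled) appends a PKCS#7 blob, a struct module_signature and the marker string "~Module.sig~\n", and the kernel's mod_check_sig() reads them back before it verifies the blob against its keyrings. The script below is an added example for this article, not code from the kernel, Shim or VirtualBox; it parses that trailer so you can tell a signed module from an unsigned one, and the "module" and "signature" bytes at the bottom are constructed placeholders (not a real ELF object or a real PKCS#7 structure) so it runs offline.

```python
"""Inspect the appended signature the kernel checks before loading a module.

Added example for the article, not code from the kernel, Shim or VirtualBox.
The trailer layout follows include/linux/module_signature.h:
    <module> <PKCS#7 blob> <struct module_signature> "~Module.sig~\n"
This script only parses the format; the cryptographic verification against
the built-in, platform and MOK keyrings happens inside the kernel.
"""
import struct
import sys

MODULE_SIG_STRING = b"~Module.sig~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len (big-endian).
MOD_SIG = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(ko):
    """Return the trailer fields as a dict, or None if the module is unsigned."""
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[:-len(MODULE_SIG_STRING)]
    if len(body) < MOD_SIG.size:
        raise ValueError("marker present but no struct module_signature")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = MOD_SIG.unpack(body[-MOD_SIG.size:])
    body = body[:-MOD_SIG.size]
    # Same sanity checks mod_check_sig() applies: with PKCS#7 the signer and
    # algorithm live inside the blob, so the legacy per-field lengths must be
    # zero, and the signature must fit inside what is left of the file.
    if id_type != PKEY_ID_PKCS7 or algo or hsh or signer_len or key_id_len:
        raise ValueError("unsupported signature format in trailer")
    if sig_len >= len(body):
        raise ValueError("sig_len does not fit in module")
    return {
        "id_type": "PKCS#7",
        "sig_len": sig_len,
        "pkcs7": body[len(body) - sig_len:],
        "payload_len": len(body) - sig_len,
    }


def append_signature(ko, pkcs7):
    """Mimic the framing sign-file adds after producing the PKCS#7 blob (no crypto)."""
    trailer = MOD_SIG.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return ko + pkcs7 + trailer + MODULE_SIG_STRING


def describe(ko):
    """One-line verdict on a module image."""
    sig = parse_module_signature(ko)
    if sig is None:
        return "unsigned: a kernel booted with Secure Boot validation will refuse to load it"
    return "signed: PKCS#7 blob of %d bytes over %d bytes of module" % (
        sig["sig_len"], sig["payload_len"])


# Constructed sample data (placeholders, not a real ELF object or PKCS#7 blob).
UNSIGNED_KO = b"\x7fELF" + b"\x00" * 60
FAKE_PKCS7 = b"\x30\x82" + b"\xaa" * 30
SIGNED_KO = append_signature(UNSIGNED_KO, FAKE_PKCS7)

if __name__ == "__main__":
    # Usage: python3 modsig.py /lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SIGNED_KO
    print(describe(data))
```

A module that parses as signed can still be rejected: the kernel additionally requires the PKCS#7 signer to be in one of its trusted keyrings, which is exactly what enrolling the MOK through MokManager provides. Comparing the output with modinfo -F sig_id and modinfo -F signer on the same file is a quick way to confirm the parser agrees with the kernel's own view.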