Biz & IT —

Fedora could seek Microsoft code signing to contend with secure boot

A bootloader signed by MS would make Fedora easy to install on Windows 8 PCs.

This penguin is also contemplating boots.
This penguin is also contemplating boots.

Future versions of Fedora could come with a bootloader that is signed by Microsoft, a move that would ensure that the Linux distribution is easy to install on computers with the secure boot mechanism. The proposal was described in a blog entry this week by Red Hat kernel developer Matthew Garrett.

Microsoft’s compatibility certification criteria for Windows 8 requires PC vendors to adopt UEFI and enable secure boot. The transition to signed bootloaders will help protect users against certain kinds of malware, but it could also pose an obstacle for for users who want to run third-party operating systems.

In a hardware environment with secure boot, the code that bootstraps the operating system must be signed with a key that corresponds with a certificate stored in the computer’s firmware. The computer will refuse to execute code that lacks a trusted signature. The purpose of this mechanism is to prevent arbitrary, untrusted code from running during startup and tampering with the operating system.

In order to accommodate Linux and the long tail of other operating systems, PC vendors are required to provide a path for end users to install their own custom secure boot certificates or disable secure boot entirely. These options will satisfy the needs of enthusiasts who don’t want to sacrifice the freedom and flexibility that have historically been available on x86 hardware.

That solution is not without problems, however. Disabling secure boot would leave the user exposed to some malware threats. More importantly, the process of installing a custom certificate will likely not be easy enough for non-technical and inexperienced users. That means it isn’t an acceptable compromise for Linux distributions that want to offer the lowest possible barrier to entry for new users.

According to Garrett, the simplest solution is for the Fedora project to use Microsoft’s signing service to sign the Linux distribution’s bootloader. Enrolling in the signing service will require Fedora to make a one-time payment of $99 to Verisign.

Garrett’s plan calls for using the signing service on a lightweight bootloader shim that will be responsible for initiating GNU’s GRUB bootloader. Isolating the signature to a very thin bootloader initialization layer will make it so that the Fedora developers won’t have to deal with Microsoft’s manual signing process every time that they want to push out an update to GRUB.

In order for the technical advantages of the secure boot mechanism to be fully realized, however, all of the code in the platform that has direct interaction with hardware has to be trustworthy, too. A malicious party could theoretically use the Linux kernel’s low-level hardware access to compromise a Windows installation on the same computer or tamper with the firmware.

If that is possible on a Fedora system with a signed bootloader, then Fedora’s signing privileges would be revoked and the operating system would no longer be able to run in a secure boot environment. To prevent such a scenario from occurring, Fedora will set up its own signing system that will be applied to the kernel and other security-sensitive layers of the stack below the Microsoft-signed bootloader initialization layer.

As Garrett acknowledged in his blog post, it’s not really clear yet if this approach can be made to accommodate third-party Linux drivers that are maintained outside of the kernel source code. Although the practice of maintaining drivers outside of the tree is strongly discouraged in Linux development, the reality is that there are still some important drivers that are developed in that fashion—particularly proprietary graphics drivers.

Code signing and secure boot represent a transition to a more appliance-like computing model. Although that trend is distressing to sophisticated Linux enthusiasts who value technical freedom and autonomy, the clear security advantages are a boon to regular end users who need all the help that they can get to minimize the threat landscape. Fedora’s proposed solution isn’t ideal, but it’s a compromise that will work.

Channel Ars Technica