
Something about Secure Boot, the security feature that accompanies UEFI

  • May 19, 2023

Today I'm going to explain a little about Secure Boot, the security feature that accompanies UEFI, which has been and still is heavily criticized outside Microsoft circles. Although on paper it is supposed to be a standard, the way the Redmond giant promoted it was seen by many as an attempt to push alternative operating systems out of the market, starting with Linux and FreeBSD, which are the main rivals of Windows in the compatibility spectrum.

When it comes to Secure Boot, we find ourselves in two worlds that coexist with this feature in very different ways. On the one hand, we have Windows users who have never had to worry about compatibility because Microsoft has de facto served all hardware manufacturers.

On the other hand, there are alternative operating systems, starting with Linux. Here the position around Secure Boot has been diluted and diversified, to the extent that the feature currently has multiple defenders. Put simply, there are currently three camps: those who reject Secure Boot outright, those who oppose not the concept but the way it is managed, and those who have fully embraced it.

The use of Secure Boot in Linux has not been free of controversy and heated disputes: in Ubuntu, its implementation was found to be insecure because it skipped the boot function, while within the development of the Linux kernel itself, the inclusion of the Lockdown module was up in the air for seven years because those responsible disagreed on whether to bind it to Secure Boot or not. In case anyone was wondering, Linus Torvalds was against it, while Matthew Garrett, creator of Lockdown, was in favor.

Recently, systemd, which is basically the framework that determines how most major Linux distributions work, has been moving forward in adopting security mechanisms implemented at the motherboard level, which include the TPM required by Windows 11. Will we see a Linux in the future that requires a TPM to work? The community has enough power to prevent this for now.

As we can see, the real controversy around Secure Boot lies outside of Windows, and there is not much to say about Microsoft's system, which behaves here like a good football referee: if it does its job well, it gives no reason to talk (or write) about it.

What is Secure Boot

Secure Boot is a security standard developed by members of the PC industry to ensure that the software running on the computer is trusted by the manufacturer.

When the computer is turned on, the motherboard firmware checks the signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system. If the signature check succeeds, the computer completes the boot process and the firmware passes control to the operating system.

It is important to note that Secure Boot does not encrypt data storage and is independent of the TPM, although it is able to work together with the module required by Windows 11. Basically, Secure Boot just makes sure that the software has the required signature to be authorized to run on the computer.

Windows 8 and UEFI push

Microsoft sowed controversy with Windows 8, the failed converged operating system. Its best-remembered feature is the Modern UI, known as Metro in its development stages, a tiled interface for the Start menu that almost nobody liked. This rejection, which limited the spread of the system, caused Steve Sinofsky to quit Microsoft.

Another controversial aspect of Windows 8 was the app store, which was accused of trying to monopolize software distribution through a channel completely controlled by Microsoft. This caused many to raise their voices, including Valve and Epic Games. Who would have thought that years later, these two video game companies would become bitter rivals after the latter launched its own store in 2018.

But what really matters for this post is that Microsoft required OEMs to use UEFI and enable Secure Boot if they wanted to be certified for Windows 8. This move by Microsoft caught almost everyone responsible for Linux distributions by surprise: not only did they lack support for Secure Boot, which can be disabled in the vast majority of cases, but they were also unable to boot on UEFI because GRUB, the most widely used bootloader on this system, did not support this firmware interface.

Microsoft’s demand for UEFI and Secure Boot was a big push for both technologies and cost the Redmond giant a lawsuit that failed because x86 machines where Secure Boot cannot be disabled are not common.

With the passage of time and the availability of a third-party Secure Boot key for Linux, the landscape surrounding the open source operating system has changed considerably. For years there have been distributions like Ubuntu and Fedora that offer good support for Secure Boot, but if an NVIDIA graphics card is used with its official driver, the security feature must still be disabled.

However, despite improvements in Linux support, quite a few users of this system still think that UEFI and Secure Boot are two technologies that Microsoft will hijack and that respond only to its interests. As a result, the first thing they do in order to use the operating system of their choice without barriers is to disable Secure Boot.

Although the way UEFI arrived is questionable, not everything the firmware interface contributed was bad because, among other things, it served to standardize the GPT partition table over the old MBR, allowing for better integration between the operating system and motherboards (or their firmware). In Linux it also opened the door to fwupd, a daemon that allows the firmware used by hardware, from computers to peripherals, to be updated; however, even though the support it offers is improving, few manufacturers offer support through it.

The nuances between UEFI and Secure Boot

The campaign against Secure Boot has also turned against UEFI. This has led many people to believe that the two are the same, but the reality is that the former is a feature of the latter and can be disabled, while the latter must necessarily be supported by the operating system unless some kind of legacy support is available.

Put very briefly, UEFI (Unified Extensible Firmware Interface) is a set of specifications written by the UEFI Forum that defines the architecture of the platform firmware used for booting and its interface for interacting with the operating system. It was created to replace the old BIOS while maintaining compatibility, at least temporarily. The original Extensible Firmware Interface (EFI) specification, which is basically the old name, was developed by Intel.

I have already defined what Secure Boot is in the previous sections, so I will limit myself to saying that it is the mechanism responsible for verifying the authenticity and legitimacy of the software that will run on the computer, using digital signatures for this purpose.

How Secure Boot works

How Secure Boot works is easier to explain with a diagram than with words. Among the most important parts of the security feature are the Allow DB (DB) and Disallow DB (DBX) databases, that is, the database of what is allowed and the database of what is disallowed.

DB stores the hash values and keys of the trusted bootloaders and EFI applications that the machine's firmware is allowed to load. DBX stores revoked, compromised and untrusted keys and hashes. If an attempt is made to load code signed by one of the keys present in DBX, or whose hash matches a DBX record, the platform stops the boot process.

The following diagram shows the process that Red Hat Enterprise Linux goes through to comply with the various steps and requirements of Secure Boot. This scheme should be similar in any other distribution, especially those that use systemd.

The first check is whether the public certificate is present in the Allow DB; if the answer is yes, the process moves on to the next check, that of the bootloader: GRUB 2. If the bootloader signature is valid, the same thing happens with the kernel (Linux), and another positive result completes the Secure Boot sequence and boots the system. The logic with Windows is essentially the same, but this diagram from Red Hat shows an example using individual components rather than a general overview.
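The DB/DBX lookup described above can be modelled in Python, as an added example that is not from the original article. It parses the `EFI_SIGNATURE_LIST` layout used for these databases and consults DBX before DB; the certificate and hash values are constructed placeholders, and comparing the signer certificate byte for byte is an assumption that stands in for the firmware's real signature verification.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def make_list(sig_type, payloads):
    """Build one EFI_SIGNATURE_LIST (constructed test data, all-zero owner GUID)."""
    body = b"".join(bytes(16) + p for p in payloads)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body

def parse_lists(blob):
    """Parse concatenated EFI_SIGNATURE_LISTs into (type, payload) pairs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if sig_size <= 16 or body < 0 or body % sig_size or off + list_size > len(blob):
            raise ValueError("inconsistent signature list sizes")
        for pos in range(off + 28 + hdr_size, off + list_size, sig_size):
            entries.append((sig_type, blob[pos + 16:pos + sig_size]))  # skip owner GUID
        off += list_size
    return entries

def authorize(image_hash, signer_cert, db, dbx):
    """DBX is consulted first: a revoked hash or signer stops the boot even if DB allows it."""
    # Assumption: an exact certificate match stands in for real signature verification.
    def hit(entries):
        return any((t == EFI_CERT_SHA256 and d == image_hash) or
                   (t == EFI_CERT_X509 and d == signer_cert) for t, d in entries)
    if hit(parse_lists(dbx)):
        return False, "revoked by DBX"
    if hit(parse_lists(db)):
        return True, "allowed by DB"
    return False, "not present in DB"

# Constructed sample data: placeholder bytes stand in for DER certificates and image digests
VENDOR_CERT = b"constructed vendor certificate"
OLD_CERT = b"constructed revoked certificate"
GOOD_HASH = hashlib.sha256(b"constructed bootloader image").digest()
BAD_HASH = hashlib.sha256(b"constructed vulnerable bootloader").digest()
DB = make_list(EFI_CERT_X509, [VENDOR_CERT]) + make_list(EFI_CERT_SHA256, [GOOD_HASH])
DBX = make_list(EFI_CERT_SHA256, [BAD_HASH]) + make_list(EFI_CERT_X509, [OLD_CERT])
```

Calling `authorize(BAD_HASH, VENDOR_CERT, DB, DBX)` shows the case that matters for revocation: the signer is trusted by DB, yet the image is refused because its hash is in DBX.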

Obviously, none of this verification process takes place if the user has disabled Secure Boot in their motherboard settings, and this is the best option if one wants to test Linux distributions or other operating systems via UEFI with no restriction other than the need to support that firmware interface.

How to view the Secure Boot settings on the motherboard

Secure Boot configuration can generally be found in the Security or Boot section. Depending on the motherboard, the user may find more generic configurations or others more oriented towards Windows, which is, after all, the operating system for which more than 90% of the world's computers are manufactured.

Desktops allow disabling Secure Boot fairly easily and without any additional hurdles for users, but when it comes to laptops, or at least that's what happened to me with my current Acer laptop, disabling Secure Boot requires setting a password to access the BIOS.

Conclusion

As we can see, Secure Boot is a feature that on paper gives users positive things, but when it comes down to it, it turns out to have some holes that at least partially justify the arguments of its detractors.

Like it or not, Secure Boot is here to stay, and this can be seen in things like its expansion in IoT, a sector completely dominated by Linux in general and Ubuntu in particular. However, the fact that its use is optional and that it can be disabled is still very important, since not all distributions support this feature properly, and to these we need to add other, more underground systems, such as those derived from Illumos.

Cover image: Pexels and Pixabay

Source: Muy Computer
