Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Thu 21 Aug 2014, 06:21
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Secure Boot bootloader for Linux
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [8 Posts]  
Author Message
Terryphi


Joined: 02 Jul 2008
Posts: 759
Location: West Wales, Britain.

PostPosted: Sat 08 Dec 2012, 10:07    Post subject:  Secure Boot bootloader for Linux  

Linux developer Matthew Garrett has released a version of his Shim Secure Boot bootloader that allows any Linux distribution to be launched on Secure Boot systems without the need to disable UEFI Secure Boot. As Garrett's Shim binary has been signed by Microsoft, the Secure Boot bootloader will be executed by almost any type of UEFI firmware.

http://www.h-online.com/open/news/item/Secure-Boot-bootloader-for-Linux-1761089.html

_________________
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, Quirky, etc available here Smile
Back to top
View user's profile Send private message Visit poster's website 
Monsie


Joined: 01 Dec 2011
Posts: 633
Location: Kamloops BC Canada

PostPosted: Sun 09 Dec 2012, 07:34    Post subject: Secure Boot bootloader for Linux  

Note that Mathew Garrett's Shim is source code that will have to be compiled and include the location of the signed key for the Shim to verify before allowing the boot loader to run.

While one advantage of keeping the Secure Boot feature allows a user to dual boot or multi-boot other operating systems along with Windows 8, another is so that supposedly the computer cannot be booted from a portable OS on a flash drive in the event the computer is stolen... thus preventing a thief from accessing the main hard drive(s) and stealing one's data.

I don't fully understand how Secure Boot is supposed to work vis a vis the boot loader. Is there a new signed key generated each time the Shim is compiled? What is to prevent a thief from downloading Garrett's Shim and using it in conjunction with a portable operating system on a flash drive so as to access one's data on a stolen notebook?

Monsie

_________________
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
Back to top
View user's profile Send private message 
Terryphi


Joined: 02 Jul 2008
Posts: 759
Location: West Wales, Britain.

PostPosted: Sun 09 Dec 2012, 10:57    Post subject: Re: Secure Boot bootloader for Linux  

Monsie wrote:
Note that Mathew Garrett's Shim is source code that will have to be compiled and include the location of the signed key for the Shim to verify before allowing the boot loader to run.

Monsie


Source code and signed binaries are available. Garrett explains that Linux distributors simply need to sign their UEFI bootloader (grubx64.efi) with a separate key, include this key on their installation medium and tell their users where to find the key when the Shim asks for it.

_________________
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, Quirky, etc available here Smile
Back to top
View user's profile Send private message Visit poster's website 
8-bit


Joined: 03 Apr 2007
Posts: 3364
Location: Oregon

PostPosted: Sun 09 Dec 2012, 14:59    Post subject:  

If it gets to the point where one cannot disable UEFI in the PCs BIOS, that could come in very handy to be able to boot ones OS of choice.
I had read that some new HP pcs have UEFI and one has to go into BIOS and select Legacy Boot to get around it.
That is not to say that the option will be there in the future.
So I have downloaded all the files you referenced just to have them on hand.
But in having to compile the source, can one use Puppy's compiler or would one have to invest in a Windows compiler?
Back to top
View user's profile Send private message 
Terryphi


Joined: 02 Jul 2008
Posts: 759
Location: West Wales, Britain.

PostPosted: Sun 09 Dec 2012, 15:32    Post subject:  

8-bit,

A binary is available at Mathew Garrett's site so there is no need to compile the Shim. It is the second stage which Puppy developers need to consider.

This is all unfamiliar to me but it seems that Puppy developers would have to "sign their UEFI bootloader (grubx64.efi) with a separate key, include this key on their installation medium and tell their users where to find the key when the Shim asks for it."

_________________
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, Quirky, etc available here Smile
Back to top
View user's profile Send private message Visit poster's website 
Monsie


Joined: 01 Dec 2011
Posts: 633
Location: Kamloops BC Canada

PostPosted: Mon 10 Dec 2012, 05:34    Post subject: Secure Boot bootloader for Linux  

Oops, somehow I missed seeing the signed binary files, so thanks for clarifying.

I am still not too sure about how secure the Secure Boot process is...

The Wiki about UEFI mentions about Secure Boot:
Quote:
Secure boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.


Again, I wonder how easy it would be for thieves to access the data from a stolen notebook if they can boot up from a portable operating system.

In such a scenario, my initial thoughts are that one might be better off using True Crypt or similar software to protect ones data. That said, I learned from the Wiki there are other benefits from UEFI:
Quote:
UEFI firmware provides several technical advantages over a traditional BIOS system:

Ability to boot from large disks (over 2 TiB) with a GUID Partition Table, GPT.
CPU-independent architecture
CPU-independent drivers
Flexible pre-OS environment, including network capability
Modular design

Note that I removed the footnote references from the quote, but in any event, the Wiki article is here.
So, I am assuming that if one disables UEFI, the system reverts to legacy bios setup in which case one loses those advantages.

Monsie

_________________
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
Back to top
View user's profile Send private message 
8-bit


Joined: 03 Apr 2007
Posts: 3364
Location: Oregon

PostPosted: Mon 10 Dec 2012, 15:02    Post subject:  

Depending on the BIOS, if one removed the internal battery for a bit and then put it back in, the BIOS settings would have been wiped out including any BIOS password allowing one to change the BIOS settings.
Security only takes one so far.
If I wanted data from a hard drive, I could remove it from the laptop and use a portable USB case to access data on that drive on another PC running any OS I chose.
So relying on UEFI for complete security only goes so far.
Encryption is still a good option.
But even with it, there are differences in the quality depending on the type of encryption software used.
It is best to keep sensitive data on external media carried separately from the laptop and not keep any personal sensitive data on the laptop other than say some hidden file identifying you as the owner and possibly contact information if it is found.

If you want to hear crazy, that would have been me when I had a PC, (now junk and gone), that had a small graphic file on it that contained nothing more than my written signature.
And that file no longer exists in any form as I overwrote it a few times before deleting it and then the hard drive it was on was destroyed by me also.
Back to top
View user's profile Send private message 
Barkin


Joined: 12 Aug 2011
Posts: 690

PostPosted: Tue 11 Dec 2012, 04:44    Post subject:  

8-bit wrote:
Depending on the BIOS, if one removed the internal battery for a bit and then put it back in, the BIOS settings would have been wiped out including any BIOS password allowing one to change the BIOS settings ...

If I wanted data from a hard drive, I could remove it from the laptop and use a portable USB case to access data on that drive on another PC running any OS I chose.

I recently discovered my (Dell) computer has a hard-drive password option (accessible via BIOS settings). Unlike the BIOS passwords it is not reset by removing the CMOS battery.
An external OS, like Puppy on a USB stick, won't allow access to the Hard drive either, (unless the correct password is input).

Allegedly ( I haven't tried this) removing the Hard-drive from the computer and putting it in a caddy or another computer won't circumvent the hard-drive password-protection either.

[ NB: the data on the hard drive is not encrypted by this method ].
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [8 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0695s ][ Queries: 11 (0.0086s) ][ GZIP on ]