Tuesday, January 8, 2013

Leveraging UEFI Secure Boot beyond the loader

I've earlier noted some of the exciting work that the community has been doing with platforms around Microsoft(R) Windows8, including UEFI Secure Boot.  Some details are at http://channel9.msdn.com/Events/Windows-Ecosystem-Summit/2011Taipei/SYS-457T, for example.

In addition to the Windows roll-out, Brian Richardson noted the work of Peter Jones of the Fedora Project around "Package Signature Checking During Installation" @ http://fedoraproject.org/wiki/Features/PackageSignatureCheckingDuringInstall.  This work extends UEFI Secure Boot into the OS provisioning. Details include "Following the implementation of Features/SecureBoot, we can extend the Secure Boot keys as a root of trust provided by the hardware against which we can verify a signature on our key files, thus guaranteeing that they're from the same source as the boot media".  

This Fedora work, alongside the Microsoft release, further reinforces the tenet that boot firmware is by design OS-neutral. The plurality of hardware specifications like PCI & USB, firmware-oriented specifications like SMBIOS, UEFI, and ACPI, and finally, implementations like edk2, help to form the bridge between platforms and OS usages.

On a personal note, Peter is a great guy and continues to make valuable contributions into the OS usage of UEFI. This includes some of his work on multiple signatures we mentioned in chapter 4 of http://iweb.dl.sourceforge.net/project/edk2/General%20Documentation/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf, too.

The Fedora usages, along with efforts like Matt Flemming & Co. on UEFI loader development https://github.com/mfleming/efilinux, continue to strengthen open source infrastructure for these emergent UEFI platform firmware capabilities.

No comments: