UEFI and UEFI SecureBoot + Linux, is the nightmare over?

During the last few weeks I spent several nights playing with UEFI and its extension, UEFI SecureBoot. I must admit that I have mixed feelings about UEFI in general: on one hand you get a nice, modern “BIOS replacement” that can boot .efi files directly, with no need for a bootloader like GRUB; on the other hand, some hardware, and not even the most exotic, is not yet glitch-free. But that’s what happens with new stuff in general. I cannot go into much detail without drifting away from the main topic, but a simple Google search about UEFI and Linux will point you to the problems I just mentioned.

But hey, what does it all mean for our beloved Gentoo-based distro named Sabayon? Since the DAILY ISO images dated 20121224, Sabayon can boot on UEFI systems from DVD and USB (thanks to isohybrid --uefi) and, surprise surprise, with SecureBoot turned on! I am almost sure that we’re the first Linux distro supporting SecureBoot out of the box (update: using shim!) and I am very proud of it. This is of course thanks to Matthew Garrett’s shim UEFI loader, which chainloads our signed UEFI GRUB2 image.

The process is simple and works like this: you boot a UEFI-compatible Sabayon ISO image off DVD or USB; if SecureBoot is turned on, shim launches MokManager, which you can use to enroll our distro key, called sabayon.der and available on the image under the “SecureBoot” directory. Once you have enrolled the key, some systems force you to reboot (I had to on my shiny new Asus Zenbook UX32VD), but then the magic happens.

There is a tricky part, however. Because GRUB2 .efi images are generated at install time, with settings that depend on your partition layout and platform details, I have been forced to implement a somewhat nasty way to ensure that SecureBoot can still accept such platform-dependent images: our installer, Anaconda, now generates a hardware-specific SecureBoot keypair (private and public key); our modified grub2-install then automatically signs every .efi image it generates with that key, and the public key is placed into the EFI boot partition under EFI/boot/sabayon, ready to be enrolled through shim at the next boot.
This is sub-optimal, but after several days of messing around it turned out to be the most reliable, cleanest and easiest way to support SecureBoot after install without disclosing the private key we use to sign our install media. Another advantage is that our distro keypair, once enrolled, allows any Sabayon image to boot, while our users keep full control over the installed system (since the platform-specific private key is generated at install time).
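The install-time scheme described above, as an added example that is not Sabayon’s installer or grub2-install code: a per-machine keypair is generated, the GRUB .efi image is signed with its private half, and the DER certificate is staged under EFI/boot/sabayon for MokManager to enroll. It assumes openssl is available and, for the signing step only, sbsign/sbverify from sbsigntools; the file names and helper function names are made up here.

```sh
#!/bin/sh
# Example (not the distro's code) of the per-platform SecureBoot key flow.
set -eu

# Generate a self-signed keypair for this machine. -nodes leaves the private
# key unencrypted so the installer can sign unattended; restrict it to root.
gen_platform_keypair() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Sabayon platform SecureBoot key (example)" \
        -keyout "$dir/platform.key" -out "$dir/platform.pem" 2>/dev/null
    chmod 0600 "$dir/platform.key"
    # MokManager enrolls DER certificates (the post's sabayon.der).
    openssl x509 -in "$dir/platform.pem" -outform DER -out "$dir/sabayon.der"
}

# Sign a GRUB .efi image with the platform key and verify the signature.
# Requires sbsigntools; returns 1 if sbsign is not installed.
sign_efi_image() {
    dir="$1"; efi="$2"
    command -v sbsign >/dev/null 2>&1 || { echo "sbsign not installed" >&2; return 1; }
    sbsign --key "$dir/platform.key" --cert "$dir/platform.pem" \
        --output "$efi.signed" "$efi"
    sbverify --cert "$dir/platform.pem" "$efi.signed"
}

# Copy the DER certificate to the ESP path named in the post so shim's
# MokManager can offer it for enrollment at the next boot.
stage_cert_for_mok() {
    dir="$1"; esp="$2"
    mkdir -p "$esp/EFI/boot/sabayon"
    cp "$dir/sabayon.der" "$esp/EFI/boot/sabayon/sabayon.der"
}

# Sanity check: the certificate staged on the ESP must be the one that
# matches the signing key, otherwise enrollment will not let GRUB boot.
cert_matches() {
    dir="$1"; esp="$2"
    a=$(openssl x509 -in "$dir/platform.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -inform DER -in "$esp/EFI/boot/sabayon/sabayon.der" \
        -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}
```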

SecureBoot is not that evil after all: my laptop came with Windows 8 (which I just ripped off completely) and SecureBoot disabled by default, and its “BIOS” lets anyone sign their own .efi binaries. I don’t see how my freedom could be affected by this, though.

About lxnay

the creator of Sabayon Linux, Entropy Package Manager {Eit, Equo, Rigo}, Molecule release media buildsystem, Matter Portage buildbot/tinderbox and only God knows what else...

13 responses to “UEFI and UEFI SecureBoot + Linux, is the nightmare over?”

  1. Colin Watson

    “first Linux distro supporting SecureBoot out of the box” – congratulations for getting it working, but I’m afraid Ubuntu 12.10 beat you to it 🙂

    • Ouch 🙂 You are right, Ubuntu does use its own (old) version of shim signed by Microsoft directly.
      Comparing us to Ubuntu is a bit unfair, we don’t have all those $$$ nor paid employees.

  2. lushb0x

    I think what he meant was “The first Distro that actually feels like Linux”

  3. Serafean

    Actually the real danger of secureboot lies in the tablet (read ARM) platform. There every OEM is required to enable it, and not provide any way to disable it (speaking of the windows platform, of course). Should %MS% tablets become popular, loading them with a custom OS would be impossible. Heck even installing a version of windows not from the manufacturer’s website might be trouble…

    On the other hand, having recently been introduced to UEFI, I must admit it’s pretty nice.

  4. Jeff

    I personally don’t feel like the nightmare is over. It may be over if you use Sabayon or Ubuntu, but if you use pretty much any other distro these days, it’s still a massive headache.

    I prefer Gentoo and I have 2 laptops that are UEFI-only (no BIOS emulation support) and on the “full” laptop, I’m dual-booting Ubuntu 12.10 and Gentoo and using Ubuntu’s bootloader to boot into Gentoo (and spending as little time as possible in Ubuntu). On my other laptop (which is a netbook) I sort of felt defeated and didn’t want to dual-boot a netbook, so I just put Sabayon on it.

    I think the nightmare is only over when, on EVERY distro, either the installer supports UEFI with no headaches or, for distros like Archlinux and Gentoo where there is no installer, installing on to UEFI is as easy as: `emerge grub:2 && grub2-uefi-install /dev/sda`

  5. UEFI is hideous. It’s as big or bigger than some Linux distros. Why on Earth would you want a firmware that’s as big and complicated as a full blown OS just to boot a full blown OS? That’s complete insanity. There has to be a better way. ARM based systems don’t seem to require all this complexity just to get to the desktop.

    Perhaps the real issue is with Intel’s legacy x86 instruction set that still makes up the core of its CPUs. Maybe we should all move on and drop more than just i386 support?

  6. tic

    Where can I find a UEFI ISO image to create a bootable USB pendrive? I am unable to find it!

  7. Great work!!! It’s nice that UEFI support with secureboot can work out of the box on gnu/linux and I hope that also other distributions and especially gentoo (because it’s my primary choice) can build up on your experience and success story.

  8. Steve

    To be honest getting the problem with dual booting with Win8 on UEFI systems that doesn’t involve installing additional repositories and running additional programs (boot-repair) and having to then manually edit files because of long standing critical bugs in GRUB2 needs to be fixed first.

    For many people the introduction to Linux will come through dual booting and right now with new Win8 based laptops it’s a bit of a farce – never mind the problems with buggy UEFI systems (like Samsung).

  9. Len

    If it ain’t broke don’t fix it! BIOS has served us all very well over the years. I fail to see why manufacturers should be rolling over so easily with UEFI, frequently pandering to Big Brother aka M$ by selling PCs with locked UEFIs. It has a very bad smell to me, especially as there seem to be so many very unhappy Windoze 8 users, many of whom have been forced to buy a new PC with Windoze 8 pre-installed without any freedom of choice in the matter!

  10. Len

    Just spotted this extract!
    On x86 systems Microsoft needs computers to be compatible with older versions of Windows. On x86 systems the Microsoft Hardware Certification says that manufacturers must include an option to disable UEFI SecureBoot, and must allow the owner to load his own keys. However on systems with an ARM processor Microsoft doesn’t need to worry about hardware being compatible with versions of Windows because there are no versions of Windows for ARM. On ARM systems Microsoft has mandated that MANUFACTURERS ARE FORBIDDEN TO INCLUDE ANY OPTION TO DISABLE UEFI SECUREBOOT. On ARM systems Microsoft has mandated that MANUFACTURERS ARE FORBIDDEN TO INCLUDE ANY POSSIBILITY OF OWNERS LOADING THEIR OWN KEYS.

    Microsoft has made it crystal clear that they can and will use UEFI to lock computers AGAINST their owners and to anti-competitively lock out any possibility to load alternate operating systems when they do not have to worry about compatibility with older versions of Windows.

    Currently ARM processors are primarily used in smartphones, however at least one manufacturer, Qualcomm, has announced they will be manufacturing ARM based PCs. Microsoft has mandated that owners of these PCs be denied any possibility of disabling the system and denied any possibility of loading their own keys.

    Microsoft has announced the Windows 7 End Of Life date to be January 14, 2020. On that date Microsoft is no longer concerned with x86 computers being compatible with pre-UEFI operating systems. On that date Microsoft can drop the “Disable SecureBoot” legacy support. On that date there is every reason to expect Microsoft to take their ARM-style no-legacy-support terms and impose them on all PC manufacturers.

    Your “If you don’t like it, disable it” is already false on some systems today, and there is good reason to suspect Microsoft may forbid it on all systems in a few years.
