Announcement

Collapse
No announcement yet.

Shimming your way to Linux on Windows 8 PCs

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    Shimming your way to Linux on Windows 8 PCs

    I found an article on zdnet, about a new boot loader called "Shim".

    Is this something that Ubuntu might use?

    Also I found this intresting. Would we want to do this? Is there any real security to this?
    This is intended for distributions that want to support secure boot but don't want to deal with Microsoft."


    http://www.zdnet.com/shimming-your-w...cs-7000008246/

    Is secure boot still an issue, have they fixed the problem?
    Rob
    Tags: None
    • Top
    • Bottom
    #2
    I think it is worth putting Matthew's explanation on how to install his shim here. Meanwhile, our resident expert on UEFI can comment:
    I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

    Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

    If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

    This binary does not contain any built-in distribution certificates. It does contain a certificate that was generated at build time and used to sign MokManager - you'll need to accept my assurance that the private key was deleted immediately after the build was completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user.

    A couple of final notes: As of 17:00 EST today, I am officially (rather than merely effectively) no longer employed by Red Hat, and this binary is being provided by me rather than them, so don't ask them questions about it. Special thanks to everyone at Suse who came up with the MOK concept and did most of the implementation work - without them, this would have been impossible. Thanks also to Peter Jones for his work on debugging and writing a signing tool, and everyone else at Red Hat who contributed valuable review feedback.
    And, he explains how the Linux Foundation is doing it, and how someone could do it their way if they wanted to:
    Re: Would you mind doing a post on what you did to get a signed shim.

    Date: 2012-12-01 07:33 am (UTC)

    From: mjg59Sure. I don't believe that it's possible without Windows for the final upload - it really needs Silverlight. Running IE under Wine may be sufficient, but I couldn't be bothered. Anyway.
    1. Go to sysdev.microsoft.com and log in with a Live account.
    2. Follow the link to the Verisign (now Symantec) page for creating a new company account. Ignore the use of the word company - you can do this as an individual.
    3. Follow the instructions and purchase an individual key for code signing. You'll be emailed a form to attach a copy of your notarised ID to, so get that filled in and signed and send them back a copy by email.
    4. Export the key from your browser as a .p12 file.
    5. Go back to sysdev.microsoft.com and download the zip file containing winsign.exe. Use pesign or sbsign and the key you exported to sign this file, and then upload it to sysdev.microsoft.com to enable your account.
    6. Sign the legal agreements - this just involves you typing your name into a box.
    7. Put the file you want to get signed into a cab file. lcab will do this,
    8. Sign the cab file with your Verisign key. osslsigncode will do this.
    9. Upload the file to sysdev.microsoft.com. The uploader is Silverlight for no obviously good reason.
    10. Wait for the upload to be processed. I think this happens a couple of times a week, so be prepared to wait a few days (I had to)
    11. You'll get an email when signing is complete. Download the cab file and use cabextract to retrieve your signed binary.




    Total cost is $99 plus however much it costs to get something notarised where you are.
    Last edited by GreyGeek; Dec 04, 2012, 05:49 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.
    • Top
    • Bottom

    Comment

      #3
      For those users who wish to use Secure Boot and also achieve the simplest, broadest cross-distribution support, Matthew's tool is ideal.
      • Top
      • Bottom

      Comment

      Previous template Next
      Working...
      X