
SecureBoot -- still not supported??

neutrino78x

New Member


Messages: 2

#1
Hi,

So I've been using FreeBSD since the 90s...I turn 40 next month...anyway, I saw articles from as far back as 2014 saying that FreeBSD was going to support SecureBoot...but now the SecureBoot page on FreeBSD.org says it is still not supported. Is that really the case?

I have a machine with SecureBoot, but it can be disabled. I'm tempted to disable it just for FreeBSD.

Anyway what's the status? :)
 

tingo

Daemon

Thanks: 275
Messages: 1,730

#2
Why don't you try to boot the newest FreeBSD release off a usb stick and find out for yourself?
Other people might be interested in / care for the SecureBoot support in FreeBSD, or they might not.
The only way to be sure is to test it yourself.
 

Sensucht94

Active Member

Thanks: 144
Messages: 182

#3
My guess is always that Secure Boot was first introduced to prevent users from installing anything but Windows and Windows Drivers upon a closed-source bloated ROM, the UEFI, whose development is, in my opinion, ultimately carried out under Microsoft financing. If it weren't for possible issues with Intel VT-d (mostly rumors I heard though), I would have replaced my UEFI with coreboot+SeaBIOS already.

Anyway, that's the status of SecureBoot support, as of 09/18/17: https://wiki.freebsd.org/SecureBoot :)
 

Maelstorm

Active Member

Thanks: 92
Messages: 247

#4
Actually, all Secure Boot is, is that every piece of software used to start the machine is digitally signed. So you would sign the FreeBSD EFI Bootloader, loader, and the kernel. You can even use your own certificate to do it, generated via SSL. Furthermore, you need to add the keys to your PC's BIOS to recognize it as being valid.

Windows certified hardware only has Microsoft's keys installed in the UEFI BIOS, but that doesn't mean that you can't add more.

Further Reading:
http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot (Specifically for Linux, but good info)
https://wiki.freebsd.org/SecureBoot (FreeBSD Wiki which has some decent links as well.)

HTH
 

neutrino78x

New Member


Messages: 2

#5
maelstrom wrote:

This is actually a fascinating article dude! Thank you for showing me that. :)

My only objection to the procedure it discusses is, how would one boot to Windows after doing that? The procedure appears to involve deleting all the signatures and then adding your own custom ones. It appears that this would render your PC unable to boot Windows (unable to boot Windows while SecureBoot is enabled, anyway). Is there a way to sign the Windows boot binary? Is there a way to extract the signature of the Windows binary and add it to your custom list of approved signatures?

Looks like Sensucht94 confirms that FreeBSD still doesn't have a SecureBoot signature yet. So I go back to my original question...Why is that? Did somebody just give up on that project?

I dunno...SecureBoot seems like a good idea in theory. But they didn't make it easy for us to add approved signatures without deleting all the existing ones. Desktop PCs got by just fine without SecureBoot for 30+ years, I suppose there's no harm in disabling it so I could boot FreeBSD on this machine. :)

But the Linux distributions can use the Linux signature and boot with SecureBoot...couldn't FreeBSD register one with Microsoft so FreeBSD could also boot under SecureBoot along with Windows and Linux? :)
 

Maelstorm

Active Member

Thanks: 92
Messages: 247

#6
This past fall (2017) semester at Sac State, I attended a security seminar where the topic was secure boot. The person who gave the lecture is Tim Lewis, CTO of Insyde Software. They provide the BIOSes for a lot of the laptop manufacturers. It was an interesting lecture to say the least. Anyways, the BIOS chip has a file system on it. So you shouldn't have to delete everything there just to be able to dual boot Windows and FreeBSD/Linux. You could make a backup and add the certificate to the backup and then write it back into the BIOS. But, each BIOS and mainboard is different, so I don't really have an answer for you.

But going back to the original articles that I posted, I think the reason why FreeBSD doesn't have it is because (if you know how) it is relatively trivial to digitally sign the boot loader and kernel.

I don't know how to do it off the top of my head, but Windows does allow you to digitally sign files on the system. On Windows 10, the system checks the digital signatures of the installation packages and puts that info on the screen before you click OK. You can even extract the digital signature from the files in question.

EDIT:

Perhaps the developers can add to make buildkernel a make.conf(5) option to sign the bootloader and kernel with a specified certificate. That way, it would sign the bootloader and kernel every time you build the kernel. The developers could also submit the public code signing certificate to the mainboard manufacturers so they can include it on the BIOS in the default configuration. I do not know why this hasn't been done yet...but it wouldn't be hard to do.
 

ralphbsz

Aspiring Daemon

Thanks: 325
Messages: 764

#7
If the FreeBSD source code contained the certificate that allows generating a signed bootloader/kernel, and ...

If anyone can modify the FreeBSD source code (because the source is freely available, after all), and ...

If BIOSes on motherboards (or laptops) have been taught the signature of the FreeBSD kernel and are willing to believe that it is secure and therefore boot it, then ...

Any hacker could create any destructive piece of software they want, put it in a custom FreeBSD kernel, sign it, and distribute it, and computers would boot it thinking it is a harmless FreeBSD kernel.

Thereby reducing the idea of FreeBSD being able to be securely booted ad absurdum. Or is my reasoning faulty?

The whole concept of "secure" anything requires trust. Trust requires a trust authority. Who do you want to be the authority for FreeBSD? The secure way of doing this would be to give the certificate only to Kirk McKusick (*), and after he blesses the kernel, he can sign it. (* Footnote: I'm using Kirk as an arbitrary example of an authority here, any other human or group of humans who are reliable and worthy could substitute.)
 

Maelstorm

Active Member

Thanks: 92
Messages: 247

#8
Your logic is flawless, and you make a good point. That's why I suggested that the administrator sign the kernel themselves with their own private certificate during the build process. I wish there was a way to install multiple certs in the BIOS without having to erase all of them beforehand.
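Added example, not from any poster and not FreeBSD's own tooling: the firmware's db (and dbx) variable is just a concatenation of EFI_SIGNATURE_LIST structures, so a new certificate can be appended as its own list next to the vendor's entries instead of replacing them, which is what #5 (keeping Windows bootable) and #8 (multiple certs without erasing) ask about. The entry-type GUIDs are the UEFI specification's; the owner GUID and the DER certificate blobs below are constructed placeholders.

```python
import struct
import uuid

# Entry-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner only records who enrolled an entry; this value is a constructed placeholder.
OWNER_GUID = uuid.UUID("5a6b7c8d-1234-4abc-9def-000000000001")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")

def build_esl(sig_type, entries, owner=OWNER_GUID):
    """Pack one EFI_SIGNATURE_LIST. Every entry in a list has the same size, so a DER
    certificate gets a list of its own while several SHA-256 hashes can share one."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal length")
    sig_size = 16 + sizes.pop()                      # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body

def parse_esls(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (the raw contents of db or dbx)
    and return [(entry-type GUID, [SignatureData, ...]), ...]."""
    out, off = [], 0
    while off < len(blob):
        type_le, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size or off + list_size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST")
        pos, end, sigs = off + HDR.size + hdr_size, off + list_size, []
        while pos + sig_size <= end:
            sigs.append(blob[pos + 16:pos + sig_size])  # drop the SignatureOwner GUID
            pos += sig_size
        out.append((uuid.UUID(bytes_le=type_le), sigs))
        off += list_size
    return out

def append_cert_to_db(existing_db, der_cert):
    """Append a certificate as a new list, keeping every list already enrolled."""
    return existing_db + build_esl(EFI_CERT_X509_GUID, [der_cert])

# Constructed stand-ins for DER certificates (a real one is the output of
# 'openssl x509 -outform DER'); only their lengths matter to the packing logic.
VENDOR_CERT = b"\x30\x82" + b"V" * 40
OUR_CERT = b"\x30\x82" + b"F" * 56
DB = (build_esl(EFI_CERT_X509_GUID, [VENDOR_CERT])
      + build_esl(EFI_CERT_SHA256_GUID, [bytes(32), bytes([1]) * 32]))
NEW_DB = append_cert_to_db(DB, OUR_CERT)
```

This only produces the variable contents; getting them into the firmware still requires either the firmware's setup mode or an update signed by a key in KEK, which is the part that differs per mainboard.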