Friday, November 23, 2012

Secure Boot on openSUSE, a battleplan

At openSUSE Conference in Prague last month, we had a BoF about Secure Boot, where I describe the various tasks which are needed to ensure openSUSE can support Secure Boot. They are listed on my slides, but I thought it would be more useful to describe them here.

Before we begin, if you need some refresh about Secure Boot, I suggest the blog posts from Olaf Kirch and Vojtěch Pavlík on SUSE Blog (overview, details and approach to it) and of course, all the war stories of Matthew Garrett on this topic ;)

To have openSUSE installable (and runnable) on a Secure Boot enabled system, without any additional user intervention (like adding your own key in UEFI firmware or disabling Secure Boot), we need to do the following to the distribution :

  • to the kernel (many of those features are in 3.7 or in upcoming 3.8):
    • convert the kernel as a EFI executable (it will be used to store kernel signature)
    • UEFI variable access
    • UEFI clock support (nice to have)
    • UEFI getvideomode (if we want flicker-free boot)
    • UEFI reboot (we already have 4 other way to reboot a system, why not add yet another one ;)
    • KMS drivers (for old chipsets like Matrox, AST).
    • sign main kernel
    • sign all in-tree kernel modules
    • generate a private/public key pair to be used out of tree modules
    • add Secure Boot support in KExec / KDump and Xen (optional)
    • disable hibernation in Secure Boot mode (or have a secure way to save / restore suspended system)
    • add signature check in kernel
  • to bootloader:
    • package shim loader
    • modify grub2 so it uses shim loader to check kernel signature at boot
  • to Build Service:
    • to be able to build external kernel modules (think KMP) using the private/public key generated at kernel build
    • but do not allow this key to be used for any random KMP build (otherwise, you defeat the purpose of signing the module)
  • to userspace tools:
    • package xf86-video-modesettings, for graphics chipset with non-accelerated KMS drivers
    • add support for signature check in modutils / kmod
    • package tools to sign kernel / modules
    • package tools to manage UEFI variables and keys
  • to the installer / DVD image
    • maybe display some warnings about installing a system in Secure Boot mode (not 100% sure we should do this)
    • maybe signing the initial installer (and make sure it can't load non-signed modules)
    • ensure the DVD image has shim + grub2 as bootloader when booting on UEFI system
  • and we also need to do the signing part:
    • if we want Secure Boot to be transparent to users, we need our shim loader to be signed by the authority handling UEFI key, ie Microsoft
    • this requires some legal paperwork (getting MS developer account, getting a Authenticode certificate, etc..), some obligation (making sure you can't circumvent Secure Boot once Linux is booted) and once it is done, sending shim loader to be signed by MS and package the result.
As you can see, this is a lot of work but I think we will be able to have everything in order for next openSUSE release !