Open Source projects and Secure Boot - natural enemies or friends?
A lot of Linux distributions support UEFI Secure Boot. One of these is Debian with the latest release, Buster (10).
Secure Boot is part of the Unified Extensible Firmware Interface (UEFI). Its purpose is to enhance boot security. This is done by validating the operating system, its drivers and the firmware. Secure Boot protects these crucial parts against malware injection and thus guards against firmware and/or pre-loader attacks.
openSUSE was one of the first distributions to support it. The experimental support started back in 2013.
Every hardware vendor adds their own keys onto the machine, the so-called Platform Key (PK). In addition, machines compatible with Windows 8.1 or newer have Microsoft's UEFI key installed. Anyone trying to boot a custom bootloader or Linux kernel will not succeed when Secure Boot is turned on. To get their custom binaries accepted, they have to deploy their own keys onto the machine itself. This is feasible on a rather small number of (virtual) machines. IT administrators in a large company do not tend to do this legwork. Larger companies also tend to have an operating system provisioning solution.
Basically, there are two ways to implement Secure Boot-compatible operating system provisioning. One is the just-mentioned creation of one's own Secure Boot keys. These keys have to be deployed on every Secure Boot-compatible machine to use any self-signed binary or bootloader. The second approach is to get Microsoft to sign binaries.
opsi, short for Open PC Server Integration, is an open-source framework to provision operating systems, deploy software and gather information about the hardware and software. opsi uses an Ubuntu-based bootimage along with a custom kernel to provision the desired operating system. However, this custom kernel is not signed off by Microsoft's UEFI key or any other vendor PK, but is still able to boot in Secure Boot mode. This presentation will outline the story of implementing Secure Boot in this specific open source project. It will also show what needs to be done to get a Microsoft-signed binary. In addition, this presentation will feature all the steps taken and sketch out the pitfalls of this signing process.
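For the first approach, an administrator needs a way to confirm that the organisation's certificate really is enrolled on a given machine. The following is an added example, not code from the talk or from opsi: it parses the UEFI `EFI_SIGNATURE_LIST` format used by the signature database (`db`) and checks for a certificate. The owner GUID, the placeholder certificate bytes and the helper names are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def parse_signature_lists(data):
    """Return (type, owner GUID, SHA-256 of entry data) for every entry."""
    entries, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        body = list_size - 28 - header_size
        if list_size > len(data) - pos or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        start = pos + 28 + header_size
        for off in range(start, pos + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[off:off + 16])
            payload = data[off + 16:off + sig_size]
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner,
                            hashlib.sha256(payload).hexdigest()))
        pos += list_size
    return entries


def build_list(sig_type, owner, payload):
    """Build a one-entry list; used only to construct the sample below."""
    sig = owner.bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig


# Constructed sample: placeholder bytes stand in for a DER certificate and a hash.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical owner GUID
FAKE_CERT = b"constructed-der-certificate"
SAMPLE_DB = (build_list(EFI_CERT_X509_GUID, OWNER, FAKE_CERT)
             + build_list(EFI_CERT_SHA256_GUID, OWNER, bytes(32)))


def is_enrolled(db, cert_der):
    """True if cert_der appears as an X.509 entry in the signature database."""
    want = hashlib.sha256(cert_der).hexdigest()
    return any(t == "x509" and h == want for t, _, h in parse_signature_lists(db))
```

On Linux, the `db` variable read through efivarfs carries a 4-byte attribute prefix that has to be stripped before the data is passed to `parse_signature_lists`.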