skip to content W3C SVG

Secure boot and trusted boot

As explained on the OpenPOWER foundation website:

Trusted Boot is the measurement (hashing) of system firmware boot components and the creation of secure cryptographic artifacts that unambiguously demonstrate that particular firmware has been executed by the system. Trusted Boot artifacts can be used to remotely verify system integrity or to seal secrets to that they are only available after certain firmware has executed. Secure Boot is the cryptographic signing and verification of firmware boot components, failure of which is flagged for system administrator investigation and action, including logging an error and halting the system boot. Secure Boot prevents the system from executing either accidentally or maliciously modified firmware.

The chain of verification ensures that an attacker didn’t plan a uefikit/bootkit/rootkit/… on the machine, see the slides of UEFI Firmware Rootkits: Myths and Reality from Alex Matrosov and Eugene Rodionov for more details.

OpenBSD is able to boot from UEFI since 2015, and it’s apparently possible to use a secure-boot up to the bootloader. But it seems highly unlikely that it will ever be upstreamed, given Theo de Raddt’s stance on the topic:

De Raadt foresees issues for “secure” boot in Europe. “I expect that the Intel/Microsoft plans will face big problems in Europe,” he said. “It would be interesting to see a bunch of consumer-unfriendly laptop vendors locked out of European markets, wouldn’t it?” He did not see any positives in the move. “I sense that disaster is coming, and hope that someone has the moral strength to do the right thing,” he said. “I fully understand that Red Hat and Canonical won’t be doing the right thing, they are traitors to the cause, mostly in it for the money and power. They want to be the new Microsoft.”

The way Ubuntu and Red hat are implementing Secure Boot is by having a signed shim (from Microsoft), allowing them to sign whatever image they want, and of course, users are able to use their own keys for the root-of-trust.

In February 2020, Julius Zint posted a proof-of-concept on openbsd-misc@ to use trusted-boot on OpenBSD.

While the tandem Secure Boot and Trusted Boot might look scary from a Free software point of view, it does offer some interesting security guarantees. It’s a bit disappointing to see that OpenBSD not only rejects it, but has flawed understanding of it.