UEFI secure boot

UEFI (the successor to the legacy BIOS) includes a firmware validation process, which can be combined with a Trusted Platform Module (TPM), called UEFI Secure Boot; it is defined in Chapter 27 of the UEFI 2.3.1 specification.

Secure Boot defines how platform firmware manages security certificates, how it validates firmware, and the interface (protocol) between the firmware and the operating system. Secure Boot prevents “unauthorized” operating systems and software from loading during the startup process.

Secure Boot is a technology in which the system firmware checks that the system boot loader is signed with a cryptographic key authorized by a database contained in the firmware. With adequate signature verification in the next-stage boot loader(s), the kernel and, potentially, user space, it is possible to prevent the execution of unsigned code.

Secure Boot is a form of verified booting. Boot path validation is also part of other technologies such as Trusted Boot. Boot path validation is independent of secure storage of cryptographic keys and of remote attestation. UEFI Secure Boot specifies the following:

  • a programming interface for cryptographically protected UEFI variables in non-volatile storage,
  • how the trusted X.509 root certificates are stored in UEFI variables,
  • validation of UEFI applications (boot loaders and drivers) using Authenticode signatures embedded in these applications, and
  • procedures to revoke known-bad certificates and application hashes.
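As an added illustration (not part of the original text or of any firmware implementation), the following Go program models that decision with the standard library: a trusted database (db) and a revocation database (dbx) holding X.509 certificates and image digests, a constructed self-signed vendor key standing in for a real signing CA, and one Verify function that applies the revocation check before the trust check. The SigDB type and the Verify and NewSigner names are this example's own; real Authenticode hashes the PE file with its signature section excluded, which the model simplifies to a digest of the whole image.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// SigDB models one UEFI signature database variable (db = trusted, dbx = revoked):
// X.509 certificates keyed by their DER encoding, plus SHA-256 digests of whole images.
type SigDB struct {
	Certs  map[string]bool
	Hashes map[[32]byte]bool
}

// hasCert tolerates a nil certificate so that unsigned images can be checked too.
func (d *SigDB) hasCert(c *x509.Certificate) bool { return c != nil && d.Certs[string(c.Raw)] }

// Verify is the Secure Boot decision for one image: body is the image, signer and sig stand in for
// the embedded Authenticode certificate and RSA signature. dbx refuses first; db must then trust it.
func Verify(body []byte, signer *x509.Certificate, sig []byte, db, dbx *SigDB) bool {
	h := sha256.Sum256(body)
	if dbx.Hashes[h] || dbx.hasCert(signer) {
		return false // revoked digest or revoked signing certificate
	}
	if db.Hashes[h] {
		return true // digest explicitly trusted, no signature needed
	}
	if !db.hasCert(signer) {
		return false // unsigned, or signer not in db: nothing to verify against
	}
	pub, ok := signer.PublicKey.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
// NewSigner returns a constructed self-signed RSA certificate (a hypothetical vendor key, not a
// real CA) together with a function that signs image bytes under that key.
func NewSigner() (*x509.Certificate, func([]byte) []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, func(body []byte) []byte {
		h := sha256.Sum256(body)
		sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
		return sig
	}
}
```

Note that a valid vendor signature does not rescue an image whose digest, or whose signer, appears in dbx: revocation is checked before trust, which is what lets known-bad boot loaders be blocked without touching db.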

UEFI Secure Boot does not require specialized hardware, apart from non-volatile (flash) storage which can be switched from read-write mode to read-only mode during system boot. This storage has to be used to store the UEFI implementation itself and some of the protected UEFI variables (including the trusted root certificate store).

From a user's point of view, a system that has UEFI Secure Boot enabled and is confronted with a tampered boot path simply stops working until UEFI Secure Boot is disabled or a signed next-stage boot loader is available on the boot media. (The box captioned “Typical error message from UEFI Secure Boot” below shows such a message.) Similarly, operating system installers without a cryptographically valid signature do not run and produce an error message. Users are not offered a way to override the boot loader's decision to reject the signature, unlike the similar scenario with web server certificates. No certificate issuer information is shown to the user.

┌---------- Secure Boot Violation ----------┐
│                                           │
├-------------------------------------------┤
│ Invalid signature detected. Check Secure  │
│          Boot Policy in Setup             │
│                                           │
│                                           │
│                   [OK]                    │
└-------------------------------------------┘
Typical error message from UEFI Secure Boot

UEFI Secure Boot does not prevent the installation or removal of second-stage boot loaders, nor does it require explicit user confirmation of such changes. Signatures are verified during booting, not when the boot loader is installed or updated. Therefore, UEFI Secure Boot does not stop boot path manipulations. It only prevents the system from executing a modified boot path once such a modification has occurred, and makes such modifications easier to detect.

Date: 2024-10-16 08:47:08
