Introduction

This page contains information about enabling FreeBSD to boot on UEFI systems where Secure Boot has been enabled.

Secure Boot requires that all boot-time code prior to the UEFI ExitBootServices call, be signed by a private key whose public key counterpart is known to the boot firmware.

Currently the only key that is guaranteed to be present in any given system is Microsoft's.

Additionally, to be certified for the Windows 8 logo program, systems must be have Secure Boot enabled, although they must provide a way to disable it and they must allow the user to add keys to the system. Microsoft also provides a service where binaries can be forwarded to them for signing with their key.

Existing Implementations

Fedora

The Fedora approach is detailed here.

In short, Fedora uses a boot shim which is signed using Microsoft's key. This shim then loads GRUB2, verifying it against a Fedora-issued certificate contained in the shim. GRUB2 boots in a locked down mode and loads the Linux kernel, verifying its signature against the Fedora key and enforcing certain constraints against any arguments provided to the kernel. The fact that boot occurred under Secure Boot is flagged.

During runtime, the Linux kernel will refuse to load modules that are not signed and will also refuse to allow any operation that would allow user-initiated DMA.

Ubuntu

The Ubuntu approach is detailed here.

In short, Ubuntu uses the same shim as Fedora but instead of using GRUB2, it loads a customised version of Intel's efilinux loader which then loads the kernel. Ubuntu takes a much more relaxed reading of the UEFI Secure Boot guidelines in that they have decided that since the restrictions only pertain to code executed prior to the ExitBootServices there is no need to perform verification of the kernel or restrict its operation post-boot.

Proposals for FreeBSD

Matthew Garrett's shim loader (source on Github), as used by both Ubuntu and Fedora, is under a license that appears to be compatible with the BSDL. I believe we should adopt this approach and use it to load a signed version of FreeBSD's EFI loader. The FreeBSD project should obtain a key, held by the FreeBSD Foundation, to use in verification and it should be used to sign releases.

In terms of whether we follow Fedora's locked-down runtime approach or Ubuntu's less restrictive approach, I believe we should permit both.

For a first stage, we should acquire the necessary keys and develop the necessary code to allow a system to boot using a Microsoft-signed shim and a FreeBSD-signed EFI loader. We should also users to generate their own keys, enrol them in the firmware and sign their own shim and/or loader.

The second stage would be to allow kernels and kernel modules to be signed and to permit the system to be fully locked down as per the Fedora approach. I believe this should be optional but supported. Additionally, certain elements could be enabled or disabled but only by a signed loader configuration. It may be worth investigating whether the user-facing components of this could be done using TrustedBSD MAC.

Contact

Repository

There is no code for this project yet as it is still in the planning stages.

Tasks

Secure boot, unrestricted runtime

Acquire FreeBSD signing key

Not started

Port shim loader

Done

Add mechanism to sign loader.efi

Done

Work out to what extend loader.efi needs to be locked down, including forth code

Not started

Add documentation on creating and enrolling custom keys

In progress

Add tools for signing boot1.efi, loader.efi and shim

Done

Secure boot, restricted runtime

Add tools for signing kernel and modules

Not started

Add code to loader.efi for kernel and module signature verification

Not started

Add code to kernel for module signature verification

Not started

Add code to kernel for prevention of user-initiated DMA

Not started

Additional Resources


CategoryTodo CategoryProject CategoryStale

SecureBoot (last edited 2021-07-13T02:52:31+0000 by KubilayKocak)