UEFI Secure Boot, Shim and Xen: Current Status and Developments
Daniel Kiper
Oracle
The UEFI Secure Boot protocol is used to verify the authenticity of a Portable Executable (PE) binary before it is loaded and executed. Usually, this is a second-stage bootloader, e.g. GRUB2, or an operating system kernel. Fedora's Shim and the Linux Foundation's PreLoader are extensions to UEFI Secure Boot that make the authentication process more flexible. This presentation will deal with the most important aspects of UEFI Secure Boot and Shim. Additionally, it will discuss how the Xen hypervisor's boot process can be protected with UEFI Secure Boot and a Shim binary. The presentation will show what is needed to make UEFI Secure Boot and Shim usable when booting Xen with GRUB2.
Xen · Boot Integrity
References
- Windows Secure Boot Key Creation and Management Guidance
- Linux UEFI SecureBoot mini-HOWTO
- Managing EFI Boot Loaders for Linux: Dealing with Secure Boot, Rod Smith (2018)
- Linux Foundation Secure Boot support released - what does it mean, Matthew Garrett (2013)
- RSA Signing is Not RSA Decryption
Specifications
- UEFI Specification Version 2.7
- Microsoft Portable Executable (PE) Format (2018)
- OSI X.509 Public-key and attribute certificate frameworks
- IETF RFC 5280: X.509 OSI PKI Certificate and CRL Profile (2008)
- IETF RFC 3447: PKCS #1 v2.1: RSA Cryptography Specifications (2003)
- IETF RFC 2315: PKCS #7: Cryptographic Message Syntax v1.5 (1998)
- NIST FIPS 180-4, Secure Hash Standard (SHS) (2015)