
The story of how James Bottomley of the Linux Foundation tried to get a bootloader signed by Microsoft for UEFI Secure Boot

Hardware certified by Microsoft as compatible with Windows 8 must support UEFI Secure Boot, which does not allow unsigned code to be loaded at boot. This creates a big problem for anyone who wants to install a non-Windows OS on certified hardware. In October of this year, the Linux Foundation consortium announced that all Linux distributions will be able to use a universal preloader, which will be signed by Microsoft and will allow alternative systems to be booted relatively easily.

The loader was written and debugged long ago, but Microsoft has not signed it yet. Why? The path to obtaining the coveted signature turned out to be unusually long and thorny. James Bottomley, a member of the Linux Foundation board, describes how it went in his blog.

To get the bootloader signed, you need to register with the Microsoft System Software Certification Authority (sysdev), and for that you need a Verisign-signed certificate confirming that you are who you say you are. The certificate costs 99 US dollars. When creating a sysdev account, you must sign an executable file sent by Microsoft with the key from that certificate. Only after that is the account activated.

After that, you need to sign a paper contract which, among many other conditions, prohibits signing code under copyleft licenses (GPL and the like). After reviewing the document, Linux Foundation lawyers concluded that it is basically harmless in this particular case, but that in general it can create problems for those who want to sign something more serious than a small bootloader.
After this, the signing process itself begins. But you cannot simply upload an arbitrary executable file: it must be packaged in a Microsoft Cabinet container. Fortunately, the lcab program can do this under Linux. The packaged file must then be signed with the Verisign key, which can be done using osslsigncode. The file uploader is written in Silverlight, and Moonlight does not help, so James Bottomley had to upload the file from a Windows 7 virtual machine. Immediately before starting the upload, you must confirm once more that the executable file is not licensed under GPLv3 or a similar license.

After the upload, the file goes through processing that consists of seven steps. The first upload attempt hung at stage number 6, "signing files." A letter to Microsoft support, after 6 days of waiting, revealed that the signing process had been interrupted with an error indicating that the code being signed was not a valid Win32 application. To Bottomley's remark that this is a valid 64-bit executable for UEFI, and that it is rather strange to require Win32 compatibility from it, the support service did not respond.
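UEFI executables and Win32 programs share the PE/COFF container and differ in a few header fields. The following is an added example, not code from the article, from Bottomley or from Microsoft: it reads those fields so a submitter can confirm what kind of image is about to be sent for signing. The article does not say which check Microsoft's pipeline applied; the helper names and the header-only sample bytes are constructed for illustration.

```python
import struct

# Values from the PE/COFF specification.
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console", 10: "EFI application",
              11: "EFI boot service driver", 12: "EFI runtime driver"}

def describe_pe(data: bytes) -> dict:
    """Return the header fields that tell a UEFI image from a Windows one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                  # signature + 20-byte COFF header
    if len(data) < opt + 70:
        raise ValueError("file too short for the Subsystem field")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    if opt_size < 70:
        raise ValueError("optional header too short for the Subsystem field")
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": FORMATS.get(magic, hex(magic)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_efi": subsystem in (10, 11, 12),
    }

def build_sample(machine: int, magic: int, subsystem: int) -> bytes:
    """Constructed header-only sample for the demo; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 112, 0x0022)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(describe_pe(build_sample(0x8664, 0x20B, 10)))  # UEFI loader shape
    print(describe_pe(build_sample(0x014C, 0x10B, 3)))   # Win32 console shape
```

On a real file, pass the bytes read from disk to `describe_pe`; a 64-bit UEFI loader reports `PE32+` with an EFI subsystem, which a validator written only for Win32 subsystems would not recognise.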

However, on the second attempt, the file somehow did upload. A signed bootloader arrived in the Linux Foundation mailbox and worked fine on a computer with Secure Boot enabled, but the Microsoft website reported that the file could not be signed.

Puzzled, James Bottomley wrote to the support service again and received a reply that the file could not be used because it was signed "incorrectly," and that they would have to wait for further instructions. Bottomley suggests that the problem is that the file was signed with the universal Microsoft key for UEFI driver manufacturers (one that cannot be disabled), and not with a separate key for the Linux Foundation.

For now, the process has stalled at this point. The Linux Foundation will publish the bootloader on its website as soon as Microsoft signs it. The first computers with Windows 8 are already on sale...

Source: https://habr.com/ru/post/159657/

