The story of how James Bottomley of the Linux Foundation tried to get a bootloader signed by Microsoft for UEFI secure boot

    Hardware certified by Microsoft as compatible with Windows 8 must support UEFI secure boot, a technology that does not allow unsigned code to be loaded. This creates big problems for anyone who wants to install an operating system other than Windows on certified hardware. The Linux Foundation consortium announced in October this year that all Linux distributions will be able to use a universal preloader, which will be signed by Microsoft and will allow relatively painless booting of alternative systems.

    The bootloader was written and debugged long ago, but it has not yet been signed by Microsoft. Why? The path to obtaining the coveted signature turned out to be unusually long and thorny. Linux Foundation board member James Bottomley tells how it happened in his blog.

    To sign the bootloader, you need to register with the Microsoft System Software Certification Authority (sysdev), and for this you need a signed Verisign certificate confirming that you are who you say you are. The price of the certificate is 99 US dollars. When creating an account in sysdev, you must sign an executable file sent by Microsoft with the key from the certificate. Only then is the account activated.

    After that, you need to sign a paper agreement which, among many other conditions, prohibits signing code under copyleft licenses (GPL and the like). Having studied the document, Linux Foundation lawyers came to the conclusion that it is basically harmless in this particular case, but generally speaking, it can cause problems for those who want to sign something more serious than a small bootloader.

    After that, the signing process begins. But you can't just upload any executable file! It must be packed in a Microsoft Cabinet container. Fortunately, lcab allows you to do this under Linux. The packed file must then be signed with the Verisign key, which can be done using osslsigncode. The file uploader is written in Silverlight, and Moonlight is no help, so James Bottomley had to upload the file from a virtual Windows 7 machine. Just before starting the upload, you must once again confirm that the executable file is not licensed under GPLv3 or another similar license.

    After uploading, the file is processed in seven stages. The first upload attempt hung at step 6, “signing files”. A letter to Microsoft support after 6 days of waiting revealed that the signing process had been interrupted with an error indicating that the code being signed is not a valid Win32 application. Bottomley pointed out that this is valid 64-bit executable code for UEFI and that it is rather strange to require Win32 compatibility from it. The support service did not respond.

    However, on the second attempt, the file was somehow uploaded. A signed bootloader arrived in the Linux Foundation mailbox, and it worked fine on a computer with secure boot enabled, but the Microsoft website said that the file could not be signed.

    Perplexed, James Bottomley wrote to the support team once again and received the answer that the file cannot be used because it is signed “incorrectly” and that he should wait for further instructions. Bottomley suggests that the problem is that the file is signed with a Microsoft universal (non-revocable) key for UEFI driver manufacturers, and not a separate key for the Linux Foundation.

    For now, the process has stalled. The Linux Foundation will publish the bootloader on its site as soon as Microsoft signs it. The first computers with Windows 8 are already on sale ...

