MJG's signed Shim for UEFI Secure Boot now available

There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:
http://mjg59.dreamwidth.org/20303.html
That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.
FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

kristof wrote: A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.
Largely true, but:
Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).
It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.
To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Windows, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.
At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.
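Both the announcement above and this reply come down to the same check: shim (and a MOK-aware boot manager) will only launch a grubx64.efi, rEFInd or kernel whose PE Authenticode signature chains to a key in db or in the MOK list. The usual tooling is sbsign to attach the signature (sbsign --key MOK.key --cert MOK.crt --output grubx64.efi grubx64.efi) and mokutil --import MOK.der to enrol the certificate; the signature itself lands in the PE "security" data directory as a WIN_CERTIFICATE blob. The parser below is an example added here, not code from the original posts, from shim or from rEFInd. It locates that certificate table in a PE32 or PE32+ file and reports whether a PKCS#7 (Authenticode) blob is present, which is the quick way to tell whether a binary you are about to hand to shim was actually signed. It does not verify the signature. The build_minimal_pe helper constructs a headers-only PE32+ image inline so the script runs offline; the path given on the command line is whatever EFI binary or kernel you want to inspect.

```python
"""Report whether a PE/COFF EFI binary (loader or kernel) carries an
Authenticode certificate table.  Added example; not code from the original
thread, shim or rEFInd.  It finds the table and reports its type only; it
does not verify the signature against db or MOK."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot used for Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for a PKCS#7 SignedData blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def find_security_directory(data):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    For the security directory the 'VirtualAddress' field is a raw file offset,
    not an RVA, because the table is not mapped into the loaded image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                # skip signature + COFF header
    magic, = struct.unpack_from("<H", data, opt_off)
    # NumberOfRvaAndSizes / first data directory differ between PE32 and PE32+
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs, = struct.unpack_from("<I", data, opt_off + ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    entry = opt_off + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", data, entry)


def inspect_signature(data):
    """Describe the certificate table: {'signed': bool, 'pkcs7_len': int}."""
    off, size = find_security_directory(data)
    if size == 0:
        return {"signed": False, "pkcs7_len": 0}
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table lies outside the file")
    # WIN_CERTIFICATE: DWORD dwLength; WORD wRevision; WORD wCertificateType; BYTE bCertificate[]
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length > size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return {"signed": False, "pkcs7_len": 0}
    return {"signed": True, "pkcs7_len": length - 8}


def build_minimal_pe(pkcs7=None):
    """Constructed, headers-only PE32+ image for the demonstration (not a real
    bootable binary).  If pkcs7 is given it is wrapped in a WIN_CERTIFICATE and
    the security directory is pointed at it, mimicking what sbsign produces."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt                     # 328 bytes of headers
    if pkcs7 is not None:
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert += b"\0" * (-len(cert) % 8)                     # table is 8-byte aligned
        entry = 64 + 24 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:                                                    # offline demo on the constructed image
        blob = build_minimal_pe(b"\x30\x82" + b"A" * 30)
    print(inspect_signature(blob))
```

Run it against the binary you intend to sign before and after sbsign: an unsigned grubx64.efi reports signed False, a signed one reports True with the DER length of the PKCS#7 blob. A kernel built with CONFIG_EFI_STUB is itself a PE file and can be checked the same way, which is the quickest way to confirm that a distribution kernel is, or is not, something shim will accept.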

Similar Messages

  • UEFI - Secure Boot & System partition

    What is the role of the System partition in Windows 8.1 & 7 for configuring UEFI & secure boot? Is it possible to deploy the OS using SCCM - OSD configured without a System partition and configure UEFI & secure boot?
    Thanks in advance. 

    Any idea if UEFI is compatible with SATA or SCSI drives? Is it compatible with SSD?
    Thanks,
    Jijukar 
    my box has UEFI and it supports secure boot, and it only has SATA
    so in short, yes it will work fine
    SSD and hard disks are both fine
    secure boot works best with a trusted platform module if available

  • I just got the iphone 4 and my husband already had on. we share an itunes account and i signed up for i cloud and now ALL  of my husbands contacts are on my phone ... so I started to delete them (because i thought it would just be off my phone) and he cal

    I just got the iPhone 4 and my husband already had one. We share an iTunes account and I signed up for iCloud and now ALL of my husband's contacts are on my phone ... so I started to delete them (because I thought it would just be off my phone) and he called screaming ... "please stop deleting ... they are coming off my phone!" So two things ... how can I get the contacts back (I got up to J) AND is there a way to get them off just my phone?

    Unfortunately there's no way to get back the contacts you deleted unless he backed them up somewhere else.  He'll just have to recreate them.  This happened because you are both syncing contacts with a shared iCloud account.  When you do this, the synced data is merged and any actions you take on one phone (such as deleting contacts) is also reflected on the other.  To fix this you both need to have separate iCloud accounts (you can continue to share the same Apple ID for purchasing from the iTunes and app stores).  To do this, on your phone go to Settings>iCloud and turn all data that is syncing with iCloud (contacts, calendars, etc.) to Off.  When prompted choose to keep the data on the iPhone.  After everything is turned off, scroll to the bottom and tap Delete Account.  (This will only delete the account from this phone, not from iCloud.  The other phone will not be affected by this.)  Next, set up a new iCloud account on your phone using a different Apple ID and turn iCloud data syncing for contacts, etc. back to On.  When prompted, choose Merge.  This will upload your data to your new account.  At this point you will have two different iCloud accounts, one for each phone, with identical data on them.
    You will then have to go to icloud.com on your computer and sign into each iCloud account separately and manually delete the unwanted data (such as deleting your husband's contacts from your account, and vice versa).  These changes will be reflected on each phone.  When finished you will have individual iCloud accounts with just your own data on them.

  • [Request] UEFI Secure boot Bios for: GTX660

    My old motherboard died so I have replaced my computer. I now have:
    4690K
    32gig ram
    Asus Maximus hero Vii mobo.
    All set to using secure boot / UEFI.
    Have installed Windows on a fresh GPT partition with secure boot and I'm currently using the on-chip HD4600 graphics.
    My GTX660 is sat beside me on the desk. (It's *waving*, currently feeling neglected)
    I'm unable to boot to Win 8.1 with the card plugged in as the computer complains about a non-UEFI device.
    Info from GFX card box:
    912-V287-001
    N660 TF 2GD5/OC
    PCI - E,N660,2G,GDDR5,Twin Frozr,OC,
    DL - DVI - I,DL - DVI - D,HDMI,DP,
    Power Cable,SLI
    S/N:602 - V287 - 04SB120902****
    I do not know the current BIOS on the card.
    1) As I'm currently unable to boot to Windows with the card installed, can the entire flash procedure be done from a DOS environment?
    techpowerup.com/downloads/2257/nvflash-5-136 - I think it can.
    2) Can someone provide me with a suitable BIOS file please?
    3) Once I perform this flash will I be able to use this GTX660 on an old non-UEFI system? (I plan to sell this card on, and get an MSI GTX970 next paycheck)

    Use the attached.
    Decompress the provided .rar archive with Winrar: http://www.rarlab.com/download.htm
    Then flash the included file with Nvflash for dos: http://www.guru3d.com/files_details/nvflash_download.html
    To do so rename the included file to .rom and create a dos bootstick (https://forum-en.msi.com/index.php?topic=165175.0)
    Put nvflash and the vbios file on it and boot from the stick. Then type nvflash -4 -5 -6 gop.rom (if renamed vbios that way) and hit enter. Confirm the questions and let the tool flash
    Quote from: farrantcj on 06-June-15, 15:52:09
    3) Once I perform this flash will I be able to use this GTX660 on an old non-UEFI system? (I plan to sell this card on, and get an MSI GTX970 next paycheck)
    Old boards with a legacy bios will have no problem as the vbios is hybrid and can work in UEFI and legacy mode. Only older boards with a UEFI bios that is not GOP compliant might run into issues.

  • UEFI secure boot

    To my great surprise, I have just noticed that Ubuntu uses a Microsoft-signed version of grub that accepts booting an unsigned kernel. https://wiki.ubuntu.com/SecurityTeam/SecureBoot. An attacker can easily use the Ubuntu signed version of grub together with an unsigned kernel to do all the evil things he wants. I don't understand how this has been accepted.
    Moreover it seems that secure boot has already been hacked http://securityaffairs.co/wordpress/254 … -uefi.html .
    Was security the real purpose of secure boot? I can't think so.
    Last edited by olive (2014-10-09 08:15:28)

    olive wrote:An attacker can easily use the Ubuntu signed version of grub together with an unsigned kernel to do all the evil things he wants.
    I always thought that this can be avoided by locking the boot entries and boot order in the UEFI/BIOS settings, and configuring an administrator password in the UEFI/BIOS that protects these settings.
    Even on a computer that does not use SecureBoot setting an administrator password for the UEFI/BIOS is a good idea to keep others from changing the settings.
    The fact that a lot of SecureBoot systems are vulnerable is no surprise to me given the large amount of bugs showing up in the UEFI firmwares. The UEFI bugs can be found in numerous threads on the forums.

  • Windows 7 Deployment via PXE to an UEFI + secure boot enabled Lenovo system.

    Hi Everyone,
    I was wondering if the above was possible. I have not yet put much energy into this UEFI and secure boot thingy, so I just told our supporters to change BIOS settings back to Legacy with secure boot disabled on the pre-Windows 8 delivered Lenovo systems.
    Deployment system :
    SCCM 2012 SP1 is running on a Windows Server 2008R2
    Regards
    Anders Jensen

    Thx

  • HT5312 I forgot the answers for my security questions, now I can't get into my AppleID. All because my rescue email address has been deactivated due to inactivity. Now what?

    Here is some bad luck.
    I forgot the answers for my security questions. I want to buy an app in the app store but Apple keeps asking me these questions I can't remember the answers to. All because my rescue email address has been deactivated due to inactivity. Now what?
    I tried to create my old email address again, but funny enough it told me that specific email address was already taken....

    You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.

  • HT204406 I signed up for iTunes Match and now I can't sync my Nano iPod.

    Hello,
    I recently signed up for iTunes Match and have successfully added my iPhone 4 and iPad.
    But I can no longer sync my music into my iPod Nano.
    I assume it has something to do with iTunes Match???
    Can anyone help me?
    Thanks,
    Pete Chatelain

    Hi,
    Played songs are put into a temporary cache.
    Go to settings > general >usage > storage > Music. Delete from here.
    Jim

  • Security Update now Available

    A new security update is available on the update site.....

    Hi syntrak,
    You must have been busy this week. The update is about three days old. But it's good to remind everyone to continually check for updates. Good job!

  • SAP Cloud for Customer SCN space now available

    If you haven't already checked it out, we now have a dedicated space just for SAP Cloud for Customer:
    http://scn.sap.com/community/cloud-for-customer
    Come join the conversation and engage with product management, solution management, knowledge management, and development from the SAP Cloud for Customer organization.
    Cheers,
    John

    Thanks Sathya for the response.
    https://scn.sap.com/community/cloud/blog/2013/10/10/new-e-learning-for-integration-of-sap-cloud-for-customer-with-sap-erp-and-sap-crm-now-available : Not working! => Please check & confirm.
    Just to give you our background...we are SAP Cloud Partners & VARs, hence we are building few prototypes for Customer Demos & POC.
    Per my understanding, it's just one of the OnPrem systems, either an ECC OnPrem or CRM OnPrem, that you can integrate with one C4C tenant at a time, i.e. to one single tenant. In our case, we are trying to integrate ECC OnPrem with the C4C system.
    We are in the process of deploying SAP PI as the middleware platform for integration between C4C & ECC/CRM OnPrem, which is going to take a few more weeks.
    SAP HCI will be the other approach, but we are currently not familiar with that, hence we have a trial starting in the coming week for SAP HCI, so this is going to take some time as well.
    Hence, WebService is the only currently available option for us to build these prototypes and POCs for Customer Demos, to show working integration scenarios between ECC OnPrem & the C4C system.
    We have been facing some technical issues after setting up the necessary communication systems/arrangements on the C4C system & trying to do a WS call from the SDK; we also get an error when we do a ping test from within the C4C system to check the connection.
    Has SAP developed any WS integration between C4C & either the ECC or CRM OnPrem system? Or is it just PI & HCI which SAP has for integration?
    I'd truly appreciate it if you can guide us on creating a few integration scenarios (working ones of course) using Webservice between C4C & the ECC OnPrem system.
    Many Thanks
    Ankur

  • RE: Skype for Web (Beta) is now available to every...

    Any update as to when Web.skype.com will work for Chromebooks?
    I receive page: https://web.skype.com/en/wrongDevice
    Sorry, Skype for Web (Beta) isn’t available on this device yet. Please try it on your desktop computer instead.

    Please try Skype for Web again on your Chromebook now. It should work (without calling obviously since there's not plugin available).

  • Announcement: Kanaka for Mac 2.7 now available

    All - I am pleased to announce that Novell Kanaka for Mac 2.7 is now available.
    See my blog posting for more details - Important Notice
    Thanks,
    Glen Davis
    Novell Product Manager

    Rick B wrote:
    > Simon Flood wrote:
    >
    >> On 13/06/2012 22:45, Rick B wrote:
    >>
    >>> Says not authorized.
    >>
    >> When accessing Glen's blog entry? If so, try again as it's now been
    >> published.
    >>
    >> What you may find is that Novell Kanaka for Mac 2.7 does not appear to
    >> be listed in the Novell Customer Center. If that is the case see if you
    >> have two entries for Novell Kanaka for Mac 2.6 listed as one of those
    >> will likely lead to version 2.7.
    >>
    >> I've commented on Glen's blog entry plus reported this to the team
    >> responsible for NCC.
    >>
    >> HTH.
    >
    > Ok have the link now. When click on the "proceed to download" it says that
    > "We're sorry, we are unable to complete the download at this time.
    >
    > A problem occurred trying to retrieve the information for this download
    > build. Please try your download again later."
    >
    > Is it not posted yet?
    >
    > Thanks
    Seems to be working now.

  • I have an Office jet pro 8600. I signed up for an app. Now I want to get rid of it, but how

    How do I get rid of an app?

    Hi,
    Please use the following link (under "Manage Print Apps" to cancel/remove it:
      http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02940901&cc=us&dlc=en&lc=en&product=5058336&tmp...
    You may also get this:
    My Print Apps
    To view and manage print apps for your printer, use the display on the printer itself. This website cannot manage print apps for your printer. In this case, you have to cancel from your printer.
    Regards.
    BH

  • Forgot security pin, now phone is disabled

    I locked my phone and went into surgery and now I forgot the passcode and my phone is disabled, so how do I unlock my phone (5S)?

    See the following: Forgot passcode for your iPhone, iPad, or iPod touch, or your device is disabled - Apple Support

  • Upgraded to Yosemite, signed up for iCloud and an now want to close iCloud account. How do I do that?

    How do I close an iCloud account in notebooks?

    I'm not completely certain what you are wanting to do but maybe: Apple Menu > System Preferences > iCloud > Sign Out?
    or downgrade your storage plan: iCloud storage upgrades and downgrades
    or other iCloud management: Manage your iCloud storage
