
Using MOK and UEFI Secure Boot with SUSE Linux


For some reason, people still think UEFI Secure Boot doesn’t work with Linux. In reality, Linux has some innovative uses for Secure Boot, such as the Machine Owner Key (MOK) in SUSE.

A Machine Owner Key (MOK) is a type of key that a user generates and uses to sign an EFI binary. The point of a MOK is to give users the ability to run locally-compiled kernels, boot loaders not delivered by the distribution maintainer, and so on.

-- http://www.rodsbooks.com/efi-bootloaders/secureboot.html

SUSE presented the MOK concept at last September’s Intel Developer Forum (IDF) in San Francisco. MOK is a way for the machine owner to have ownership over the platform’s boot process, so they can install a custom kernel or kernel modules and still work with UEFI Secure Boot. MOK has been part of the SUSE UEFI Secure Boot feature plan for quite some time.

If the user (machine owner) wants to replace any components of the boot process, Machine Owner Keys (MOKs) are to be used. The mokutils tool will help with signing components and managing MOKs.

The enrollment process begins with rebooting the machine and interrupting the boot process (e.g., pressing a key) when shim loads. shim will then go into enrollment mode, allowing the user to replace the default SUSE key with keys from a file on the boot partition. If the user chooses to do so, shim will then calculate a hash of that file and put the result in a Boot Services Only variable. This allows shim to detect any change of the file made outside of Boot Services and thus avoid tampering with the list of user-approved MOKs.

-- From ‘Secure Boot’ in the SLES 11 Administration Guide

Users with local access can manually enroll keys for items they trust in the SUSE Linux boot process. This is a localized version of the KEK/db system used for the UEFI Certificate Authority (UEFI CA). By relying on the signed shim loader, platform owners can self-sign a custom Linux kernel or kernel drivers without going through the UEFI CA process.
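The tamper check the guide excerpt describes (shim hashes the owner-approved key file and keeps the hash in a Boot Services Only variable, which the running OS cannot write) as an added simulation, not shim's or SUSE's code; the variable name, the ESP file name and the key bytes are constructed for illustration:

```python
import hashlib

# Minimal model of the UEFI variable store. A Boot Services Only variable
# can be written while boot services are active (firmware, shim) but is
# neither readable nor writable by the OS after ExitBootServices.
class VariableStore:
    def __init__(self):
        self._vars = {}  # name -> (value, boot_services_only)

    def write(self, name, value, boot_services_only, at_runtime):
        existing = self._vars.get(name)
        if at_runtime and (boot_services_only or (existing and existing[1])):
            raise PermissionError(f"{name} is Boot Services Only")
        self._vars[name] = (value, boot_services_only)

    def read(self, name):
        entry = self._vars.get(name)
        return entry[0] if entry else None

MOK_LIST_FILE = "MokList.der"   # constructed name for the key file on the ESP
MOK_HASH_VAR = "MokListHash"    # constructed name for shim's BS-only variable

def shim_enroll(store, esp):
    """Shim at boot, after the owner approves the key file: record its hash."""
    digest = hashlib.sha256(esp[MOK_LIST_FILE]).digest()
    store.write(MOK_HASH_VAR, digest, boot_services_only=True, at_runtime=False)
    return digest

def shim_verify(store, esp):
    """Shim on every later boot: trust the file only if it still matches."""
    recorded = store.read(MOK_HASH_VAR)
    current = hashlib.sha256(esp[MOK_LIST_FILE]).digest()
    return recorded is not None and recorded == current

def os_update_hash(store, esp):
    """OS-level attempt to re-record the hash: the ESP file is writable
    (plain FAT), but the matching variable is not, so this raises."""
    digest = hashlib.sha256(esp[MOK_LIST_FILE]).digest()
    store.write(MOK_HASH_VAR, digest, boot_services_only=True, at_runtime=True)

def demo():
    store = VariableStore()
    esp = {MOK_LIST_FILE: b"OWNER-MOK-DER (constructed)"}
    shim_enroll(store, esp)
    ok_before = shim_verify(store, esp)
    esp[MOK_LIST_FILE] = b"UNAPPROVED-KEY-DER (constructed)"  # change made from the OS
    ok_after = shim_verify(store, esp)
    try:
        os_update_hash(store, esp)
        hash_rewritten = True
    except PermissionError:
        hash_rewritten = False
    return ok_before, ok_after, hash_rewritten
```

`demo()` returns `(True, False, False)`: the approved file verifies, the file modified from the OS does not, and the OS cannot repair the mismatch because the recorded hash lives outside its reach.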

For more information, check out the Intel/SUSE presentation from IDF 2013 or the SUSE Secure Boot Certificate page. Both pages include a video demonstration of MOK enrollment on SLES 11.

Brian Richardson is a Senior Technical Marketing Engineer with Intel’s Software and Services Group (SSG). Brian worked in BIOS & UEFI for 15 years before coming to Intel in August 2011. Along with contributing to firmware.intel.com, Brian presents at Intel Developer Forum and UEFI Forum Plugfests. Brian’s opinions aren’t always the same as Intel’s, even when he’s blogging on firmware.intel.com.
