Parece que en un oculto intento por detener la posible victoria de la comunidad Linux en contra del secure boot para computadoras con arquitectura ARM, la responsable de Windows no facilita el camino.
Microsoft no ha querido dar “firmas” (autorizar en palabras finas) el UEFI open source que The Linux Foundation ha preparado para que la instalación de OS basados en el kernel de Linux puedan ser instalados en computadoras ARM que ya tienen Windows 8 según revela James Bottomley de la fundación de Linux.
Adventures in Microsoft UEFI Signing
As I explained in my previous post, we have the code for the Linux Foundation pre-bootloader in place. However, there was a delay while we got access to the Microsoft signing system.
The first thing you have to do is pay your $99 to Verisign (now Symantec) and get a verified by Verisign key. We did this for the Linux Foundation, and all they want to do is call head office to verify. The key comes back in a URL that installs it in your browser, but the standard Linux SSL tools can be used to extract this and create a usual PEM certificate and key. This is nothing to do with UEFI signing, but it’s used to validate to the Microsoft sysdev system that you are who you say you are. Before you can even create a sysdevaccount, you have to prove this by signing an executable they give you and upload it. They make strict requirements that you sign it on a specific Windows platform, but sbsign worked just as well and bingo our account is created.
Once the account is created, you still can’t upload UEFI binaries for signature without first signing a paper contract. The agreements are pretty onerous, include a ton of excluded licences (including all GPL ones for drivers, but not bootloaders). The most onerous part is that the agreements seem to reach beyond the actual UEFI objects you sign. The Linux Foundation lawyers concluded it is mostly harmless to the LF because we don’t ship any products, but it could be nasty for other companies. According to Matthew Garrett, Microsoft is willing to negotiate special agreements with distributions to mitigate some of these problems.
Once the agreements are signed then the real technical fun begins. You don’t just upload a UEFI binary and have it signed. First of all you have to wrap the binary in a Microsoft Cabinet file. Fortunately, there is one open source project that can create cabinet files called lcab. Next you have to sign the cabinet file with your Verisign key. Again, there is one open source project that can do this: osslsigncode. For anyone else needing these tools, they’re now available in my openSUSE Build Service UEFI repository. The final problem is that the file upload requires silverlight. Unfortunately, moonlight doesn’t seem to cut it and even with the version 4 preview, the upload box shows up blank, so time to fire up windows 7 under kvm. When you get to this stage, you also have to certify that the binary “to be signed must not be licensed under GPLv3 or similar open source licenses”. I assume the fear here is key disclosure but it’s not at all clear (or indeed what “similar open source licences” actually are).
Once the upload is done, the cabinet file goes through seven stages. Unfortunately, the first test upload got stuck in stage 6 (signing the files). After about 6 days, I sent a support email in to Microsoft asking what was going on. The response: “The error code thrown by our signing process is that your file is not a valid Win32 application? Is it valid Win32 application?”. Reply: obviously not, it’s a valid UEFI 64 bit binary. No further response …
Tried again. This time I got a download email for the signed file and the dashboard says the signing failed. Downloaded and verified. The binary works on the secure boot platform and is signed with the key
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011Asked support why the process was indicating failed but I had a valid download and, after a flurry of emails, got back “Don’t use that file that is incorrectly signed. I will get back to you.” I’m still not sure what the actual problem is, but if you look at the Subject of the signing key, there’s nothing in the signing key to indicate the Linux Foundation, therefore I suspect the problem is that the binary is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation.
However, that’s the status: We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use.
Como recordarán, The Linux Foundation prácticamente estará llevando de la mano con Microsoft para buscar que su mini bootloader pueda ir en paz en conjunto al UEFI que es lo que en realidad permite que Windows 8 pueda cargar en menos de 10 segundos pero no permite la instalación de otros sistemas operativos ya que el bootloader está restringido por razones que se desconocen fuera de tratar de frenar el aumento de público usando Linux.
El problema de que Microsoft no quiere dar por firmado el mini bootloader se trata que el mecanismo no cumple con un estándar donde los componentes del bootloader deben llevar componentes de Windows, pero el problema en realidad es que en realidad, la falta de Silverlight propietariamente para Linux dificulta subir el archivo CAB que incluye el bootloader y Moonlight (emulador de Silverlight), el proyecto independiente que ha intentado emular a la plataforma de contenido web de Microsoft no funciona para esto.
Recientemente The Linux Foundation había considerado hacer la competencia a Microsoft en establecer propios estándares y crear su propio sistema de autorizaciones pero por las condiciones actuales del mercado y el alto costo que requerirá implementarlo se abandonó.
