Open Source Market Segment LS
Open Source Market Segment RS
Wednesday, 03 July 2013 10:19

SUSE working on using kexec, hibernation on secure boot Featured


Developers at SUSE, the Linux company based in Germany, are working on cryptographic technology to allow the use of both hibernation and kexec by Linux on secure boot-enabled machines, according to Vojtech Pavlik, director of SUSE Labs and head of kernel development at the company.

"We, at SUSE, are currently working on cryptographic technology of signing both hibernation images and kexec images to allow the use of these features even in secure boot mode, without compromising the security model," Pavlik (pictured above) said, in response to queries.

Secure boot is a feature of the Unified Extensible Firmware Interface or UEFI, the replacement for the BIOS on the motherboard.

Microsoft's implementation of secure boot in Windows 8 uses cryptographic keys to authenticate the kernel that is being loaded. Microsoft has implemented secure boot and requires that it be turned on on all hardware that is pre-installed with Windows 8. Hence anyone who wishes to boot an image on such hardware would need to obtain a key from Microsoft.

Some GNU/Linux distributions have developed their own methods of booting on such hardware. However, installing such distributions alongside Windows 8 is still not an easy task for the average user.

The use of hibernation does not satisfy the secure boot security model because the image that returns from hibernation cannot be verified. And the system call kexec allows one to replace the running kernel with a different program.

Attempts by Red Hat developers to get code into the mainline kernel, that would enable a kernel running in secure boot-mode to dynamically load keys, resulted in a spray by Linux creator Linus Torvalds earlier this year.

Pavlik, who has been a central figure in developing a way to boot Linux on a secure boot-enabled system, responded to other questions about secure boot at length; his edited responses are below.

iTWire: We've had secure boot out in the public space for more than six months now. Is it still regarded as a security feature or something that locks one in?

Vojtech Pavlik: There has been a lot of effort put into taming secure boot by the Linux community. What once was a clear threat to the freedom associated with the PC platform and by some perceived as the beginning of an end of hobbyist  computing, has been turned into a feature that does offer some  advantages.

The major milestones that allowed this were making the "Secure Boot Off" option a mandatory part of platforms certified for Windows 8. The other was the development and the adoption of the MOK concept, which gives the owner of the computer full control of what software they want to run, even in a secure boot environment.

Concerns and limitations still remain,  though. A major one is that the UEFI CA, the central signing authority, is  run by Microsoft, who, through that, exert significant control over the PC platform. Another is whether the level of protection that secure boot adds is  worth the limitations it imposes on the system.

Linux distributions are still struggling to live with Windows 8. Secure  boot may be over as a hurdle for some, but to install something easily is still not possible. When do you see this changing?

I can't talk about other distributions, obviously. openSUSE 13.1 will share the polished UEFI and secure boot implementation from SLES11 SP3, and will configure it through the usual installation procedure. We intend to include the ability to dual boot Windows seamlessly. openSUSE release 13.1 is slated  for November of this year.

Certain features in the Linux kernel like hibernation and kexec have to be turned off to satisfy Microsoft's requirements for secure boot. Are you comfortable with this?

In fact, it's not Microsoft's requirements, it's the Secure Boot security  model that is the reason why hibernation (suspend to disk) and kexec have to be disabled when Secure Boot mode is on. Without disabling them, Secure Boot wouldn't hold water, it'd be possible to circumvent its protection too easily.

We at SUSE are currently working on cryptographic technology of signing both hibernation images and kexec images to allow the use of these features even in Secure Boot mode, without compromising the security model. We'll be submitting that to upstream projects, once it's verified to work. (maybe try to get them in openSUSE first, that'd be a great feature to  advertise and a good place to test). On a side note, to my best knowledge, Microsoft's own hibernation implementation in Windows 8 is not cryptographically protected.

Have you ever given thought to providing an easy means for openSUSE to turn off secure boot? After all, Windows 8 will continue to function.

Turning secure boot off should be possible from the UI of every UEFI firmware. And our experience on machines available in the market confirms that. It's not necessarily easy for an inexperienced user, and it's not standardised how this should be done, but the option is there.

To make the process easier and the same for all users, openSUSE could provide an "ignore secure boot" switch in the shim loader. It wouldn't turn off secure boot per se, but it would allow booting a system without any restrictions. This switch would still meet all security and certification requirements per the secure boot security model. However, I'm not at all convinced it's such a good idea to provide it: an unexpecting user could be tricked into disabling secure boot even when that wasn't their intent.

What has been the reaction from users of openSUSE to getting it installed on secure boot systems?

There has been surprisingly little. After all, secure boot in openSUSE 12.3 is marked as experimental and there aren't that many machines in the wild that would need secure boot, so for 12.3 I assume the most common, and most reasonable reaction is just to disable secure boot in the firmware.

Any plans to provide a GUI so that users can add their own keys to a system?

At this point we have a nice command line interface and the addition of keys will be automatically initiated when installing packages that need extra keys - like proprietary graphics drivers. Having a YaST interface for key management is certainly planned, but I can't say when exactly it'll be made available.

Read 7476 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News