Tweet
Background on Secure Boot
Newer computers, made since around 2008 include UEFI BIOS (Unified Extensible Firmware Interface). One of the new features of UEFI is ‘Secure Boot’ which does not allow loading of drivers or operating systems that do not have a valid digital signature. This stops malicious software and unauthorized operating systems from being loaded. Typically computer manufacturers allow secure boot to be turned off. But all Windows 8 'logo certified' computers are required to ship with Microsoft Secure Boot enabled and without an option to disable it.
How this impacts on MemTest86
Initially the Memtest86 V5 beta release was not signed and thus blocked from running on machines with secure boot enabled. The behaviour in this case was either a blank black screen or in some cases falling back to run V4 of the MemTest86 software.
How to disable secure boot
There are detailed steps available from Microsoft here to disable and enable secure boot.
Getting MemTest86 V5 to work with secure boot
Obviously we want MemTest86 V5 to work on as many machines as possible and work without the need to re-config UEFI BIOS settings. Especially since the process to turn off secure boot might be obscure or non existent.
The process we are going through to get MemTest86 signed with a digital signature is,
Restrictions
Among other things, Microsoft place the following restrictions on the package to be signed.
MemTest86 V5 License - Open source impact
Secure boot and open source don't play nicely together. Complicated solutions have been developed where a 'shim loader' can be used to load a real loader, which then loads the operating system. But it seems likely that the shim loader then has to do chain checking of signatures before it would be approved. So it isn't a ideal solution and still doesn't allow 3rd parties to use the MemTest86 code to build a full working solution. So at least for the moment we are leaving MemTest V5 as closed source. However the older non UEFI MemTest V4 release will remain open source GPL licensed however.
Impact on future releases
Every patch we make on the V5 software, no matter how minor, will result in the whole package needing to be certified and signed again. This is going to slow down the release cycle and will probably mean people will have to live with bugs in the software longer than would have otherwise been the case. We have had a long beta period, so lets just hope there aren't too many bugs in V5.
Newer computers, made since around 2008 include UEFI BIOS (Unified Extensible Firmware Interface). One of the new features of UEFI is ‘Secure Boot’ which does not allow loading of drivers or operating systems that do not have a valid digital signature. This stops malicious software and unauthorized operating systems from being loaded. Typically computer manufacturers allow secure boot to be turned off. But all Windows 8 'logo certified' computers are required to ship with Microsoft Secure Boot enabled and without an option to disable it.
How this impacts on MemTest86
Initially the Memtest86 V5 beta release was not signed and thus blocked from running on machines with secure boot enabled. The behaviour in this case was either a blank black screen or in some cases falling back to run V4 of the MemTest86 software.
How to disable secure boot
There are detailed steps available from Microsoft here to disable and enable secure boot.
Getting MemTest86 V5 to work with secure boot
Obviously we want MemTest86 V5 to work on as many machines as possible and work without the need to re-config UEFI BIOS settings. Especially since the process to turn off secure boot might be obscure or non existent.
The process we are going through to get MemTest86 signed with a digital signature is,
- Sign a legal agreement with Microsoft, as Microsoft has effectively got themselves into a position where they can dictate what software you can and can't run on your PC.
- Purchase a new code signing certificate. (Most existing certificates are not suitable). It seems like we will need to pay each year to have this 'renewed'.
- Sign all our .EFI binaries
- Package up all the .efi binaries into a Microsoft format .CAB file.
- Submit the package to Microsoft via their 'Dashboard'.
- Wait
- Wait some more
- Fill out a Microsoft survey regarding the nature of the software you want to run.
- Wait
- Wait some more
- After about 5 weeks find out that the submission has failed for some unknown reason and without any explanation as to why.
- Try again
- Have some correspondence with Microsoft about possible buffer overflows on input files leading to root kit like security issues (a valid concern, but we think we are OK on this point).
- Wait some more.
- Update: We received signed binaries back from Microsoft 3/Dec/2013. So after a bit more testing we should be good to go for the V5 release.
Restrictions
Among other things, Microsoft place the following restrictions on the package to be signed.
- Modules to be signed must be ship-quality and should have already been tested using the Secure Boot Windows HCK manual tests.
- Modules to be signed must not allow untrusted code to execute. So you can't get a boot loader or similar package signed.
- Modules to be signed must not be licensed under GPLv3 or similar open source licenses. So a lot of open source code software is going to be blocked.
MemTest86 V5 License - Open source impact
Secure boot and open source don't play nicely together. Complicated solutions have been developed where a 'shim loader' can be used to load a real loader, which then loads the operating system. But it seems likely that the shim loader then has to do chain checking of signatures before it would be approved. So it isn't a ideal solution and still doesn't allow 3rd parties to use the MemTest86 code to build a full working solution. So at least for the moment we are leaving MemTest V5 as closed source. However the older non UEFI MemTest V4 release will remain open source GPL licensed however.
Impact on future releases
Every patch we make on the V5 software, no matter how minor, will result in the whole package needing to be certified and signed again. This is going to slow down the release cycle and will probably mean people will have to live with bugs in the software longer than would have otherwise been the case. We have had a long beta period, so lets just hope there aren't too many bugs in V5.