Partner Gives Microsoft Assist in Windows 8 'Secure Boot' Controversy
- By Kurt Mackie
- October 22, 2012
A new "secure boot" firmware protocol supported in Windows 8 has its doubters, but Microsoft ISV Wave Systems is prepared to assure organizations that the system really works.
The Lee, Mass.-based trusted computing vendor announced a partnership with Microsoft in February that will provide "attestation" and computer health reporting services for Windows 8 systems. Wave, which provides its solutions to OEMs, also contributed a lot of input to Microsoft that went into Windows 8's security model.
"We, Wave, are a trusted computing software provider and in the unique position as a software vendor and in the industry in that we've provided a lot of the industry capabilities around a lot of the Windows 8 security architectures, based on the Trusted Computing standards," said Brian Berger, executive vice president at Wave Systems and a board member of the Trusted Computing Group, in a phone interview this month. "And so Wave has shipped over 110 million copies of security software based on those standards through the OEM channels."
Secure boot, which is also called "trusted boot" by Microsoft, is part of a Unified Extensible Firmware Interface (UEFI) specification. It isn't Microsoft's technology. The spec describes a way to sign bootloaders via a Certificate Authority before the operating system loads. The idea is to prevent rootkits (otherwise known as "bootkits") from taking control at the firmware level, something that currently goes undetected, even by the best anti-malware software. Newer systems shipping with Windows 8 likely will have secure boot turned on by default, mostly because Microsoft is requiring that capability in its recommendations to OEMs.
Secure Boot and Linux
Clearly, secure boot has benefits that most computer users would want. However, developers and hobbyists testing Linux OSes on PCs fear that Microsoft's requirement for chip builders to turn on secure boot in Windows RT systems by default will make it impossible to sign Linux OSes, thereby making it unlikely that mass-produced computers will be capable of dual-booting Windows and Linux OSes. In response, the nonprofit Linux Foundation appears to be moving forward with a plan to obtain a "pre-bootloader" from Microsoft that will work with any Linux or non-Linux OS distribution, according to a description by James Bottomley, chief technology officer of server virtualization at Parallels and a Linux kernel maintainer of the SCSI subsystem.
"In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)," Bottomley explained in a blog post. "The pre-bootloader will employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems."
Once released, the pre-bootloader will be available for anyone to download and use, according to Bottomley's post.
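The two decisions described above, the firmware's signature policy and the pre-bootloader's "present user" gate, can be modelled in a few dozen lines. The following is an added example written for this article; it is not firmware source, not the Linux Foundation pre-bootloader and not Microsoft code. Real firmware verifies an Authenticode signature against X.509 certificates enrolled in the db variable; this model uses the other entry type the UEFI specification allows, SHA-256 image hashes, so the policy logic runs with only the Python standard library. The image contents, the db/dbx contents and the `boot()` helper are constructed for the example.

```python
"""Constructed model of UEFI Secure Boot image authorization plus a
"present user" pre-bootloader. Example code for this article, not the
code of any firmware vendor, Microsoft, or the Linux Foundation."""
import hashlib


def image_hash(image: bytes) -> str:
    """SHA-256 of a boot image, standing in for an Authenticode digest."""
    return hashlib.sha256(image).hexdigest()


class Firmware:
    """Minimal model of the firmware's image-loading policy."""

    def __init__(self, db, dbx, secure_boot=True):
        self.db = set(db)    # authorized image hashes (allow list)
        self.dbx = set(dbx)  # forbidden image hashes (revocation list)
        # The article notes the setting can be turned off on x86/x64 but not RT.
        self.secure_boot = secure_boot

    def authorize(self, image: bytes) -> str:
        """Return 'run', 'revoked' or 'unsigned'. dbx is consulted before db,
        so a revoked image stays blocked even if its hash is still in db."""
        if not self.secure_boot:
            return "run"
        h = image_hash(image)
        if h in self.dbx:
            return "revoked"
        if h in self.db:
            return "run"
        return "unsigned"


class PreBootloader:
    """Signed stub that chain-loads a predesignated second-stage loader
    without checking its signature, but only when a person is physically
    present. The presence gate is what stops the stub from being a
    hands-off path for malware: an unattended machine never passes it."""

    def __init__(self, next_loader: bytes):
        self.next_loader = next_loader

    def chain_load(self, user_present: bool) -> str:
        return "run" if user_present else "refused"


def boot(firmware: Firmware, image: bytes, chain=None, user_present=False) -> str:
    """Firmware authorizes the first-stage image; if that image is the
    pre-bootloader stub, the stub then decides whether to hand off."""
    verdict = firmware.authorize(image)
    if verdict != "run" or chain is None:
        return verdict
    return chain.chain_load(user_present)


# Constructed sample images (the bytes are placeholders, not real binaries).
WINDOWS_LOADER = b"constructed: signed OS loader"
REVOKED_LOADER = b"constructed: old loader later added to dbx"
UNSIGNED_LOADER = b"constructed: locally built loader, never signed"
PREBOOT_STUB = b"constructed: signed pre-bootloader stub"


def build_firmware() -> Firmware:
    """Constructed db/dbx: the revoked loader is in both, dbx must win."""
    return Firmware(
        db=[image_hash(WINDOWS_LOADER), image_hash(REVOKED_LOADER),
            image_hash(PREBOOT_STUB)],
        dbx=[image_hash(REVOKED_LOADER)],
    )


def demo() -> dict:
    """Run each scenario the article discusses and collect the verdicts."""
    fw = build_firmware()
    stub = PreBootloader(UNSIGNED_LOADER)
    return {
        "windows": boot(fw, WINDOWS_LOADER),
        "revoked": boot(fw, REVOKED_LOADER),
        "unsigned": boot(fw, UNSIGNED_LOADER),
        "chain_attended": boot(fw, PREBOOT_STUB, stub, user_present=True),
        "chain_unattended": boot(fw, PREBOOT_STUB, stub, user_present=False),
        "secure_boot_off": boot(Firmware([], [], secure_boot=False), UNSIGNED_LOADER),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18} -> {verdict}")
```

The ordering in `authorize()` is the point worth checking in any real implementation: a revocation list that is consulted after the allow list is no revocation list at all, and the `chain_unattended` scenario shows why the presence test, not the Microsoft signature on the stub, is what keeps the chain-loading path from being usable by something running without a person at the keyboard.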
Microsoft's stipulation to chipmakers about turning on secure boot by default will have fewer restrictions for Linux developers on x86/x64 systems. That's because Windows 8 will have a setting to disable secure boot, should anyone want to do such a thing. And it looks like they will be able to get signed certificates.
"I can't really speak to Microsoft's plans or architectures," Berger said. "We [Wave] look at how do we provide solutions on a Microsoft platform, whether Windows 8 or Windows RT -- can we get UEFI modules signed by Microsoft or other third-party signing authorities? And the answer is 'Yes' to that part. And in the case of a third party who has their own bootloader to perform a dual boot, they should be able to get that signed by Microsoft or another third party by the authority for UEFI. We haven't seen that as a barrier to entry."
Berger did acknowledge the limitation for turning off secure boot on the Windows RT side, but said it would affect only some developers.
"Our understanding of secure boot disablement is that it can be done on x86 architectures -- UEFI can be turned off by the user by going to the BIOS setup," Berger said. "On the [Windows] RT side, our understanding [is] that secure boot cannot be disabled."
Windows 8 and Trusted Platform Support
Despite the grumbling heard on the Linux side, Berger was upbeat about Microsoft's implementation of security in Windows 8. He noted that the Wave Endpoint Monitor (WEM) product will provide notification to enterprises about the security of their Windows 8 platforms. Microsoft provided an opening for third-party vendors, such as Wave, to tap into the Windows 8 security plumbing, and even that of Windows 7 with its "legacy BIOS."
"The value of secure boot and WEM is about notification of your standing of your platform state and its integrity," Berger said. "Microsoft has done a great job of bringing more security to the platform going forward. We at Wave look at that and say, 'They're using the key components of the industry standards group -- good going; allowing third parties to integrate into those areas -- good story there; for us as an ISV, providing more value on top of the operating system for the end user, for the IT organization -- is all good.' We're doing it on Windows 7 today, actually all of this stuff."
WEM measures the platform state before the operating system loads. The company is currently working with OEMs on implementing it with Windows 8. Wave's product also will enable integration with so-called "early launch anti-malware" (ELAM) software vendors. Windows 8 will enable anti-malware vendors to check the boot loader firmware during an ELAM phase of the bootup. Wave's product isn't providing anti-malware itself, but it does deliver the notifications if something's wrong at the ELAM stage.
Wave also provides support for self-encrypting drive (SED) technology, which allows drive manufacturers to add cryptographic capabilities to hard drives, based on the Opal Storage Specification of the Trusted Computing Group. Wave's technology ensures the compliance of SEDs and works with rotating media, solid-state drives and even hybrid drives, according to Berger.
Wave recently announced a cloud service via its EMBASSY Remote Administration Server (ERADS) product that supports SEDs. ERADS provides lifecycle management for the trusted platform module (TPM) of drives and it can also manage Microsoft BitLocker deployments, Berger explained.
"It provides a very clean solution for organizations who want mixed environments with different security needs," Berger said. "Whether they want VPN or network access control solutions or platforms as a token or they want data at rest using self-encrypting drives or they like encryption based on BitLocker, maybe on desktop machines, we have one solution that has one console for all. And that same solution has the plug-in for WEM. So now we have the platform integrity component."
Some organizations are looking at BitLocker, a Microsoft drive encryption technology, as an alternative security approach to using self-encrypting drives. However, self-encrypting drives are still the security measure of choice for mobile workers, according to Berger.
In general, Berger sees Microsoft as having baked TPM support into the operating system with Windows 8. He added that trusted computing is becoming a category by itself, and that's changing how platform security is being built.