Freely subscribe to our NEWSLETTER

Wave, a Lee, Mass.-based trusted computing independent software vendor that was founded in 1988, is prepared to provide assurance to organizations that the secure boot system really works. The company announced a partnership with Microsoft in February that will provide "attestation" and computer health reporting services for Windows 8 systems. Wave, which provides its solutions to OEMs, also contributed a lot of input to Microsoft that went into Windows 8’s security model.

"We, Wave, are a trusted computing software provider and in the unique position as a software vendor and in the industry in that we’ve provided a lot of the industry capabilities around a lot of the Windows 8 security architectures, based on the Trusted Computing standards," said Brian Berger, executive vice president at Wave Systems and a board member of the Trusted Computing Group, in a phone interview conducted last week. "And so Wave has shipped over 110 million copies of security software based on those standards through the OEM channels."

Secure boot, which is also called "trusted boot" by Microsoft, is part of a Unified Extensible Firmware Interface (UEFI) specification. It isn’t Microsoft’s technology. The spec describes a way to sign bootloaders via a Certificate Authority before the operating system loads. The idea is to prevent rootkits (otherwise known as "bootkits") from taking control at the firmware level, something that currently goes undetected, even by the best antimalware software. Newer systems shipping with Windows 8 likely will have secure boot turned on by default, mostly because Microsoft is requiring that capability in its recommendations to OEMs.

Secure Boot and Linux
Clearly, secure boot has benefits that most computer users would want. However, developers and hobbyists testing Linux OSes on PCs fear that Microsoft’s requirement for chip builders to turn on secure boot in Windows RT systems by default will make it impossible to sign Linux OSes, thereby making it unlikely that mass-produced computers will be capable of duel-booting Windows and Linux OSes. In response, the nonprofit Linux Foundation appears to be moving forward with a plan to obtain a "pre-bootloader" from Microsoft that will work with any Linux or non-Linux OS distribution, according to a description by James Bottomley, chief technology officer of server virtualization at Parallels and a Linux kernel maintainer of the SCSI subsystem.

"In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)," Bottomley explained in a blog post. "The pre-bootloader will employ a ’present user’ test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems."

When available, this prebootloader will be available for anyone to download and use, according to Bottomley’s post.

Microsoft’s stipulation to chipmakers about turning on secure boot by default will have fewer restrictions for Linux developers on x86/x64 systems. That’s because Windows 8 will have a setting to disable secure boot, should anyone want to do such a thing. And it looks like they will be able to get signed certificates.

"I can’t really speak to Microsoft’s plans or architectures," Berger said. "We [Wave] look at how do we provide solutions on a Microsoft platform, whether Windows 8 or Windows RT — can we get UEFI modules signed by Microsoft or other third-party signing authorities? And the answer is ’Yes’ to that part. And in the case of a third party who has their own bootloader to perform a dual boot, they should be able to get that signed by Microsoft or another third party by the authority for UEFI. We haven’t seen that as a barrier to entry."

Berger did acknowledge the limitation for turning off secure boot on the Windows RT side, but said it would affect only some developers.

"Our understanding of secure boot disablement is that it can be done on x86 architectures — UEFI can be turned off by the user by going to the BIOS setup," Berger said. On the [Windows] RT side, our understanding that secure boot cannot be disabled."

Windows 8 and Trusted Platform Support

Despite the grumbling heard on the Linux side, Berger was upbeat about Microsoft’s implementation of security in Windows 8. He noted that the Wave Endpoint Monitor (WEM) product will provide notification to enterprises about the security of their Windows 8 platforms. Microsoft provided an opening for third-party vendors, such as Wave, to tap into the Windows 8 security plumbing, and even that of Windows 7 with its "legacy BIOS."

"The value of secure boot and WEM is about notification of your standing of your platform state and its integrity," Berger said. "Microsoft has done a great job of bringing more security to the platform going forward. We at Wave look at that and say, ’They’ve using the key components of the industry standards group — good going; allowing third parties to integrate into those areas — good story there; for us as an ISV, providing more value on top of the operating system for the end user, for the IT organization — is all good.’ We’re doing it on Windows 7 today, actually all of this stuff."