
Secure Boot is a security standard developed by the PC industry to help ensure that a PC boots only software trusted by the platform owner and manufacturer. It is a feature of UEFI (Unified Extensible Firmware Interface): before running a boot loader, the firmware verifies its signature against the certificates in its signature database (db) and its blocklist (dbx), and refuses to execute anything that is not signed by a trusted key. But can you install third-party drivers with Secure Boot enabled? The answer is yes, with some considerations. This article walks through how it is done on a Linux system.
Yes, you can install third-party drivers with Secure Boot, but they need to be signed with a certificate the kernel trusts. By creating your own key pair and enrolling the certificate as a Machine Owner Key, you can sign and load third-party drivers while keeping Secure Boot enabled and keeping its protection against unsigned boot code and modules.
Understanding Secure Boot
Secure Boot is designed to prevent unauthorized code from running during startup, adding a layer of protection below the operating system. It is part of UEFI, which replaced the traditional BIOS on most PCs. The firmware holds a database of trusted certificates (db) and a blocklist (dbx) and checks the boot loader's signature against them before executing it; the boot loader then verifies the kernel, and distribution kernels booted under Secure Boot go on to verify the signature of every module they load. If any link in this chain is not signed by a trusted key, it is refused rather than run.
Third-Party Drivers and Secure Boot
In this context, "third-party drivers" are kernel modules that do not ship with your distribution's kernel: proprietary graphics drivers, virtualization modules, or anything built locally through DKMS. They can add functionality or performance, but a kernel module runs with full kernel privileges, so a malicious or buggy one is a serious risk. Because such modules are not signed by the distribution's kernel signing key, a kernel running under Secure Boot refuses to load them and modprobe fails.
However, this doesn't mean you can't use third-party drivers with Secure Boot. You can, but the modules need to be signed with a certificate the kernel trusts. This is where the Machine Owner Key (MOK) comes into play.
Machine Owner Key (MOK)
The Machine Owner Key mechanism comes from shim, the signed first-stage boot loader most Linux distributions use. Alongside the firmware's own db, shim keeps a second list of trusted certificates, the MOK list, stored in UEFI variables and controlled by the machine's owner rather than by the manufacturer or the distribution. Certificates in that list are handed to the kernel at boot and placed on its trusted keyring, so a module signed with the matching private key loads as if the distribution had signed it.
To sign a driver you first need a key pair. Create it with openssl:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
In this command, req -new -x509 tells openssl to produce a new self-signed X.509 certificate rather than a certificate signing request; -newkey rsa:2048 creates a fresh 2048-bit RSA key for it; -keyout MOK.priv names the private key file, which is written in PEM format regardless of the -outform setting; -outform DER and -out MOK.der write the certificate in DER encoding, which is what mokutil expects, under that name; -nodes ("no DES") leaves the private key unencrypted, so keep the file readable by root only; -days 36500 sets the certificate's validity period, and a long one spares you from re-enrolling; and -subj "/CN=Descriptive common name/" sets the subject name, which later appears in mokutil and modinfo output, so choose something you will recognise.
Signing the Driver
Kernel modules are not UEFI executables, so sbsign, which signs PE/COFF binaries such as boot loaders and the kernel image, cannot sign them. The kernel source tree ships its own tool for this, scripts/sign-file, which Debian and Ubuntu install with the kernel headers (Ubuntu also provides a kmodsign wrapper that takes the same arguments):
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der driver.ko
Here sha256 is the hash algorithm, MOK.priv the private key, MOK.der the certificate (sign-file accepts either DER or PEM), and driver.ko the module to sign. Without a fifth argument the module is signed in place; add an output path such as driver-signed.ko to leave the original untouched. The tool appends a PKCS#7 signature and a short trailer ending in the string "~Module signature appended~" to the module file; that trailer is what the kernel looks for at load time. You can confirm the result with
modinfo -F signer driver.ko
which prints the common name from your certificate.
Enrolling the MOK
The final step is to enroll the certificate as a Machine Owner Key so that shim, and through it the kernel, trusts it. As root, run:
mokutil --import MOK.der
mokutil stages an enrollment request in a UEFI variable and asks you to choose a one-time password. Reboot; shim notices the pending request and starts MokManager, a text-mode menu, before the operating system loads. Choose "Enroll MOK", then "Continue", confirm with "Yes" and enter the password you chose, then reboot. The certificate is now in the MOK list: mokutil --list-enrolled shows it, and a module signed with the matching private key loads normally. Enrollment is per machine; every system that should load the module needs the same certificate enrolled.
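The whole procedure as one script, added here as an example and not taken from the original article. It assumes a Debian/Ubuntu layout in which the running kernel's headers provide scripts/sign-file (or the kmodsign wrapper is on PATH) and that openssl, modinfo and mokutil are installed; the key file names, the --run flag and the module_is_signed pre-flight check are the script's own conventions, not part of any of those tools.

```shell
#!/bin/sh
# Added example: sign an out-of-tree kernel module with a Machine Owner Key
# and stage the certificate for enrollment. Not part of the original article.
# Assumptions (not in the article): scripts/sign-file lives under
# /usr/src/linux-headers-$(uname -r)/ (Debian/Ubuntu layout) or kmodsign is
# on PATH; openssl, modinfo and mokutil are installed; run as root for mokutil.

MOK_KEY="${MOK_KEY:-MOK.priv}"    # private key (PEM); guard it like a root password
MOK_CERT="${MOK_CERT:-MOK.der}"   # certificate (DER); this is what mokutil enrolls
SIG_STRING='~Module signature appended~'   # kernel trailer magic, followed by '\n'

# Create the key pair once. -x509 yields a self-signed certificate (not a CSR);
# -outform DER applies to the certificate only, the key is still written as PEM.
gen_key() {
    [ -f "$MOK_KEY" ] && return 0
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=Local module signing key/" \
        -keyout "$MOK_KEY" -outform DER -out "$MOK_CERT"
    chmod 600 "$MOK_KEY"
}

# Locate the kernel's module signing helper: sign-file from the running
# kernel's headers, or Ubuntu's kmodsign wrapper (same argument order).
find_sign_file() {
    if [ -x "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" ]; then
        echo "/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
    elif command -v kmodsign >/dev/null 2>&1; then
        command -v kmodsign
    else
        echo "sign-file/kmodsign not found; install the kernel headers" >&2
        return 1
    fi
}

# Sign in place. sign-file takes: <hash> <private key> <x509 cert> <module>.
# Unlike sbsign (PE/COFF only) it appends a PKCS#7 signature plus a trailer
# that the kernel checks at module load time.
sign_module() {
    tool=$(find_sign_file) || return 1
    "$tool" sha256 "$MOK_KEY" "$MOK_CERT" "$1"
}

# Offline pre-flight check mirroring the kernel's first test: a signed module
# ends with the 27-byte magic string and a newline. The 'x' sentinel keeps
# command substitution from swallowing that final newline. Exit 0 = present.
module_is_signed() {
    expected=$(printf '%s\nx' "$SIG_STRING")
    actual=$(tail -c 28 "$1"; echo x)
    [ "$actual" = "$expected" ]
}

# Stage the certificate; mokutil asks for a one-time password that MokManager
# asks for again after reboot. Skipped if the key is already enrolled.
enroll_key() {
    if mokutil --test-key "$MOK_CERT" | grep -q 'already enrolled'; then
        echo "$MOK_CERT is already enrolled"
    else
        mokutil --import "$MOK_CERT"
        echo "Reboot and complete 'Enroll MOK' in the MokManager menu."
    fi
}

main() {
    module="$2"
    [ -n "$module" ] || { echo "usage: $0 --run <module.ko>" >&2; exit 2; }
    gen_key
    sign_module "$module"
    module_is_signed "$module" || { echo "signature trailer missing" >&2; exit 1; }
    echo "signer: $(modinfo -F signer "$module")"
    enroll_key
}

# Only run the full procedure when asked explicitly, so the helper functions
# can also be sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
    main "$@"
fi
```

Invoke it as `sudo sh sign-and-enroll.sh --run /path/to/driver.ko`. The trailer check is deliberately cheap and local: it tells you sign-file actually wrote something before you reboot, but only the kernel's signature verification (or modinfo -F signer) tells you the signature is valid and made with the enrolled key.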
Conclusion
While Secure Boot is designed to trust only software signed by recognized authorities, the MOK mechanism gives the machine's owner a way to extend that trust to third-party drivers. By signing your modules with your own key and enrolling the certificate in the MOK list, you can use them while keeping Secure Boot enabled. Two caveats follow from how this works. First, the private key is now as powerful as the distribution's signing key on this machine: anyone who obtains MOK.priv can sign code your kernel will load, so keep it off the machine or under strict permissions and enroll only the certificate. Second, Secure Boot vouches only that you signed the module, not that the module is safe; a kernel module runs with full privileges, so sign only drivers from sources you trust.
Frequently Asked Questions
What is Secure Boot?
Secure Boot is a security standard developed by the PC industry to ensure that a computer boots only trusted software. It is a UEFI firmware feature that checks the boot loader's signature against a database of trusted certificates before running it, and the chain of checks continues through the kernel to the modules it loads.
Can I install third-party drivers with Secure Boot enabled?
Yes, but the modules need to be signed with a certificate the kernel trusts. Using the Machine Owner Key (MOK) mechanism, you can enroll your own certificate and sign third-party modules with the matching private key.
How do I create the key pair?
With openssl:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
This generates a new RSA key pair, writes the private key to MOK.priv (PEM) and a self-signed certificate to MOK.der (DER, as mokutil requires), and sets the certificate's validity period.
How do I sign the driver?
With the kernel's own sign-file tool (kmodsign on Ubuntu), not sbsign, which only handles UEFI PE binaries:
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der driver.ko
This appends a signature made with your private key to the module in place; modinfo -F signer driver.ko shows the certificate's common name afterwards.
How do I enroll the MOK?
As root:
mokutil --import MOK.der
This stages the certificate for enrollment and asks you for a one-time password. Reboot and complete the enrollment in the MokManager menu with that password; mokutil --list-enrolled then shows the key.
Is it safe to sign any driver?
No. Signing a module with your own key makes Secure Boot accept it, but it does nothing to make the module itself trustworthy; a malicious or compromised module runs with kernel privileges and can compromise the whole system. Exercise caution and sign only drivers from reputable sources, and protect the private key as carefully as the modules it vouches for.