[plug] How does "signing" work?

James Devenish devenish at guild.uwa.edu.au
Fri Jun 20 17:25:29 WST 2003


In message <200306201700.25303.derekfountain at yahoo.co.uk>
on Fri, Jun 20, 2003 at 05:00:25PM +0800, Derek Fountain wrote:
> "there appears to be no legal impediment that can prevent systems vendors from 
> requiring kernels to be signed by a private key before they can be run"

Preamble: I don't know what "systems vendors" means, nor why it would be
necessary to say that there is "no legal impediment", I also don't know
what the Intel boot process is (i.e. the thing that people refer to as
the BIOS, which I guess is the equivalent to what is commonly called
"firmware").

> What actually happens, say on a step by step basis, to enforce this "signing" 
> enforcement? What technology actually prevents me from running an unsigned 
> kernel (or whatever) if I want to?

When the "general computer" boots, its firmware will be in charge of
bootstrapping the system. At the appropriate time (e.g. after doing
hardware checks), it will load some (first-stage) executable objects
from an input device for which the device driver is in the firmware's
limited repertoire (it could be read-only or read-write, local or
networked, etc.). Those objects are then executed and they may load
device drivers to allow reading of a second-stage executable such as a
UNIX kernel (which would itself have the ability to read the rest of
the OS via your hard disk's filesystem).

If you look back to the loading of the first-stage executable, it is
essentially a process whereby the ("immutable") firmware loads
executable objects into RAM and executes them. The firmware can
obviously decide not to load, or to load but not execute, those objects.
It would generally do so on the basis of validity -- does the format
match the current hardware, for instance. It is easy to imagine that
some 'checksum' system could also be employed: scan the objects and make
sure they appear to be intact.  The next step could be to perform
cryptographic analysis of the objects to make sure that they were signed
by a signer that is known to the firmware (presumably the firmware
manufacturer and its business partners of the season). To answer your
question: since the CPU and firmware reside on the same board and are
thus "inseparable" (you could take the CPU out of the board but then you
wouldn't have anywhere to run the CPU), and the CPU relies on the
firmware to load the operating system, the firmware has control over
what operating system is loaded.
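
The three checks described in the message above (format, checksum, signature from a signer known to the firmware), as an added Python sketch that is not part of the original post. The image layout, the `BOOT` tag, all function names and the demo key are assumptions made for illustration; the signature is unpadded textbook RSA so that it runs with the standard library alone.

```python
import hashlib
import zlib

# Constructed demo key built from two Mersenne primes: trivially factorable,
# used only so the example runs with the standard library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent, never in firmware

MAGIC = b"BOOT"                        # hypothetical image format tag
TRUSTED_SIGNERS = {"vendor": (N, E)}   # public keys baked into the firmware
SIG_LEN = (N.bit_length() + 7) // 8

def digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def vendor_sign(payload: bytes) -> int:
    # Textbook RSA over a SHA-256 digest; real schemes add padding (assumption
    # made here for brevity).
    return pow(digest_int(payload), D, N)

def build_image(payload: bytes, signature: int) -> bytes:
    # Hypothetical layout: MAGIC | crc32 (4 bytes) | signature | payload
    crc = zlib.crc32(payload).to_bytes(4, "big")
    return MAGIC + crc + signature.to_bytes(SIG_LEN, "big") + payload

def firmware_load(image: bytes):
    """Return (decision, detail) for a first-stage image."""
    if image[:4] != MAGIC:                        # 1. format check
        return ("reject", "bad format")
    crc = int.from_bytes(image[4:8], "big")
    sig = int.from_bytes(image[8:8 + SIG_LEN], "big")
    payload = image[8 + SIG_LEN:]
    if zlib.crc32(payload) != crc:                # 2. intact? (anyone can recompute)
        return ("reject", "checksum mismatch")
    for name, (n, e) in TRUSTED_SIGNERS.items():  # 3. signed by a known signer?
        if pow(sig, e, n) == digest_int(payload):
            return ("execute", name)
    return ("reject", "unknown signer")

signed = build_image(b"kernel v1", vendor_sign(b"kernel v1"))
# Modified payload with a freshly recomputed checksum but the old signature.
modified = build_image(b"kernel v1 + patch", vendor_sign(b"kernel v1"))
print(firmware_load(signed), firmware_load(modified))
```

The modified image passes the checksum step because whoever changes the payload can recompute it; only the signature step needs a private key that the firmware does not hold.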



