Friday Mar 13, 2015

Secure Boot support with Oracle Linux 7.1

Update : as my PM team pointed out to me - it's listed as Tech Preview for OL7.1 not GA/production in the release notes - just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

If Secure Boot is enabled on a system (typically desktop, but in some cases also servers) - the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin or it could be one provided by the OEM/OS vendor. In many cases, in particular newer desktops, the system already contains the Microsoft key. (there can be more than one certificate uploaded...). When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or signed second stage boot loader and verify it before starting and continuing the boot process. This creates what is called a chain of trust through the boot process.

We ship a 1st stage bootloader with Oracle Linux 7.1 which is a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support, and already ships the microsoft PK, then the shim layer will be started, verified, and if it passes verification, it will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed), if verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place, our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel. Once the kernel is running, all kernel modules that we ship as part of Oracle Linux whether it's standard included kernel modules as part of the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle and the kernel will validate the signature prior to loading these kernel modules.

Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any kernel module that is attempted to be loaded that's not signed by Oracle will fail to load.

If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available to be downloaded securely from Oracle and then this can be uploaded into the firmware key database.

Tuesday Nov 05, 2013

Oracle Secure Global Desktop (SGD) 5.1

Last week, we released the latest update of Oracle Secure Global Desktop.

Release 5.1 introduces a number of bug fixes and smaller changes but the most interesting one is definitely increased support for html5-based client access. In SGD 5.0 we added support for Apple iPads using Safari to connect to SGD and display your session right inside the browser. The traditional model for SGD is that you connect using a webbrowser to the webtop and applications that are displayed locally using a local client (tta). This client gets installed the first time you connect. So in the traditional model (which works very well...) you need a webbrowser, java and the tta client. With the addition of html5 support, there's no longer a need to install a local client, in fact, there is also no longer a need to have java installed. We currently support Chrome as a browser to enable html5 clients. This allows us to enable html5 on the android devices and also on desktops running Chrome (Windows, MacOS X, Linux).

Connections will work transparently across proxy servers as well. So now you can run any SGD published app or desktop right from your webbrowser inside a browser window. This is very convenient and cool.


Wim Coekaerts is the Senior Vice President of Linux and Virtualization Engineering for Oracle. He is responsible for Oracle's complete desktop to data center virtualization product line and the Oracle Linux support program.

You can follow him on Twitter at @wimcoekaerts


« March 2015