09-19, 16:45–17:15 (Europe/Stockholm), Main Room
As strange as it first seems, chainloading Windows from Linux might be the more secure way to boot the system. From within a minimal PXE-booted runtime, the Linux shell scripts can perform a TPM-rooted remote attestation with the normal tpm2 tools, receive the BitLocker keys from the attestation server using the safeboot scripts and safely pass them to Microsoft’s bootloader in a UEFI ramdisk via a form of kexec. This specialized Linux kernel and initrd also make an ideal OS install and recovery environment, since they can use the vendor-provided UEFI device drivers to talk to the hardware, allowing a generic kernel to work on most devices without customization.
Trammell Hudson enjoys taking things apart and documenting how they work. He uses his reverse engineering skills to establish interoperability between devices and has released open source firmware for digital cameras, light-bulbs, laptops and many other consumer products.