An Observation about the UEFI FAT32 Partition

In This Posting, I remarked that I had wiped the laptop I named ‘Maverick’, and replaced its Windows 8.1 O/S with a UEFI-enabled Linux, resulting in a computer I now name ‘Klystron’. This is a healthy computer which has a long road ahead of it, including any software I need to install.

But before I wiped ‘Maverick’, I did have a look at it with the Linux partition management tool named ‘gparted’. I found that Maverick had numerous partitions, for which there was no drive letter, which it came shipped with from the seller.

Those original partitions included one, which was a FAT32, and which performed the same function as the FAT32 partition does, that is needed for a UEFI-capable Linux install. So there is no system-software reason, for which the BIOS would treat my FAT32 partition any differently, from how it treated the original one.

That partition has a subfolder, which contains an .EFI File, which is ultimately the boot-loader.

It is possible for these compiled, binary EFI Files to contain statically-linked EFI signatures. Only, because these signatures cannot be found loosely in some sort of bin, it also follows that if the signature in question forms a chain, such a cryptographic chain needs to be complete in itself, and must lead to its master key, which is white-listed by the BIOS.

(Edit : ) The practical consequence of this would have been, that If we wanted to set up dual-boot, it would be feasible after all, first to allow our Windows setup-disk partition the HD, but to tell this setup-disk only to use the space partially, leaving the rest unallocated. After Windows set itself up, the next step would have been, to set up Linux ourselves, and to allow Linux to avail itself of the FAT32 partition, which Windows left.

The reason I still did not go this route, was the fact that on Maverick, the Windows partition was already almost half in use. I do not think it would have been safe, to tell ‘gparted’ just to shrink one of its NTFS partitions, because there have been compatibility issues, between how Windows and Linux implement NTFS. It has happened to me in the past, that I told ‘gparted’ to shrink even an ‘ext4′ file system (that belonged to Linux), and that having done so left that file-system unusable.

So the NTFS partitions on Maverick had their final size, while using up most of my HD space. And so to make a dual-boot machine, would also have required a fresh install of Windows, which was out of reach for the moment.

(Edit : ) I am noticing some fog about the subject, of whether it is possible to find not only executable EFI Files, but also Keys, in this FAT32 partition, which is also referred to as the EFI System Partition, or “ESP”. The issue I read arises here:

Quoted Article

The main problem I see with this, is the idea that public keys can simply be dropped into this partition, without themselves needing to be signed by the Master Private Keys, making those self-signed. The idea that this exists, strikes me as a massive security hole in Secure Boot…

(Edit : ) It turns out that the world is not such a strange place after all. Reading further down in the above article, I found that the only purpose in storing the Keys in the FAT32 partition, the ‘ESP’, was to make them visible to the BIOS before the O/S has loaded, so that we can tell our BIOS to Clear the previous Keys, and then to Set new Keys.

So the firmware must be told the new keys after all… This makes more sense…