Linux.com

Home

Windows 8 Secure Boot: A Roundup of Linux Distros' Plans

There's been no end to the controversy generated in the Linux community by Microsoft's Windows 8 Secure Boot plans, and scarcely a week goes by without the discussion or announcement by one distribution or another of some new possible approach.

The problem, of course, stems from Microsoft's decision to enable the Secure Boot technology in the Unified Extensible Firmware Interface (UEFI) in Windows 8 hardware, meaning that only operating systems with the right digital signature will be able to boot. While it will apparently be possible to disable Secure Boot on x86 Windows machines -- or for users to enroll their own keys -- that won't be the case on ARM-based hardware.

Since the topic arose last fall, both the Linux Foundation and the Free Software Foundation have weighed in with their own views on the matter, and a community effort has also been launched to help developers work around the technology. Several distros, meanwhile, have crafted their own approaches.

Here's a quick rundown of where things stand.

Fedora's Approach: A Microsoft Key

Fedora logoBack in May Fedora was the first to speak out about its planned approach, which primarily involves paying $99 to Verisign for unlimited use of Microsoft signing services, allowing its first stage boot loader to be signed with a Microsoft key.

While Fedora did explore the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, that strategy was ultimately rejected for several reasons, including the near impossibility of getting all vendors to do so, according to Red Hat developer Matthew Garrett. 

Paying for a Microsoft key, on the other hand, “ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions,” Garrett explained. “If there are better options then we haven't found them.”

Fedora later announced a second “custom mode” alternative scheme whereby “a site will create their own keys and deploy them in system firmware, and will do their own signing of binaries with it.” 

Ubuntu's Approach: An Ubuntu Key

Ubuntu logoThough Canonical founder Mark Shuttleworth has indicated that plans for Ubuntu are still a work in progress, those published (PDF) so far involve using an Ubuntu-specific key. Canonical chose to do it this way in part because of the fact that Ubuntu is relatively commonly preinstalled on PC hardware, it says -- a fact that sets it apart from most other distributions.

Another key difference in Canonical's approach is that Ubuntu will use Intel's efilinux rather than the GRUB 2 boot loader because of concerns about licensing under GPLv3.

SUSE's Approach: A Hybrid Strategy

SUSE logoLast but not least, SUSE Linux spoke out earlier this month with its own approach, which in many ways combines a bit of each of Fedora's and Ubuntu's tactics.

Essentially, SUSE plans to start with a shim based on the Fedora shim loader, and to make two versions of it available: one signed with SUSE's own key, similar to what Canonical is planning, and another signed with a key provided by Microsoft. In either case, by default the shim will verify that GRUB 2 is trusted using an independent SUSE certificate embedded in its body, though “Machine Owner Keys” will be able to override that default SUSE key as well.

Whether openSUSE will follow SUSE's approach isn't yet clear.

The Controversy Continues

Fedora's approach drew considerable criticism early on from many who viewed  it as a sort of capitulation to Microsoft. The Free Software Foundation, on the other hand, has said it prefers it over what Ubuntu has planned. 

In the meantime, James Bottomley, chair of the Linux Foundation's Technical Advisory Board, has created a platform for further work on the problem that uses a boot system based on Intel's Tianocore, which is an open source implementation of UEFI.

Finally, it's also worth mentioning an entirely different kind of solution that sidesteps all this brouhaha altogether: completely open hardware from vendors like ZaReason.

 

Comments

Subscribe to Comments Feed
  • Win Secure Said:

    Another solution will be to just wait for the "hacked" version of Win 8. I mean since people in China (and probably elsewhere) hacked license keys out of Win 7… I'm going to predict that the ARM version of Win 8 will be equally hackable. (Oh and that Win 7 version without keys installed normally and runs fine, from what I saw during my visit.)

  • robert williams Said:

    Hi! I'm neither a software developer nor a hardware designer, but I *do* have some bit of experience when dealing with both bullies and/or terrorists. My two cents: The only solid, lasting solution is for tux vendors to push (hard) for open hardware while simultaneously funding to the greatest extent possible hardware manufacturing which actually favors linux. That is, hardware design & development directly sponsored/funded by linux!! One does not have to be 'militaristic' to seek acknowledgement of the fact that linux forms and runs the bulk of servers integral to the operation of the net. You must know what you are worth and demand same. As long as Stallman, the EFF, Torvalds, et al, merely seek intellectual acknowledgement without a wee bit of raw fear of absence from the game, mainline developers, users, builders involved in opensource ---- predominately linux --- will seek/receive partial invites to the party; and such validation/invitation to dine or play will be strewn out over the next 100 years while those whom advocate open source seek peaceful means of 'winning hearts and minds'. All the while, the advantage that Mr. Gates obtained from robbing his friend Paul Allen will remain fast in place. American manufacturing is very, very, lazy; extremely so when confronted with the prospect of temporary downslides in revenue. Particularly so when confronted with options which seek to --- and actually follow through --- empower end users, clients, over the desires and designs, both hardware and social of the corporations which serve us. Think of the 'Robber Barons' of the 20's and 30's such as Standard Oil, etc. Thanks for listening. Have A Healthy, Prosperous Day!! --- Robert

  • Yvan T. Said:

    Why the big fuss... According to many researches on the net there is more than 60% web servers that Run Linux than Windows. Also more and more small businesses are adopting Linux for their servers as opposed to Windows based ones. In real life money talk and is a very strong driving force. I do not think the server manufacturers will lock Linux out of these servers as it represent a growing market share. To restrict the OS running on their hardware is like shooting themselves in the foot.

  • Yvan Turcot Said:

    Why the big fuss... According to many researches on the net there is more than 60% web servers that Run on Linux than Windows. Also more and more small businesses are adopting Linux for their servers as opposed to Windows based ones. In real life money talk and is a very strong driving force. I do not think the server manufacturers will lock Linux out of these servers as it represent a growing market share. To restrict the OS running on their hardware is like shooting themselves in the foot.

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board