Linux gets secure boot options, will play nice with Windows 8 PCs

Many hardcore PC users have been worried about how they might get Linux-based operating systems to run on PCs with Windows 8 installed as the main OS. This is due to the fact that Windows 8 uses the Unified Extensible Firmware Interface (UEFI) in place of the BIOS that previous versions of Windows have used.

Basically, UEFI Secure Boot is designed to make Windows 8 more secure, but it could also keep some Linux-based operating systems from being booted up on Windows 8 PCs. Well known Linux company Red Hat has already announced plans to provide the appropriate keys for Red Hat Enterprise Linux and Fedora to run on Windows 8 PCs.

This week, the Linux Foundation claims it has come up with a way for Linux, and indeed any open source-based OS, to run on PCs with UEFI Secure Boot setups such as Windows 8. In a post on their web site, the foundation states:

In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system). The pre-bootloader will employ a “present user” test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it.

The source code for the pre-bootloader is already available for download. The Linux Foundation states, "The process of obtaining a Microsoft signature will take a while, but once it is complete, the pre-bootloader will be placed on the Linux Foundation website for anyone to download and make use of." It added that it " ... sees the pre-bootloader it is releasing as a stop-gap measure that will give all distributions time to come up with plans that take advantage of UEFI secure boot."

Source: The Linux Foundation

Report a problem with article
Previous Story

How much is Microsoft betting on Windows 8? Nearly $2 billion, Forbes says

Next Story

League of Legends now has 32 million active players

50 Comments

Commenting is disabled on this article.

I wonder... if the only signed thing in there is a pre-bootloader, what's the point of having Secure Boot enabled? From what I can see that pre-bootloader could be chainloading malware so to speak (whatever that "present user" test is if the malware has infected the bootloader you're chainloading into you're screwed).

I though the point in having Secure Boot activated was to have an authenticated path from hardware to the OS itself. If you ask me, you may as well disable Secure Boot altogether if you're going to use that.

Why do we keep making secure boot a microsoft problem? it's part of UEFI not like MS is locking you out, its the UEFI spec locking you out when an OS takes advantage of that spec... anyone can make a secure bootable OS.. this isn't microsoft being anti-competative, its MS taking advantage of something the UEFI spec made available... and if some country decides to fine MS over that, they are fineing the wrong people

torrentthief said,
I wonder if the Linux Foundation are getting this key for free or if they have to pay for each copy of linux.

Maybe they have to pay a one time small fee but more would expose MS to problem with anti-competitive laws outside of USA and Canada (where anti-competitive behaviours is now perfectly legal).

LaP said,

anti-competitive laws outside of USA and Canada (where anti-competitive behaviours is now perfectly legal).

Sadly, that's completely true antitrust behaviour seems to be rewarded in the US not sanctioned as it should be. Microsoft is the perfect example.

torrentthief said,
I wonder if the Linux Foundation are getting this key for free or if they have to pay for each copy of linux.

Last I heard it was a very very cheap one time fee.

simplezz said,

Sadly, that's completely true antitrust behaviour seems to be rewarded in the US not sanctioned as it should be. Microsoft is the perfect example.

I'm sounding like a broken record but... Any Linux distro can apply for a Secure Boot key for a one time fee of $99. Secure Boot is part of the UEFI spec and MS are just supporting the feature. UEFI was created by many independent companies. MS did not create Secure Boot. There is absolutely nothing anti-competitive about this!

Go educate yourself before you spread more FUD.

NoClipMode said,
Secure Boot is part of the UEFI spec and MS are just supporting the feature. UEFI was created by many independent companies. MS did not create Secure Boot. There is absolutely nothing anti-competitive about this!
Bull****. There are eleven enterprises at the UEFI forum. One of these enterprises is Microsoft. The other ones are hardware manufacturers, firmware suppliers and Apple.

tiagosilva29 said,
Bull****. There are eleven enterprises at the UEFI forum. One of these enterprises is Microsoft. The other ones are hardware manufacturers, firmware suppliers and Apple.
"A true axis of evil"! DUN DUN DUUUUUNNNNN...

They didn't want to have to rely on Microsoft to give them a key, and wanted a more open way for things to work. Seems that didn't pan out, and they'll just have to live with it.

~Johnny said,
They didn't want to have to rely on Microsoft to give them a key, and wanted a more open way for things to work. Seems that didn't pan out, and they'll just have to live with it.

There is an open way. Any Linux distro can apply for their own key. MS did not make Secure Boot as it's part of the UEFI spec. Its entirely up to OEM's to support other keys on their systems so the Linux people should be bitching about this, not Microsoft.

NoClipMode said,
MS did not make Secure Boot as it's part of the UEFI spec. Its entirely up to OEM's to support other keys on their systems so the Linux people should be bitching about this, not Microsoft.
There are eleven enterprises at the UEFI forum. One of these enterprises is Microsoft. The other ones are hardware manufacturers, firmware suppliers and Apple. A true axis of evil.

NoClipMode said,

There is an open way. Any Linux distro can apply for their own key. MS did not make Secure Boot as it's part of the UEFI spec. Its entirely up to OEM's to support other keys on their systems so the Linux people should be bitching about this, not Microsoft.


'apply for their own key'
Why yes they can, but they have to pay for that right, and it's not cheap, so for something people do in their spare time making them no money (losing money due to the repo hosting etc.) it's a no-go.

I remember the Linux Foundation was all up in arms because Microsoft decided to use Secure Boot and they said they were unable to compete with that etc etc yada yada yada - 8 months later and talking to MS they find it is after all possible. If only they would have started talking first instead of shouting over the rooftops that MS was anticompetitive etc ... dorks!

Microsoft still controls the keys. That's bad for everyone. I'd be more comfortable if an independent organisation controlled them.

simplezz said,
Microsoft still controls the keys. That's bad for everyone. I'd be more comfortable if an independent organisation controlled them.

MS don't control the keys, they just have their own key. And Secure Boot don't even have anything to do with Microsoft. Its part of the UEFI spec that was made by a bunch of independent organisations and MS are simply supporting the feature. Anyone can get a key. And it's up to OEM's to allow other keys on their systems.

NoClipMode said,
And Secure Boot don't even have anything to do with Microsoft. Its part of the UEFI spec that was made by a bunch of independent organisations (...)
Eleven enterprises. One of these enterprises is Microsoft.

If you read the article, you'd know that the user intervention requirement is intentional, to prevent malicious software misusing the pre-bootloader. I see that as rather a lot -better- than "Shim".

FloatingFatMan said,
If you read the article, you'd know that the user intervention requirement is intentional, to prevent malicious software misusing the pre-bootloader. I see that as rather a lot -better- than "Shim".

Yeah but that really sucks. What if you need to reboot the computer remotely? What if it crashes and reboots on its own and then you try to access it remotely? You're out of luck. I guess the major Linux distributions could each get their own signed bootloader, but this is all a hassle. Is there a way to disable secure boot on these systems?

mrp04 said,
Is there a way to disable secure boot on these systems?

Yes, especially needed for servers as you say.
It can be turned off, I am not sure what all the tears are about now.
Yes MS didnt make it mandatory but all the dells will allow it to unlock anyway.

Being able to disable secure boot IS a requirement for motherboards bought seperately, but OEM's are in no way required to allow it for pre-built systems.

FloatingFatMan said,
Being able to disable secure boot IS a requirement for motherboards bought seperately, but OEM's are in no way required to allow it for pre-built systems.

spot on, the only possible issue here is OEM's not providing the option but I really can't see it occuring too much, maybe some machines designed for enterprise use (as it'll be a bonus for the it staff), but standard machines should/will have the option.

FloatingFatMan said,
If you read the article, you'd know that the user intervention requirement is intentional, to prevent malicious software misusing the pre-bootloader. I see that as rather a lot -better- than "Shim".
Well, sort of. Shim uses the same approach as the Linux Foundation method, except if you enroll the key, the user intervention requirement goes away.
The big advantage of this over the Linux Foundation approach is that once a hash has been enrolled the need for physical end-user presence is removed - ie, if you enrol the hash, you don't need to hit a key every time you boot. This is still slightly sub-optimal in that if you update your bootloader you'll need to enrol a new hash, but that can be partially automated by calling MokUtil in the postinst - the user then simply needs to confirm that they want to enrol the hash, rather than having to choose it manually. Completely transparent updates are going to require a signed bootloader and an enrolled signing key.
http://mjg59.dreamwidth.org/18149.html

cork1958 said,
Yay!!

Does anyone dual boot still?


Not me, Its either or. Mostly if I was going to do something in another OS then I'd just virtualize the machine.

The Laughing Man said,

Not me, Its either or. Mostly if I was going to do something in another OS then I'd just virtualize the machine.

I have a dual-boot configuration that I can also virtualize (at least the Linux inside Windows part )

cork1958 said,
Yay!!

Does anyone dual boot still?

Im dual-booting now because my capture card software won't work on Windows 8.

cork1958 said,
Yay!!

Does anyone dual boot still?

Yes. I spend 99% of my time in Linux, but I do occasionally load up Windows 7 for software testing or playing Skyrim or other games that I can't currently get on Linux. Though that will happen less often I imagine once Steam gets going.

cork1958 said,
Yay!!

Does anyone dual boot still?

Yes, either to save my Windows installations or to get the music off my CDs. It's very simple:
1. Insert the CD
2. Drag-and-drop the .wav files on the desktop.

It's a good thing that they aren't allied with the record labels like Microsoft...

cork1958 said,
Yay!!

Does anyone dual boot still?

Yep. Dual booting Arch Linux and Windows 7 here. Linux for general stuff, and Windows for gaming.

simplezz said,

Yes. I spend 99% of my time in Linux, but I do occasionally load up Windows 7 for software testing or playing Skyrim or other games that I can't currently get on Linux. Though that will happen less often I imagine if Steam gets going.

FTFY.

Tpiom said,

Yes, either to save my Windows installations or to get the music off my CDs. It's very simple:
1. Insert the CD
2. Drag-and-drop the .wav files on the desktop.

It's a good thing that they aren't allied with the record labels like Microsoft...

Really? This is why people use Linux?

You realize you can do both inside Windows, right?

thenetavenger said,

Really? This is why people use Linux?

You realize you can do both inside Windows, right?

It's easier to save during Linux. All the rescue/recovery modes/CDs Microsoft have released have proved utterly useless in the past.

And yes, you can rip music using Windows but it's more complicated than drag and drop.

EDIT: There are of course more reason, like experimenting with it so that one day I can switch to it without any problems

sounds like the backdoor trojan and virus writers have been looking for to install their malware.

EVEN before windows 8 is officially released!

Tpiom said,

And yes, you can rip music using Windows but it's more complicated than drag and drop.

You mean the "Rip CD" button on Windows Media player (you can save as WAV, MP3 or WMA) it hard to press? I bet having to convert and tag those WAV files by hand is going to be twice as easy.

francescob said,

You mean the "Rip CD" button on Windows Media player (you can save as WAV, MP3 or WMA) it hard to press? I bet having to convert and tag those WAV files by hand is going to be twice as easy.


The irony is, nobody actually wants to save the audio in WAV format--you convert it to something else, even if it's just FLAC. So no matter what, you eventually launch an audio tool.

Keeping that in mind, that means this guy is actually ADDING a step to the process from Linux:

1) Copy WAV from CD.
2) Launch audio app.
3) Convert WAV to ___.

vs.

1) Launch audio app.
2) Rip CD directly to ___.

What's worse, the shorter two-step process IS possible from Linux, Windows, Mac, anywhere really. The process is equally easy from any OS, yet this guy invented a scenario to make it seem somehow easier from Linux than elsewhere. Weird stuff.

Joshie said,
The process is equally easy from any OS, yet this guy invented a scenario to make it seem somehow easier from Linux than elsewhere. Weird stuff.

Some men just want to watch the Audio CDs burn.

Mike Frett said,

Nope, ditched dirty Windows long ago, no need for it or it's Insecurities.


Please tell me you don't think linux is by default some mega secure OS because it's not, if you want to secure linux you need to know a LOT about it's fundamentals and how to configure them, which is also what you need to know about windows to secure it.