Windows 8 Secure Boot plans for Ubuntu revealed

Earlier this month, Red Hat revealed how it will allow its Red Hat Enterprise Linux and Fedora OS builds to run on a Windows 8 x86-based PC with Microsoft's Secure Boot system. According to Red Hat, "Microsoft will provide keys for Windows and Red Hat will provide keys for Red Hat Enterprise Linux and Fedora. Similarly other distributions can participate at a nominal cost of $99 USD - allowing them to register their own keys for distribution to system firmware vendors."

It was a solution that even received support from Linus Torvalds, the creator of Linux. Now another Linux OS company, Canonical, has revealed its own plans to offer the Ubuntu Linux system so it can run alongside Windows 8 on a dual-boot system.

PCWorld.com reports that Canonical has published a set of Unified Extensible Firmware Interface (UEFI) requirements for PC makers. In a post on the Ubuntu website, team member Steve Langasek stated, "... we've generated an Ubuntu signing key for use with UEFI. The private half of this key will be stored securely on our Launchpad infrastructure, which will be responsible for signing boot loader images and distributing them in the Ubuntu archive."

Unlike Red Hat, Canonical won't offer a signing service for Ubuntu Linux. In his own blog post, Canonical founder Mark Shuttleworth stated, "We've been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware."

He ended his post with a bit of a slam against the Secure Boot concept, saying, "Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result."

Source: PCWorld.com


49 Comments


"Boot is a UEFI feature and not Windows related..". Some people hate Microsoft so much that even if Microsoft provides them a rescue helicopter in the middle of the sea, they would rather refuse it and die (or be eaten by sharks). I feel sorry for these guys. UEFI was designed to solve certain boot/rootkit issues. There is an Apple solution (don't know what it is, as they are mum about it) and there is an MS solution, that is willing to work with other certified distros. If that still isn't enough and you still need to put up some ****, than I don't know what to say anymore, because your ignorance really is beyond believe. As a security consultant, I choose the Microsoft way.

vhaakmat said,
...than I don't know what to say anymore, because your ignorance really is beyond believe. As a security consultant, I choose the Microsoft way.

The abusive arrogance that runs rampant around these parts (and poor grammar/spelling) is beyond "believe".

mzta cody said,

The abusive arrogance that runs rampant around these parts (and poor grammar/spelling) is beyond "believe".

Still he has a valid point. And this is coming from the IT security industry.

thenonhacker said,

Still he has a valid point. And this is coming from the IT security industry.


This comes from a guy that claims he is working in the IT security industry. Even if that claim is true, who's to say he is right? Do other security consultants agree with him?

sanke1 said,
This is to stop Windows bootloader activation hacks/cracks.

And it won't work. All it does is make things difficult for programs like grub.

sanke1 said,
This is to stop Windows bootloader activation hacks/cracks.

Correction: it only tries to stop them. We all know there will be cracks.

sanke1 said,
This is to stop Windows bootloader activation hacks/cracks.

Windows "8" is so bad that few people will even be bothered to pirate it.

Order_66 said,

Windows "8" is so bad that few people will even be bothered to pirate it.

Windows 8 is pretty cool actually. As long as Microsoft Excel works on it, I'm good.. and it does.

floopydoodle said,
This has nothing to do with Microsoft or Windows 8. Secure Boot is a UEFI feature and not Windows related.

It has if Microsoft is mandating OEMs to enable it by default. Who's to say there'll even be an option to disable it?

It's worrisome because it would give Microsoft an absolute monopoly on the desktop market.

simplezz said,
It's worrisome because it would give Microsoft an absolute monopoly on the desktop market.

If RHEL, Fedora and the various 'Buntus are able to be installed (and I would think others as well if they so chose), it's not really a monopoly though... they just need to make sure their software complies with the hardware. If I was genuinely worried about if my OS was or wasn't going to run on the hardware, I'd put more care into the hardware I purchased. Besides, I forget exactly but isn't the forced-on thing for the Windows 8 certified ARM stuff only, and not the other devices or the desktops?

simplezz said,

It has if Microsoft is mandating OEMs to enable it by default. Who's to say there'll even be an option to disable it?

It's worrisome because it would give Microsoft an absolute monopoly on the desktop market.

Don't buy hardware that doesn't have the option to disable it.

simplezz said,

It has if Microsoft is mandating OEMs to enable it by default. Who's to say there'll even be an option to disable it?

It's worrisome because it would give Microsoft an absolute monopoly on the desktop market.

There's no "mandate", there's an option if OEMs want to get the logo on their hardware, there's also nothing saying it can't be turned off either. That is up to the OEM, if your OEM doesn't give you the option to turn it off that's on them and not MS.


We've been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware.

This * 1000.

w8 is getting worse and worse every time I come on here to read about it. At this point I've lost all interest and will be sticking to w7.

smooth3006 said,
w8 is getting worse and worse every time I come on here to read about it. At this point I've lost all interest and will be sticking to w7.

So ensuring that the boot loader hasn't been tampered with is a bad idea to you?

Max Norris said,

So ensuring that the boot loader hasn't been tampered with is a bad idea to you?

What real world problem does it solve for me? And why can't it be turned off?

CJEric said,
What real world problem does it solve for me? And why can't it be turned off?

... the part that you quoted maybe? Stopping malware that sits in the boot loader in its tracks?

CJEric said,
And how often does that happen to you nowadays?

Me? It doesn't. In general? Quite a bit, apparently rootkits are a big issue or haven't you heard? It doesn't hurt you, and it's obviously not hurting Linux (you know, this article..) ... I don't get what you're griping about.

smooth3006 said,
w8 is getting worse and worse every time I come on here to read about it. At this point I've lost all interest and will be sticking to w7.

So you hate Windows 8 because it's more secure than its predecessors? Crazy.

Max Norris said,
I don't get what you're griping about.

I'd just like to see it that "the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware."

CJEric said,
I'd just like to see it that "the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware."

Erm you forgot to quote the beginning of that sentence, namely "We've been working to provide an alternative to the Microsoft key". You also apparently missed the part in the beginning where Red Hat is also providing keys, not Microsoft. Doesn't sound dependent in either case. Again, is this griping just because you can, never mind ignoring bits selectively? If these types of boards offend you so bad, exercise that right to choose you're apparently fond of and choose different hardware? Just a thought.

Max Norris said,

Erm you forgot to quote the beginning of that sentence, namely "We've been working to provide an alternative to the Microsoft key". You also apparently missed the part in the beginning where Red Hat is also providing keys, not Microsoft.

They're working to provide a solution for a problem that didn't exist before.

"options are limited but we continue to seek a better result"

CJEric said,
They're working to provide a solution for a problem that didn't exist before.

This "problem" is taking care of a real problem, namely malicious bootloaders. Again, if you don't like it, don't buy it. Or, I don't know, pick a distro that supports the new technology? Contrary to popular belief you are allowed to pick your hardware.

CJEric said,

What real world problem does it solve for me? And why can't it be turned off?

It's up to the maker of the hardware to provide a BIOS option to turn off, MS don't stipulate that it can't be turned off, just that it's on by default. Off the shelf motherboards will most likely have this option, while complete systems is anyone's guess. Either way MS are not forcing it, what they have done is say if you want a certified for Windows 8 logo, secure boot must be present and on by default. After that it's the hardware maker's decision to allow it to be switched off in the BIOS.

onto the point of it fixing an issue that doesn't exist, stop being stupid!

CJEric said,

What real world problem does it solve for me? And why can't it be turned off?

It can be turned off on non-ARM Windows systems. This means genuine x86 (x86_64) architecture can run just as well without secure boot as with.
Know what you flame, bro! This attempt is awful.

duddit2 said,

It's up to the maker of the hardware to provide a BIOS option to turn off, MS don't stipulate that it can't be turned off, just that it's on by default. Off the shelf motherboards will most likely have this option, while complete systems is anyone's guess. Either way MS are not forcing it, what they have done is say if you want a certified for Windows 8 logo, secure boot must be present and on by default. After that it's the hardware maker's decision to allow it to be switched off in the BIOS.

onto the point of it fixing an issue that doesn't exist, stop being stupid!

Exactly, guys, this is a part of the UEFI specification. NOT something MS created. They're just taking advantage of it. Control is in the hardware makers' hands. All MS says is if you want the shiny Windows logo sticker/certification that it should be on by default. They're not saying ANYTHING else.

The only "issue" is that distros have to pay to get certificates, but they're NOT paying MS either. Hell, MS is paying to get certificates for secure boot as well.

Breakthrough said,
Couldn't you just buy motherboards without secure boot? Does this just apply to laptops and pre-built desktops?

Yep. Or you could just turn Secure Boot off.

rfirth said,

Yep. Or you could just turn Secure Boot off.

I thought that's where this whole controversy spawned from - the inability to disable it...? Especially with tablets, I thought the inability to disable it was an M$ requirement...

Breakthrough said,

I thought that's where this whole controversy spawned from - the inability to disable it...? Especially with tablets, I thought the inability to disable it was an M$ requirement...

It only applies to ARM devices, like the Microsoft Surface.

For non-ARM devices, you can turn it off at your own risk.

Miuku. said,
Solution; buy Apple hardware, no need to sign anything. Works like a charm.

Only if we're talking about Macs.
It seems that MS is trying to do what Apple did with the iDevices...

CJEric said,

Only if we're talking about Macs.
It seems that MS is trying to do what Apple did with the iDevices...

Not really, Secure Boot is a standard feature that's part of the UEFI spec, MS is just taking advantage of it to make Windows PCs more secure. Unlike some might think this ISN'T a feature MS just made on its own and shoved on PCs.

You can also turn it off on x86 devices, dunno about ARM, probably not.

Simon. said,
How is Apple any better? Their computers are becoming less user serviceable than ever.

The difference is you can at least boot them with the choice of your OS without having to resort to 3rd party signing keys. The Apple implementation of the UEFI does not require signed keys as it does not require secure boot.

It's funny how for the last two decades now the PC users have been screaming their lungs out at how "free" their platform is and you're free to run whatever OS you wish on it.

Well, it seems like those days are coming to an abrupt end - what's your new chant? "They're just trying to make the computer more secure!!!!".

And let's not forget; Torvalds himself uses Apple hardware with Linux.

Miuku. said,
Solution; buy Apple hardware, no need to sign anything. Works like a charm.

Not just Apple hardware. My Z68 board supports UEFI and has no bootloader encryption problems.

Miuku. said,

Solution; buy Apple hardware, no need to sign anything. Works like a charm.


Tell ya what ... buy me a top of the range Mac Pro, and I'll agree with your comment.
Until then ... jog on!