Fedora Linux Moves Forward with UEFI Secure Boot Plans
By Katherine Noyes, PCWorld
Windows 8’s Secure Boot technology has been a hot topic this summer, causing no end of discussion and debate among the various Linux distributions, which are struggling to figure out the best approach for getting around it.
The latest news? The Fedora project on Monday voted to move forward with its plan, meaning that its upcoming Fedora 18 will support the Secure Boot technology enabled in the Unified Extensible Firmware Interface (UEFI) in Microsoft’s forthcoming Windows 8.
‘They Will Validate the Next Stage’
For those who missed it, we’ve already seen that part of Fedora’s scheme involves paying $99 to Verisign for unlimited use of Microsoft signing services. That, in turn, will allow Fedora’s first stage boot loader, or “shim,” to be signed with a Microsoft key.
Under a second, alternative part of the scheme, “a site will create their own keys and deploy them in system firmware, and will do their own signing of binaries with it,” the project explains.
Either way, “shim, Grub2, and the kernel will detect that they are started in what UEFI describes as ‘user mode’ with Secure Boot enabled, and upon detecting this they will validate the next stage with a Fedora-specific cryptographic public key before starting it,” the Fedora team explains.
Grub2 will apparently operate much the way it would if you had set a supervisory password in your configuration.
“Once the kernel is booted, it will also detect that it is in Secure Boot mode, which will cause several things to be true: it will validate the boot command line to only allow certain kernel settings, it will check loaded modules for signatures and refuse to load them if they are unsigned, and it will refuse any operations from userland which cause userland-defined DMA,” the project notes.
Arriving in Late October
Windows 8’s Oct. 26 arrival date is still a long while off, of course–as is Fedora 18’s November release date.
Still, Linux distributions have much to figure out to ensure that users will be able to run their favorite Linux flavor on the hardware of their choice.
It’s going to be interesting to watch what the other distributions come up with. Meanwhile, my favorite part may well be the Fedora project’s contingency plan: “Gin. We may do that anyway.”