Linux Foundation unveils a workaround for Win 8 Secure Boot
By Katherine Noyes PCWorld
Scarcely a week goes by these days without the emergence of some new approach to the vexing “Secure Boot” problem facing Linux users on Windows 8 hardware, and this week is no exception.
Not just one but two new discussions of the topic have popped up this week, in fact, beginning with a Sunday blog post from Red Hat developer Matthew Garrett, who first brought the problem to light.
Garrett has been involved in crafting Fedora’s approach, which involves “building a binary which has the Fedora key embedded, and then getting that binary signed by Microsoft,” he noted on Sunday. “Easy enough for us to do, but not necessarily practical for smaller distributions.”
Accordingly, the rest of Garrett’s post then goes on to detail three possible solutions for such smaller projects.
Now, the very latest news is that the Linux Foundation and its Technical Advisory Board have spoken out with a new plan designed to enable Linux to continue operating on Secure Boot-enabled machines.
‘A small pre-bootloader’
At the heart of the problem, of course, is that Windows 8 hardware will come with Secure Boot enabled in the Unified Extensible Firmware Interface (UEFI). With Secure Boot on, the firmware checks the digital signature of each boot loader before running it and refuses anything not signed by a key it trusts, so an operating system can only boot through a loader carrying an appropriate signature.
Distributions including Ubuntu, Fedora, and SUSE Linux have all described their own plans for working around the problem, which has been the focus of much attention from the Free Software Foundation as well. In July, meanwhile, James Bottomley, chair of the Linux Foundation’s Technical Advisory Board, kicked off an effort among Linux developers to brainstorm solutions to the problem.
Now, it appears we’re seeing the fruit of their labors.
“In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system),” explained Bottomley in yesterday’s official announcement.
‘A stop-gap measure’
Because that chain load skips any signature check, the pre-bootloader’s one safeguard is a “present user” test, which Bottomley said is there “to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems.”
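The following C program is an added illustration, not code from the Linux Foundation’s pre-bootloader or from this article. It models the decision the announcement describes: the next-stage loader is chain-loaded with no signature check, so the only gate is a present-user test, and a boot with nobody at the console is refused. The keystroke-source interface, the choice of ‘y’ as the confirmation key, and the poll count are assumptions of this model, not details of the real project.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of the pre-bootloader's decision for the next stage. */
enum chain_decision { CHAIN_DENY = 0, CHAIN_LOAD = 1 };

/* Source of console keystrokes: returns the next key, or -1 if none arrived
 * before the per-poll timeout. Injected so the logic runs without firmware.
 * (Hypothetical interface for this model, not a UEFI API.) */
typedef int (*key_source_fn)(void *ctx);

/* Present-user test: a human must type the confirmation key within
 * max_polls polls. A headless or scripted boot never supplies it. */
static bool present_user_test(key_source_fn next_key, void *ctx, int max_polls)
{
    for (int i = 0; i < max_polls; i++) {
        int k = next_key(ctx);
        if (k == 'y' || k == 'Y') return true;   /* explicit consent */
        if (k == 'n' || k == 'N') return false;  /* explicit refusal */
        /* any other key, or none (-1): keep polling */
    }
    return false;  /* timed out: no present user */
}

/* The policy the announcement describes: the Microsoft-signed first stage
 * does NOT verify the next stage's signature, so user presence is the
 * only thing standing between an arbitrary binary and the chain load. */
static enum chain_decision decide_chainload(const char *next_stage_path,
                                            key_source_fn next_key, void *ctx)
{
    if (next_stage_path == NULL || next_stage_path[0] == '\0')
        return CHAIN_DENY;
    if (!present_user_test(next_key, ctx, 5))
        return CHAIN_DENY;
    return CHAIN_LOAD;  /* signature of next_stage_path deliberately unchecked */
}

/* --- constructed test doubles for two boot scenarios (assumed input) --- */
struct scripted_keys { const int *keys; size_t n, pos; };

static int scripted_next_key(void *ctx)
{
    struct scripted_keys *s = ctx;
    return s->pos < s->n ? s->keys[s->pos++] : -1;
}

/* Interactive user: hits Enter by mistake, then confirms with 'y'. */
static enum chain_decision scenario_human(void)
{
    static const int keys[] = { '\n', 'y' };
    struct scripted_keys s = { keys, 2, 0 };
    return decide_chainload("\\EFI\\BOOT\\loader.efi", scripted_next_key, &s);
}

/* Headless boot, e.g. malware that replaced loader.efi: nothing is typed. */
static enum chain_decision scenario_headless(void)
{
    struct scripted_keys s = { NULL, 0, 0 };
    return decide_chainload("\\EFI\\BOOT\\loader.efi", scripted_next_key, &s);
}

int main(void)
{
    printf("human at console: %s\n",
           scenario_human() == CHAIN_LOAD ? "chain load" : "deny");
    printf("headless boot:    %s\n",
           scenario_headless() == CHAIN_LOAD ? "chain load" : "deny");
    return 0;
}
```

Two design points the model makes visible. First, the test demands a specific key rather than “press any key”, so a stray character left in the keyboard buffer does not count as consent. Second, the protection rests entirely on the assumption that keystrokes come from a person at the machine: this model does not defend against an attacker who can feed keystrokes to the console, which is a limitation of any presence check of this kind, not a claim about the Linux Foundation’s implementation.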
Once the Linux Foundation gets a Microsoft signature, something that “will take a while,” Bottomley admits, the pre-bootloader will be placed on the Linux Foundation website, where anyone can download and use it to boot a CD/DVD installer or LiveCD Linux distribution, or to boot an installed operating system in secure mode for any distribution.
In essence, the new pre-bootloader will be “a stop-gap measure that will give all distributions time to come up with plans that take advantage of UEFI secure boot,” Bottomley concluded.
Still, it’s worth noting that Red Hat’s Garrett published his own reaction to the news following the Linux Foundation’s announcement: “It’s less useful than shim,” he wrote, referring to the method used in Fedora’s approach. “Just use shim instead.”