Linux and Windows 8’s Secure Boot: What We Know So Far
By Katherine Noyes, PCWorld
Ever since it was first brought to light that Windows 8’s secure boot mechanism could cause problems for Linux users, speculation has been running rampant as to the exact nature of the difficulties that may arise.
Will it mean that Linux users can’t use Windows 8 PCs at all? Will users be able to disable secure boot in the Unified Extensible Firmware Interface (UEFI) protocol, effectively removing the problem?
Those and many related questions have been voiced repeatedly in the blogosphere over the past week or so, even as Linux Australia reportedly announced it’s considering petitioning the Australian Competition and Consumer Commission (ACCC) with a claim that Microsoft’s behavior is anti-competitive.
We probably won’t know for some time still exactly how this is going to unfold, since Windows 8 is still on the distant horizon. In the meantime, though, it looks like “Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems,” in the words of Red Hat developer Matthew Garrett.
Of course, there’s a big difference between “difficult” and “impossible,” and further comments have been made by both Garrett and Microsoft since my original coverage.
Wondering where things stand? Here’s a rundown of what appears to be the case so far.
1. Enabled by Default
Microsoft’s Windows Certification program will require that all certified Windows 8 systems have secure boot enabled by default, according to a blog post published late last week by Steven Sinofsky, president of Microsoft’s Windows division. To prevent malware from disabling the firmware’s security policies, Microsoft’s program will also require that firmware not allow “programmatic,” or software-level, control of secure boot, as well as stipulating that OEMs prevent any unauthorized attempts at changing the firmware in ways “that could compromise system integrity,” the blog post explained.
At the heart of Microsoft’s approach is the secure boot protocol of UEFI, the firmware interface that replaces the BIOS; the protocol “permits one or more signing keys to be installed into a system firmware,” Red Hat’s Garrett explained. “Once enabled, secure boot prevents executables or drivers from being loaded unless they’re signed by one of these keys.”
The problem for Linux, as I noted last week, is that it won’t have any such signature by default, meaning that it wouldn’t naturally be allowed to run on a Windows 8 certified machine.
Further, as Garrett says, “Windows 8 certification does not require that the system ship with any keys other than Microsoft’s. A system that ships with UEFI secure boot enabled and only includes Microsoft’s signing keys will only securely boot Microsoft operating systems.”
Linux currently doesn’t support UEFI secure booting, though that could change once hardware that uses it becomes available. “Adding support is probably about a week’s worth of effort at most,” Garrett added.
3. Disabling Secure Boot
UEFI can be modified to disable secure boot, at least in theory, and the Windows 8 tablet Microsoft demonstrated at its BUILD conference earlier this month did include the ability to do that.
However, “doing so comes at your own risk,” Sinofsky’s post asserted. Even more significant, his post noted that it’s up to OEMs to choose how to enable such capabilities.
Whatever method vendors choose to make it possible to disable secure boot, users will still have choices as a result, Sinofsky added, such as the option to run older operating systems if they want.
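Whether a given machine has secure boot switched on, and whether its firmware is in the setup mode that accepts new keys, can be read from a running Linux system. The following is an added example, not part of the original article: it assumes a current kernel with efivarfs mounted at /sys/firmware/efi/efivars, and the function names and sample byte strings are constructed for illustration.

```python
from __future__ import annotations
import struct
from pathlib import Path

# EFI global variable GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point

# Constructed sample contents: 4-byte attribute mask (0x6) + 1-byte value.
SAMPLE_ON = bytes([6, 0, 0, 0, 1])
SAMPLE_OFF = bytes([6, 0, 0, 0, 0])


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)  # little-endian attribute mask
    return attrs, raw[4:]


def flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable (SecureBoot, SetupMode)."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected flag payload: {data!r}")
    return data[0] == 1


def describe(secure_boot: bytes | None, setup_mode: bytes | None) -> str:
    """Summarise firmware state from the raw SecureBoot/SetupMode contents."""
    if secure_boot is None:
        return "no SecureBoot variable: legacy boot or no secure boot support"
    if flag(secure_boot):
        return "enforced: only binaries signed by an enrolled key will load"
    if setup_mode is not None and flag(setup_mode):
        return "off, setup mode: no platform key, the owner can enroll keys"
    return "off: enforcement is disabled in firmware"


def read_var(name: str, root: Path = EFIVARS) -> bytes | None:
    """Return a global EFI variable's raw bytes, or None if it is absent."""
    path = root / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes() if path.exists() else None


if __name__ == "__main__":
    print(describe(read_var("SecureBoot"), read_var("SetupMode")))
```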
4. Depends on Hardware Makers
Microsoft’s overall message was meant to assuage concerns by asserting, as Microsoft program manager Tony Mangefeste did, that “At the end of the day, the customer is in control of their PC.” This has been echoed by some in the tech press. The reality, though, is that it sounds like it will ultimately be up to PC makers to decide whether or not they give users the ability to disable secure boot.
In fact, there is no requirement that certified PC makers give users the capability to disable UEFI secure boot, Garrett notes. And not only that, but “we’ve already been informed by hardware vendors that some hardware will not have this option.”
The result, he wrote, is that “the end user is not guaranteed the ability to install extra signing keys in order to securely boot the operating system of their choice. The end user is not guaranteed the ability to disable this functionality. The end user is not guaranteed that their system will include the signing keys that would be required for them to swap their graphics card for one from another vendor, or replace their network card and still be able to netboot, or install a newer SATA controller and have it recognise their hard drive in the firmware. The end user is no longer in control of their PC.”
5. Options for Linux
So what are Linux users’ prospects, given all of this? Once again, it’s important to remember that this is all very preliminary, since Windows 8 won’t be out for a long time still.
Working with what we’ve seen so far, though, not buying a Windows 8 certified PC is certainly one obvious option for avoiding any potential problems, as is simply upgrading from Windows 7 on an existing dual-boot machine. Building your own machine is always an option as well.
Assuming Microsoft does allow hardware vendors to give users the option of disabling secure boot, it may also end up being a matter of shopping carefully to ensure that the Windows 8 machine you buy includes that capability.
Signed versions of Linux don’t sound likely, as I noted last week, due to licensing issues with the Grub and Grub 2 bootloaders and the fact that self-signed Linux keys would then have to be included by every PC maker, a logistical nightmare if ever there was one.
Of course, Linux fans tend to be pretty savvy users. If things do indeed continue on this path, I’m betting a variety of other workarounds will soon emerge.