Red Hat Will Address Secure Boot Issue in Fedora 18
Fedora bypasses UEFI restrictions with Microsoft signing service.
As we have reported previously HPC and Linux magazine web sites, all Windows 8 licensed hardware will ship with the new UEFI secure boot enabled by default. In a nutshell, the UEFI specification associates the firmware with a signing key, which prevents users from installing a new operating system – such as Linux.
According to Red Hat developer Matthew Garrett, the company has been working on a plan for dealing with the situation. Although Red Hat explored several alternatives, Garrett reports that “Microsoft will be offering signing services through their sysdev portal.” The solution is not free; a US$ 99 fee is required to gain access. Garrett notes that the US$ 99 goes to Verisign, not Microsoft and that, once paid, you can sign as many binaries as you want.
Garrett states that this approach, which will be implemented in Fedora 18, “ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions.” Garrett also says that the solution “is not ideal, but of all the approaches we’ve examined we feel that this one offers the best balance between letting users install Fedora while still permitting user freedom.”
Steven J. Vaughn-Nichols at ZDNet spoke about this issue with Linus Torvalds, who doesn’t think Microsoft’s spin on Windows 8 UEFI secure boot is sufficient for security. Torvalds said, “The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that’s right, pretty much none of them) or they’ll just take advantage of security bugs in signed software to bypass it without a key at all.” Stay tuned.