UEFI and Secure Boot
No Free Boots
The imminent Windows 8 implementation of UEFI with Secure Boot adds an extra layer of complexity for some Linux users. We look at the problem and two solutions from Fedora and Canonical.
In an effort to provide additional security to Windows 8 on x86- and ARM-based devices, a new requirement for Microsoft ODMs is that all Windows 8-certified machines have the Unified Extensible Firmware Interface (UEFI) with the Secure Boot option on, creating problems for any Linux distribution that wants to run on such devices.
What is EFI?
The EFI system has slowly been making headway in recent years. EFI firmware currently works with Windows versions that support the GUID Partition Table (GPT), with OS X on Intel hardware, and with Linux 2.6 and later. EFI is seen as a superior hardware/software interface to BIOS because it is platform-agnostic, runs in 32- or 64-bit mode, and, with GPT, can handle boot partitions of up to 9.4 zettabytes (9.4x10^21 bytes).
However, the benefits of EFI, and the later UEFI specification, are not particularly impressive to Linus Torvalds. As far back as 2006, Torvalds stated that many of the EFI features simply duplicated what BIOS had already done.
Torvalds wrote at the time: “… the problem with EFI is that it actually superficially looks much better than the BIOS, but in practice it ends up being one of those things where it has few real advantages, and often just a lot of extra complexity because of the ‘new and improved’ interfaces that were largely defined by a committee.”
Despite this disgruntlement, EFI and UEFI are supported by any kernel past 2.6, so implementing Linux on such devices is not a problem.
The problem is Microsoft’s other requirement for any Windows 8-certified client: the system must support Secure Boot. This hardened boot means that “all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA),” according to Arie van der Hoeven, Microsoft Principal Lead Program Manager.
Red Hat developer Matthew Garrett first brought the issue to the Linux community’s attention in September 2011, when he revealed Microsoft’s plan to lock down the boot process, which Microsoft rightly points out has become a high-value target vector for injecting malware onto Windows PCs. To combat this, Microsoft will be requiring that all Windows 8 devices have the hardened boot, which means a certificate-signed operating system is the only thing that will run on such a system.
You can’t replace the UEFI firmware on the device with other, unsigned firmware. If every part of the chain needs a CA signature, then swapping out a machine’s signed EFI layer for, say, an unsigned BIOS or EFI would not work.
Nor is it feasible to require users to simply turn off the Secure Boot option. While technical users could easily manage this if they wanted to boot Linux on a Windows 8-certified machine, it’s still an extra step that would be less than desirable – all the more so if a user had to turn Secure Boot back on every time they wanted to boot Windows 8 on the same machine. And asking beginning users to do this would be non-optimal in the extreme.
So what are the Linux distros doing about the problem? Thus far, public statements have only been issued by the Fedora Project and Canonical for the respective Fedora and Ubuntu distros, and those proposed solutions are, perhaps predictably, different.
Fedora’s Proposed Solution
Given that their developers were among the first to point out the problem, it should be no surprise that Fedora’s team came out with the first public suggestion to work around the UEFI/Secure Boot problem.
Rather than create a Fedora-specific key that could unlock the UEFI Secure Boot feature (but only for Fedora), Garrett and his team suggested a more open two-stage bootloader approach.
After paying a one-time $99 certification fee to VeriSign for a Microsoft-signed certificate, Fedora would ship a first-stage bootloader with one job: boot a second bootloader that is signed with a Fedora key, and have that second bootloader (a modified version of GRUB 2.0) boot Fedora or whatever the user chooses.
This approach has the advantage of not giving Fedora a leg up over any other distro, since other distros can simply pay the same $99 fee for a Microsoft certificate and build their own two-stage bootloader.
There are other advantages. Garrett wrote: “The first stage bootloader should change very rarely, and we don’t envisage updating it more than once per release cycle. It shouldn’t be much of a burden on release management.”
Canonical’s Approach
Weeks after Fedora’s announced approach, Canonical’s founder hinted at the vendor’s solution for Ubuntu: providing an Ubuntu-specific signed key that would be accepted by Secure Boot-enabled machines.
Mark Shuttleworth wrote on the ubuntu-devel mailing list: “We’ve been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft’s goodwill for access to modern PC hardware.”
Two days later, the Canonical team revealed its full plans: dropping the use of the GRUB 2.0 bootloader by default on systems with Secure Boot enabled, as well as providing their own Ubuntu-signed key.
Why drop GRUB 2.0? A legal – not technical – concern: a manufacturer mistake could end up requiring Canonical to reveal its private key.
Ubuntu developer Steve Langasek wrote in a detailed announcement, “… in the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn’t then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off.”
The Canonical solution will use one element common to Fedora: The key will be used to authorize the bootloader, not Linux itself.
For users booting from CD, a loader image signed by Microsoft’s Winqual key will chain to the UEFI bootloader efilinux, which will be signed by Ubuntu’s key, so the Microsoft-signed image won’t have to be re-signed every time a change is made to efilinux.
For machines with Ubuntu preinstalled, the process is similar, just more baked in. “Machines that ship as ‘Ubuntu certified’ will be required to have an Ubuntu key configured in their UEFI signature databases. The intention here is to allow these systems to receive updates for the revoked signature database, in order to be protected against known-compromised UEFI binaries,” Langasek wrote. “We are not planning to provide an alternative to Microsoft’s signing infrastructure, only an additional key; so we have no current plans to implement a signing service using the Ubuntu key.”
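The two designs above share one mechanism: the platform's signature database (db) decides which first-stage loader may run, a revoked-signature database (dbx) can block a known-bad binary by hash even when its signature is still valid, and the first stage then vouches for the second stage with a key of the distribution's own. The following is an added example, not code from the article, Fedora or Canonical, that models that policy in Python so the cases discussed here (a fully signed chain, an unsigned second stage, a loader signed by a key the platform does not trust, a revoked first stage, and Secure Boot switched off) can be run side by side. The signing primitive is a constructed stand-in: real UEFI checks RSA/X.509 Authenticode signatures, whereas this model uses an HMAC keyed by a per-signer secret so it runs with the standard library alone; key names, secrets and image bodies are all made up.

```python
"""
Constructed model of the UEFI Secure Boot chain of trust discussed above.
Real firmware checks RSA/X.509 Authenticode signatures against the db and
dbx variables; this stand-in uses an HMAC keyed by a per-signer secret so
the policy logic (trusted signers, two-stage chaining, hash revocation)
runs without a third-party crypto library. Key names and secrets are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Signature:
    signer: str   # which key claims to have signed the image
    mac: bytes    # stand-in for the real PKCS#7 signature blob


@dataclass(frozen=True)
class SigningKey:
    name: str
    secret: bytes  # would be an RSA private key in a real deployment

    def sign(self, body: bytes) -> Signature:
        return Signature(self.name, hmac.new(self.secret, body, hashlib.sha256).digest())

    def verify(self, body: bytes, sig: Signature) -> bool:
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        return sig.signer == self.name and hmac.compare_digest(expected, sig.mac)


@dataclass(frozen=True)
class Image:
    name: str
    body: bytes
    sig: Optional[Signature] = None  # None models an unsigned binary

    def digest(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


@dataclass
class Firmware:
    """Platform firmware holding the Secure Boot signature databases."""
    db: Dict[str, SigningKey] = field(default_factory=dict)  # allowed signers
    dbx: Set[str] = field(default_factory=set)               # revoked image hashes
    secure_boot: bool = True

    def verify(self, image: Image) -> bool:
        if not self.secure_boot:
            return True
        if image.digest() in self.dbx:
            return False  # revoked: rejected even though its signature is still valid
        if image.sig is None or image.sig.signer not in self.db:
            return False  # unsigned, or signed by a key the platform does not trust
        return self.db[image.sig.signer].verify(image.body, image.sig)


def boot_chain(fw: Firmware, first_stage: Image, distro_key: SigningKey,
               second_stage: Image) -> List[str]:
    """Two-stage boot: firmware checks stage 1 against db/dbx, then stage 1
    checks stage 2 against the distro key compiled into it (skipped when
    Secure Boot is off, as a first-stage loader would do)."""
    if not fw.verify(first_stage):
        return [f"firmware rejected {first_stage.name}"]
    log = [f"firmware accepted {first_stage.name}"]
    trusted = (second_stage.sig is not None
               and distro_key.verify(second_stage.body, second_stage.sig))
    if fw.secure_boot and not trusted:
        log.append(f"{first_stage.name} rejected {second_stage.name}")
    else:
        log.append(f"{first_stage.name} accepted {second_stage.name}")
    return log


def scenario() -> Dict[str, List[str]]:
    """Run the cases the article raises and return the boot log for each."""
    ms_ca = SigningKey("Microsoft UEFI CA", b"ms-secret")          # constructed
    fedora = SigningKey("Fedora", b"fedora-secret")                 # constructed
    other = SigningKey("Vendor not in db", b"other-secret")         # constructed
    fw = Firmware(db={ms_ca.name: ms_ca})   # out-of-the-box Windows 8 machine

    shim = Image("shim", b"first-stage-v1", ms_ca.sign(b"first-stage-v1"))
    grub = Image("grub", b"grub2-build", fedora.sign(b"grub2-build"))
    local_grub = Image("grub-local", b"grub2-local-build")          # unsigned
    rogue = Image("rogue-loader", b"loader", other.sign(b"loader"))

    results = {
        "signed chain": boot_chain(fw, shim, fedora, grub),
        "unsigned second stage": boot_chain(fw, shim, fedora, local_grub),
        "untrusted signer": boot_chain(fw, rogue, fedora, grub),
    }
    # A dbx update revokes the first stage by hash without touching db.
    fw.dbx.add(shim.digest())
    results["revoked first stage"] = boot_chain(fw, shim, fedora, grub)
    # With Secure Boot switched off, nothing is checked.
    fw.secure_boot = False
    results["secure boot off"] = boot_chain(fw, shim, fedora, local_grub)
    return results


if __name__ == "__main__":
    for case, log in scenario().items():
        print(f"{case}: {' -> '.join(log)}")
```

The dbx case is the one Langasek's remark about "updates for the revoked signature database" is aimed at: the revocation is keyed on the image hash, so a compromised loader stops booting even though the certificate that signed it remains in db. The "secure boot off" case shows the flip side of the article's objection to asking users to toggle the option: once it is off, the unsigned second stage boots without any check at all.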
The Final Solution
Neither of these solutions is perfect. Fedora’s approach is geared toward booting Linux on new, out-of-the-box Windows 8 machines, whereas Canonical’s method is tailored toward booting preloaded Ubuntu devices while still letting the user modify the installation (exactly mirroring the Microsoft approach).
Other distros with strong desktop pursuits, notably openSUSE and Linux Mint, have yet to be heard from.
Whatever solution is used, the real requirements for solving the UEFI problem will have to walk the fine line between ease of use and not breaking a user’s machine with a faulty certificate.