Windows 8 Secure Boot: A Roundup of Linux Distros’ Plans

116

There’s been no end to the controversy generated in the Linux community by Microsoft’s Windows 8 Secure Boot plans, and scarcely a week goes by without the discussion or announcement by one distribution or another of some new possible approach.

The problem, of course, stems from Microsoft’s decision to enable the Secure Boot technology in the Unified Extensible Firmware Interface (UEFI) in Windows 8 hardware, meaning that only operating systems with the right digital signature will be able to boot. While it will apparently be possible to disable Secure Boot on x86 Windows machines — or for users to enroll their own keys — that won’t be the case on ARM-based hardware.

Since the topic arose last fall, both the Linux Foundation and the Free Software Foundation have weighed in with their own views on the matter, and a community effort has also been launched to help developers work around the technology. Several distros, meanwhile, have crafted their own approaches.

Here’s a quick rundown of where things stand.

Fedora’s Approach: A Microsoft Key

Fedora logoBack in May Fedora was the first to speak out about its planned approach, which primarily involves paying $99 to Verisign for unlimited use of Microsoft signing services, allowing its first stage boot loader to be signed with a Microsoft key.

While Fedora did explore the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, that strategy was ultimately rejected for several reasons, including the near impossibility of getting all vendors to do so, according to Red Hat developer Matthew Garrett. 

Paying for a Microsoft key, on the other hand, “ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions,” Garrett explained. “If there are better options then we haven’t found them.”

Fedora later announced a second “custom mode” alternative scheme whereby “a site will create their own keys and deploy them in system firmware, and will do their own signing of binaries with it.” 

Ubuntu’s Approach: An Ubuntu Key

Ubuntu logoThough Canonical founder Mark Shuttleworth has indicated that plans for Ubuntu are still a work in progress, those published (PDF) so far involve using an Ubuntu-specific key. Canonical chose to do it this way in part because of the fact that Ubuntu is relatively commonly preinstalled on PC hardware, it says — a fact that sets it apart from most other distributions.

Another key difference in Canonical’s approach is that Ubuntu will use Intel’s efilinux rather than the GRUB 2 boot loader because of concerns about licensing under GPLv3.

SUSE’s Approach: A Hybrid Strategy

SUSE logoLast but not least, SUSE Linux spoke out earlier this month with its own approach, which in many ways combines a bit of each of Fedora’s and Ubuntu’s tactics.

Essentially, SUSE plans to start with a shim based on the Fedora shim loader, and to make two versions of it available: one signed with SUSE’s own key, similar to what Canonical is planning, and another signed with a key provided by Microsoft. In either case, by default the shim will verify that GRUB 2 is trusted using an independent SUSE certificate embedded in its body, though “Machine Owner Keys” will be able to override that default SUSE key as well.

Whether openSUSE will follow SUSE’s approach isn’t yet clear.

The Controversy Continues

Fedora’s approach drew considerable criticism early on from many who viewed  it as a sort of capitulation to Microsoft. The Free Software Foundation, on the other hand, has said it prefers it over what Ubuntu has planned. 

In the meantime, James Bottomley, chair of the Linux Foundation’s Technical Advisory Board, has created a platform for further work on the problem that uses a boot system based on Intel’s Tianocore, which is an open source implementation of UEFI.

Finally, it’s also worth mentioning an entirely different kind of solution that sidesteps all this brouhaha altogether: completely open hardware from vendors like ZaReason.