Here’s Microsoft’s plan: Every new PC sold with Windows 8 will be locked up tight with Microsoft’s UEFI (
Unified Extensible Firmware Interface) secure boot on. Microsoft says that this is to help secure your PCs from rootkits and malware. It also happens to stop you from easily installing Linux or any other operating system, such as Windows 7 or XP, on a Windows 8 system. Thanks Microsoft. We really needed that kind of protection!
To get you up to speed, the first thing you need to know is that UEFI is the 21st century replacement for your PC’s basic input/output system (BIOS). When you turn your computer on these are the first computing services that turn on. These enable your operating system to then boot up. PC vendors have slowly been replacing BIOS with the more flexible UEFI for years now. Modern Macs, for example, all use UEFI.
UEFI isn’t just a more advanced version of the BIOS. It’s a mini operating system in its own right. Exactly what a UEFI does depends on how your chip vendor, PC OEM, and operating system vendors implement it. If a company wants to install Windows 8, they must use Windows’ Secure Boot function, which blocks other operating systems from being booted and thus installed.
Linux developers have no problem with secure boot in and of itself. Indeed, as The Linux Foundation white paper, Making UEFI Secure Boot Work With Open Platforms (
PDF), states, “Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware.”
The problem is that Microsoft requires vendors to implement secure boot in such a way that it makes it very hard to install Linux. It’s possible that hardware companies will simply give us the option of turning off secure boot during the UEFI setup similar to the way you can now use your BIOS to choose if you want to boot from your hard drive or a DVD or USB Flash drive. We don’t know yet though. Even though Windows 8 PCs will start shipping this fall it’s still not clear how many vendors will implement secure boot. The easy way will be for them to not give users the option of turning it off.
At least on x86 PCs, we may have the option of turning secure boot off. On Windows 8 on ARM (aka Windows RT), there will be no such choice. Microsoft’s Windows Hardware Certification Requirements for Windows 8 client and server systems states that while Windows 8 Secure Boot can be disabled on Intel systems, “Disabling Secure [Boot] must not be possible on ARM systems.
Trying to boot Linux on UEFI
So what can we do? Well, for starters, we need to get Linux booting on UEFI. Period. Because, with the exception of Macs, few PCs use UEFI instead of BIOS, there’s been little effort to getting Linux to boot straight from UEFI.
Most people today who want to run Linux on a Mac use the Compatibility Support Module (CSM), which provides
BIOS emulation on the Mac. This method is messy, doesn’t work that well, and I’m quite certain will fail miserably on Secure Boot Windows 8 PCs.
There are other, better ways, of doing this. The best of them that I’ve found to date is Rod Smith’s
guide to EFI-Booting Ubuntu on a Mac. Others, like Linux kernel developer Greg Kroah-Hartman, are also working on it.
While annoying, this is a relatively trivial problem. The heavy lifting comes with trying to deal with Secure Boot.
Secure Boot and Linux
In the best of all possible worlds, Microsoft and its partners would implement Secure Boot in the ways that the Linux Foundation says would work with Linux. Well, that’s not going to happen.
So, instead we have three different paths. At this point, there’s no telling which one is going to work out. In fact, we may end up using all of them. This is less than ideal, but with Microsoft’s continued dominance of the field, Linux developers have to do the best they can with a difficult situation.
First, Linux developers need to get a better handle on the problem. To do this, James Bottomley, chair of the Linux Foundation’s Technical Advisory Board, has released a
Intel Tianocore UEFI boot image and some code that Linux programmers can use to get around Windows 8’s Secure Boot restrictions.
Intel Tianocore is an open-source image of Intel’s UEFI. Until recently this image didn’t have the Authenticode that Microsoft uses for Secure Boot (
PDF) but now it does include this functionality as well. Getting this into developers’ hands will “widen the pool of people who are playing with UEFI Secure boot.”
This will let programmers who don’t have access to UEFI secure boot hardware have a “virtual platform [that] should allow them to experiment with coming up with their own solutions.” But, Bottomley warns developers that “This is very alpha. The Tianocore firmware that does secure boot is only a few weeks old, and the signing tools weren’t really working up until yesterday, so this is very far from rock solid.”
Even so, with it developers can lock down the secure boot virtual platform with their own secured binaries that will boot and work on a UEFI Linux secured system. This is a major step forward in making it easier for developers to make use of UEFI security with their own keys.
This is the first approach: Create UEFI Secure Boot keys for your particular distribution. This is what Canonical is doing with Ubuntu. Some people, like the Free Software Foundation, hate this approach.
Fedora, Red Hat’s community Linux distribution decided to work with Microsoft’s key signing service, Verisign. So, in the Fedora plan, Fedora will create its own Windows 8 system compatible UEFI secure boot key using Microsoft’s own system.
That has also gone over like a lead balloon in many open-source circles. Matthew Garrett, a Red Hat developer, defends it, saying that “it’s cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions.”
Frankly, as Ubuntu’s founder Mark Shuttleworth said, neither plan is great, but “Secure Boot retains flaws in its design that will ultimately mandate that Microsoft’s key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result.”
There is still another way though: Use open hardware with open source software. This is the path Cathy Malmrose, CEO of the Linux PC vendor ZaReason would like to see followed.
As Malmrose said “With UEFI’s Secure Boot around the corner, we are hoping to raise awareness that Linux distributors don’t need to sign with Microsoft [or use their secure boot]. Computers that are rooted with open bootloader are available. That’s what we ship.” True, “UEFI’s Secure Boot is implemented at OEM (original equipment manufacturer) level, all new PCs purchased (with the intent of loading your favorite distro)
will have Secure Boot.”
Malmrose isn’t happy with disabling it or using Fedora or Ubuntu’s methods. “Yes, you can disable it. But ‘disabling’ something that’s ‘secure’ makes you bad.” She also fears that in the long run, “the keystroke(s) needed to get Linux to run on machines post-2012 will be simple at first, becoming increasingly complex at a non-shocking rate. It’s a monumental shift at OEM level.” Malmrose fears that this will make desktop Linux “too difficult to new users, [and this will cause] slow death by suffocation” for Linux.
So, here’s where we are today with Linux on Windows 8 PCs:
1. Hope that the OEMs will simply let you disable Secure Boot during the pre-boot up. If they do, then installing Linux on a Windows 8 PC won’t be much harder than it is today on Windows 7 systems. This will not, however, be an option on Windows RT ARM-powered systems.
2. Use a Linux, like Fedora, that provides a Secure Boot compatible key using Microsoft’s own Windows 8 signing tools
3. Use a Linux, like Ubuntu, that provides its own Secure Boot compatible key.
4. Avoid Windows 8 systems entirely and use open hardware instead.
Some Linux distributors, such as openSUSE, haven’t decided what they’re going to do yet.
I wish I could tell you that it’s all going to be easy or give you a magic series of steps that you’ll be able to take to get your Linux of choice running on your laptop or desktop. I can’t. There will be no easy way to run Linux on Windows 8 PCs and we still don’t know how OEMs will be handling Secure Boot.
I see a long, hard road ahead for Linux desktop users with post-2012 PCs. If I find a shortcut, I’ll be sure to let you know.