UEFI and Secure Boot
No Free Boots
ByThe imminent Windows 8 implementation of UEFI with Secure Boot adds an extra layer of complexity for some Linux users. We look at the problem and two solutions from Fedora and Canonical.
In an effort to provide additional security to Windows 8 on x86- and ARM-based devices, a new requirement for Microsoft ODMs is that all Windows 8-certified machines have the Unified Extensible Firmware Interface (UEFI) with the Secure Boot option on, creating problems for any Linux distribution that wants to run on such devices.
What is EFI?
The EFI system has slowly been making headway in recent years, and right now, EFI firmware is compatible with Windows supporting the GUID Partition Table (GPT), OS X/Intel, and Linux 2.6 and beyond machines. EFI is seen as a superior hardware/software interface to BIOS because it is platform-agnostic and runs in 32- or 64-bit mode and because GPT machines can handle boot partitions of up to 9.4 zettabytes (9.4x1021).
However, the benefits of EFI, and the later UEFI specification, are not particularly impressive to Linus Torvalds. As far back as 2006, Torvalds stated that many of the the EFI features were simply duplicating what BIOS had already done.
Torvalds wrote at the time. “… the problem with EFI is that it actually superficially looks much better than the BIOS, but in practice it ends up being one of those things where it has few real advantages, and often just a lot of extra complexity because of the ‘new and improved’ interfaces that were largely defined by a committee.”
Despite this disgruntlement, EFI and UEFI are supported by any kernel past 2.6, so implementing Linux on such devices is not a problem.
What is the problem is Microsoft’s other requirement for any Windows 8-certified client: The system must support Secure Boot. This hardened boot means that “all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA),” according to Arie van der Hoeven, Microsoft Principal Lead Program Manager.
Red Hat developer Matthew Garrett first brought the issue to the Linux community’s attention in September 2011, when he revealed Microsoft’s plan to lock down the boot process, which Microsoft rightly points out has become a high-value target vector for injecting malware onto Windows PCs. To combat this, Microsoft will be requiring that all Windows 8 devices have the hardened boot, which means a certificate-signed operating system is the only thing that will run on such a system.
You can’t replace the UEFI system on the device with other, unencrypted, firmware. If all parts of the chain need to have a CA signature, then swapping out a machine’s signed EFI layer with, say, an unsigned BIOS or EFI would not work.
Nor is it feasible to require users to simply turn off the Secure Boot option. While technical users could easily manage this if they wanted to boot Linux on a Windows 8-certified machine, it’s still an extra step that would be less than desirable – all the more so if a user had to turn Secure Boot back on every time they wanted to boot Windows 8 on the same machine. And asking beginning users to do this would be non-optimal in the extreme.
So what are the Linux distros doing about the problem? Thus far, public statements have only been issued by the Fedora Project and Canonical for the respective Fedora and Ubuntu distros, and those proposed solutions are, perhaps predictably, different.
Fedora’s Proposed Solution
Given that their developers were among the first to point out the problem, it should be no surprise that Fedora’s team came out with the first public suggestion to work around the UEFI/Secure Boot problem.
Rather than create a Fedora-specific key that could unlock the UEFI Secure Boot feature (but only for Fedora), Garrett and his team suggested a more open two-stage bootloader approach.
After paying a one-time $99 certification fee to VeriSign for a Microsoft-signed certificate, the first-stage bootloader will have one job: boot to a second bootloader that’s signed with a Fedora key and have the second bootloader (a modified version of GRUB 2.0) roll into Fedora or whatever the user chooses.
This approach has the advantage of not letting Fedora getting a leg up over any other distro, since other distros can just pay that $99 fee for a Microsoft certificate and make their own two-stage bootloader approach.
There are other advantages. Garrett wrote: “The first stage bootloader should change very rarely, and we don’t envisage updating it more than once per release cycle. It shouldn’t be much of a burden on release management.”
Canonical’s Approach
Weeks after Fedora’s announced approach, Canonical’s founder hinted at the vendor’s solution for Ubuntu: providing an Ubuntu-specific signed key that would be accepted by Secure Boot-enabled machines.
Mark Shuttleworth wrote on the ubuntu-devel mailing list: “We’ve been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft’s goodwill for access to modern PC hardware.”
Two days later, the Canonical team revealed its full plans: dropping the use of the GRUB 2.0 bootloader by default on systems with Secure Boot enabled, as well as providing their own Ubuntu-signed key.
Why drop GRUB 2.0? A legal – not technical – concern that a manufacturer mistake could end up requiring Canonical to have to reveal their private key.
Ubuntu developer Steve Langasek wrote in a detailed announcement, “… in the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn’t then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off.”
The Canonical solution will use one element common to Fedora: The key will be used to authorize the bootloader, not Linux itself.
For users booting from CD, a loader image signed by Microsoft’s Winqual key will chain to the UEFI bootloader efilinux, which will be signed by Ubuntu’s key, so the Winqual key won’t have to be signed every time a change is made to efilinux.
For machines with Ubuntu preinstalled, the process is similar, just more baked in. “Machines that ship as ‘Ubuntu certified’ will be required to have an Ubuntu key configured in their UEFI signature databases. The intention here is to allow these systems to receive updates for the revoked signature database, in order to be protected against known-compromised UEFI binaries,” Langasek wrote. “We are not planning to provide an alternative to Microsoft’s signing infrastructure, only an additional key; so we have no current plans to implement a signing service using the Ubuntu key.”
The Final Solution
Neither of these solutions are perfect. Fedora’s approach seems to be geared toward booting Linux on new, out-of-the-box Windows 8 machines, whereas Canonical’s method is tailored toward booting preloaded Ubuntu devices and at the same time letting the user have rights to modify the installation (exactly mirroring the Microsoft approach).
Other distros with strong desktop pursuits, notably openSUSE and Linux Mint, have yet to be heard from.
Whatever solution is used, the real requirements for solving the UEFI problem will have to walk the fine line between ease of use and not breaking a user’s machine with a faulty certificate.
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
The GNU Project Celebrates Its 40th Birthday
September 27 marks the 40th anniversary of the GNU Project, and it was celebrated with a hacker meeting in Biel/Bienne, Switzerland.
-
Linux Kernel Reducing Long-Term Support
LTS support for the Linux kernel is about to undergo some serious changes that will have a considerable impact on the future.
-
Fedora 39 Beta Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.
-
UbuntuDDE 23.04 Now Available
A new version of the UbuntuDDE remix has finally arrived with all the updates from the Deepin desktop and everything that comes with the Ubuntu 23.04 base.