Windows 8: UEFI Secure Boot System for Linux

Martin Brinkmann
Oct 12, 2012
Updated • Jan 16, 2013
Windows, Windows 8

When Microsoft announced Secure Boot for Windows 8, it received lots of flak from the Linux community because of fears that Secure Boot would effectively shut out Linux distributions on PCs running the operating system. The biggest problem with Secure Boot was that Microsoft gave OEMs the power to decide whether to include an off-switch for Secure Boot or not. Disabling Secure Boot in UEFI frees the PC from restrictions, so that operating systems that do not support Secure Boot can be installed and run on the PC.

The primary purpose of the protocol is to prevent the loading of unsigned drivers or operating system loaders. It needs to be mentioned that Secure Boot is only available on PCs that use UEFI, while PCs that use BIOS are not affected by this at all.

The Linux Foundation today announced that they have found a way to make Linux and other open source distributions work with Secure Boot.

In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system).

The source code for the pre-bootloader is available in git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git.

The Linux Foundation notes that it may take a while to obtain a signature from Microsoft. Once it has been acquired, the pre-bootloader will be made available on the Linux Foundation website from where it can be downloaded freely.

The bootloader will run a "present user" test to protect the system against attacks targeting the boot process. It is not clear how this will work out, and if it will lead to certain access restrictions. The loader does not offer any security enhancements over booting Linux with UEFI Secure Boot turned off.

It is good news for PC users who want to run a dual or triple boot system on a PC with UEFI that includes Windows 8 and at least one Linux distribution or open source operating system.
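
As an added example (not from the article or from the Linux Foundation's efitools), the following Python reports whether a running Linux system was booted through legacy BIOS/CSM or UEFI, and whether Secure Boot is enforcing, by reading the standard `SecureBoot` and `SetupMode` variables from efivarfs. The function names and the constructed fake efivarfs tree are assumptions made for illustration.

```python
import os
import tempfile

# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_flag(efi_root, name):
    """Return the 1-byte value of an efivarfs variable, or None if unavailable."""
    path = os.path.join(efi_root, "efivars", f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    # efivarfs files hold 4 bytes of attributes followed by the variable data.
    if len(raw) < 5:
        return None
    return raw[4]

def boot_mode(efi_root="/sys/firmware/efi"):
    """Classify how this Linux system was booted (hypothetical helper)."""
    if not os.path.isdir(efi_root):
        return "legacy-bios"           # BIOS/CSM boot: Secure Boot does not apply
    secure = read_flag(efi_root, "SecureBoot")
    setup = read_flag(efi_root, "SetupMode")
    if secure is None:
        return "uefi-unknown"          # efivarfs not mounted or variable missing
    if secure == 1:
        return "uefi-secure-boot-on"   # firmware verifies boot loader signatures
    if setup == 1:
        return "uefi-setup-mode"       # no platform key enrolled
    return "uefi-secure-boot-off"      # unsigned loaders are allowed to run

def make_fake_efi(secure, setup):
    """Constructed sample data: a fake efivarfs tree so the example runs offline."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "efivars"))
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        path = os.path.join(root, "efivars", f"{name}-{EFI_GLOBAL}")
        with open(path, "wb") as fh:
            # Attributes 0x06 = boot-service access + runtime access.
            fh.write(b"\x06\x00\x00\x00" + bytes([val]))
    return root

if __name__ == "__main__":
    print("this machine:", boot_mode())
    print("constructed :", boot_mode(make_fake_efi(1, 0)))
```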


Comments

  1. Anthony Johnson said on October 27, 2012 at 1:41 pm

    On the day Win8 was released, I tried to boot Ubuntu 12.04 and FreeBSD 9 from a USB flash drive on four new Win8-labelled PCs: 3 Toshibas (L855 models) and 1 Sony Vaio. All four failed to boot with a dialogue stating “Checking Media……,..,,,,,,FAILED”.
    On each model I could still access the BIOS and disable Secure Boot and use CSM legacy instead of UEFI. After that, I could boot successfully into Linux or FreeBSD.
    In Win8 itself there is “Advanced Startup” in settings, but these options did not allow me to boot Linux/FreeBSD. Through the BIOS I could.

  2. Curtis said on October 14, 2012 at 9:21 am

    I wonder why there isn’t an anti-trust lawsuit emerging out of this debacle. After all, why should OEMs cater to one company only? This is more of a monopoly than anything M$ ever did with IE.

  3. Ross Presser said on October 12, 2012 at 9:08 pm

    Won’t Microsoft refuse to provide a key, based on the purpose of the preloader — which is to defeat Secure Boot completely? It sounds like this preloader would load any boot loader whatsoever, even one that loaded a pirated version of Windows 8 itself.

    1. Martin Brinkmann said on October 12, 2012 at 9:43 pm

      Good question, no idea to be honest. It seems to me that the Linux Foundation has applied for a key. Not sure if their application has to meet certain criteria to be accepted. Will be interesting to see how this turns out.
