Windows 8: UEFI Secure Boot System for Linux - gHacks Tech News


When Microsoft announced Secure Boot for Windows 8, it received lots of flak from the Linux community because of fears that Secure Boot would effectively shut out Linux distributions on PCs running the operating system. The biggest problem with Secure Boot was that Microsoft gave OEMs the power to decide whether or not to include an off-switch for it. Disabling Secure Boot in UEFI frees the PC from these restrictions, so that operating systems that do not support Secure Boot can be installed and run on the PC.

The primary purpose of Secure Boot is to prevent the loading of unsigned drivers or operating system loaders. Secure Boot is only available on PCs that use UEFI; PCs that use BIOS are not affected by it at all.

The Linux Foundation today announced that they have found a way to make Linux and other open source distributions work with Secure Boot.

In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system).

The source code for the pre-bootloader is available in git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git.


The Linux Foundation notes that it may take a while to obtain a signature from Microsoft. Once it has been acquired, the pre-bootloader will be made available on the Linux Foundation website from where it can be downloaded freely.

The bootloader will run a "present user" test to protect the system against attacks targeting the boot process. It is not clear how this will work out, or whether it will lead to certain access restrictions. The loader does not offer any security enhancements over booting Linux with UEFI Secure Boot turned off.

It is good news for PC users who want to run a dual or triple boot system on a PC with UEFI that includes Windows 8 and at least one Linux distribution or open source operating system.
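
To see from a running Linux system which of the cases above applies (BIOS or CSM boot, UEFI with Secure Boot enforced, or UEFI with it switched off), the following reads the firmware's SecureBoot and SetupMode variables through efivarfs. It is an added example, not code from the article or from the Linux Foundation; the function names and the state labels are assumptions made for illustration.

```python
import struct
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b2c"


def read_efi_flag(efivars: Path, name: str):
    """Return the 1-byte value of a global UEFI variable, or None if unreadable.

    An efivarfs file holds a 4-byte little-endian attribute word, then the data.
    """
    try:
        raw = (efivars / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None
    if len(raw) < 5:  # truncated: attribute word only, no data byte
        return None
    _attributes, value = struct.unpack_from("<IB", raw)
    return value


def boot_security_state(sysfs_root="/sys"):
    """Classify the boot mode of a Linux host (state labels are hypothetical):
    'bios', 'uefi-secure-boot-on', 'uefi-setup-mode',
    'uefi-secure-boot-off' or 'uefi-unknown'."""
    efi_dir = Path(sysfs_root) / "firmware" / "efi"
    if not efi_dir.is_dir():
        # Legacy BIOS or CSM boot: Secure Boot does not apply at all.
        return "bios"
    efivars = efi_dir / "efivars"
    secure_boot = read_efi_flag(efivars, "SecureBoot")
    setup_mode = read_efi_flag(efivars, "SetupMode")
    if secure_boot is None:
        return "uefi-unknown"  # efivarfs not mounted or variable missing
    if secure_boot == 1:
        return "uefi-secure-boot-on"
    if setup_mode == 1:
        # No platform key enrolled, so signatures are not enforced.
        return "uefi-setup-mode"
    return "uefi-secure-boot-off"


if __name__ == "__main__":
    print(boot_security_state())
```

A result of `uefi-secure-boot-off` or `bios` means the firmware performs no signature check on the boot loader.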





    Comments

    1. Ross Presser said on October 12, 2012 at 9:08 pm

      Won’t Microsoft refuse to provide a key, based on the purpose of the preloader — which is to defeat Secure Boot completely? It sounds like this preloader would load any boot loader whatsoever, even one that loaded a pirated version of Windows 8 itself.

      1. Martin Brinkmann said on October 12, 2012 at 9:43 pm

        Good question, no idea to be honest. It seems to me that the Linux Foundation has applied for a key. Not sure if their application has to meet certain criteria to be accepted. Will be interesting to see how this turns out.

    2. Curtis said on October 14, 2012 at 9:21 am

      I wonder why there isn’t an anti-trust lawsuit emerging out of this debacle. After all, why should OEMs cater to one company only? This is more of a monopoly than anything M$ ever did with IE.

    3. Anthony Johnson said on October 27, 2012 at 1:41 pm

      On the day Win8 was released, I tried to boot from a USB flash drive Ubuntu 12.04 and FreeBSD 9 on four new Win8 labelled PCs: 3 Toshibas (L855 models) and 1 Sony Vaio. All four failed to boot with a dialogue stating “Checking Media……,..,,,,,,FAILED”.
      On each model I could still access the BIOS and disable Secure Boot and use CSM legacy instead of UEFI. After that, I could boot successfully into Linux or FreeBSD.
      In Win8 itself there is in settings “Advanced Startup” but these options did not allow me to boot Linux/FreeBSD. Through the BIOS I could.
