Unified Extensible Firmware Interface (UEFI) secure boot is a major worry for GNU/Linux users, as it will make it impossible for them to install their favourite distro on hardware with secure boot.
Microsoft is pushing for secure boot with Windows 8, which is slated to be out within a year. The restrictions Microsoft is pushing on the hardware vendors are undoubtedly something Linux users are concerned about. However, at the same time, experts like Linus Torvalds believe that secure boot is a good thing and that, instead of fighting it, we should sign our own modules. Linux is known for its security, and secure boot does eliminate some real-world exploits in which fraudulently modified early boot code has introduced vulnerabilities into the operating system.
If secure boot is so good, why is the Linux community worried about it?
Red Hat’s Tim Burke explains, “A major shortcoming of the initial UEFI secure boot implementation was the lack of easy to use accommodations for operating systems other than Microsoft Windows, including the many variants of Linux.”
In order for other OSes to run on this hardware, the community and the company needed to find a solution, a practical solution. Red Hat/Fedora found a workable solution, which will make it easy for users to run the Linux of their choice.
Burke says, “Red Hat has worked for many months, in conjunction with industry consortium The Linux Foundation, hardware partners, and Microsoft to collaboratively develop a UEFI secure boot mechanism that allows user/customer choice and ease of use. Red Hat’s objective was to provide user freedom – to accommodate not just Red Hat Enterprise Linux and Fedora, but also to enable other Linux distributions, including roll-your-own. This was not an easy process, there were many tradeoffs and challenges. This is typically the case when it comes to security – balancing effectiveness of the defenses vs ease of use.”
How Secure Boot Works
The UEFI secure boot mechanism requires pairing of trusted keys with low-level operating system software (bootloaders) signed with the respective key.
The big challenge is how to both initially ship and later update the set of trusted keys stored in the system firmware. Requiring all users to perform this task manually would not meet the ease-of-use objectives. After all, with any security feature, if it is too hard to enable, few will bother to use it, and they will leave themselves exposed.
The resulting mechanism planned for getting the keys automatically distributed is to utilize Microsoft key signing and registry services. This obviates the need for every customer to have to round up a collection of keys for multiple operating systems and device drivers.
Matthew Garrett posted a blog entry about Red Hat’s solution, which met with controversy. Tim has tried to explain things, removing any doubts one might have. To ensure an uncompromised system, “Microsoft will provide keys for Windows, Red Hat will provide keys for Red Hat Enterprise Linux and Fedora,” says Tim.
This is not a Fedora-only solution: any distribution (including Ubuntu) can participate at a nominal cost of $99 USD, which allows it to register its own keys for distribution to system firmware vendors.
Who Is Going To Pay?
It’s not the users who will have to pay any money. It’s Red Hat or Canonical (if they like this solution, as we have not heard anything from them about this subject) or any other Linux distribution which will have to pay that fee. Linux distributions run by individuals can raise donations to pay this fee.
What If I Am A Fedora Derivative?
In the case of Fedora derivatives, each derivative can participate by simply enrolling in the $99 one-time fee to license UEFI.
Users performing local customization will have the ability to self-register their own trusted keys on their own systems at no cost.
Burke also takes aim at reports around Red Hat/Fedora’s solution:
“Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.”
Windows 8 and Fedora 18 will be released around the same time, when the new hardware will be on the market. Keeping up with this progress, Fedora 18 is expected to come with the first UEFI secure boot implementation.