The three leading GNU/Linux distributions Fedora, SUSE and Ubuntu were working on solutions to run their distros on Microsoft’s UEFI Secure boot PCs. openSUSE gave inidcations of using Fedora’s solution Initially Ubuntu had come out with its own solution (weeks after Fedora proposed their plan) which met with controversies mainly because they decided to drop Grub 2 due to GPL licence. The FSF stepped in to clarify the doubts Canonical had over private key. Eventually Ubuntu also resorted to using Fedora’s solution in parts.
The un-unified efforts by these distributions did not go very well with the entire open source community. OpenBSD founder Theo de Raadt criticized both Canonical and Red Hat. “I fully understand that Red Hat and Canonical won’t be doing the right thing, they are traitors to the cause, mostly in it for the money and power. They want to be the new Microsoft.”
You can read our entire coverage of UEFI Secure Boot Here
Now The Linux Foundation has stepped in with a solution which will allow every (and not just one distro or only Linux distro) open source operating system to run on UEFI secure boot systems.
James Bottomley, Linux Foundation Technical Advisory Board, has laid out their plan with. He says that the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system).
Bottomley explains, “The pre-bootloader will employ a “present user” test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it. The process of obtaining a Microsoft signature will take a while, but once it is complete, the pre-bootloader will be placed on the Linux Foundation website for anyone to download and make use of.”
It’s great news for all GNU/Linux users that the foundation has taken it to themselves to ensure users are able to run any GNU/Linux (and other open source systems such as BSD) on their machines. One always thought that the Linux Foundation was more about enabling top developers to work on their projects (through funding), bring companies together through memberships to work on Linux and to organise events to bring people together. We never saw any direct solution or engagement with user. Well there has never been a bigger threat to Linux than what UEFI Secure Boot poses.
The foundation has already “published a variety of tools to permit users to take control of their secure boot platforms by replacing the Platform Key and managing (or replacing) the installed Key Exchange Keys here,” says Bottomley.
Yes, there are tools bot not every GNU/Linux user is techn savvy or capable of doing such things. And The Linux Foundation knows it very well so they thought it was very important “to find a solution that would enable people to continue to try out Linux and other Open Source Operating Systems in spite of the barriers UEFI Secure boot would place in their way and without requiring that they understand how to take control of their platforms,” says Bottomley.
To enable such users to try and run Linux, the foundation came out with this pre-booter which allows distributions to continue functioning in a secure boot environment.
The current pre-bootloader is designed as an enabler only in that, by breaking the security verification chain at the actual bootloader, it provides no security enhancements over booting linux with UEFI secure boot turned off. Its sole purpose is to allow Linux to continue to boot on platforms that come by default with secure boot enabled.
The pre-bootloader is designed to be as small as possible, leaving all the work to the real bootloader.
How It Will Work In Real Life?
The real bootloader must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2). The pre-bootloader will attempt to execute this binary and, if that succeeds, the system will boot normally. If the loader.efi fails to load with a security error (because it is unsigned), the pre-bootloader will stop at a splash screen and ask the user to confirm, by selecting a menu option, that they wish to continue booting loader.efi.
If this confirmation (which is the “present user” test) is successful, the pre-bootloader will then execute loader.efi without security verification (if the user denies permission to boot, the pre-bootloader will signal failure and the UEFI boot sequence will continue on to the next boot path, if there is one). To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.
The present user test splash screen that appears in secure boot mode asking for permission to boot loader.efi will also direct the user to a Linux Foundation website where we will gather details of how to place platforms in setup mode and advise the user how to do this, either to install the signature of loader.efi or to take full control of the platform by replacing the Platform and Key Exchange Keys.
The foundation has made the pre-bootloader source code available on git which developers can download from here. git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
This solution will enable independent and small distributions as well as non Linux systems to run their operating systems on UEFI Secure boot machines which will start coming out soon as Microsoft launches its Windows 8.