It seems safe to say that a sizable proportion of Linux PC users in the world today installed the free and open source operating system on hardware that originally came loaded with Windows. After all, while there are preloaded systems available, it often ends up being cheaper to buy a Windows PC and load Linux yourself.
Once Windows 8 starts shipping on PCs, however, that may no longer be possible. It turns out that a new feature included in the operating system in the name of security may also effectively make it impossible to load Linux on officially Windows 8-certified hardware.“It's probably not worth panicking yet,” wrote Red Hat developer Matthew Garrett in a Tuesday blog post on the topic. “But it is worth being concerned.”
'It Won't Be Installable'
The problem derives from Microsoft's decision to use a hardware-based secure boot protocol known as Unified Extensible Firmware Interface (UEFI) in Windows 8 rather than the traditional BIOS we're all familiar with. Microsoft principal lead program manager Arie van der Hoeven explained and demonstrated UEFI in a talk at the company's BUILD conference earlier this month, and that explanation is still available in the video below.
click here to download the video
Essentially, the technology is designed to protect against rootkits and other low-level attacks by preventing executables and drivers from being loaded unless they bear a cryptographic signature conferred by a dedicated UEFI signing key.“There is no centralised signing authority for these UEFI keys,” Garrett explained. “If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.”Microsoft has said it will require that Windows 8 logo machines ship with secure boot enabled. Most likely, Windows on such systems will be signed with a Microsoft key, Garrett predicted.
Other operating systems, such as Linux, won't include any such signatures in their current state, of course. So, unless deliberate measures are taken to make them available, “a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux,” Garrett explained.
'Kernels Will Also Have to Be Signed'
Options for Linux include providing signed versions of the operating system, but there are several problems associated with that approach, Garrett pointed out.First, a non-GPL bootloader would be required. Grub 2 and Grub are released under the GPLv3 and GPLv2, respectively, he noted.Second, “in the near future the design of the kernel will mean that the kernel itself is part of the bootloader,” Garrett added. “This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical.”Finally, if Linux distributions sign for themselves, the required keys would have to be included by every OEM, he said.It may turn out to be the case that Microsoft will allow vendors to provide firmware support for disabling this feature and running unsigned code, Garrett acknowledged. Even so, however, it's unlikely that all hardware will ship with that option, he added, posing problems for at least some Linux users down the road.It remains to be seen how this situation will play out, of course. For my part, though, it sounds like one more good reason to choose hardware with Linux preinstalled.
Once Windows 8 starts shipping on PCs, however, that may no longer be possible. It turns out that a new feature included in the operating system in the name of security may also effectively make it impossible to load Linux on officially Windows 8-certified hardware.“It's probably not worth panicking yet,” wrote Red Hat developer Matthew Garrett in a Tuesday blog post on the topic. “But it is worth being concerned.”
'It Won't Be Installable'
The problem derives from Microsoft's decision to use a hardware-based secure boot protocol known as Unified Extensible Firmware Interface (UEFI) in Windows 8 rather than the traditional BIOS we're all familiar with. Microsoft principal lead program manager Arie van der Hoeven explained and demonstrated UEFI in a talk at the company's BUILD conference earlier this month, and that explanation is still available in the video below.
click here to download the video
Essentially, the technology is designed to protect against rootkits and other low-level attacks by preventing executables and drivers from being loaded unless they bear a cryptographic signature conferred by a dedicated UEFI signing key.“There is no centralised signing authority for these UEFI keys,” Garrett explained. “If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.”Microsoft has said it will require that Windows 8 logo machines ship with secure boot enabled. Most likely, Windows on such systems will be signed with a Microsoft key, Garrett predicted.
Other operating systems, such as Linux, won't include any such signatures in their current state, of course. So, unless deliberate measures are taken to make them available, “a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux,” Garrett explained.
'Kernels Will Also Have to Be Signed'
Options for Linux include providing signed versions of the operating system, but there are several problems associated with that approach, Garrett pointed out.First, a non-GPL bootloader would be required. Grub 2 and Grub are released under the GPLv3 and GPLv2, respectively, he noted.Second, “in the near future the design of the kernel will mean that the kernel itself is part of the bootloader,” Garrett added. “This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical.”Finally, if Linux distributions sign for themselves, the required keys would have to be included by every OEM, he said.It may turn out to be the case that Microsoft will allow vendors to provide firmware support for disabling this feature and running unsigned code, Garrett acknowledged. Even so, however, it's unlikely that all hardware will ship with that option, he added, posing problems for at least some Linux users down the road.It remains to be seen how this situation will play out, of course. For my part, though, it sounds like one more good reason to choose hardware with Linux preinstalled.