2013: Installing Linux on Windows 8 PC is still a pain

Summary: It's still very hard to install Linux on Windows 8 PCs, and it's next to impossible to install Linux on Windows RT devices like the Microsoft Surface RT.

Want to run Linux on your Windows 8 PC? Get used to looking at your PC's firmware settings screen.

In security's name, Microsoft has made it difficult to install Linux, or any other operating system, including older versions of Windows, on Windows 8 PCs. In addition, Microsoft has made it all but impossible to install Linux on Windows RT devices such as the Surface RT.

Microsoft has done this by adding a feature to UEFI (Unified Extensible Firmware Interface), the next generation of BIOS, called secure boot. Its avowed purpose is to prevent rootkits, malicious programs that run before the operating system boots, from running.

So far, so good, as even the Free Software Foundation (FSF), an organization with no love for Microsoft, recently admitted:

When done correctly, "Secure Boot" is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting. In practice, this means that computers implementing it won't boot unauthorized operating systems -- including initially authorized systems that have been modified without being re-approved.

This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows. In this case, we are better off calling the technology Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all.

Therefore, the FSF is urging "all computer makers implementing UEFI's so-called 'Secure Boot' to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems."

That's all well and good, but what in practice is the actual state of getting Linux to run on Windows 8 PCs?

First, by far the easiest way to get Linux running on a Windows 8 PC is to disable Secure Boot. That has two problems. First, it leaves you open to rootkits, which are a real security threat.

The other difficulty with it is that while most major original equipment manufacturers (OEMs) have not made Secure Boot mandatory on PCs, they also haven't made it at all easy to figure out how to turn it off.

There is no universal way to switch Secure Boot off. I can only suggest that before booting your system you open up your firmware's setup. How you'll do that varies according to your PC's motherboard settings. Once in your firmware settings, look for a setting such as "Secure Boot Parameters" or "Boot Mode." After you've found this control, switch it to off or disabled. Or, you may have the option to support legacy or BIOS booting. Any of these choices should let you boot Linux or other operating systems.
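Because the firmware menus differ so much, it helps to confirm from the running Linux system what the change actually did. The following is an added example, not from the original article: it assumes a Linux system exposing EFI variables through efivarfs at `/sys/firmware/efi/efivars`, and the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

# EFI global variable namespace GUID (defined by the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # assumed efivarfs mount point on Linux


def read_efi_byte(name, efivars=EFIVARS):
    """Return the one-byte payload of a global EFI variable, or None.

    An efivarfs file starts with a 4-byte little-endian attribute word;
    the variable's data follows it.
    """
    path = os.path.join(efivars, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    if len(raw) < 5:  # missing payload: treat the variable as unreadable
        return None
    return raw[4]


def boot_state(efivars=EFIVARS):
    """Classify how this machine booted, as seen from the running kernel."""
    if not os.path.isdir(efivars):
        return "legacy BIOS/CSM boot (no EFI variables exposed)"
    secure = read_efi_byte("SecureBoot", efivars)
    setup = read_efi_byte("SetupMode", efivars)
    if secure is None:
        return "UEFI boot, SecureBoot variable not readable"
    if secure == 1:
        return "UEFI boot, Secure Boot enforced"
    if setup == 1:
        return "UEFI boot, Secure Boot off (setup mode, no platform key)"
    return "UEFI boot, Secure Boot disabled in firmware settings"


def make_sample(secure, setup):
    """Build a constructed efivars directory for offline demonstration."""
    d = tempfile.mkdtemp()
    attrs = (0x06).to_bytes(4, "little")  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(d, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(attrs + bytes([val]))
    return d


if __name__ == "__main__":
    print("this machine:", boot_state())
    print("constructed sample:", boot_state(make_sample(secure=0, setup=0)))
```

A "legacy" result after choosing the firmware's BIOS-compatibility option means Secure Boot is not in the boot path at all, which is a different state from UEFI boot with Secure Boot switched off.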

Let's say you want Secure Boot and Linux, what then? Well, as I've reported, the Linux Foundation, Fedora, and Ubuntu are all working on the problem... but as UEFI Secure Boot Linux expert Matthew Garrett recently reported, we're still a long way from a universal Linux installation fix for Windows 8 PCs.

Garrett reported:

Ubuntu 12.10

The 64-bit version of Ubuntu 12.10 ships with an older version of Shim that's been signed by Microsoft. It should boot out of the box on most systems, but it doesn't have some of the most recent EFI patches that improve compatibility on some machines. Grab it [Ubuntu] here.

Fedora 18

Fedora 18 isn't quite released yet, but the latest 64-bit test builds include a Microsoft signed copy of the current version of Shim, including the MOK functionality described here. Fedora 18 has some additional EFI support patches that have just been merged into mainline, which should improve compatibility on some machines - especially ones with Radeon graphics. It also has improved support for booting on Macs. You can get it [Fedora] here, but do bear in mind that it's a test release.


Sabayon

According to the [Sabayon] wiki, Sabayon now supports UEFI Secure Boot out of the box. I don't know if the current CD images do, though. My understanding is that it's based on the Microsoft signed Shim I discussed here, and you'll have to manually install the key once you've booted the install media. Straightforward enough.

Other distributions

Suse will be using a version of Shim signed by Microsoft, but I don't think it's in any pre-release versions yet. Debian have just merged UEFI support into their installer, but don't have any UEFI Secure Boot support at the moment. I'm not sure what other distributions are planning on doing, but let me know and I'll update the list.

The Linux Foundation loader

The Linux Foundation have still to obtain a signed copy of their bootloader. There's no especially compelling reason to use it - the use case it supports is where you have users who can follow instructions sufficiently to press "y" but not to choose to enroll a key. The most interesting feature it has is the ability to use the MOK database via the usual UEFI LoadImage and StartImage calls, which means bootloaders like gummiboot work. Unfortunately it implements this by hooking into low-level functionality that's not actually required to be present, so relying on this may be somewhat dubious.

As for Windows ARM devices, Microsoft has always said that anything running Windows RT must have Secure Boot activated, so you don't have the option of turning it off. But you could still run Linux on it anyway, right? Wrong.

Garrett recently explained, "The Microsoft Surface is a fairly attractive bit of tablet hardware, and as a result people have shown interest in running Linux on it. The immediate problem is that (like many ARM devices) it has a locked-down firmware that will only run signed binaries - unlike many other ARM devices, this is implemented using an existing standard (UEFI Secure Boot). Microsoft provide a signing service for UEFI binaries, so it's tempting to think that getting around this restriction would be as simple as taking an existing Linux bootloader, signing it and then booting. Unfortunately Microsoft's signing service signs binaries using a different key (the 'Microsoft Windows UEFI Driver Publisher' key) to the one used to sign Windows, and the Surface doesn't carry that key. Booting Linux on these devices would involve finding a flaw in the firmware and using that to run arbitrary code."

In other words, you'd have to crack Secure Boot itself. While I have no doubt that Secure Boot will be broken in time—there's no such thing as perfect computer security—I also have no doubt that Microsoft will immediately patch any such holes. In short, Surface is a locked-down system, and it's likely to stay that way.

What about the Surface with Windows 8 Pro? This tablet, which is due out in January, uses an Intel architecture so, in theory, Microsoft could let you turn Secure Boot off on these devices. In practice, I wouldn't bet a plugged nickel on being able to disable its Secure Boot.

So, where are we? First, forget about running Linux on any Surface device. Someone will eventually hack a way into these tablets, but it will always be a non-starter.

As for Windows 8 PCs, the easiest way to run Linux is to disable Secure Boot. Better still, just buy a PC with Linux already on it or, at least, buy a PC without Windows 8. If you do decide to try to run Linux with Secure Boot on a Windows 8 PC... well, good luck to you. It's still not easy, and I'm certain it's going to be troublesome throughout 2013.

  • Where's the article about installing Linux on an iPad?

    There isn't any. Why? You can't. In fact, you have to jailbreak the thing to install unauthorized iOS software and that is a crapshoot based on which version of iOS and which iPad you have. But where's the outrage. But not installing Linux on the Surface gets a ZDNet article.

    Don't know what is more annoying - the barrage of fiscal cliff talk now that the gifts have been unwrapped or the constant drone by the penguin patrol of "Mean Old Microsoft won't let me do . Get over it. This has gone on for a decade now and ironically, Linux is winning because the main players (take for example Google) are simply going their own way and moving on. Besides, isn't the desktop supposed to be so passe'??? Now when you can get out and market and SELL a Linux box you CAN'T install Windows on - then we'll have something to talk about.
    • iPad? You have good Android hardware out there which is better.

      But PC that is good and was NOT designed for WINDOWS? Well not in "notebook/desktop" segment.

      So you are more likely to want Win8 PC for Linux than iPad. And future forecasts are good for tablets. On PC Wintel will dictate for a bit longer.
    • Didn't see any outrage on this article

      Merely a straightforward description of the situation. There may even be a case for not allowing end users to change operating systems on the equipment they purchased; it's just that I haven't seen one.

      And I am annoyed that Apple locks down its hardware so tight; I consider it to be a good reason not to buy Apple hardware. I do own an iPod Touch, but it was a gift.
      John L. Ries
      • The benefits of malware free computing

        Techies like you and others that frequent this forum may hate Apple's walled garden, but ordinary users, the vast majority, apparently love the security and freedom from malware this rewards them with. They are selling so many of the new iPhones they can't make them fast enough. Even their Mac computers are selling like hot cakes, because they too are now part of the walled garden, and therefore protected from all the criminal software.
        • That makes it easy

          Clearly, I dislike Apple's and MS' walled garden approach because I'm a snob who looks down on just plain folks and refuses to get with the program.

          Good to know.
          John L. Ries
    • So buy a Nexus 7 and a System 76

      Microsoft has likely done Linux a huge favor here.

      Prior to Restricted Boot, you could actually get a Windows PC cheaper than an equivalent Linux PC because of all of the paid crapware installed with Windows. Wiping the drive and installing Linux was so trivial that it constrained pre-loaded Linux to a relatively small market niche.

      Now that the slumbering giant is trying to lock its barn doors, companies such as System 76 have a much stronger market case - they make running Linux much easier than after-market installs. That's worth money.

      Meanwhile, in the more vibrant mobile segment, Google's Nexus line is specifically designed to be hacker friendly, so loading a Linux image is still quite straightforward. Even so, I hope Ubuntu's January 2 announcement will bring Ubuntu for Android devices to market soon. My aging phablet really needs a high-quality replacement that can support general purpose computing.
      • Windows is nothing but stand-alone...

        ...computer OS. I have bought my latest pc's without any OS. I want to make my own decision what's the OS inside that PC.
      • to ricegf

        Or, ZaReason, from whom I will get my next laptop after deciding which flavor of Linux I want as a dual-boot with Win7 or XP. I will ship them the Win OS, and maybe also the Linux flavor, and they will build the computer to my specs. System 76 won't build using anything but Ubuntu, which I'm not sure I like. (Not bashing Ubuntu, just that its drivers etc. aren't suitable for my needs.)

        Linux is the future now. No doubt in my mind. I'm not altogether happy about that, but hopefully Linux will COMMERCIALIZE so that business users like me can have a contractual relationship and support. I'm not interested in hacking code. I got a job already. But I need an OS which doesn't obfuscate computing. MS is guilty of that, and this UEFI thingy was el colmo for me.
        • Yet you (inadvertently?) brought up an interesting point

          OEM's sell Windows based machines because they know the vast majority want that, so they go from a financial point working around that. It's not that they hate Linux, or are being forced by MS to sell Windows PC's.

          But you point out that "System 76 won't build using anything but Ubuntu" which is done specifically for financial reasons - they don't see it as profitable to try and build/stock/support around 6 or 7 different Linux distros, so they settle on the Linux variant that is the most popular, the one that people are most likely to buy - Ubuntu.
          They are not forced to go Ubuntu, just putting together that what most people want.

          IMHO, I think Windows is the better OS, but at the same time if OEM's think that UEFI based Windows machine will sell much better, then they'll go that route. If they think that having the ability to turn it off so that some people can put Linux on it, they'll do that.

          Either way, they'll do what the market dictates, and not what the minority prefer.
          William Farrel
          • So wrong......

            The OEM's will dance to Microsoft's tune because they will not risk losing access to Windows in these tough economic times. Microsoft requires the secure boot to get Win8 certified, just as it is required for the Surface. OEM's can not afford two separate production runs of models with secure boot or not, so Microsoft will force the OEM to eventually the no secure boot option by making it financially impossible.

            Time for more anti-trust actions if that occurs.
            linux for me
          • Actually, MS does not require it for Win 8

            I'd appreciate a bit of proof on the claim that MS requires it to sell Windows 8. In fact, in previous SJVN articles, discussion showed MS specifically mandates that the ability to turn off UEFI exist on all systems where Win 8 is installed.

            If your comment is average for Linux supporters, no wonder the desktop is still under 2%
          • Ability to turn off, yes

            But it has to be turned on when selling it to be Windows 8 certified.

            By the way, anybody ever been hit by one of those root kits or whatever this secure boot is supposed to protect us from?
          • Yes Lepoete73...

            If you have to ask if anyone has "ever been hit by one of those root kits or whatever" then you should probably not be participating in the conversation. Do a little research and see what people and corporations have done with root kits, you could start with Wikipedia, they have a nice explanation there.

            And then maybe Google up Sony BMG Root Kit and see what happens when a major corporation decides that your system security comes in second to their ability to manage their content on your computer.
            toe cutter
          • Except that Sony would probably also have a valid MS certificate.

            "And then maybe Google up Sony BMG Root Kit and see what happens when a major corporation decides that your system security comes in second to their ability to manage their content on your computer."

            I don't see how Secure Boot could prevent a repeat of the Sony BMG root-kit, because Sony would be able to sign its malware with a valid MS certificate.
          • Couple of years ago

            if you played a SONY CD on your computer it tried to install a rootkit.
          • And it would still succeed today.

            Because Sony would be able to buy a valid key from MS to sign the root-kit with.
          • rootkits?

            By the way, anybody ever been hit by one of those root kits or whatever this secure boot is supposed to protect us from?

            Nope. 12 years of heavy computer usage, 10 of them using Linux. I've never seen a rootkit and there have been times when I've installed software downloaded from exceedingly questionable sources.

            This whole "we're just protecting you from the nasty criminals" is a pile of doodoo. If they were that serious about protecting their customers they would swap to a Unix code base or at least ape the Unix security model.

            Microsoft are dangerous liars. They care nothing for anyone or anything other than maintaining their monopoly.
        • You can always get support from Red Hat

          That is their entire business.
          • As well as SUSE Enterprise Linux

            Similar business model, as Linux is free, they sell support and Red Hat is making tons of money with this business model.

            Support pays more than the software itself. Very expensive software like Oracle includes support.
        • RE: to ricegf

          Actually, Google has done the most commercializing. I've seen Chromebook and Nexus 7 ads quite often as of late, and I love it.
          Richard Estes