2013: Installing Linux on Windows 8 PC is still a pain

In security's name, Microsoft has made it difficult to install Linux, or any other operating system, including older versions of Windows, on Windows 8 PCS. In addition, Microsoft has made it all but impossible to install Linux on Windows RT devices such as the Surface RT.

Microsoft has done this by adding a feature to UEFI (Unified Extensible Firmware Interface), the next generation of BIOS, called secure boot. Its avowed purpose is to prevent rootkits, malicious programs that run before the operating system boots, from running.

So far, so good as even the Free Software Foundation (FSF), an organization with no love for Microsoft recently admitted.

When done correctly, "Secure Boot" is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting. In practice, this means that computers implementing it won't boot unauthorized operating systems -- including initially authorized systems that have been modified without being re-approved.

This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows. In this case, we are better off calling the technology Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all.

Therefore, the FSF is urging "all computer makers implementing UEFI's so-called 'Secure Boot' to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems."

That's all well and good, but what in practice is the actual state of getting Linux to run on Windows 8 PCs?

First, by far the easiest way to get Linux running on a Windows 8 PC is to disable Secure Boot. That has two problems. First, it leaves you open to rootkits, which are a real security threat.

The other difficulty with it is that while most major original equipment manufacturers (OEM)s have not made Secure Boot mandatory on PCs, they also haven't made it at all easy to figure out how to turn it off.

There is no universal way to switch Secure Boot off. I can only suggest that before booting your system you open up your firmware's setup. How you'll do that varies according to your PC's motherboard settings. Once in your firmware settings, look for a settings such as "Secure Boot Parameters" or "Boot Mode." After you've found this control, switch it to off or disabled. Or, you may have the option to support legacy or BIOS booting. Any of these choices should let you boot Linux or other operating systems.

Let's say you want Secure Boot and Linux, what then? Well, as I've reported, the Linux Foundation, Fedora, and Ubuntu are all working on the problem... but as UEFI Secure Boot Linux expert Matthew Garrett recently reported, we're still a long way from a universal Linux installation fix for Windows 8 PCs.

Garrett reported:

Ubuntu 12.10

The 64-bit version of Ubuntu 12.10 ships with an older version of Shim that's been signed by Microsoft. It should boot out of the box on most systems, but it doesn't have some of the most recent EFI patches that improve compatibility on some machines. Grab it [Ubuntu] here.

Fedora 18

Fedora 18 isn't quite released yet, but the latest 64-bit test builds include a Microsoft signed copy of the current version of Shim, including the MOK functionality described here. Fedora 18 has some additional EFI support patches that have just been merged into mainline, which should improve compatibility on some machines - especially ones with Radeon graphics. It also has improved support for booting on Macs. You can get it [Fedora]  here, but do bear in mind that it's a test release.

Sabayon

According to the [Sabayon] wiki, Sabayon now supports UEFI Secure Boot out of the box. I don't know if the current CD images do, though. My understanding is that it's based on the Microsoft signed Shim I discussed here, and you'll have to manually install the key once you've booted the install media. Straightforward enough.

Other distributions

Suse will be using a version of Shim signed by Microsoft, but I don't think it's in any pre-release versions yet. Debian have just merged UEFI support into their installer, but don't have any UEFI Secure Boot support at the moment. I'm not sure what other distributions are planning on doing, but let me know and I'll update the list.

The Linux Foundation loader

The Linux Foundation have still to obtain a signed copy of their bootloader. There's no especially compelling reason to use it - the use case it supports is where you have users who can follow instructions sufficiently to press "y" but not to choose to enroll a key. The most interesting feature it has is the ability to use the MOK database via the usual UEFI LoadImage and StartImage calls, which means bootloaders like gummiboot work. Unfortunately it implements this by hooking into low-level functionality that's not actually required to be present, so relying on this may be somewhat dubious.

As for Window ARM devices, Microsoft has always said that anything running Windows RT must have Secure Boot activated so you don't have the option of turning it off. But, you could still run Linux on it anyway right? Wrong.

Garrett recently explained, "The Microsoft Surface is a fairly attractive bit of tablet hardware, and as a result people have shown interest in running Linux on it. The immediate problem is that (like many ARM devices) it has a locked-down firmware that will only run signed binaries - unlike many other ARM devices, this is implemented using an existing standard (UEFI Secure Boot). Microsoft provide a signing service for UEFI binaries, so it's tempting to think that getting around this restriction would be as simple as taking an existing Linux bootloader, signing it and then booting. Unfortunately Microsoft's signing service signs binaries using a different key (the 'Microsoft Windows UEFI Driver Publisher' key) to the one used to sign Windows, and the Surface doesn't carry that key. Booting Linux on these devices would involve finding a flaw in the firmware and using that to run arbitrary code."

In other words, you'd have to crack Secure Boot itself. While I have no doubt that Secure Boot will be broken in time—there's no such thing as perfect computer security—I also have no doubt that Microsoft will immediately patch any such holes. In short, Surface is a locked-down system, and it's likely to stay that way.

What about the Surface with Windows 8 Pro? This tablet, which is due out in January uses an Intel architecture so, in theory, Microsoft could let you turn Secure Boot off on these devices. In practice, I wouldn't bet a plugged nickel on being able to disable its Secure Boot.

So, where are we? First, forget about running Linux on any Surface device. Someone will eventually hack a way into these tablets, but it will always be a non-starter.

As for Windows 8 PCs, the easiest way to run Linux is to disable Secure Boot. Better still, just buy a PC with Linux already on it or, at least buy a PC without Windows 8. If you do decide to try to run Linux with Secure Boot on a Windows 8 PC... well good-luck to you. It's still not easy, and I'm certain it's going to be troublesome throughout 2013. 

Related Stories:

• Shimming your way to Linux on Windows 8 PCs
• Linux Foundation UEFI Secure Boot key for Windows 8 PCs delays explained
• Ubuntu Linux adopts new UEFI boot problem approach
• Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem
• Another way around Linux's Windows SecureBoot problem