Another way around Linux's Windows SecureBoot problem

Another way around Linux's Windows SecureBoot problem

Summary: Yes, it's true that you won't be able to easily install Linux, or any other operating system, on Windows 8 PCs, but there is a way around the problem. Open hardware for open-source software.


Here's the problem: A Windows 8 PC must be locked down with the UEFI (Unified Extensible Firmware Interface) set with Microsoft's secure boot on. In turn, that means you won't be able to easily install Linux or any other operating system, such as Windows 7 or XP, on a Windows 8 system. Since the vast majority of desktop Linux installations start with a PC running Windows that's going to be a real headache. So, what can you do about it?

Well, Fedora, Red Hat's community Linux distribution decided to co-operate with Microsoft's key signing service, Verisign. Thus, in the Fedora plan, Fedora will create its own Windows 8 system compatible UEFI secure boot key using Microsoft's own system.

This made a lot of Linux fans unhappy. Matthew Garrett, a Red Hat developer, explained that “it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions.”  Linus Torvalds, Linux's founder and guiding light, take: was  "I'm certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc.”

Canonical, Ubuntu Linux's parent company, came up with its own answer. Canonical's secure boot solution (PDF Link) is to “provide keys and signed boot images for use with secure boot functionality.” In short, Ubuntu will come up with its own independent key that's compatible with the “Windows 8 Hardware Certification Requirements [WIN8HCR]."

Garrett complained that this is essentially Microsoft's same lock-in scheme “except with an Ubuntu key instead of a Microsoft one.” Mark Shuttleworth, Ubuntu's founder, responded, that he didn't think either plan was ideal, but “Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result.”

Wait a moment there. Will the advent of Windows 8 really mean that Microsoft's secure boot lock-in will be on every PC? Cathy Malmrose, CEO of the Linux PC vendor ZaReason doesn't think it should.

Malmrose told me “With UEFI's Secure Boot around the corner, we are hoping to raise awareness that Linux distributors don't need to sign with Microsoft [or use their secure boot. Computers that are rooted with open bootloader are available. That's what we ship.”

She knows, “UEFI's Secure Boot is implemented at OEM (originial equipment manufacturer)  level, all new PCs purchased (with the intent of loading your favorite distro) will have Secure Boot." This cripples them as far as Malmrose is concerned.

“Yes, you can disable it. But 'disabling' something that's 'secure' makes you bad.” Besides as Malmose told me, “the keystroke(s) needed to get Linux to run on machines post-2012 will be simple at first, becoming increasingly complex at a non-shocking rate. It's a monumental shift at OEM level.” Malmrose fears that this will desktop Linux “too difficult to new users, [and this will cause] slow death by suffocation” for Linux.

So what can Linux users do instead?  Malmrose thinks we can avoid a "Greek Tragedy “ by recognizing that Linux needs hardware vendors, like ZaReason, “who can keep things open, [who keep our collective foot in the door at the factories.” Malmrose insists that it isn't about her particular company. “There is 0 profit.* If we ever did have profit, we would donate to support the EFF, FSF, Software Freedom Conservancy, LinuxFests, GNOME Foundation, various conferences, the works. Hopefully someday there will be but most months it's a stretch to make payroll.”

So why take this stance? Cory Doctorow, in describing ZaReason, put it well, “ZaReason's mission isn't just to make free/open hardware: it's to ensure that there is always a free-as-in-free-speech option for your computing needs.”

She's right. We need to support Linux-friendly hardware vendors. There is no law that says computers with UEFI must use Secure Boot. Yes, Microsoft may want it that way, but if we support companies that offer open systems we can still get open hardware to go with our open-source software.

Related Stories:

Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem

Linus Torvalds on Windows 8, UEFI, and Fedora

Microsoft to lock out other operating systems from Windows 8 ARM PCs & devices

Linux Foundation proposes to use UEFI to make PCs secure and free

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs

Topics: Linux, Hardware, Laptops, Microsoft, PCs, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Not many really see it as a problem

    So you can't get Linux on a Surface tablet. How's that a problem?

    The question no one has been able to answer to any real satisfaction is why does computer hardware have to adhere to different standards then every other item in the world?

    It's not like I can bolt any Ford part onto my Chevy, or parts from one flat screen into another....
    William Farrel
    • It's not about Chevy / Ford -- It's about locking the hood of the car

      It's more about having access to the code, being able to own what you have bought. In the car analogy, it would be welding the hood of your car shut, or locking it in a way that only an authorized car garage could open, thus price gouging.

      It's about owning what you bought.
      Cathy Malmrose
      • If you want a Linux box

        go buy one. If you want a Windows box, go buy one. You own what you bought. One does not expect a sports car to haul a tonne of manure.
        • Keep hearing

          I keep hearing this excuse. Yes, you can buy other hardware AS LONG AS THAT OTHER HARDWARE EXISTS. *There* is the crux of the matter; we have to insure options exist. And as far as the supply chain is concerned, we may not **HAVE** that option. It's a combination of MS wanting to lock things in, combined with either conspiratioral or perhaps just cheap/lazy OEMs, and ending up at the cheap/lazy retailers. And everyone along the entire supply chain has been doing their part to make sure free-market alternatives don't get a foothold.
      • No, you got this wrong

        It would be like adding a latch to the hood so that you can only open the hood by pulling on a handle from the inside of the car instead of just being able to walk up to any car on the street and open its hood. Oh yeah, like every car out there today.

        Every major OEM has stated that the consumer will have the ability to turn off secure boot without affecting the Windows 8 Certification.
        • could you do everyone a favor and post

          a link to where you saw that information, thanks
          Over and Out
          • I posted even newer information below

            In response to applet's post. You have to download the hardware certification PDF which states, and I quote:
            18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup"

            Originally, MS left it up to the OEM to decide whether or not they wanted to include the ability to turn off secure boot. All major OEMs at that point stated they would. It is no longer relevant to post that link because MS has now stated that they MUST provide this ability if they want their hardware to be certified for Windows 8. And that is the quote to keep in mind here when SJVN talks about MS forcing all computer makers to do this: IF THEY WANT THEIR HARDWARE TO BE CERTIFIED FOR WINDOWS 8. It is not a requirement of Windows 8 that Secure Boot be available. It is only a requirement to put a little sticker on the box. No Secure Boot? No problem. OEMs can install Windows and sell it. No problem.
          • Soft power

            So of course MS will not grant incentives to OEMs who make Win8 certified products and effectively punish the rest. Riiiiight..... What about this Moon parcel, it is cheap you know....
          • interesting

            At the end of the day we'll see just how easy OEM's make it for the average person to set up his dual boot on there home systems running W-8. I've noticed on New Egg that many of the newer motherboards are being labeled as UEFI compliant. As long as I can get into the bios I'll figure a way around any road blocks put up.
            Over and Out
          • You just gave the reason for secure boot,

            but didn't even realize you did! "The average user" many of these
            elusive "average users" use a multi-boot system? I'm not talking about
            you or myself, but just the ordinary Joe or Jane Public. I doubt that there
            are more than just a handful of people that purchase any computer that
            decide to run multiple operating systems. That's who the target market
            for secure boot is...the some 90 percent or so of desktop/laptop buyers
            that just want a computer to do what ever it they want to do.
          • You doubt that the average public

            would want to install a dual boot system. You do have something of what many would call evidence to this conclusion.

            We also know it is you opinion to the facts you proclaim, there is no legitimate poll to what folks want if they know all the facts of the OS they use or the availability of any other OS.
          • foolish question

            "You doubt that the average public would want to install a dual boot system. You do have something of what many would call evidence to this conclusion"

            Average is the 98% that don't use Linux. That could be Apple or Windows.

            The average person buys a computer, takes it home, plugs it in and uses it. Dual Boot is not average.

            If you think Dual Boot is average, you live in a strange world!
          • Dual boot is the norm with Linux desktop users

            While most desktop Windows users don't use Linux, most Linux users probably also use Windows. There are just too many things you need Windows for. So dual-boot is the norm for Linux. A dedicated hardware vendor selling Linux-only machines is far outside of the norm.
          • Why would dual boot be the norm even with Linux DT users?

            I thought the holy grail of Linux was to be Grandma's computer. Now, if Steven's mother-in-law is the holy grail, surely she isn't a dual boot type!

            As for the normal computer user, Linux is not the norm. The norm is Apple or Windows. Linux is a distant third, far distant on the desktop.

            You do live in a strange world
          • Outside US Linux is the number 2 in desktop...

            ...and even in 2009 Steve Ballmer and the guys of Redmond addmitted that: "Linux is bigger than Mac".


            Just read the article, watch the picture by Microsoft. You'll surely see that M$ estimated that Linux had some 5% and Mac some 4% of pc's...

            I think it's time for you to take your US-specs away to watch this great big world with global eyes. Apple is very small player ouside countries like US, Canada and UK.
          • I consider myself an advanced user

            I code and develop on Linux. I also use my general purpose PC for everything entertainment related. I keep a Win 7 dual boot for the mere fact that I have a few games that are Windows only. Also, Netflix instant-watch is only compatible with Silverlight which only runs on Windows (and OSX). Other than that, I would have zero need whatsoever for Windows. Since I rarely ever game anymore, the *only* thing I use Windows for is the occasional NF movie. So I don't buy this notion that "Linux users need Windows for *many* things."

            If you're a gamer or use NF, you will probably need a Win dual-boot. Other than that, 90% of people who say they "need Windows" are simply lying or are unaware of all the FOSS alternatives out there. There are a few corner cases (like AutoCAD or proprietary business software), but they are the rarity, especially in home environments.
          • Agreed.

            I've done tech support on Windows systems for an extended circle of family and friends, and with one or two exceptions, there are five main things they do with a computer: Facebook (or other social media), YouTube, email, light gaming (such as Farmville), and general surfing.

            As a test, I swapped my daughter's XP install for Mint 14 with MATE. Same wallpaper, icons resized to match XP's, startup sounds from XP startup theme. Only icons on the desktop were Firefox, a shortcut to YouTube, a shortcut to her Yahoo! (AT&T) mail, and VLC Media Player.

            Took a week for her to call and ask what was up with Windows LOL. Apparently she noticed the difference when Update Manager popped up.
            Iman Oldgeek
          • Keep it secure without disabling.

            Why can't the BIOS just have a setting to prompt you when attempting to boot an non-signed system from removable media. That's the real problem for the average user - leaving a CD or thumbdrive connected that boots the next time you start your system. The user would be well served by an option to stop that (possibly with a password to allow it to proceed). Anything else is for the benefit of Microsoft and/or possibly content providers that want PC's to act like locked-down DVD or blueray players (with region codes respected, etc). I'm not even sure that secure boot will even accomplish that, but in any case, it doesn't help the owner of the PC one whit.
            little noodles
          • One thing that will definitely be lost...

            ...the ability to walk into a BestBuy, stick a Linux CD into a machine you're interested in buying, and find out whether it actually works with Linux. Sure, you can disable secure boot when you get the thing home, but if you don't know whether the thing will work, it's gonna be pretty hard to choose a machine to buy.
            little noodles
          • While probably true

            I doubt Best Buy really cares. They sell a machine as is. If you don't like it, go somewhere else.

            Since so many Linux users go to the store and plug in a stick to test Linux on their floor models, this will really cripple Best Buy, right?