Another way around Linux's Windows SecureBoot problem

Here's the problem: A Windows 8 PC must be locked down with the UEFI (Unified Extensible Firmware Interface) set with Microsoft's secure boot on. In turn, that means you won't be able to easily install Linux or any other operating system, such as Windows 7 or XP, on a Windows 8 system. Since the vast majority of desktop Linux installations start with a PC running Windows that's going to be a real headache. So, what can you do about it?

Well, Fedora, Red Hat's community Linux distribution decided to co-operate with Microsoft's key signing service, Verisign. Thus, in the Fedora plan, Fedora will create its own Windows 8 system compatible UEFI secure boot key using Microsoft's own system.

This made a lot of Linux fans unhappy. Matthew Garrett, a Red Hat developer, explained that “it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions.”  Linus Torvalds, Linux's founder and guiding light, take: was  "I'm certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc.”

Canonical, Ubuntu Linux's parent company, came up with its own answer. Canonical's secure boot solution (PDF Link) is to “provide keys and signed boot images for use with secure boot functionality.” In short, Ubuntu will come up with its own independent key that's compatible with the “Windows 8 Hardware Certification Requirements [WIN8HCR]."

Garrett complained that this is essentially Microsoft's same lock-in scheme “except with an Ubuntu key instead of a Microsoft one.” Mark Shuttleworth, Ubuntu's founder, responded, that he didn't think either plan was ideal, but “Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result.”

Wait a moment there. Will the advent of Windows 8 really mean that Microsoft's secure boot lock-in will be on every PC? Cathy Malmrose, CEO of the Linux PC vendor ZaReason doesn't think it should.

Malmrose told me “With UEFI's Secure Boot around the corner, we are hoping to raise awareness that Linux distributors don't need to sign with Microsoft [or use their secure boot. Computers that are rooted with open bootloader are available. That's what we ship.”

She knows, “UEFI's Secure Boot is implemented at OEM (originial equipment manufacturer)  level, all new PCs purchased (with the intent of loading your favorite distro) will have Secure Boot." This cripples them as far as Malmrose is concerned.

“Yes, you can disable it. But 'disabling' something that's 'secure' makes you bad.” Besides as Malmose told me, “the keystroke(s) needed to get Linux to run on machines post-2012 will be simple at first, becoming increasingly complex at a non-shocking rate. It's a monumental shift at OEM level.” Malmrose fears that this will desktop Linux “too difficult to new users, [and this will cause] slow death by suffocation” for Linux.

So what can Linux users do instead?  Malmrose thinks we can avoid a "Greek Tragedy “ by recognizing that Linux needs hardware vendors, like ZaReason, “who can keep things open, [who keep our collective foot in the door at the factories.” Malmrose insists that it isn't about her particular company. “There is 0 profit.* If we ever did have profit, we would donate to support the EFF, FSF, Software Freedom Conservancy, LinuxFests, GNOME Foundation, various conferences, the works. Hopefully someday there will be but most months it's a stretch to make payroll.”

So why take this stance? Cory Doctorow, in describing ZaReason, put it well, “ZaReason's mission isn't just to make free/open hardware: it's to ensure that there is always a free-as-in-free-speech option for your computing needs.”

She's right. We need to support Linux-friendly hardware vendors. There is no law that says computers with UEFI must use Secure Boot. Yes, Microsoft may want it that way, but if we support companies that offer open systems we can still get open hardware to go with our open-source software.

Related Stories:

Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem

Linus Torvalds on Windows 8, UEFI, and Fedora

Microsoft to lock out other operating systems from Windows 8 ARM PCs & devices

Linux Foundation proposes to use UEFI to make PCs secure and free

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs