Getting Linux to boot and install on PCs locked down with Windows 8's UEFI (Unified Extensible Firmware Interface) Secure Boot is still a major headache. However, Matthew Garrett, a well-known Linux developer who's been working on fixing the Secure Boot problem, has just released a working UEFI boot solution for Linux distributors. This should enable many more versions of Linux to run on Secure Boot-imprisoned PCs.
Garrett, formerly a Red Hat programmer and now a security developer at Nebula, an OpenStack private-cloud company, announced on November 30th that he was "pleased to say that a usable version of shim is now available for download. … This is intended for distributions that want to support secure boot but don't want to deal with Microsoft."
This approach is not the same as the one that Garrett devised for use with Fedora Linux. That approach uses a Fedora-specific key that's based on a Microsoft/Verisign-supplied Secure Boot key.
While that meant dealing with Microsoft, it was as Garrett had written earlier, "Easy enough for us [Red Hat] to do, but not necessarily practical for smaller distributions." It's also, as The for Linux distributions, really not that easy at all.
What Garrett has done with his shim approach is to create a signed boot-loader that can add keys to its own database. This is built on SUSE's bootloader design. In the SUSE design, the boot-loader has its own key database, besides the UEFI specification's key database. The SUSE boot-loader then executes any second-stage boot-loaders signed with a key in that database. Since the boot-loader is in charge of its own key enrollment, the boot-loader is free to impose its own policy, including enrolling new keys off a Linux distribution's installation file-system.
Garrett has added the a user-interface to the SUSE second-stage boot-loader. With this, instead of stopping when a here-to-fore untrusted key appears, the user can navigate the available file-systems, choose a key and indicate that they want to add it to the key database. From that time on, the boot-loader will trust binaries signed with that key.
What this means is that Linux, or other operating systems, can "take an existing signed copy of shim and put it on their install media, along with a file containing their key. If a user attempts to boot then the boot will fail because the second stage boot-loader isn't signed with a trusted key, but the user can then use the navigator and select the distribution's key file. After providing confirmation and rebooting, the second stage boot-loader's signature will now be recognized and the installer will boot."
So, for example, with this shim program in place, a user can choose to trust your distro's key and proceed to boot and install it on their Windows 8 PC. Additional security can also be added to this approach to beat back automated attacks.
The shim method is meant for developers to make it easy for end-users to boot and install Linux. It's not meant for Joe or Jane user at home. That said, it should lead to many more distributions being easier to use on Windows 8 PCs.
It does have one disadvantage though for some Linux distributors. Since the shim is a pre-compiled binary, distributions such as Debian, which insist on having full source code availability, may choose not to use it.
Last, but not least, as I've long predicted, implementations of UEFI are making it difficult to boot systems into Linux even when everything else is set correctly. For example, Garrett himself recently ran into a case with a Windows 8 Lenovo Thinkcentre M92p, which installed Fedora, but then wouldn't boot it. In this case, it turned out that UEFI system was checking the descriptive string for each operating system and refusing to run any that didn't call itself either "Windows Boot Manager" or "Red Hat Enterprise Linux."
So, while Garrett's shim will soon be bring many more varieties of Linux to many more Windows 8 PCs, UEFI Secure Boot will remain a significant worry for anyone wanting to run Linux or other alternative operating systems on Windows 8 PCs.