Linus Torvalds on Windows 8, UEFI, and Fedora

Linus Torvalds on Windows 8, UEFI, and Fedora

Summary: Microsoft has made it so that Windows 8 approved PC can only run Windows 8. Fedora Linux has forged a way around it, but not everyone like their approach. Torvalds gives his thoughts on the issue.

TOPICS: Open Source

With Windows 8 UEFI take on secure boot there will be no easy way to boot Linux.

With Windows 8's UEFI take on secure boot there will be no easy way to boot Linux.

All Windows 8 licensed hardware will be shipping with secure boot enabled by default in their replacement for the BIOS, Unfied Extensible Firmware Interface (UEFI). So far, so good, who doesn't want more security? The fly in the soup is that by default only Windows 8 will run on these systems, so no Linux, no BSD, heck, no Windows XP for that matter. Fedora Linux, Red Hat's community distribution, has found a way: sign up with Microsoft, via Verisign to make their own Windows 8 system compatible UEFI secure boot key. A lot of Linux people hate this compromise. Linus Torvalds, the father of Linux, has another take: "I'm certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc. And if it's only $99 to get a key for Fedora, I don't see what the huge deal is."

Matthew Garrett, a Red Hat developer, explained why Fedora has ended up with its Microsoft-based UEFI solution. "We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs."

Fedora explored other options. "An alternative was producing some sort of overall Linux key. It turns out that this is also difficult, since it would mean finding an entity who was willing to take responsibility for managing signing or key distribution. That means having the ability to keep the root key absolutely secure and perform adequate validation of people asking for signing. That's expensive. Like millions of dollars expensive. It would also take a lot of time to set up, and that's not really time we had. And, finally, nobody was jumping at the opportunity to volunteer. So no generic Linux key."

In addition, the Linux Foundation had proposed a system by "Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware. This consists of:

All platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed. It should also be possible for the owner to return a system to setup mode in the future if needed.

  • The initial bootstrap of an operating system should detect a platform in the setup mode,
  • Install its own key-exchange key (KEK), and install a platform key to enable secure boot.
  • A firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure mode so that dual-boot systems can be set up.
  • A firmware-based mechanism for easy booting of removable media.
  • At some future time, an operating-system- and vendor-neutral certificate authority should be established to issue KEKs for third-party hardware and software vendors.

This all makes sense, but none of it has happened. So Fedora felt, since the next release of the distribution will be coming out at about the same time as Windows 8, that they had to do something.

What Fedora ended up doing was using Microsoft's secure boot key signing services through their sysdev portal for one-off $99 fee. Why? Because, "it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key."

This has flown as well in some Linux circles as a lead balloon. "How could you make a deal with the Devil!" "You've sold out!" And, for hard core developers, "I can't build my own Linux from your source code now without jumping through hoops!"

Setting the anger aside, there's something to all of this, but as Torvalds told me, "Yes, yes, the sky is falling, and I should be running around like a headless chicken in despair over signing keys. But as long as you can disable the key checking in order for kernel developers to be able to do their job, signed binaries really can be a (small) part of good security. I could see myself installing a key of my own in a machine that supports it."

That said, Torvalds doesn't think Microsoft's spin on Windows 8 UEFI secure boot is really going to do for security. "The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that's right, pretty much none of them) or they'll just take advantage of security bugs in signed software to bypass it without a key at all."

Torvalds concluded, "Signing is a tool in the tool-box, but it's not solving all the security problems, and while I think some people are a bit too concerned about it, it's true that it can be mis-used."

And, in the meantime, all the Linux desktop vendors are going to have to address the UEFI issue. By year's end, many, if not most, mass-market PCs are going to be sold with Windows 8 and that in turn will mean there's no easy way to boot them into Linux.

Related Stories:

Microsoft to lock out other operating systems from Windows 8 ARM PCs & devices

Why is Microsoft locking out all other OSes from Windows 8 ARM PCs & devices?

Linux Foundation proposes to use UEFI to make PCs secure and free

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs

Topic: Open Source

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • So Linus does not have a problem with signing is the big takeaway?

    After his recent comments about the file system, Gnome, and now this, when will the pengunistas declare him a heretic?
    Your Non Advocate
    • Unlike some open source proponents ...

      ... (who apparently never grew out of the hippie era), Torvalds is not anti-business. In fact, he has always defended the right of business to use Linux provided they obey the terms of the GPL2 (he refuses to use GPL3).
      • So who is opposed... businesses using Linux? No free software advocates that I'm aware of.
        John L. Ries
    • there is a difference between a pragmatist and a heretic.

      But with your limited vocabulary I can't expect you to know that.
  • UEFI and Fedora

    Fedora Project looking out for there users.

    Kudos to Linus for speak out to what he believes.
  • Why not just chainboot from BCD?

    Why can't we just chainboot GRUB from the Windows BCD like you can do now? Is there something fundamental in UEFI which prevents that?
    • Yes

      The Windows 8 UEFI/BIOS prevents grub from even being accessible. It completely locks you out.
      • Which is why...

        I have never and will never give Microsoft a single cent.
        • I have never and will never give Microsoft a single cent

          You can add me to that list. I am proud to say I have also never
          given even one penny to Mafia$oft aka The devil in Redmond.

          This UEFI bios Lockout /Lockdown is nothing but another Micro$haft crime.

          Let's see what the US Justice Department & European watchdogs say.

          In the meantime here we go again with being forced by MicroKlunk to hack

          It's RIDICULOUS!
      • new grub

        Wouldn't a new version of grub/lilo be UEFI compatible, have it's own key, and then be able to boot which ever version of linux was installed. I must of missed something. It just wasn't explained clearly enough for me evidently.

        It's the boot loaders job to boot the O/S. It's the BIOS's job to boot the boot loader.

        Assume for arguments sake you have a UEFI machine with Win8 installed.
        you reboot, tell the BIOS your going to install another O/S, put the media in the PC and boot from it.
        It installs and now the BIOS knows about two O/S's. Is this right? Am i on the right track (or trail for our US counterparts) ?

        So, if this is the case, then a linux distro doesn't need a key, the boot loader does. I only know of two, LILO and GRUB. Are there more ? If so, it will still be less than the number of Linux Distro's. And LILO and GRUB CAN ALL share the one key, so the burdon on OEM's is lessened, they can carry just two preinstalled keys.

        possibly missing the point, in which case, another beer is in order.
      • @ZingerWot

        Not in Secure Boot mode.

        In Secure Boot mode, the UEFI/BIOS will only boot a boot-loader that is signed by a trusted key, that is with a key that is compatible with the one in the firmware -- otherwise the boot-process will freeze right there. Not even if it's an unsigned Windows bootloader, let alone LILO or GRUB or GRUB 2. The boot-loader in turn verifies that the kernel and any modules are signed by a trusted key (that's the whole point).

        And that's not in itself a problem. The problem comes in when OEMs (for -ahem- [i]whatever[/i] reason) make or use motherboards that have [i]only[/i] the Microsoft Windows key in firmware -- and no way for the user (a.k.a. "owner") to decide for themselves which/whose keys they will consider trustworthy, and manage them accordingly (ie. add, remove, revoke as seems appropriate)

        Microsoft cleverly didn't "require" OEMs to implement a sensible Secure Boot implementation, so between Laziness, incompetence and covert pressure, OEMs are free to implement half-baked, crippled implementations that have no Secure Boot management. After enough fuss was raised, MS "relented" and now requires that x86 Win 8 systems have [i]some[/i] mechanism for users/owners to disable Secure Boot. So Linux users can still boot with Lilo or Grub -- but only in non Secure Boot mode.

        As for having a "Linux key" Fedora/Red Hat looked into to that -- it would be hugely expensive to do properly ($millions) and require a bureaucracy to administer (revoke bad keys, etc), and still not eliminate the need for Linux users to check compatibility lists before buying systems or motherboards.

        You really should check Mathew Garrett's blog, starting with the post which SJVN linked in the article.
      • @Zinger

        You are missing the point. A system shipped with Win8 & secure boot enabled will boot Win8. If you put in a bootable CD with an unsigned boot loader, it will not boot the CD. If you tell the UEFI that you are going to install another OS, it will expect a KEK BEFORE you can install the alternate OS (no key = no install). And if the alternate OS is not signed, again it will not be allowed to install.
      • Signing Grub/LILO

        I think that ZingerWot is just asking "why can't the Linux community (Fedora, Ubuntu, BSD, Mint, etc.) all just use a signed boot loader?" It looks like Fedora is doing precisely that for itself. ZingerWot's question/proposal is to get either a $99 Microsoft signature, or their own for the generic boot loader (Fedora solution, but signed by perhaps the Linux Foundation).

        Once the bool loader is signed, it will/can boot any OS you may want (again, Fedora is proposing: "Mini Boot Loader" -> "Real Boot Loader" -> "OS"). However, I lack sufficient details of UEFI to know how feasible or desirable this would be.

        So far, I only see UEFI as having perhaps fewer red flags than the generalized BIOS TMP, but not much more to add to the game in terms of security. In terms of DRM and controlling what you can put on your shiny new computer, well, then MS has just made it potentially MUCH harder to pirate Windows on UEFI hardware. I see this as DRM, not security.
        Mr. Copro Encephalic to You
      • Won't this method work?

        You don't necessarily need to dual boot Windows and Linux on UEFI. Follow the guide to convert your UEFI to MBR-BIOS without loss of data. Or read about it here:
  • RER: Again, with the FUD

    "x64 Intel/AMD systems will have an off switch for secure boot."???

    Cylon, I seriously doubt that YOU can guarantee that EVERY OEM using x64 Intel/AMD chips will have a bios setting that will allow the user to turn off UEFI so they could boot another OS.

    GHack summed it up nicely:
    "<i>Microsoft employee Tony Mangefeste notes that `OEMs are free to choose how to enable this support', which means that OEM could make the decision to not implement the override in the UEFI configuration. This would then mean that customers would not be able to boot third party operating systems from the OEM machine.

    The only option that consumers have at this point is to find out about this in advance before making a purchase. I for one would never buy a system that prevents me from loading a third party OS.

    Your options to install Windows 8 are:
    *Install Windows 8 on a PC with BIOS.
    *Build your own new PC, or have it build for you.
    *Verify that the OEM PC with Windows 8 is offering an option to disable Secure Boot before purchasing it.</i>"

    It goes deeper than that, Cylon. RedHat's Matthew Garrett wrote:
    "<i>*Windows 8 certification requires that hardware ship with UEFI secure boot enabled.
    *Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we've already been informed by hardware vendors that some hardware will not have this option.
    *Windows 8 certification does not require that the system ship with any keys other than Microsoft's.
    *A system that ships with UEFI secure boot enabled and only includes Microsoft's signing keys will only securely boot Microsoft operating systems.
    The computer manufacturers have already shown, for the most part, that they will not do anything that displeases Microsoft for fear of having their per-copy license fee increased.

    Linux developers are rarely given specifications for proprietary hardware and even Intel merely throws them a barely workable STOCK video driver source file. Every FOSS developer of device drivers would have to buy a UEFI key for their drivers for each OEM. Proprietary device makers would see this as a golden opportunity to reap unearned profits they never before imagined. The opposite for software like OSs, and perhaps browsers. <b>No one should have the power to determine that for you or I.</b>

    Personally, I will never buy a PC that won't allow me to disable the UEFI, no matter how benevolent the Pollyannas feel Microsoft will be.
    • With x64 hardware it's pretty much guaranteed.

      However, With WoA devices, than no, you WILL NOT be able to wipe ARM tablets and install other operating systems (Not that you can anyway even with the option - The OS is tailored to the specific device), but x64 hardware will be no different than it is today. Microsoft very much knows there are users out there that dual boot. I, myself, dual boot. Not to mention, businesses will need the option to shut it off.
      However, to keep the majority of the user base [i]safer[/i], they need to enable it by default.

      See here: ZDNet . com/blog/bott/leading-pc-makers-confirm-no-windows-8-plot-to-lock-out-linux/4185
      The one and only, Cylon Centurion
    • Guarantees for Linux boot possibility exist on Windows aprroved hardware

      "Cylon, I seriously doubt that YOU can guarantee that EVERY OEM using x64 Intel/AMD chips will have a bios setting that will allow the user to turn off UEFI so they could boot another OS."

      That is actually a requirement for Windows 8 approved x86/x64 hardware. Without abiltiy to turn of the secure boot setting Microsoft won't call it Windows 8 approved.
    • @IE9

      I sure hope that secure boot can be disabled. With the backlash that Windows 8 will cause to users a lot will want to "downgrade" their computers and will need to disable secure boot to do so.

      Also, who ever looks on the computer when buying to make sure it has a "Windows certified" sticker on. OEMs will still be able to sell Windows 8 computers without the sticker if they want. People will see that it runs Windows and won't care to see a sticker.
    • A lot to do about changes and UEFI

      How many vendors of desktop computers are there that are of significance. Answer 2. Intel and AMD.
      How many motherboard manufacturers are there, and how many want to essentially manufacture the same motherboard for both vendors.
      How many bios vendors deal with these mother board vendors?

      I bet that the number 6 is probably the maximum number of motherboard/bios vendor pairs that are being developped for Intel /AMD.

      In the netbook / laptop arena, it is the same six.

      In the tablet arena, there will be android tablets which will be available that will not support Windows, even if windows is a vm boot.

      So, defeating UEFI or accepting Fedora's UEFI certificate if you, as I do, use Fedora is fine.
      And RedHat itself may choose to use the same Fedora certificate for its new updates. (thats $45 for each to share a certificate.). We might be able to add Centos, Scientific Linux as two more that may through negotiations, share the common certificate). $99/4 is not a lot of money.

      On the other side of the market, UBUNTU, Debian, Mint, and Debian/Ubuntu based systems could also share the $99.00 fee.

      It would be most fair if Microsoft also had to pay Verisign for a certificate for each of its major products.
    • @lepoete73

      Actually, Windows 8 will run on any capable hardware -- with or without Secure Boot.

      It's not that Windows 8 (x86) requires Secure Boot to boot and run, but rather that some hardware will only offer Secure Boot mode to Windows 8.

      So users who want to run or dual-boot Linux (or other alternatives to Windows 8) with the benefits of Secure Boot protection will be at the mercy of OEMs to implement proper, sensible (ie. not MS-only) key-management in the UEFI BIOS.

      Considering the incompetence/laziness of many OEMs (remember those motherboards that couldn't run Linux, until the devs told Linux to lie and tell the BIOS that it was Windows), and the vulnerability of OEMs to MS blandishments and pressures (remember the 2009 Computek in Taipei, when the Asus CEO publicly [i]apologised[/i] (sharing the stage with a MS veep) for demoing very nice little ARM-based Smartbooks that ran Linux and Android).

      The additional issue for ARM based hardware -- since Microsoft is forbidding Windows 8 ARM devices to disable Secure Boot -- is that those ARM devices will not boot any other OS than Windows 8.

      edit: of course, AFAIK, there's no impediment to OEMs making the "switch" to disable/enable "MS Secure Boot" a hardware jumper on the motherboard, rather than a UEFI/BIOS option, is there?