Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem
Summary: Windows 8 PCs and tablets will lock out all other operating systems by default, and trying to find a way around it isn't easy, as both Fedora and Ubuntu developers have discovered. Mark Shuttleworth, Ubuntu's founder, shares his thoughts on what Linux should do next about Windows 8's UEFI lock-in.

Linux distributions are having a hard time coming up with a unified response to Windows 8 PCs' boot-up lockout.
If you buy a Windows 8 or Windows RT computer or tablet, yes, even Surface, it will come with secure boot enabled by default in their replacement for the BIOS, Unified Extensible Firmware Interface (UEFI). I doubt that will actually make them more secure, but it's always crystal clear that it will make it much harder to boot Linux or any other operating system, such as Windows XP or 7, on them. Fedora came up with a way to get around this problem and Ubuntu Linux has come up with its own solution to the Windows 8 lock box as well (PDF Link). Fedora's developers, however, don't like Ubuntu's answer.
In a blog posting Matthew Garrett, a developer for Red Hat, Fedora's parent company, wrote Ubuntu's UEFI requirements are “basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one.”
Garrett continued, “The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables secure boot or imports their own key database. That is, a certified Ubuntu system may be more locked down than a certified Windows 8 system.”
Garrett admits, “Practically speaking this probably isn't an issue for desktops, because you'll need to carry the Microsoft key in order to validate drivers on any PCI cards. But laptops are unlikely to run external option ROMs, so mobile hardware would be viable with only the Ubuntu key.”
He sees two possible solutions to this, but neither is ideal:
1. Canonical could offer a signing service. Expensive and awkward, but obviously achievable. However, this isn't a great solution. The Authenticode format used for secure boot signing only permits a single signature. Anything signed with the Ubuntu key cannot also be signed with any other key. So if, say, Fedora wanted to install on these systems without disabling secure boot first, you'd need to have two sets of install media - one signed with the Ubuntu key for Ubuntu hardware, one signed with the Microsoft key for Windows hardware.
2. Require that ODMs (original design manufacturers) include the Microsoft key as well as the Ubuntu key. This maintains compatibility with other operating systems.
“This kind of problem is why we didn't argue for a Fedora-specific signing key,” concluded Garrett. “While it would have avoided a dependence on Microsoft, it would have created an entirely different kind of vendor lock-in.”
All well and good, but what does Canonical, Ubuntu's parent company, think about this? I asked Canonical and Ubuntu Linux founder Mark Shuttleworth for his thoughts on the matter.
First, Shuttleworth isn't happy with Ubuntu or Fedora's current answers to Microsoft's attempt to lock users in to Windows 8. Shuttleworth said, “We've been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware. We originally flagged the UEFI/Secure Boot transition as a major problem for free software, we led the efforts to shape the specification in a more industry-friendly way, and we're pressing OEM partners for options that will be more broadly acceptable than Red Hat's approach.”
Indeed, the Red Hat/Fedora answer, which uses Microsoft's own secure boot key signing service, annoys many Linux users. But as Linus Torvalds, who has no love for how Microsoft is using UEFI to block Linux, recently told me, “Signing is a tool in the tool-box, but it’s not solving all the security problems, and while I think some people are a bit too concerned about it, it’s true that it can be mis-used.”
Shuttleworth wishes he had a better answer, but at this point he doesn't. He continued, “Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result.”
That better solution, Canonical commercial engineering director Victor Tuson Palau suggested last year, would include: “systems manufacturers including a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux at the same time in your PC with Secure Boot “ON”. This should also include you being able to try new software from a USB stick or DVD.”
Palau added, “With the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that PCs include a User Interface to easily enable or disable Secure Boot.”
I think anyone who's serious about the Linux desktop would agree on these points. Linux developers would be better off co-ordinating their efforts to get ODMs and OEMs to work together on an open UEFI Secure Boot solution, such as the Linux Foundation proposed last year, than in bickering with each other. In the end, if we squabble among ourselves over the best ways to address Microsoft's attempt to lock Linux out of the desktop instead of working on a unified response to UEFI Secure Boot, the only real winner will be Microsoft.
Talkback
Let's hear Victor Tuson Palau!
I agree!
The DoJ must force the monopolist to publish the signing keys, so all OSes should be protected against malware.
@Linux Geek
SJVN's suggestion is much more sensible -- what we need is an industry-wide, sensible, OS-agnostic Secure Boot implementation specification.
Even Windows-users should have no problem with that: as far as Windows-fans are concerned, Windows can easily out-compete Linux on merit -- and after all, we are supposed to be doing this whole Secure Boot thing to increase the users' security.
Re; If Microsoft's private key is published
How long do you think it will stay unpublished ?
If we are lucky it will be FULLY published to the general public, before the criminals get sole access.
The criminals WILL get it.
Stillll.... Much ado about nothing
Sorry, given a choice between compromising security or having a more secure Windows 8 environment, I will listen to Sinofsky, not Shuttleworth.
You really don't get it
I'm unsure
Which is:
OEMs will make W8-compliant PCs and these will have to have UEFI locked. No one's saying (as in OEM declaration) if there is any way to shut such a gimmick off. However, the way Red Hat and Ubuntu are fluffing around trying with said problem implies that there isn't going to be a way of turning UEFI locking off.
About now it would probably be a sweet thing if a blogger with connections could find out the actual facts, so folk like you will have less opportunity of being like you are, and the rest of the world can know something useful if not helpful.
OEMs don't have to say
"At the end of the day, the customer is in control of their PC. Microsoft's philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."
Turned off, they don't say that
It makes MS-execs feel more secure
Now doesn't that make you feel better?
1 minute
a choice between compromising security or having a more secure Windows 8
Comic...
@facebook
There's no reason for Microsoft to decide who's allowed to "lock" their own computer's boot-chain (let alone based on whether they're a Microsoft customer). The computer is mine, I should have control of the keys.
It's rather like buying a house, but having to leave control of the locks to the electrician, so that my only options are either to use the builder's key, or else to not lock my own basement door.
No one would put up with that. It's my house, and I get to decide who has keys. If I want to change or re-key the locks, that's up to me, not the electrician. Similarly it's my computer, and I get to decide who has keys. Not the OS company.
It's not a question of a choice between "compromising security" (funny way to describe "allowing whatever OS the user prefers access to the Secure Boot mechanism") or having a secure Windows environment.
This is simply because any sensible Secure Boot implementation will let the user run in Secure Boot mode with any OS that will support it. If an implementation won't allow the user to run in Secure Boot mode with any OS that will support it -- well then... the user's security is clearly NOT the point.
Re; Much ado about nothing
Then they will have you by "the short and curly".
They WILL get it.
Um, no
"Wanting to install a different OS than what came with your system makes you a techy."
For many, it's purely curiosity. For others, it's simply thinking outside of the box. The road to techy-dom is long and very few are born techy.
Curiosity in the tech makes one a techy
Knowledge of tech makes one a techy
Just one example, the Windows installer for Ubuntu Desktop. More here:
http://www.ubuntu.com/download/desktop/windows-installer
Wow, way to generalize inaccurately
Try not to generalize the ignorance/inexperience of you and your friends and family (seriously, no offense intended, just the honest truth) to everyone else.