Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem

Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem

Summary: Windows 8 PCs and tablets will lock out all other operating systems by default, and trying to find a way around it isn't easy as both Fedora and Ubuntu developers have discovered. Mark Shuttleworth, Ubuntu's founder, shares his thoughts on what Linux should do next about Windows 8's UEFI lock-in.


With Windows 8 UEFI secure boot there will be no easy way to boot Linux and Linux distributions are having a hard time coming up with a unified response.

Linux distributions are having a hard time coming up with a unified response to Windows 8 PC's boot-up lockout.

If you buy a Windows 8 or Windows RT computer or tablet, yes even Surface, it will come with secure boot enabled by default in their replacement for the BIOS, Unified Extensible Firmware Interface (UEFI). I doubt that will actually make them more secure, but it's always crystal clear that it will make it much harder to boot Linux or any other operating system, such as Windows XP or 7, on them. Fedora came up with a way to get around this problem and Ubuntu Linux has come up with its own solution to the Windows 8 lock box as well (PDF Link). Fedora's developers, however, don't like Ubuntu's answer.

In a blog posting Matthew Garrett, a developer for Red Hat, Fedora's parent company, wrote Ubuntu's UEFI requirements are “basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one.”

Garrett continued, “The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables secure boot or imports their own key database. That is, a certified Ubuntu system may be more locked down than a certified Windows 8 system.”

Garrett admits, “Practically speaking this probably isn't an issue for desktops, because you'll need to carry the Microsoft key in order to validate drivers on any PCI cards. But laptops are unlikely to run external option ROMs, so mobile hardware would be viable with only the Ubuntu key.”

He sees two possible solutions to this, but neither are ideal:

1. Canonical could offer a signing service. Expensive and awkward, but obviously achievable. However, this isn't a great solution. The Authenticode format used for secure boot signing only permits a single signature. Anything signed with the Ubuntu key cannot also be signed with any other key. So if, say, Fedora wanted to install on these systems without disabling secure boot first, you'd need to have two sets of install media - one signed with the Ubuntu key for Ubuntu hardware, one signed with the Microsoft key for Windows hardware.

2. Require that ODMs (original design manufacturer) include the Microsoft key as well as the Ubuntu key. This maintains compatibility with other operating systems.

“This kind of problem is why we didn't argue for a Fedora-specific signing key,” concluded Garrett. “While it would have avoided a dependence on Microsoft, it would have created an entirely different kind of vendor lock-in.”

All well and good but what does Canonical, Ubuntu's think about this. I asked Canonical and Ubuntu Linux founder Mark Shuttleworth for his thoughts on the matter.

First, Shuttleworth isn't happy with Ubuntu or Fedora's current answers to Microsoft's attempt to lock-in users to Windows 8. Shuttleworth said, “We've been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware. We originally flagged the UEFI/Secure Boot transition as a major problem for free software, we lead the efforts to shape the specification in a more industry-friendly way, and we're pressing OEM partners for options that will be more broadly acceptable than Red Hat's approach.”

Indeed, the Red Hat/Fedora answer, which uses Microsoft's own secure boot key signing service, annoys many Linux users. But as Linus Torvalds, who has no low for how Microsoft is using UEFI to block Linux, recently told me, “Signing is a tool in the tool-box, but it’s not solving all the security problems, and while I think some people are a bit too concerned about it, it’s true that it can be mis-used.”

Shuttleworth wishes he has a better answer, but at this point he doesn't. He continued, “Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result.”

That better solution, Canonical commercial engineering director Victor Tuson Palau suggested last year, would include: “systems manufacturers including a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux at the same time in your PC with Secure Boot “ON”. This should also include you being able to try new software from a USB stick or DVD.”

Palau added, “With the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that PCs include a User Interface to easily enable or disable Secure Boot.”

I think anyone who's serious about Linux desktop agreement would agree on these points. Linux developers would be better off co-ordinating their efforts to get ODMs and OEMs to work together on an open UEFI Secure Boot solution, such as the Linux Foundation proposed last year, than in bickering with each other. In the end, if we squabble among ourselves over the best ways to address Microsoft's attempt to lock Linux out of the desktop instead of working on a unified response to UEFI Secure Boot the only real winner will be Microsoft.

Related Stories:

Linus Torvalds on Windows 8, UEFI, and Fedora

Microsoft to lock out other operating systems from Windows 8 ARM PCs & devices

Why is Microsoft locking out all other OSes from Windows 8 ARM PCs & devices?

Linux Foundation proposes to use UEFI to make PCs secure and free

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs

Topics: Microsoft, Hardware, Linux, Open Source, Operating Systems, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Let's hear Victor Tuson Palau!

    Because we need "open" security and not M$ jails!
    • I agree!

      "security through obscurity" never worked for M$!
      The DoJ must force the monopolist to publish the signing keys, so all OSes should be protected against malware.
      The Linux Geek
      • @Linux Geek

        That suggestion makes no sense at all. If Microsoft's private key is published, UEFI Secure Boot becomes utterly pointless -- more work for everybody, and no protection for anybody.

        SJVN's suggestion is much more sensible -- what we need is an industry-wide, sensible, OS-agnostic Secure Boot implementation specification.

        Even Windows-users should have no problem with that: as far as Windows-fans are concerned, Windows can easily out-compete Linux on merit -- and after all, we are supposed to be doing this whole Secure Boot thing to increase the users' security.
      • Re; If Microsoft's private key is published

        How long do you think it will stay unpublished ?

        If we are lucky it will be FULLY published to the general public, [b] before [/b] the criminals get sole access.
        The criminals WILL get it.
  • Stillll.... Much ado about nothing

    Let's read about UEFI and Windows 8 directly from Microsoft

    Sorry, given a choice between compromising security or having a more secure Windows 8 environment, I will listen to Sinofsky, not Shuttleworth.
    Your Non Advocate
    • You really don't get it

      "Security" is a thin disguise for lock-in, and provides next to nothing in the way of actual security. Why not allow the purchaser to choose the UEFI setting? Because M$lop requires OEMs do it they way that serves their lock-in interests.
      • You really don't get it

        "lock-in" through UEFI is really just uneducated FUD. You do not want Windows 8 or UEFI enabled? shut it off. This is another tinfoil hat conspiracy FUD.
        Your Non Advocate
      • I'm unsure

        Unsure if you're a complete muppet or deliberately blind to the issue.

        Which is:
        OEM's will make W8 compliant PC's and these will have to have UEFI locked. No one's saying (as in OEM declaration) if there is any way to shut such a gimmick off. However, the way Redhat and Ubuntu are fluffing around trying with said problem implies that there isn't going to be a way of turning UEFI locking off.

        About now it would probably be a sweet thing if a blogger with connections could find out the actual facts, so folk like you will have less opportunity of being like you are, and the rest of the world can know something useful if not helpful.
      • OEMs don't have to say

        Microsoft has said that it's something that can be turned off. Read their blog, they spell it out for you. Allow me to quote them:

        "At the end of the day, the customer is in control of their PC. Microsoft???s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."
        Michael Alan Goff
        • Turned off, they don't say that

          They try to imply that but what comes through loud and clear is enthusiasts can buy hardware (aftermarket motherboards) without EUFI secureboot enabled.
          x-windows user
      • It make MS-execs feel more secure

        And allows them to devote their best efforts to serving stockholders, rather than coddling ingrate users.

        Now doesn't that make you feel better?
        John L. Ries
      • 1 minute

        Don't buy a windows 8 logo pc or turn off UEFI and run with less security than others, either decision will take about 1 minute
    • a choice between compromising security or having a more secure Windows 8

      You have already chosen to compromise security by choosing to use windows.
    • Comic...

      Yes.... you shall listen to the people who have been instrumental in killing the only thing/concept I liked from Microsoft, i.e., Courier tablet. And it is right said elsewhere in the posts that you don't get it.... as if locking completely would somehow enhance the security. Doh....
    • @facebook

      Who says that Secure Boot should belong to Microsoft, and that nobody else should be allowed to use it? Where's the sense in that? Where's the user choice in that?

      There's no reason for Microsoft to decide who's allowed to "lock" their own computer's boot-chain (let alone based on whether they're a Microsoft customer). The computer is mine, I should have control of the keys.

      It's rather like buying a house, but having to leave control of the locks to the electrician, so that my only options are either to use the builder's key, or else to not lock my own basement door.

      No one would put up with that, It's my house, and I get to decide who has keys. If I want to change or re-key the locks, that's up to me, not the electrician. Similarly it's my computer, and I get to decide who has keys. Not the OS company.

      It's not a question of a choice between "compromising security" (funny way to describe "allowing whatever OS the user prefers access to the Secure Boot mechanism") or having a secure Windows environment.

      This is simply because any sensible Secure Boot implementation will let the user run in Secure Boot mode with any OS that will support it. If an implementation won't allow the user to run in Secure Boot mode with any OS that will support it -- well then... the user's security is clearly NOT the point.
    • Re; Much ado about nothing

      That security becomes the very opposite of secure the moment the criminals get the keys [b] secretly [/b] !
      Then they will have you by "the short and curly".

      They WILL get it.
  • Um, no

    Aerowind wrote:
    [i]Wanting to install a different OS than what came with your system makes you a techy.[/i]

    For many, it's purely curiosity. For others, it's simply thinking outside of the box. The road to techy-dom is long and very few are born techy.
    Rabid Howler Monkey
    • Curiosity in the tech makes one a techy

      Being curious and wanting to experiment with different operating systems makes you a techy. A non-techy most likely doesn't even know you can install different operating systems.
    • Knowledge of tech makes one a techy

      Curiosity is certainly a predecessor to knowledge; however, knowledge comes with both time and experience. And for many Linux users, once they have successfully installed a desktop Linux distro on their PC, they simply use the PC as do most Windows users. End of story. Installing Linux on a PC for these users is a means to an end, not the end itself.

      Just one example, the Windows installer for Ubuntu Desktop. More here:
      Rabid Howler Monkey
  • Wow, way to generalize inaccurately

    Anyone should be able to do what he/she wants with one's own hardware. You should have the freedom to tinker, to study, to learn, and replacing one's OS, while maybe it's not common in your neck of the woods, is a very common task in many circles (university, IT, engineering).

    Try not to generalize the ignorance/inexperience of you and your friends and family (seriously, no offense intended, just the honest truth) to everyone else.