Fedora gets its plans together for UEFI Secure Boot


Those of us using GNU/Linux have probably heard about the UEFI Secure Boot scheme and how it demonstrates Microsoft's strong grasp on PC hardware vendors. If you are not quite sure what UEFI Secure Boot is yet, I highly advise reading up on it as new PCs will begin to have this feature enabled by default in the near future to comply with Microsoft's requirements for Windows 8. Yes, a software company is controlling hardware companies. Luckily though, the feature can be disabled so that we will still be able to install GNU/Linux on the same x86 hardware. Matthew Garrett from Red Hat summarizes the UEFI Secure Boot issue on his blog.

So what can we expect? Fortunately, the same old steps, with one additional step when we purchase a new PC: disable the UEFI Secure Boot feature, then install Fedora. Even though it's still early, this has been one option mentioned as information has crept out. The alternative option is that we will be able to leave UEFI Secure Boot enabled, and use a Microsoft/Verisign-provided key to actually use the feature and install Fedora. It seems that Fedora is going to pay the one-time $99 fee to obtain the necessary key from Verisign to take advantage of the UEFI Secure Boot feature for its users. Even though I'm against Fedora/Red Hat having to pay Microsoft anything at all, a one-time $99 fee seems reasonable enough. Fedora's stance is that it's better to pay the one-time $99 fee for its users, to make it easier for them to install Fedora Linux, especially new users. It makes sense to me, and is what it is.

Initially, there was some fear about the UEFI Secure Boot feature locking out operating systems other than Windows, but those fears can be pushed away now. There are still fears that Microsoft will change the UEFI Secure Boot requirements at some point in the future, but for now there's no worry.

To me, the entire UEFI Secure Boot feature may have good intentions, but I think it is just adding more complexity to PC hardware that really doesn't need to be there. In my everyday work, Windows malware still shows up as one of the leading problems in Windows, which is not really addressed by this new feature because malware will still get through. The technology is designed to mesh the operating system more tightly to the hardware, and prevent drivers and other modules from loading unless they are signed with a key that is installed into the PC's firmware. In the world of Windows, I am curious as to how this will work considering there are thousands of third parties writing drivers for the operating system. Drivers that are not signed with a key that is installed in the PC's firmware will not be allowed to load and execute. Personally I think the situation with Windows is messy enough now just having so many third parties all in the mix. Now, we add one more layer of complexity to the picture and I think this will add extra problems and user frustration. I can see this being handled much better in GNU/Linux since all drivers and modules are usually included within the kernel for the GNU/Linux distribution being used. The kernel comes with "batteries included" so that everything should just work right out of the box. But, time will tell as it is still early since no hardware has been released to the market with the UEFI Secure Boot feature on it (at least, not that I have heard of).

I am also NOT a fan of Microsoft trying to tightly tie its software to the hardware at the PC vendor. PC hardware should be kept independent of the software that is loaded on it. OK, so what if the vendor puts a silly Windows sticker on the case? It can be removed along with the Windows license sticker. No big deal. But when we start modifying the PC's built-in firmware as UEFI Secure Boot does, to me this is crossing over the line.

I can tell you for sure that if or when I purchase a new PC in the future with the UEFI Secure Boot feature enabled, I will promptly be disabling that feature at the same time that I'm throwing the Windows installation media in the garbage can. Personally I'd rather just get back to using my PC without having too many potential problems in the way and over-complex features that could be doing more harm than good.


Chris Clay

About Chris Clay

After administering Linux and Windows for over 17 years in multiple environments, my focus of this blog is to document my adventures in both operating systems to compare the two against each other. Past and present experiences have shown me that Linux can replace Windows and succeed in a vast variety of environments. Linux has proven itself many times over in the datacentre and is more than capable for the desktop.


Talkback

10 comments
  • Just one point, the fee isn't to Microsoft - it's to VeriSign. Microsoft will be running the keyservers, so it's going to be costing them a lot more than $99!
    anonymous
  • Simon:

    Since it is still early there isn't much information. I was aware that Verisign is the one providing the keys. Can you elaborate on why you feel it will cost more than a one time fee of $99?
    Chris_Clay
  • I meant it would be costing Microsoft a lot more than $99 to run the servers, so all in all a bargain for Fedora!
    anonymous
  • We're already seeing signed malware in the wild, and I'm sure that Sony would have had access to a key to sign its infamous root-kit with too. Although I suspect the real reason behind Secure Boot is to keep Linux off its WOA tablets... ;-).
    Zogg
  • @Chris Rankin

    WOA tablets will be more expensive than Android tablets, and there won't be many (if any) Linux drivers for WOA systems, so why would any rational person want to put Linux on one?

    Do you have an insane desire to add to Microsoft's sales and profits by buying a WOA tablet to run Linux rather than buying an Android tablet or an iPad? If so, why?
    Jack Schofield
  • Chris - antimalware vendors love signed malware; once you know the key, you can avoid even brand new malware that you've never seen before because you know the key!
    Apex - the vast majority of drivers for any Windows PC do indeed come in the box; there are class drivers for the standard functionality of almost every modern device and peripheral, plus Windows Update distributes third-party drivers automatically. It's a great idea to force device makers to do a more professional job and meet minimum standards of security, but UEFI secure boot only applies to boot components and the majority of third-party drivers are not boot components (they're loaded at boot but they're not part of the boot path), so really most of this isn't relevant anyway. You might also want to do a little more research on the origins of the UEFI standard, which doesn't come from Microsoft.
    Simon Bisson and Mary Branscombe
  • @apexwm

    You haven't mentioned the Advanced Boot Procedure in Windows 8 in order to boot other operating systems. The fact you have to boot into Windows 8 first on machines with UEFI Secure Boot. You then have to shut down the Win 8 machine again (choosing reboot), holding down the shift key. This is to enable the machine to reboot into the Advanced Boot Menu, where you then choose to boot the other operating system.

    To me, it's a bit like banking with Cooperative* but having to enter a branch of Barclays, have a look round, then leave - each time I want to visit a branch of Cooperative to deposit cheques. Comes across as a 'persuasive' approach by MS to subtly change the user's viewpoint to think maybe it's better just banking with Barclays.

    The constant nag/advert at boot for Windows 8 means as a Fedora user you can't actually forget about Windows altogether (neither can your users) and, crucially, is a requirement of auditing Windows licences, when you're not actually using Windows 'as such'.

    I'm assuming MS hasn't designed this so on another reboot, it carries on booting the other OS until you say different. You'll need to boot to Windows 8 first, every time you want to boot another OS.

    I can see this requiring some sort of 'non branded' bootloader code having to be written and available for other OSs (probably by MS under a competition ruling), even if it's not used by a Single Boot Windows 8 System. Just because it slows down the boot process is not a reason not to have it available to other OSs to use if need be, even if it is not used by Windows 8 itself.

    Cont...
    adamjarvis
  • Cont....

    I'm assuming the encryption key allows you to get around this boot procedure (but no reason to say it would) when using Fedora on its own. Having both Win8/Fedora installed, would Fedora then give you the option of booting back into Windows 8 from its bootloader? Might entail a similar procedure in Fedora, of booting and reboot into Fedora advanced mode back into Win8, to obtain a dual boot system. There is the GPL issue too.

    Is UEFI Secure Boot on all Win 8 Devices? Will Arm Windows RT Only Tablets have the UEFI Secure Boot? Seems more likely they will use different smaller proprietary boot systems, i.e. Windows RT Only Tablet Devices (Intel or Arm) locked to Windows 8 Only.

    Signed Drivers locked to the hardware also brings about an interesting point regarding future OS Versions: older OS Drivers might in fact be fully compatible with newer OS versions, but if HP/Dell etc. don't reissue signed versions for that device, the future version of the OS won't work - you have 'artificially' obsolete hardware that wouldn't otherwise be.

    The campaign to force Asus to release the key for its secure boot for the Transformer Prime was successful. Really it's about getting awareness out there on this issue, because most Windows consumers aren't going to notice until 2-3 years down the line, and a minor new version of the OS is released, but can't be installed because of artificial restrictions.

    (* replace here with your own most loved/hated-sorry 'disliked' banks)
    adamjarvis
  • @Jack Schofield:
    > WOA tablets will be more expensive than Android tablets, and there won't be many (if any)
    > Linux drivers for WOA systems, so why would any rational person want to put Linux on one?

    People put Linux (or any alternative OS) on devices "because they can", and the lack of drivers is usually fixed by writing them - rather like with PCs. So I'm sure that someone somewhere would have considered it "fun" to boot Linux on a WOA tablet - if only Secure Boot weren't enabled.

    @Mary Branscombe
    > antimalware vendors love signed malware; once you know the key, you can avoid even
    > brand new malware that you've never seen before because you know the key!

    Eh? But so what? My point is that some malware authors have already figured out how to sign their code, so there's no reason to think that Secure Boot will stop them either.
    Zogg
  • Mary:

    "...UEFI secure boot only applies to boot components and the majority of third-party drivers are not boot components (they're loaded at boot but they're not part of the boot path)..."

    OK I can buy that. So I'm guessing that most of these drivers will be Microsoft or Intel provided for the x86 architecture. It's still early in the game and I'm sure more information will appear once these PCs are released to the market.

    "You might also want to do a little more research on the origins of the UEFI standard, which doesn't come from Microsoft."

    I was aware that the UEFI standard itself doesn't come from Microsoft, but controlling the firmware that gets loaded on the PCs does come from Microsoft. As I mentioned, I personally will be disabling the feature altogether on any PCs that I am involved with.

    adamjarvis:

    Thanks for the additional information on having to boot to Windows 8 first in order to get to the advanced boot menu. I agree that we will probably see many problems with this whole setup. We see problems now where Windows updates will blow away bootloaders that are installed on the system, so it will be interesting to see if we also see these issues with the advanced boot process as well. Disabling the Secure Boot feature and wiping the drive will be my first step when purchasing any new PC for myself or anybody else I know, so I'll be sure to get rid of the problems before they start. I understand that some may need to dual boot, but I'd prefer to run Windows in a virtual machine (if I happen to need it for anything) that way it can't touch the real disk in the system :)
    Chris_Clay