Fedora gets its plans together for UEFI Secure Boot

Written by Chris Clay, Contributor

Those of us using GNU/Linux have probably heard about the UEFI Secure Boot scheme and how it demonstrates Microsoft's strong grasp on PC hardware vendors. If you are not quite sure what UEFI Secure Boot is yet, I highly advise reading up on it as new PCs will begin to have this feature enabled by default in the near future to comply with Microsoft's requirements for Windows 8. Yes, a software company is controlling hardware companies. Luckily though, the feature can be disabled so that we will still be able to install GNU/Linux on the same x86 hardware. Matthew Garrett from Red Hat summarizes the UEFI Secure Boot issue on his blog.

So what can we expect? Fortunately, the same old steps apply, with one additional step when we purchase a new PC: disable the UEFI Secure Boot feature, then install Fedora. Even though it's still early, this has been one option mentioned as information has crept out. The alternative option is that we will be able to leave UEFI Secure Boot enabled, and use a Microsoft/Verisign-provided key to actually use the feature and install Fedora. It seems that Fedora is going to pay the one-time $99 fee to obtain the necessary key from Verisign to take advantage of the UEFI Secure Boot feature for its users. Even though I'm against Fedora/Red Hat having to pay Microsoft anything at all, a one-time $99 fee seems reasonable enough. Fedora's stance is that it's better to pay the one-time $99 fee for its users, to make it easier for them to install Fedora Linux, especially new users. It makes sense to me, and is what it is.

Initially, there was some fear about the UEFI Secure Boot feature locking out operating systems other than Windows, but those fears can be pushed away now. There are still fears that Microsoft will change the UEFI Secure Boot requirements at some point in the future, but for now there's no worry.

To me, the entire UEFI Secure Boot feature may have good intentions, but I think it is just adding more complexity to PC hardware that really doesn't need to be there. In my everyday work, Windows malware still shows up as one of the leading problems in Windows, which is not really addressed by this new feature because malware will still get through. The technology is designed to mesh the operating system more tightly to the hardware, and prevent drivers and other modules from loading unless they are signed with a key that is installed into the PC's firmware. In the world of Windows, I am curious as to how this will work considering there are thousands of third parties writing drivers for the operating system. Drivers that are not signed with a key that is installed in the PC's firmware will not be allowed to load and execute. Personally I think the situation with Windows is messy enough now just having so many third parties all in the mix. Now, we add one more layer of complexity to the picture and I think this will add extra problems and user frustration. I can see this being handled much better in GNU/Linux since all drivers and modules are usually included within the kernel for the GNU/Linux distribution being used. The kernel comes with "batteries included" so that everything should just work right out of the box. But time will tell, as it is still early and no hardware has been released to the market with the UEFI Secure Boot feature on it (at least, not that I have heard of).

I am also NOT a fan of Microsoft trying to tightly tie its software to the hardware at the PC vendor. PC hardware should be kept independent of the software that is loaded on it. OK, so what if the vendor puts a silly Windows sticker on the case? It can be removed along with the Windows license sticker. No big deal. But when we start modifying the PC's built-in firmware as UEFI Secure Boot does, to me this is crossing over the line.

I can tell you for sure that if or when I purchase a new PC in the future with the UEFI Secure Boot feature enabled, I will promptly be disabling that feature at the same time that I'm throwing the Windows installation media in the garbage can. Personally I'd rather just get back to using my PC without having too many potential problems in the way and over-complex features that could be doing more harm than good.