Linux developers working on Windows UEFI secure boot problem
Summary: With Windows 8 PCs with UEFI secure boot locks on their way, Linux developers are working on addressing its problems.

We all know that Windows 8 PCs will come locked up tight with Microsoft's UEFI (Unified Extensible Firmware Interface) secure boot on. This will prevent you from easily installing Linux or any other operating system, such as Windows 7 or XP, on a Windows 8 system. What we don't know is exactly how original equipment manufacturers (OEMs) will be implementing UEFI, never mind secure boot, on these new machines. To address this problem, James Bottomley, chair of the Linux Foundation's Technical Advisory Board, has released a version of the Intel Tianocore UEFI boot image and some code that Linux programmers can use to get around Windows 8's Secure Boot restrictions.
Intel Tianocore is an open-source image of Intel's UEFI. Until recently this image didn't have the Authenticode that Microsoft uses for Secure Boot, but now Tianocore includes this functionality as well.
Bottomley's work is important because, as Bottomley says, it will “widen the pool of people who are playing with UEFI Secure boot. The Linux Foundation Technical Advisory Board have been looking into this because it turns out to be rather difficult to lay your hands on real UEFI Secure Boot enabled hardware.”
It's not just Linux developers. In my conversations with original equipment manufacturers (OEMs), many of them have also had trouble laying their hands on this hardware. With Windows 8 being released to manufacturing (RTM) in early August, that makes me wonder just how many Windows 8 systems actually will be rolling out in the 3rd and 4th quarters. That, of course, leaves aside the entire question of how much demand there will really be for Windows 8 PCs anyway.
In the meantime, Bottomley is “releasing this now because interest in UEFI Secure Boot is rising, particularly amongst the Linux Distributions which don't have access to UEFI secure boot hardware, so having a virtual platform should allow them to experiment with coming up with their own solutions.”
Bottomley warns Linux developers that “This is very alpha. The Tianocore firmware that does secure boot is only a few weeks old, and the signing tools weren't really working up until yesterday, so this is very far from rock solid.”
Still, Bottomley has been able to “lock down the secure boot virtual platform with my own PK [Platform Key] and KEK [Key Exchange Key] and verified that I can generate signed efi binaries that will run on it (and that it will refuse to run unsigned efi binaries). Finally I've demonstrated that I can sign elilo.efi (this has to be built specially because of the bug in gnu-efi) and have it boot an unsigned linux kernel when the platform is in secure mode (I've booted up to an initrd root prompt).”
In other words, he's been able to create his own secured binaries that will boot and work on a UEFI Linux secured system. It's a big step toward making it easier for developers to make use of UEFI security with their own keys, à la what Canonical is doing with Ubuntu.
Is that an ideal path? Maybe, maybe not, but it is a practical one.
If you want to give it a try, you can download it from an openSUSE server in RPM format for x86 64-bit processors. You'll also need Bottomley's fix for building efi binaries on Linux. This includes an “example of how to use the fixed script and a builder for a LockDown.efi binary that will take a secure boot platform in setup mode and install a PK and KEK and enable secure boot” and other utilities.
Good luck in building Linux for Windows 8 Secure Boot systems. It's not easy, but we're on our way.
Talkback
Microsoft hurts themselves
So you still develop for XP only?
For development, get the 64bit Windows 8 with Hyper-V. It should get XP support someway or other. It is just freaking good!
Do you have a job?
Once you are old enough to work, and if you can even get a job given your surprising level of ignorance, you will be shocked at how many companies use Windows XP.
Of course, you will then be free to raise your issues about discontinuing Windows XP development with the IT director. Good luck with that.
You forget something
So MS are doing it again
Ok I have to ask....
Are you still able to install a competitor's VM product if you like it better?
What's the problem here?
The problem is not
@vgrig, you're being kind
Steven is that you spreading more fud?
Uncalled for
That's right, Steven
You be good sock puppet, neah.
Heah?
lol...
Been testing..
Booting into the actual previous version(s) takes one possibility (the VM environment) out of the picture for troubleshooting purposes.
It is still Hype V
You also forget this:
Corporate usage.
State and local Governments
Doesn't matter
There are still millions of PCs running WinXP in the business world. We are supporting XP, Vista (yes, there are a lot of them out there running just fine), Win 7 and soon Win 8.
Of course we'd love to drop XP and Vista and just play in the Win 7 and Win 8 playground, it would certainly make our work a lot simpler. Unfortunately we don't dictate what the world uses any more than Microsoft does.
We have special purpose optical scanners . . .
Invitation to Botnets
Your hardware shouldn't last longer than your software.
specialized systems