Linux developers working on Windows UEFI secure boot problem

Linux developers working on Windows UEFI secure boot problem

Summary: With Windows 8 PCs with UEFI secure boot locks on their way, Linux developers are working on addressing its problems.


We all know that Windows 8 PCs will come locked up tight Microsoft's UEFI (Unified Extensible Firmware Interface) secure boot on. This will prevent you from easily installing  Linux or any other operating system, such as Windows 7 or XP, on a Windows 8 system. What we don't know is exactly how original equipment manufacturers (OEM)s will be implementing UEFI, never mind secure boot, on these new machines. To address this problem, James Bottomley, chair of the Linux Foundation's Technical Advisory Board, has released a version of the Intel Tianocore UEFI boot image and some code that Linux programmers can use to get around Windows 8's  Secure Boot restrictions.

Intel Tianocore is an open-source image of Intel's UEFI. Until recently this image didn't have the Authenticode that Microsoft uses for Secure Boot (PDF Link) but now Tinocore includes this functionality as well.

Bottomley's work is important because, as Bottomley says, it will “widen the pool of people who are playing with UEFI Secure boot.  The Linux Foundation Technical Advisory Board have been looking into this because it turns out to be rather difficult to lay your hands on real UEFI Secure Boot enabled hardware.”

It's not just Linux developers. In my conversations with original equipment manufacturers (OEM)s many of them have also had trouble laying their hands on this hardware. With Windows 8 being released to manufacturing (RTM) in early August That makes me wonder just how many Windows 8 systems actually will be rolling out in the 3rd and 4th quarters. That, of course, leaves aside the entire question of how much demand will there really be for Windows 8 PCs anyway.

In the meantime, Bottomley is “releasing this now because interest in UEFI Secure Boot is rising, particularly amongst the Linux Distributions which don't have access to  UEFI secure boot hardware, so having a virtual platform should allow them to experiment with coming up with their own solutions.”

Bottomley warns Linux developers that “This is very alpha.  The Tianocore firmware that does secure boot is only a few weeks old, and the signing tools weren't really working up until yesterday, so this is very far from rock solid.”

Still, Bottomley has been able to “lock down the secure boot virtual platform with my own PK [Platform Key] and KEK [Key Exchange Key] and verified that I can generate signed efi binaries that will run on it (and that it will refuse to run unsigned efi binaries).  Finally I've demonstrated that I can sign elilo.efi (this has to be built specially because of the bug in gnu-efi) and have it boot an unsigned linux kernel when the platform is in secure mode (I've booted up to an initrd root prompt).”

In other words, he's been able to create his own secured binaries that will boot and work on a UEFI Linux secured system. It's a big step to making it easier for developers to make use of UEFI security with their own keys, ala what Canonical is doing with Ubuntu.

Is that an ideal path? Maybe, maybe not, but it is a practical one.

If you want to give it a try, you can download it from an openSUSE server in RPM format for x86 64-bit processors. You'll also need Bottomley fix for building efi binaries on Linux. This includes an “example of how to use the fixed script and a builder for a LockDown.efi binary that will take a secure boot platform in setup mode and install a PK and KEK and enable secure boot” and other utilities.

Good luck in building Linux for Windows 8 Secure Boot systems. It's not easy, but we're on our way.

Related Stories:

Another way around Linux's Windows SecureBoot problem

Shuttleworth on Ubuntu Linux, Fedora, and the UEFI problem

Linus Torvalds on Windows 8, UEFI, and Fedora

Microsoft to lock out other operating systems from Windows 8 ARM PCs

Linux Foundation proposes to use UEFI to make PCs secure and free

Topics: Linux, Hardware, Laptops, Microsoft, PCs, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Microsoft hurts themselves

    I like most developers have multiple versions of Windows installed on a single machine (partitioned drives) for testing code. At minimum I (we) need to go back to XP at a minimum because as much as MS doesn't like it, there are millions of XP machines out there.
    • So you still develop for XP only?

      You need to move on buddy, if you still are focusing on developing for XP. Almost everything will run on Windows 8 and Windows 7, if you still need XP then stay with XP ...

      For development, get the 64bit Windows 8 with Hyper-V. It should get XP support someway or other. It is just freaking good !
      • Do you have a job?

        I'm only asking because it seems you have no idea about development, given you claim everything runs on Windows 7. Even more remarkable is your comment about Windows 8, which isn't even out yet. So it's quite obvious everything doesn't run on Windows 7 and 8.

        Once you are old enough to work, and if you can even get a job given your surprising level of ignorance, you will be shocked at how many companies use Windows XP.

        Of course, you will then be free to raise your issues about discontinuing Windows XP development with the IT director. Good luck with that.
    • You forget something

      Previous versions of Windows will still work because of one of the most anticipated features of Windows 8: Hyper-V.
      • So MS are doing it again

        Foiling the competition by bundling 3rd party functionality?
        • Ok I have to ask....

          Is it a problem if you get more than you expected from an OS?

          Are you still able to install a competitors VM product if you like it better?

          What's the problem here?
          • The problem is not

            getting more than you expected from an OS. The problem is getting less than you expected from hardware: people are not complaining about Windows SUPPORTING secure boot - they complained about crippling or hardware is required by MS for Win8 compliant sticker.
          • @vgrig, you're being kind

            But if disabling secure boot manages to brickwall your OEM system, then essentially your hardware is crippled by more than just the Win8 compliant sticker being involved.
          • Steven is that you spreading more fud?

            Signing on as CaviarBlack really isn't kosher, so please sign in as you. No one could post stuff this stupid except of course, for Steven!
          • Uncalled for

            If you have issue with any commentators contact the editor.
          • That's right, Steven

            What Cynical99 said.

            You be good sock puppet, neah.


      • Been testing..

        We've been testing older versions of Windows in VM and while it's pretty good there are still some rough edges. For us the problem comes in when new code fails or does something unexpected and we are left trying to figure out if its the code, an incompatibility with a previous version, or the VM environment.

        Booting into the actual previous version(s) takes one possiblity, (the VM environment) out of the picture for trouble shooting purposes.
      • It is still Hype V

        It is still not there. Before few SPs it will be useless
        Van Der
    • You also forget this:

      XP is out of mainstream support. Microsoft hasn't put out new features for almost 3 years now. And it's in steady decline and there are more Windows 7 PC's in use than there are XP systems (that was announced at last years BUILD conference). When support completely ends in 2014, they've already said there are no more security updates for it either, so writing software for it is pointless considering that anybody still using it is going to make the Internet a lot less safe.
      • Corporate usage.

        Will still be using XP.
        • State and local Governments

          are still using it also. At my day job with the State of California, my 9-month old PC came with XP loaded due to software problems with Windows 7. This PC will not be replaced for at least another 3 years, so I will be living with XP for at least that long.
      • Doesn't matter

        "XP is out of mainstream support. Microsoft hasn't put out new features for almost 3 years now."

        There are still millions of PC's running WinXP in the business world. We are supporting XP, Vista (yes thre are a lot of them out there running just fine). Win 7 and soon Win 8.

        Of course we'd love to to drop XP and Vista and just play in the Win 7 and Win 8 playground, it would certainly make our work a lot simpler. Unfortuantely we don't dictate what the world uses any more than Microsoft does.
      • We have special purpose optical scanners . . .

        . . . attached to XP systems where I work . . . unsupported in Win7. We will be running XP for a very long time.
        • Invitation to Botnets

          Without security updates or access to the source code, your network will be host to a botnet "for a very long time". You can avoid vendor lock-in with Linux, of course. A Linux driver for your optical scanner probably exists and scanning programs like Tesseract already exist.

          Your hardware shouldn't last longer than your software.
          Ben Francis
          • specialized systems

            While I am usually all for recommending Linux usage, specialized hardware and software is not one of those times. Our company has specialized hardware and software as well, and Linux equivalents to these things often just don't exist.