Linux Foundation releases Windows Secure Boot fix

Summary: At long last, the Linux Foundation fix to Windows 8 Secure Boot lock-in is out, but it's not ready for ordinary users yet and not all Linux desktop fans are happy about it.


It took longer than anyone expected, but the Linux Foundation fix for the UEFI (Unified Extensible Firmware Interface) Secure Boot lockout of other operating systems on Windows 8 PCs has finally arrived.

The Linux Foundation has set the foundation for Linux distros to easily boot on Windows 8 PCs. (Credit: The Linux Foundation)

James Bottomley -- Parallels' CTO of server virtualization, well-known Linux kernel maintainer, and the man behind the Linux Foundation's efforts to create an easy way to install and boot Linux on Windows 8 PCs -- announced on February 8 that the Linux Foundation UEFI secure boot system was finally out.

Finishing it required security keys from Microsoft so that the Linux Foundation UEFI bootloader would work. These keys have now been included, and these universal Linux bootloaders are ready to go. With these files you should be able to boot and install Linux on almost any Windows 8 PC.

I say "should" because this is the first release. As Bottomley himself wrote, "Let me know how this goes because I’m very interested to gather feedback about what works and what doesn’t work.  In particular, there’s a worry that the security protocol override might not work on some platforms, so I particularly want to know if it doesn’t work for you."

You must also be an expert Linux user to even try to get this to work at this point. Today, all Bottomley has provided are the two key bootloading files: PreLoader.efi and HashTool.efi. Both are EFI (Extensible Firmware Interface) firmware files. By themselves, they just set up a pre-boot environment that can then be used to boot Linux.

Bottomley has also "put together a mini-USB image that is bootable (just dd it on to any USB key; the image is gpt partitioned, so use the whole disk device). It has an EFI shell where the kernel should be and uses gummiboot [a simple UEFI boot manager] to load" a Linux distribution.

If you couldn't follow those instructions, don't even try using this method yet. As Pēteris Krišjānis, an Ubuntu Linux tester, wrote on Bottomley's blog, "These instructions are for advanced users only. Users who want to install Linux distro on UEFI/Secure Boot computer will have to wait for distribution releases in April/May (Fedora/Ubuntu and related distros)." Krišjānis is right. Ordinary users should stay well away from this solution for now. It's really meant more for distribution developers. Their job will be to turn these esoteric instructions into something that requires little more than a user hitting an "OK" button. 

In short, by May, it should be easy to boot and install the most popular Linux distributions on Windows 8 PCs. Today, we're still not there, but the developers now have the tools they need to get us there.

Others object to the Linux Foundation's attempt to work with Microsoft to get around Secure Boot's restrictions. One accused Bottomley of folding "to Microsoft UEFI and microsofts monopolistic decision to have OEMs use UEFI whether a consumer wants this or not under the guise of security when in fact its an effort to maintain control on MS part." Others used far harsher terms.

Unfortunately, these people are ignoring the simple fact that the vast majority of new PCs are being sold with Windows 8. This, in turn, means they're locked into Windows 8 with UEFI Secure Boot. Short of cracking UEFI security, something no one really wants to do in Linux development circles, the only viable choice has been to work within Secure Boot to get Linux to work. It's what Fedora, Ubuntu, openSUSE, and now the Linux Foundation have chosen to do.

Is this ideal? No. As far as I'm concerned, Secure Boot is far more about locking people into Windows than it is about security. For now, though, fixes like these are Linux's only viable options.

  • Don't agree

    I don't believe Microsoft implemented Secure Boot to harass us. They felt it was the right thing to do and since we (Linux users) don't have an army of OEMs who make us ready made Linux computers, we have always had to go the self install route one way or another. Now it's a little more difficult for a while - get over it. If you want to be part of the minority you'll always make some sacrifices.
    • What you said about being in the minority is true

      And a lot of us have made sacrifices to use what we want that don't really seem much like sacrifices any more, which is an indication that they were worth it.

      But that doesn't mean that we should take MS' preachments about security at face value or pretend that MS isn't using every trick they think they can get away with to keep users from defecting. Everything I've seen indicates that MS' top managers think they have every right to do just that.

      Eternal vigilance...
      John L. Ries
    • In response to Master Wanyne, Master 3 or the Master du jour

      "I don't believe Microsoft implemented Secure Boot to harass us"

      Nor was the lengthy wait for MS support, who just delivered the secure key Feb. 6th. Good thing the Linux Foundation was much quicker than MS support or we would have to wait two or three months longer for this solution. Wink....
    • Linux and UEFI

      Master 3, it's not a problem as manufacturers like System76 are making new laptops and desktops for Linux now and we can order them to the UK. We all know the reason why Microsoft thought up the idea of UEFI and it was nothing to do with security, but let them play their game and if people want to use Windows, no problem, enjoy yourselves. I love the fact that for some of us we believe in alternatives. I have been using Linux now for 4 years and I am an IT engineer of 29 years and work with Windows operating systems every day. If it came to me choosing between them, Linux all the way for me, thanks.
      • The real reason?

        Are you suggesting UEFI only exists in windows to mess with Linux? That it is the single reason for UEFI being on windows is due to Linux?
        • conspiracy killer: load Linux on a Surface Pro

          I hate hearing this BS. I'm a MCITP and a RHCSA. I work on both MS and Linux systems side by side all day long. I'd like to assist on putting the "Secure boot to destroy Linux" lies to rest.

          Case in point: On a Microsoft Surface Pro, you can simply go into the BIOS settings and disable settings to allow other Operating System installs.

          You may want to take into consideration that other OEMs that block this customization do it purely from a consistency and support perspective: they are NOT going to help you install anything but Windows 8 on these devices. Linux isn't the issue, it's Windows 7.
  • An open arm to all sorts security risks

    I'm glad I don't have Linux on my machine.
    • What specific risks?

      “An open arm to all sorts security risks”
    • Name one

  • I see whining is in full swing

    So, the Linux foundation finally had to admit that working with MS to obtain keys was mandatory. All that hate built up in the Open Source folks was the main downfall. MS offered the keys to anyone, but the thought of working through MS to get keys was just too much.

    Good heavens. MS and Apple control 98% of the desktop market. According to you, Steven, the desktop is over the hill and in decline. So why worry about the desktop, unless all the claims are false.

    Then whining that MS handed over the keys so Linux can load on properly configured UEFI devices without issue seems to be as pointless as ever.

    All it really means is that the Linux foundation was so stubborn and blind to the future, it delayed compatibility and irritated more people.

    Good luck Steven, all you've done is prove that the purists are more about hating MS than servicing the public they claim they want to free.

    Even Android, the new flagship, couldn't find success until a multibillion dollar company took control and made it worth something. Even that success left a mess in versions, lack of updates and the rest.

    Have fun being the whining monger you really
    • Everybody's picking on PIPMS

      And it's all because of envy and hatred.

      Cynical says it, so it must be true (never mind that he might have ulterior motives for posting the above comment).
      John L. Ries
    • More about hating microsoft?

      Yeah, we're just all "haters" of M$ for no real reason is one possibility.

      The other possibility is that you are a hapless user of Windows products because you don't have the smarts to figure out how to install and use any other OS. You bought the box. You're not happy with it but you're stuck with it. You're feeling insecure at reading how virtually everyone else is able to pick up Linux, BSD, whatever and give it a spin. This pisses you off. So in your desperation you formulate the "haters of winners" theory and preach it as if associating yourself with your perceived winner, Microsoft, you're a winner too.

      Which is more likely here.
      Fireal Laname
      • you are a hapless user of Windows products

        Don't mind Cynical99, he's just threatened by Linux, that's all, I mean if Linux really had 2% desktop market share like he claims then he wouldn't be wasting his time here, and Microsoft wouldn't be thinking about porting their Office suite to Linux, and let's not forget that in 2009 Steve Ballmer estimated that Linux desktop market share was about the same as Apple's.
      • That you are a Microsoft hater.

        That IS the more likely scenario of the two you laid out.

        And before you try to put me on blast for somehow dissing Linux - I'm not. Linux is a decent OS, I liked Ubuntu but there is no distro of Linux nor any version of the Mac OS that allows me to run the games I want to play. Windows does. Nor is there any version of iTunes or similar software for Linux that allows me to sync my iPhone with my computer. In short Linux does not work for me as an OS. Nor does Mac OS.

        The theory that you are Microsoft haters is further proven by this whole whining over Secure Boot... you act like Microsoft put in place and is enforcing it with the OEMs simply to screw over Linux users... and that is simply not the case. It may be perhaps an added bonus to some people at Redmond. Honestly some Linux fanbois are as whiney and b1tchy as their Apple counterparts the frothing at the mouth zealots that see conspiracies from Microsoft everywhere.
    • Too bad there is

      no such solution for those wanting to install older Win distros on Win8 devices.
      • How would one install Win 7 on a device

        With a Windows 8 running UEFI?
        Can Windows 7 run UEFI native?
        • RE: Can Windows 7 run UEFI native?

          A good question. I've previously asked Steven to write a blog article about installing Windows 7 on Windows 8 PCs.

          At a minimum, secure boot must be disabled to install Windows 7, placing Windows 8 in a less secure state. In some cases, legacy mode must be selected to install and boot Windows 7.

          So, Steven, how about a blog article detailing Windows 7 installation and booting on Windows 8 PCs? You actually like Windows 7, remember? Here's yet another chance to bash Windows 8.

          P.S. Congrats to the Linux Foundation's efforts.
          Rabid Howler Monkey
          • An example

            A bricked Samsung laptop. To be safe, don't use UEFI on any Samsung laptop. Want Windows on a Samsung laptop? Reinstall it. More here:

            "Samsung laptop bug is not Linux specific
            Feb. 8th, 2013

            UEFI-related problems are not exclusive to GNU/Linux.
            Rabid Howler Monkey
          • Not to mention...

            ...that Linux was actually among the first operating systems to support EFI (and consequently UEFI). So if anything, Linux is going to be the *most* compatible OS on the UEFI end.
    • The real reasons for the complaints ...

      ... is precisely that it makes it harder and takes longer to get alternate operating systems working with Secure Boot. And what if malware would abuse these keys somehow and they would be revoked? Then everybody has to wait again for getting a new bootloader signed. And chances are it would have to be more restricted (not working with custom compiled kernels, for example).

      Secure Boot could have been great if there had been a few additional requirements on the manufacturers, like having to make it easy to add (and manually revoke) keys, so that your favorite Linux distribution won't have to get a key issued to them.