Linux Foundation support for booting Linux on Windows 8 PCs delayed

Summary: Thanks to Microsoft's implementation of secure boot, installing Linux on Windows 8 PCs is tricky. Unfortunately, the Linux Foundation's plan to address this problem has been stalled.

Thanks to UEFI Secure Boot, getting Linux to run on Windows 8 PCs is still a pain in the rump.

By design, Microsoft has made installing and booting Linux on Windows 8 PCs with UEFI (Unified Extensible Firmware Interface) Secure Boot troublesome. Many of the major Linux distributors, including Fedora, openSUSE, and Ubuntu, have proposed different ways of addressing this problem. The Linux Foundation, which supports all Linux, recently proposed a universal plan for addressing the UEFI Secure Boot issue. Unfortunately, it's been delayed.

The plan was, as James Bottomley, Parallels' CTO of server virtualization and well-known Linux Kernel maintainer, explained on October 10th, 2012, to "obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)."

This pre-bootloader would "employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."

The idea was to make it easy for non-technical users to get a taste of Linux in the way they've always done before. That is, by providing a "solution that would enable people to continue to try out Linux and other Open Source Operating Systems in spite of the barriers UEFI Secure boot would place in their way and without requiring that they understand how to take control of their platforms." In short, Jane User could simply put a Linux boot CD, DVD, or USB drive in their computer, reboot and choose to give Linux a try without needing to jump through any technical hoops.

Alas, the plan's been delayed. When I asked Bottomley what the status of the project was, he told me, "We're all done and dusted with the signed contract with Microsoft and the binary ready to release. However, I've been having bizarre experiences with the Microsoft sysdev centre."

Specifically, "The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was 'improperly' signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key."

Bottomley concluded, "I'm not sure how long it will take MS to get their act together but I'm hoping it's only a few days." With the holiday season upon us, I fear it will be more like a few weeks. I hope it will be ready by the New Year.

Topics: Linux, Hardware, Open Source, Operating Systems, PCs, Windows

Talkback

155 comments
  • Linux Foundation support for booting Linux on Windows 8 PCs delayed

    What is interesting from the article is Bottomley’s statement;

    Bottomley concluded, "I'm not sure how long it will take MS to get their act together but I'm hoping it's only a few days."

    Ouch!
    daikon
    • Dr. Bottomley is waiting on response from Microsoft

      James Bottomley in the process of the signing received an error.

      From emails received from Microsoft Support: Don’t use that file that is incorrectly signed. I will get back to you.

      James Bottomley; We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use.

      http://blog.hansenpartnership.com/adventures-in-microsoft-uefi-signing/
      RickLively
  • Can you clear something up for me?

    How is it that people who are obviously smart enough to be able to download a distro and install it on a PC are NOT smart enough to disable secure boot before doing so?

    Nothing has been delayed. You can install Linux on any Windows 8 PC. In order for a PC to become Windows 8 certified, it MUST allow the user to easily disable secure boot. This is mandated from Microsoft.

    Answer the charge SJVN. Answer my charge that you are lying about the delay in being able to install Linux on a Windows 8 PC.
    toddbottom3
    • Todd, how can I disable secure boot on

      a Dell and an Asus computer?
      daikon
      • daikon, are you a computer newbie?

        I just have to wonder if you have any experience with computers? Clearly not. You've probably never even installed an OS before. Newb.

        http://support.dell.com/support/topics/global.aspx/support/kcs/document?docid=575109#Secure-Boot

        http://www.rodsbooks.com/efi-bootloaders/secureboot.html

        That took 30 seconds to find. Hope you get a chance to learn more about computers. It must be pretty hard for you to take the fact that I know more about computers than you do.
        toddbottom3
        • What it shows is that if one believes

          someone is a newb you can get one to do anything......

          Ouch!
          daikon
          • I'm glad to help

            Especially if helping you means providing even more links to destroy SJVN's point.

            Note that SJVN still hasn't had the courage to respond. The posted evidence on this blog that proves him wrong, in part thanks to you asking your simple question, is huge. I don't blame SJVN for running away but it doesn't make him look very good.

            So yes, thanks daikon, I appreciate the easy pitch allowing me to knock one out of the park.
            toddbottom3
          • toddbottom3....SJVN doesn't respond because of the funny looking growths

            coming out of each side of your head. What is that stupid picture you use supposed to represent anyway?
            Over and Out
          • Better than the help you would have gotten from the Linux "community"..

            ..asking a question like that would have gotten you an inbox full of "RTFM" with the odd link to a Slashdot article on how Bill Gates wants to take over your coffee maker.

            At least Todd provided you with some links.
            daftkey
          • That's because it helps to RTFM

            Usually, when one decides to RTFM, he/she will indeed learn much about how to do things. It's like an old man complaining that his VCR doesn't work, even though he didn't even take the manual for it out of the packaging, let alone read it.

            And generally the Ubuntu forums and AskUbuntu will provide much more than a recommendation to read some documentation. Or at least I do. Maybe you're thinking of the communities around user-unfriendly distros like Arch...
            northrup
        • So,

          You gave him two links.

          One describes upgrading Dell computers to Windows 8. It does not describe Dell computers that come with Windows 8 pre-installed.

          The other, if you read the link is for a specific ASUS motherboard, the P8H77-I. I've owned enough ASUS motherboards to know that the BIOS settings are completely different among what appear to be similar models. Plus, the author also states "Unfortunately, there's no standardization in where Secure Boot options might be located or what they might be called; therefore, I can't provide a procedure that will work for every computer."

          So those links are worthless to those who own a Windows 8 PC and want to remove the so-called "Secure Boot".
          benched42
          • I answered the best anyone possibly could have

            The original question was:
            "Todd, how can I disable secure boot on
            a Dell and an Asus computer?"

            That isn't a specific enough question for me to give the type of specific answer you demanded I give.

            Ultimately, I have 1 answer to ANY of these questions and that is to say that an OEM who releases a PC that does NOT provide a simple way of disabling secure boot cannot claim that the PC is a Windows 8 Certified PC. Believe it or not, MS can't actually control what OEMs do. The only thing MS can do is state that IF an OEM decides they want to sell a Windows 8 Certified PC, they must follow certain guidelines. One of those guidelines is that the OEM must provide a way to disable secure boot.

            This is straight from MS's Windows 8 Hardware Cert Requirements document:
            "Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv."

            MS is not leaving this up to the discretion of the OEM if the OEM wants to market their PC as Windows 8 Certified.

            If you know of an OEM selling a Windows 8 Certified PC that does NOT provide a way for the end user to disable secure boot, you should report that OEM to MS and MS will remove the certification. If an OEM decides to sell an uncertified PC with Windows 8 on it, I'm not sure exactly how you expect MS to do anything about it. I'm not even certain you would WANT MS to be able to do anything about it, would you?

            So no, I'm not able to provide specific instructions for PC model XYZ123. What I can say for sure is that if PC model XYZ123 is a Windows 8 Certified PC, there is a way of disabling secure boot via firmware setup. If there isn't, you should immediately report that OEM to MS because they are in breach of an agreement they made with Microsoft.
            toddbottom3
          • By the way, why do I have to fact check SJVN?

            You people should be furious with SJVN for leaving this piece of information out of his blogs. You are getting half the story from this blogger. When are you going to start demanding more honesty from this author?
            toddbottom3
          • Secure Boot

            Your quoted section: "Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv."

            FAIL

            From Microsoft: "If the system ships with a UEFI-compatible OS, system firmware must be implemented as UEFI and it must be able to achieve UEFI boot mode by default. Such a system may also support fallback to legacy BIOS boot on systems with OS which do not support UEFI, but only if the user selects that option in a pre-boot firmware user interface."

            Notice it says "Such a system ***may*** also support........" It is NOT required. By the way, this document is "Windows Hardware Certification Requirements for Client and Server Systems" and is at:
            http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256
            benched42
          • Your quote says absolutely nothing about secure boot

            You realize that UEFI and secure boot aren't at all the same thing, don't you? YOUR link (which is where I got my quote from) SPECIFICALLY states that the user must be able to disable secure boot (System.Fundamentals.Firmware.UEFISecureBoot Section 18). End of story. Your quote doesn't trump that requirement.

            Your quote is about UEFI booting and support for legacy BIOS booting. MS is saying that system builders *may* optionally provide for a legacy BIOS mode in order to support OSs that will not boot under UEFI (like XP for example). This would also have the side effect of disabling secure boot but is NOT the only way of disabling secure boot.

            They make it ironclad in the section I quoted. OEMs MUST allow for an option to disable secure boot. No way around that. They *may* provide support for legacy OSs that can't boot from UEFI but this isn't mandated. As far as I'm aware, all modern Linux distros support booting from UEFI, don't they? If not, can you please make it clear that Linux lags far far far behind Windows in this respect?
            toddbottom3
          • UEFI

            Linux distros have supported UEFI longer than Microsoft has
            lost65
          • Good news

            Then MS is doing absolutely nothing to make it difficult to install Linux on a Windows 8 Certified PC. In fact, MS REQUIRES that OEMs make it easy for end users to disable Secure Boot in order to install Linux.

            Thanks for the update lost65, you've just proven that SJVN is wrong and that MS is doing absolutely nothing to block Linux. After all, benched42 almost had me because had Linux been unable to boot from anything other than BIOS then yes, one could suggest that by making BIOS booting "optional" that MS could block Linux. You just proved that benched42's quote is completely irrelevant here.

            Thanks again for your help on this matter.
            toddbottom3
          • question

            You might have a chance to disable MS wanted feature secure boot to boot Linux. But have you tried to do a dual boot between NT and Linux after Windows 8 was installed when secure boot was enabled?

            You are here claiming that there is no problem for user to secure boot technology booting third party bootloader and that reading Linux OS image to RAM and executing it.
            But Linux foundation developers, Linux developers, Linux hackers and even Microsoft UEFI developers failed to know how it works by not just saying "disable it, dual boot works perfectly and you can install what you want because you don't need secure boot." But instead they went and started to demand signed loader with Microsoft keys and they have brother once said to Linux foundation that it isn't needed at all and is waste of time. And still Microsoft has huge problems to sign a SINGLE pre-bootloader file with a CORRECT key and it takes from them days if not weeks to solve a such trivial problem!

            And here you are defending Microsoft, UEFI secure boot feature and blaming all of that the article (blog) writer from ignorance, while world biggest software companies and OS Hackers are having problems with your solution. Like you know better than those who build those motherboards, write bootloaders and write operating systems.

            Yes?

            Okay. Good to know that you are correct so I can trust you.
            Fri13
          • Why should Linux users need to disable secure boot?

            Especially if those users want to dual boot (and many do -- either for playing Windows games, or for using a secure OS for their online banking needs).

            After all -- It's not as if Linux has any trouble supporting UEFI or Secure Boot. (Linux has in fact had UEFI support longer than Windows has). The issue is just how these are being implemented, in practice under the aegis of Microsoft.

            Any sensible implementation wouldn't be a problem. Such sensible implementations wouldn't be hard to implement in practice, either. A proper implementation would help rather than hinder the user to set up his computer, flexibly and securely. It could be as easy as setting up the order of boot devices.

            The fact that so many implementations from (MS-dependent) OEMs are painfully amateurish, awkward, convoluted, messy monstrosities is telling. These are supposed to be commercial, commodity products from professional, established and recognized "big-name" manufacturers, not high-school science-fair projects.
            bswiss
          • I'll ask the same of you

            Why should Windows users need to disable secure boot on Chromebooks?

            After all -- It's not as if Windows has any trouble supporting UEFI or Secure Boot.
            toddbottom3