By design, Microsoft has made installing and booting Linux on Windows 8 PCs with UEFI (Unified Extensible Firmware Interface) Secure Boot troublesome. Many of the major Linux distributors, including Fedora, openSUSE, and Ubuntu, have proposed different ways of addressing this problem. The Linux Foundation, which supports all Linux, recently proposed a universal plan for addressing the UEFI Secure Boot issue. Unfortunately, it's been delayed.
The plan was, as James Bottomley, Parallels' CTO of server virtualization and well-known Linux Kernel maintainer, explained on October 10th, 2012, to "obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)."
This pre-bootloader will "employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
The idea was to make it easy for non-technical users to get a taste of Linux in the way they've always done before. That is, by providing a "solution that would enable people to continue to try out Linux and other Open Source Operating Systems in spite of the barriers UEFI Secure boot would place in their way and without requiring that they understand how to take control of their platforms." In short, Jane User could simply put a Linux boot CD, DVD, or USB drive in their computer, reboot and choose to give Linux a try without needing to jump through any technical hoops.
Alas, the plan's been delayed. When I asked Bottomley what the status of the project was, he told me, "We're all done and dusted with the signed contract with Microsoft and the binary ready to release. However, I've been having bizarre experiences with the Microsoft sysdev centre."
Specifically, "The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was 'improperly' signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key."
Bottomley concluded, "I'm not sure how long it will take MS to get their act together but I'm hoping it's only a few days." With the holiday season upon us, I fear it will be more like a few weeks. I hope it will be ready by the New Year.