Linux Foundation UEFI Secure Boot key for Windows 8 PCs delays explained

Summary: Thanks to Microsoft, the Linux Foundation's program for booting Linux easily on Windows 8 PCs protected with Secure Boot is still stuck in neutral.

The Linux Foundation is sorry to report that its project for making Linux easy to boot with Windows 8 Secure Boot still isn't finished.

James Bottomley, Parallels' CTO of server virtualization, a well-known Linux kernel maintainer, and the man behind the Linux Foundation's efforts to create an easy way to install and boot Linux on Windows 8 PCs with UEFI (Unified Extensible Firmware Interface) Secure Boot enabled, reports that "We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader."

Despite the best efforts of Fedora, openSUSE, Ubuntu, and the Linux Foundation, booting Linux on UEFI Secure Boot Windows 8 PCs continues to be a problem. The easiest way to avoid Windows 8 lock-in is to disable UEFI Secure Boot on your system before it starts to boot. However, this option may not be available on all motherboards; it isn't available at all on Windows RT devices, such as the Surface; and booting Linux can still be troublesome even with Secure Boot disabled. So the struggle, and struggle it is, to create an easy-to-use, universal Secure Boot Linux installer and boot loader continues.

You don't have to take my word for it. Bottomley reports that, even after jumping through various legal hoops, you can't "just upload a UEFI binary and have it signed. First of all you have to wrap the binary in a Microsoft Cabinet file. Fortunately, there is one open source project that can create cabinet files called lcab. Next you have to sign the cabinet file with your Verisign key. Again, there is one open source project that can do this: osslsigncode. For anyone else needing these tools, they’re now available in my openSUSE Build Service UEFI repository."

"The final problem is that the file upload requires silverlight. Unfortunately, moonlight [an open-source Silverlight implementation] doesn’t seem to cut it and even with the version 4 preview, the upload box shows up blank, so time to fire up windows 7 under kvm [Linux's built-in hypervisor]. When you get to this stage, you also have to certify that the binary “to be signed must not be licensed under GPLv3 or similar open source licenses.” I assume the fear here is key disclosure but it’s not at all clear (or indeed what 'similar open source licences' actually are)."

Legally that's troublesome, but at least the technical problems seemed in hand. Alas, the trouble was only beginning.

First, creating the cabinet file failed. Eventually Bottomley generated a working UEFI Secure Boot Linux pre-loader, but the signing process still indicated that there had been a failure. When he asked Microsoft what was going on, the company replied, "Don’t use that file that is incorrectly signed. I will get back to you." Bottomley speculates that the problem is that the working Secure Boot binary "is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation."

So it is that the Linux Foundation is still waiting "for Microsoft to give the Linux Foundation a validly signed pre-bootloader." Until that happens, booting and installing Linux on Windows 8 PCs will remain an order of magnitude harder than it is on earlier model PCs.
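
A UEFI pre-bootloader is a PE/COFF image, and a Secure Boot signature is carried as an Authenticode blob in that image's certificate table. The following added example (not from the article or from Bottomley's tooling) checks whether an image carries such a table and what type of entry it holds; it does not validate the signature or identify the signer, which is exactly the part that went wrong in the episode above. `make_sample` builds a constructed header skeleton, not a real bootloader.

```python
import struct

EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver", 13: "EFI ROM"}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob

def inspect_efi_image(data: bytes) -> dict:
    """Report the subsystem and WIN_CERTIFICATE entries of a PE/COFF image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # start of the data directories
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    certs = []
    if ndirs > 4:  # directory 4 is the certificate table; its address is a file offset
        off, size = struct.unpack_from("<II", data, dirs + 4 * 8)
        end = off + size
        if end > len(data):
            raise ValueError("certificate table runs past end of file")
        while off + 8 <= end:
            length, revision, ctype = struct.unpack_from("<IHH", data, off)
            if length < 8 or off + length > end:
                raise ValueError("malformed WIN_CERTIFICATE entry")
            certs.append({"type": ctype, "revision": revision, "payload_len": length - 8})
            off += (length + 7) & ~7  # entries are 8-byte aligned
    has_sig = any(c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA for c in certs)
    return {"subsystem": EFI_SUBSYSTEMS.get(subsystem, "not EFI"),
            "has_signature": has_sig, "certs": certs}

def make_sample(signed: bool) -> bytes:
    """Constructed PE32+ header skeleton for the demo (not a bootable image)."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)      # subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    cert = b""
    if signed:  # one placeholder entry: 8-byte header + 13 filler bytes, padded to 24
        cert = struct.pack("<IHH", 21, 0x0200, 2) + b"\x30" * 13 + bytes(3)
        struct.pack_into("<II", opt, 112 + 4 * 8, len(head) + len(opt), len(cert))
    return head + bytes(opt) + cert
```

A result with `has_signature` set only means a PKCS#7 entry is present; whether firmware accepts it depends on the signer chaining to a key in the platform's signature database.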

  • Pass the butter...

    ..this is going to be entertaining... again...
    • why can't you boot Windows

      And then have your tinkering, side project, not going anywhere distro in a VM?

      Best of both worlds it seems.
      • Looks like Linux users...

        ...will need to vote with their feet. OEMs won't do anything unless Linux hostility results in significant lost sales.

        It's complete unrealistic for MS to give significant cooperation to an effort that is contrary to its financial interests.
        John L. Ries
        • Please let me edit my posts

          "It is completely unrealistic to expect MS to give significant cooperation to an effort that is contrary to its financial interests."
          John L. Ries
        • For this to work...

          ...OEMs will need to know why they're losing sales.
          John L. Ries
          • EXACTLY

            Right now, OEMs are blaming poor sales on "the economy" yet Apple continues to have record sales. I hate Apple with a passion, but Microsoft screwed up royally with Windows 8 GUI for non-touch displays (i.e. desktops and regular laptops).
          • Apples and oranges.

            Apple's sales are about the iPad and iPhones. OSX desktops and laptops aren't exactly flying off the shelf. The whole paradigm has shifted away from desktops and laptops to tablets and other mobile computing devices. It has nothing to do with windows 8 or secure boot for that matter. The shift started long before Windows 8 was even on the drawing board.
          • EXACTLY

            SPOT ON!!!!!!!!!!!!!!!!!!

            "but Microsoft screwed up royally with Windows 8 GUI for non-touch displays (i.e. desktops and regular laptops)."
        • I'm reminded of the reply given when the philosophers went on strike...

          "Who will that inconvenience?"

          Here's the problem. It's not that there are no systems that cannot dual boot. It's not even that there aren't any NEW systems that can't dual boot...

          The problem seems to be that the Linux community wants to choose any hardware out there and dual boot on it. A laudable goal, I suppose, but unrealistic.

          The number of customers who will reject say, a SurfaceRT tablet because you can't boot it into Linux is microscopic compared to those who want a clean, safe, reliable experience booting it into WinRT.

          In the end, until Linux becomes so commonplace a system on desktops that it has enough market share to make an impact, the right answer is "buy the hardware that works, rather than trying to make the hardware that doesn't work, work."

          Sorry, but to most people, the Linux attitude just feels like butting one's head against a wall for the pain of it.
          The Werewolf!
          • And few things would be more horrifying to MS...

            ...than a flat-out refusal by Linux users to buy Windows-preloaded hardware. Why do you think MS has tried so hard to discourage the sale of naked machines?
            John L. Ries
          • Probably a few reasons...

            "And few things would be more horrifying to MS than a flat-out refusal by Linux users to buy Windows-preloaded hardware."

            Yep - can hear teeth chattering from here.. oh wait.. that was just Steven J. typing on his old IBM XT keyboard.

            "Why do you think MS has tried so hard to discourage the sale of naked machines?"

            Actually, it's more likely the answer lies in the number of pirated copies of Windows floating around (some estimates put pirated Windows installations ahead of legitimate Linux installations). But I guess you can chalk a small part of that up to Linux. Even though Microsoft's bulk OEM licensing predates Linux by about a decade.
          • According to MS...

            ...Linux users *are* pirates, unless they license undisclosed patents from MS.
            John L. Ries
          • According to MS...

            MS is posting losses every quarter, so far 2 in a row.

            The World is literally just a couple of years away from getting the last

            The evil empire aka Mafiasoft is going down hard thanks to Google Android
            and Apple mobile NIX which owns 100% of that burgeoning market.

            I am personally shorting MS stock to make a ton of money!
          • And yet ...

            ... You can buy naked PC's from a variety of vendors or buy a PC pre installed with one of several distros (e.g. Some Dell laptops with Ubuntu pre installed)

            The fact of the matter is that the number of people installing Linux as the primary OS on a laptop/PC is vanishingly small and thus, to most OEM's, isn't worth the cost of modifying the manufacturing pipeline and support services
          • Possibly...

            ...but it's important to remember that buying is voting and that MS claims every last preload as a sale in its publicly reported features (why else do you think Windows Vista was so "successful"). So, if Windows isn't really what you want to use, then maybe you should go out of your way not to buy it, lest MS and its OEM vassals use your purchase as "evidence" that Linux users are a fringe group that is not worth accommodating in any way, shape, or form.

            And no, my software preferences are not, and should not, be determined by popular vote.
            John L. Ries
          • Absolutely, 100% agree.

          • Disagree on dual boot, agree on Linux attitude.

            USSR didn't work because there was no economic incentive. Linux doesn't work because it's sold the same way as communism was sold. The key is for Linux to start being PARTLY commercial. It's already moving in that direction, and the Linux community should support that. Then developers will have the incentive to start making better distros, make drivers, etc. The built in economic incentive will follow, as the distros become easier for the public to use.

            Even so, anyone can get a NEW Win7 machine, which does NOT allow UEFI to be on: I just bought one, and Dell offers a ton of them, laptop, desktop, you name it. Dellauction offers NO OS sales of some very recent vintage machines with i3-i7 processors, plenty of RAM and HDD. So do other vendors. So you can create a dual boot machine. You can also go get them built by ZaReason. I can send them any OS combo I want, and they will build a machine to my specs. So it's 'out there'.
          • False!

            Communism (more properly, Bolshevism) failed for two reasons:

            1. It was imposed and maintained by force (see Alexander Solzhenitsyn's The Gulag Archipelago for details).

            2. Reliance on central planning and control, rather than individual initiative.

            Open source is and always has been a voluntary effort, driven by individual initiative. If you don't want to participate, or use it, then fine, but leave those of us who choose to alone.
            John L. Ries
          • There were other reasons

            Mostly having to do with the huge effort it takes to control the human mind, and the profoundly negative consequences of suppressing bad news, which are why all totalitarian states fail in the end.
            John L. Ries
          • Linux compatibility lists

            Which is why we need to continue maintaining and researching Linux compatibility lists. Invite HW vendors to submit their products for inclusion as well, although I would hold them in an "unconfirmed" list until the compatibility gets validated by end users. In addition I would have a "wall of shame" for vendors who try submitting their products as compatible, that end up not being compatible.

            At this point, I also think we need to start publicly shaming HW & SW companies that refuse to verify Linux or Wine/Linux compatibility (such as the 2012 version of TaxAct).