Linux on Windows 8 PCs: Some progress, but still a nuisance

Summary: Some Samsung laptops with UEFI will brick when you try to install Linux on them, others have problems, and the Linux Foundation is continuing to try to bring its fix for Windows 8 UEFI Secure Boot out.

Getting Linux to boot and install on PCs locked down with Windows 8's UEFI (Unified Extensible Firmware Interface) Secure Boot continues to be annoying at best and downright impossible in some cases. Still, slowly, ever so slowly, progress is being made.

Windows 8's UEFI Secure Boot continues to be a pain in the neck for Linux users. (Credit: sjvn)

First, the bad news. Trouble with a kernel driver has caused some Samsung laptops equipped with UEFI to "brick" simply when someone tries to boot Linux on them. This, however, is not a problem with Secure Boot. Instead, it's a problem with how Samsung has implemented UEFI.

UEFI Secure Boot Linux expert Matthew Garrett explained, "The samsung-laptop driver is a slightly weird thing. By 2010 (when it first appeared) most vendors had moved over to using some level of firmware abstraction, either using ACPI [Advanced Configuration and Power Interface] or WMI [Windows Management Instrumentation]. Samsung still seemed to be stuck around a decade earlier - they were providing a region of memory at a known address, and you'd read that address to find a bunch of offsets. Then you'd write magic values based on those offsets to magic system IO ports based on those offsets and something would happen."

That "something", he continued, was that these "writes were triggering System Management Mode [SMM], a special x86 CPU mode where the processor executes code from memory that the OS can't see, without telling the OS that it's doing so. There's nothing especially new in this (SMM first appeared in the 386sl back in 1990), but it also means that you depend on the system vendor not changing the interface without telling you. Turns out that Samsung apparently changed their platform interface when they moved to UEFI, but didn't actually do anything to prevent old drivers from breaking things - performing exactly the same series of accesses on some modern Samsung laptops gives an uncorrectable machine check exception (in the best case) or destroys your firmware (in the worst case)."

There may also be other problems with UEFI-equipped Samsung laptops and Linux. The H reports that "Samsung developers have been attempting to develop a firmware update to prevent the problem for several weeks."

In the meantime, Linus Torvalds has merged two changes into Linux that will prevent the samsung-laptop kernel driver from being activated when Linux is booted with UEFI. This means that within the next few days, as the change progresses from the kernel to the various Linux distributions, you'll be able to boot Linux on these systems without bricking them.

Some other systems are still having trouble. In particular, some UEFI Secure Boot-equipped Toshiba laptops won't boot Linux at all. According to Garrett, "This turns out to be some staggering incompetence on the part of Toshiba (or, more likely, their third-party vendor) - they managed to leave the signing key out of the database that's used to validate binaries, and managed to leave the signature database signing key out of the database that's used to provide whitelist or blacklist updates. The good news is that this is a blatant violation of Microsoft's Windows 8 certification guidelines, and that seems to have encouraged Toshiba to actually fix their BIOS. The bad news is that any of the affected machines that are currently available are still broken, and Toshiba don't seem to be willing to actually give you the firmware update yet."

Finally, and more troubling, some Lenovo PCs with UEFI Secure Boot aren't simply checking the proper keys to see if an operating system should be allowed to boot; they are also checking whether the operating system's descriptive text says "Windows". If the text doesn't say Windows, even if it is Windows 8, it won't boot. As Garrett says, "This is, obviously, bizarre." This problem has been known since November, and Garrett's sole recommendation is "drinking, because as far as I know they haven't actually got around to doing anything useful about this yet."

James Bottomley, Parallels' CTO of server virtualization, well-known Linux kernel maintainer, and the man behind the Linux Foundation's efforts to create an easy way to install and boot Linux on Windows 8 PCs, is reporting that some useful work is being done with the Linux Foundation's secure boot loader. Alas, it has continued not to be smooth sailing.

Bottomley was sorry to report that the proposed "Pre-BootLoader wouldn’t work in its current form with Gummiboot." Gummiboot is a small and simple bootloader that's designed to take "advantage of all the services available in the UEFI platform instead of being the massive link loader that things like grub," the popular multi-boot loader.

"Unfortunately this means that it boots kernels using BootServices->LoadImage()," Bottomley explained, "which means that the kernel to be booted is run through the UEFI platform secure boot checks.  Originally Pre-BootLoader, like shim, was written to use PE/Coff [Portable Executable and Common Object File Format] link loading to defeat the secure boot checks. Unfortunately, this means that something run by the Pre-BootLoader must also use link loading to defeat the secure boot checks on anything it wants to load and thus, Gummiboot, which is deliberately not a link loader, won’t work under this scheme."

To get it to work, Bottomley had to re-architect and rewrite the bootloader. "The problem has now gone from being how do we create a Microsoft signed link loader that obeys their policies to how do we enable all children of the bootloader to use BootServices->LoadImage() in a way that obeys their policies. Fortunately, there is a way to intercept the UEFI platform signing infrastructure by installing your own security architecture protocol."

"Unfortunately," Bottomley continued, "the PI [Platform Initialization] Spec isn’t actually part of the UEFI specification, but fortunately it is implemented by every Windows 8 system that I can find. The new architecture now intercepts this protocol and adds its own security check. However, there’s a second problem: While we’re in the security architecture protocol callback, we don’t necessarily own the screen of the UEFI system, making it completely impossible to do a present user test for authorizing the running of the binary. Fortunately, there does exist a non-interactive way of doing this and that’s the SUSE MOK [machine owner key] mechanism (https://www.suse.com/blogs/uefi-secure-boot-details/). Thus, the Linux Foundation Pre-BootLoader has now evolved to use the standard MOK variables to store hashes of authorized binaries."

So, the bottom line is that you can now use the "pre-BootLoader with Gummiboot. To boot, you have to add two hashes: one for Gummiboot itself and one for the kernel you’re booting, but actually this is a good thing because now you have a single security policy controlling all of your boot sequence.  Gummiboot itself has also been patched to recognize a failure due to secure boot and pop up a helpful message telling you which hash to enroll."
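The hash-enrollment model described above can be sketched in code. This is an added example, not code from the article or from the Linux Foundation's Pre-BootLoader; it assumes the enrolled value is the Authenticode-style SHA-256 PE/COFF digest that UEFI Secure Boot uses for hash entries, and that the image is well formed with any certificate table at the end of the file. All function names and the sample images are constructed for illustration.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 of a PE/COFF image, skipping the fields a signature changes."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = pe_off + 24                                      # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                    # CheckSum field
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories
    cert_dir = dirs + 4 * 8                                # entry 4: cert table
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)
    end = cert_off if cert_len else len(pe)                # assumes table is last
    h = hashlib.sha256()
    h.update(pe[:checksum])                                # skip CheckSum
    h.update(pe[checksum + 4:cert_dir])                    # skip cert dir entry
    h.update(pe[cert_dir + 8:end])                         # skip cert table
    return h.hexdigest()

def is_authorized(pe: bytes, enrolled: set) -> bool:
    """True if the image digest is in the enrolled set (stand-in for MokList)."""
    return authenticode_sha256(pe) in enrolled

def make_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32+ image: zeroed headers followed by payload."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)
    return bytes(img) + payload

def attach_fake_signature(pe: bytes) -> bytes:
    """Append a dummy certificate table and update the header fields it touches."""
    img = bytearray(pe)
    opt = 0x80 + 24
    struct.pack_into("<I", img, opt + 64, 0xDEADBEEF)      # changed checksum
    struct.pack_into("<II", img, opt + 112 + 32, len(pe), 16)
    return bytes(img) + b"\x00" * 16

# Constructed samples: one "bootloader" and one "kernel", both enrolled.
LOADER = make_sample_pe(b"loader code")
KERNEL = make_sample_pe(b"kernel code")
ENROLLED = {authenticode_sha256(LOADER), authenticode_sha256(KERNEL)}
```

Because the digest skips the checksum, the certificate directory entry and the certificate table, signing or re-signing an enrolled binary leaves its hash valid, while any change to the code does not.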

The Linux Foundation's final fix is still a few weeks away. At the linux.conf.au conference in Canberra, Australia, Bottomley said in his presentation, "UEFI Secure Boot: Where we stand" (PDF), that the Foundation submitted the fixed bootloader to Microsoft on January 21. Under Windows 8 Secure Boot, all PCs, no matter what operating system they actually run, must include several Microsoft-owned keys. Bottomley expects Microsoft to sign the Linux Foundation's bootloader with the appropriate keys within the next few days.

When you put it all together, it's clear that Linux has been making progress in working with Windows 8 PCs equipped with UEFI Secure Boot. That said, it's also clear that getting Linux to install and boot on a Windows 8 PC is still a major nuisance.

Talkback

145 comments
  • Not on my machine

    Could use one less crash dump
    LBiege
  • Windoze breaks it

    Linux has to fix it. So what else is new...
    CaviarGreen
    • It is the future m8

      At least for Microsoft, they tried to lock the application front and they broke the Windows desktop paradigm. They tried to lock the PC and they broke the hardware.

      All I can say to the Linux fans out there, yes you do have to fix it because more ex-Windows developers are going to be joining you soon.
      mil7
    • You mean Linsux?

      It sure does.
      William Farrel
      • William Farrel ...so your say Linux is over your ability to comprehend just

        like it is for Loverock Davidson, toddbottom3?

        the only thing you let out missy Farrel was the to of downloading and compiling, kernel panics, or an open and exposed telnet port......but we'll leave that FUD for Loverock Davidson to come along spew.........
        Over and Out
      • No, I mean...

        ...the OS you never used before that you're so scared of.
        CaviarGreen
    • good lad.....

      The problem seems to arise when putting Linux on the machines... If you like Linux so much why bother with windows? Stupid complaint... Fixing it would be make your own Linux hardware...
      Skunkwurx
      • Why bother with Windows?

        It could have to do with the fact that there are about 20 stores that don't sell Linux machines for every 3 that do.
        Michael Alan Goff
        • You know what is Awesome?

          You can go to any computer store and buy parts and assemble an OS free machine usually cheaper than that crappy OEM anyway and install whatever OS you want on it. Well any OS aside from MacOS of course because that is illegal.
          bobiroc
          • I wasn't aware of that

            So what makes you think the average person is?
            Michael Alan Goff
          • The average person isn't looking for Linux in the stores

            The average PC user -- not necessarily the average IT person, or even the average PC enthusiast -- does not use Linux for their PC needs. And that means that, when they go to buy a replacement PC, they aren't looking for a Linux PC in the store. So they could care less that the local store or online retailer doesn't offer an out-of-the-box Linux PC. In fact, among my family & in-laws, my brother-in-law is the only one that even comes close with his Android smartphone... and he didn't pick it because it ran Android (he could have cared less what OS it used), he picked it because it was the most affordable option for him. Not to mention that Android may be derived from Linux, but Android Linux.
            spdragoo@...
    • Linux can't fix this. Doesn't try to.

      This is just a work-around.

      The problem is in Samsung's crufty laptop firmware, in Samsung's laptop-driver to that firmware, and also Samsung's incorrect spec describing them, and these are obviously Samsung's job to fix. Samsung has apparently been working on the issue for weeks, already. But kludgey, crufty, buggy code is notoriously difficult to work on, and Samsung needs to devise a fix that works reliably on the hardware they've already sold, addresses the related other issues as well, and doesn't create new breakage of its own.

      Meanwhile, the Linux devs are just jiggering the Linux kernel to avoid handling the buggy Samsung firmware/driver mess at all. That's all they can do -- and that's not a "fix", that's a "work-around"
      bswiss
      • That's not a work around

        That's a fix.
        RickLively
      • Apparently a problem in Windows, too

        It seems there are multiple ways, none of which should be a problem in the first place, to brick this Samsung firmware.

        Samsung UEFI bug definitely not fixed
        08 February 2013, 10:55
        www.h-online.com/open/news/item/Samsung-UEFI-bug-definitely-not-fixed-1800541.html

        Quote:
        As well as the samsung-laptop Linux driver, there are other ways of confusing the firmware on some Samsung laptops in UEFI mode to the extent that they will no longer boot. Matthew Garrett indicated as much in a recent blog post, in which he says that it appears that even normal userspace applications in Windows are able to trigger the problem. The kernel developer advises users to run in BIOS mode whatever their operating system. This requires instructing the UEFI firmware to use the CSM (compatibility support module) to boot the operating system; operating systems installed in UEFI mode are, however, unable to boot via CSM.
        bswiss
  • Linux on Windows 8 PCs: Step backs, steps forward

    Easy solution to this problem, don't install linux. If linux is this hard and complicated then you don't need it. Put all that time you are wasting on linux to good use like learning how to properly use Microsoft Windows 8 since its already on the laptop. You won't have to worry about things like the UEFI, downloading and compiling, kernel panics, or an open and exposed telnet port. Plus with Microsoft Windows 8 you have a wealth of applications to choose from that were made by real software vendors and not some hack in his basement who won't give you support.
    Loverock-Davidson
    • His hin-ass Loverock Davidson has arrived........what took you so long?

      Were you doing some compiling in the men's room or working on exposing your telnet port to everyone here at Zdnet?
      Over and Out
      • Well said...

        Enough Said
        CaviarGreen
    • Why don't you use a distro from 2012 or beyond

      I haven't had to compile a kernel... ever.

      I dare say, I don't even know the correct terminal commands to do so.
      Michael Alan Goff
      • I have

        and it was quickly formatted and made space for my Microsoft Windows install. Sooner or later you guys will need to understand that linux just doesn't operate properly.
        Loverock-Davidson
        • Or Linux is over your ability to comprehend it Mr Davidson

          You have what Loverock.....compiled a kernel to make room for a M$ install? .......... What are you trying to say Lovie?......are you smoking something real special today?....your post sounds like you're up in the clouds............

          Were you toking? before doing some compiling in the men's room or working on exposing your telnet port to everyone here at Zdnet?

          I'm sorry Lovie but all kidding aside............Linux really does work properly for those that are in the know......sorry it's never seemed to work for you.............
          Over and Out