Ubuntu Linux adopts new UEFI boot problem approach

Ubuntu Linux adopts new UEFI boot problem approach

Summary: Canonical, Ubuntu's parent company, is taking a new way to address the Windows 8 UEFI secure-boot problem.

Ubuntu is changing how it will boot up on UEFI Secure Boot PCs.

Windows 8 PCs will come with Microsoft's UEFI (Unified Extensible Firmware Interface) Secure Boot. This “feature” will make it much harder to boot Linux or other operating systems. CanonicalUbuntu Linux's parent company, is going to take a new approach to address this problem.

When Canonical first announced its plan on dealing with Microsoft's Secure Boot in the next version of Ubuntu, 12.10, it ran into objections from the Fedora Linux developers and the Free Software Foundation (FSF). In an ideal world, the FSF wants PC vendors to not let users be locked in by Microsoft's Secure Boot.

Failing that, the FSF dislikes both Fedora and Ubuntu's plans on how to deal with Secure Boot because both require that a user trust in a Microsoft-generated key. With Ubuntu, the FSF also opposed Ubuntu dropping the Grub 2 bootloader “on Secure Boot systems, in favor of another bootloader.” A bootloader is the program that lets you boot your system and, if you have multiple operating systems, choose which one to boot.

While both Fedora and Ubuntu are still sticking with Microsoft keys for now, Canonical has come to an agreement with the FSF that will enable Ubuntu users to keep using GRUB2. In a blog posting, Jon Melamut, Canonical's VP of Professional & Engineering Services, writes, “When we announced our plans to support Secure Boot in Ubuntu 12.10, we originally planned that we would use an EFILinux bootloader. We chose that option over the Grub 2 bootloader because Grub 2 has licensing provisions that, in our view at the time, could have forced disclosure of Canonical keys if an OEM partner had inadvertently shipped a computer which did not allow disabling of Secure Boot.”

Canonical and the FSF have talked their disagreement out and, continues Melamut, "the FSF has stated clearly that Grub 2 with Secure Boot does not pose a risk of key disclosure in such circumstances. We have also confirmed that view with our OEM partners, and have introduced variations to the Ubuntu Certification program and QA scripts for pre-installs to ensure that security and user choice are maintained on Ubuntu machines. Therefore, we have decided that Grub 2 is the best choice for a bootloader, and will use only Grub 2 in Ubuntu 12.10 and 12.04.2 by default."

In a statement, John Sullivan, Executive Director of the FSF, added, “We are pleased with Canonical’s decision to stick with Grub 2. We know that the challenges raised when trying to support true user security without harming user freedom—Secure Boot vs. Restricted Boot—are new for everyone distributing free software. This is the situation for which GPLv3 was written, and after helpful conversations with Canonical, we are confident the license does its job well, ensuring users can modify their systems without putting distributors in untenable positions.”

While booting desktop Linux is going to continue to face challenges on Windows 8 PCs, at least the free software and open-source Linux communities are uniting in how they'll confront the Windows 8's UEFI Secure Boot lock-in problem.

Related Stories:

Topics: Ubuntu, Hardware, Linux, PCs, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • So the real problem with Linux and Secure Boot was what?

    It sounds like Canonical figured out a solution...
    It sounds like Fedora figured out a solution...

    However, the politicos don't like the solution because it doesn't agree with their ideas of freedom.. and it seems to conflict with licensing..

    So the real problem was never a technical one.. it was a political one.. Anyone else starting to see a pattern here?
    • Yes. And on thop of that notice that SJVN continues to misleadingly call it

      "Windows 8's UEFI Secure Boot lock-in problem". How friggin lame it that? :-)
      Johnny Vegas
      • +1

        I don't see how buying the same licence that all the other distros are buying constitutes a new approach... We seem to just be discussing boot-loaders; outside of Ubuntu, yet within the open source community, you can in fact choose your boot-loader.
      • SJVN's Get The Facts campaign

        SJVN should be ashamed of himself. This is not the first time he's been corrected on this topic. The first time he wrote this, he could be excused because MS had left it up to the OEMs as to whether or not they wanted to implement a switch to turn off Secure Boot. Then MS made the change to their Windows 8 Certification requirements and SJVN still continued to call it lock-in, which we could excuse as innocent ignorance on his part. There is no excuse now. He has been corrected. He has been informed. This is the SJVN Get The Facts campaign.
        • But least not forget

          He hasn't forgiven Bill Gates for kicking sand in his face that day at the beach.
          Therefore every article will be 100% anti Microsoft regardless of the facts.
      • yawn

        How friggin lame are your onesided manipulative comments. Plz. dont bother ZDNET and us anymore ...
        • Just another comment

          from the Facts be Damned brigade.

          He keeps referring to this as an MS 8 issue when it's a function that can be turned on or off.

          Blind are we?
          • So Tell Me

            Please tell me how you can turn the security off and still boot Windows 8 on the new machines (which I have not seen, nor has anyone I know).
    • It also involves trust

      Do you trust Microsoft?

      Give us 10 reasons why you do...

      Here are a few reasons why one shouldn't:

      * IBM (re: DOS licensing/predatory tactics)
      * IBM (re: OS/2, any number of issues but the biggie was the legal proceeding that led to IBM getting to run Windows within OS2, followed by Microsoft changing the code structure with every new build release, making their lives difficult... It's a shame the breakup allowed Windows NT to come about, since it fixed a lot of OS/2's worst problems (e.g. SIQ...)
      * new OSes being more bloaty (for the sake of making life difficult for those who use VMs... 15GB is asinine for an OS, sorry)
      • Yawn. Give us one reason to trust you?

        William Farrel
        • yawn...

          yawn ... Plz. go and look after another hobby !
      • Not any further than any other corporation..

        ..but at least they are competent, and I know what I'm getting into when installing Microsoft software..

        As for your reasons I shouldn't:

        "* IBM (re: DOS licensing/predatory tactics)" - You mean like that deal they made with IBM to provide MS-DOS in exchange for the ability to license it for use on other computers? I guess in hindsight it wasn't one of the best moves IBM made. Or maybe it was - what would the computer industry look like today if IBM was the only "IBM compatible" manufacturer out there? Apple? Commodore? Tandy? They all tried this, some failed.

        Being considered the "Gold Standard" for small computers in its day, IBM probably benefited quite well from that deal. IBM went into that deal with both eyes open, and they knew exactly why Microsoft wanted that freedom. If they didn't like it, they didn't have to agree; it's not like IBM didn't have decades of experience in the computer industry with very talented engineers who could've easily made them an OS.

        "* IBM (re: OS/2, any number of issues but the biggie was the legal proceeding that led to IBM getting to run Windows within OS2, followed by Microsoft changing the code structure with every new build release, making their lives difficult... It's a shame the breakup allowed Windows NT to come about, since it fixed a lot of OS/2's worst problems (e.g. SIQ...)"

        Don't follow your logic here - it's a "Shame" that NT was allowed to be released because it "fixed" some glaring issues that OS/2 had? Doesn't sound too rational to me, but whatever.

        I'm sure with its massive adoption rate, even before Windows NT came onto the market, OS/2 would have done really well if only a few things were changed. If only it had the backing of a major player in the computer industry, and if only it were a better operating system than everything else out there, and if only it ran industry standard software and Windows programs, and if only it were backed by a major advertising campaign to take advantage of the window offered by a Windows' slipping release schedule... oh wait...

        "* new OSes being more bloaty (for the sake of making life difficult for those who use VMs... 15GB is asinine for an OS, sorry)"

        You know, there was a time, waaaaay back when hard drives went for a few hundred dollars a gigabyte, that the idea of an OS using more than 15 Megs of space was considered "asinine". Heck, I remember balking at all the floppy disks that OS/2 came on (something like 16, if I recall correctly).

        Times, they do change. Hard drives and RAM have gotten much cheaper nowadays though - even though the OS does take up much more space than before, the cost of the space taken up is a small fraction of what it used to be in the olden days.
        • Excellent answer

          You really can't feel that sorry for IBM over the IBM PC clones; clones affected the three existing home pc systems at the time; Apple2, TR80 and the PET, but IBM got buried and we got a standard because they just bolted other companies' parts together; meaning that so long as you could reverse engineer a ROM file you could legitimately build you're own IBM PC very easily, and they did.

          Why did IBM take such a risk, given that they had been in the developing computer industry since it's beginnings? Well up until the 70's even with the microprocessor computers cost 10's of thousands of dollars and took the form of a whole workstation. Home computers only really existed in terms of kits for "enthusiasts" remember enthusiasts in this context excluded all those without an exceptional knowledge of computing; cost and knowledge required excluded most "dabbling"

          However as those with the skills experimented with kits, they began to design their own kits -Apple 1 style. In 1977 this lead to the first home computers as we now understand them. There were two home brew projects; Steve Wozniak's Apple 2 and Don Drench's (with Steve leiniger) TR80, and the commodore PET, itself designed in response to commodore's experience with the apple 2.

          The point was these relatively cheap, home - focused computers all sprung up within the same year. For home purposes such as gaming they actually outperformed the scientific behemoths that IBM had previous experience with.

          As IBM saw the home market expand exponentially into a market with far more potential profitability than the one they found themselves in, they rushed out their pc within a year. To do this they bought off the shelf parts including their OS from MS.

          I'm not saying that the companies that cloned them and made it big acted ethically or anything, but IBM's rush to market essentially created an open platform with the only defendable aspect being the ROM file.

          As daftkey points out this did help us advance and creat a standard, which we benefit from - back into the mid 80's every non imb-compatible was either a clone or a proprietary system; a potential nightmare for developers as software developed. Just look how quick apple stopped supporting both powerpc and intel chips co-currently.

          I don't trust any of these companies, but if you want an example of naughty MS, why not look at microsofts dubius dealings with SCP. The IBM deal was legal; IBM did not enforce ms-dos to run only on their hardware.
          • except your assumptions are incorrect

            The PC was not patented and copyrighted to the gills because the group at Boca went rogue. The mainframers were trying to kill the PC, so the Boca brought it to market without going through all the IBM change management.

            IBM did NOT set the PC free voluntarily, filing suit against anyone that tried to build a clone for a very long time. Compaq was the first successful cloner and IBM tried desparately to kill Compaq in the beginning.

            Also, rember that IBM built MS as it were. Without IBM support, Gates and MS would have died on the vine relatively soon. IBM's commitment to MS DOS made the one most here refer to as the Evil Empire.

            You seem to cut IBM lots of slack writing revisionist history that just ain't true.
      • 15 GB ?

        I call utter bullshit. Windows 8 (with a few apps) - 9 GB
        Windows 7 - 8 GB fully updated.

        Ubuntu (just the default install) - 11 GB

        Of course the minute people talk about bloat, it is apparent they don't know what the hell they are on about.

        If the above is a challenge, don't be such a cheapskate and purchase proper storage.
        • sjaak327,

          >>Ubuntu (just the default install) - 11 GB
          You're quite misinformed: My 5 year-old with tons of extra non-default packages Ubuntu LTS (since 8.04) states:
          :~$ df -h | grep '\/$'
          /dev/sda4 21G 9.8G 9.4G 52% /
          where my /home dir is a separate partition. Moreover, I have a usb flash drive with live Linux mint partitions on them (LMDE and Ubuntu flavored) These have persistent filesystems and occupy no more than 1.3 gigs so far. I added some apps there, like emacs and postgresql already beyond the vanilla setup. Note, LMDE is actually "fatter" than Ubuntu default install.
          • Why does your 5-year-old have an Ubuntu system?

            And what do you think he's (she's) trying to tell you when he (she) says:
            ":~$ df -h | grep '\/$'
            /dev/sda4 21G 9.8G 9.4G 52% /"

            I don't understand your point.
            Does that have anything to do with anything being discussed?
          • I think you misunderstand

            As I read it, the install to which eulampius refers is 5 years old, not his offspring.

            The relevance is that after adding 5 years of packages and not always tidying up old files, the 21gb ubuntu partition (/dev/sda4) is only half full.

            Now with the other assertion; the live cd: this is actually a bit misleading as the live stick uses a compressed read only filesystem that allows it to be that small - if the installer was run, it would expand out to typically just under 6gb.

            In my experience ( I install around 15 OS per month) windows 7 will typically complete the update process around the 20gb mark - for a real world test, a machine I completed updates on on thus is reporting 18.4 GB used - that's just W7 and updates; it'll be closer to 25 once office is installed and updated.

            Like I say my Ubuntu install on this machine is 6.8, and that includes all open office software, browsers, IDE's, virtualbox, etc.

            Now these aren't completely accurate; the breakdown for Ubuntu ignores the 2gb swap, so it's really taking up around 10gb of free space.

            Additionally Windows actually takes up around 15 before it grabs SP1, which pushes it up high - depending on additional OEM software upto the 18 I mentioned.

            You can then reduce this size down to just over 15 again by running a clean up that removes the backups made when SP1 was installed.

            You can then reduce the system size my lowering the page file allocation; this may be able to get you down to 13gb - but you've got rid of the page file space - if you got rid of linux swap it'd still be half the size.

            There are no Linux or BSD that I have used that take up as much physical disk space as windows when configured to the same level, with the obvious exception of Mac OS.
          • "You can then reduce the system size my lowering the page file allocation;"

            What does this even mean?
            Seriously, I'm so glad I don't need Linux
          • Your Quote Refers to Windows

            Then sentence which you apparently didn't understand was a reference to a Windows system, not a Linux one. All operating systems have their technical parts.