Linux developers working on uniting Windows 8 Secure Boot fixes

There are now two major ways to boot and install Linux on Windows 8 PCs, but soon they'll only be a single unified method.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Thanks to Microsoft's Windows 8 UEFI (Unified Extensible Firmware Interface) Secure Boot there was no easy way to boot Linux, or any other operating system, on Windows 8 PCs. Now, there are two ways, the recently released Linux Foundation (LF) UEFI secure boot system and Matthew Garrett's shim system to boot Linux on these PCs. Soon, there will be only one unified way.

Soon, loading Linux on a Winodws 8 PC will be as simple as picking a distribution from a menu. (Credit: Gummiboot)

UEFI Secure Boot Linux expert Garrett wrote in his blog, "we now have two signed bootloaders available." The shim method, which Garrett worked on, is now used by Fedora, openSUSE, and Ubuntu. "The LF loader is a different solution to the same problem," said Garrett.

According to Garrett, "One of the primary functional differences between Shim and the LF loader is that the LF loader is based around cryptographic hashes rather than signing keys. This means that the user has to explicitly add a hash to the list of permitted binaries whenever a distribution updates their bootloader or kernel. Doing that involves being physically present at the machine, so it's kind of a pain."

So why did the LF create it then? Garrett explained, "Being hash based means that you don't need to maintain any signing infrastructure. This means that distributions can support Secure Boot without having to change their build process at all. Shim already supports this use case (and some distributions are using it), but the LF loader has nicer UI for managing it."

In addition, Garrett conceded, "Shim implements Secure Boot loading in a less than entirely ideal way - it duplicates the firmware's entire binary loading, validation, relocation and execution code. This is necessary because the UEFI specification doesn't provide any mechanism for adding additional authentication mechanisms. The main downside of this is that the standard UEFI LoadImage() and StartImage() calls don't work under Shim. The LF loader hooks into the low-level security architecture and installs its own handlers, which means the standard UEFI interfaces work. The upshot is that you can use bootloaders like Gummiboot or efilinux [user-friendly UEFI boot menu systems] without having to modify them to call out to Shim."

So, with two different approaches to the same goal, Garrett has decided to merge them together. He's now working on "integrating the LF loader's UI and security code into Shim with the aim of producing one loader that'll satisfy the full set of use cases."

Jame Bottomley, the Linux kernel developer behind the LF UEFI bootloader thinks this is a fine idea. "We’re currently investigating merging them. The main sticking point is the validity of the security override protocol," wrote Bottomley.

Once that problem is fixed, and the usual programming teething troubles are overcome, we'll see a new, unified Linux bootloader for all Intel-based Windows 8 PCs. Neither method, nor the forthcoming unified one, will work on any ARM-powered Windows RT tablet or laptop. Microsoft ARM-powered devices are permanently locked into Windows 8. Still, within the next few months, booting and installing Linux on Intel-based Windows 8 PCs will once more be a matter as simple as putting a Linux CD or USB stick in a PC and re-booting the system.

Related Stories:

Editorial standards