Linux Foundation UEFI Secure Boot key for Windows 8 PCs delays explained

Thanks to Microsoft, the Linux Foundation's program for booting Linux easily on Windows 8 PCs protected with Secure Boot is still stuck in neutral.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
The Linux Foundation is sorry to report that its project for making Linux easy to boot with Windows 8 Secure Boot still isn't finished.

James Bottomley, Parallels' CTO of server virtualization, well-known Linux kernel maintainer, and the man behind the Linux Foundation's efforts to create an easy way to install and boot Linux on Windows 8 PCs with UEFI (Unified Extensible Firmware Interface) Secure Boot enabled, is sorry to report that "We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader."

Despite the best efforts of Fedora, openSUSE, Ubuntu, and the Linux Foundation, booting Linux on UEFI Secure Boot Windows 8 PCs continues to be a problem. The easiest way to avoid Windows 8 lock-in is to disable UEFI Secure Boot from your system before it starts to boot. However, this option may not be available on all motherboards; isn't available at all on Windows RT devices, such as the Surface; and is still troublesome even with Secure Boot disabled. So it is that the struggle—and struggle it is—to create an easy-to-use, universal install and boot Secure Boot Linux installer continues on.

You don't have to take my word for it. Bottomley reports that, even after jumping through various legal hoops, you can't "just upload a UEFI binary and have it signed. First of all you have to wrap the binary in a Microsoft Cabinet file. Fortunately, there is one open source project that can create cabinet files called lcab. Next you have to sign the cabinet file with your Verisign key. Again, there is one open source project that can do this: osslsigncode. For anyone else needing these tools, they’re now available in my openSUSE Build Service UEFI repository."

"The final problem is that the file upload requires silverlight. Unfortunately, moonlight [an open-source Silverlight implementation] doesn’t seem to cut it and even with the version 4 preview, the upload box shows up blank, so time to fire up windows 7 under kvm [Linux's built-in hypervisor]. When you get to this stage, you also have to certify that the binary “to be signed must not be licensed under GPLv3 or similar open source licenses”. I assume the fear here is key disclosure but it’s not at all clear (or indeed what 'similar open source licences' actually are)."

Legally that's troublesome, but at least the technical problems seemed in hand. Alas, the trouble was only beginning.

First, creating the cabinet file failed. Eventually Bottomley generated a working UEFI Secure Boot Linux pre-loader, but the signing process still indicated that there had been a failure. When he asked Microsoft what was going on, the company replied, "Don’t use that file that is incorrectly signed. I will get back to you." Bottomley speculates that the problem is that the working Secure Boot binary key "is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation."

So it is that the Linux Foundation is still waiting "for Microsoft to give the Linux Foundation a validly signed pre-bootloader." Until that happens, booting and installing Linux on Windows 8 PCs will remain an order of magnitude harder than it is on earlier model PCs.
