Feeds

Linux Foundation ships UEFI Secure Boot workaround

Should work with any distro, but not without hassle

  • alert
  • submit to reddit

High performance access to file storage

The Linux Foundation's open source workaround for Unified Extensible Firmware Interface (UEFI) Secure Boot has shipped, and while it's not necessarily the easiest way to boot Linux on UEFI-enabled PCs, its authors claim it should now work with any bootloader and any distribution.

The Linux community was first alerted to potential problems with Secure Boot in 2011, when computer boffins warned that the digital signing restrictions in UEFI could lock Linux out of PCs that shipped with Windows installed and the firmware security features enabled.

With Secure Boot switched on, the UEFI firmware will only boot operating systems that have been digitally signed, which is problematic for free software. In particular, software that is licensed under the GPLv3 – such as the popular Linux bootloader Grub 2 – is explicitly incompatible with Microsoft's signing scheme.

For its part, Microsoft argued that OEMs were free to allow users to disable Secure Boot, so long as those who did so understood that they were reducing the overall security of their systems. But Linux enthusiasts observed that some OEMs were actually disabling the Secure Boot switch in their firmwares, leaving customers with no way to turn it off (and thus, no way to boot Linux).

Linux kernel hackers wasted no time attacking the problem, and a number of potential workarounds were soon mooted. With the official release of the Linux Foundation's method on Friday, there are now two working techniques for booting Linux on UEFI Secure Boot machines.

The first is Matthew Garret's Shim, some variant of which is currently used by Fedora, Suse, Ubuntu, and a number of smaller Linux distros. This method has the advantage of being fairly painless for end users, while allowing small distros to support Secure Boot without dealing directly with Microsoft.

The new method proposed by the Linux Foundation is slightly more complicated than the Shim method, but it does a better job of supporting the full Secure Boot OS loading API. Specifically, Shim doesn't support the standard UEFI LoadImage() and StartImage() calls, which means some UEFI-compatible bootloaders won't work with it.

The Linux Foundation's pre-bootloader does support such loaders – including gummiboot and efilinux – but the price is that it makes systems that use it harder to maintain.

The Linux Foundation's method is based on cryptographic hashes rather than signing keys, which means that every time the kernel or bootloader for a specific machine is updated, the user must manually add the new hash for that component to the list of permitted binaries. Doing so requires being physically present at the machine, which makes this method unsuitable for servers that are managed remotely.

Some of this may change in the future, however. Garrett says he is currently working on merging the Linux Foundation's code with Shim to produce a new loader that can support both approaches – though when such a combined tool might emerge remains up in the air.

For now, Linux hackers who would like to try out the Linux Foundation's method can download the code for its loader from maintainer Jim Bottomley's website. ®

Bootnote

It's worth noting that although the technical issues regarding Linux and UEFI Secure Boot seem close to being fully resolved, for many Free Software advocates the ethical issues remain outstanding. Bottomley's blog post announcing the Linux Foundation's pre-bootloader spurred lively debate, with several commenters insisting that the only workaround for Secure Boot that should be encouraged is to disable it completely in the UEFI firmware. One user with the login "E Algeo" wrote:

All in all when buying PC hardware one should not be forced to be intertwined with an operating system installed on it period or it seems one has not bought the hardware but instead is renting the right to operate the hardware purchased as well.

Others viewed the release in more pragmatic terms, however. As a user going by "Gary Handslap" remarked:

The notion that achieving perfection means never compromising is such nonsense. This is a great thing, because it means that more people will be able to run the software they want on UEFI hardware.

The Reg looks forward to hearing your thoughts on the matter in Comments.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
Microsoft: Windows version you probably haven't upgraded to yet is ALREADY OBSOLETE
Pre-Update versions of Windows 8.1 will no longer support patches
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.