Linux Foundation Offers Their Own UEFI Secure Boot Solution


Top 10 Contributor
Posts 26,074
Points 1,182,895
Joined: Sep 2007
ForumsAdministrator
News Posted: Fri, Oct 12 2012 3:28 PM

When word hit the wire last fall that Microsoft's Windows 8 certification could prevent Linux from being installed to a PC, it caused ripples throughout the open-source community. While it's clear that Microsoft would love for its competition to cease to exist, this marked the first time in history where the company actually held the power to prevent its competition from appearing on the computers it certifies - a scary thought.

The reason this could happen owes thanks to Microsoft's use of a "Secure Boot" protocol within the UEFI (the BIOS successor). In order for Windows 8 or any other Secure Boot-enabled OS to load up, an authentication key must be presented at boot time in order for the OS or any other boot-related software to load. Because Microsoft wants to keep a tight rein on PCs equipped with Windows 8, the company requires Microsoft-produced keys to be used. If one isn't, the PC will not receive Windows 8 certification - a denotation that many consumers will keep an eye out for.

Likely to avoid potential monopolistic charges, Microsoft doesn't limit which entities can purchase its keys - costing about $100 each - which means that different distributions could go ahead and purchase their own keys to help users get around this roadblock. Some have already jumped on that solution, in fact, such as openSUSE and Fedora. However, what couldn't hurt is an official solution - such as one from the Linux Foundation itself.


Some distributions, such as openSUSE, have already implemented their own Secure Boot solution

This week, that's just what we received. In a post made to the Linux Foundation website, James Bottomley - a developer involved in the search for a solution since the day Secure Boot became an issue for Linux - lays out a solution that could quickly become a standard once Windows 8 hits.

Like Fedora, the Linux Foundation went ahead and purchased its own Microsoft-approved key and used it to create a "pre-bootloader". That's an important distinction to make, because the goal of this pre-bootloader is simply to do what needs to be done to mosey on past the Secure Boot process. Once that's accomplished, the boot process gets handed off to the real boot-loader (such as GRUB2) that handles the actual OS booting.

If this solution sounds a bit sloppy - it's because it is. It's little more than a work-around that aims only to allow Linux users to bypass the limitation that Microsoft has put in place. While other solutions do exist, it was the Linux Foundation's goal to provide a solution that doesn't require a computer genius to handle. After all, a major goal of the Linux Foundation is getting the OS and other open-source software into the hands of common folk, so if a manual is required to simply boot into the OS, that's a problem.

But what about simply using this pre-bootloader to pass the boot process along to a malware-infected boot-loader, or another OS that has nefarious plans? According to the Linux Foundation, this shouldn't be a problem. As an added measure, the pre-bootloader presents a question to the user before the boot process initiates. If the user agrees, the CD, DVD or what-have-you, will boot.

I'll be honest in saying that this still doesn't sound too secure. If all that's needed is the official source code for this pre-bootloader, created with the help of an official Microsoft key, then what's stopping anyone from picking it up and using it for causes other than just booting into a Linux distro? At the core, this seems like little more than a simple Yes / No prompt being added to the boot process. The only difference is that it happens to abide by Microsoft's rules.

There's also the issue of some distributions not picking up on this solution because it's in effect created by Microsoft. While the source code exists for the pre-bootloader, the fact that Microsoft and its key are involved is unlikely to be kosher with those distributions that aim to be as "open" as possible. Though on the flipside, freedom is a key focus of Fedora Linux, and it has opted to go with a similar solution. It may in fact be rare when a distribution decides to opt against it.

Any way you look at it, this is still an inconvenience to Linux enthusiasts, or even those just curious about the alternative OS. And at the end of the day, it's really difficult to understand how this will benefit consumers at all. It could just be Microsoft's hope that, even in a minor way, this could hurt the already modest market share Linux has on the desktop. While the Linux Foundation's solution is nothing more than a work-around, offering no additional security to the user, it's fortunate that an option does finally exist in an official form.

Top 50 Contributor
Posts 2,865
Points 29,645
Joined: Mar 2011
Location: United States, Connecticut

Now I am not one for being sue happy. But I kind of hope that MS gets sued for being anti-competitive. There is no reason why they could not have programmed a bootloader with secure keys from a third-party certificate authority or that would start any operating system.

Top 10 Contributor
Posts 8,621
Points 103,870
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Fri, Oct 12 2012 9:00 PM

Restriction of trade under the guise of a security solution. Seems to me that 99.9% of security solutions get blasted out of the water in short order anyways.

Somebody, somewhere will figure it out, and it's only a matter of time.

I'll be sure ~not~ to buy any PC gear that incorporates this BS into it.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

Top 50 Contributor
Posts 2,377
Points 31,015
Joined: Nov 2010
Location: Crystal Lake,IL
rrplay replied on Fri, Oct 12 2012 9:50 PM

realneil:

Somebody, somewhere will figure it out, and it's only a matter of time.

I'll be sure ~not~ to buy any PC gear that incorporates this BS into it.

Yeah me too, my mind was made up since we first heard about it and not going to buy or recommend products that have it. It is a bunch of bull. It is a royal PITA for MS to impose the Secure Boot protocol in the first place, [cram and ram] is more like. In some way it reminds me of some Apple tactics, totally dictating exactly the how while misleading the why. Still seeing it for what it is. Sure looks like MS has really got a bug up somewhere since we heard about the Secure Boot and how wonderful the world was going to be... safe and MS secure forever on in la la la land?!

When Win8 & that Metro UI or whatever they decided to call it appeared.

schnitz !

Yep, someone will figure something out, however one looks at it.

"Don't Panic ! 'cause HH got's your back!"

Top 150 Contributor
Posts 653
Points 5,925
Joined: May 2008
Location: Stockholm
mhenriday replied on Sun, Oct 14 2012 7:32 AM

Agree with Rob and the previous speakers/posters. Typical Microsoft - lock in, lock out !...

Henri

Top 50 Contributor
Posts 2,377
Points 31,015
Joined: Nov 2010
Location: Crystal Lake,IL
rrplay replied on Thu, Oct 18 2012 6:08 AM

Came across another flavor of a Linux distro called Rosa Linux, certainly not a well-known or big player, but they have their own basic UEFI support.

More info can be found here http://www.rosalab.com/

 

"Don't Panic ! 'cause HH got's your back!"

Top 150 Contributor
Posts 653
Points 5,925
Joined: May 2008
Location: Stockholm
mhenriday replied on Thu, Oct 18 2012 8:02 AM

One of the lovely things about GNU/Linux - and at the same time one of the most frustrating - is the plethora of distributions that use the system. There creativity flourishes, as opposed to the situation elsewhere ; an apt analogy would be the difference between a natural forest and a tree plantation. But it is not, perhaps, for everybody, even if many would no doubt be pleasantly surprised were they to screw up their courage and enter the forest....

Henri
