Linux Foundation Offers Their Own UEFI Secure Boot Solution

When word hit the wire last fall that Microsoft's Windows 8 certification could prevent Linux from being installed to a PC, it caused ripples throughout the open-source community. While it's clear that Microsoft would love for its competition to cease to exist, this marked the first time in history where the company actually held the power to prevent its competition from appearing on the computers it certifies - a scary thought.

The reason this could happen owes thanks to Microsoft's use of a "Secure Boot" protocol within the UEFI (the BIOS successor). In order for Windows 8 or any other Secure Boot-enabled OS to load up, an authentication key must be presented at boot time in order for the OS or any other boot-related software to load. Because Microsoft wants to keep a tight reign on PCs equipped with Windows 8, the company requires Microsoft-produced keys to be used. If one isn't, the PC will not receive Windows 8 certification - a denotation that many consumers will keep an eye out for.

Likely to avoid potential monopolistic charges, Microsoft doesn't limit which entities can purchase its keys - costing about $100 each - which means that different distributions could go ahead and purchase their own keys to help users get around this roadblock. Some have already jumped on that solution, in fact, such as openSUSE and Fedora. However, what couldn't hurt is an official solution - such as one from the Linux Foundation itself.


Some distributions, such as openSUSE, have already implemented their own Secure Boot solution

This week, that's just what we received. In a post made to the Linux Foundation website, James Bottomley - a developer involved in the search of a solution since the day Secure Boot became an issue for Linux - lays out a solution that could quickly become a standard once Windows 8 hits.

Like Fedora, the Linux Foundation went ahead and purchased its own Microsoft-approved key and used it to create a "pre-bootloader". That's an important distinction to make, because the goal of this pre-bootloader is simply to do what needs to be done to mosey on past the Secure Boot process. Once that's accomplished, the boot process gets handed off to the real boot-loader (such as GRUB2) that handles the actual OS booting.

If this solution sounds a bit sloppy - it's because it is. It's little more than a work-around that aims only to allow Linux users to bypass the limitation that Microsoft has put in place. While other solutions do exist, it was the Linux Foundation's goal to provide a solution that doesn't require a computer genius to handle. After all, a major goal of the Linux Foundation is getting the OS and other open-source software into the hands of common folk, so if a manual is required to simply boot into the OS, that's a problem.

But what about simply using this pre-bootloader to pass the boot process along to a malware-infected boot-loader, or another OS that has nefarious plans? According to the Linux Foundation, this shouldn't be a problem. As an added measure, the pre-bootloader presents a question to the user before the boot process initiates. If the user agrees, the CD, DVD or what-have-you, will boot.

I'll be honest in saying that this still doesn't sound too secure. If all that's needed is the official source code for this pre-bootloader, created with the help of an official Microsoft key, then what's stopping anyone from picking it up and using it for causes other than just booting into a Linux distro? At the core, this seems like little more than a simple Yes / No prompt being added to the boot process. The only difference is that it happens to abide by Microsoft's rules.

There's also the issue of some distributions not picking up on this solution because it's in effect created by Microsoft. While the source code exists for the pre-bootloader, the fact that Microsoft and its key is involved is unlikely to be kosher with those distributions that aim to be as "open" as possible. Though on the flipside, freedom is a key focus of Fedora Linux, and it has opted to go with a similar solution. It may in fact be rare when a distribution decides to opt against it.

Any way you look at it, this is still an inconvenience to Linux enthusiasts, or even those just curious about the alternative OS. And at the end of the day, it's really difficult to understand how this will benefit consumers at all. It could just be Microsoft's hope that, even in a minor way, this could hurt the already modest marketshare Linux has on the desktop. While the Linux Foundation's solution is nothing more than a work-around, offering no additional security to the user, it's fortunate that an option does finally exist in an official form.