Summary: The Linux Foundation and friends are working on using UEFI so that computers can be both more secure and give users freedom of operating system choice instead of using Microsoft’s secure boot plan to lock users into Windows 8.

Last month Steven Sinofsky from Microsoft announced new requirements for manufacturers wanting to ship Windows 8 systems, including a feature called “Secure Boot”. I wrote about this last month: http://jet-computing.com/microsoft-kicks-linux-from-windows-8/

Canonical, together with Red Hat, today publishes a white paper (shown below) highlighting the implications of these requirements for users and manufacturers. The paper also provides recommendations on how to implement “Secure Boot”, to ensure that users remain in control of their PCs.

However, the obverse of this would be that Microsoft wants all new personal computers to be a closed appliance, as Apple is with it’s hardware and software.

Secondly, it would be most beneficial for the government because, if keys are decided by OEMs then they would have them by default. If keys are chosen by users then, it becomes more difficult for government. UEFI is a great thing, if it is left to users to choose keys. This way we retain complete control of our own computer systems and does so long as it is done not so as to lock out competition.

Download (PDF, 141.97KB)

How much do you know about the BIOS running on your laptop today? Sure, you probably have frantically pressed F12 at some point to try the latest Ubuntu from a CD or USB stick. Beyond that, BIOS doesn’t often get much attention.  The thing is: BIOS is evolving, and all thanks to the UEFI Specifications.

The UEFI Forum, of which Canonical is a member, is defining the next generation interface between your system’s firmware and any operating system that runs on it. The new specs will make Ubuntu systems boot quicker, have a better battery life and are easier to configure.

The latest UEFI specification also defines a process called Secure Boot (version 2.3.1 – Chapter 27). Secure Boot is designed to address the potential for malware to insert itself between the firmware and the operating system on your computer. It accomplishes this by enforcing that only “approved” software is able to boot in your computer by way of a key that recognises pre-approved and signed software.

According to Microsoft’s presentation at //BUILD/2011, Secure Boot will be “Required for Windows 8 client”. While the UEFI specification does not recommend a specific implementation, Microsoft has a preferred solution (outlined on this blog post) which does not give the user full control over what software that is approved to run on their PC. This is the real issue for users.

Secure Boot should be available to all users
Canonical successfully partners with computer manufacturers to ship millions of  Ubuntu pre-installed systems every year. While this distribution will continue to thrive, we are concerned for users wanting to install any Linux distribution on a PC sold with Secure Boot “ON”.

Any new Windows 8 PC will have Secure Boot switched “ON” when it leaves the shop and will be able to boot Microsoft approved software only. However, you will most likely find that your new PC has no option for you to add your own list of approved software. So to install Linux (or any other operating system), you will need to turn Secure Boot “OFF”.

However, we believe that you have the right to have your cake and eat it too!  Its possible to have Secure Boot and the ability to choose your software platform.

This is why we recommend that systems manufacturers include a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux at the same time in your PC with Secure Boot “ON”. This should also include you being able to try new software from a USB stick or DVD.

Even with the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that  PCs include a User Interface to easily enable or disable Secure Boot and allow the user to chose to change their operating system.

Canonical has discussed these concerns with key industry partners and competitors, resulting in the “Secure Boot Impact on Linux” White Paper, authored by Jeremy Kerr (Technical Architect at Canonical), James Bottomley (Kernel Developer) and Matthew Garret (Senior Software Engineer at Red Hat).

I recommend you read this document to gain a better understanding on how Secure Boot will affect you.

This entry was posted on Thursday, November 3rd, 2011 at 04:47 by dsmith and is filed under Canonical, Linux, Microsoft, Red Hat Enterprise Linux, Secure Boot, Ubuntu, UEFI, Uncategorized, Windows 8. You can follow any responses to this entry through the RSS 2.0 feed.