Windows 8 PCs with UEFI Secure Boot Could Lock Linux Out

Claims Matthew Garrett, mobile Linux developer at Red Hat

By on September 22nd, 2011 12:59 GMT

Although he acknowledges that there’s nothing to panic about yet, Matthew Garrett, mobile Linux developer at Red Hat, posted a blog post designed to raise some concerns over the possibility that Linux might be locked out from Windows 8 PCs because of the new UEFI secure boot feature.

One of the new security mitigations introduced in Windows 8 involves hardening the startup process, in an effort to fend off threats such as rootkits and similar boot-time malware.

This is done by only loading components that are correctly signed by Microsoft as Windows 8 is booting.

Here is how Microsoft details the secured boot feature of the next major iteration of Windows:

“Secured boot stops malware in its tracks and makes Windows 8 significantly more resistant to low-level attacks. Even when a virus has made it onto your PC, Windows will authenticate boot components to prevent any attempt to start malware before the operating system is up and running.

“If the component isn’t correctly signed by Microsoft, Windows will begin remediation and start the Windows Recovery Environment, which will automatically try to fix your operating system.”

Secure boot is an aspect of the evolution of the Unified Extensible Firmware Interface, involving the integration of signing keys directly into the system firmware.

Code running on a machine with UEFI secure boot will also need to be signed with the same keys that the computer's manufacturer has embedded in the system firmware.

According to Garrett, Microsoft considers secure boot enabled by default as a requirement of the logo program for Windows 8 PCs.

“The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows,” he notes.

“The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.”

Garrett stresses that a logoed OEM Windows 8 PC with UEFI secure boot will not boot generic copies of Linux, of which there are a great many.

While Linux distributors could just as well sign their versions of the operating system, the platform's licensing creates some issues. Bootloaders under GPLv3 and GPLv2 simply won't do, because the licenses imply that the vendors would have to share the signing keys.

With OS kernels becoming part of the bootloader, they'll also need to be signed. And even in the eventuality that devs sign their own code, they still need to work with manufacturers to have their keys included in the system firmware.

“There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't,” Garrett added.
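To make the mechanism described above concrete, here is an added example (not code from the article or from Garrett's post) that models a UEFI firmware's signature database: an image boots only if its signer's key is enrolled in the firmware and the signature verifies over the code, unless the OEM exposes a switch that disables enforcement. Ed25519 keys, seeds, file names and image contents are all constructed for illustration; real UEFI uses X.509 certificates and Authenticode-signed PE binaries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// BootImage: constructed stand-in for an EFI binary with its signature and signer's public key.
type BootImage struct {
	Name      string
	Code      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}
// Firmware: the OEM-provisioned key database (db) plus the optional switch to disable enforcement.
type Firmware struct {
	SecureBoot bool
	TrustedDB  []ed25519.PublicKey
}
// Sign signs the SHA-256 digest of code with a vendor's private key.
func Sign(name string, code []byte, priv ed25519.PrivateKey) BootImage {
	d := sha256.Sum256(code)
	return BootImage{name, code, ed25519.Sign(priv, d[:]), priv.Public().(ed25519.PublicKey)}
}
// Boot returns nil when the firmware would run the image: with enforcement on, the signer's key
// must be in db and the signature must verify over the code; otherwise the image is refused.
func (fw Firmware) Boot(img BootImage) error {
	if !fw.SecureBoot {
		return nil // enforcement disabled: anything boots, signed or not
	}
	for _, k := range fw.TrustedDB {
		if k.Equal(img.SignerKey) {
			d := sha256.Sum256(img.Code)
			if ed25519.Verify(k, d[:], img.Signature) {
				return nil
			}
			return fmt.Errorf("%s: signature does not match code", img.Name)
		}
	}
	return fmt.Errorf("%s: signer key not in firmware db", img.Name)
}

func main() {
	msPriv := ed25519.NewKeyFromSeed([]byte("constructed-microsoft-key-seed!!"))   // stands in for Microsoft's key
	distroPriv := ed25519.NewKeyFromSeed([]byte("constructed-linux-distro-seed!!!")) // a distro's key, not in db
	fw := Firmware{SecureBoot: true, TrustedDB: []ed25519.PublicKey{msPriv.Public().(ed25519.PublicKey)}}
	fmt.Println(fw.Boot(Sign("bootmgfw.efi", []byte("windows loader"), msPriv)))  // <nil>
	fmt.Println(fw.Boot(Sign("grubx64.efi", []byte("linux loader"), distroPriv))) // grubx64.efi: signer key not in firmware db
}
```

Enrolling the distro's public key in TrustedDB, or clearing SecureBoot, are the two ways the refused loader gets to run, which is exactly the dependency on OEMs that the article describes.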

Personally, I don’t think that Windows 8 PCs with UEFI secure boot will block users from installing, booting or running any operating system they want, including Linux.

I welcome the new bulletproofed boot process of Windows 8 and I think that it will have a great impact on increasing the level of security for end users. At the same time, I’m confident that Linux will still continue to boot on new computers worldwide even after Windows 8 is launched.

Windows 8 Developer Preview Build 8102 Milestone 3 (M3) is available for download here.
