White Paper: Secure Boot impact on Linux

Last month Steven Sinofsky from Microsoft announced new requirements for manufacturers wanting to ship Windows 8 systems, including a feature called “Secure Boot”.

Canonical, together with Red Hat, today publishes a white paper highlighting the implications of these requirements for users and manufacturers. The paper also provides recommendations on how to implement “Secure Boot”, to ensure that users remain in control of their PCs.

UEFI is a good step forward
How much do you know about the BIOS running on your laptop today? Sure, you probably have frantically pressed F12 at some point to try the latest Ubuntu from a CD or USB stick. Beyond that, BIOS doesn’t often get much attention.  The thing is: BIOS is evolving, and all thanks to the UEFI Specifications.

The UEFI Forum, of which Canonical is a member, is defining the next generation interface between your system’s firmware and any operating system that runs on it. The new specs will make Ubuntu systems boot quicker, have better battery life and be easier to configure.

The latest UEFI specification (version 2.3.1, Chapter 27) also defines a process called Secure Boot. Secure Boot is designed to address the potential for malware to insert itself between the firmware and the operating system on your computer. It accomplishes this by enforcing that only “approved” software is able to boot on your computer, by way of keys held in the firmware that recognise pre-approved and signed software.

According to Microsoft’s presentation at //BUILD/2011, Secure Boot will be “Required for Windows 8 client”. While the UEFI specification does not recommend a specific implementation, Microsoft has a preferred solution (outlined in this blog post) which does not give the user full control over which software is approved to run on their PC. This is the real issue for users.

Secure Boot should be available to all users
Canonical successfully partners with computer manufacturers to ship millions of Ubuntu pre-installed systems every year. While this distribution will continue to thrive, we are concerned for users wanting to install any Linux distribution on a PC sold with Secure Boot “ON”.

Any new Windows 8 PC will have Secure Boot switched “ON” when it leaves the shop and will be able to boot Microsoft approved software only. However, you will most likely find that your new PC has no option for you to add your own list of approved software. So to install Linux (or any other operating system), you will need to turn Secure Boot “OFF”.

However, we believe that you have the right to have your cake and eat it too! It’s possible to have Secure Boot and the ability to choose your software platform.

This is why we recommend that systems manufacturers include a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux side by side on your PC with Secure Boot “ON”. This should also include you being able to try new software from a USB stick or DVD.

Even with the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when they bought it. For this reason, we recommend that PCs include a user interface to easily enable or disable Secure Boot and allow the user to choose to change their operating system.
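As an added illustration (not code from the white paper or from Canonical), here is a small Python model of the firmware policy these recommendations describe: an approved-image list (db), a revocation list (dbx), a Platform Key that decides who may change them, and the Secure Boot on/off switch. It assumes, as a simplification, that db and dbx hold image hashes rather than signer certificates and that “owner_authorised” stands in for an update signed with a key the owner controls; the boot images are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field


def image_hash(image: bytes) -> str:
    """Firmware-side identity of a boot image: SHA-256 over its bytes."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Firmware:
    """Toy model of the variables behind a Secure Boot decision (assumed simplification:
    hashes instead of certificates, a boolean instead of a signed policy update)."""
    secure_boot: bool = True
    pk_enrolled: bool = True                    # Platform Key present: "User Mode"
    db: set = field(default_factory=set)        # approved image hashes
    dbx: set = field(default_factory=set)       # revoked image hashes

    def verify(self, image: bytes) -> tuple:
        """Decide whether the firmware hands control to this image."""
        if not self.secure_boot:
            return True, "secure boot off: nothing is checked"
        h = image_hash(image)
        if h in self.dbx:                       # a revocation beats an approval
            return False, "rejected: image is revoked (dbx)"
        if h in self.db:
            return True, "approved: image hash found in db"
        return False, "rejected: image hash not in db"

    def _may_change_policy(self, owner_authorised: bool) -> bool:
        # No PK: "Setup Mode", any change is accepted at the console.
        # PK present: only an update authorised by the owner is accepted.
        return (not self.pk_enrolled) or owner_authorised

    def enroll(self, image: bytes, owner_authorised: bool) -> bool:
        """Add an image to the approved list (the user's own list of software)."""
        if not self._may_change_policy(owner_authorised):
            return False
        self.db.add(image_hash(image))
        return True

    def revoke(self, image: bytes, owner_authorised: bool) -> bool:
        """Forbid an image, even one a vendor shipped as approved."""
        if not self._may_change_policy(owner_authorised):
            return False
        self.dbx.add(image_hash(image))
        return True


# Constructed stand-ins for real boot images (not real binaries).
WINDOWS_LOADER = b"constructed: vendor-approved Windows boot manager"
UBUNTU_LOADER = b"constructed: GRUB image the owner wants to boot"
OLD_LOADER = b"constructed: older vendor loader with a known weakness"


def scenario() -> dict:
    """Walk through the situations the post describes; record each outcome."""
    fw = Firmware()
    fw.enroll(WINDOWS_LOADER, owner_authorised=True)        # what the shop ships
    out = {}
    out["shipped_boots_windows"] = fw.verify(WINDOWS_LOADER)[0]
    out["shipped_boots_ubuntu"] = fw.verify(UBUNTU_LOADER)[0]          # False
    out["enroll_without_owner_key"] = fw.enroll(UBUNTU_LOADER, False)  # no way in
    out["enroll_with_owner_key"] = fw.enroll(UBUNTU_LOADER, True)      # the fix
    out["dual_boot_windows"] = fw.verify(WINDOWS_LOADER)[0]
    out["dual_boot_ubuntu"] = fw.verify(UBUNTU_LOADER)[0]   # Secure Boot still ON
    fw.enroll(OLD_LOADER, True)
    fw.revoke(OLD_LOADER, True)
    out["revoked_still_in_db"] = fw.verify(OLD_LOADER)[0]   # False: dbx wins
    fw.secure_boot = False
    out["secure_boot_off"] = fw.verify(OLD_LOADER)[0]       # True: no check at all
    return out
```

Run `scenario()` to see that the owner-enrolled image boots with Secure Boot left on, while disabling Secure Boot lets even a revoked image run.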

Canonical has discussed these concerns with key industry partners and competitors, resulting in the “Secure Boot Impact on Linux” White Paper, authored by Jeremy Kerr (Technical Architect at Canonical), James Bottomley (Kernel Developer) and Matthew Garrett (Senior Software Engineer at Red Hat).

I recommend you read this document to gain a better understanding of how Secure Boot will affect you. We will continue to work with our partners to ensure you still get to choose what runs on your PC!

33 comments

  1. charles

    I agree with all of this. As everyone knows, though, there’s always a trade-off between security and accessibility… and UEFI secure boot is a step towards security. At least, it’s supposed to be. But I bet that one day, maybe soon, that same secure boot will be turned against non-techie users the same way that the most profitable malware today has been used against them.

  2. ilmari

    The white paper mentions the need for “configuring keys in system firmware”, but only talks about adding custom keys.

    It should also be possible to remove any keys shipped by default, if one for example does not trust the OS vendors that the motherboard manufacturers trust.

  3. Andreas

    The user interface should also allow removing signatures/permissions to run certain OSes. I would like to configure my BIOS to run Ubuntu *only*.

  4. neuromancer

    Great job Canonical and Red Hat: collaboration is the key. It’s also necessary to inform users and report these unfair behaviours of Microsoft to the media.
    Go Linux :)

  5. manny

    Secure-boot might become a good thing.

    Ubuntu users are used to buying “Windows computers” and feeding them…

    Ubuntu preinstalled is the way. It will be more important than ever to purchase open Ubuntu computers from friendly companies like System76, zareason and Dell China.

    But Ubuntu needs to have more quality, fewer bugs, be more attractive, have more up-to-date software backported, and longer release cycles to keep a stable base for OEMs, users and developers (think “Apple”; 6-month releases don’t work).
    These computers should ship only with LTS releases, because normal consumers prefer not to upgrade, but to keep the software they use up to date. If we do it correctly, we will reach those 200 million, but Ubuntu is not as good or ready as it should be for the consumer market yet.

  6. Duncan Macdonald

    As UEFI is only in control until the OS bootstrap is started, the easiest fix would seem to be to get the GRUB loader signed. Once it has started it can then load Linux without any of the main Linux code needing to be signed.

  7. mg_bobuk

    When I first heard about this I thought it was a joke. If Microsoft is putting pressure on PC manufacturers to have secure boot on when they are installed with Windows 8, that will make dual boot impossible.

    I agree with what you have said in your white paper allowing the user to decide what they want on their machine rather than Microsoft telling them that you can only have their OS and no others.

    I feel that having the GUI front end that allows the user to enter the OS they want to use is a good idea.

  8. PJuggler

    What happens when Windows fails? What are you allowed to boot with to fix it? Are you obliged to format the drive and start over or do you throw out the computer and buy a new one?

  9. mg_bobuk

    I think this opens more questions than it answers. I build my own machine to my standards; having to enter a key for each of the products sounds like a pain in the neck.

    It smells to me that Microsoft doesn’t trust its own product and to protect it it’s willing to lean on the PC market to comply with its standards.

  10. Herbert Nachtnebel

    Since Canonical is a member of the UEFI group it should be made absolutely clear to the hardware manufacturers that any attempt to force such a restriction onto its customers will have a strong impact on the sales numbers of the boards/computers/hardware devices the manufacturer is trying to sell. This year is a perfect example why. Since June at least 4 CAs have been compromised and had to revoke more than 50 certificates to protect the integrity of SSL communication. How will such things be handled within the BIOS? Who is responsible for this? Why should I as a user trust any certificate placed by whomever in the BIOS of the computer which I have bought regularly and therefore own?
    There is only one valid answer to these questions: only the owner of the computer can say who she will trust or not. If the owner of the computer is not able to control that _fully_ (even preinstalled M$ certificates), then that computer can’t be trusted by the owner and is as a result quite useless. The manufacturers should not falsely take the position that the typical customer is unable to handle such technical questions and hence isn’t interested in such topics, since any nontechnical customer is usually asking someone with a more technical background for help in decision making and any honest person will for sure have problems in recommending such crippled hardware devices.


  12. Kruug

    Is there any way to get Linux distros and repositories signed so that no settings have to be changed on the user’s end?

  13. Kevin Lynch (@aikiwolfie)

    I think it’s about time someone started building Linux machines that can’t run Windows natively. Maybe we can use the secure boot function in UEFI.

  14. robert flatters

    I guess this is a short comment really. I felt your white paper hit the mark in what it says about it should be up to the end user what OS they run rather than Microsoft telling them they should use their package only. I build PCs as a hobby and I want to be given an option of what OS I want to put on my PC at the end of the. If someone buys a PC from a shop they will not be given that option in the first place. Unless, like the web browser selection, a user is given an option of what OS they want to download and install.

    When the chip manufacturers start to implement this in their BIOSes there will be resistance to the change. Like I said, I agree with what Canonical has recommended in its white paper.

  15. John

    Good on ya! The prospect of Microsoft getting more control of my property is infuriating. Thank you for describing the matter in lucid and temperate terms. The temperance is beyond me at present.

  16. 1linuxfreak

    Funny, I thought when you purchased a product it was yours to own and do what you want with it; guess I was wrong.
    Locked bootloaders are something we fight on cellphones as well (lots of manufacturers are now unlocking bootloaders in fear of losing sales), now our PCs.

  17. Wiil

    I think this is just a continuation of the Wintel conspiracy to keep end users (AKA non-techies) blind to Linux (a much more viable and better platform) (now including ARM). Microsoft is now trying to extend their monopoly-like reach to more forms of computers (tablets, smart phones, and the like) (there isn’t going to be Windows Phone 8). Now they’re copying other operating systems for ideas (take note of the Metro interface being fused vs. the iPad interface being fused with parts of OS X) (also the live USB idea is being copied: “hold your operating system and data on only one drive” (an idea Ubuntu live media holds)). If they interface ANY part of the normal system of Windows to this, then sh*t is going down (there are probably going to be jailbreaks for ARM-based devices to get Windows off). I’m happy about the news of 14.04 LTS and later integrating support for tablet computers and mobile platforms, but then it might be too late (seeing how Windows is so mainstream) (since Ubuntu goes through major updating every 6 MONTHS!). I’m going to save this forever as an argument cannon pointed at MS and their evil.

  18. Paddy Landau

    I think that the European Commission for anti-trust would have something to say about Microsoft’s actions.

    Microsoft’s UEFI version is a blatant attempt to prevent alternative OS installations and (yet again) use its power to try to destroy competition.

  19. Mister

    UEFI is a complete disaster. It is basically trying to “complicate the wheel” with all of its fancypants extensions. It is almost as if UEFI itself is an operating system!

    The BIOS has the biggest advantage over UEFI in terms of simplicity. Sure, it may not be able to handle things like >137GB (CHS) or 2TB (LBA?) boot, but it was simple. If one got rid of these limitations (and to be honest, I cannot see how 16-bit code is a limitation of the BIOS) then BIOS would do fine.

    There is NO need to run a fancypants GUI or fully fledged networking capabilities in the pre-boot environment, and these present some valid security concerns.

    Given enough time I could probably come up with a much simpler architecture, which basically can just boot the OS and let the OS do its thing without interfering.

    Remember what BIOS stands for… Basic Input/Output System… With UEFI you effectively get rid of the “BASIC” bit.

  20. Peter Smout

    Please please do NOT let Microsoft dictate what OS we choose to use on any machine that we have parted with our hard-earned cash to purchase! I cannot think of anything else I could buy where a private company could decide what I can use on it. It’s like buying a dining table from Ikea and them saying I cannot use my Marks & Sparks crockery on it!!

  21. Jose Luis Triana

    Peter: That thing belongs to us, the customers, the end-users; as we have the money to purchase the hardware, we have the power to make them not put that UEFI secure boot thing in as Microsoft wants. We have the choice, we have the last word, as it always was. Canonical is just a company, but we are the force that permits or not being dictated to. But we need, everybody needs, to be conscious of this, to be conscious that it will not be fair for everybody that only OEM distributors and Microsoft could have the control of the OS that boots on that brand new computer. What if I want to run Ubuntu on that laptop and I can’t do it? We’re in time to avoid Microsoft’s desperate effort to conserve its power.

  22. Wiil

    If Canonical and Red Hat left this alone then the feds in America and the European Commission for anti-trust in Europe will effectively “break” Microsoft apart into smaller companies so that a monopoly doesn’t form, completely shutting out everything. In this view, M$ would have to sell itself to various companies (DOS goes back to IBM for instance) and people wouldn’t have a “standard Windows”. It might be that M$ gets sued AND this white paper specification is implemented. (great :D)

  23. Bob

    MS may be able to make this work in the USA, but I can’t see the EU falling for it. This is a monopolistic move that will be challenged in court if hardware vendors start locking out users from loading other OSes on their PC. Personal computers as we use them today are classed as general-purpose computing devices, not Windows-specific computing devices. Unlike TVs, clock radios, refrigerators, etc., PCs are designed to allow loading and unloading of a vast variety of binary code, including the OS. :-)

    Don’t worry too much about this. It will never fly the way MS wants it to.

  24. Scott

    My position is that I believe that hardware vendors should supply a pluggable trust device to connect to their mainboard that affords the original purchaser the ability to modify the held PKs of the O/S vendors (or the custom-built image originator), thus the owner of the hardware has the equivalent rights over property that e.g. the owner of a vehicle has.

    Having the platform keys kept secret (as things stand now) is the wrong approach, creating more and more instant obsolescence (as has already been stated.) Hardware vendors, I will not recommend your products for purchase until you fix this.

  25. paddywhack

    Contact your legislators. Microsoft’s blatant use of its status as the industry’s 800lb gorilla in an attempt at total monopoly is disturbing.

    If you live in the United States, you will recognize this as something that Teddy Roosevelt would have attacked, dismantled, thrown to the ground and burned. Get that, Republicans? This is what happens when American corporations are not scrutinized, regulated and kept from colluding to form monopolies.

    Oh. Teddy Roosevelt? He was a Republican. He probably would be ashamed of his Party today.

  26. Harry Richter

    Some facts to consider in this discussion:
    1. Any hardware manufacturer can sell hardware with Windows 8, regardless of processor architecture (ARM or Intel) and regardless of the implementation of Secure Boot.
    2. Only such hardware that implements Secure Boot as outlined in the “Windows Hardware Certification Requirements” is allowed to use the tiny sticker that says “Designed for Windows 8”.
    3. No hardware manufacturer is forced to adhere to the “Windows Hardware Certification Requirements”.
    4. No hardware manufacturer is forced to sell the hardware bundled with an operating system.
    5. Nobody is forced to buy hardware bundled with an operating system.
    6. Nobody is forced to buy hardware that has the tiny sticker that says “Designed for Windows 8” (and thus has the implementation of Secure Boot as outlined in the “Windows Hardware Certification Requirements”).

  27. Trust F. OBE

    PaddyWhack is Right.
    No One Is forced to buy hardware that is bundled with an OS that has SecureBoot On… BUT Microsoft are not your average company, they DEFINITELY Have an EndGame which will definitely dwarf users that do NOT adhere to their selfISH and monopolistic rules… If they are not stopped IN TIME.
    If Dr. Dre can partner with HP to produce laptops with Beats By Dre Speakers, they can MAKE SURE 99% of PCs adhere to their SPECIFICATIONS… so If You can’t find a system that has SecureBoot turned off… You Simply Buy What Is Available…

  28. Trust F Obe

    Clearly Microsoft doesn’t FORCE anyone to buy a PC that is “Designed for Windows 8” and has SecureBoot on by default… BUT Microsoft is not your average IT company, They’re the BIG BOSSES. If Dr. Dre could team Up with HP to produce A line of PCs that will come with Beats By Dre Speakers… without asking potential buyers if they would like stuff like that to be in the market, then You should know Microsoft is capable of making 99% of PCs In the market be built to their specifications (without forcing anyone to buy).
    So, If All that is available is what you don’t like, it Is you that will adjust to the market, NOT MICROSOFT… it is only IF they Are stopped before it gets to that point.

  29. Gary Maxwell

    The UEFI spec is touted as a way to secure a machine in such a way as to prevent malware from executing during the boot process.

    There are some good things about it but the downsides are far more for the Linux user.

    Microsoft has played its hand skillfully here.

    They themselves are making the requirement that all ARM machines be shipped with the ability to disable the UEFI firmware set to “off.” Now, if the manufacturers decide to NOT implement a way for users to easily disable UEFI then the responsibility is passed from Microsoft to the hardware manufacturers.

    Microsoft gets its wish but the hardware manufacturers get the blame. It still sounds like collusion to me.

    Should be interesting to see what happens.

    As to the argument that we own the hardware and should be allowed to do with it as we please, Microsoft and their OEM partners can simply say that you don’t have to buy their hardware…

    I can see a legal battle coming…

  30. Carlos

    That sounds to me like a tyranny, as the natural evolution of big power and greed, just masked as a pretended user-friendly protection gesture. Without truly stepping forward into freedom or user defense, giant cash companies almost never want to share the money (legal or not) nor the market with others. They prefer (as politicians do) to make agreements between top competitors or strategic share partners (like hardware makers, and “labeled” assemblers aka HP, Dell, etc.) and convince them in one way or another (using their weight and power). I expect you, Canonical, never come out with Microsoft-like practices nor as a user abuser.

    When they have this kind of practices, they drastically cut the competition, make it harder to implement alternatives, and we, the final users, at the final stage lose the most. Even our liberty to do whatever we want with the things we legally bought. Making the government an accomplice, bringing laws to “protect” or making us criminals for deciding what to modify or adapt for personal use in the things we paid them for.

    Stop them, and make the users truly free. Don’t spy on users’ activities, sell the statistical info, nor make anti-ethical profit; just be legal. Humans have the primordial right to equality and the right of choice, without harming nor limiting the rights of others.

    Security YES, lack of freedom NEVER. It’s not that difficult.
    There is a vast variety of right choices, not only Microsoft nor even Linux deployments. We wait for it.


  32. Annie linux

    None of this is required if a PC uses encrypted boot, system and user partitions, and this sort of encryption is trivially easy to implement – Red Hat/Fedora/CentOS and Debian now basically come with whole-disk encryption available if you want it. UEFI is more about the big bad boy on the block (you know who you are) controlling what is installed on a machine – see Fedora from v18 has already succumbed and has gone running to microshaft to purchase a key for UEFI; it means that loadable kernel modules will need their own key as well as the distro being signed by m$. Pah!
