Linus describes Secure Boot as being “pushed in your face by people with an agenda.” But his real problem is that Secure Boot would then imply Kernel Lockdown mode.
At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.
The Linux Foundation started work on Secure Boot last year and announced back in October that its plan involved development of a pre-bootloader, which it will get signed by Microsoft. A signed pre-bootloader will allow for chain-loading of boot-loader of any other operating system thereby enabling users to install non-signed Linux distros on Windows 8 UEFI hardware. This signed pre-bootloader will greatly help smaller distributions that don’t have either the resources or time to get their own Microsoft-verified key.
At the implementation layer, we intend to use the shim loader originally developed by Fedora – it’s a smart solution which avoids several nasty legal issues, and simplifies the certification/signing step considerably. This shim loader’s job is to load grub2 and verify it; this version of grub2 in turn will load kernels signed by a SUSE key only. We are currently considering to provide this functionality with SLE11 SP3 on fresh installations with UEFI Secure Boot present.
Responding to a query from iTWire about what OpenBSD, widely recognised as the most security-conscious UNIX, would be doing to cope with “secure” boot, De Raadt said: “We have no plans. I don’t know what we’ll do. We’ll watch the disaster and hope that someone with enough power sees sense.”
Red Hat’s method of ensuring that PCs certified for Windows 8 can boot GNU/Linux, announced by its community distribution Fedora, is to sign up to the Microsoft developer program and obtain a key which will be used to sign a “shim” bootloader.
With the GPLv3-licensed GRUB2 not being an option, Canonical then explored using the GRUB Legacy release with EFI patches on top, but they didn’t want to touch that aging code-base. Canonical has decided to use Intel’s efilinux loader that is more liberally licensed and they’re able to make some modifications to provide a simple menu interface.
Summary: The drumbeat from Linux advocates about a key security feature in Microsoft’s forthcoming Windows 8 is getting louder. They call it an anti-Linux plot. But the two leading PC makers disagree with them. I’ve got exclusive details.