In association with heise online

22 September 2011, 10:26

Community fears Windows 8 Secure Boot will block Linux


Among the new features of Windows 8 is the Secure Boot function, which prevents unsigned boot loaders from starting on PC motherboards and notebooks that run the most recent versions of UEFI (2.3.1). This means that, if Secure Boot is enabled, no Linux system, or other operating system, can be booted unless it includes the required signatures and has explicitly been authorised for the system by the owner or administrator of the device.

This is the intentional purpose of Secure Boot. It is designed to protect systems from being accessed by other unauthorised operating systems so that, for example, thieves cannot spy on a user's data by booting a stolen PC from a USB flash drive. Secure Boot is also designed to detect whether operating system code has been tampered with, allowing malware infections to be exposed. This requires any firmware and boot process software – including boot loaders as well as elements such as UEFI drivers for on-board components and expansion cards – to be signed by a trusted Certificate Authority (CA).

However, Linux developer Matthew Garrett fears that UEFI Secure Boot will also prevent Linux from being installed on systems that are protected by this feature. One of the difficulties Garrett anticipates is that not all PC manufacturers will be willing to include keys for signed Linux software in the UEFI firmware of their products. Another issue Garrett identifies is with the GRUB 2 bootloader. GRUB 2 is released under the GPLv3 which, Garrett notes, explicitly requires that the signing keys are provided. The developer added that it could also become necessary for the Linux kernel itself to be signed, which would generate a lot of extra work for custom compiled kernels.

Referring to a presentation (PowerPoint .pptx file) at the Build developer conference, Garrett said that all client systems – desktop PCs, notebooks, tablets – with a Windows 8 logo must support UEFI Secure Boot and have this feature enabled. However, the way it is described in this document, the second condition at least isn't necessarily mandatory: it could also be that the function must explicitly be enabled by the computer's owner or administrator. Also, as has so far been the case, most systems with UEFI will probably be able to load an optional Compatibility Support Module (CSM) that allows operating systems to be booted in BIOS mode. This is a prerequisite for installing 32-bit versions of Windows because only the x64 versions of Windows since Vista can be installed in UEFI mode. Microsoft refers to systems that can boot either in UEFI or in BIOS mode as "Class 2" systems; systems without CSM are referred to as "Class 3".
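As an added illustration (not part of the original article), the following shell script shows how an administrator can tell on a running Linux system whether it was started in UEFI or BIOS/CSM mode and whether Secure Boot is actually enforced. It assumes the kernel exposes firmware variables through efivarfs under `/sys/firmware/efi/efivars`; the function names and the returned state strings are invented for this example, and the SetupMode check (no platform key enrolled yet) goes slightly beyond what the article describes.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state on Linux.
# GUID of the UEFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the one-byte payload of an efivarfs variable as a decimal number.
# efivarfs files begin with a 4-byte attribute word, so skip it.
# $1 = efivars directory, $2 = variable name
efi_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Print one of: bios, uefi-setup-mode, uefi-secureboot-on,
# uefi-secureboot-off, uefi-unknown
# $1 = EFI sysfs directory (defaults to the real one)
boot_state() {
    efi_dir="${1:-/sys/firmware/efi}"
    # The kernel only creates this directory when it was started via UEFI;
    # a BIOS or CSM boot leaves it absent.
    if [ ! -d "$efi_dir" ]; then
        echo "bios"
        return 0
    fi
    sb=$(efi_byte "$efi_dir/efivars" SecureBoot) || sb=""
    setup=$(efi_byte "$efi_dir/efivars" SetupMode) || setup=""
    if [ "$setup" = "1" ]; then
        echo "uefi-setup-mode"       # no platform key enrolled, nothing enforced
    elif [ "$sb" = "1" ]; then
        echo "uefi-secureboot-on"    # unsigned boot loaders are rejected
    elif [ "$sb" = "0" ]; then
        echo "uefi-secureboot-off"   # UEFI boot, signatures not enforced
    else
        echo "uefi-unknown"          # variable missing or unreadable
    fi
}

boot_state "$@"
```
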

However, it remains unclear in which situations multiple operating systems, some starting in UEFI mode and others in BIOS mode, can be installed on the same hard disk. This will probably make it difficult to install dual-boot systems on notebooks, tablets and other devices that only have one mass storage device. There may be no choice in some circumstances; the Windows 8 mobile computers with ARM SoCs that have been announced will only ever be available as Class 3 devices. On these devices, however, Microsoft plans to increase platform security by allowing only apps from the app store that have been checked and signed to be installed on the Metro user interface.

Another problem when booting alternative operating systems could arise from hard disks that are fully encrypted with TCG Opal or BitLocker, if the boot loader is required to include functions that allow a key to be submitted to a Self-Encrypting Drive (SED).

