|SUBJECT ||Subject: [NYLXS - HANGOUT] Locked Down PCs
Getting Linux to boot and install on PCs locked down with Windows 8's
UEFI (Unified Extensible Firmware Interface) Secure Boot is still a
major headache. However, Matthew Garrett, a well-known Linux developer
who's been working on fixing the Secure Boot problem, has just released
a working UEFI boot solution for Linux distributors. This should enable
many more versions of Linux to run on Secure Boot-imprisoned PCs.
Garrett, formerly a Red Hat programmer and now a security developer at
Nebula, an OpenStack private-cloud company, announced on November 30th
that he was "pleased to say that a usable version of shim is now
available for download. … This is intended for distributions that want
to support secure boot but don't want to deal with Microsoft."
This approach is not the same as the one that Garrett devised for use
with Fedora Linux. That approach uses a Fedora-specific key that's based
on a Microsoft/Verisign-supplied Secure Boot key.
While that meant dealing with Microsoft, it was as Garrett had written
earlier, "Easy enough for us [Red Hat] to do, but not necessarily
practical for smaller distributions." It's also, as The Linux Foundation
has found, in its so-far failed attempts to obtain a universal Secure
Boot key for Linux distributions, really not that easy at all.
What Garrett has done with his shim approach is to create a signed
boot-loader that can add keys to its own database. This is built on
SUSE's bootloader design. In the SUSE design, the boot-loader has its
own key database, besides the UEFI specification's key database. The
SUSE boot-loader then executes any second-stage boot-loaders signed with
a key in that database. Since the boot-loader is in charge of its own
key enrollment, the boot-loader is free to impose its own policy,
including enrolling new keys off a Linux distribution's installation
Garrett has added the a user-interface to the SUSE second-stage
boot-loader. With this, instead of stopping when a here-to-fore
untrusted key appears, the user can navigate the available file-systems,
choose a key and indicate that they want to add it to the key database.
From that time on, the boot-loader will trust binaries signed with that
What this means is that Linux, or other operating systems, can "take an
existing signed copy of shim and put it on their install media, along
with a file containing their key. If a user attempts to boot then the
boot will fail because the second stage boot-loader isn't signed with a
trusted key, but the user can then use the navigator and select the
distribution's key file. After providing confirmation and rebooting, the
second stage boot-loader's signature will now be recognized and the
installer will boot."
So, for example, with this shim program in place, a user can choose to
trust your distro's key and proceed to boot and install it on their
Windows 8 PC. Additional security can also be added to this approach to
beat back automated attacks.
The shim method is meant for developers to make it easy for end-users to
boot and install Linux. It's not meant for Joe or Jane user at home.
That said, it should lead to many more distributions being easier to use
on Windows 8 PCs.
It does have one disadvantage though for some Linux distributors. Since
the shim is a pre-compiled binary, distributions such as Debian, which
insist on having full source code availability, may choose not to use it.
Last, but not least, as I've long predicted, implementations of UEFI are
making it difficult to boot systems into Linux even when everything else
is set correctly. For example, Garrett himself recently ran into a case
with a Windows 8 Lenovo Thinkcentre M92p, which installed Fedora, but
then wouldn't boot it. In this case, it turned out that UEFI system was
checking the descriptive string for each operating system and refusing
to run any that didn't call itself either "Windows Boot Manager" or "Red
Hat Enterprise Linux."
So, while Garrett's shim will soon be bring many more varieties of Linux
to many more Windows 8 PCs, UEFI Secure Boot will remain a significant
worry for anyone wanting to run Linux or other alternative operating
systems on Windows 8 PCs.