Here's Microsoft's plan: Every new PC sold with Windows 8 will be locked up tight with Microsoft's UEFI (Unified Extensible Firmware Interface) secure boot on. Microsoft says that this is to help secure your PCs from rootkits and malware. It also happens to stop you from easily installing Linux or any other operating system, such as Windows 7 or XP, on a Windows 8 system. Thanks Microsoft. We really needed that kind of protection!
To get you up to speed, the first thing you need to know is that UEFI is the 21st century replacement for your PC's basic input/output system (BIOS). When you turn your computer on, these are the first computing services that start. They enable your operating system to boot up. PC vendors have slowly been replacing BIOS with the more flexible UEFI for years now. Modern Macs, for example, all use UEFI.
UEFI isn't just a more advanced version of the BIOS. It's a mini operating system in its own right. Exactly what a UEFI does depends on how your chip vendor, PC OEM, and operating system vendors implement it. If a company wants to install Windows 8, they must use Windows' Secure Boot function, which blocks other operating systems from being booted and thus installed.
Linux developers have no problem with secure boot in and of itself. Indeed, as The Linux Foundation white paper, Making UEFI Secure Boot Work With Open Platforms (PDF), states, "Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware."
The problem is that Microsoft requires vendors to implement secure boot in such a way that it makes it very hard to install Linux. It's possible that hardware companies will simply give us the option of turning off secure boot during the UEFI setup, similar to the way you can now use your BIOS to choose if you want to boot from your hard drive or a DVD or USB Flash drive. We don't know yet, though. Even though Windows 8 PCs will start shipping this fall, it's still not clear how many vendors will implement secure boot. The easy way will be for them to not give users the option of turning it off.
At least on x86 PCs, we may have the option of turning secure boot off. On Windows 8 on ARM (aka Windows RT), there will be no such choice. Microsoft's Windows Hardware Certification Requirements for Windows 8 client and server systems states that while Windows 8 Secure Boot can be disabled on Intel systems, "Disabling Secure [Boot] must not be possible on ARM systems."
Trying to boot Linux on UEFI
So what can we do? Well, for starters, we need to get Linux booting on UEFI. Period. Because, with the exception of Macs, few PCs use UEFI instead of BIOS, there's been little effort put into getting Linux to boot straight from UEFI.
Most people today who want to run Linux on a Mac use the Compatibility Support Module (CSM), which provides BIOS emulation on the Mac. This method is messy, doesn't work that well, and I'm quite certain will fail miserably on Secure Boot Windows 8 PCs.
There are other, better ways of doing this. The best of them that I've found to date is Rod Smith's guide to EFI-Booting Ubuntu on a Mac. Others, like Linux kernel developer Greg Kroah-Hartman, are also working on it.
While annoying, this is a relatively trivial problem. The heavy lifting comes with trying to deal with Secure Boot.
Secure Boot and Linux
In the best of all possible worlds, Microsoft and its partners would implement Secure Boot in the ways that the Linux Foundation says would work with Linux. Well, that's not going to happen.
So, instead we have three different paths. At this point, there's no telling which one is going to work out. In fact, we may end up using all of them. This is less than ideal, but with Microsoft's continued dominance of the field, Linux developers have to do the best they can with a difficult situation.
First, Linux developers need to get a better handle on the problem. To do this, James Bottomley, chair of the Linux Foundation's Technical Advisory Board, has released an Intel Tianocore UEFI boot image and some code that Linux programmers can use to get around Windows 8's Secure Boot restrictions.
Intel Tianocore is an open-source image of Intel's UEFI. Until recently this image didn't have the Authenticode that Microsoft uses for Secure Boot (PDF) but now it does include this functionality as well. Getting this into developers' hands will "widen the pool of people who are playing with UEFI Secure boot."
This will let programmers who don't have access to UEFI secure boot hardware have a "virtual platform [that] should allow them to experiment with coming up with their own solutions." But, Bottomley warns developers that "This is very alpha. The Tianocore firmware that does secure boot is only a few weeks old, and the signing tools weren't really working up until yesterday, so this is very far from rock solid."
Even so, with it developers can lock down the secure boot virtual platform with their own secured binaries that will boot and work on a UEFI Linux secured system. This is a major step forward in making it easier for developers to make use of UEFI security with their own keys.
This is the first approach: Create UEFI Secure Boot keys for your particular distribution. This is what Canonical is doing with Ubuntu. Some people, like the Free Software Foundation, hate this approach.
Fedora, Red Hat's community Linux distribution, decided to work with Microsoft's key signing service, Verisign. So, in the Fedora plan, Fedora will create its own Windows 8 system-compatible UEFI secure boot key using Microsoft's own system.
That has also gone over like a lead balloon in many open-source circles. Matthew Garrett, a Red Hat developer, defends it, saying that "it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions."
Frankly, as Ubuntu's founder Mark Shuttleworth said, neither plan is great, but "Secure Boot retains flaws in its design that will ultimately mandate that Microsoft's key is on every PC (because of core UEFI driver signing). That, and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited but we continue to seek a better result."
There is still another way, though: Use open hardware with open source software. This is the path Cathy Malmrose, CEO of the Linux PC vendor ZaReason, would like to see followed.
As Malmrose said, "With UEFI's Secure Boot around the corner, we are hoping to raise awareness that Linux distributors don't need to sign with Microsoft [or use their secure boot]. Computers that are rooted with open bootloader are available. That's what we ship." True, "UEFI's Secure Boot is implemented at OEM (original equipment manufacturer) level, all new PCs purchased (with the intent of loading your favorite distro) will have Secure Boot."
Malmrose isn't happy with disabling it or using Fedora or Ubuntu's methods. "Yes, you can disable it. But 'disabling' something that's 'secure' makes you bad." She also fears that in the long run, "the keystroke(s) needed to get Linux to run on machines post-2012 will be simple at first, becoming increasingly complex at a non-shocking rate. It's a monumental shift at OEM level." Malmrose fears that this will make desktop Linux "too difficult to new users, [and this will cause] slow death by suffocation" for Linux.
So, here's where we are today with Linux on Windows 8 PCs:
1. Hope that the OEMs will simply let you disable Secure Boot during the pre-boot up. If they do, then installing Linux on a Windows 8 PC won't be much harder than it is today on Windows 7 systems. This will not, however, be an option on Windows RT ARM-powered systems.
2. Use a Linux, like Fedora, that provides a Secure Boot compatible key using Microsoft's own Windows 8 signing tools.
3. Use a Linux, like Ubuntu, that provides its own Secure Boot compatible key.
4. Avoid Windows 8 systems entirely and use open hardware instead.
Some Linux distributors, such as openSUSE, haven't decided what they're going to do yet.
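Which of these options applies to a given machine depends on how it actually booted. The following is an added example, not code from the original article: it reads the firmware's standard SecureBoot and SetupMode variables through Linux's efivarfs and classifies the result. The function names and the constructed sample directory are assumptions made for illustration, and a Linux system with efivarfs at its usual mount point is assumed.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_u8(efivars_dir, name):
    """Return the one-byte value of a global EFI variable, or None if absent.

    efivarfs files hold a 4-byte little-endian attribute mask followed by
    the variable's data; SecureBoot and SetupMode each carry a single byte.
    """
    path = Path(efivars_dir) / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except (FileNotFoundError, PermissionError):
        return None
    if len(raw) < 5:
        return None  # truncated or malformed entry
    _attrs, value = struct.unpack_from("<IB", raw)
    return value


def boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Classify how the running system was booted (hypothetical helper)."""
    if not Path(efivars_dir).is_dir():
        # No EFI variables exposed: the kernel was started via BIOS or CSM.
        return "legacy BIOS or CSM boot (no EFI variables exposed)"
    secure = read_efi_u8(efivars_dir, "SecureBoot")
    setup = read_efi_u8(efivars_dir, "SetupMode")
    if secure is None:
        return "UEFI boot, firmware does not report Secure Boot"
    if secure == 1:
        return "UEFI boot, Secure Boot enforced"
    if setup == 1:
        # Setup mode means no platform key is enrolled yet.
        return "UEFI boot, Secure Boot off (setup mode, no platform key)"
    return "UEFI boot, Secure Boot disabled in firmware setup"


def make_sample(secure, setup):
    """Build a constructed efivars directory so the example runs offline."""
    d = Path(tempfile.mkdtemp())
    attrs = struct.pack("<I", 0x6)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        (d / f"{name}-{EFI_GLOBAL_GUID}").write_bytes(attrs + bytes([val]))
    return d


if __name__ == "__main__":
    print("this machine:", boot_state())
    print("constructed sample:", boot_state(make_sample(1, 0)))
```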
I wish I could tell you that it's all going to be easy or give you a magic series of steps that you'll be able to take to get your Linux of choice running on your laptop or desktop. I can't. There will be no easy way to run Linux on Windows 8 PCs and we still don't know how OEMs will be handling Secure Boot.
I see a long, hard road ahead for Linux desktop users with post-2012 PCs. If I find a shortcut, I'll be sure to let you know.





Comments
Noelle Dalton said: Look, all you have to do is go into the BIOS settings & select either compatibility or AHCI modes & turn UEFI off. Not rocket science, people. Bill Gates, you know what you can kiss, baby.
Michaeldtalbott said: Well said. That is definitely the problem. Much like buying a new car and you are only allowed to go where the car TAKES YOU, not where you take the car.
Craig Magee said: False premise. What's wrong with you people? If you don't want to run Microsoft Windows 8 on a Microsoft Surface or Apple's iOS on an Apple iPad, don't buy a tablet from Microsoft or Apple. It's really, really simple.
Sam said: False premise. iOS is a closed-source OS that Apple can license as they see fit. And yes, I firmly believe that if I purchase an iPad, I should be able to install Android on it. It is deplorable that the Library of Congress decided to not uphold the DMCA exemption which allows rooting on tablets. I'm not asking Microsoft to help me install Linux on the hardware that I own. I am insisting that they do not abuse their monopoly to block me from installing Linux on hardware that I own.
John O'Keefe said: Right, Ubuntu, who has a UEFI key, can boot. But what about OpenSuse and other distros who don't have one? And what about lay users who have no clue how to compile a kernel or edit their Grub system to experiment? It's fine for us Linux users who have been doing this for a while and know how to play around with these options, but what about dear old Grandma running OpenSuse or PCLinuxOS?
Treacherous Computing said: It is a little disappointing that Apple doesn't release a standalone version of their iOS. However, Apple is in the fortunate position of being both a software and hardware vendor. If they want to lock their software to their own hardware, that's still anti-consumer, but it's not anti-competitive. If they want to lock their hardware so it only runs their software, which I don't think they do, then that's fine too. Apple seems quite happy to churn out generation after generation of near-identical products, and their customers seem quite happy to shell out time and time again for Apple's latest and greatest. I am not interested in Apple's hardware because I find it overpriced for what it is, and cheaper, better alternatives exist anyway. I have not needed to touch Microsoft software for years. However, I have just begun studying IT, meaning I will pretty much have to support Microsoft products as part of my job. If I could choose not to support Microsoft, I wouldn't. That is not to say, however, that I do not like their software -- it's their business practices and atrocious security record I find most objectionable. In fact, just last week I purchased a new Windows 7 ASUS laptop for my wife. That was her choice. However, she also chose Firefox as her web browser and LibreOffice as her office suite. Microsoft is a software vendor. They have no business pushing their agenda on hardware vendors that do not wish to agree to it. That is anti-competitive and wrong. If they wish to partner with a hardware vendor to produce a Microsoft branded device, such as the Microsoft Surface, and lock it down, I have no problem with that. But they should not be allowed to bully Toshiba, Lenovo, ASUS and others into doing the same. Also, do not make the mistake of assuming that Windows RT will support the classic Windows desktop and run legacy x86 Windows applications. It will not. Windows RT is Metro only. The only viable option for a full desktop experience on an ARM laptop is Linux. Linux could own that market and Microsoft know it. But they stubbornly refuse to play nice. Microsoft knows that it can't compete on a level playing field, just look at Windows CE and Windows Phone, both of which have pretty much flopped in the market. Also, in both cases Android has been successfully ported to the hardware, so they want to change the rules to be sure they can have that lucrative market all to themselves. It's Microsoft that wants to not only have the cake, but own the cake and all the rights to anything that looks like a cake in the future (oh wait, that's Apple, isn't it? :-P), and they also want to own the hardware that the end users have paid for. It's important to note that we are not Microsoft's customers. Toshiba, HP and Lenovo are. We are the hardware vendors' customers. If Toshiba, Lenovo, ASUS or anyone else want to give their customers, the end users, the right and ability to install the operating system of their choice on the hardware they purchase, then why shouldn't they be allowed to do that? Why should a third party, Microsoft, be allowed to dictate what the end user can do with the hardware they paid for and should rightfully own?
Craig Magee said: You can't run iOS on your Transformer either, and the iPad obviously isn't a suitable solution to your situation. Which is basically not being able to have your cake and eat it too. Being dependent on software running on a Microsoft platform is the root of your problem. You either need to find a solution or buy a Surface and run Windows 8 on it. Microsoft don't owe you a thing and they don't want to pander to your needs. Sorry for starting a new subchain; this fixed width website is as badly designed as the original article was researched and written.
Treacherous Computing said: "There clearly isn't a market, is there?" If there isn't a market for ARM-based laptops with a Linux-based OS, then why does the ASUS Transformer series exist, and why do they sell so quickly? ASUS does in fact have a prototype Transformer all-in-one desktop. The 18 tablet runs Android on ARM and doubles as a WiFi display for the desktop dock, which runs Windows 8 on x86. I imagine that ASUS would very much like to save on hardware costs by making a similar device running Android and Windows RT, but can they do that? If Microsoft gets what they want, then no. Why don't they use an x86 in the tablet and run the x86 version of Android? Probably several reasons, including application compatibility, but likely the biggest reason is the hardware. An x86 would consume more power, requiring more weight in the form of additional heatsinking and a larger capacity battery. They could not realise this concept without ARM, and Microsoft's red tape limits them to using the x86 version of Windows for the dock. Disclaimer: I do not work for ASUS. I just happen to really like their very innovative products.
Treacherous Computing said: I have absolutely no problem with Microsoft competing on their own merits in the ARM market. In fact, I wish them well. Competition is always a good thing. What I do have a problem with is them, or any other company, using the very same monopolistic anti-competitive tactics they've already been convicted of to deliberately lock out their competitors from an emerging market. No other software vendor dictates what the hardware vendors can do with their own devices. Not Google, not HP WebOS, not even Apple. This is unprecedented. For the record, I have recently purchased an ASUS Transformer Pad. It won't be long before I unlock the bootloader and install Cyanogenmod Debian on it. Then I will create a virtual x86 machine and install Windows XP for the few Windows programs I am required to use. At some point I may wish to dual boot Windows RT on it. Alas, I will never have that option, as it will be bundled only with new hardware. Hardware that will be locked tighter than Fort Knox. Also, iOS is actually based on Debian. If an iPad were jailbroken, it would be quite trivial to turn it into a full-fledged Debian desktop.
Craig Magee said: "You show me a manufacturer willing to pump out unlocked ARM laptops with similar specs to their Windows RT cousins." There clearly isn't a market, is there? Why oh why do the M haters expect M to produce products for them? There is zero doubt that the drive behind development of the Surface that you covet is M.
Treacherous Computing said: You may not realise it, but we're on the same side here. I don't want locked hardware any more than you do, and I know very well that Microsoft would lock down Intel if they had half the chance. But they can't do that, so they are instead trying to lock their competitors out of the next-gen ARM tablet and laptop market, where they do not yet hold a monopoly. It's exactly the same tactic they used to shut out Netscape during the browser wars. You show me a manufacturer willing to pump out unlocked ARM laptops with similar specs to their Windows RT cousins and I would snatch one up in a moment. The fear here is, if Microsoft can get away with this tactic, that market will simply vaporise. Toshiba et al will not wish to risk losing their Windows 8 certification by angering Microsoft. That would be corporate suicide.
Craig Magee said: More FUD. If M could dictate x86 hardware had to have secure booting that can't be disabled, they would. But they can't. The market won't allow it, and if it was forced to, it would fracture into two models - the open one not being able to boot Windows 8 because it would lack secure booting using the M key. We are only talking about a difference in firmware here; it wouldn't surprise me if the ARM Surface gets a public method to flash an unlocked version a week after release. Your point is you want to buy M hardware to run Linux. You might as well go get an iPad and struggle with that, or get a more open ARM platform like the ones running Android. And yes, it is M hardware, even though third-party manufacturers are producing it. If Apple were to licence iOS to third parties, it would be exactly the same. Because in both cases the hardware will come preinstalled with the OS and have the company branding on it.
Treacherous Computing said: That's the point. It won't be merely difficult to install an alternative to Windows RT on an ARM laptop. It'll be downright impossible. Microsoft claims they are doing this to increase the security of the operating system, but there are ways to implement Secure Boot that do not revoke the consumer's right to install another OS on the hardware they paid for. Microsoft has deliberately chosen not to do that. Besides, if it really were in the interests of security, then why does Microsoft require that x86/x64 vendors provide a mechanism to disable Secure Boot? It's a lock-in tactic, pure and simple. Microsoft is saying that if I want a lightweight, power efficient ARM-based laptop, then I have absolutely no choice of operating system. I have to use the more power hungry, and therefore heavier and hotter, Intel architecture. That's just wrong.
Craig Magee said: How do you know it won't be as uneasy to install Linux on a M tablet? Get with the programme. M have been dictating hardware for donkey's years. Remember Winmodems? Does your graphics card support DirectX, and a majority of games only use DirectX? Ever battled with Windows, especially 7, borking your bootloader? M are playing the same game as they always have, and as a proprietary company that's how they roll. The line in the sand highlights the freedom of open-source on the other side of it, which is something I value and appreciate. I really don't expect M to produce or encourage the production of hardware to suit my needs, and dictating my terms goes against the ethos of freedom. If you don't like it, don't buy it.
Treacherous Computing said: Nobody said it had to be easy to run Windows RT (we are not talking about the fully featured Windows 8 OS here) or Android on an iPad, or to run iOS or Windows RT on an Android, but the point is it's still possible, at least in theory. Even ASUS realised it was a mistake to lock the Transformer's bootloader. A locked bootloader is always anti-consumer, but what does it matter if a hardware vendor is doing it to their own products? That's their decision. What Microsoft is doing is anti-competitive. There is a fully featured desktop OS that can easily replace Windows RT and make the device much more useful, and Microsoft know it. They are scared. And their response? Order all the hardware vendors to lock their devices in such a way that only Microsoft operating systems can run on them. Microsoft are not manufacturing the devices here. Toshiba and Lenovo are. Microsoft has no right to dictate what the hardware vendors can do with their own product.
JohnGee said: SJVN, stop posting FUD. Everyone knows you are a Linux troll.
Craig Magee said: There's no stipulation for Microsoft's tablets to run anything but Windows. Apple doesn't have to produce tablets that easily run Windows 8 or Linux, and Android platforms don't have to be designed to run Windows 8 or iOS.
Craig Magee said: "So what can we do? Well, for starters, we need to get Linux booting on UEFI. Period. Because, with the exception of Macs, few PCs use UEFI instead of BIOS, there's been little effort to getting Linux to boot straight from UEFI." I'm using UEFI on my Asus laptop to boot Ubuntu 12.04. It's trivial. The Linux kernel has EFI stubs, so you can put a kernel in the EFI partition and boot it directly without a bootloader. There is the ability to add boot options to the kernel in its configuration before you compile it, by entering the name of the initrd image; you simply put your image on the same partition. Each time I compile a new kernel and build a corresponding initrd, I simply copy them to the EFI partition, which is a FAT32 partition. There are also other methods, such as ELILO. There's no need for the FUD. Keep calm and carry on.
Treacherous Computing said: I would suggest that someone like Google or Red Hat, or both, take Microsoft to court for being anti-competitive. Android and regular desktop Linux distributions have just as much right to own next year's high-specced ARM-based laptop and tablet market as Windows 8 does. However, I fear that any legal action taken now will not make it through the courts prior to Windows 8's release. In fact, I guarantee Microsoft will use every delay tactic in their arsenal to make sure of that.