It seems safe to say that a sizable proportion of Linux PC users in the world today installed the free and open source operating system on hardware that originally came loaded with Windows. After all, while there are preloaded systems available, it often ends up being cheaper to buy a Windows PC and load Linux yourself.
Once Windows 8 starts shipping on PCs, however, that may no longer be possible. It turns out that a new feature included in the operating system in the name of security may also effectively make it impossible to load Linux on officially Windows 8-certified hardware.
See also: Microsoft Windows 8 review
"It's probably not worth panicking yet," wrote Red Hat developer Matthew Garrett in a Tuesday blog post on the topic. "But it is worth being concerned."
'It Won't Be Installable'
The problem derives from Microsoft's decision to use a hardware-based secure boot protocol known as Unified Extensible Firmware Interface (UEFI) in Windows 8 rather than the traditional BIOS we're all familiar with. Microsoft principal lead program manager Arie van der Hoeven explained and demonstrated UEFI in a talk at the company's BUILD conference earlier this month, and that explanation is still available in the video below.
Essentially, the technology is designed to protect against rootkits and other low-level attacks by preventing executables and drivers from being loaded unless they bear a cryptographic signature conferred by a dedicated UEFI signing key.
"There is no centralised signing authority for these UEFI keys," Garrett explained. "If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable."
Microsoft has said it will require that Windows 8 logo machines ship with secure boot enabled. Most likely, Windows on such systems will be signed with a Microsoft key, Garrett predicted.
Other operating systems, such as Linux, won't include any such signatures in their current state, of course. So, unless deliberate measures are taken to make them available, "a system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux," Garrett explained.
'Kernels Will Also Have to Be Signed'
Options for Linux include providing signed versions of the operating system, but there are several problems associated with that approach, Garrett pointed out.
First, a non-GPL bootloader would be required. Grub 2 and Grub are released under the GPLv3 and GPLv2, respectively, he noted.
Second, "in the near future the design of the kernel will mean that the kernel itself is part of the bootloader," Garrett added. "This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical."
Finally, if Linux distributions sign for themselves, the required keys would have to be included by every OEM, he said.
It may turn out to be the case that Microsoft will allow vendors to provide firmware support for disabling this feature and running unsigned code, Garrett acknowledged. Even so, however, it's unlikely that all hardware will ship with that option, he added, posing problems for at least some Linux users down the road.
It remains to be seen how this situation will play out, of course. For my part, though, it sounds like one more good reason to choose hardware with Linux preinstalled.
Comments
Richard T said: Get in the real world Ian its to stop all the crap that MS haters throw at Windows Its a definite step forward and a long time comingRmmontgomeryAs regardscourt cases in Europe this is a load of cods wallop Apple have been doing it for yearswith their restrictive practises for their OSsIts a bit like taking your petrol car manufacturer to court because you can not run on diesel
Ian Sandeman said: I agree I can also see a vast market in UEFI disabling dongles or such like on ebay
Rmmontgomery said: got to be destined for the courts in europe at least It gives M the say over what you can or cant do with your own computer Talk about monopolies Gates must be delighted at the prospect Not to mention that google and their Android might not take it at face value In fact I wonder if they even realise how unattractive this makes the whole concept of windows 8
Ian Sandeman said: Lets face it this new security feature is for the benefit of Microsoft ONLY Its designed to scupper illegal copies of Windows 8 I will give it 6 months before the hackers have this running on non UEFI hardware