Microsoft has finally forked a way to kill its smaller rival, Linux from the PC / desktop segment. Since most PCs are only designed to run Windows, and Windows 8 would be the obvious choice in the future, there is something we need to worry about.
With Windows 8, Microsoft would set certain guidelines to OEMs and PC manufacturers. All Windows 8 machines will need to be have the Unified Extensible Firmware Interface (UEFI) instead of the venerable BIOS firmware layer. BIOS has been pretty much the sole firmware interface for PCs for a long time.
The EFI system has slowly been making headway in recent years, and right now EFI firmware is compatible with Windows supporting the GUID Partition Table (GPT), OS X/Intel, and Linux 2.6 and beyond machines. EFI is seen as a better hardware/software interface than BIOS, since it is platform-agnostic, runs in 32- or 64-bit mode, and GPT machines can handle boot partitions of up to 9.4 zettabytes. (That’s 9.5 billion terabytes.)
Linux supports UEFI, thats is not a problem. The problem is Microsoft‘s other requirement for any Windows 8-certified client: the system must support secure booting. This hardened boot means that “all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)”.
By locking, Microsoft intends to prevent injection of malware onto Windows PCs, which looks like a justified claim. Linux bootloaders are EFI-ready but none of them are signed, hence they would just not work on PCs.
So what, we would Unlock the bootloader, like we did on Android phones and iPhone. No, it won’t be that easy. If all parts of the chain need to have a CA signature, then swapping out a machine’s signed EFI layer with, say, an unsigned BIOS or EFI would not work. Matthew Garrett from Redhat notes:
“Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.”
So what about Signing Linux Bootloader Distros?
“Firstly, we’d need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It’s a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it’s still necessary to get our keys included by ever OEM.”
What can be done?
We jsut have to rely on Manufacturers & OEMs so that they would include an option in their UEFI firmware to disable the secure booting feature.
Microsoft has finally found a way to tackle Linux, and someone out there has to make the extra effort to save it from the vicious Monopoly!
Update: Microsoft finally clarifies, it could be disabled via BIOS.