Microsoft Subnet An independent Microsoft community View more

Next-gen boot spec could forever lock Linux off Windows 8 PCs

Windows 8's super-fast boot times come from the UEFI spec that,when used in secure mode, prevents users from loading operating systems and drivers

Windows 8 PCs will boot super fast in part because of the next-generation booting specification known as Unified Extensible Firmware Interface (UEFI). The latest UEFI, released April 8, includes a secure boot protocol which will be required for Windows 8 clients. Secure UEFI is intended to thwart rootkit infections by requiring keys before allowing executables or drivers to be loaded onto the device.

Problem is, such keys can also be used to keep the PC's owner from wiping out the current OS and installing another option such as Linux, says Matthew Garrett, a mobile Linux developer at Red Hat, in a blog post.

'If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable. ... Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled.'

 UPDATED 09/26 Also see: Microsoft explains UEFI secure boot, but leaves big questions unanswered and Some W8 PCs won't turn off secure boot, Red Hat warns

Microsoft's requirement of secure UEFI is verified by a presentation at the BUILD conference given by Arie van der Hoeven, Principal Lead Program Manager of Microsoft. Slide 11 of the presentation states:

  • Current issues with boot
    • Growing class of malware targets the boot path
    • Often the only fix is to reinstall the operating system
  • UEFI and secure boot harden the boot process
    • All firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)
    • Required for Windows 8 client [emphasis mine]
    • Does not require a Trusted Platform Module (TPM)
    • Reduces the likelihood of bootkits, rootkits and ransomware

Secure boot uses a PKI scheme so that UEFI 2.3.1 firmware will only run digitally signed EFI bootloaders and device drivers. A recent article in The H notes that it can be "designed to accept a software key management service (KMS), a network-accessible key server or a hardware security module (HSM)." The hardware module would likely be a Trusted Platform Module (TPM 1.2), though as van der Hoeven points out, TPM isn't required.

The Linux community has been on alert about secure UEFI for a couple of months, according to an article in June from LWN.net:

'The basic idea behind secure boot is to sign executables using a public-key cryptography scheme (RSA with 2048-bit keys with SHA-1 or SHA-256 as the hash). The public part of a 'platform key' (PK) can be stored in the firmware for use as a root key. Additional 'key exchange keys' (KEKs) can also have their public portion stored in the firmware in what is called the 'signature database'. That database contains public keys that can be used to verify different components that might be used by UEFI (e.g. drivers) as well as bootloaders, and operating systems that get loaded from external sources (disks, USB devices, network, and so on). The signature database will also contain 'forbidden' signatures which correspond to a revocation list of previously valid keys. The signature database is meant to contain the current list of authorized and forbidden keys as determined by the UEFI organization.'

The fear expressed by the Linux community in June was that proprietary operating system vendors could demand an implementation of Secure UEFI where device makers do not or cannot share private keys with the buyers/users of the device. Without that, only the entities in the signature database will be able to authenticate drivers and OSes for the hardware.

There are two ways Microsoft could go with its required secure UEFI, says Garrett. Windows can be signed with a Microsoft key and the public part of that key can be included with all systems. Or, each OEM could have its own private key and therefore be the one to sign its own pre-installed version of Windows.

Without a key, Linux will be unable to boot off the machine. It may be possible for Linux distro makers to somehow offer signed versions of Linux, but this too, is problematic as this would require a bootloader not covered by the GPL. It also doesn't help people who want to run their own custom-tweaked versions of Linux.

Enterprise users should be sure to voice their concerns with their hardware supplier (Dell, IBM, HP, Toshiba and so on). Let them know that just because the technology exists to take choice away from you, doesn't mean they should use it.

Join the discussion
Be the first to comment on this article. Our Commenting Policies