Linux Heavyweights Develop Secure Boot Strategy
Canonical and Red Hat have issued a joint statement regarding Microsoft’s plan to make UEFI Secure Boot a requirement of Windows 8. Simultaneously, The Linux Foundation has issued a similar statement.
We first covered this issue in September.
The joint Red Hat and Canonical statement opens with an assessment of the situation:
The UEFI specification for secure boot does not define who controls the boot restrictions on UEFI platforms, leaving the platform implementer in control of the exact security model. Unfortunately, Microsoft’s recommended implementation of secure boot removes control of the system from the hardware owner, and may prevent open source operating systems from functioning. The Windows 8 requirement for secure boot will pressure OEMs to implement secure boot in this fashion.
We believe that restrictions that prevent users from exercising full control over their hardware is not in the best interest of those users, and works against the spirit of open source software in general.
It's a fair assessment of the situation. It's worth noting that the language used in both documents is reasonable and doesn't go out of its way to demonize Microsoft. Both documents outline the difficulties that will be caused to Linux adoption in general by the proposed measures. They also highlight some of the benefits of EUFI and secure boot, and I got the impression that all three organizations have accepted that Secure Boot is an inevitable development in some form.
The Canonical/Red Hat document concludes with three proposals:
“We recommend that all OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface”
One point that the authors make is that as Windows 8 will require Secure Boot in order to boot, this causes a problem for dual boot scenarios. The user would probably have to enter the setup interface and manually toggle the feature between each reboot.
There is also the possibility that some vendors won't include a menu option to disable secure boot at all.
“We recommend that OEMs (with assistance from BIOS vendors) provide a standardised mechanism for configuring keys in system firmware”
The problem with this, as pointed out in the document, is that a feature to add extra keys to the firmware must not be susceptible to malware. Again, it sounds like a lot of additional hassle, particularly for non technical users.
“We recommend that hardware ship in setup mode, with the operating system taking responsibility for initial key installation”
What the authors are suggesting is that an operating system would be able to add its secure key to a brand new system the first time it boots.
This means that it would be possible to switch over to an alternate operating system on a brand new machine that has never been booted. This might appeal to companies that sell complete machines. If the proposal were adheared to, a brand new motherboard would also ship in this state. Obviously, Microsoft would have to agree support this system, and they might not.
The Linux Foundation document includes similar recommendations. It echos the suggestion that new machines could ship in a state in which they are ready to receive a new key, but adds that it should be possible for the user to reset a machine to the initial state. It acknowledges the potential problems for dual booting. It adds the point that some sort of provision needs to be made for booting from removable media. It also suggests that a neutral organization should be formed for the granting of keys to hardware and software vendors.
The tone of both documents gives the impression that all parties have accepted the inevitability of Secure Boot. It's starting to look like we might soon be looking back with fondness on the days in which we could walk around installing Linux wherever we liked.
Both documents were well-written, fair and either would serve as a good introduction to the issue.
The Red Hat/Canonical document
The Linux Foundation document
UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
|Fancy Tricks for Changing Numeric Base||May 29, 2016|
|Working with Command Arguments||May 28, 2016|
|Secure Desktops with Qubes: Installation||May 28, 2016|
|CentOS 6.8 Released||May 27, 2016|
|Secure Desktops with Qubes: Introduction||May 27, 2016|
|Chris Birchall's Re-Engineering Legacy Software (Manning Publications)||May 26, 2016|
- Tips for Optimizing Linux Memory Usage
- Secure Desktops with Qubes: Introduction
- Working with Command Arguments
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Secure Desktops with Qubes: Installation
- Fancy Tricks for Changing Numeric Base
- CentOS 6.8 Released
- Linux Mint 18
- The Italian Army Switches to LibreOffice
- Petros Koutoupis' RapidDisk
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide