Ubuntu, Red Hat Take Stand On Microsoft's Secure Boot Lockdown
Fri, 2011-10-28 09:20 by Swapnil Bhartiya
Microsoft stirred up a hornet's nest by announcing new requirements for manufacturers who want to ship Windows 8 systems, including a feature called 'Secure Boot'. Taken as announced, it would mean only Windows 8 could run on that hardware, locking GNU/Linux out and shutting every window on Linux on these computers.
The Free Software Foundation came out opposing Microsoft's requirements. More than 16,000 people signed the Free Software Foundation statement on "Secure Boot vs Restricted Boot", which shows how concerned users were. We were expecting some response from the open source industry, and Red Hat and Canonical have come forward. The two companies have published a white paper recommending how to implement 'Secure Boot' so that users remain in control of their PCs.
What The Hell Is Secure Boot?
The UEFI Forum has defined the next-generation interface between a PC's firmware and any operating system that runs on it. The goal of the Forum was to make systems boot quicker and in a secure manner, irrespective of which OS (Linux or Windows) you run. Part of this is a process called Secure Boot, which prevents malware from inserting itself between the firmware and the OS. It works by allowing only 'approved' software to boot: the firmware holds a set of keys and will only run boot software that is signed by one of the pre-approved keys.
What Microsoft did was push OEMs to put only Windows keys on their hardware, which means nothing else will run on that hardware. You can't run Linux on these PCs even if you want to; they just won't boot into anything but Windows 8.
Microsoft has remained silent over the concern raised by the Linux and free software community. The fact remains that hardware must be able to run any OS of the user's choice, and that the 'secure boot' option should be available to all users, not only to Windows.
While there will be no issues with PCs that come pre-installed with Ubuntu, as they will have the key, there is a major issue with PCs that come with Windows forcibly pre-installed even if a user doesn't want it.
Red Hat and Canonical are recommending that system manufacturers include a mechanism that allows a user to configure her own list of approved software. This would allow a user to run Windows 8 and Linux side by side on a PC with Secure Boot 'ON'. It should also let a user try new software from a USB stick or DVD.
That alone is not enough, because even if there is an option to add your preferred software, non-technical users will not be able to try and test Linux on their PCs: it will be extremely hard for them to go into the BIOS and make the settings changes. Thus the two companies are also recommending that PCs include a user interface to easily enable or disable Secure Boot, so that users can choose to change their operating system.
Recommendations
The white paper highlights the recommendations for OEMs which include:
The companies recommend that all OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface. The companies write that it is essential that users are able to remove secure boot restrictions, and boot the software of their choice on the devices that they own. Furthermore, the interface to configure this option should be easily accessible by non-technical users. Of course, this option should only be available to users with physical access to the hardware, and not be accessible via programmatic means.
The two companies also recommend that OEMs (with assistance from BIOS vendors) provide a standardised mechanism for configuring keys in system firmware. For secure boot to be useful in a user-controlled environment, it must be possible for users to add custom keys (KEK, db and dbx entries) to the system firmware. Keys may then be shipped with an operating system or generated by the user. This allows the user to maintain control of the code run on their systems without giving up the benefits of secure boot.
For support purposes, the mechanism provided for key management must be consistent across platforms, and provide a simple method of booting custom software, including from removable media. A suggested implementation may be to scan removable media for signing keys and prompt the user for their installation, or to use the specification-defined setup mode to allow key reconfiguration.
The companies also recommend that hardware ship in setup mode, with the operating system taking responsibility for initial key installation. Shipping hardware in setup mode allows key policy to be determined by the operating system vendor or end user. Pre-installed operating systems could then install their own signing keys on first boot. This permits the user to avoid the situation where pre-installed signing keys do not match the user's desired security policy.
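The key databases the white paper wants users to control (db and dbx, alongside KEK) are stored as chains of EFI_SIGNATURE_LIST structures in firmware variables. The following is an added example, not code from the white paper or either vendor: it parses that structure, rejects malformed lengths, and can report whether a Linux machine is enforcing Secure Boot or sitting in setup mode. The GUIDs and layout are from the UEFI specification; the efivarfs mount point and the constructed sample data are assumptions.

```python
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509 = "a5c059a1-94e4-4aa7-87b5-ab155c2bf072"
EFI_CERT_SHA256 = "c1c41626-504c-4092-aca9-41f936934328"
SIG_TYPE_NAMES = {EFI_CERT_X509: "X509", EFI_CERT_SHA256: "SHA256"}
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed Linux efivarfs mount point


def build_signature_list(sig_type: str, owner: str, sigs: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used here to construct sample data; header size 0)."""
    sig_size = 16 + len(sigs[0])                   # each entry: owner GUID + signature data
    list_size = 28 + sig_size * len(sigs)          # 16-byte type GUID + three UINT32 fields
    hdr = uuid.UUID(sig_type).bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return hdr + b"".join(uuid.UUID(owner).bytes_le + s for s in sigs)


def parse_signature_lists(data: bytes) -> list[dict]:
    """Walk a chain of EFI_SIGNATURE_LIST structures, refusing inconsistent sizes."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = str(uuid.UUID(bytes_le=data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_start, body_end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or body_start > body_end or body_end > len(data):
            raise ValueError(f"malformed list at offset {off}")
        body = data[body_start:body_end]
        if len(body) % sig_size:
            raise ValueError(f"signature size does not divide list body at offset {off}")
        entries = [(str(uuid.UUID(bytes_le=body[i:i + 16])), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        lists.append({"type": SIG_TYPE_NAMES.get(sig_type, sig_type), "entries": entries})
        off = body_end
    return lists


def read_efivar(name: str, guid: str) -> bytes:
    """Return a variable's payload; efivarfs prefixes every file with 4 bytes of attributes."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()[4:]


def secure_boot_state() -> dict:
    """Live check on Linux: enforcing? in setup mode? how many db/dbx entries are present?"""
    flags = {v: read_efivar(v, EFI_GLOBAL_VARIABLE)[0] == 1 for v in ("SecureBoot", "SetupMode")}
    counts = {v: sum(len(sl["entries"]) for sl in
                     parse_signature_lists(read_efivar(v, EFI_IMAGE_SECURITY_DATABASE)))
              for v in ("db", "dbx")}
    return {**flags, **counts}
```

`secure_boot_state()` needs a UEFI-booted Linux system with efivarfs mounted; the parser itself runs on any platform against constructed data.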
Download the white paper.
Source: http://www.muktware.com