Linux and Windows 8 UEFI secure boot issues

One of the largest underlying changes to Windows 8 is the long-overdue shift from BIOS to UEFI. UEFI (Unified Extensible Firmware Interface) is superior to BIOS (Basic Input/Output System) in almost every way, except for one: At the moment, UEFI prevents Linux distributions from being installed on Windows 8 machines.

UEFI, in essence, is a lightweight operating system that your computer loads at boot time. Because it’s an operating system, UEFI has full access to your hardware, and it can be programmed to do just about anything (thus the Extensible part of its acronym). UEFI interfaces can be mouse-driven, and can perform complex tasks such as surfing the web or backing up your hard drives.

The UEFI specification itself also introduces a few new features to improve performance, flexibility, and security. The feature that has received by far the most attention is secure boot, as it can be used by PC OEMs to prevent other operating systems being installed on their hardware. Dell, if it so wishes, could build a PC that only runs Windows. On the flip side, Apple could stop Windows from being installed on its hardware.

Ostensibly, secure boot isn’t meant to be used maliciously, though: Its primary purpose is to prevent a malware-infected PC from booting, thus protecting the user from possible data theft or worse. Secure boot works by means of cryptographic signing: A chip on the motherboard stores the cryptographic hash/key of important operating system files and drivers, and during boot-up those files are checked – if their hashes have changed, they’re assumed to be compromised, and the boot process stops. If you try to boot Linux, secure boot detects the altered hashes and halts the boot. While Linux obviously isn’t malware, secure boot doesn’t know that.

The solution, of course, is to add the Linux file/driver hashes to the secure boot chip – but to do that, you need a secret password. In the case of Windows 8 machines (i.e. official OEM machines bearing the Windows 8 logo), only Microsoft and the OEM know the password. If the key were public, malware authors would be able to add their own hashes, and the system would be worthless.

The currently favoured solution is a workaround: A pre-bootloader signed by Microsoft (so it passes secure boot) that can then be used to load a normal Linux bootloader without further signature checking. One Linux developer, Matthew Garrett, has managed to get Microsoft to sign a pre-bootloader called Shim. You can download it today and use it to boot Linux on your Windows 8 machine. Shim should soon find its way into SUSE, Fedora, Ubuntu, and other major Linux distros. The Linux Foundation is developing an “official” workaround, but as of November it still hadn’t received Microsoft’s blessing.
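
A simplified model of the boot check and the pre-bootloader workaround described above, added here as an illustration (it is not code from the article or from the Shim project). The image contents, the allow-list and the `boot` helper are constructed for the example; real firmware verifies signed binaries, not short strings.

```python
import hashlib

def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed sample images standing in for real boot files.
WINDOWS_LOADER = b"constructed: windows boot manager"
LINUX_LOADER = b"constructed: linux bootloader"
SHIM = b"constructed: pre-bootloader signed by Microsoft"

# Hypothetical firmware allow-list, writable only by the key holders.
FIRMWARE_ALLOWED = {sha256(WINDOWS_LOADER), sha256(SHIM)}

def firmware_check(image: bytes) -> bool:
    """True if the image hash matches an entry in the allow-list."""
    return sha256(image) in FIRMWARE_ALLOWED

def boot(chain, verifying_stages=()):
    """Walk a boot chain given as a list of (name, image) pairs.

    The firmware always checks the first stage. A later stage is checked
    only if the stage that loads it is named in verifying_stages.
    Returns a log of (name, status) with status 'verified',
    'unverified' or 'halted'.
    """
    log = []
    checked = True  # the firmware checks whatever it loads first
    for name, image in chain:
        if checked and not firmware_check(image):
            log.append((name, "halted"))
            return log
        log.append((name, "verified" if checked else "unverified"))
        # Does this stage enforce the check on the stage it loads next?
        checked = name in verifying_stages
    return log

if __name__ == "__main__":
    print(boot([("windows", WINDOWS_LOADER)]))
    print(boot([("linux", LINUX_LOADER)]))
    print(boot([("shim", SHIM), ("linux", LINUX_LOADER)]))
```

The third run shows where verification ends in the workaround: the firmware vouches for the pre-bootloader only, and everything loaded after it is trusted without a check unless that stage enforces one itself.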