Windows 8: The conflict between UEFI and Linux
What is UEFI?
Unified Extensible Firmware Interface (UEFI) is a technology used in Windows 8 that requires any program to present a certified key to be allowed to execute while the operating system is booting.
Any computer that comes pre-installed with Windows 8 will have secure boot enabled.
The execution of malware is prevented using this protocol and hence malware programs cannot alter or disrupt anti-malware software.
You can consider UEFI as a gateway that filters incoming programs and allows only genuine programs to execute whose authenticity is verified by using the keys provided.
What is the speculation among Linux users?
Linux users believe that computers running Windows 8 will not allow Linux to boot if proper keys are not presented to the operating system loader.
Linux users feel that this is yet another attempt by Microsoft to thwart the competition between Linux and Windows by using the terminology of security as an excuse.
A workaround for this problem
Linux operating system vendors should assign a key to their respective operating systems that can be used with UEFI boot and include this key as a component of any Linux boot loader.
Care has to be taken to ensure that the identity of the key is not compromised and that can be achieved by distributing the Linux boot loaders in partial binary format.
What is the problem with this workaround?
The Linux boot loaders GRUB and GRUB 2 use general public license that does not allow operating system vendors to embed proprietary code in it.
As per the specifications of GPLv3, it is clearly mentioned that modifications are not allowed whereas it is still unclear with GPLv2.
So, operating system vendors will have to break the terms of their licensing agreement to support secure booting with Linux.
What alternatives are available?
- One option is to abandon the GRUB boot loader that uses a GPL license and settle for a LiLo (Linux Loader) that uses a BSD license. This enables proprietary code to be incorporated without compromising the terms of the license.
- The other option is design a public key for the boot loaders that can be used with the GPL licensed boot loaders. The computer will be configure to allow these keys but the problem with this approach is that the malware makers will find about this key and the whole idea of secure boot would become non-existent.
Figure 3: GPLv3
Computers having Windows 8 with secure boot enabled will not be able to boot Linux if this issue is not resolved amongst Linux developers.
People who want a computer that is capable of running Linux along with Windows 8 will have to opt for a computer that allows disabling secure boot.
The hardware options will be limited on such a computer. Steven Sinofsky has responded to these issues by addressing the need for secure boot and its working. He has mentioned that secure boot can be enabled or disabled by the user and Windows 8 runs with or without it enabled.
Hardware vendors will decide whether disabling secure boot is an option and the fate of Linux hangs in balance on this pending decision. The only possible way around this system is that Linux boot loaders use a license such as BSD instead of GPL.