Canonical, along with Red Hat, have today published a white paper on the potential implications, and benefits, of “Secure boot” for Linux.
‘Secure Boot’, a BIOS technology that seeks to safeguard against malware, works by keeping ‘secret keys’ within the system itself.
These keys are then used to “sign” anything that wishes to run – such as operating systems. If an operating system isn’t signed by a matching key then it won’t be allowed to boot.
But it’s not just restrictive to software vendors either as Red Hat’s Matthew Garrett explains: -
“A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that’s included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that’s not in your system firmware, you’ll get no graphics support in the firmware.”
The technology isn’t new; most motherboards shipped today support Secure Boot but have it disabled by default. For the roll out of Windows 8 Microsoft will require Secure Boot to be enabled by default.
Now, that in and of itself isn’t a bad thing: security is great idea. The issue is with Microsoft’s idea of how Secure Boot should be implemented – one that makes it nigh on difficult for software to be added to the “approved” list – a proposal that will see users of alternate operating systems, such as Ubuntu, placed at a disadvantage.
Microsoft have said that whilst they require Secure Boot to be enabled by default on Windows 8-toting machines they place no requirement on system manufacturers to provide users with an ‘off’ switch for Secure Boot. Fair enough.
But will OEMs go to the trouble of adding in an ‘off’ switch? That’s one of the worries.
Canonical and Red Hat propose a different solution in their whitepaper, one that provides users with both the security afforded by Secure Boot, but also allows the addition of additional software and OSes – such as Linux – to the approval list.
This would, it’s hoped, allow users to run both Windows 8 and Linux, be it installed or on live media, on a PC with Secure Boot enabled.
Further still, the white paper suggests that PCs ship with a user-friendly interface for disabling/enabling secure boot altogether.
It will be interesting to see what impact the suggestion has on this issue, and with over 16,000 people having signed the Free Software Foundation’s statement on “Secure Boot” the chances of this issue meekly subsiding are small.