Linux and UEFI secure boot, or: Linus Torvalds as the voice of reason

As you may recall, I wrote a blog about linux and the problems with UEFI secure boot a while ago. Since there have been some changes regarding secure boot in the linux world recently, this calls for an update.

My blog was mostly about the tendency of linux developers placing the importance of their software license (and Microsoft-hatred) above everything else. However, Fedora has stepped forward as a more pragmatic distribution, and they have found a solution to the secure boot problem. Namely, they simply wrote a bootloader that does nothing more than just load Grub as usual. However, because the bootloader now sits between the UEFI boot and Grub itself, only the bootloader needs to be signed with a key that is recognized by the UEFI secure boot.

They have decided to sign the bootloader via the Microsoft sysdev portal. It is not free, then again, what in this world is? You don’t get your hardware for free either. Developers have to make some investments in order to develop their software, even if it’s open source. The cost is a one-time fee of $99, which is hardly a big deal for any of the larger linux distributors.

I was pleasantly surprised to see that Linus Torvalds actually supported this move by Fedora. As Linus commented:

 “I’m certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc. And if it’s only $99 to get a key for Fedora, I don’t see what the huge deal is.”

Well, that’s the proper attitude. It might not be ideal (then again, what in this world is?), but it is a small price to pay to ensure that even people with a system where UEFI secure boot cannot be disabled, can run a linux distribution out-of-the-box.

There, problem solved, now was that so hard? I wonder how many linux developers will change their stance, now that their big Finnish leader has shown the way.

This entry was posted in Software news and tagged , , , , , , , , , , , , , , , . Bookmark the permalink.

14 Responses to Linux and UEFI secure boot, or: Linus Torvalds as the voice of reason

  1. snemarch says:

    It’s a reasonable and pragmatic solution – and I, too, was a bit surprised to see such a calm and reasonable comment from Torvalds.

    I’m still a bit concerned whether this is just a first step towards more hardcore lockdown – get people to accept a tiny bit of inconvenience now, only to pull the rug entirely at some later point. I certainly wouldn’t put it past Microsoft to do this, although they might have learned enough of a lesson from the antitrust lawsuits to not attempt doing it.

    • Scali says:

      Well, Microsoft is not doing all that much. They don’t have anything to do with UEFI and secure boot, really. The standard has been around for years. MS just wants OEMs to use the feature by default, and in the case of mobile devices, to have it on at all times. Then again, all other mobile devices have secure/locked down boot sequences as well. MS just happens to be the only one using an industry standard, rather than some proprietary thing like Apple and all Android vendors.
      I don’t quite see how that makes MS the bad guy (they don’t even have a monopoly in the mobile market, not even close).

      • snemarch says:

        Locked-down boot has been normal in the mobile and appliance sectors since forever, yes – but it’s a new thing locking down PCs this way. It’s one thing having an OS that (tries to) not run on generic hardware (OS X and it’s DSMOX kext crap), but (possibly) not letting other OSes run on standard x86 hardware? Ho humm.

        I’m not against secure boot in and by itself, IMHO it can be a worthwhile security factor – I would have liked a bit of consumer protection in the standard, though. Like *requiring* that end-users have the ability to manage signing certificates.

      • Scali says:

        Yes, but Microsoft is not even saying the systems should be locked down. It merely says secure boot should be enabled by default, if the OEMs want to have a Windows 8 sticker on their machines.
        And again I stress that this is UEFI, an industry standard with which Microsoft has nothing to do. I don’t see it as locking down, even if at some point the secure boot can no longer be disabled.
        It’s still an industry standard, and any OS distributor can support this standard (as Fedora have demonstrated).
        So the whole argument of ‘not letting other OSes run’ is false. It is really no different than it has always been: any x86 OS can run on standard PCs as long as it is compatible with the standard PC boot procedure (something that OS X is not).

  2. snemarch says:

    Microsoft is on the board of directors for the UEFI Forum, which is the organization forming the UEFI spec – so saying Microsoft has nothing to do with UEFI isn’t entirely true 🙂

    There can be no question that secure boot is a lockdown – what remains to see is how much of a lockdown it might eventually (d)evolve into. As long as we can get away with a 1st-stage bootloader having to be signed, and said bootloader can load unsigned code, things will be OK.

    But if secure boot had been designed primarily with consumer interests in mind, there would have been provisions for installing our own certificates. Claiming anything else is swallowing corporate propaganda.

    • Scali says:

      They are now, yes (and just one of many board members, so their influence on the standard is not all that large). But secure boot has been around for years. It was developed by Intel-HP for their Itanium platform, if I’m not mistaken.
      Microsoft had no say in it as far as I know.

      Also, don’t get your lockdowns confused. Yes, clearly secure boot locks out non-secure bootloaders. But it is by no means vendor-specific. People tend to go overboard and claim that MS is locking out other vendors. Firstly, it’s not MS doing anything. It’s the UEFI standard and OEMs implementing that standard on their motherboards.
      Secondly, it’s only locking out non-secure bootloaders, which is not the same as non-Windows bootloaders.

      I sincerely doubt that consumer interests had anything to do with it. Again, it was Intel/HP developing it for Itanium. Not a platform aimed at consumers. Its primary aim is security. As we all know, consumers don’t care much about security. They care more about convenience, which is usually the enemy of security.

  3. snemarch says:

    Yes, IIRC the original EFI was made by Intel for Itanium, and then extended into UEFI. Dunno when Secure Boot was added to the standard, and IMHO it’s not too important for the rest of the discussion – I don’t particularly care if it was pushed by one company or another, and as I’ve already mentioned, the feature in and by itself can be a good thing.

    As for MS locking out other vendors, well, I think we both know whose signing certificates are going to be in just about every system that ships with secure boot capabilities. Laying the blame on the motherboard OEMs is a bit of a cheap shot, IMHO – but whether MS is doing nefarious things behind the curtains is something I’ll leave to the conspiracy theorists.

    I’m wary of the direction things are taking, though.

    • Scali says:

      Well, I don’t see how anyone can reasonably blame Microsoft for OEMs not including certificates of other vendors (which at this point is a purely hypothetical situation anyway).
      You also can’t blame Microsoft for having OEMs include their certificates. That’s the whole idea behind UEFI’s secure boot, is it not? Microsoft just makes sure they have their business in order. Fedora did the same. So should the rest.

  4. Pingback: Voice of reason, quite… | Scali's blog

  5. Pingback: First Fedora, now Canonical | Scali's blog

  6. Pingback: Why I don’t use linux (and why you shouldn’t either) | Scali's blog

  7. Yuri says:


    I’m sorry but the lack of technical detail here is appauling. I’m a pretty hardcore developer, and I use some pretty oldschool tools. I don’t agree to this microsoft-only and corporate-only key signing strategy. It means that I, as an opensource developer, can’t run a signed and modified kernel of my own anymore. It means corporations are the only holders of this technology. It means the key signers can deny further use of provisioned keys for future software releases. This is not a sound strategy.

    You need to realize that your “Holy Chicken-Leadership” idea on corporate key signing __doesn’t apply__ to individual developers. How am I supposed to fork the kernel and run my own signed version? This technology is excluse to big corp, and now I, as an individual, can no longer dual-boot a windows system while taking advantage of UEFI while simultaneously developing my own custom kernels with the same bios without switching the damned thing on and off all the time. That’s great security microsoft. I’m so glad they were only thinking of themselves once again.

    If you read the rest of that article that you quoted out of context, the Linux Foundation was asking for manufacturers to implement the ability for users to provide their own signing and keys, without the need of any further purchase. Linus himself expressed discontent towards UEFI. Read some of Greg K-H’s emails. You’ll see what I mean.

    This is not a good strategy, and I’ll do my best to avoid this technology because it’s exclusive and it discourages innovation.

    • Scali says:

      “It means that I, as an opensource developer, can’t run a signed and modified kernel of my own anymore.”

      Incorrect. You cannot run modified *bootloaders* anymore (which is purely hypothetical at this point anyway, except for ARM-based devices).
      Both Fedora and Ubuntu still allow you to run modified kernels using their signed bootloader.
      Besides, if you REALLY want to sign your custom-built bootloaders, 99 dollars is not such a big deal even for an individual developer. It’s not exactly like it’s completely out of reach for anything other than big corporations.

      Please inform yourself a bit better before you go on some anti-corporate rant.

      For the rest, the issue of certificates has been around for a long time. I never heard anyone complain about SSL certificates… but it’s the same story. It costs money to get a certificate, and if at some point, for some reason, the certificate authorities decide not to give out any certificates anymore, that’s the end of that. You could hold similar arguments for various other things where some authority hands out whatever resources, such as IP addresses or domain names or whatnot (but for some reason nobody has… I guess that’s the Microsoft-factor, isn’t it? You people make me sick. UEFI secure boot is not Microsoft’s invention, but an industry standard. And quite simply, it is not Microsoft’s problem if some OSes are not compatible with such an industry standard. Your example of dual-boot is pathetic, especially in putting the blame with MS. Do you also blame MS for the fact that OS X cannot be installed on generic x86 PCs out-of-the-box?).
      Apparently the system has worked fine so far, and there’s no reason why it would not work just as well for UEFI secure boot.

      Also, everyone is a hardcore developer with oldskool tools these days… PAH I say! I doubt you are anywhere remotely as oldskool and hardcore as some of the things I have posted on my blog.

  8. Pingback: The problem with free/open source software | Scali's OpenBlog™

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s