All about Secure Boot

You may have heard this week that Hispalinux, a Spanish Linux advocacy group is trying to get the EU to bring an anti-trust action against Microsoft on secure boot.

So what is secure boot and why has it driven Linux users in Spain to take this action?

Secure Boot is a feature included in Windows 8 that, given certain hardware requirements, allows you to block unauthorized firmware, operating systems or UEFI drivers from running during startup. Secure Boot uses a database of digital signatures to validate the integrity of firmware, the operating system, or UEFI drivers. These digital signatures must be generated using a special signing certificate from a specific Certificate Authority.

If the firmware doesn’t match a digital signature, the computer won’t boot until signed firmware is restored. If an version of Windows Boot Manager (bootmgr.exe) that isn’t correctly signed is found, Secure Boot will attempt to boot from a known safe backup copy of Windows Boot Manager. If drivers or ntoskrnl.exe don’t have valid digital signatures, secure boot loads the Windows Recovery Environment.

Secure Boot requires UEFI and cannot be used with computers that boot by using BIOS.

So coming back to Hispalinux.

Microsoft has decreed that if vendors want to receive Windows 8 compatibility certification, they have to ship with Secure Boot enabled. To accomplish this certification, secure boot must also be able to be disabled through direct user intervention. It’s up to vendors to determine whether users can install their own keys (known as platform keys) to validate other operating system digital signatures. But to get the “compatibility certification” tick, the computer needs to ship in a configuration where Secure Boot is enabled and can be user disabled.

What irks Hispalinux is that vendors are under no compulsion to offer this functionality. Some will, some won’t. If a vendor doesn’t and doesn’t decide to include platform keys from vendors such as RedHat or Ubuntu, it means that the person won’t be able to install Linux on the machine as there will be no signature to verify the integrity of the operating system.

What also troubles some Linux users is that even if keys are installed from RedHat or Ubuntu, only the signed versions of the Linux kernel shipped by those vendors will boot. Many Linux users modify their operating system kernel on a frequent basis. A modified kernel, even if it originally comes from RedHat, won’t be digitally signed. Linux vendors may provide the tools that allow you to sign your own kernel, but as you can see it does make installing Linux on computers that have Secure Boot enabled at a minimum more complicated and, if the vendor doesn’t support modification of Secure Boot, extremely difficult if not impossible.

The benefit of secure boot is that it makes the OS more secure from attacks on the boot environment. Attacks are forever increasing in sophistication, so the earlier you can implement protection at startup, the more secure the operating system environment. Any modification to the kernel or boot environment that is not authorized by the appropriate vendor is rejected.

Philosophically this is a big problem if you’re into tinkering and modifying computers and doing stuff that is not authorized by the appropriate vendor.

Just because Hispalinux has launched this action doesn’t mean that it is going to go anywhere. Vendors are still able to sell Windows 8 computers that use BIOS or UEFI, they just won’t get the “compatibility certification” tick. Vendors can still get the tick if they offer the option of allowing users to install their own keys.

Hispalinux would probably have done better to have approached vendors about including this functionality rather than lodging a complaint with the EU.