Linux Foundation Sounds Off on UEFI
The Linux Foundation officially jumped in to the Unified Extensible Framework Interface (UEFI) boot controversy by releasing a document entitled “Making UEFI Secure Boot Work with Open Platforms.” The document is intended to provide PC hardware manufacturers with guidelines for how to implement the UEFI framework without preventing the owner from installing Linux or another non-Windows OS onto a UEFI Secure-Boot-compliant computer.
A few weeks ago, Red Hat engineer Matthew Garrett made news with a blog post indicating the possibility of a Linux lock-out with the new UEFI secure boot feature. According to Garrett, the new specification, which is designed to prevent so-called "bootkits" and other forms of BIOS-bolluxing malware, associates the firmware with a signing key, which prohibits the user from installing a new operating system. (The majority of Linux desktop systems are installed over a previous OEM version of Windows.)
When the announcement appeared at SlashDot and other open source news sources, the Linux community immediately raised the alarm, challenging this as yet another unfair business practice designed to restrict user choice in favor of proprietary software. Microsoft soon stepped in to say that, if such a lock-out occurs, it will be because of the OEMs, not Microsoft.
These new guidelines from the Linux Foundation describe steps that an OEM should take to ensure that the owner of the system will be free to install a different operating system on the computer. The document includes the following summary of recommendations:
- All platforms that enable UEFI secure boot should ship in setup mode, where the owner has control over which platform key (PK) is installed. It should also be possible for the owner to return a system to setup mode in the future if needed.
- The initial bootstrap of an operating system should detect a platform in setup mode, install its own key-exchange key (KEK), and install a platform key to enable secure boot.
- A firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure boot mode so that dual-boot mode systems can be set up.
- A firmware-based mechanism should be created to support easy booting of removable media.
- At some future time, an operating-system-neutral and vendor-neutral certificate authority should be established to issue KEKs for third-party hardware and software vendors.
The guidelines will also assist system administrators and PC consumers with choosing systems that do not lock the user in with original operating system. If you are purchasing a computer that advertises support for the UEFI “Secure Boot” feature, and you want to ensure that you have the freedom to change to a different operating system later, refer to the Linux Foundation guidelines.