Linux Foundation Sounds Off on UEFI

By

Will UEFI secure boot lock a whole generation of computers out of Linux? Recent guidelines from the Linux Foundation will help to ensure that system admins and computer users will still have the power to change the operating system.

The Linux Foundation officially jumped in to the Unified Extensible Framework Interface (UEFI) boot controversy by releasing a document entitled “Making UEFI Secure Boot Work with Open Platforms.” The document is intended to provide PC hardware manufacturers with guidelines for how to implement the UEFI framework without preventing the owner from installing Linux or another non-Windows OS onto a UEFI Secure-Boot-compliant computer.

A few weeks ago, Red Hat engineer Matthew Garrett made news with a blog post indicating the possibility of a Linux lock-out with the new UEFI secure boot feature. According to Garrett, the new specification, which is designed to prevent so-called "bootkits" and other forms of BIOS-bolluxing malware, associates the firmware with a signing key, which prohibits the user from installing a new operating system. (The majority of Linux desktop systems are installed over a previous OEM version of Windows.)

When the announcement appeared at SlashDot and other open source news sources, the Linux community immediately raised the alarm, challenging this as yet another unfair business practice designed to restrict user choice in favor of proprietary software. Microsoft soon stepped in to say that, if such a lock-out occurs, it will be because of the OEMs, not Microsoft.

These new guidelines from the Linux Foundation describe steps that an OEM should take to ensure that the owner of the system will be free to install a different operating system on the computer. The document includes the following summary of recommendations:

  • All platforms that enable UEFI secure boot should ship in setup mode, where the owner has control over which platform key (PK) is installed. It should also be possible for the owner to return a system to setup mode in the future if needed.
  • The initial bootstrap of an operating system should detect a platform in setup mode, install its own key-exchange key (KEK), and install a platform key to enable secure boot.
  • A firmware-based mechanism should be established to allow a platform owner to add new key-exchange keys to a system running in secure boot mode so that dual-boot mode systems can be set up.
  • A firmware-based mechanism should be created to support easy booting of removable media.
  • At some future time, an operating-system-neutral and vendor-neutral certificate authority should be established to issue KEKs for third-party hardware and software vendors.

The guidelines will also assist system administrators and PC consumers with choosing systems that do not lock the user in with original operating system. If you are purchasing a computer that advertises support for the UEFI “Secure Boot” feature, and you want to ensure that you have the freedom to change to a different operating system later, refer to the Linux Foundation guidelines.

10/28/2011

Related content

comments powered by Disqus

SysAdmin Day 2017!

  • Happy SysAdmin Day 2017!

    Download a free gift to celebrate SysAdmin Day, a special day dedicated to system administrators around the world. The Linux Professional Institute (LPI) and Linux New Media are partnering to provide a free digital special edition for the tireless and dedicated professionals who keep the networks running: “10 Terrific Tools."

Special Edition

Newsletter

Subscribe to ADMIN Update for IT news and technical tips.

ADMIN Magazine on Twitter

Follow us on twitter