If the article published by ITWorld is to be believed, all Windows 8-certified machines now use UEFI (Unified Extensible Firmware Interface) with support for secure booting. Microsoft is no longer willing to use untrusted BIOS firmware for booting and this clearly indicates that from Windows 8 onwards both the firmware and software must have been signed by a trusted Certificate Authority to initiate the boot process. You won’t be able to boot a Linux distribution if you have bought a computer that includes the manufacturer’s keys and Microsoft’s keys as none of the EFI Linux bootloaders is signed.This also means that from now onwards you cannot compile your own custom kernels as Linux distribution requires secure UEFI booting support, and a non-GPL bootloader would be required and the kernel would have to be signed too.
According to Matthew Garrett, a Linux developer:
Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.Lets say Linux geeks find a way around this, but again there will be a number of hurdles such as what will happen with small Linux distributions or how will the users or various companies boot their own custom kernels? Several question remain unanswered.
[...] Firstly, we’d need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It’s a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it’s still necessary to get our keys included by ever OEM.”
0 reactions:
Post a Comment