White Paper: Secure Boot impact on Linux

Victor Tuson Palau

Victor Tuson Palau

on 28 October 2011

Last month Steven Sinofsky from Microsoft announced new requirements for manufacturers wanting to ship Windows 8 systems, including a feature called “Secure Boot”.

Canonical, together with Red Hat, today publishes a white paper highlighting the implications of these requirements for users and manufacturers. The paper also provides recommendations on how to implement “Secure Boot”, to ensure that users remain in control of their PCs.

UEFI is a good step forward
How much do you know about the BIOS running on your laptop today? Sure, you probably have frantically pressed F12 at some point to try the latest Ubuntu from a CD or USB stick. Beyond that, BIOS doesn’t often get much attention.  The thing is: BIOS is evolving, and all thanks to the UEFI Specifications.

The UEFI Forum, of which Canonical is a member, is defining the next generation interface between your system’s firmware and any operating system that runs on it. The new specs will make Ubuntu systems boot quicker, have a better battery life and are easier to configure.

The latest UEFI specification also defines a process called Secure Boot (version 2.3.1 – Chapter 27). Secure Boot is designed to address the potential for malware to insert itself between the firmware and the operating system on your computer. It accomplishes this by enforcing that only “approved” software is able to boot in your computer by way of a key that recognises pre-approved and signed software.

According to Microsoft’s presentation at //BUILD/2011, Secure Boot will be “Required for Windows 8 client”. While the UEFI specification does not recommend a specific implementation, Microsoft has a preferred solution (outlined on this blog post) which does not give the user full control over what software that is approved to run on their PC. This is the real issue for users.

Secure Boot should be available to all users
Canonical successfully partners with computer manufacturers to ship millions of  Ubuntu pre-installed systems every year. While this distribution will continue to thrive, we are concerned for users wanting to install any Linux distribution on a PC sold with Secure Boot “ON”.

Any new Windows 8 PC will have Secure Boot switched “ON” when it leaves the shop and will be able to boot Microsoft approved software only. However, you will most likely find that your new PC has no option for you to add your own list of approved software. So to install Linux (or any other operating system), you will need to turn Secure Boot “OFF”.

However, we believe that you have the right to have your cake and eat it too!  Its possible to have Secure Boot and the ability to choose your software platform.

This is why we recommend that systems manufacturers include a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux at the same time in your PC with Secure Boot “ON”. This should also include you being able to try new software from a USB stick or DVD.

Even with the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that  PCs include a User Interface to easily enable or disable Secure Boot and allow the user to chose to change their operating system.

Canonical has discussed these concerns with key industry partners and competitors, resulting in the “Secure Boot Impact on Linux” White Paper, authored by Jeremy Kerr (Technical Architect at Canonical), James Bottomley (Kernel Developer) and Matthew Garret (Senior Software Engineer at Red Hat).

I recommend you read this document to gain a better understanding on how Secure Boot will affect you. We will continue to work with our partners to ensure you still get to choose what runs on your PC!

Talk to us today

Interested in running Ubuntu Desktop in your organisation?

Newsletter signup

Select topics you’re interested in

In submitting this form, I confirm that I have read and agree to Canonical’s Privacy Notice and Privacy Policy.

Related posts

开源基础设施,桌面和物联网开发者都聚焦在Ubuntu 19.04

2019年4月18日,Canonical今天宣布Ubuntu 19.04 正式发布,新版系统将聚焦开源基础设施部署,开发者桌面,物联网和云到端的软件分发等领域。 “Ubuntu在电信,金融和多媒体领域的开源优势已经扩展到其他领域。从公有云到私有数据中心再到边缘设备或集群,开源已成为效率和创新的标志。Ubuntu 19.04包含了支持领先项目的转换,以及用于加速这些域的应用程序的开发人员工具。” Canonical的CEO Mark Shuttleworth说道。…

Announcing OpenJDK 11 packages in Ubuntu 18.04 LTS

OpenJDK 11 is the default JRE/JDK for 18.04 LTS and is covered under LTS upstream security support. OpenJDK 11 will be the default package for the upcoming 19.04 release.

Open infrastructure, developer desktop and IoT are the focus for Ubuntu 19.04

18th April, 2019: Canonical today announced the release of Ubuntu 19.04, focused on open infrastructure deployments, the developer desktop, IoT, and cloud to edge software distribution. “The open-source-first on Ubuntu movement in telco,…