Windows 8’s Unified Extensible Firmware Interface (UEFI) boot protocol could lead to eight-second boot times, but it could also be used to keep users from loading Linux on a Windows 8 PC, warns a Red Hat developer. Meanwhile, Casio signed a Linux-related patent agreement with Microsoft.
Microsoft cheered Windows users earlier this month when it demonstrated the upcoming Windows 8 operating system booting in eight seconds. Part of the technology behind the fast boots, however, could enable Microsoft and its PC vendor partners to block users from loading Linux on a Windows 8 PC, according to Matthew Garrett, a mobile Linux developer at Red Hat, writing in a Sept. 20 blog post.
Microsoft recommends using the latest Unified Extensible Firmware Interface (UEFI) boot protocol to achieve the best boot results. Released in April, the new UEFI includes a secure boot protocol intended to block rootkit infections by requiring the entry of secure keys before allowing executables or drivers to be loaded onto the device. The protocol is required for PCs running Windows 8 clients in order to conform to the Windows 8 logo program, writes Garrett.
Microsoft tips compliance plans at BUILD
According to a story by NetworkWorld, the compliance requirement was revealed at Microsoft’s recent BUILD summit where the company first released a preliminary version of Windows 8, reviewed here by our sister publication WindowsForDevices. Slide 11 of a presentation stack by Arie van der Hoeven, principal lead program manager of Microsoft, notes that UEFI secure boot is “required for Windows 8 client.” The presentation is available from a link on NetworkWorld.
UEFI Secure Boot presentation slide at Microsoft BUILD conference
The problem with UEFI secure boot is that there is no central signing authority for the keys, writes Red Hat’s Garrett. As a result, each PC vendor controls its own keys, giving the vendor — and Microsoft — control over what software is loaded on the computer. Once enabled, UEFI secure boot prevents executables or drivers from being loaded unless they’re signed by one of the keys that have been loaded on the system, explains Garrett.
An associated set of keys called “Pkek” is said to allow communication between an operating system (OS) and the firmware. An OS with a Pkek matching that installed in the firmware — say, Windows 8 — has the authorization to add additional keys to a whitelist, and may also add keys to a blacklist, writes Garrett. Binaries signed with a blacklisted key — say related to a Linux distribution — will not load, he adds.
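The load policy described in the two paragraphs above can be modelled in a few lines. This is an added illustration, not code from Garrett's post or from any firmware; the names `Firmware`, `update_lists` and `may_load` are hypothetical, all keys are constructed sample values, and HMAC-SHA256 stands in for the public-key signatures real firmware verifies.

```python
import hashlib
import hmac


def sign(key, image):
    # Stand-in signature: HMAC-SHA256 (assumption; real firmware uses public-key signatures)
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(key, image, signature):
    return hmac.compare_digest(sign(key, image), signature)


class Firmware:
    """Toy model of the whitelist/blacklist policy (hypothetical, not UEFI code)."""

    def __init__(self, pkek, whitelist):
        self._pkek = pkek
        self.lists = {"whitelist": dict(whitelist), "blacklist": {}}

    def update_lists(self, os_pkek, target, name, key):
        # Only an OS whose Pkek matches the one installed in the firmware may edit the lists
        if target not in self.lists or not hmac.compare_digest(os_pkek, self._pkek):
            return False
        self.lists[target][name] = key
        return True

    def may_load(self, image, signature):
        # A binary signed with a blacklisted key never loads, whitelisted or not
        if any(verify(k, image, signature) for k in self.lists["blacklist"].values()):
            return False
        return any(verify(k, image, signature) for k in self.lists["whitelist"].values())


def demo():
    # Constructed sample keys and images
    vendor, distro, pkek = b"vendor-key", b"distro-key", b"firmware-pkek"
    win, lin = b"windows bootloader", b"linux bootloader"
    fw = Firmware(pkek, {"vendor": vendor})
    r = {}
    r["vendor_signed"] = fw.may_load(win, sign(vendor, win))
    r["distro_signed"] = fw.may_load(lin, sign(distro, lin))
    r["unsigned"] = fw.may_load(lin, b"")
    r["update_wrong_pkek"] = fw.update_lists(b"other-pkek", "whitelist", "distro", distro)
    r["update_matching_pkek"] = fw.update_lists(pkek, "whitelist", "distro", distro)
    r["distro_after_whitelist"] = fw.may_load(lin, sign(distro, lin))
    fw.update_lists(pkek, "blacklist", "distro", distro)
    r["distro_after_blacklist"] = fw.may_load(lin, sign(distro, lin))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the control point visible: whoever holds the matching Pkek decides which signing keys the machine will accept.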
If enforced, such security efforts could not only keep users from installing an alternative OS such as Linux, but could also make it impossible to properly install a new graphics card that lacks the appropriately signed drivers, according to Red Hat’s Garrett.
“There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code,” writes Garrett. “However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It’s almost certainly the case that some systems will ship with the option of disabling this.”
Concludes Garrett, “It’s probably not worth panicking yet. But it is worth being concerned.”
Potential Linux workarounds
The potential threat of a UEFI-related Microsoft freeze-out has been discussed in the Linux community since shortly after the release of the new UEFI secure boot implementation in April, notes NetworkWorld. In June, Jake Edge warned of the possibility in an LWN.net article on the technology.
Faced with such a lock-out, Linux distributions could possibly work around the problem by providing signed versions of Linux, but due to Grub licensing issues, this would require a non-GPL bootloader, explains Garrett. Complicating the issue are future plans for the Linux kernel to be further integrated with the bootloader. In this case, any such workaround would require that the kernel be signed as well, he adds.
UEFI consists of data tables with platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. UEFI was derived from the Intel-created “EFI” (Extensible Firmware Interface) standard, which in 2005 was renamed to “Unified EFI” and placed under the jurisdiction of the UEFI Forum. The EFI was famously criticized in 2006 by Linux creator Linus Torvalds as “this other Intel brain-damage (the first one being ACPI).”
Microsoft nabs Casio in Linux patent agreement
While Microsoft may or may not use UEFI to block Linux on the desktop, it continues to profit from the use of Linux in embedded devices. While lately it has shifted its patent pressures to vendors using the Linux-based Android OS, as it did with recent patent agreements with Acer and ViewSonic, Redmond still signs up the occasional pure Linux vendor as well. Amazon’s Kindle, alone, represents a tidy income in patent royalties for the software giant.
The latest consumer electronics firm to agree to sign up with Microsoft rather than risk a lawsuit is Casio, as reported by our sister publication eWEEK. The agreement covers Casio’s use of Linux in certain unnamed devices. Under the terms, Casio will pay Microsoft undisclosed fees, says the story.