Linux camp has key to Windows 8 boot lockout

Linux pinguin

(—Microsoft's rocky reputation with the open source community was not exactly obliterated with hardware news surrounding the upcoming launch of the operating system, Windows 8. Systems will come with Secure Boot enabled in the Unified Extensible Firmware Interface (UEFI). Only operating systems with an appropriate digital signature will be able to boot. The worry was that only Windows 8 will run on these systems. Users would find it hard to boot non-Microsoft operating systems. UEFI stands for Unified Extensible Firmware Interface (UEFI)and it defines a software interface between an operating system and platform firmware.

Numerous PCs designed for the mass market will be labeled with Windows 8 and that in turn set many users to think these are tough times for Linux users to boot their favorite Linux flavors. Some see this as a way for Microsoft simply to ensure security over its machines while others see it as a way for Microsoft to push Linux distributions to the back of the line.

Systems with the Designed for Windows 8 that include the Secure Boot can stop unsigned code such as malware from running during the boot process. Any will also be prevented to run if it doesn't have the approved bootloader.

Open source advocates recognize that UEFI has its security merits. Earlier this year, Olaf Kirch, director of the SUSE Linux Enterprise department in SUSE Engineering, called UEFI Secure Boot a useful technology, as it makes life more difficult for attackers to hide a rootkit in the boot chain. At the same time, he said, the basics of its operation, establishing a single root of trust, "conflict with the principles of Open Source development, which must be independent and distributed to work."

Outside Microsoft, big name vendors have been responding with workarounds. Leading Linux names, Canonical, Red Hat, and SUSE have been working on ways that allow their distributions to boot on Windows 8-certified hardware.

The Linux Foundation, meanwhile, has come up with a plan to bypass the problem presented by Secure Boot to enable users of operating systems to continue to boot on hardware certified for Windows 8. The foundation has announced it will obtain a key from Microsoft and sign a small pre-bootloader. This will allow the booting of any operating system. In a guest post from James Bottomley, Linux Foundation Technical Advisory Board, talked about the 8 move. "In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)."

This will be a general purpose solution, not just for Linux. The key would not directly enable booting but instead would transfer control to another bootloader to boot an operating system. As such, the workaround is called the"pre-bootloader." The pre-bootloader goes past the Secure Boot process. A boot-loader such as GRUB2 takes over and handles the OS booting.

According to the Foundation, all the work is left to the real bootloader which "must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2)."

Once the pre-bootloader is run, the user can boot any OS without having to worry about Secure Boot lockouts. As for a risk that it will turn out to be a vector for malware, the pre-bootloader can be used to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution. The pre-bootloader will involve a "present user test." Someone must be present at boot time to confirm the user wants a particular OS to run. After the pre-bootloader carries out its work, it will wait for a prompt for a user before continuing The user test removes the fear that it can be used to carry malware.

Explore further

PC BIOS soon to be replaced by UEFI

More information: … t-system-open-source

© 2012

Citation: Linux camp has key to Windows 8 boot lockout (2012, October 14) retrieved 15 September 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Oct 14, 2012
Windows 8 is already secure, no one will be able to use it with such a horrible interface. PC industry will quickly realize where the user base is and will tailor hardware to meet the masses. I have used windows for a long time but MS is lost in la la land right now and forgot there is users who have their needs.

Oct 14, 2012
Every even version of winblows is stillborn. Everything is going according to plan. Then the suits will pine for winblows 9 to fix all the crap and micro$oft will have sold their os twice.

Oct 15, 2012
Linux community will obtain a key and write a boot loader that will then be able to boot malware.

That is the solution.

Oct 15, 2012
Linux community will obtain a key and write a boot loader that will then be able to boot malware.

Malware that at least won't affect the host, just other MS computers it comes in contact with. :)

Oct 15, 2012
Any attempt to add a security feature that annoys the hell out of people, is pointless, as it will just be disabled. How many people disabled UAC in Windows Vista/7 because it was a pain?

For workstations and phones the additional security in UEFI should be well received. For Linux servers, it would be a pain in the butt, having to drive all over town, pressing a key on a keyboard, after a power failure causes 50 servers to reboot.

Please excuse my excessive use of comma's.

Oct 15, 2012
Why not just use TPM... Sure there are some concerns with TPM such as certain software being locked out that the manufacturer chooses, but that's hypothetical. With secure boot you know for sure MS will try to block at least some software, such as free OSs.

Oct 15, 2012
I can't decide whether to ROTFLMAO or to weep. This is both so hilarious and so profoundly pathetic. But hey, not unexpected.

And to top it all, I can just imagine the look on some M$ folks' faces when the FOSS camp simply decided to get a key. I'm still giggling.

But then, I expect M$ to counter with legal gymnastics to the tune of "we don't have to sell them the key", or something about unintended use of hardware that has officially and contractually been restricted to only software (read, OS) from a single vendor. And patents and other land mines thwarting the world.

How about import restrictions to hardware that doesn't contain this W8 thing? Or even blockades of the entire vendors. These are (again) interesting times. But this time for all the wrong reasons.

Oct 15, 2012
Having to press a key in order to boot Linux is still not a good solution. Expect mass EFI flashing with versions that (have the option to ?) disable Secure Boot.

Oct 15, 2012
micro$ has tried to ruin Linux many times before. Micro$ was the secret 50& partner of SCO 'unix' when its business model was to sue and sue even its own customers. Did not work then. This 'secure boot model' will by-passing it run the risk of the by-passer being arrested for 'hacking a security system'?

Oct 15, 2012
who cares. vote with your wallets. i've stopped buying machines with windows preloaded and so should you.

Oct 15, 2012
My concern is once booted into your favorite distro, will you still be able to access files on your Windows 8 drives?

Oct 15, 2012
For Linux servers, it would be a pain in the butt, having to drive all over town, pressing a key on a keyboard, after a power failure causes 50 servers to reboot.

One just needs to buy a new keyboard that after reset will issue any needed keystrokes. Or alternatively other dongle into keyboard cable that does the same thing. Or `fake` keyboard plugged into any free USB port to give those keys after reset. When mass produced such dongles would be inexpensive.

Oct 15, 2012
But since Linux is open source an in turn 99% of all the binaries it uses and load -- then this key is essentially in the public domain. So malware needs to load not only a rootkit but a root bootloader based that can load NTFS. It makes for a more sophisticated virus maker. I suspect that this will take only slightly longer than a 5 year trying to read this article. Mind you most 5 year olds have attention span issues, and don't like acronyms or big words.

Oct 15, 2012
The cat and mouse game continues. Mainstream computers will NEVER be truly secure, because either the software they run or the users that operate them are flawed and can be circumvented. Its nice to see some attempt at stopping rootkits and MBR viruses. Sadly, malware makers make MONEY, so they will never stop and they will ALWAYS find a way to infect systems, because they get PAID to do it. As far as having difficulty installing linux on a Windows 8 machine, it will be ok, Linux experts will always find a way. And yes, Windows 8 is stupid because you cannot run a tablet OS on a Desktop, just as you wouldnt run a Desktop OS on a Tablet. Get with it, it takes two types of OS's to fit on tablets and desktops.

Oct 15, 2012
so everyone thinks it's alright to use the word stillborn out of context and basically as a weapon
Your ginned-up objections to weapon-words are stillborn, "you twisted fuck" (not to mention, hypocrite.)

Just because you have some kind of a Pavlovian knee-jerk paroxysm in connection with that word, doesn't mean everyone else should suddenly censor themselves to keep your neurotic psychoses from exploding.



(the word has another definition, in addition to the one you found oh-so-inflammatory, which fits perfectly with the original usage that oh-so-offended your demented sensibilities.)

Oct 15, 2012
On a more relevant note, I find the Linux "solution" to the security threat from malware somehow less than impressive.

So what if the user has to push on a key? How does the user know that the bootloader about to be activated, hasn't been tampered with (or replaced) by malware? After all, the above article explicitly mentions that the "work-around" pre-bootloader will make no signature checks on the thing it's passing control over to.

This "solution" is incredibly naive, in the best tradition of FOSS.

Probably a better approach would have been to hardware-protect the boot sector, so that anything written to it must have been pre-encrypted with a correct private key (and gets auto-decrypted on-write with the correct public key). That way, at hackers would need to have first obtained the secret key before they could overwrite any part of the bootloader.

Oct 16, 2012
@Bowler_4007's bad enough that people fight on these articles without people using inappropriate and upsetting words like that
If you don't like the word, stop eating meat which encourages large litters where there aren't enough nutrients for all to survive. Also stop eating eggs!

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more