October 14, 2012 report
Linux camp has key to Windows 8 boot lockout
(Phys.org)—Microsoft's rocky reputation with the open source community was not exactly repaired by hardware news surrounding the upcoming launch of its operating system, Windows 8. Systems will come with Secure Boot enabled in the Unified Extensible Firmware Interface (UEFI), which defines a software interface between an operating system and platform firmware. Only operating systems with an appropriate digital signature will be able to boot. The worry was that only Windows 8 would run on these systems and that users would find it hard to boot non-Microsoft operating systems.
Numerous PCs designed for the mass market will be labeled for Windows 8, which in turn led many users to think these are tough times for Linux users who want to boot their favorite Linux flavors. Some see this as a way for Microsoft simply to ensure security on its machines, while others see it as a way for Microsoft to push Linux distributions to the back of the line.
Systems with the Designed for Windows 8 label that include Secure Boot can stop unsigned code such as malware from running during the boot process. Any operating system will also be prevented from running if it doesn't have the approved bootloader.
Open source advocates recognize that UEFI has its security merits. Earlier this year, Olaf Kirch, director of the SUSE Linux Enterprise department in SUSE Engineering, called UEFI Secure Boot a useful technology, as it makes life more difficult for attackers to hide a rootkit in the boot chain. At the same time, he said, the basics of its operation, establishing a single root of trust, "conflict with the principles of Open Source development, which must be independent and distributed to work."
Outside Microsoft, big-name vendors have been responding with workarounds. Leading Linux names Canonical, Red Hat, and SUSE have been working on ways to allow their distributions to boot on Windows 8-certified hardware.
The Linux Foundation, meanwhile, has come up with a plan to bypass the problem presented by Secure Boot and enable users of open source operating systems to continue to boot on hardware certified for Windows 8. The foundation has announced it will obtain a key from Microsoft and sign a small pre-bootloader. This will allow the booting of any operating system. In a guest post, James Bottomley of the Linux Foundation Technical Advisory Board talked about the Windows 8 move. "In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)."
This will be a general-purpose solution, not just for Linux. The signed code would not directly boot an operating system but would instead transfer control to another bootloader that boots the operating system. As such, the workaround is called the "pre-bootloader." The pre-bootloader gets past the Secure Boot process. A bootloader such as GRUB2 then takes over and handles the OS booting.
According to the Foundation, all the work is left to the real bootloader, which "must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2)."
Once the pre-bootloader is run, the user can boot any OS without having to worry about Secure Boot lockouts. As for the risk that it will turn out to be a vector for malware, the pre-bootloader can be used to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution. The pre-bootloader will involve a "present user test." Someone must be present at boot time to confirm the user wants a particular OS to run. After the pre-bootloader carries out its work, it will prompt and wait for a user before continuing. The user test removes the fear that it can be used to carry malware.
© 2012 Phys.org