Many Linux fans are worried that the Secure Boot technology in the new Windows 8 will complicate loading their favorite operating system on computers that come with a Unified Extensible Firmware Interface (UEFI).
The concern is that Windows 8 will come with the closed boot UEFI, which does not allow users to install different operating systems, whether Linux, Windows 7 or Windows XP, on the same machine as Windows 8.
James Bottomley, chairman of the Linux Foundation Technical Advisory Board, has announced the release of Intel Tianocore UEFI, an open-source version of the closed UEFI interface, which helps Linux programmers bypass restrictions imposed by Windows.
Bottomley has released an image of the Intel Tianocore UEFI and a few lines of code that should allow developers to begin thinking more seriously about working on a solution to bypass the Windows 8 secure boot mechanism.
“It will widen the pool of people who are playing with UEFI Secure boot. The Linux Foundation Technical Advisory Board have been looking into this because it turns out to be rather difficult to lay your hands on real UEFI Secure Boot enabled hardware,” Bottomley says.
A virtual platform for developers has also been established to facilitate work sharing and experimenting with solutions.
Bottomley is “releasing this now because interest in UEFI Secure Boot is rising, particularly amongst the Linux Distributions which don’t have access to UEFI secure boot hardware, so having a virtual platform should allow them to experiment with coming up with their own solutions.”
Bottomley said he was able to “lock down the secure boot virtual platform with my own PK [Platform Key] and KEK [Key Exchange Key] and verified that I can generate signed efi binaries that will run on it (and that it will refuse to run unsigned efi binaries). Finally I’ve demonstrated that I can sign elilo.efi (this has to be built specially because of the bug in gnu-efi) and have it boot an unsigned Linux kernel when the platform is in secure mode (I’ve booted up to an initrd root prompt).”
Recently it became known that Fedora and Red Hat signed a deal with Microsoft to ensure that the distribution can launch on equipment licensed for Windows 8, which drew criticism from Linux developers and users. To register a binary to run on a UEFI computer, you must obtain a VeriSign certificate, which costs $99.
But Linux founder Linus Torvalds believes that the complaints are overblown. “I’m certainly not a huge UEFI fan, but at the same time I see why you might want to have signed bootup etc. And if it’s only $99 to get a key for Fedora, I don’t see what the huge deal is,” he says.
Torvalds said hackers will either find a way to get the right keys or break Secure Boot.
“The real problem, I think, is that a clever hacker could solve the problem with the keys, after procuring the key or by using a vulnerability in the signed software, and then he would not need a key.”
Matthew Garrett – a Red Hat engineer who has worked closely with Secure Boot – also believes Secure Boot will be broken but Microsoft will ultimately keep hackers at bay.
“Secure Boot is unlikely to be broken via fundamental flaws in its implementation, and there’s no evidence that public availability of the signing service will result in an explosion of boot level malware,” Garrett said.
If you are a Linux user and want to give it a try, you can download the image from an openSUSE server in RPM format for x86 64-bit processors. You also need Bottomley's fix for building EFI binaries on Linux, which includes utilities, examples that use the fixed script, and a builder for a LockDown.efi binary that takes a secure boot platform in setup mode, installs a PK and KEK, and enables secure boot.