The drama surrounding Microsoft’s decision to make ’locked down’ bootloaders a requirement for computer makers wishing to ship Windows 8 has been rumbling on for a while.
The devices will use the UEFI-based SecureBoot specification to “prevent unauthorized firmware, operating systems, or UEFI drivers from running at boot time”.
Put simply: only operating systems that have a verified digital key/signature will be able to boot.
UEFI, SecureBoot and Ubuntu
Ever since the Windows 8 SecureBoot dilemma reared its the big question has been: “Can I still use Ubuntu?” .
Canonical have today responded with plans on how they intend to approach the SecureBoot situation to ensure that Ubuntu ‘works smoothly’ for users of devices enabled with it.
Firstly, Canonical has generated an Ubuntu key that, once manually added to affected systems, will allows users to boot Ubuntu.
‘Simple ways for enterprises and consumers to use this key‘ will be announced in due course.
Ubuntu will also use a different kind of boot-loader for Ubuntu on SecureBoot hardware – one not based on the traditional GRUB2.
The reason for this is legal rather than technical, as Steve Langasek explained on the Ubuntu Development mailing list:
“The reason we’ve arrived at a different plan is that Ubuntu has a rather extensive base of preinstalled systems. Microsoft’s Windows 8 logo requirements do say that there must be a way for users to disable secure boot or to install their own keys, and we strongly support this in our own firmware guidelines; but in the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn’t then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off.”
To remedy this Canonical have decided to use Intel’s efilinux loader (code which will be familiar to with Intel Mac dual-booters), to which they will apply a few tweaks and add a ‘simple menu’ for OS switching.
Secondly, Ubuntu CDs will make use of a loader image signed by Microsoft’s ‘WinQual‘ key. This will allow Ubuntu to boot on ‘more or less every off-the-shelf [Windows 8] system’.
Steve Langasek explains this particular part further in a mail to the Ubuntu Development mailing list:
“This will then chain to efilinux signed by our own key (so we don’t have to go through the WinQual signing process every time we want to make a minor change there).
We hope that we’ll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don’t regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled.”
Calm Before The Storm?
None of the above is set in stone, and things may yet change.
With the first Windows 8 UEFI/SecureBoot devices not out of the gate yet, Canonical do have a bit more breathing time in which to evaluate and implement solutions.
But they’ll be keenly aware that they need to do it before the flood of devices arrives.