UEFI Secure Boot Still A Big Problem For Linux
Posted by Michael Larabel on January 17, 2012
Matthew Garrett has provided some insight regarding some of the problems still outstanding for Linux to handle UEFI Secure Boot.
Matthew Garrett, the Red Hat developer commonly working on power management and UEFI/BIOS matters for Linux, has a new blog post related to UEFI Secure Boot. This latest posting is simply entitled Why UEFI secure boot is difficult for Linux.
The post covers that the code for Linux to handle UEFI Secure Boot is practically done, but there's many other issues outstanding related to the handling of custom secure boot mode, out-of-tree kernel drivers, licensing, key distribution, and other matters. Microsoft has said that for x86/x86_64 systems it should be possible to disable UEFI Secure Boot, but recently it's come to light that ARM-based Windows 8 systems will not be permitted to disable this Microsoft-inspired feature.
Garrett also points out that using Secure Boot under Linux would effectively kill out-of-tree kernel drivers like the AMD Catalyst and NVIDIA graphics drivers. "Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen."
Matthew summarizes the current situation as, "We can write the code required to support secure boot on Linux in a minimal amount of time - in fact, most of it's now done. But significant practical problems remain, and so far we have no workable solutions for any of them."
Matthew Garrett, the Red Hat developer commonly working on power management and UEFI/BIOS matters for Linux, has a new blog post related to UEFI Secure Boot. This latest posting is simply entitled Why UEFI secure boot is difficult for Linux.
The post covers that the code for Linux to handle UEFI Secure Boot is practically done, but there's many other issues outstanding related to the handling of custom secure boot mode, out-of-tree kernel drivers, licensing, key distribution, and other matters. Microsoft has said that for x86/x86_64 systems it should be possible to disable UEFI Secure Boot, but recently it's come to light that ARM-based Windows 8 systems will not be permitted to disable this Microsoft-inspired feature.
Garrett also points out that using Secure Boot under Linux would effectively kill out-of-tree kernel drivers like the AMD Catalyst and NVIDIA graphics drivers. "Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen."
Matthew summarizes the current situation as, "We can write the code required to support secure boot on Linux in a minimal amount of time - in fact, most of it's now done. But significant practical problems remain, and so far we have no workable solutions for any of them."
Discuss this article in our forums, IRC channel, or email the author. You can also follow our content via RSS and on social networks like Facebook, Identi.ca, and Twitter (@Phoronix and @MichaelLarabel). Subscribe to Phoronix Premium to view our content without advertisements, view entire articles on a single page, and experience other benefits.
Copyright © 2004 - 2013 by Phoronix Media.
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).