Linux Licensing in Conflict with Secure Boot Support
One of the novelties coming with Windows 8 is support for Unified Extensible Firmware Interface (UEFI) secure boot protocol which, when enabled, requires the boot loader of an operating system to provide a certified signing key in order to be allowed to boot. In fact, Microsoft made enabling secure boot by default a requirement for vendors who participate in the Windows 8 logo program, meaning that all PCs coming with Windows 8 pre-installed or branded as Windows 8 ready will come with secure boot enabled by default.
The reasoning behind this is securing the Windows boot path by making it impossible for malware to execute and embed itself on the system before anti-malware software even runs. In other words, it closes off the boot process to malware infection by installing a checkpoint at boot.
This has raised concerns, and quite a furor, from some Linux fans who worry that this could lock Linux (and other alternative operating systems such as various FreeBSD variants) out if their boot loaders don’t have the proper key to provide for secure boot.
Given the historical animosity that has existed between Linux fans and Microsoft it is easy for a Linux enthusiast to see this move as a yet another attempt by Microsoft to stifle competition in the name of a noble goal such as security.
That said, the problem would be relatively easy to solve if it wasn’t for certain peculiarities in the way Linux software is typically licensed. Linux vendors could certify a key to be used with UEFI secure boot and include this key in Linux boot loaders so they can pass this security checkpoint. The important thing here is that this key needs to stay secret, and the only way to make sure it stays secret while distributing it as part of Linux boot loaders is for it to be in binary form (no source code).
This is where we get to the core of the issue. Most commonly used Linux boot loaders, GRUB and GRUB2 are licensed under GPL, a license which denies embedding proprietary code in it, and requiring a secret key to function. GRUB2 is licensed under GPLv3 which makes this explicitly denied, whereas it is a gray area in GPLv2. As gray as it may be, however, exploiting it would run against the spirit of the license which is what fueled the strictness in GPLv3 to begin with.
In other words, making Linux boot loaders work with secure boot would require breaking their licensing requirements, and arguably the spirit of Free Open Source Software as well.
To make matters worse the Linux kernel, which is also licensed under the GPL, is apparently planned to be more deeply involved with the boot process as well, implicating it into the whole issue.
I’m not sure what would solve the problem if the kernel becomes involved, other than licensing the components involved under a more permissive license. As far as boot loaders go, however, it appears GRUB has to be ditched in favor of something under a more permissive license such as the BSD license. Interestingly, an old boot loader for Linux called LiLo (literally meaning “Linux Loader”) has just resumed development last year, and it is licensed under the BSD. This may make it an attractive alternative under these circumstances.
The only other option that comes to mind defeats the whole purpose of having secure boot, and opens the doors to its exploitation. It would involve having the signing key public, in which case it could be included in GPL-licensed boot loaders without issues, and persuading the computer vendors to allow boot loaders with this key. Of course, any malware maker would then know about this key as well, so secure boot would no longer be secure at all. That makes this option an obvious non-option.
Of course, this does remind of a distinct possibility. Someone could leak or crack the key for Windows 8 itself, defeating secure boot anyway, and perhaps proving that security through obscurity really doesn’t work. I’m fairly sure such an event would please Free Open Source Software advocates.
But to get back to the issue, if Linux boot loaders aren’t fixed to support secure boot then computers with secure boot enabled won’t be able to boot Linux. This just means that people who want to run Linux have to choose carefully when buying their new computers in order to make sure that the one they buy allows disabling secure boot.
Of course, that’s not a pretty situation since it adds an additional special requirement for Linux that doesn’t have to bother Windows 8 users, and somewhat limits the hardware options for Linux users.
Microsoft’s Steven Sinofsky responded to these concerns in a comprehensive blog post explaining the UEFI secure boot process, and pointing out that Windows 8 is merely taking advantage of an UEFI protocol and aiming to provide a more secure user experience while also mentioning that the Samsung Developer Preview tablet they gave away to developers on the BUILD conference allows disabling secure boot.
He has also clarified that Windows 8 will still run even if secure boot is disabled. Enabling it by default is merely a requirement vendors have to meet to put a Windows 8 logo on their machines, but that doesn’t mean they can’t include an option to disable it.
In a nutshell, the fate of Linux in this case appears to be in the hands of hardware vendors and their willingness to allow secure boot to be disabled. Either that, or Linux operating systems should widely adopt a secure boot compatible boot loader, which likely means a boot loader not licensed under the GPL (possibly making Richard Stallman quite annoyed).