Home     Blog

Linux Licensing in Conflict with Secure Boot Support

LiLo Linux LoaderOne of the novelties coming with Windows 8 is support for Unified Extensible Firmware Interface (UEFI) secure boot protocol which, when enabled, requires the boot loader of an operating system to provide a certified signing key in order to be allowed to boot. In fact, Microsoft made enabling secure boot by default a requirement for vendors who participate in the Windows 8 logo program, meaning that all PCs coming with Windows 8 pre-installed or branded as Windows 8 ready will come with secure boot enabled by default.

The reasoning behind this is securing the Windows boot path by making it impossible for malware to execute and embed itself on the system before anti-malware software even runs. In other words, it closes off the boot process to malware infection by installing a checkpoint at boot.

This has raised concerns, and quite a furor, from some Linux fans who worry that this could lock Linux (and other alternative operating systems such as various FreeBSD variants) out if their boot loaders don’t have the proper key to provide for secure boot.

Given the historical animosity that has existed between Linux fans and Microsoft it is easy for a Linux enthusiast to see this move as a yet another attempt by Microsoft to stifle competition in the name of a noble goal such as security.

That said, the problem would be relatively easy to solve if it wasn’t for certain peculiarities in the way Linux software is typically licensed. Linux vendors could certify a key to be used with UEFI secure boot and include this key in Linux boot loaders so they can pass this security checkpoint. The important thing here is that this key needs to stay secret, and the only way to make sure it stays secret while distributing it as part of Linux boot loaders is for it to be in binary form (no source code).

This is where we get to the core of the issue. Most commonly used Linux boot loaders, GRUB and GRUB2 are licensed under GPL, a license which denies embedding proprietary code in it, and requiring a secret key to function. GRUB2 is licensed under GPLv3 which makes this explicitly denied, whereas it is a gray area in GPLv2. As gray as it may be, however, exploiting it would run against the spirit of the license which is what fueled the strictness in GPLv3 to begin with.

In other words, making Linux boot loaders work with secure boot would require breaking their licensing requirements, and arguably the spirit of Free Open Source Software as well.

To make matters worse the Linux kernel, which is also licensed under the GPL, is apparently planned to be more deeply involved with the boot process as well, implicating it into the whole issue.

I’m not sure what would solve the problem if the kernel becomes involved, other than licensing the components involved under a more permissive license. As far as boot loaders go, however, it appears GRUB has to be ditched in favor of something under a more permissive license such as the BSD license. Interestingly, an old boot loader for Linux called LiLo (literally meaning “Linux Loader”) has just resumed development last year, and it is licensed under the BSD. This may make it an attractive alternative under these circumstances.

The only other option that comes to mind defeats the whole purpose of having secure boot, and opens the doors to its exploitation. It would involve having the signing key public, in which case it could be included in GPL-licensed boot loaders without issues, and persuading the computer vendors to allow boot loaders with this key. Of course, any malware maker would then know about this key as well, so secure boot would no longer be secure at all. That makes this option an obvious non-option.

Of course, this does remind of a distinct possibility. Someone could leak or crack the key for Windows 8 itself, defeating secure boot anyway, and perhaps proving that security through obscurity really doesn’t work. I’m fairly sure such an event would please Free Open Source Software advocates.

But to get back to the issue, if Linux boot loaders aren’t fixed to support secure boot then computers with secure boot enabled won’t be able to boot Linux. This just means that people who want to run Linux have to choose carefully when buying their new computers in order to make sure that the one they buy allows disabling secure boot.

Of course, that’s not a pretty situation since it adds an additional special requirement for Linux that doesn’t have to bother Windows 8 users, and somewhat limits the hardware options for Linux users.

Microsoft’s Steven Sinofsky responded to these concerns in a comprehensive blog post explaining the UEFI secure boot process, and pointing out that Windows 8 is merely taking advantage of an UEFI protocol and aiming to provide a more secure user experience while also mentioning that the Samsung Developer Preview tablet they gave away to developers on the BUILD conference allows disabling secure boot.

He has also clarified that Windows 8 will still run even if secure boot is disabled. Enabling it by default is merely a requirement vendors have to meet to put a Windows 8 logo on their machines, but that doesn’t mean they can’t include an option to disable it.

In a nutshell, the fate of Linux in this case appears to be in the hands of hardware vendors and their willingness to allow secure boot to be disabled. Either that, or Linux operating systems should widely adopt a secure boot compatible boot loader, which likely means a boot loader not licensed under the GPL (possibly making Richard Stallman quite annoyed).

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
Linux Licensing in Conflict with Secure Boot Support, 10.0 out of 10 based on 1 rating
Follow Daniel Memetic on
  • Shawn

    “Someone could leak or crack the key for Windows 8 itself, defeating secure boot anyway, and perhaps proving that security through obscurity really doesn’t work. I’m fairly sure such an event would please Free Open Source Software advocates.”
    No, it would not. This just proves that Microsoft is simply making Linux harder to install because there’s no real security with its move. It’s just a way to hassle those who want to run Linux.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
  • Troy

    Please learn how the key handling works in UEFI, before you spout a bunch of crap.  The boot loader is signed with the private key and UEFI verifies with the public key.  So, there is not keeping secret as it were.  The issue is that the manufacturers are not required to provide a way for additional keys to be added and they are not required to give the option of disabling the secure boot.
     
    The best solution is simply that the manufacturers provide a way to manage the keys in the secure boot firmware.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    • memenode

      If all that is needed to pass the boot is a public key then wouldn’t that mean everyone can make a bootloader that passes, defeating the whole purpose of secure boot? Everyone could just use the Windows 8 public key if other OS’s aren’t added.

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
      • Ryan

        memenode: No, that’s not how asymmetrical encryption works.

        VA:F [1.9.22_1171]
        Rating: 0.0/5 (0 votes cast)
  • Andrew Yeomans

    Trying to keep a secret signing key doesn’t sound the best way forward.
    Perhaps some vendors might make devices that only recognise the Microsoft signing key. But that seems short-sighted – it would be impossible to boot recovery & diagnostic software when they went wrong.
    A better approach is if the hardware /BIOS manufacturers can provide the options to (a) boot untrusted operating system or diagnostics – and there’s no reason this should be the default; and (b) load other signing keys into the BIOS. In the second case, a unique key could be generated during the installation process, adding yet another level of protection to make it difficult to boot any other software.
    Google’s Chromebook design is well worth looking at: http://www.chromium.org/chromium-os/chromiumos-design-docs/firmware-boot-and-recovery.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
  • jsp722

    Funny enough, I’m under the strong impression that signing keys are not programs, that there is no source-code to them to be open-sourced, and that there are thousands of binary signing keys daily used by opens source systems without any thought of violation of any GPL licences.

    Furthermore making public the signing key is far from being the only option ‘coming to mind’ of anyone with a minimum of information, because simply giving the option to disable secure boot has been so much discussed.

    Also, trying to depict free and open source advocates as people who would be “pleased” with leaking or cracking secret keys sounds rather strange, as open source is well known to provide the most secure, virus- and malware-free systems available. It looks like more of an attemp to label open-source as associated with cyber criminality (maybe even terrorism).

    Actually, those who apparently most rejoice at (and make billions of dollars out of) virus and malware are the antivirus industry, which prospers under under Microsoft and would go bankrupt if there were only Linux and open source around.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    • memenode

      Signing keys are not programs, but in this case they’d be required for a given program to function as intended, which is the whole issue. You get the program, but it wont work without a key not available to you (for security purposes).

      Also you may have misunderstood what I meant by “pleased”. Free Open Source Software advocates tend to believe in security by a “many eyes on the code” method as opposed to security by obscurity which this secure boot process appears to represent. What I meant was that if secure boot fails it would be a yet another example that FOSS fans could point to as proof that security by obscurity does not work. It doesn’t have anything to do with labeling FOSS  with cyber-criminality or terrorism. That would be a huge jump, and I myself am annoyed at how liberally such labels are thrown around nowadays.

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
  • Paul C. Brown

    You’re wrong. Secure key exchanging, which is what this is all about, does not conflict with free licenses (including the GPL). SSH or GPG signed and encrypted email wouldn’t work without it. But the users will have to be allowed to generate their own keys,

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    • memenode

      I think encrypted email is different. It is data as opposed to software. In this case it is the software’s functionality which would be effectively disabled without the said key, and GPL (at least GPLv3 explicitly) requires all such functionality-unlocking keys to be available to the user. 

      VN:F [1.9.22_1171]
      Rating: 0.0/5 (0 votes cast)
      • Paul C. Brown

        Okay, more similar to SSH connection with keys then, were you cannot access a functionality (i.e.: a remote shell) without having the correct key. Still not infringing GPL.

        VA:F [1.9.22_1171]
        Rating: 0.0/5 (0 votes cast)
  • Amish Geek

    While users with PC’s that have secure boot enabled would not be able to install linux (while it is enabled), simply disabling secure boot within the bios would allow the user to then install linux as it is done currently.

    Only if an OEM manufacturer releases a PC/Motherboard and DOES NOT allow the user to disable secure boot, would the user be unable to install linux.

    This is akin to password protecting your bios/boot process.  Simply disable it, and there is no more problem. 

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
  • NotMe

    I can see M$ saying Windows is more secure just because it probably is easier for BIOS to disable the function than to accommodate public key for various Linux Loader.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
  • WorBlux

    The solution is to distribute per-device keys as well as the keys for Windows 8, TrueCrypt, Redhat, and whatever other companies convince an OEM to include their vendor-specific key. Publish it in the hardware manual, then just about every issue with secure boot is resolved, improving usability greatly while keeping 99% of the security advantages. By allowing greater deployment in the end creating more security.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
Related Posts

  • SpiderOak Secure Cloud Storage and Backup Review

    Making backups of important files is always smart. There are various ways to accomplish this, one is to simply copy data to external media. The best way is to use some form of off-site backup scheme so that the backup remains intact even if there is a robbery or the tech is destroyed in some kind of a disaster. The advent of modern broadband and the resulting rise in Internet based “cloud” services give users options for off-site backup on the Internet. One such option is SpiderOak. Backup With SpiderOak, there are multiple ways of choosing what to backup. Presets [...]...


Home » Blog » News » Computer News » Intel Haswell Promises 24h Battery Life