Good or bad, useful or not, implementation of the Unified Extensible Firmware Interface and Microsoft’s Secure Boot extension might well foul the fuel driving consumer migration to the Linux desktop.
I have extensive practice with installing various Linux distros on older and new computers. I am handy at setting up disk partitions and dual booting to maintain a working Microsoft Windows OS alongside numerous Linux distros. I also have routinely installed Linux on older and new computers by removing the Windows OS and replacing the entire drive with one or more Linux distros.
However, it was not until I attempted to do a Linux installation on a new Gateway Series DX desktop with Windows 8 installed that I stared that UEFI monster down. At first I nearly ran back to the big box store to return the shiny new Windows box. I was not able to get the BIOS settings for the UEFI and Secure Boot permissions to even see USB and DVD live sessions for Ubuntu, Linux Mint, Korora 19 or Puppy Linux. That made routine installation of Linux impossible.
The current use of UEFI and Secure Boot technologies might all too conveniently lock down the hard drive and lock out the installation of other operating systems — like Linux. Whether you can successfully install Linux on hardware with UEFI/Secure Boot controls depends on which computer brand or model you buy. Some of the newest BIOS versions effectively lock down any other OS access.
So if the implementation of UEFI and Secure Boot can essentially prevent a consumer from installing a free OS, is Microsoft encouraging computer makers to lock down users to just the Windows OS?
In short, “No,” said Vojtech Pavlik, director of Suse Labs.
“In the x86 market, it is a technology to prevent persistent stealth rootkit attacks, the most vicious form of malware attacks, a security threat that affects primarily the Microsoft Windows world,” he told LinuxInsider.
On my new computer, I ran into a brick wall installing Linux. Some of the installation methods that worked with legacy and recently purchased machines no longer worked on the newest BIOS on my shiny new computer. When less-experienced computer users hit this wall, will they find a way around it or just stop trying? Or will migrating to Linux be relegated to older hardware?
For instance, even with all of the obvious BIOS options set to allow legacy boot and with Secure Boot turned off, installing Linux failed. My new computer balked at letting the Linux installation disk see the existing Windows partition. The only option offered was reformatting the hard drive. Various tech support centers warned me that doing so might still prevent a Linux installation. UEFI and Secure Boot controls in the hardware would still be activated.
Trial and error got me to the correct combination of Legacy/Secure Boot/UEFI options to load the Linux DVD. Still, none of the distros would get beyond hanging the system during early stages of partitioning the drive to start installation. The only solution was letting Windows 8.0 partition the hard drive.
Once the new partitions were created, Linux Mint 16 installed. However, I had to use the included UEFI folder on the Linux DVD to handle the Linux installation.
A computer tech friend warned me about upgrading to Windows 8.1 from the Microsoft Store before I did the Linux installation. Upgrading to Windows 8.1 first would return the hard drive to its OEM condition. It would overwrite the Linux installation.
I really should not have to do any of that, suggested Greg Kroah-Hartman, a fellow at the Linux Foundation and a Linux Kernel maintainer.
All that is needed should be booting in secure boot and leaving the BIOS settings alone, he explained.
The problems I encountered were distro-specific: the installers did not know how to handle UEFI boot mode, Kroah-Hartman believed. Yet some of the distros supplied the UEFI folder.
“Anyway, booting in dual-boot mode can be tricky, as usually the non-Linux operating system has no idea that it is not the only OS on the disk, and sometimes odd things can happen. There’s nothing that Linux can do about that, as it is not running at the moment,” Kroah-Hartman told LinuxInsider.
The Unified Extensible Firmware Interface is a specification for a software interface between an approved operating system and platform firmware. It looks for a key or certified operating system. Only then does it pass control to that operating system.
Microsoft Secure Boot is a component of Microsoft’s Windows 8 operating system built into the UEFI hardware specification. Until Secure Boot appeared in 2012, computers booted using BIOS. The Secure Boot feature permits only authentic drivers certified by Microsoft to be loaded. This blocks malware.
Of course, the malware issue — at least by today’s standards — does not affect Linux code. So the entire process only benefits the security of the Windows OS. Secure Boot blocks the use of other boot loaders such as GRUB or LILO in Linux.
Early in the development process, the Linux Foundation worked with Microsoft to permit keys from participating Linux distro developers. That agreement allows some Linux distros to run on the UEFI/Secure Boot hardware.
“We did not negotiate anything. We just submitted a boot loader shim that is signed by the Microsoft key that allows the Linux kernel to then be booted in Secure Mode. We worked with Microsoft and the UEFI Group to help implement a solution such that all operating systems can properly boot in secure mode. The shim solution is available for all Linux distros to use, as well as any BSD that wishes to use it,” said Kroah-Hartman.
Cure for Some
Opinions vary on whether the UEFI standards are helping or hurting the migration to Linux. Enterprise users can select a Linux distro certified to work with UEFI standards, but not all Linux distros have keys that allow it to install. Despite the intent of the UEFI standards, the process so far is not universally successful.
It should “just work,” asserted Kroah-Hartman — but that depends on the distro you install. It also depends on which hardware you are installing it on. If you try to install a Linux distro on hardware that was created after the distro was released, it might be a bit hard to do.
“A successful installation does depend on the quality of implementation of the UEFI firmware and adherence to the UEFI 2.3.1c standard by the computer manufacturer. With the use of the UEFI standard still in its infancy, it is not all that rare to come across noncompliant implementations,” said Suse Labs’ Pavlik.
That is where some Linux officials part company. Some insist that Linux installations are not impacted.
“Generally, all major manufacturers of x86/64 systems follow the UEFI specification, meaning that the specific brand or model of a computer will not matter. Outside of the x86/64 server marketplace, including the consumer market, this can change — but for the most part, brand is irrelevant,” Eric Paris, supervisor for the Red Hat Enterprise Linux security team, told LinuxInsider.
Linux Not Equal
It is important to differentiate between UEFI and Secure Boot, insisted Paris.
UEFI is a specification that defines the software interface between an operating system and a platform’s firmware. Secure Boot is a security protocol component of UEFI that — shockingly — secures the boot process by preventing the loading of drivers or OSes that are not digitally signed with an acceptable marker, he explained.
The objective of Secure Boot is to ensure that the operating system bootstrap process does not introduce malware with the assistance of hardware verification. This is something that all Linux distros would like to embrace, according to Paris.
However, the reality is that not all distros support Secure Boot-enabled platforms, he said. One example of a platform that does not play nice with Secure Boot is Red Hat’s own Red Hat Enterprise Linux 6; the platform supports UEFI, but not the Secure Boot protocol.
“A counterpoint, however, is Fedora, which will load on UEFI machines with secure boot enabled right out of the box. Currently, Red Hat Enterprise Linux 7 Beta requires the user to put Secure Boot into learning mode and load the Red Hat Secure Boot Beta key, but we plan to further improve the end-user experience for Secure Boot by the time that Red Hat Enterprise Linux 7 reaches [general availability],” said Paris.
Another issue is that some distributions follow the Linux Foundation’s work or their own, while other distros simply do not have Secure Boot enabled as a default setting, he noted.
UEFI and Secure Boot are technologies that some Linux experts approach with a sense of curiosity. Take the case of James Bottomley, chair of the Linux Foundation’s Technical Advisory Board.
He recently did an install of openSuse 13.1 on a Samsung 9 AT IV. He was curious to see if it would work out of the box. He installed it on the system as delivered in Secure Boot mode using the USB key image. The install went flawlessly except that openSuse could not resize the Windows partition to allow it to share the disk. So he just erased Windows.
“We were initially worried about the problem of installing Linux on Secure Boot hardware. But thanks to a fairly long lead time and lots of work done by Greg [Kroah-Hartman], me, Matthew Garrett and Peter Jones, any distribution that wants to can get it to work easily,” Bottomley told LinuxInsider.
Installation can fail if you install a distro’s older version, he agreed. It also can get troublesome when using non-Microsoft keys.
In most cases, users can install almost any Linux distro on a computer that predates the UEFI and Secure Boot standards without difficulty. That process can involve repartitioning the hard drive, overwriting an earlier version of Microsoft Windows, or creating a dual boot environment. For less-experienced users with a new computer, a better option could be buying a computer with a specific Linux distro already installed.
“Unfortunately, there’s no clear-cut answer here, as the installation process, even without Secure Boot, will vary from distro to distro. To ensure that the installation process goes smoothly, home users should follow the process recommended by the distribution that they’re looking to install,” said Paris.
What steps should the typical Linux home user take to get Linux on a new computer? That depends on whom you ask. The process is documented (albeit for developers) here.
All of the major Linux distros should work out of the box just fine. That includes Fedora, openSuse and Ubuntu, according to Kroah-Hartman.
“Just use the install media and go through the steps provided by the distro. You should not have to modify any BIOS settings in order to install Linux. Windows has a boot to USB restart option somewhere in the shutdown menu, and then boot off of the USB install media, and you should be fine,” he suggested.
In most cases, nothing changes, according to Pavlik. On UEFI machines, just put in the DVD, boot from it, click through the installation screens, and you are done. If Secure Boot is enabled on the machine, use a distribution that supports UEFI Secure Boot. Then the procedure is the same.
For distributions that do not support Secure Boot, enter the firmware setup page, either by pressing a key during the boot sequence or from the presently installed OS on the laptop, and disable Secure Boot there.
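The advice above hinges on two facts the firmware menus tend to obscure: whether the machine actually booted in UEFI mode, and whether Secure Boot is being enforced. The following script is an added example, not from the article or from any distribution's installer; it reads those answers from the variables Linux exposes under /sys/firmware/efi/efivars (the path and the 4-byte attribute header are standard kernel behaviour; the directory argument and the constructed test files are assumptions for running it offline).

```shell
#!/bin/sh
# Added example: classify a running Linux system's boot environment from the
# UEFI variables in efivarfs. Each efivarfs file is 4 bytes of attribute flags
# followed by the variable data; SecureBoot and SetupMode carry one data byte.

# Print the first data byte (byte 5) of an efivarfs file as a decimal number,
# or nothing if the file is too short to carry one.
efivar_data_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Find the efivarfs file for variable name $1 in directory $2 (any vendor GUID).
efivar_path() {
    for f in "$2"/"$1"-*; do
        [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# $1 is the efivars directory (defaults to the real one) so that constructed
# directories can be passed in for testing.
# Prints one of: legacy, setup-mode, enforcing, disabled, unknown.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivars at all: the kernel was started by a BIOS/CSM ("legacy") boot,
    # so Secure Boot is not in effect regardless of the firmware menu settings.
    [ -d "$dir" ] || { echo legacy; return 0; }
    sb=$(efivar_path SecureBoot "$dir") || { echo legacy; return 0; }
    # SetupMode=1 means no platform key is enrolled, so nothing is enforced.
    setup=$(efivar_path SetupMode "$dir") && [ "$(efivar_data_byte "$setup")" = 1 ] \
        && { echo setup-mode; return 0; }
    case "$(efivar_data_byte "$sb")" in
        1) echo enforcing ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Map the state onto the installation advice given in the article.
install_advice() {
    case "$(secure_boot_state "$1")" in
        enforcing)  echo "use a distro with a Microsoft-signed shim, or disable Secure Boot in firmware setup" ;;
        setup-mode) echo "no platform key enrolled; Secure Boot is not enforced" ;;
        disabled|legacy) echo "any distro's normal install media should boot" ;;
        *)          echo "SecureBoot variable unreadable; check firmware setup" ;;
    esac
}

install_advice
```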