UEFI Secure Boot Still A Big Problem For Linux
Matthew Garrett has provided some insight regarding some of the problems still outstanding for Linux to handle UEFI Secure Boot.
Matthew Garrett, the Red Hat developer commonly working on power management and UEFI/BIOS matters for Linux, has a new blog post related to UEFI Secure Boot. This latest posting is simply entitled Why UEFI secure boot is difficult for Linux.
The post covers that the code for Linux to handle UEFI Secure Boot is practically done, but there's many other issues outstanding related to the handling of custom secure boot mode, out-of-tree kernel drivers, licensing, key distribution, and other matters. Microsoft has said that for x86/x86_64 systems it should be possible to disable UEFI Secure Boot, but recently it's come to light that ARM-based Windows 8 systems will not be permitted to disable this Microsoft-inspired feature.
Garrett also points out that using Secure Boot under Linux would effectively kill out-of-tree kernel drivers like the AMD Catalyst and NVIDIA graphics drivers. "Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen."
Matthew summarizes the current situation as, "We can write the code required to support secure boot on Linux in a minimal amount of time - in fact, most of it's now done. But significant practical problems remain, and so far we have no workable solutions for any of them."
Matthew Garrett, the Red Hat developer commonly working on power management and UEFI/BIOS matters for Linux, has a new blog post related to UEFI Secure Boot. This latest posting is simply entitled Why UEFI secure boot is difficult for Linux.
The post covers that the code for Linux to handle UEFI Secure Boot is practically done, but there's many other issues outstanding related to the handling of custom secure boot mode, out-of-tree kernel drivers, licensing, key distribution, and other matters. Microsoft has said that for x86/x86_64 systems it should be possible to disable UEFI Secure Boot, but recently it's come to light that ARM-based Windows 8 systems will not be permitted to disable this Microsoft-inspired feature.
Garrett also points out that using Secure Boot under Linux would effectively kill out-of-tree kernel drivers like the AMD Catalyst and NVIDIA graphics drivers. "Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen."
Matthew summarizes the current situation as, "We can write the code required to support secure boot on Linux in a minimal amount of time - in fact, most of it's now done. But significant practical problems remain, and so far we have no workable solutions for any of them."
29 Comments