Linux Foundation Offers UEFI Secure Boot for Open Source

October 13, 2012

Back in July, I wrote a note here about the potential for problems with open source software, stemming from the introduction of the Unified Extensible Firmware Interface [UEFI], a replacement for the venerable PC BIOS, and its Secure Boot facility.  When Secure Boot is enabled, the machine will refuse to boot any system that does not have a trusted cryptographic signature.   Though this has the potential to improve security, it also has the potential to make it difficult to set up a dual-boot system, or to replace the original OS entirely.  The Free Software Foundation [FSF] published a white paper discussing some of the potential problems.

The Linux Foundation has now announced a new first-stage boot loader that attempts to provide a way around some of these difficulties.  This new loader will be cryptographically signed, but will not actually boot any operating system; rather, it will present the user with the option to run an unsigned second-stage loader that can boot Linux, or any other desired system.

In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system). The pre-bootloader will employ a “present user” test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems.

The new pre-loader will attempt to run the second-stage loader from a known location.  If it succeeds, everything proceeds normally.  If it fails, because the second-stage loader is not signed, the pre-loader will present the user with a screen asking whether booting with the unsigned second stage should continue.  If the system is in Setup mode, the user will also be asked for permission to install the signature of the second stage as a trusted signature; this will facilitate normal booting from a hard disk, for example.  (The announcement has a more complete technical summary.)
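To see which of these paths a given Linux machine would take, the firmware's SecureBoot and SetupMode flags can be read from efivarfs. The sketch below is an added example, not code from the Linux Foundation's pre-loader; the step labels, the order of the two prompts, and the outcome when the user declines are assumptions made for illustration.

```python
from pathlib import Path

# GUID of the UEFI global-variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point


def parse_flag(raw: bytes) -> bool:
    """efivarfs content is a 4-byte attribute word followed by the data;
    SecureBoot and SetupMode each carry a single data byte (0 or 1)."""
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    return raw[4] == 1


def read_flag(name: str, root: str = EFIVARS):
    """Return True/False for a firmware flag, or None if it cannot be read
    (legacy BIOS boot, efivarfs not mounted, insufficient permissions)."""
    try:
        return parse_flag((Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes())
    except OSError:
        return None


def preloader_steps(load_ok: bool, setup_mode: bool, user_agrees: bool) -> list:
    """Model of the flow described above. Step names are hypothetical labels;
    the order of the two prompts and the decline outcome are assumptions."""
    if load_ok:
        return ["boot second stage"]
    steps = ["ask user: continue with unsigned second stage?"]
    if not user_agrees:
        return steps + ["do not boot"]
    if setup_mode:
        steps.append("ask user: install second-stage signature as trusted?")
    return steps + ["boot second stage"]


if __name__ == "__main__":
    # Constructed sample: attributes 0x00000006, data byte 0x01.
    print("sample parses as", parse_flag(bytes.fromhex("0600000001")))
    secure_boot = read_flag("SecureBoot")
    setup_mode = read_flag("SetupMode")
    print("SecureBoot:", secure_boot, "SetupMode:", setup_mode)
    # Assumption for illustration: the second stage is unsigned, so the
    # load fails exactly when Secure Boot is being enforced.
    for step in preloader_steps(not secure_boot, bool(setup_mode), True):
        print(" ", step)
```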

As the announcement says, this is not a permanent solution, but a temporary expedient, to make life easier until a solution that fully integrates alternative systems and UEFI Secure Boot can be developed.  Nonetheless, it is a useful and constructive step to ensure that the user retains control of his or her computer.

Update Saturday, October 13, 21:55 EDT

Ars Technica also has a brief article on this announcement.

