UEFI: Should Linux Users be Worried?

21
362
The UEFI factor

The UEFI factor

Microsoft intends to capture UEFI and make GNU/Linux and other free OSs “unauthorised”! Is this true, and if so, what is the community doing about it? This article attempts to answer some questions.

As technology enthusiasts, we are familiar with the workings of the boot mechanism in computers. We know which option to tweak in the boot settings to ensure that the CD/DVD disk is the first boot device, rather than the hard disk. Some of us might be interested in tweaking the BIOS, while still others may even have “flashed” it at some point of time. Nothing new here, to be honest. While our desktops have come to the wobbly windows of Compiz Fusion, the BIOS still looks mundane. Yet, it does what it’s meant to do and does it well for everyone — freedom lovers and proprietary software users alike.

However, in all likelihood, the days of happy booting as we know it may soon be gone! Yes, our “friends” at Microsoft have done it again. They are taking one of the core aspects of computing and making it, well, painful for freedom lovers. In other words, meet UEFI, short for United Extensible Firmware Interface.

So, what’s it all about?

Microsoft claims that UEFI “…brings the BIOS into the 21st century.” And how does it manage to do that? Well, for a start, unlike the old BIOS, UEFI boots up instantly. It is capable of handling disks as large as over two terabytes (yes, you read that right: >2 TB). Furthermore, UEFI is independent of CPU architecture. And lastly, it brings the much needed eye-candy element to the booting mechanism. Figure 1 shows where in the stack this comes in.

System stack with EFI
Figure 1: System stack with EFI

Sounds good so far, doesn’t it? Now, here is the tough part. Any new technology with scope for restrictions is bound to have proprietary giants lurking around it — and UEFI is no exception. To quote Gary Richmond, “… mooted changes to the UEFI firmware specification contain the implicit possibility that GNU/Linux would effectively be an ‘unauthorised’ operating system…”

UEFI boot-up
Figure 2: UEFI boot-up

In short, machines with UEFI on board may simply be incapable of booting GNU/Linux, BSD or any other open source OS.

But we can always override the default settings, right?

Actually, no. Any changes to the UEFI firmware will require a digitally signed image or “key” that can only be had via the OEMs or, obviously, Microsoft. Naturally, the latter will not only deny licensing such keys, but compel OEMs to withhold them as well.

And of course, Microsoft will not admit it that easily, will they?

They are justifying this act by claiming it to be an enhanced level of protection against rootkits, boot-time viruses and other malware. Picture this: we know GNU/Linux is not malware. But what if general users of the Windows desktop wish to give Ubuntu or Fedora a spin? They can’t boot it, as the UEFI mechanism will reject the boot disk as unauthorised (or, in other words, “malware”)! How is GNU/Linux going to win converts in such a case? Now, that is a tricky question!

Let’s assume for a moment that Microsoft gives in and allows dual-booting GNU/Linux with Windows 8. Yet again, there is a technical catch. In order to boot under the digitally signed keys, open source boot loaders such as GRUB will need to incorporate proprietary signatures within their code. This goes against the very ideology of FOSS, and, more precisely, will not be possible under the terms of the GPL.

Okay, what now?

Before you panic, here is another angle: the digital-signature mechanism in UEFI may have a loophole that has been spotted by the community pretty recently. UEFI, generally speaking, will be supported on Windows 8 devices only (even though certain Windows versions like Vista SP1 x64 do support UEFI, the “proper” integration will be shipped with Win8 only). As a result, older versions of Windows, such as XP, Vista, and perhaps even 7, might fall in the same category as GNU/Linux — unauthorised operating systems. While this is mere speculation, chances are that Microsoft will use UEFI as a tool to drag more users into its infamous “upgrade cycle” — either upgrade to Windows 8, or, well, upgrade to Windows 8!

In addition, while conventional boot-loaders will perhaps fail to make the cut once UEFI comes into play, alternatives such as WUBI might still go strong.

And, on a slightly more radical note, chances are that UEFI’s digital keys will reject many restore-and-recovery tools too. Obviously, GNU/Linux users will not be the only ones suffering — or complaining.

There is also speculation that given the gigantic success of Android (read: gigantic failure of Windows Mobile), Microsoft might employ this secure booting concept to seize a considerable portion of tablets and other portable devices for its Mobile OS.

Any reactions yet?

To begin with, hacking or jail-breaking the UEFI will not be possible, as in all probability, Microsoft intends to get the digital signatures copyrighted. Google Chromebooks also comes with such secure booting options, but they can be disabled under Developer Mode.

Along similar lines, One Laptop Per Child (OLPC) devices are also boot-protected by default, but the protection can be eliminated by requesting a unique key, and then running the firmware command disable-security. The logic behind the OLPC mechanism is to prevent the theft of laptops from children.

In such a case, Microsoft’s act can by no means be called ethical. Linux Australia is planning to appeal to the Australian Competition and Consumer Commission (ACCC) claiming that the digital signatures in UEFI are non-competitive, and are a ploy to establish monopoly control over the market by unethical methods.

Also, going beyond the FOSS community, this move has not been welcomed by OEMs and hardware vendors either, as they will be at the receiving end of the end users’ angry reactions to their inability to boot other operating systems.

The community response

Both Red Hat and Canonical are members of the UEFI forums. Thus, they are equally aware of the outcome if Microsoft has its way. Tactically, this might not matter much, as Microsoft commands both the financial and strategic resources to influence the entire forum.

Technically, on the other hand, Linux already supports both UEFI and BIOS firmware, while Microsoft Windows supports UEFI only in its newer releases. Clearly, the open source community is ahead. Of course, there exist certain bugs, but most of them will be patched sooner than later.

As mentioned above, the GPL of GRUB might not allow the inclusion of proprietary code in the boot-loader itself. Certain distros are considering abandoning GRUB (GPL licensed) and migrating to LILO (BSD licensed) since the BSD license allows the inclusion of non-free code, and thus, LILO can be considered a worthy option (though nearly overlooked, it still continues to be in active development).

Another easier, though slightly less secure option could be to invent a public access key for all boot-loaders.

To sum it up…

Most bloggers and Internet users are speculating about the results of these stealthy war games being played around UEFI. In any case, if the worst happens, rest assured that the community will indeed figure a way out. After all, most Ubuntu users have learnt to use the Windows logo key on their keyboards to bring up the Unity sidebar, haven’t they? As of now, all we can do is wait and watch!

References
Feature image and diagrams courtesy m Wikimedia Commons — Wikipedia article on UEFI

21 COMMENTS

  1. Linux is here to stay, thanks to smart phones, portable and ultra portable devices (viz., cotton candy, Raspberry Pi), thin clients, and enterprise servers. Even supercomputers run only on Linux.

  2. ROTFLMFAO!!!! Lets see, how about WhoTF on earth needs Windows??? I personally haven’t used that garbage in years, also don’t plan on ever using that sh*t for my computer(s)/Servers. Well if you want to pay for everything in life, go ahead. Or learn what GPL can do for you today… Seriously.
     
    Who really uses windows anyway? Mostly corporations that have their head wayyyyy too far up their own asses, ignorant sheeple, and lastly looser gamers. So any real Linux user has NO threat to worry about, none what so ever. Simply wash your hands and go back to work…. This doesn’t effect you. 
     
    I cannot wait for the day when knowledge is power, and a current form of currency. Sheeple, you are the ones in real trouble. Bye, BYE! yay!
     
    Windows 8 has no real place in this world. I’m sure I WILL NEVER use it. I’m the IT manager for a huge corp(150+peeps), so trust me, IT support stop at windows 7, anything past that is a total waste of time and will not be supported. Simple as that. Best part is I make the policies in regards to all upgrades and support. I am the gate keeper. I hold my middle finder high. With a hearty FY MS. Oh and btw MS, here is a spoon. Please, feel free to eat my ass, be sure to use your tongue.

  3. well, the uefi situation on arm-based windows8-oem machines shown the true intentions of microsoft about it…

  4. Dear Gates and Windows… Life Is Short…Break The Rules..Forgive Quickly…Love Truely….Laugh Uncontrollably…And Never Regret Anything That Made You Smile :)

  5. I think its because yesterday morning Microsoft called me, and was proposing our company new promotional prices on MSOFFICE, TERMINAL CALS, and EXCHANGE.. Haha I told them that we moved on OPEN SOURCE because their softwares were ineffective, and much expensive.. LOL.. Sorry guys..

  6. i have seen a grub version for efi or uefi on ubuntu s repository. there is no need to panic and start overreacting.

  7. I think MS is not going to take such a step especially after considering how Windows 8 and other OSes are being developed with help of the community feedback. :D.

  8. First of all, it’s Unified Extensible Firmware Interface.
    Second, it’s an open specification provided and worked over with both Dell, Intel and several others.

    Digital signatures needs to be burnt into the actual flash ROM on-board the M/B to provide such security that the EFI manager won’t be able to circumvein.

    The only other datalocation would be the EFI System Partition, and that’s as easy to remove as formating a harddrive.

    And last but not least, if this would happen in the near future then the development of TianoCore would probably pick up in pace and brings us an OSi compliant implementation.

    In my eyes, seeing how the 2.0 implementation looks, there’s many possibilites for jailbreaking.

  9. Regarding UEFI,  and secure booting. 

    What is the situation with the booting of a virtual machine?  Will the virtual machine have to communicate with a virtual uefi? 

    To satisfy other software vendors (example, embedded system designs, Linux, etc) the UEFI bios will require more than one signature, if the bios is going to be supported at all.

    The bios vendor will have to provide for a signature bypass for non Windows systems, or for multiple signatures to be supported. In doing the bypass, Linux will boot, but MS software that relies on it’s protected bios version will not untul the signature is reestablished. 

    And suppose that you boot an older MS system (w7) and run a VM to test Windows 8 or Windows 9) what then?

    I believe in the end, that DRM starting with the bios, and ending with the monitor electronics will fail.   

    The TPM was a hardware chip that was to protect the system from theft or from stealing confidential information. It should be the item that is used to store signatures. (The TPM is a smartcard in a chip (possibly pluggable) for the motherboard). To run Linux, you plug in a clean TPM and go from there.

    Any feedback would be appreciated.

  10. Once Steam comes to Linux (Yes it is happening, read the news in the steam program/website, search for Linux and it should be one of the first ones) Microsoft will lose a huge amount of customers. Then Blizzard will follow steams footsteps, even more will flock from Windows. Then all other software companies will see the mass fall of windows users, and the mass increase of Linux users and start programming for Linux… People in 2020 will be saying “Hey, whatever happened to Microsoft?” (And hopefully apple aswell, but lets kill that demon when it starts to be a serious threat instead of the joke that it is atm.)

  11. Bill gets ready to be burried soon with his UEFI machines,’ Your ass hole already blocked by Android.
    Dont worry with such a tactic, a diminishing OS will kill itself very soon.
    This would be a real boost for Linux users to stick with Linux.

  12. Sooner or later Linux is going to have to do what the morons at Microsoft did, SLEEP with some hardware manufacturers in order to secure a BIOS UEFI friendly MoBo.
    I little priority hardware would go a long way right now. Sovereign nations don’t coddle to Green Peace morons.

  13. I have ubuntu on a windows 8 laptop :3 figured it out in two or three hours for my girlfriend. Nyee nyee, Microsoft. *sticks out tongue* It’s not as hard as it looks, and you guys are big meanfaces, but thanks for the mental exercise.

  14. I tried ALL the top Linux distributions on my new Asus laptop, and NONE Of them worked, despite following all the circumventions and acceptions to the UEFI bios. Unless someone creates a replacement UEFI flash image to allow users to use REAL operating systems every Linux distribution is dead from here forward. I’m shocked that government isn’t involved in the Civil War, since it is a blatant violation of consumer rights and competition. The future of the e-world is bleak indeed. I may just have to go back to typing on paper.

LEAVE A REPLY

Please enter your comment!
Please enter your name here