One of the largest underlying
changes to Windows 8 is the long-overdue shift from BIOS to UEFI. UEFI
(Unified Extensible Firmware Interface) is superior to BIOS (Basic
Input/Output System) in almost every way, except for one: At the moment,
UEFI prevents Linux distributions from being installed on Windows 8
machines.
UEFI, in essence, is a lightweight operating system that your computer loads at boot time. (See: Demystifying UEFI, the long-overdue BIOS replacement.)
Because it’s an operating system, UEFI has full access to your
hardware, and it can be programmed to do just about anything (thus the
Extensible part of its acronym). UEFI interfaces can be mouse-driven
and can perform complex tasks such as surfing the web
or backing up your hard drives.
The UEFI specification itself also
introduces a few new features to improve performance, flexibility, and
security. The feature that has received by far the most attention is
secure boot,
as it can be used by PC OEMs to prevent other operating systems being
installed on their hardware. Dell, if it so wishes, could build a PC
that only runs Windows. On the flip side, Apple could stop Windows from
being installed on its hardware.
Ostensibly,
secure boot isn’t meant to be used maliciously, though: Its primary
purpose is to prevent a malware-infected PC from booting, thus
protecting the user from possible data theft or worse. Secure boot works
by means of cryptographic signing: A chip on the motherboard stores the
cryptographic hash/key of important operating system files and drivers,
and during boot-up those files are checked — if their hashes have
changed, they’re assumed to be compromised, and the boot process stops.
If you try to boot Linux, secure boot detects the altered hashes and
halts boot. While Linux obviously isn’t malware, secure boot doesn’t
know that.
The solution, of course, is to add the Linux
file/driver hashes to the secure boot chip — but to do that, you need a
secret password. In the case of Windows 8 machines (i.e. official OEM
machines bearing the Windows 8 logo), only Microsoft and the OEM know
the password. If the key were public, then malware authors would be able
to add their own hashes, and thus the system would be worthless.
Where
does this leave Linux? One solution is to simply disable secure boot.
Some OEM machines allow you to do this, while some (most notably the
ARM-powered Windows RT devices) don’t. This is a bit of an unfair
compromise, though, as it leaves your computer vulnerable to malware and
rootkit infection. Another option would be for Linux distributors, such
as Red Hat and Canonical, to collaborate with Microsoft to get their
distros added to the secure boot system. It doesn’t seem like there has
been much movement in that area, though.
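To see whether secure boot is actually on or has been disabled on a given machine, the following added example (not part of the original article) reads the state from a running Linux system. It assumes the standard efivarfs mount at /sys/firmware/efi/efivars and the SecureBoot and SetupMode variables defined by the UEFI specification; the function names, state labels and sample bytes are this example's own.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE namespace GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # assumed mount point

# Constructed sample file contents: 4 attribute bytes, then one data byte.
SAMPLE_ON = bytes.fromhex("0600000001")
SAMPLE_OFF = bytes.fromhex("0600000000")


def parse_flag(raw: bytes) -> bool:
    """Decode a one-byte boolean UEFI variable as exposed by efivarfs."""
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return value == 1


def classify(secure_boot, setup_mode):
    """Map raw SecureBoot/SetupMode contents (None if absent) to a state label."""
    if secure_boot is None:
        # Booted in legacy BIOS mode, or firmware without secure boot.
        return "unsupported"
    if setup_mode is not None and parse_flag(setup_mode):
        # Per the UEFI spec: no platform key enrolled, nothing is enforced.
        return "setup-mode"
    return "enforcing" if parse_flag(secure_boot) else "disabled"


def read_var(name, base=EFIVARS_DIR):
    """Return the raw efivarfs file for a global variable, or None if missing."""
    try:
        return (Path(base) / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(classify(read_var("SecureBoot"), read_var("SetupMode")))
```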
The currently favored
solution is a workaround: a pre-bootloader signed by Microsoft (so it
passes secure boot) that can then be used to load a normal Linux
bootloader without further signature checking. One Linux developer,
Matthew Garrett, has managed to get Microsoft to
sign a pre-bootloader called Shim.
You can download it today and use it to boot Linux on your Windows 8
machine. Shim should soon find its way into SUSE, Fedora, Ubuntu, and
other major Linux distros. The Linux Foundation is developing an
“official” workaround, but as of November it still hadn’t received Microsoft’s blessing.
Source: http://www.extremetech.com/computing/144204-linux-slowly-comes-to-windows-8-pcs-with-uefi-secure-boot