The folks behind the popular Fedora Linux operating system have good news and less good news for open source software enthusiasts. The good news is that they’ve come up with a method that will make it easy for anyone to install the next version of Fedora on hardware designed to run Microsoft Windows 8 without disabling the secure boot features Microsoft is insisting hardwaer makers include.

Fedora 17

The bad news is that the method involves Fedora paying a one-time $99 fee for a digital signature from Microsoft. This will allow Windows 8 computers with x86 processors and secure boot enabled to recognize and boot Fedora — but it will make a lot of other things more complicated.

Users that want to develop their own kernels will either have to add support on their own firmware, or pay for their own $99 digital signature if they want to distribute those custom kernels. Drivers for graphics cards and other hardware could also need to be signed.

Red Hat and Fedora developer Matthew Garrett  shared the strategy on his blog recently — and it’s generated a lot of comments, including many complaints that this move is a slap in the face of software freedom.

On the other hand, it’s not clear what alternatives there were. Microsoft has somewhere around a 80 or 90 percent market share in the personal computer space, and it’s Apple, not Linux, that makes up most of the rest. So it’s pretty much a given that if Microsoft wants Windows 8 computers to ship with UEFI secure boot features enabled, then most computer that ship later this year will have secure boot turned on by default.

Microsoft has confirmed that it won’t prevent users from disabling secure boot — but it will be up to hardware makers to decide whether or not to bother offering the option. Many users may also not be comfortable futzing around with firmware options.

So the easiest way to make sure everyone has access to alternate software such as Fedora is to register a digital signature for its operating system.

Another option would have been to work out deals directly with hardware companies — and Fedora has enough clout to get at least a few major PC makers on board. But that option wouldn’t necessarily be open to smaller Linux distributions and there’s no way to guarantee that all hardware makers would be on board. So rather than ask users interested in Fedora to only buy computers from certain companies, the Fedora team is basically using Microsoft’s digital signature tools.

Secure boot features will actually help make Linux-based operating systems like Fedora more secure, just as they will Windows 8. Basically the secure boot features prevent unsigned code from running before the operating system boots — and require the kernel and other software that interacts directly with a computer’s hardware to be signed.

But it still sounds like turning off secure boot when possible might provide the best user experience, even on operating systems such as Fedora which will support the feature.

Fedora 18 is due out this fall, around the same time that Windows 8 will launch.

Theoretically the Fedora team could take a similar approach toward Windows 8 devices with ARM-based processors,

via OStatic

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

20 replies on “Fedora 18 will support secure boot on Windows 8 PCs”

  1. Hi, am I to understand the “secure boot” implementation will mean
    that I will not be able to take a newly purchased Windows 8
    computer and install Fedora, wiping Windows 8 off the drive?

  2. The problem with secure boot is this: Microsoft, years ago, stopped allowing PC makers to include reinstall CDs/DVDs for Windows with their computers.  Usually, the Windows install includes a program to burn a system restore DVD–but, I assure you, your average computer user never bothers to do this.

    A couple of years pass and said end user ends up loaning out their computer to their airheaded cousin, who, naturally, downloads every imaginable virus to the computer in their quest for porn.  At this point, a system restore is needed, but that’s impossible.

    By having this secure boot technology, Microsoft has just made it impossible to do anything useful with that computer without purchasing, for an amount more than the value of the computer, a new version of Windows.

    It’s a shame that Linux was never able to become a truly useful computer for end-users.  People with said borked computer generally are not open to making it a Linux box because of a correct perception that you have to be a megageek to do anything useful with it, and because a lot of important end user applications (like Photoshop or any modern PC game) are not available at all for Linux, or only available in a crippled form (like Skype:  No video calls in Linux).

    One issue I have with this option is that it sounds like Fedora is going to have to get a new signature every time they find a buffer overflow in that obscure SCSI driver; the other is that it will not be possible to use a custom kernel, such as an OpenVZ build for lightweight virtualization.

    1.  Microsoft didn’t stop them from including recovery discs, they stopped that themselves to save money.  Since most people didn’t use them and they’re also starting to phase out optical drives anyway.

      Even Apple switched to a mostly all digital system now.

      The only thing MS disallowed was providing replacement recovery discs, at least not for free.

      While we should all be in the habit of making our own backups now.  Many systems even prompt this the first time you turn them on and all you need is a spare USB drive.

      While, if you bought retail copy then you don’t need to buy another to re-install.

    2. If you can set your PC up to boot from CD/DVD then you can run Linux and have been able to do so for several years. This gives a far more useful computer from the word go without needing to spend large amounts of money to make it useful as you do with MS Windows.
      Oh and it is so much easier to install software and hardware with Linux than Windows now. For example i plugged in my new HP Officejet printer and switched it on. A couple of minutes with no input from me it was ready to print.
      My wife and two of her friends didn’t even realise they were running Linux rather than Windows on their PC’s. The only people who need to run Windows to do what they want are gamers and even that is beginning to change with steam.So I guess you ideas are way out of date.

      1. Ironic that this “We will have the year of Linux on the desktop” anonymous poster resurrected a long-dead thread, since Linux has not been a serious contender for end-user desktops for over a decade. There are many reasons that Linux is on, at most, 1% of end-user desktops.

        Linux on the end-user desktop is dead. Get over it.

  3. sort of secure booting features and uefi are already built into a lot of win7 machines, certainly ones with fast boot features. thus, if you install / run another system than windows – alone standing or as a dualboot option – you will lose this features (in windows). thus one certainly will be able to run pcs without ms tricks & features in future also. for linux / unix only machines this is not needed at all. if one likes to have a dualboot system the question will be another one. the same might be valid if win8 shall be run in a virtual machine. and i doubt if ms – together with its manufacturer alliance – will be able to maintain this licence bottle neck for everybody for a long time or will be forced by jusrisdiction to open this up freely.

  4. booo, hissss.  bad on you fedora.  everyone should be fighting this tooth and nail.  how do we get other distros like arch or freebsd, or plan9 or whatever to work?

    What about those poor folks who might want to dabble in OS development?

    1. Like the article says, as long as they’re willing to pay the fee and do the extra work required to be certified then they too can get their own digital signature.

      At least it’s only a one time fee that only the developer has to pay.  Users can then take advantage of it…  Though the developers may have to pay extra if developing their own hardware drivers as well.

      People, who only dabble can work on systems with secure boot disabled, and if they want others to use it on any system then they could fund raise for the digital signature fee.

      Or if they’re using a already certified kernel then they may not need to pay anything. Not every distro needs to have a different kernel.

      It’s only a issue for people who want to use both Win8 and Linux on the same system, and/or avoid the annoyance of having to turn secure boot on and off with every switch of OS.

      While for people who use Win8 mainly, should still have the option to run any Linux distro in VM and VM features are being baked into Win8 to make it a more common option.

      Though on ARM it would be a either/or only option but there’s plenty of non-WinRT tablets to choose from, along with the possibility some system makers may pay the fee for the digital signature if they want to give users the option or sell a system with both OS, and some are working on merging Linux with Android, with Ubuntu likely to be one of the first hybrid offerings… Kinda like how Win8 switches between Metro and Desktop but will be more an actual switch between the two instead of just a UI switch.

  5. Open Source should come up with it’s own “secure boot” bios features.
    Then, have hardware folks use that, and tell Microsoft to go kick the can or use the free version.

    1. Possibly, but considering how hard it is for them to even come up with DRM solutions it seems unlikely.

      1. Microsoft own tons of DRM patents (bought up a lot of companies that had em over the last 10 years or so).
        Maybe they also own the “secure boot” patents as well?
        We need an Anti-trust case again, one the  works this time.

        1.  Patent or not the basic premise of secure boot requires that its source code never be revealed otherwise anyone could hack it.  Since it’s mainly security by secrecy!

          So for it to work for Linux they would have to invent something that would work regardless of how much anyone knew about how it worked. 

  6. This is f-ed up! A foul anti-competitive move from Microsoft. I hope they will be fought in court.

    1. What’s anti-competitive?  Most, if not all, PC makers will allow the option to turn secure boot off for those who want to use something besides Win8.  It’s only locked in for ARM devices but they offer plenty of non-WinRT options.

      While the feature is to help make the system more secure against attacks, which is something most people would want, and they’re allowing a way for others to become compatible, it’s just not a free option but not being free isn’t a crime or anti-competitive.

  7. My hardware doesn’t need secure boot because from what i’ve seen from the last 3 Win8 previews, there is no reason to use it unti January 2020 when extended support for Win7 runs out

    1. But if you plan to buy a off-the-shelf computer in the next few years, odds are that it’ll come with secure boot enabled. 

      1. I understand that, but unless i’m in the market for a laptop, i personaly wouldn’t buy off-the-shelf. The last Desktop i didn’t build myself came with a Pentium 200 MMX and since i’m “The computer guy” for allmost my entire circle of friends and family, i will activly and vocaly advise AGAINST buying any computer that doesn’t give at least the option to turn secure boot off or offers a complete set of windows 7 drivers, because i just know that one of the first things people will ask me to do is get rid of 8 and downgrade to 7.

        1.  From one of the links in the post: “all x86 Windows machines will be required to have a firmware option to disable this” but “Microsoft’s certification requirements for ARM machines forbid vendors from offering the ability to disable secure boot.”

        2.  Shouldn’t assume too much, as not everyone will dislike Win8.  It’s just a major change and major changes tends to polarize people’s opinions to either love or hate. 

          So while you may dislike it doesn’t mean everyone you know will too.

          Though I agree, if they prefer choice to make sure they at least have the option if they want it to disable the feature.

          It would be interesting though if it becomes mute and more alternative OS start supporting secure boot. After all many more operating systems are starting to come under malware attacks and secure boot at least makes some of those harder to pull off.

Comments are closed.