Canonical and RedHat Publish a White Paper concering UEFI “Secure Boot”

By now I’m pretty sure that you’ve heard about this little flame wars that took place between OpenSource and proprietary “believers” because of a term called “Secure Boot”. In basic terms, Secure boot is actually a standard set by the UEFI organization, in an attempt to enhance the protection of your PC by not letting running software that aren’t “per-approved/signed” by official developers of that software (the OS to be precise) while its booting.

But since Microsoft’s version of Secure boot has few “dark ends” to it, Free Software Foundation recently started a campaign against it (against the MS version of secure boot to be precise). Anyhow, Ubuntu, even after huge criticisms against their “Unity” desktop module… still growing steadily as the number one GNU/Linux desktop OS and this SB issue could has a lot of negative “effects” for their OS popularity in the future which draws big concerns for them thus (obviously) today they too announced that both them (Canonical) and RedHat has published a joint white-paper concerning this Secure-Boot issue.

And Canonical is among one of the supporting members of UEFI specification thus they said in their announcement that the new UEFI implementation (with or without the SB) should help Ubuntu to boot faster + might also give slightly better battery life too, But…

Heck! ... it's pretty complicated :/

Concerning the issue, I first thought that both Canonical and RedHat is on the belief that the only “evil” is not the idea of secure boot but the implementation of Microsoft which might make it impossible for the users to run GNU/Linux or any OS other than the MS Windows that comes with the PC.

In their own words…

…we recommend that systems manufacturers include a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux at the same time in your PC with Secure Boot “ON”…

Even with the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that  PCs include a User Interface to easily enable or disable Secure Boot and allow the user to chose to change their operating system…

If you’d like to do a bit of a reading, then this official “Secure boot impact on Linux” white paper (in PDF) might get you interested. It ain’t that long (about 9 pages) and I haven’t read all the pages, only the ones that interested me.

The PDF actually has some interesting suggestions and if you want to get a general (both technical and non-technical) idea on this subject since most people are still confused about it (including me), then I humbly suggest that you read it.

As said before, after reading it, I don’t think both Canonical and RedHat are highly impressed with Secure-Boot 100%, because the PDF has a section that describes “Disadvantages” 😉 and an interesting ending note (more later) which is not uncommon since they support the idea of OpenSource (or at lest we’re being told so) .

And unlike with the MS approach where we cannot disable it which puts only MS at controlling the PC, as a a way around it, other than asking for the ability to completely Disable Secure-Boot (since it seems to be somewhat helpful for giving a slightly better secure PC boot, less root-kit viruses, etc) according to the UEFI specification, there’s actually a feature called “setup mode” that lets us use our own “Signed-keys” which lets us run any OS with the secure boot enabled.

Anyhow, the white-paper is authorized by Jeremy Kerr (Canonical Technical Architect), Matthew Garret (representing RedHat) and James Bottomley (a GNU/Linux Kernel developer). This is still a white-paper and not sure how the OEM would react to it either.

As an ending note, as mentioned said before, although secure-boot seems a friendly folk … but the white-paper PDF has a pretty interesting final suggestion (even after Ubuntu clamming that SB would help to enhance security and speed-up things a bit) which flaws through the OpenSource community because of real-life experiences rather than the “idealistic views” (a common contempt to the OpenSource world from the believers of “the proprietary”).

Here it goes…

“Secure boot technology can be beneficial for increasing the security of Linux installations…

Unfortunately, the current implementation recommended for secure boot makes installation of
Linux more difficult and may prevent users from modifying their own systems.

So, we recommend that secure boot implementations are designed around the hardware owner having full control of the security restrictions.

We recommend that all OEMs allow secure boot to be easily disabled and enabled through a
firmware configuration interface.”

Leave a Comment