Microsoft Secure Boot Could Ban Windows From PCs

When Windows 8 computers start shipping later this year, they will come with a brand-new Microsoft firmware feature called Secure Boot. A year ago, Linux lovers were worrying that Secure Boot was going to somehow give Linux the boot, but now it looks like there's a brand-new twist to the story. It can also be used to keep Microsoft's software from running on a computer.

To date, nobody has pulled off this technically tricky feat. In fact, most people will have to wait for Windows 8 to ship before they can even give it a try. But Red Hat developer Matthew Garrett has been working with the Secure Boot standards-makers, and he recently described how users can replace the Microsoft cryptographic keys that ship with Windows 8 machines with their own keys and then sign any software they want so it can run on their machine.

This project would be no fun for most PC users, but because it puts the power of Secure Boot back into the hands of the users, it creates an interesting option for free software advocates. They could use these techniques to ensure that their computer wasn't running any proprietary software on top of the firmware. In other words, they could turn the tables on Microsoft.

"There's still some work to be done in order to permit users to verify the entire stack, but Secure Boot does make it possible for the user to have much greater control over what their system runs," Garrett writes in his blog post. "The freedom to make decisions about not only what your computer will run but also what it won't is an important one, and we're doing what we can to make sure that users have that freedom."

Linux users could use this technique to cryptographically sign every piece of software that runs on top of the machine's firmware, giving them control over the boot loader, the Linux kernel, and even the applications running on the machine, says Mark Doran, a senior engineer at Intel who has led the Unified EFI firmware standards effort that gave birth to Secure Boot. "That would give you the ultimate in end-user owner machine control," he says.
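Replacing the vendor keys with your own, as Garrett and Doran describe, comes down to writing EFI_SIGNATURE_LIST structures into the firmware's KEK and db variables and then signing your boot loader and kernel against them. The Python below is an added example, not code from the article or from Garrett's work: it serialises and parses that UEFI structure and checks whether an image's hash is enrolled; the owner GUID, "certificate" bytes and images are constructed placeholders, the raw SHA-256 stands in for the Authenticode PE hash the spec actually uses, and the signed authenticated-variable update that enrolls the list is out of scope.

```python
import hashlib
import struct
import uuid

# Signature types defined by the UEFI spec for entries in the KEK and db variables
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER X.509 certificate
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # SHA-256 of a PE image
ESL_HEADER = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize

def build_esl(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST; each entry becomes an EFI_SIGNATURE_DATA (owner GUID + data)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same SignatureSize")
    sig_size = 16 + sizes.pop()
    list_size = ESL_HEADER.size + sig_size * len(entries)
    # EFI GUIDs store the first three fields little-endian, hence bytes_le
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return out + b"".join(owner.bytes_le + e for e in entries)

def parse_esl(blob):
    """Walk a db/KEK variable (a concatenation of lists) and return (type, owner, data) tuples."""
    found, off = [], 0
    while off < len(blob):
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        end = off + list_size
        pos = off + ESL_HEADER.size + hdr_size
        if end > len(blob) or pos > end or sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=type_raw)
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            found.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return found

def image_hash_allowed(db_blob, image):
    """True if the SHA-256 of `image` is enrolled in db as an EFI_CERT_SHA256 entry (raw hash here)."""
    digest = hashlib.sha256(image).digest()
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in parse_esl(db_blob))

# Constructed sample data: placeholder owner GUID, fake certificate bytes and a fake boot loader image
OWNER_GUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")
FAKE_CERT = b"\x30\x82\x00\x10" + b"\xaa" * 16  # constructed, not a real DER certificate
MY_BOOTLOADER = b"constructed bootloader image"
SAMPLE_DB = build_esl(EFI_CERT_X509_GUID, OWNER_GUID, [FAKE_CERT]) + build_esl(
    EFI_CERT_SHA256_GUID, OWNER_GUID, [hashlib.sha256(MY_BOOTLOADER).digest()])
```

On real hardware the list is wrapped in an EFI_VARIABLE_AUTHENTICATION_2 update signed by the PK (for KEK) or a KEK (for db) before the firmware will accept it; that signing step is what gives the owner, rather than the vendor, the final say.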

About a year ago, this outcome seemed unlikely. That's because it looked like Microsoft was going to work with PC-makers to put its own Secure Boot keys in the registry and possibly lock out other players. The PC-makers have to pay close attention to Microsoft's directions on how to implement Secure Boot in order to qualify for that all-important Windows 8 certification sticker on their boxes.

The dreaded Linux lock-out doesn't seem to have happened, though. And while some concerns remain, when Intel-based Secure Boot systems ship this fall, users will be able to turn it off, and there will be mechanisms to use non-Microsoft keys with the systems. In June, Linux creator Linus Torvalds downplayed the lock-out fear. He thinks the bigger worry is that the Secure Boot keys will be compromised and misused.

Red Hat, Intel, and others worked with the standards body that's hammering out the UEFI firmware standard that includes Secure Boot, and they made sure that the kind of hack Matthew Garrett describes in his blog post would work. "We wanted to make sure that end-users have their own ability to get their own keys signed," says Tim Burke, vice president of Linux platform engineering at Red Hat.