Fedora Linux capitulates to Microsoft boot certificate

To run on UEFI-secured machines, the next version of Fedora will use a digital key from Microsoft

In order to get its Linux distribution to run on the next generation of secured desktop computing hardware, the Fedora Project will obtain a digital signature from Microsoft, a developer from the project announced Wednesday.

"This isn't an attractive solution, but it is a workable one," wrote Matthew Garrett in a blog post on Wednesday. "We came to the conclusion that every other approach was unworkable."

The next release of the open-source distribution, Fedora 18, due in November, will be the first version able to run on computers that use UEFI (Unified Extensible Firmware Interface), which requires the operating system to furnish a digital key before it can be run by the machine.

With the growing adoption of UEFI among hardware developers -- largely at the behest of Microsoft -- the Fedora Project faced a number of alternatives, none of them completely satisfying, Garrett said.

Fedora could ignore the request for a digital certificate. This would require users to fiddle with their firmware settings, though, which would make the software less usable for those less technically inclined. "The cause of free software isn't furthered by making it difficult or impossible for unskilled users to run Linux, and while this approach does have its downsides, it does also avoid us ending up where we were in the 90s," Garrett continued. "Users will retain the freedom to run modified software and we wouldn't have accepted any solution that made that impossible."

Another possibility: Fedora could produce its own key. This approach, however, would require buy-in from each hardware manufacturer, which would be difficult to achieve and may result in long lists of computers and components that would be compatible with Fedora. It would also leave out other, smaller, Linux distributions, such as Slackware, which may not have the resources to manage their keys.

The Fedora Project also looked into producing a key for all Linux distributions. This approach, however, would end up costing millions of dollars and take a lot of time, neither of which most Linux distributors would have the resources to cover.

In the approach Fedora chose, the organization would pay US$99 to have Microsoft sign the binary release of the Fedora distribution. Although the cost for the certificates would be less than $200 a year for Fedora's twice-a-year release schedule, it still hands control of Fedora over to Microsoft, however nominally. With the key, the machine can check if the binary version of the distribution is identical to the one submitted to the key signer. Fedora engineers would then develop a bootloader -- a small program that loads the operating system when the computer is powered on -- that would provide the required Microsoft key to the hardware and then hand over operations to the standard bootloader. Garrett characterized this software as a "shim," one that would only add minimal delay to the booting process of a computer.

Garrett admits that even this approach has drawbacks. Some kernel functionality will be locked down. Also, kernel modules will need to be signed. Developers who compile their own kernel binary will have to figure out a way to get it signed, either by applying to the firmware company directly, or creating a shim similar to Fedora's bootloader. Or, they can run their binaries on those computers that don't require certificates.

Although the project is still open to other possibilities, Garrett said, purchasing a key from Microsoft has thus far been the most feasible way of running Fedora on UEFI machines.

Nonetheless, the act of relying on Microsoft to give its approval to run Linux on a computer may be a bitter pill for many longtime open-source advocates, who remember Microsoft's once-hostile stance toward open source. "What is Fedora's plan if Microsoft changes these terms of their $99 signing program to exclude you?" one commenter to Garrett's post asked.

Last year, Microsoft announced that all computers running its Windows 8 operating system will need to require firmware to support UEFI. On x86 systems, it can be turned off, though computers running ARM processors will not have this option. Garrett was less worried about the mandatory UEFI on ARM computers because Microsoft's influence over these vendors is not as expansive.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments


Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >



Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?