Fedora Linux capitulates to Microsoft boot certificate

To run on UEFI-secured machines, the next version of Fedora will use a digital key from Microsoft

In order to get its Linux distribution to run on the next generation of secured desktop computing hardware, the Fedora Project will obtain a digital signature from Microsoft, a developer from the project announced Wednesday.

"This isn't an attractive solution, but it is a workable one," wrote Matthew Garrett in a blog post on Wednesday. "We came to the conclusion that every other approach was unworkable."

The next release of the open-source distribution, Fedora 18, due in November, will be the first version able to run on computers that use UEFI (Unified Extensible Firmware Interface), which requires the operating system to furnish a digital key before it can be run by the machine.

With the growing adoption of UEFI among hardware developers -- largely at the behest of Microsoft -- the Fedora Project faced a number of alternatives, none of them completely satisfying, Garrett said.

Fedora could ignore the request for a digital certificate. This would require users to fiddle with their firmware settings, though, which would make the software less usable for those less technically inclined. "The cause of free software isn't furthered by making it difficult or impossible for unskilled users to run Linux, and while this approach does have its downsides, it does also avoid us ending up where we were in the 90s," Garrett continued. "Users will retain the freedom to run modified software and we wouldn't have accepted any solution that made that impossible."

Another possibility: Fedora could produce its own key. This approach, however, would require buy-in from each hardware manufacturer, which would be difficult to achieve and may result in long lists of computers and components that would be compatible with Fedora. It would also leave out other, smaller, Linux distributions, such as Slackware, which may not have the resources to manage their keys.

The Fedora Project also looked into producing a key for all Linux distributions. This approach, however, would end up costing millions of dollars and take a lot of time, neither of which most Linux distributors would have the resources to cover.

In the approach Fedora chose, the organization would pay US$99 to have Microsoft sign the binary release of the Fedora distribution. Although the cost for the certificates would be less than $200 a year for Fedora's twice-a-year release schedule, it still hands control of Fedora over to Microsoft, however nominally. With the key, the machine can check if the binary version of the distribution is identical to the one submitted to the key signer. Fedora engineers would then develop a bootloader -- a small program that loads the operating system when the computer is powered on -- that would provide the required Microsoft key to the hardware and then hand over operations to the standard bootloader. Garrett characterized this software as a "shim," one that would only add minimal delay to the booting process of a computer.

Garrett admits that even this approach has drawbacks. Some kernel functionality will be locked down. Also, kernel modules will need to be signed. Developers who compile their own kernel binary will have to figure out a way to get it signed, either by applying to the firmware company directly, or creating a shim similar to Fedora's bootloader. Or, they can run their binaries on those computers that don't require certificates.

Although the project is still open to other possibilities, Garrett said, purchasing a key from Microsoft has thus far been the most feasible way of running Fedora on UEFI machines.

Nonetheless, the act of relying on Microsoft to give its approval to run Linux on a computer may be a bitter pill for many longtime open-source advocates, who remember Microsoft's once-hostile stance toward open source. "What is Fedora's plan if Microsoft changes these terms of their $99 signing program to exclude you?" one commenter to Garrett's post asked.

Last year, Microsoft announced that all computers running its Windows 8 operating system will need to require firmware to support UEFI. On x86 systems, it can be turned off, though computers running ARM processors will not have this option. Garrett was less worried about the mandatory UEFI on ARM computers because Microsoft's influence over these vendors is not as expansive.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?