Fedora Linux capitulates to Microsoft boot certificate

To run on UEFI-secured machines, the next version of Fedora will use a digital key from Microsoft

In order to get its Linux distribution to run on the next generation of secured desktop computing hardware, the Fedora Project will obtain a digital signature from Microsoft, a developer from the project announced Wednesday.

"This isn't an attractive solution, but it is a workable one," wrote Matthew Garrett in a blog post on Wednesday. "We came to the conclusion that every other approach was unworkable."

The next release of the open-source distribution, Fedora 18, due in November, will be the first version able to run on computers that use UEFI (Unified Extensible Firmware Interface), which requires the operating system to furnish a digital key before it can be run by the machine.

With the growing adoption of UEFI among hardware developers -- largely at the behest of Microsoft -- the Fedora Project faced a number of alternatives, none of them completely satisfying, Garrett said.

Fedora could ignore the request for a digital certificate. This would require users to fiddle with their firmware settings, though, which would make the software less usable for those less technically inclined. "The cause of free software isn't furthered by making it difficult or impossible for unskilled users to run Linux, and while this approach does have its downsides, it does also avoid us ending up where we were in the 90s," Garrett continued. "Users will retain the freedom to run modified software and we wouldn't have accepted any solution that made that impossible."

Another possibility: Fedora could produce its own key. This approach, however, would require buy-in from each hardware manufacturer, which would be difficult to achieve and may result in long lists of which computers and components would be compatible with Fedora. It would also leave out other, smaller Linux distributions, such as Slackware, which may not have the resources to manage their own keys.

The Fedora Project also looked into producing a key for all Linux distributions. This approach, however, would end up costing millions of dollars and take a lot of time, neither of which most Linux distributors would have the resources to cover.

In the approach Fedora chose, the organization would pay US$99 to have Microsoft sign the binary release of the Fedora distribution. Although the cost of the certificates would be less than $200 a year on Fedora's twice-a-year release schedule, it still hands some control over Fedora to Microsoft, however nominal. With the key, the machine can check that the binary it is about to run is identical to the one submitted to the key signer. Fedora engineers would then develop a bootloader -- a small program that loads the operating system when the computer is powered on -- that carries the required Microsoft signature for the firmware to verify and then hands over operations to the standard bootloader. Garrett characterized this software as a "shim," one that would add only minimal delay to a computer's boot process.
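The two-stage chain described above, as an added illustration that is not code from the article, from Garrett's post or from the real shim project: the firmware trusts only the Microsoft key, the Microsoft-signed shim carries Fedora's key, and the real bootloader is signed by Fedora. Keys, binaries and the Ed25519 signature scheme are constructed stand-ins for the Authenticode signatures real firmware checks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
)

// Signed stands in for a boot binary plus its signature (constructed model).
type Signed struct {
	Image []byte
	Sig   []byte
}

// Constructed keys: Microsoft's public key sits in the firmware's trust store,
// Fedora's public key is compiled into the shim.
var (
	msPriv     = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	fedoraPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	msPub      = msPriv.Public().(ed25519.PublicKey)
	fedoraPub  = fedoraPriv.Public().(ed25519.PublicKey)
)

func sign(priv ed25519.PrivateKey, image []byte) Signed {
	return Signed{Image: image, Sig: ed25519.Sign(priv, image)}
}

// BootChain: firmware checks the shim against the Microsoft key, then the shim
// checks the real bootloader against the Fedora key. A signer outside the
// trust store or any byte changed after signing stops the chain.
func BootChain(shim, loader Signed) string {
	if !ed25519.Verify(msPub, shim.Image, shim.Sig) {
		return "firmware rejected shim"
	}
	if !ed25519.Verify(fedoraPub, loader.Image, loader.Sig) {
		return "shim rejected bootloader"
	}
	return "bootloader running"
}

// Scenario signs a shim and a loader with the given keys, optionally tampers
// with the loader afterwards, and reports how far boot gets.
func Scenario(shimSigner, loaderSigner ed25519.PrivateKey, tamper bool) string {
	shim := sign(shimSigner, []byte("shim: verify next stage with embedded key"))
	loader := sign(loaderSigner, []byte("grub: load the Fedora kernel"))
	if tamper {
		loader.Image = append([]byte(nil), loader.Image...) // copy, then flip a byte
		loader.Image[0] ^= 0xff
	}
	return BootChain(shim, loader)
}
```

Calling Scenario(msPriv, fedoraPriv, false) reaches the bootloader; signing the shim with Fedora's own key, or altering the loader after signing, stops at the first stage that notices.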

Garrett admits that even this approach has drawbacks. Some kernel functionality will be locked down. Also, kernel modules will need to be signed. Developers who compile their own kernel binary will have to figure out a way to get it signed, either by applying to the firmware company directly, or creating a shim similar to Fedora's bootloader. Or, they can run their binaries on those computers that don't require certificates.

Although the project is still open to other possibilities, Garrett said, purchasing a key from Microsoft has thus far been the most feasible way of running Fedora on UEFI machines.

Nonetheless, the act of relying on Microsoft to give its approval to run Linux on a computer may be a bitter pill for many longtime open-source advocates, who remember Microsoft's once-hostile stance toward open source. "What is Fedora's plan if Microsoft changes these terms of their $99 signing program to exclude you?" one commenter to Garrett's post asked.

Last year, Microsoft announced that all computers running its Windows 8 operating system will need firmware that supports UEFI. On x86 systems it can be turned off, though computers running ARM processors will not have this option. Garrett was less worried about mandatory UEFI on ARM computers because Microsoft's influence over those vendors is not as expansive.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com
