Fedora Linux capitulates to Microsoft boot certificate

To run on UEFI-secured machines, the next version of Fedora will use a digital key from Microsoft

In order to get its Linux distribution to run on the next generation of secured desktop computing hardware, the Fedora Project will obtain a digital signature from Microsoft, a developer from the project announced Wednesday.

"This isn't an attractive solution, but it is a workable one," wrote Matthew Garrett in a blog post on Wednesday. "We came to the conclusion that every other approach was unworkable."

The next release of the open-source distribution, Fedora 18, due in November, will be the first version able to run on computers that use UEFI (Unified Extensible Firmware Interface), which requires the operating system to furnish a digital key before it can be run by the machine.

With the growing adoption of UEFI among hardware developers -- largely at the behest of Microsoft -- the Fedora Project faced a number of alternatives, none of them completely satisfying, Garrett said.

Fedora could ignore the request for a digital certificate. This would require users to fiddle with their firmware settings, though, which would make the software less usable for those less technically inclined. "The cause of free software isn't furthered by making it difficult or impossible for unskilled users to run Linux, and while this approach does have its downsides, it does also avoid us ending up where we were in the 90s," Garrett continued. "Users will retain the freedom to run modified software and we wouldn't have accepted any solution that made that impossible."

Another possibility: Fedora could produce its own key. This approach, however, would require buy-in from each hardware manufacturer, which would be difficult to achieve and may result in long lists of computers and components that would be compatible with Fedora. It would also leave out other, smaller, Linux distributions, such as Slackware, which may not have the resources to manage their keys.

The Fedora Project also looked into producing a key for all Linux distributions. This approach, however, would end up costing millions of dollars and take a lot of time, neither of which most Linux distributors would have the resources to cover.

In the approach Fedora chose, the organization would pay US$99 to have Microsoft sign the binary release of the Fedora distribution. Although the cost for the certificates would be less than $200 a year for Fedora's twice-a-year release schedule, it still hands control of Fedora over to Microsoft, however nominally. With the key, the machine can check if the binary version of the distribution is identical to the one submitted to the key signer. Fedora engineers would then develop a bootloader -- a small program that loads the operating system when the computer is powered on -- that would provide the required Microsoft key to the hardware and then hand over operations to the standard bootloader. Garrett characterized this software as a "shim," one that would only add minimal delay to the booting process of a computer.

Garrett admits that even this approach has drawbacks. Some kernel functionality will be locked down. Also, kernel modules will need to be signed. Developers who compile their own kernel binary will have to figure out a way to get it signed, either by applying to the firmware company directly, or creating a shim similar to Fedora's bootloader. Or, they can run their binaries on those computers that don't require certificates.

Although the project is still open to other possibilities, Garrett said, purchasing a key from Microsoft has thus far been the most feasible way of running Fedora on UEFI machines.

Nonetheless, the act of relying on Microsoft to give its approval to run Linux on a computer may be a bitter pill for many longtime open-source advocates, who remember Microsoft's once-hostile stance toward open source. "What is Fedora's plan if Microsoft changes these terms of their $99 signing program to exclude you?" one commenter to Garrett's post asked.

Last year, Microsoft announced that all computers running its Windows 8 operating system will need to require firmware to support UEFI. On x86 systems, it can be turned off, though computers running ARM processors will not have this option. Garrett was less worried about the mandatory UEFI on ARM computers because Microsoft's influence over these vendors is not as expansive.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Copyright © 2012 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon