Matthew Garrett, kernel developer at Red Hat, has given details of the plans to ship Fedora 18 with the ability to boot under UEFI secure boot. The Secure Boot technology of UEFI will be enabled by default on future Windows 8 hardware and is designed to ensure that only appropriately digitally signed operating systems will boot.

As the only company actively pursuing this signing was Microsoft, the requirement had led many to conclude that Microsoft was locking other operating systems out of future PCs. Microsoft modified their position to allow x86 Windows machines to disable the secure boot option or to allow users to enrol their own keys, but Garrett says that "it's not really an option to force all our users to play with hard-to-find firmware settings before they can run Fedora".

After eliminating options of creating their own Fedora key or an overall Linux key as too complex or costly, Garrett says they have decided to opt for the "least worst" option; have Microsoft sign Fedora. For $99, Microsoft offer a signing service and this should ensure compatibility with a wide range of hardware. "If there are better options then we haven't found them" he added.

Update 1/6/12 - Garrett has revised his posting to clarify that the $99 is actually a payment to Verisign, who are being subsidised by Microsoft to provide the service, and that one payment allows a recipient to sign as many binaries as they wish.

What will actually be signed is a simple "shim" bootloader which will then boot the real GRUB 2 bootloader and validate that it is signed with the Fedora signing key before executing it. There will be changes made to GRUB 2, such as disabling module loading at runtime, to ensure secure boot integrity is maintained.

Secure booting will also require that only trusted code is executed by the kernel. To ensure this, kernel drivers will have to be signed, but Garrett and the other developers on Fedora are still trying to work out a plan for drivers that are from outside the Linux tree.

They will though be providing the tools to allow people to sign their own kernels and bootloaders, but will not, for obvious reasons, be handing out the keys they use. Garrett suggests that keys can be obtained by either generating and enrolling a fresh key (as Fedora will trust anything signed with a key in the firmware), rebuild the bootloader with their own key and then get that signed by Microsoft, or just disable secure boot on the target system.

The plan should allow users to securely boot a system where UEFI Secure Boot is in use, but where it is not in use, the various restrictions will not be applied. The changes will not change the status of ARM systems where UEFI Secure Boot cannot be disabled. The details of the plan for x86 systems aren't set in stone, but Garrett believes it can all be implemented by the time Fedora 18 arrives. "This isn't an attractive solution, but it is a workable one" he says, concluding "if we can increase user freedom without making awful compromises somewhere else then we'll do it".

(djwm)