Windows 8 Secure Boot - Two Linux distributions respond

Controversy has been raging over Microsoft's Windows 8 Secure Boot plans ever since they were first revealed last fall, and there's still no sign that that will change anytime soon.

Now the leading Linux distributions are beginning to respond with an outline of how they plan to deal with the restrictions imposed by Microsoft's plans.

First it was Fedora, which revealed its strategy late last month. Then, this week Canonical spoke up in turn with its own plans for Ubuntu Linux.

The two distributions are taking pretty different approaches. Here's an overview of what they've each said.

What we know so far

For those who missed it, a quick recap on what's coming our way: Basically, future Windows 8 hardware will come with the Secure Boot technology enabled in the Unified Extensible Firmware Interface (UEFI), meaning that only operating systems with an appropriate digital signature will be able to boot.

On ARM-based hardware, it apparently won't be possible to disable Secure Boot. On x86 Windows machines, however, Microsoft did soften its stance to make that option possible; alternatively, users could be permitted to enroll their own keys.

Since the topic arose, both the Free Software Foundation and the Linux Foundation have weighed in with their own views on the matter.

Fedora's approach: 'Least Worst'

From Fedora's viewpoint, however, “it's not really an option to force all our users to play with hard to find firmware settings before they can run Fedora,” explained Red Hat developer Matthew Garrett in a blog post late last month.

Instead, Fedora will pay $99 to Verisign for unlimited use of Microsoft signing services, allowing its first stage boot loader to be signed with a Microsoft key.

“It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions,” Garrett explained. “If there are better options then we haven't found them.”

The option “wasn't hugely attractive, but is probably the least worst,” he added.

It's worth noting that there's been considerable negative feedback from at least some parts of the community in response to Fedora's decision.

Canonical weighs in: An Ubuntu key instead

As for Canonical, it's published a set of UEFI requirements targeting device manufacturers, and “it's basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one,” as Garrett pointed out.

“The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service,” Garrett added. “A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables Secure Boot or imports their own key database.”

So, “a certified Ubuntu system may be more locked down than a certified Windows 8 system,” he noted.

'We continue to seek a better result'

Last week, Canonical founder Mark Shuttleworth added comments of his own.

“We've been working to provide an alternative to the Microsoft key, so that the entire free software ecosystem is not dependent on Microsoft's goodwill for access to modern PC hardware,” Shuttleworth began.

"We're pressing OEM partners for options that will be more broadly acceptable than Red Hat's approach,” he added.

Ultimately, Secure Boot's design mandates that Microsoft's key is on every PC because of core UEFI driver signing, Shuttleworth pointed out.

“That and the inability of Secure Boot to support multiple signatures on critical elements means that options are limited,” Shuttleworth concluded. “But we continue to seek a better result.”