Fedora to be signed by Microsoft

Fedora's hand forced in the battle to comply with Secure Boot specifications

Fedora 18 will support UEFI's Secure Boot feature by using Microsoft's sysdev signing service to sign its initial bootloader.

The plan for Fedora's next release, and the reasoning behind it, was detailed in a blog post by Red Hat's Matthew Garrett. Garrett has provided a running dialogue on the problems Fedora and Red Hat face in operating with the upcoming UEFI Secure Boot enabled hardware.

Garrett said that future releases of Fedora will have a bootloader that is signed using Microsoft's signing key, because there is a very high probability that Microsoft's key will be bundled with all hardware that is to be Secure Boot compatible. Since this option is available to any Linux distribution, it prevents Fedora, with its backing and mindshare, from being in a better position than smaller distributions.

The signed bootloader will do nothing more than load a version of Grand Unified Bootloader (GRUB), the standard Linux bootloader, that is signed with a Fedora signing key. This version of GRUB will be prevented from module loading and running arbitrary code at runtime, two features that are unrestricted presently.

Following on from this, the Fedora kernel will also be signed and will have its command line sanitised to avoid functionality that would allow an attack to cause a signed kernel to launch arbitrary code.

Fedora will be signing all the modules and drivers that it ships, and restricting access to PCI, which will mean that graphics cards will need kernel drivers; also, user modesetting will be removed.
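As an added illustration of the signed-module requirement (not code from the article, from Garrett's post or from Fedora), the following Python checks whether a kernel module image carries an appended-signature trailer. It assumes the trailer layout of the mainline Linux kernel (`struct module_signature` followed by a marker string), which may differ from what Fedora 18 shipped; `build_sample` and the sample bytes are constructed for the example.

```python
import struct

# Assumption: mainline Linux layout. A signed .ko ends with
#   <module payload> <signature> <struct module_signature> <marker string>
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
PKEY_ID_PKCS7 = 2


def parse_module_signature(blob: bytes):
    """Return trailer details for a signed module image, or None if unsigned.

    This only locates the signature; it does not verify it cryptographically.
    Raises ValueError when the marker is present but the trailer is inconsistent.
    """
    if not blob.endswith(MAGIC):
        return None  # no marker: the image is unsigned
    trailer_end = len(blob) - len(MAGIC)
    if trailer_end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    algo, hash_alg, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(
        blob, trailer_end - TRAILER.size)
    payload_len = trailer_end - TRAILER.size - sig_len - signer_len - key_id_len
    if payload_len < 0:
        raise ValueError("declared signature length exceeds file size")
    # For PKCS#7 signatures the kernel expects the other descriptor fields to be zero.
    if id_type == PKEY_ID_PKCS7 and (algo or hash_alg or signer_len or key_id_len):
        raise ValueError("non-zero legacy fields in a PKCS#7 trailer")
    return {
        "id_type": id_type,
        "is_pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "payload_len": payload_len,  # bytes that the signature covers
    }


def build_sample(payload: bytes, sig: bytes, id_type: int = PKEY_ID_PKCS7) -> bytes:
    """Constructed test input: a payload with a dummy (not valid) signature appended."""
    return payload + sig + TRAILER.pack(0, 0, id_type, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    print(parse_module_signature(b"\x7fELFpayload"))                         # None
    print(parse_module_signature(build_sample(b"\x7fELFpayload", b"S" * 16)))
```

A `None` result means an enforcing kernel would refuse the module; a parsed trailer only shows that a signature is attached, not that it chains to a trusted key.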

"Secure boot is built on the idea that all code that can touch the hardware directly is trusted, and any untrusted code must go through the trusted code. This can be circumvented if users can execute arbitrary code in the kernel. So, we'll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality," wrote Garrett.

"If we produce signed code that can be used to attack other operating systems, then those other operating systems are justified in blacklisting us. That doesn't seem like a good outcome."

Users can remove these restrictions by disabling Secure Boot.

Prior to coming to this decision, Fedora explored the possibility of creating a Fedora key and having vendors include that key in their hardware. It was dismissed for two reasons: it would not be possible to get the key into each and every vendor's hardware, and it would have put Fedora in a privileged position.

"As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs," Garrett said.

Another alternative was to create a generic signing key for Linux, but this was seen as prohibitively expensive to maintain, and no organisation stepped forward to handle it.

Garrett was at pains to stress that while he is a Red Hat employee, these are only the plans for Fedora, not Red Hat.

Fedora has no plans to support any ARM devices running Windows 8 that come with extra specifications, such as the inability to disable Secure Boot or to let users manage their own keys.

2 comments
ergodic

I feel betrayed by Fedora, an OS which I have admired and promoted since the times of Fedora Core 3 release. Claudication to Microsoft denies and destroys all the ideals and predicates of software freedom. I will not recommend or buy hardware that requires a Microsoft license to function. I will cease to use Fedora. M. A. MacLain

mof.biz.it

Is the ARM maker the instrument of Microsoft to suppress the freedom of the business world? Why is Microsoft dictating the world? Can the supporters of Open Source, like Red Hat, Novell, or Google, take action to protect the consumers from the greed of Microsoft? I think if the courts and lawmakers are given the light on the implications, Microsoft's move to suppress our freedom will be prevented. Similar to what had happened with the case of Oracle vs. Google on Java, Red Hat should not pay.