Fedora's hand forced in the battle to comply with Secure Boot specifications
Fedora 18 will support UEFI's Secure Boot feature by using Microsoft's sysdev signing service, to sign its initial bootloader.
The plan and the reasoning behind it for Fedora's next release, was detailed in a blog post by Red Hat's Matthew Garrett. Garrett has provided a running dialogue on the problems faced by Fedora and Red Hat, to operate with the upcoming UEFI Secure Boot enabled hardware.
Garret said that future releases of Fedora will have a bootloader that is signed using Microsoft's signing key, because there is a very high probability that Microsoft's key will be bundled will all hardware, to be Secure Boot compatible. Since this option is available to any Linux distribution, it prevents Fedora being in a better position than smaller distributions, due to its backing and mindshare.
The signed bootloader will do nothing more than load a version of Grand Unified Bootloader (GRUB), the standard Linux bootloader, that is signed with a Fedora signing key. This version of GRUB will be prevented from module loading and running arbitrary code at runtime, two features that are unrestricted presently.
Following on from this, the Fedora kernel will now also be signed and will have its command line sanitised, to avoid functionality that would allow an attack to cause a signed kernel to launch arbitrary code.
Fedora will be signing all the modules and drivers that it ships, and restricting access to PCI, which will mean that graphics cards will need kernel drivers; also, user modesetting will be removed.
"Secure boot is built on the idea that all code that can touch the hardware directly, is trusted, and any untrusted code must go through the trusted code. This can be circumvented if users can execute arbitrary code in the kernel. So, we'll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality." wrote Garrett.
"If we produce signed code that can be used to attack other operating systems, then those other operating systems are justified in blacklisting us. That doesn't seem like a good outcome."
Users can remove these restrictions by disabling Secure Boot.
Prior to coming to this decision, Fedora explored the possibility of creating a Fedora key and having vendors include that key in their hardware, it was dismissed for two reasons; it would not be possible to get the key into each and every vendor's hardware, and that it would have put Fedora in a privileged position.
"As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it, would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs," Garrett said.
Another alternative was to create a generic signing key for Linux, but this was seen as prohibitively expensive to maintain, and no organisation stepped forward to handle it.
Garrett was at pains to stress that while he is a Red Hat employee, these are only the plans for Fedora, not Red Hat.
Fedora has no plans to support any ARM devices running Windows 8 that come with extra specifications, such as the inability to disable Secure Boot, or allowing the user to manage their own keys.