![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59The Microsoft Surface is a fairly attractive bit of tablet hardware, and as a result people have shown interest in running Linux on it. The immediate problem is that (like many ARM devices) it has a locked-down firmware that will only run signed binaries - unlike many other ARM devices, this is implemented using an existing standard (UEFI Secure Boot). Microsoft provide a signing service for UEFI binaries, so it's tempting to think that getting around this restriction would be as simple as taking an existing Linux bootloader, signing it and then booting. Unfortunately Microsoft's signing service signs binaries using a different key (the "Microsoft Windows UEFI Driver Publisher" key) to the one used to sign Windows, and the Surface doesn't carry that key. Booting Linux on these devices would involve finding a flaw in the firmware and using that to run arbitrary code.
Could this also be a problem on x86? In theory - Microsoft don't require that vendors carry the driver publisher key, and so a system could be Windows 8 certified and still not carry it. It's unlikely to occur in practice, though, since any third party expansion hardware will then fail on that device. As a result, anything with PCIe or Expresscard slots is effectively certain to have this key. If anyone finds any counterexamples, please let me know.
Could this also be a problem on x86? In theory - Microsoft don't require that vendors carry the driver publisher key, and so a system could be Windows 8 certified and still not carry it. It's unlikely to occur in practice, though, since any third party expansion hardware will then fail on that device. As a result, anything with PCIe or Expresscard slots is effectively certain to have this key. If anyone finds any counterexamples, please let me know.
OEM laptops - not yet, but probably soon
Date: 2013-01-03 11:53 pm (UTC)I will be very surprised if they do not omit the UEFI driver signing key on some laptops and servers to force you to use only supported, authorized and conveniently marked up hardware for disk/RAID controllers, hardware iSCSI initiators, PXE-capable NICs, remote management cards (VGA+USB host interface to Ethernet and VNC), etc. The temptation of lock-in and high margins is likely to be too strong, as we've already seen with various OEM's periodic attempts to lock server hardware support to their own storage controllers.
Re: OEM laptops - not yet, but probably soon
Date: 2013-01-09 01:45 am (UTC)Re: OEM laptops - not yet, but probably soon
Date: 2017-09-27 01:52 pm (UTC)