Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Victor Tuson Palau
on 28 October 2011

White Paper: Secure Boot impact on Linux


Last month Steven Sinofsky from Microsoft announced new requirements for manufacturers wanting to ship Windows 8 systems, including a feature called “Secure Boot”.

Canonical, together with Red Hat, today publishes a white paper highlighting the implications of these requirements for users and manufacturers. The paper also provides recommendations on how to implement “Secure Boot”, to ensure that users remain in control of their PCs.

UEFI is a good step forward
How much do you know about the BIOS running on your laptop today? Sure, you probably have frantically pressed F12 at some point to try the latest Ubuntu from a CD or USB stick. Beyond that, BIOS doesn’t often get much attention.  The thing is: BIOS is evolving, and all thanks to the UEFI Specifications.

The UEFI Forum, of which Canonical is a member, is defining the next generation interface between your system’s firmware and any operating system that runs on it. The new specs will make Ubuntu systems boot quicker, have a better battery life and are easier to configure.

The latest UEFI specification also defines a process called Secure Boot (version 2.3.1 – Chapter 27). Secure Boot is designed to address the potential for malware to insert itself between the firmware and the operating system on your computer. It accomplishes this by enforcing that only “approved” software is able to boot in your computer by way of a key that recognises pre-approved and signed software.

According to Microsoft’s presentation at //BUILD/2011, Secure Boot will be “Required for Windows 8 client”. While the UEFI specification does not recommend a specific implementation, Microsoft has a preferred solution (outlined on this blog post) which does not give the user full control over what software that is approved to run on their PC. This is the real issue for users.

Secure Boot should be available to all users
Canonical successfully partners with computer manufacturers to ship millions of  Ubuntu pre-installed systems every year. While this distribution will continue to thrive, we are concerned for users wanting to install any Linux distribution on a PC sold with Secure Boot “ON”.

Any new Windows 8 PC will have Secure Boot switched “ON” when it leaves the shop and will be able to boot Microsoft approved software only. However, you will most likely find that your new PC has no option for you to add your own list of approved software. So to install Linux (or any other operating system), you will need to turn Secure Boot “OFF”.

However, we believe that you have the right to have your cake and eat it too!  Its possible to have Secure Boot and the ability to choose your software platform.

This is why we recommend that systems manufacturers include a mechanism for configuring your own list of approved software. This will allow you to run Windows 8 and Linux at the same time in your PC with Secure Boot “ON”. This should also include you being able to try new software from a USB stick or DVD.

Even with the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that  PCs include a User Interface to easily enable or disable Secure Boot and allow the user to chose to change their operating system.

Canonical has discussed these concerns with key industry partners and competitors, resulting in the “Secure Boot Impact on Linux” White Paper, authored by Jeremy Kerr (Technical Architect at Canonical), James Bottomley (Kernel Developer) and Matthew Garret (Senior Software Engineer at Red Hat).

I recommend you read this document to gain a better understanding on how Secure Boot will affect you. We will continue to work with our partners to ensure you still get to choose what runs on your PC!

Related posts


Gabriel Aguiar Noury
21 November 2024

EdgeIQ and Ubuntu Core; bringing security and scalability to device management 

Internet of Things Article

Today, EdgeIQ and Canonical announced the release of the EdgeIQ Coda snap and official support of Ubuntu Core on the EdgeIQ Symphony platform. EdgeIQ Symphony helps you simplify and scale workflows for device fleet operations, data consumption and delivery, and application orchestration. Distributing EdgeIQ Coda as a snap brings the power ...


Ishani Ghoshal
21 November 2024

Ubuntu 20.04 LTS end of life: standard support is coming to an end. Here’s how to prepare. 

Ubuntu Article

In 2025, Ubuntu 20.04 LTS (Focal Fossa) will reach the end of its standard five-year support window. It’s time to start thinking about your options for upgrading. What is an Ubuntu long-term support (LTS) release?  Ubuntu long-term support releases (LTS) are released every 2 years by Canonical. Canonical provides patching and maintenance ...


Felipe Vanni
20 November 2024

Join Canonical in London at Dell Technologies Forum

AI Storage

Canonical is excited to be partnering with Dell Technologies at the upcoming Dell Technologies Forum – London, taking place on 26th November. This prestigious event brings together industry leaders and technology enthusiasts to explore the latest advancements and solutions shaping the digital landscape. Register to Dell Technologies Forum ...