UEFI defines the next generation firmware interface for your personal computer. The Basic Input and Output System (BIOS) firmware, originally written in assembly and using software interrupts for I/O, has defined the PC ecosystem since its inception – but changes in the computing landscape have paved the way for a “modern firmware” definition to usher in the next generation of tablets and devices.
The intent of UEFI is to define a standard way for the operating system to communicate with the platform firmware during the boot process. Before UEFI, the primary mechanism to communicate with hardware during the boot process was software interrupts. Modern PCs are capable of performing faster, more efficient block I/O between hardware and software, and UEFI allows designs to utilize the full potential of their hardware.
UEFI allows for modular firmware design that gives hardware and system designers greater flexibility in designing firmware for more demanding modern computing environments. Whereas I/O was limited by software interrupts, UEFI promotes the concept of event-based, architecture-neutral coding standards.
UEFI has a firmware validation process, called secure boot, which is defined in Chapter 27 of the UEFI 2.3.1 specification. Secure boot defines how platform firmware manages security certificates, how firmware is validated, and the interface (protocol) between firmware and the operating system.
What it provides
1. UEFI allows firmware to implement a security policy
2. Secure boot is a UEFI protocol, not a Windows 8 feature
3. UEFI secure boot is part of Windows 8 secured boot architecture
4. Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
5. Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
6. OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
7. Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
So what the heck is the problem for RHEL with secure boot? When we talk of dual-boot systems, we have not seen secure boot implemented in any open systems as of now. Even though Fedora 18 now ships with GRUB 2, a lot still has to be fixed, so dual boot will be an issue on secure-boot-enabled hardware. As there are plans to replace BIOS with secure boot, the hardware companies may forbid the option to customise secure boot completely for better security.
In 2013, almost all Windows 8 certified systems will carry secure boot keys, and if a system comes with Windows 8 pre-installed, secure boot will be enabled by default. This means that if you want Windows 8 dual-booted with RHEL, RHEL must have its GRUB first stage signed with Microsoft keys, and any other distribution not signed by Microsoft will not be able to act as the boot chainloader (as secure boot will be disabled for them).
The Windows 8 logo requirements specify that secure boot must be enabled. After some pushback, the requirements have been amended to also say that it should be possible for the owner of a system to disable secure boot or install new keys. It does not say that these actions need to be easy to carry out, though. Given that changing secure boot is a firmware-level operation, users wanting to make changes will be subjecting themselves to the very best sort of user experience that can be created by BIOS developers. It would be entirely unsurprising, for example, if users were forced to hand-enter new keys as long hex strings. For this to be an unpleasant and error-prone process would not be surprising.
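An added example (not from the original post): on Linux, the secure boot state discussed above can be read from efivarfs, where the firmware exposes the SecureBoot and SetupMode variables. The function names and the sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path

# EFI global-variable namespace GUID (UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point

# Constructed sample: attribute mask 0x6 (boot-service + runtime access), then data.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, payload)."""
    if len(raw) < 4:  # every entry starts with a 4-byte little-endian mask
        raise ValueError("entry shorter than its attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]


def flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SecureBoot or SetupMode."""
    _, payload = parse_efivar(raw)
    if len(payload) != 1:
        raise ValueError(f"expected 1 data byte, got {len(payload)}")
    return payload[0] == 1


def classify(secure_boot: bytes, setup_mode: bytes) -> str:
    """Map the two variables to the state a system owner cares about."""
    if flag(setup_mode):
        return "setup mode: no platform key enrolled, new keys can be installed"
    if flag(secure_boot):
        return "user mode: secure boot enforcing"
    return "user mode: secure boot disabled"


def read_platform_state(root: Path = EFIVARS) -> str:
    """Read the live variables; legacy BIOS boots have no efivarfs."""
    if not root.is_dir():
        return "not booted via UEFI"
    try:
        sb = (root / f"SecureBoot-{EFI_GLOBAL}").read_bytes()
        sm = (root / f"SetupMode-{EFI_GLOBAL}").read_bytes()
    except OSError as exc:
        return f"UEFI boot, but variables unreadable: {exc}"
    return classify(sb, sm)


if __name__ == "__main__":
    print(read_platform_state())
```

Run it on the target machine before planning a dual-boot install: "setup mode" means the owner can enroll keys, while "enforcing" means only loaders signed by an enrolled key will start.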
So dual boot will not happen with the Windows 8 OS unless the distribution is signed with Microsoft keys as of now ($99 one-time payment for signing unlimited OS modules). The Linux Foundation is trying to implement a solution so that free software culture is not washed away, but the problem is that the solution is only for minor distributions; all major distributions are working on their own secure boot implementations.
Secure Boot Info on Linuxfoundation
In the meantime, all the Linux desktop vendors are going to have to address the UEFI issue. By year’s end, many, if not most, mass-market PCs are going to be sold with Windows 8 and that in turn will mean there’s no easy way to boot them into Linux.
How it works: UEFI Secure Boot Details