Linux Secure Boot

Linux Secure Boot is a feature in Windows 10 and Windows Server 2016 that allows some Linux distributions to boot under Hyper-V as Generation 2 virtual machines. Linux Secure Boot corrects an issue where many non-Microsoft operating systems could not boot on computer platforms that use UEFI firmware.

The role of Secure Boot in system startup

All computers rely on a boot loader that hands control from the computer's firmware to the operating system each time the computer starts. Boot loaders have become a common attack vector for threats such as rootkits, which bypass the boot loader to launch malware that starts the operating system in a compromised state. The infections from these attacks are difficult to isolate and remove with traditional anti-malware tools.

To curb this attack vector, system designers developed a Secure Boot feature. Secure Boot is based on the Unified Extensible Firmware Interface (UEFI), the low-level system management software that runs before handing over control to the operating system. Secure Boot allows only approved operating systems to run on the machine. Secure Boot checks the cryptographic signature in the operating system's boot loader to see if it matches a registered key in the UEFI firmware. If a match is found, the boot process proceeds. If Secure Boot cannot verify the integrity of the operating system, the system will produce an error and the boot process will halt.

Most computers produced today use UEFI firmware.

Secure Boot concerns with non-Microsoft OSes

Before the introduction of Secure Boot functionality, computer owners could install any operating system as long as the system's hardware met the requirements for the particular OS.

In 2011, Microsoft required that all systems certified to run Windows 8 have Secure Boot enabled and use a Microsoft cryptographic key. This prevented the installation of other operating systems, including many versions of Linux, and forced administrators to operate Secure Boot in a custom mode that allowed additional keys for other operating systems to be added to the firmware. The only other option was to disable Secure Boot before the installation of an alternative operating system.

In terms of Microsoft operating systems, Secure Boot is currently supported by Windows 8 and 8.1, Windows Server 2012 and 2012 R2, Windows 10, and Windows Server 2016.

Linux Secure Boot for Windows

Microsoft introduced Secure Boot on Windows-based Generation 2 virtual machines (VMs) in Windows Server 2012 R2. Secure Boot was not an option for VMs that ran a Linux OS on that server OS.

The company added the Linux Secure Boot feature in Windows 10 and Windows Server 2016. Administrators can use a Linux operating system configured as a Generation 2 VM on Windows Hyper-V as long as the distribution's boot loader has a digital signature that corresponds with the one in the UEFI firmware.

The following Linux versions can use Secure Boot on Windows Server 2016 with the Hyper-V role, on Hyper-V Server 2016, or on Client Hyper-V in Windows 10:

  • CentOS 7.0 and later
  • Debian 7.0 and later
  • Fedora version 18 and later
  • openSUSE version 12.3 and later
  • Red Hat Enterprise Linux (RHEL) 7.0 and later
  • SUSE Linux Enterprise Server (SLES) 12 and later
  • Ubuntu 14.04 and later
  • FreeBSD 11.1 and later

Administrators who use Linux Secure Boot must configure the VM to use the Microsoft UEFI Certificate Authority before the VM starts. Administrators manage VM configurations with Hyper-V Manager, Virtual Machine Manager (VMM) or an elevated Windows PowerShell session.
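
The configuration step described above, as an added example that is not part of the original page: it audits the Generation 2 VMs on a Hyper-V host for their Secure Boot state and template, then applies the Microsoft UEFI Certificate Authority template to a powered-off Linux VM. It assumes the Hyper-V PowerShell module and an elevated session; the VM name linux-vm01 and both function names are hypothetical.

```powershell
# Added example. Requires the Hyper-V module and an elevated session.
# Template name used by Hyper-V for Linux guests.
$LinuxTemplate = 'MicrosoftUEFICertificateAuthority'

function Get-SecureBootReport {
    # Firmware (UEFI) settings exist only on Generation 2 VMs;
    # Get-VMFirmware fails on Generation 1, so filter first.
    Get-VM | Where-Object { $_.Generation -eq 2 } | ForEach-Object {
        $fw = Get-VMFirmware -VM $_
        [pscustomobject]@{
            VMName     = $_.Name
            State      = $_.State
            SecureBoot = $fw.SecureBoot
            Template   = $fw.SecureBootTemplate
        }
    }
}

function Enable-LinuxSecureBoot {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); Secure Boot needs Generation 2."
    }
    # The template has to be in place before the VM starts.
    if ($vm.State -ne 'Off') {
        throw "$VMName is $($vm.State); shut it down before changing firmware settings."
    }
    Set-VMFirmware -VM $vm -EnableSecureBoot On -SecureBootTemplate $LinuxTemplate

    # Read the setting back so the change is confirmed, not assumed.
    Get-VMFirmware -VM $vm | Select-Object VMName, SecureBoot, SecureBootTemplate
}

# Audit: list Generation 2 VMs that currently run without Secure Boot.
Get-SecureBootReport | Where-Object { $_.SecureBoot -ne 'On' } |
    Format-Table -AutoSize

# Apply the Linux template to one VM (hypothetical name).
Enable-LinuxSecureBoot -VMName 'linux-vm01'
```

A VM that reports SecureBoot On with a template other than MicrosoftUEFICertificateAuthority is the case in which a signed Linux boot loader is rejected at startup, so the Template column is worth checking before Secure Boot is switched off as a workaround.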

Disabling Secure Boot

In situations where certain Linux versions cannot be installed with Secure Boot enabled, and new signatures cannot be added by running Secure Boot in a custom mode, it may be necessary to disable the Secure Boot function in the UEFI firmware.

Administrators should consider the potential security implications of running an important system such as an application server without the protection of Secure Boot. Rather than disable Secure Boot, administrators should check with the system manufacturer for firmware upgrades that might provide adequate compatibility with Secure Boot.

This was last updated in November 2017
