Matthew Garrett, a.k.a. UEFI-guru, has revealed that those keeping their fingers crossed and hoping to run Linux on Microsoft’s tablet face an uphill walk, and not an easy one. So why is this?
The answer lies in how Microsoft has restricted the Surface from loading unsigned software and binaries by implementing UEFI SecureBoot. On the ARM-based tablet, Microsoft has loaded its own key, the one used to sign Windows, instead of the "Microsoft Windows UEFI Driver Publisher" key, which is the key used to sign non-Microsoft software such as Linux distributions or loaders. So, no publisher key = no signed non-Microsoft binary = no Linux.
Garrett notes on his blog, “Microsoft provide a signing service for UEFI binaries, so it's tempting to think that getting around this restriction would be as simple as taking an existing Linux bootloader, signing it and then booting.”
“Unfortunately Microsoft's signing service signs binaries using a different key (the "Microsoft Windows UEFI Driver Publisher" key) to the one used to sign Windows, and the Surface doesn't carry that key,” he adds.
The UEFI-guru does mention that a non-Microsoft OS could still be loaded on the Surface tablet if some vulnerability in the device’s firmware were exploited to execute arbitrary code.
The Free Software Foundation has started a campaign against Microsoft's UEFI SecureBoot and is appealing for signatures and donations in a bid to stop it from advancing any further.