32-Bit UEFI bootloader support needed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
debian-installer | New | Unknown | |
debian-installer (Ubuntu) | Confirmed | High | Unassigned |
grub2 (Ubuntu) | Triaged | High | Unassigned |
live-build (Ubuntu) | Confirmed | High | Unassigned |
ubiquity (Ubuntu) | Confirmed | High | Unassigned |
Bug Description
As of now, Ubuntu and other major Linux distributions do not support the use of a 32-bit EFI bootloader on UEFI machines. This has become extremely problematic due to the popularity of Intel Atom-based tablets and compact laptops. Atom-based devices are generally limited in storage space (32GB or 64GB eMMC is common), and as a result these devices almost universally ship with Windows 8.1 32-bit installed (winsxs consumes a significant amount of storage space in order to support 32-bit binaries in a 64-bit environment). By design, UEFI must use the same architecture used by the bootloader.
While most modern computers indeed use a 64-bit UEFI implementation due to the fact that new computers generally ship with a 64-bit operating system (be it OS X or Windows 8.1), Atom-based devices do *not* use a 64-bit operating system or UEFI implementation. This is by design.
Intel released a new Atom iteration (Bay Trail) in late 2013 and has indicated that they will continue to develop and release Atom CPUs due to consumer market demand. At the time of this filing there are a number of Atom-based tablets and compact laptops/netbooks being actively sold and marketed by major OEMs including Dell, HP, ASUS, and Acer. None of these devices have 64-bit UEFI firmware. It is also important to note that these Atom CPUs are 64-bit, but explicitly require a 32-bit UEFI bootloader.
The current Linux kernel in Ubuntu 14.04 does support booting the 64-bit signed kernel from a 32-bit Grub EFI bootloader. I can confirm this on at least two 32-bit UEFI devices, the ASUS Transformer T100TA and the Acer Aspire Switch 10. Unfortunately, the lack of official 32-bit EFI bootloader support in Ubuntu makes accomplishing this far from trivial and beyond the capacity of many users new to Linux as an alternative to Microsoft Windows.
This bug is currently marked as a security vulnerability due to the fact that as of now, it is necessary to compile Grub2 32-bit EFI manually in order to boot Linux. This negates the digital signature check that allows keeping Secure Boot enabled on modern UEFI-based machines.
Considering the above, it is very important to include a 32-bit UEFI bootloader as an update to Grub2 in Trusty and all future releases of Ubuntu.
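The two properties the report turns on, the architecture a loader is built for and whether it carries a signature for Secure Boot to check, can both be read from the loader's PE/COFF header. The following is an added example, not part of the original report or of any Ubuntu tooling; the function names and the header-only sample images are constructed for illustration.

```python
import struct

# PE/COFF machine values for x86, and the UEFI removable-media loader path
# that firmware of each architecture looks for.
MACHINES = {0x014C: "ia32", 0x8664: "x64"}
REMOVABLE_PATH = {"ia32": "EFI/BOOT/BOOTIA32.EFI", "x64": "EFI/BOOT/BOOTX64.EFI"}
FIRMWARE_ARCH = {32: "ia32", 64: "x64"}

def inspect_efi_image(data: bytes) -> dict:
    """Report the target architecture and signature presence of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # start of data directories
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    # Directory 4 is the certificate table (Authenticode signature). A non-zero
    # size means one is attached, not that it is valid or trusted by firmware.
    cert_size = 0
    if num_dirs > 4 and dirs + 40 <= opt + opt_size:
        _, cert_size = struct.unpack_from("<II", data, dirs + 32)
    arch = MACHINES.get(machine, hex(machine))
    return {"arch": arch, "signed": cert_size > 0, "path": REMOVABLE_PATH.get(arch)}

def loadable_by(firmware_bits: int, info: dict) -> bool:
    """UEFI firmware only starts a loader built for its own architecture."""
    return info["arch"] == FIRMWARE_ARCH[firmware_bits]

def sample_image(machine: int, magic: int, cert_size: int) -> bytes:
    """Constructed header-only PE image (no sections), for demonstration."""
    dirs = 96 if magic == 0x10B else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 32, 0x1000 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for name, img in [("self-built ia32", sample_image(0x014C, 0x10B, 0)),
                      ("signed x64", sample_image(0x8664, 0x20B, 1400))]:
        info = inspect_efi_image(img)
        print(name, info, "boots on 32-bit firmware:", loadable_by(32, info))
```

To check a real loader, pass the bytes of the `.efi` file to `inspect_efi_image` instead of a sample image.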
information type: Private Security → Public Security
Changed in grub2 (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Changed in debian-installer (Ubuntu):
importance: Undecided → High
Changed in live-build (Ubuntu):
importance: Undecided → High
Changed in ubiquity (Ubuntu):
importance: Undecided → High
Changed in debian-installer:
status: Unknown → New
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.