Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 9:22 UTC (Thu) by epa (subscriber, #39769)
Parent article: Ubuntu details its UEFI secure boot plans

If Ubuntu can get away with their plan, and not have their key revoked by the capricious gods of key revocation, then it sounds like a better approach to not require signed kernels. Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?

A machine that comes with Ubuntu pre-installed could still run Fedora or Windows or any other operating system, since the Ubuntu bootloader can surely be configured to boot other Linux distributions or OSes. It is not really necessary to include Microsoft's key or anyone else's. Indeed, it might be wise for Canonical to spin out their initial signed bootloader as a separate project, becoming the upstream for many other distributions. Then hardware vendors need include only a single key in order to boot pretty much any Linux distro.


Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 11:17 UTC (Thu) by Jonno (subscriber, #49613)

> Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?

Sort of. User-installed Ubuntu machines will boot a Verisign-signed shim bootloader, which will only launch a Canonical-signed efilinux bootloader (so the signed shim bootloader won't be useful to other distributions).

However, unlike the Fedora-signed Grub 2 bootloader, the Canonical-signed efilinux bootloader will in turn launch any Linux kernel.

OEM installations will include the Canonical public key in UEFI flash, and will launch the Canonical-signed efilinux bootloader directly, making the shim bootloader unnecessary. End users with a motherboard that allows adding new keys could conceivably also add the Canonical key and boot efilinux directly (or for that matter add the Fedora key and boot Grub 2 directly), making it theoretically possible to remove the Verisign key.

Note, however, that not all motherboards will offer that functionality. The Windows 8 logo requirements only state that you have to make it possible to add/remove keys or to disable secure boot entirely. I fully expect most consumer motherboards to only offer a simple disable option, while at least some enterprise motherboards will only offer the ability to add/remove keys (to satisfy corporate secure boot policies).

Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 14:12 UTC (Thu) by epa (subscriber, #39769)

If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution, unless the other distribution depends on some special bootloader magic beyond the usual initrd and parameter passing.

But even in that case, isn't there some kexec-type mechanism where the Linux kernel can be made to boot a different kernel or perhaps even GRUB2? My point is that if you can boot an arbitrary Linux kernel, with a little bit of programming work you can boot any other kernel. So Canonical's signed bootloader could be used by other distributions, even Fedora.

Ubuntu's approach sounds better - if it works

Posted Jun 29, 2012 16:03 UTC (Fri) by giraffedata (subscriber, #1954)

> If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution

And I assume it can be used to launch any other program at all, Linux or not. For example, an infected Windows kernel. So a smart Windows virus would install Canonical's signed efilinux bootloader along with its infected Windows kernel and defeat Microsoft's strategy to secure Windows 8 computers altogether.

So this should mean that Microsoft would not sign a key for Canonical, or should revoke it once Microsoft finds out Canonical is using it this way.

Or maybe I'm just still confused about how UEFI works.
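The boot chains Jonno describes above (Verisign-signed shim launching Canonical-signed efilinux, which launches any kernel; OEM machines with the Canonical key enrolled; Fedora's signed GRUB 2 and kernel) and the consequence giraffedata raises, modelled as an added example that is not part of the thread: walking each stage the way its parent would shows where verification stops. The keys, image bytes and HMAC-based signatures are constructed stand-ins for Authenticode signatures and real UEFI key databases.

```python
import hashlib
import hmac
# Stand-in for an Authenticode signature: HMAC with a constructed key.
# Real UEFI uses RSA/X.509; only the policy walk below is the point.
def sign(key, image):
    return hmac.new(key, image, hashlib.sha256).digest()
def verify(key, image, sig):
    return sig is not None and hmac.compare_digest(sign(key, image), sig)
VERISIGN, CANONICAL, FEDORA = b"verisign-ca", b"canonical", b"fedora"  # constructed
KERNEL = b"vmlinuz"  # constructed image bytes

def stage(name, image, signed_by=None, child_key=None):
    # child_key: key this stage checks its payload against; None means it
    # launches anything, as the thread says efilinux does.
    sig = sign(signed_by, image) if signed_by else None
    return {"name": name, "image": image, "sig": sig, "child_key": child_key}

def walk_chain(db, chain):
    """Verify each stage the way its parent would (firmware checks the first
    stage against db). Returns (fully_verified, [(stage, status), ...])."""
    report, keys, trusted = [], list(db), True
    for s in chain:
        if not trusted or keys is None:
            report.append((s["name"], "unverified"))  # launched without a check
            trusted = False
        elif any(verify(k, s["image"], s["sig"]) for k in keys):
            report.append((s["name"], "verified"))
        else:
            report.append((s["name"], "rejected"))    # parent refuses to launch it
            return False, report
        keys = [s["child_key"]] if s["child_key"] else None
    return trusted, report

def user_installed_ubuntu():   # db holds only the Verisign key, as on a Windows PC
    return walk_chain({VERISIGN}, [stage("shim", b"shim.efi", VERISIGN, CANONICAL),
                                   stage("efilinux", b"efilinux.efi", CANONICAL),
                                   stage("kernel", KERNEL)])

def oem_ubuntu():              # Canonical key enrolled in flash, no shim needed
    return walk_chain({CANONICAL}, [stage("efilinux", b"efilinux.efi", CANONICAL),
                                    stage("kernel", KERNEL)])

def fedora():                  # shim -> Fedora-signed GRUB 2 -> Fedora-signed kernel
    return walk_chain({VERISIGN}, [stage("shim", b"shim.efi", VERISIGN, FEDORA),
                                   stage("grub2", b"grubx64.efi", FEDORA, FEDORA),
                                   stage("kernel", KERNEL, FEDORA)])

def efilinux_without_shim():   # Canonical-signed loader on a stock Windows PC
    return walk_chain({VERISIGN}, [stage("efilinux", b"efilinux.efi", CANONICAL),
                                   stage("kernel", KERNEL)])
```

In both Ubuntu chains the last verified stage is efilinux, which is exactly why anything it launches (giraffedata's "any other program at all") lands outside the chain; the Fedora chain verifies every stage, and efilinux alone is refused by firmware that knows only the Verisign key.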

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds