Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 11:17 UTC (Thu) by Jonno (subscriber, #49613)
In reply to: Ubuntu's approach sounds better - if it works by epa
Parent article: Ubuntu details its UEFI secure boot plans

> Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?

Sort of. User-installed Ubuntu machines will boot a Verisign-signed shim bootloader, which will only launch a Canonical-signed efilinux bootloader (so the signed shim bootloader won't be useful to other distributions).

However, unlike the Fedora-signed Grub 2 bootloader, the Canonical-signed efilinux bootloader will in turn launch any Linux kernel.

OEM installations will include the Canonical public key in UEFI flash, and will launch the Canonical-signed efilinux bootloader directly, making the shim bootloader unnecessary. End users with a motherboard that allows adding new keys could conceivably also add the Canonical key and boot efilinux directly (or for that matter add the Fedora key and boot Grub 2 directly), making it theoretically possible to remove the Verisign key.

Note, however, that not all motherboards will offer that functionality. The Windows 8 logo requirements only state that you have to make it possible to add/remove keys or to disable secure boot entirely. I fully expect most consumer motherboards to only offer a simple disable option, while at least some enterprise motherboards will only offer the ability to add/remove keys (to satisfy corporate secure boot policies).


Ubuntu's approach sounds better - if it works

Posted Jun 28, 2012 14:12 UTC (Thu) by epa (subscriber, #39769)

If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution, unless the other distribution depends on some special bootloader magic beyond the usual initrd and parameter passing.

But even in that case, isn't there some kexec type mechanism where the Linux kernel can be made to boot a different kernel or perhaps even GRUB2? My point is that if you can boot an arbitrary Linux kernel, with a little bit of programming work you can boot any other kernel. So Canonical's signed bootloader could be used by other distributions, even Fedora.

Ubuntu's approach sounds better - if it works

Posted Jun 29, 2012 16:03 UTC (Fri) by giraffedata (subscriber, #1954)

> If Canonical's efilinux bootloader is happy to launch any Linux kernel, it can indeed be used to run any other Linux distribution

And I assume it can be used to launch any other program at all, Linux or not. For example, an infected Windows kernel. So a smart Windows virus would install Canonical's signed efilinux bootloader along with its infected Windows kernel and defeat Microsoft's strategy to secure Windows 8 computers altogether.

So this should mean that Microsoft would not sign a key for Canonical, or should revoke it once Microsoft finds out Canonical is using it this way.

Or maybe I'm just still confused about how UEFI works.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds