Ubuntu's approach sounds better - if it works
Posted Jun 28, 2012 11:17 UTC (Thu) by Jonno
In reply to: Ubuntu's approach sounds better - if it works
Parent article: Ubuntu details its UEFI secure boot plans
> Or am I getting confused, and this will apply only to machines with Ubuntu preinstalled, while installing Ubuntu on a stock UEFI machine that originally shipped with Windows will still require all the shenanigans that Fedora goes through?
Sort of. User-installed Ubuntu machines will boot a Verisign-signed shim bootloader, which will only launch a Canonical-signed efilinux bootloader (so the signed shim bootloader won't be useful to other distributions).
However, unlike the Fedora-signed Grub 2 bootloader, the Canonical-signed efilinux bootloader will in turn launch any Linux kernel.
OEM installations will include the Canonical public key in UEFI flash, and will launch the Canonical-signed efilinux bootloader directly, making the shim bootloader unnecessary. End users with a motherboard that allows adding new keys could conceivably also add the Canonical key and boot efilinux directly (or for that matter add the Fedora key and boot Grub 2 directly), making it theoretically possible to remove the Verisign key.
Note, however, that not all motherboards will offer that functionality. The Windows 8 logo requirements only state that you have to make it possible to add/remove keys or to disable secure boot entirely. I fully expect most consumer motherboards to only offer a simple disable option, while at least some enterprise motherboards will only offer the ability to add/remove keys (to satisfy corporate secure boot policies).
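The boot chains described in the comment above, as a toy model added here (not part of the original comment and not code from Ubuntu, Fedora or any firmware). Signatures are reduced to a signer name with no real cryptography, and the set of kernels Grub 2 accepts is an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Image:
    name: str
    signer: Optional[str]                 # key that signed this binary; None = unsigned
    next_trust: Optional[FrozenSet[str]]  # signers accepted for the next stage; None = anything

# Signing relationships as the comment states them.
SHIM = Image("shim", "Verisign", frozenset({"Canonical"}))
EFILINUX = Image("efilinux", "Canonical", None)  # launches any Linux kernel
# Assumption: Grub 2 accepts only Fedora-signed kernels (the comment says only
# that, unlike efilinux, it does not launch any kernel).
GRUB2 = Image("grub2", "Fedora", frozenset({"Fedora"}))
LOCAL_KERNEL = Image("locally built kernel", None, None)

def boot(firmware_keys, chain):
    """Walk the chain; each stage must be signed by a key the previous stage trusts.

    Returns (True, "booted") or (False, "<image> rejected by <verifier>").
    """
    verifier, trusted = "firmware", frozenset(firmware_keys)
    for image in chain:
        if trusted is not None and image.signer not in trusted:
            return False, f"{image.name} rejected by {verifier}"
        verifier, trusted = image.name, image.next_trust
    return True, "booted"

if __name__ == "__main__":
    # Constructed scenarios: (label, keys in UEFI flash, boot chain)
    scenarios = [
        ("stock machine, via shim", {"Verisign"}, [SHIM, EFILINUX, LOCAL_KERNEL]),
        ("stock machine, efilinux directly", {"Verisign"}, [EFILINUX, LOCAL_KERNEL]),
        ("OEM install, efilinux directly", {"Verisign", "Canonical"}, [EFILINUX, LOCAL_KERNEL]),
        ("Verisign key removed, efilinux", {"Canonical"}, [EFILINUX, LOCAL_KERNEL]),
        ("Verisign key removed, via shim", {"Canonical"}, [SHIM, EFILINUX, LOCAL_KERNEL]),
        ("shim used by another distribution", {"Verisign"}, [SHIM, GRUB2]),
        ("Fedora key enrolled, Grub 2", {"Fedora"}, [GRUB2, LOCAL_KERNEL]),
    ]
    for label, keys, chain in scenarios:
        print(f"{label:36} -> {boot(keys, chain)[1]}")
```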