Jun 28 2012

Original article by Paul Castagnino, first published in Spanish on usemoslinux.blogspot.it

Secure Boot is a mechanism that verifies that the code being executed is digitally signed, so the computer can only boot an operating system whose bootloader is properly signed. Microsoft requires it for computers that carry the “Windows 8 Certified” badge. This requirement has divided the major Linux distributions; find out why.

The position of Red Hat and Fedora: is this the alternative that sounds “less bad”?

As discussed in detail a few days ago in the post about the boot loader approved by Microsoft, Red Hat will choose to use a Microsoft service called Sysdev (paying $99 for the registration), although the money will in the end go to VeriSign. This seems to imply that any GNU/Linux distribution could use the same key, no doubt an act of great charity by Red Hat. The cost is not important, it is only US$99, but isn't the principle the very reason that has kept GNU/Linux far away from Microsoft all this time?

The position of Canonical and Ubuntu does not depend on Microsoft

Canonical, which is present in the UEFI Forum, has generated a key for Ubuntu itself, thus avoiding having to use a Microsoft one, as proposed by Red Hat. The fundamental difference between the proposal of Ubuntu and that of Microsoft is that there is no evidence that Canonical will offer services for key creation. A system that has the Ubuntu key can only run Ubuntu unless, of course, the user disables Secure Boot or adds other keys to UEFI. With this in mind, Canonical is already working on a replacement for GRUB 2, because GRUB 2 would apparently create legal problems due to the GPLv3.

Do not use Secure Boot: the best solution

Perhaps the best option is not to use Secure Boot at all, although this will require changing an option in the BIOS, which can scare many rookies in their move to Linux. But to be completely honest, the same is already true today for users who want to run Linux from a LiveCD or LiveUSB.
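
To see which of these situations a given Linux machine is in, the following added example (not part of the original article) reads the standard UEFI `SecureBoot` and `SetupMode` variables from efivarfs. The function names and the `make_sample` helper, which builds constructed test data, are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state from Linux efivarfs.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# Print the first data byte of a UEFI variable as a decimal number.
# efivarfs files start with a 4-byte attribute field, so data begins at offset 4.
efivar_byte() {   # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Classify the platform: no-uefi | setup-mode | enabled | disabled | unknown
sb_state() {      # $1 = efivars directory (default: the live system)
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo no-uefi; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=""
    secure=$(efivar_byte "$dir" SecureBoot) || secure=""
    if [ "$setup" = 1 ]; then
        echo setup-mode      # no Platform Key enrolled; keys can be installed
    elif [ "$secure" = 1 ]; then
        echo enabled         # only loaders trusted by the enrolled keys will boot
    elif [ "$secure" = 0 ]; then
        echo disabled        # firmware does not verify boot loader signatures
    else
        echo unknown         # variables missing or unreadable
    fi
}

# Constructed sample data: a fake efivars directory with the given byte values.
make_sample() {   # $1 = target dir, $2 = SetupMode byte, $3 = SecureBoot byte
    mkdir -p "$1"
    for pair in "SetupMode:$2" "SecureBoot:$3"; do
        out="$1/${pair%%:*}-$EFI_GLOBAL"
        printf '\006\000\000\000' > "$out"                     # attribute field
        printf "\\$(printf '%03o' "${pair##*:}")" >> "$out"    # one data byte
    done
}

sb_state   # report the state of the machine this runs on
```

On a machine booted in legacy BIOS mode, or in a container without `/sys/firmware/efi`, the final call prints `no-uefi`.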


  4 Responses to “Secure Boot: Red Hat and Canonical present their alternatives”

  1. Assuming the Manufacturer of the PC you bought decides to implement a “turn off UEFI” feature…. some will… some won’t…

  2. The best solution is to build the firmware to allow the user to enter platform setup mode, or to add custom KEKs or X.509 certificates

    Being able to enter platform setup mode would be the best, because you could make it so your hardware doesn’t trust Microsoft signed binary objects. You could choose to trust only gNewSense or Trisquel kernels.

    Being able to add a KEK signed by the Platform key private counterpart would add three levels to secure boot.
    1. Load only binary objects signed with a chain of trust going back to the platform’s private key
    2. Load the above binary objects, plus any that have trust going back to the user loaded keys.
    3. Load any binary object that it is requested.
