1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

Ubuntu

Published on 22 June 2012 07:54 AM EDT
Written by Michael Larabel in Ubuntu
88 Comments

Canonical has shared publicly their plans this morning on how they plan to implement support for UEFI SecureBoot on future versions of Ubuntu Linux.

There was an update first on the Canonical blog regarding "An update on Ubuntu and Secure Boot." This blog post really wasn't technical in nature (as is expected by now from the Canonical blog) but basically reiterated that they've been looking into how to deal with Secure Boot as part of the UEFI specification, Canonical has been a contributing member to the UEFI Forum, and that they're committed to ensuring that Ubuntu will "work smoothly" with SecureBoot-enabled hardware. Canonical has generated a signed Ubuntu key and is working on a "revised bootloader" to provide a "it just works" experience on Ubuntu 12.10.

While that blog post was scarce on details, a much more interesting post just hit the Ubuntu development mailing list. The mail, entitled "UEFI Secure Boot and Ubuntu - implementation", and written by Steve Langasek provides much more detail.

The bad news they share is that Ubuntu will not be using GRUB2 by default on systems where SecureBoot is enabled (i.e. all future PCs that are Windows 8 certified). Canonical has invested heavily in the GRUB2 boot-loader, but their move away from GRUB2 comes from GPLv3 concerns.

If an OEM shipping an Ubuntu pre-install ships a GRUB2-enabled Ubuntu release where there is Canonical's private SecureBoot key, they think as part of the GPLv3 they might have to disclose their private key with the source code so users could install a modified boot-loader. If the private key was publicly known, it would then be revoked.

With the GPLv3-licensed GRUB2 not being an option, Canonical then explored using the GRUB Legacy release with EFI patches on top, but they didn't want to touch that aging code-base. Canonical has decided to use Intel's efilinux loader that is more liberally licensed and they're able to make some modifications to provide a simple menu interface.

Also shared is that Canonical only plans to enforce requiring the authentication of boot-loader binaries but not signed kernel images or kernel modules. This will make Ubuntu Linux still capable of loading binary blobs like the NVIDIA and AMD Catalyst drivers and for users to easily spin their own kernels.

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs, and the UEFI specification only allows an image to be signed by a single key. This will then chain to efilinux signed by our own key (so we don't have to go through the WinQual signing process every time we want to make a minor change there). We hope that we'll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don't regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled."

Future OEM PCs to have Ubuntu pre-installed and certified will require that the Ubuntu key be part of the device's UEFI signature database. They also hope to provide an alternative to Microsoft's signing infrastructure while requiring the standard Microsoft key be present in the Ubuntu certification process.

This Ubuntu SecureBoot news comes a few weeks after Red Hat shared their SecureBoot approach for Fedora.

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. Scythe Mugen MAX
  2. Intel Core i7 5960X Haswell-E On Linux
  3. Intel 80GB 530 Series M.2 SSD On Linux
  4. With A New Motherboard, The Core i7 5960X Haswell-E Lights Up
Latest Linux Articles
  1. RadeonSI GLAMOR Benchmarks With X.Org Server 1.16
  2. RadeonSI Gallium3D vs. Catalyst At 4K UHD On Linux
  3. MSAA RadeonSI Gallium3D Performance Preview
  4. Intel Core i7 5960X CPU Core Scaling Under Linux
Latest Linux News
  1. Ubuntu Touch/Phone Reaches Its First RTM Image
  2. The KMS Mode-Setting Driver Was Imported For X.Org Server 1.17
  3. SNA & UXA Intel Benchmarks With X.Org Server 1.16
  4. Graphics Driver Changes Coming In The Linux 3.18 Kernel
  5. Tropico 5 Being Released For Linux Gamers This Week
  6. Eclipse IDE Starts Firing Up On Wayland's Weston
  7. OpenSUSE Announcement On SUSE's Recent Merger
  8. Valve Begins Publicly Tracking AMD Catalyst Linux Issues
  9. Digia Qt Spinoff Is Called "The Qt Company"
  10. GNOME 3.14 Makes More Progress In Running Natively On Wayland
Latest Forum Discussions
  1. Stop grabbing my keyboard :(
  2. New Group Calls For Boycotting Systemd
  3. Updated and Optimized Ubuntu Free Graphics Drivers
  4. Best Radeon for a Power Mac G5?
  5. New stress testing utility for GPU's
  6. Hd 6850
  7. support for first generation UVD blocks (RV6xx, RS780, RS880 and RV790)
  8. Nvidia joins the ranks of Apple and Microsoft