1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

Ubuntu

Published on 22 June 2012 07:54 AM EDT
Written by Michael Larabel in Ubuntu
88 Comments

Canonical has shared publicly their plans this morning on how they plan to implement support for UEFI SecureBoot on future versions of Ubuntu Linux.

There was an update first on the Canonical blog regarding "An update on Ubuntu and Secure Boot." This blog post really wasn't technical in nature (as is expected by now from the Canonical blog) but basically reiterated that they've been looking into how to deal with Secure Boot as part of the UEFI specification, Canonical has been a contributing member to the UEFI Forum, and that they're committed to ensuring that Ubuntu will "work smoothly" with SecureBoot-enabled hardware. Canonical has generated a signed Ubuntu key and is working on a "revised bootloader" to provide a "it just works" experience on Ubuntu 12.10.

While that blog post was scarce on details, a much more interesting post just hit the Ubuntu development mailing list. The mail, entitled "UEFI Secure Boot and Ubuntu - implementation", and written by Steve Langasek provides much more detail.

The bad news they share is that Ubuntu will not be using GRUB2 by default on systems where SecureBoot is enabled (i.e. all future PCs that are Windows 8 certified). Canonical has invested heavily in the GRUB2 boot-loader, but their move away from GRUB2 comes from GPLv3 concerns.

If an OEM shipping an Ubuntu pre-install ships a GRUB2-enabled Ubuntu release where there is Canonical's private SecureBoot key, they think as part of the GPLv3 they might have to disclose their private key with the source code so users could install a modified boot-loader. If the private key was publicly known, it would then be revoked.

With the GPLv3-licensed GRUB2 not being an option, Canonical then explored using the GRUB Legacy release with EFI patches on top, but they didn't want to touch that aging code-base. Canonical has decided to use Intel's efilinux loader that is more liberally licensed and they're able to make some modifications to provide a simple menu interface.

Also shared is that Canonical only plans to enforce requiring the authentication of boot-loader binaries but not signed kernel images or kernel modules. This will make Ubuntu Linux still capable of loading binary blobs like the NVIDIA and AMD Catalyst drivers and for users to easily spin their own kernels.

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs, and the UEFI specification only allows an image to be signed by a single key. This will then chain to efilinux signed by our own key (so we don't have to go through the WinQual signing process every time we want to make a minor change there). We hope that we'll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don't regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled."

Future OEM PCs to have Ubuntu pre-installed and certified will require that the Ubuntu key be part of the device's UEFI signature database. They also hope to provide an alternative to Microsoft's signing infrastructure while requiring the standard Microsoft key be present in the Ubuntu certification process.

This Ubuntu SecureBoot news comes a few weeks after Red Hat shared their SecureBoot approach for Fedora.

Latest Linux Hardware Reviews
  1. 13-Way Low-End GPU Comparison With AMD's AM1 Athlon
  2. ASUS AM1I-A: A Mini-ITX Board For Socketed Kabini APUs
  3. Mini-Box M350: A Simple, Affordable Mini-ITX Case
  4. Overclocking The AMD AM1 Athlon & Sempron APUs
Latest Linux Articles
  1. Ubuntu 12.04.4 vs. 13.10 vs. 14.04 LTS Desktop Benchmarks
  2. AMD OpenCL Performance With AM1 Kabini APUs
  3. A Quick Look At GCC 4.9 vs. LLVM Clang 3.5
  4. Are AMD Athlon/Sempron APUs Fast Enough For Steam On Linux?
Latest Linux News
  1. Git 2.0 Test Releases Begin With Many Changes
  2. Wine 1.7.17 Works On Its Task Scheduler, C Run-Time
  3. The Improv ARM Board Still Isn't Shipping; Riding A Dead Horse?
  4. Debian To Maintain 6.0 Squeeze As An LTS Release
  5. Wasteland 2 Is Finally Released For Linux Gamers
  6. FreeBSD Advances For ARM, Bhyve, Clang
  7. Ubuntu 14.04 LTS "Trusty Tahr" Officially Released
  8. Ubuntu 12.04 LTS vs. 14.04 LTS Server Benchmarks
  9. QEMU 2.0 Released With ARM, x86 Enhancements
  10. Running The Unity 8 Preview Session On Ubuntu 14.04 LTS
  11. R600 Gallium3D Disables LLVM Back-End By Default
  12. Fedora 21 Gets GNOME 3.12, PHP 5.6, Mono 3.4
Latest Forum Discussions
  1. Suggestions about how to make a Radeon HD 7790 work decently?
  2. The GNOME Foundation Is Running Short On Money
  3. Updated and Optimized Ubuntu Free Graphics Drivers
  4. Radeon 8000M problematic on Linux?
  5. Linux Kernel Developers Fed Up With Ridiculous Bugs In Systemd
  6. After Jack Keane, RuseSoft will briing Ankh 3 to Linux through Desura
  7. Suspected PHP Proxy Issue
  8. Change installation destination from home directory