Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

Canonical has shared publicly their plans this morning on how they plan to implement support for UEFI SecureBoot on future versions of Ubuntu Linux.

There was an update first on the Canonical blog regarding "An update on Ubuntu and Secure Boot." This blog post really wasn't technical in nature (as is expected by now from the Canonical blog) but basically reiterated that they've been looking into how to deal with Secure Boot as part of the UEFI specification, Canonical has been a contributing member to the UEFI Forum, and that they're committed to ensuring that Ubuntu will "work smoothly" with SecureBoot-enabled hardware. Canonical has generated a signed Ubuntu key and is working on a "revised bootloader" to provide a "it just works" experience on Ubuntu 12.10.

While that blog post was scarce on details, a much more interesting post just hit the Ubuntu development mailing list. The mail, entitled "UEFI Secure Boot and Ubuntu - implementation", and written by Steve Langasek provides much more detail.

The bad news they share is that Ubuntu will not be using GRUB2 by default on systems where SecureBoot is enabled (i.e. all future PCs that are Windows 8 certified). Canonical has invested heavily in the GRUB2 boot-loader, but their move away from GRUB2 comes from GPLv3 concerns.

If an OEM shipping an Ubuntu pre-install ships a GRUB2-enabled Ubuntu release where there is Canonical's private SecureBoot key, they think as part of the GPLv3 they might have to disclose their private key with the source code so users could install a modified boot-loader. If the private key was publicly known, it would then be revoked.

With the GPLv3-licensed GRUB2 not being an option, Canonical then explored using the GRUB Legacy release with EFI patches on top, but they didn't want to touch that aging code-base. Canonical has decided to use Intel's efilinux loader that is more liberally licensed and they're able to make some modifications to provide a simple menu interface.

Also shared is that Canonical only plans to enforce requiring the authentication of boot-loader binaries but not signed kernel images or kernel modules. This will make Ubuntu Linux still capable of loading binary blobs like the NVIDIA and AMD Catalyst drivers and for users to easily spin their own kernels.

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs, and the UEFI specification only allows an image to be signed by a single key. This will then chain to efilinux signed by our own key (so we don't have to go through the WinQual signing process every time we want to make a minor change there). We hope that we'll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don't regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled."

Future OEM PCs to have Ubuntu pre-installed and certified will require that the Ubuntu key be part of the device's UEFI signature database. They also hope to provide an alternative to Microsoft's signing infrastructure while requiring the standard Microsoft key be present in the Ubuntu certification process.

This Ubuntu SecureBoot news comes a few weeks after Red Hat shared their SecureBoot approach for Fedora.