1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

Ubuntu

Published on 22 June 2012 07:54 AM EDT
Written by Michael Larabel in Ubuntu
88 Comments

Canonical has shared publicly their plans this morning on how they plan to implement support for UEFI SecureBoot on future versions of Ubuntu Linux.

There was an update first on the Canonical blog regarding "An update on Ubuntu and Secure Boot." This blog post really wasn't technical in nature (as is expected by now from the Canonical blog) but basically reiterated that they've been looking into how to deal with Secure Boot as part of the UEFI specification, Canonical has been a contributing member to the UEFI Forum, and that they're committed to ensuring that Ubuntu will "work smoothly" with SecureBoot-enabled hardware. Canonical has generated a signed Ubuntu key and is working on a "revised bootloader" to provide a "it just works" experience on Ubuntu 12.10.

While that blog post was scarce on details, a much more interesting post just hit the Ubuntu development mailing list. The mail, entitled "UEFI Secure Boot and Ubuntu - implementation", and written by Steve Langasek provides much more detail.

The bad news they share is that Ubuntu will not be using GRUB2 by default on systems where SecureBoot is enabled (i.e. all future PCs that are Windows 8 certified). Canonical has invested heavily in the GRUB2 boot-loader, but their move away from GRUB2 comes from GPLv3 concerns.

If an OEM shipping an Ubuntu pre-install ships a GRUB2-enabled Ubuntu release where there is Canonical's private SecureBoot key, they think as part of the GPLv3 they might have to disclose their private key with the source code so users could install a modified boot-loader. If the private key was publicly known, it would then be revoked.

With the GPLv3-licensed GRUB2 not being an option, Canonical then explored using the GRUB Legacy release with EFI patches on top, but they didn't want to touch that aging code-base. Canonical has decided to use Intel's efilinux loader that is more liberally licensed and they're able to make some modifications to provide a simple menu interface.

Also shared is that Canonical only plans to enforce requiring the authentication of boot-loader binaries but not signed kernel images or kernel modules. This will make Ubuntu Linux still capable of loading binary blobs like the NVIDIA and AMD Catalyst drivers and for users to easily spin their own kernels.

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs, and the UEFI specification only allows an image to be signed by a single key. This will then chain to efilinux signed by our own key (so we don't have to go through the WinQual signing process every time we want to make a minor change there). We hope that we'll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don't regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled."

Future OEM PCs to have Ubuntu pre-installed and certified will require that the Ubuntu key be part of the device's UEFI signature database. They also hope to provide an alternative to Microsoft's signing infrastructure while requiring the standard Microsoft key be present in the Ubuntu certification process.

This Ubuntu SecureBoot news comes a few weeks after Red Hat shared their SecureBoot approach for Fedora.

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. NVIDIA GeForce GTX 970 Offers Great Linux Performance
  2. CompuLab Intense-PC2: An Excellent, Fanless, Mini PC Powered By Intel's i7 Haswell
  3. From The Atom 330 To Haswell ULT: Intel Linux Performance Benchmarks
  4. AMD Radeon R9 285 Tonga Performance On Linux
Latest Linux Articles
  1. AMD Moves Forward With Unified Linux Driver Strategy, New Kernel Driver
  2. MSI: Update Your BIOS From The Linux Desktop
  3. NVIDIA vs. AMD 2D Linux Drivers: Catalyst Is Getting Quite Good At 2D
  4. 15-Way GPU Comparison With Mesa 10.3 + Linux 3.17
Latest Linux News
  1. Automatic Feedback Directed Optimizer Merged Into GCC
  2. Debian Now Defaults To Xfce On Non-x86 Desktops
  3. Phoenix Is Trying To Be An Open Version Of Apple's Swift
  4. Linux 3.19 To Have Skylake Graphics, PPGTT Enablement
  5. Ubuntu 16.04 Might Be The Distribution's Last 32-Bit Release
  6. Imagination Releases Full ISA Documentation For PowerVR Rogue GPUs
  7. Features GNOME Developers Want In The Linux Kernel
  8. GTK+ Gains Experimental Overlay Scrollbars
  9. Phoronix Test Suite 5.4 M3 Is Another Hearty Update
  10. GParted 0.20 Improves Btrfs Support
Latest Forum Discussions
  1. Users/Developers Threatening Fork Of Debian GNU/Linux
  2. Proof that strlcpy is un-needed
  3. xbox one tv tuner
  4. HOPE: The Ease Of Python With The Speed Of C++
  5. Bye bye BSD, Hello Linux: A Sys Admin's Story
  6. Updated and Optimized Ubuntu Free Graphics Drivers
  7. NVIDIA Presents Its Driver Plans To Support Mir/Wayland & KMS On Linux
  8. AMD Is Restructuring Again, Losing 7% Of Employees