1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

Ubuntu

Published on 22 June 2012 07:54 AM EDT
Written by Michael Larabel in Ubuntu
88 Comments

Canonical has shared publicly their plans this morning on how they plan to implement support for UEFI SecureBoot on future versions of Ubuntu Linux.

There was an update first on the Canonical blog regarding "An update on Ubuntu and Secure Boot." This blog post really wasn't technical in nature (as is expected by now from the Canonical blog) but basically reiterated that they've been looking into how to deal with Secure Boot as part of the UEFI specification, Canonical has been a contributing member to the UEFI Forum, and that they're committed to ensuring that Ubuntu will "work smoothly" with SecureBoot-enabled hardware. Canonical has generated a signed Ubuntu key and is working on a "revised bootloader" to provide a "it just works" experience on Ubuntu 12.10.

While that blog post was scarce on details, a much more interesting post just hit the Ubuntu development mailing list. The mail, entitled "UEFI Secure Boot and Ubuntu - implementation", and written by Steve Langasek provides much more detail.

The bad news they share is that Ubuntu will not be using GRUB2 by default on systems where SecureBoot is enabled (i.e. all future PCs that are Windows 8 certified). Canonical has invested heavily in the GRUB2 boot-loader, but their move away from GRUB2 comes from GPLv3 concerns.

If an OEM shipping an Ubuntu pre-install ships a GRUB2-enabled Ubuntu release where there is Canonical's private SecureBoot key, they think as part of the GPLv3 they might have to disclose their private key with the source code so users could install a modified boot-loader. If the private key was publicly known, it would then be revoked.

With the GPLv3-licensed GRUB2 not being an option, Canonical then explored using the GRUB Legacy release with EFI patches on top, but they didn't want to touch that aging code-base. Canonical has decided to use Intel's efilinux loader that is more liberally licensed and they're able to make some modifications to provide a simple menu interface.

Also shared is that Canonical only plans to enforce requiring the authentication of boot-loader binaries but not signed kernel images or kernel modules. This will make Ubuntu Linux still capable of loading binary blobs like the NVIDIA and AMD Catalyst drivers and for users to easily spin their own kernels.

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs, and the UEFI specification only allows an image to be signed by a single key. This will then chain to efilinux signed by our own key (so we don't have to go through the WinQual signing process every time we want to make a minor change there). We hope that we'll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don't regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled."

Future OEM PCs to have Ubuntu pre-installed and certified will require that the Ubuntu key be part of the device's UEFI signature database. They also hope to provide an alternative to Microsoft's signing infrastructure while requiring the standard Microsoft key be present in the Ubuntu certification process.

This Ubuntu SecureBoot news comes a few weeks after Red Hat shared their SecureBoot approach for Fedora.

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. Btrfs On 4 x Intel SSDs In RAID 0/1/5/6/10
  2. AMD Radeon R9 290 On Ubuntu 14.10: RadeonSI Gallium3D vs. Catalyst
  3. MSI X99S SLI PLUS On Linux
  4. NVIDIA GeForce GTX 970 Offers Great Linux Performance
Latest Linux Articles
  1. NVIDIA's Linux Driver Can Deliver Better OpenGL Performance Than Windows 8.1
  2. Windows 8.1 vs. Ubuntu 14.10 With Intel HD Graphics
  3. 6-Way Ubuntu 14.10 Radeon Gallium3D vs. Catalyst Driver Comparison
  4. NVIDIA vs. Nouveau Drivers On Ubuntu 14.10
Latest Linux News
  1. Wine 1.7.30 Continues Work On DirectWrite & Offers Regedit Fixes
  2. Has The Sky Fallen? Qualcomm Contributes To Freedreno's DRM/KMS Driver
  3. Manjaro Works To Make Calamares A Distribution-Independent Installer
  4. DisplayLink USB 3.0 Support Sounds Like A Mess
  5. PulseAudio Gains A Native Bluetooth Headset Backend
  6. X.Org Foundation Decides On Its Women Outreach Project
  7. GTK+ 3.16's New GtkGLArea Widget Gets Improved
  8. X.Org Server 1.17 ABI Bumped
  9. Fedora 21 Beta To Be Released Next Week
  10. Go 1.4 Beta Release Brings Big Runtime Changes
Latest Forum Discussions
  1. How to get rid of Linux
  2. Closed source to opensource
  3. What Would You Like To See Next?
  4. Is foolish currently develop in machine code, hexadecimal and assembly?
  5. Reducing The CPU Usage In Mesa To Improve Performance
  6. Help diagnosing problems with a Readon HD 4670 on Mesa 10.3.2-1
  7. Advertisements On Phoronix
  8. nv and xorg.conf under Debian PPC