James Bottomley has shared the LF UEFI SecureBoot plan on the behalf of the Linux Foundation and its Technical Advisory Board. The plans were shared via his blog and effectively comes down to: "The Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system). The pre-bootloader will employ a “present user” test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
As soon as the Linux Foundation is able to obtain a SecureBoot key from Microsoft, they will release this new pre-bootloader on their web-site.
Bottomley adds, "The current pre-bootloader is designed as an enabler only in that, by breaking the security verification chain at the actual bootloader, it provides no security enhancements over booting linux with UEFI secure boot turned off. Its sole purpose is to allow Linux to continue to boot on platforms that come by default with secure boot enabled."
"It is designed to be as small as possible, leaving all the work to the real bootloader. The real bootloader must be installed on the same partition as the pre-bootloader with the known path loader.efi (although the binary may be any bootloader including Grub2). The pre-bootloader will attempt to execute this binary and, if that succeeds, the system will boot normally." The source to this UEFI SecureBoot pre-bootloader is currently available, but not exactly useful until the Linux Foundation receives its proper key.
Meanwhile, Ubuntu already has their own SecureBoot plans and other distributions have also been brewing their own plans.