Linux Foundation Struggles With Microsoft UEFI Signing
Posted by Michael Larabel on November 20, 2012
James Bottomley has written about the problems being faced by the Linux Foundation in having a Microsoft-approved validly-signed UEFI pre-bootloader.
There's many hurdles to jump from Microsoft and Verisign/Symantec for obtaining a valid signing key. There's third-party open-source tools for handling much of the signing process, but in the end Windows is still needed due to a Silverlight-based file uploader for the UEFI binary. The Mono-based Moonlight doesn't work with the Silverlight uploader. After uploading the cabinet file for signing, there's a seven-stage process.
Unfortunately, it's with this seven-stage process on Microsoft's end is where the Linux Foundation binary is stuck. "I’m still not sure what the actual problem is, but if you look at the Subject of the signing key, there’s nothing in the signing key to indicate the Linux Foundation, therefore I suspect the problem is that the binary is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation."
Bottomley ends with, "We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use." The full status can be read on his blog.
For those not familiar with the Linux Foundation's UEFI/SecureBoot plans, they're outlined here.
There's many hurdles to jump from Microsoft and Verisign/Symantec for obtaining a valid signing key. There's third-party open-source tools for handling much of the signing process, but in the end Windows is still needed due to a Silverlight-based file uploader for the UEFI binary. The Mono-based Moonlight doesn't work with the Silverlight uploader. After uploading the cabinet file for signing, there's a seven-stage process.
Unfortunately, it's with this seven-stage process on Microsoft's end is where the Linux Foundation binary is stuck. "I’m still not sure what the actual problem is, but if you look at the Subject of the signing key, there’s nothing in the signing key to indicate the Linux Foundation, therefore I suspect the problem is that the binary is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation."
Bottomley ends with, "We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use." The full status can be read on his blog.
For those not familiar with the Linux Foundation's UEFI/SecureBoot plans, they're outlined here.
Discuss this article in our forums, IRC channel, or email the author. You can also follow our content via RSS and on social networks like Facebook, Identi.ca, and Twitter (@Phoronix and @MichaelLarabel). Subscribe to Phoronix Premium to view our content without advertisements, view entire articles on a single page, and experience other benefits.
Copyright © 2004 - 2013 by Phoronix Media.
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).