Former Red Hat developer Matthew Garrett has delivered a shim that will allow smaller Linux distributions to boot on a system using Secure Boot without having to deal with Microsoft.
Secure Boot is a Unified Extensible Firmware Interface (UEFI) specification that prevents the loading of drivers or OS loaders that are not signed with an authorised signature, and whose public key is stored in the device's firmware.
Garrett previously wrote that three options exist to allow non-Microsoft operating systems to boot. The first option is to disable Secure Boot entirely, which negates the benefits of Secure Boot's trusted boot process. The second option is to remove an existing Platform Key, presumably Microsoft's key, to allow the user the ability to add a new key. The last option that Garrett highlighted would be to ship a bootloader signed with Microsoft's public key, which contains its own key store, MokManager, which allows a signed second-stage bootloader to boot.
Garrett's new shim takes advantage of the third option, all the gory details of which are detailed here.
From a user's perspective, they would see a 10-second countdown with a menu that contains an option to enroll a key from disk. The user could then browse the filesystem to select the appropriate key and add it into the device's firmware.
Any operating system that is able to be booted from a GRUB environment can take advantage of this shim.
The one caveat with this system, though, is that MokManager is signed with a key that users and distributions will have to trust Garrett deleted immediately after the build was completed.
"You'll need to accept my assurance that the private key was deleted immediately after the build was completed. Other than that, it will only trust any keys that are either present in the system db or installed by the end user," wrote Garrett.
The shim can be downloaded from here
About Chris Duckett
Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan.During his first five years with CBS Interactive, Chris started his journalistic advent...
Full Bio
Some would say that it is a long way from software engineering to journalism, others would correctly argue that it is a mere 10 metres according to the floor plan.During his first five years with CBS Interactive, Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining the company as a programmer.Leaving CBS Interactive in 2010 to follow his deep desire to study the snowdrifts and culinary delights of Canada, Chris based himself in Vancouver and paid for his new snowboarding and poutine cravings as a programmer for a lifestyle gaming startup.Chris returns to CBS in 2011 as the Editor of TechRepublic Australia determined to meld together his programming and journalistic tendencies once and for all.In his free time, Chris is often seen yelling at different operating systems for their own unique failures, avoiding the dreaded tech support calls from relatives, and conducting extensive studies of internets -- he claims he once read an entire one.
