Matthew Garrett (mjg59) wrote 2012-06-19 11:46

Ubuntu ODM UEFI requirements for secure boot

Updated 22/06/2012: Reference to Canonical's response

A couple of people have asked me about the Ubuntu ODM UEFI requirements, specifically the secure boot section. This is aimed at hardware vendors who explicitly want to support Ubuntu, so it's not necessarily the approach Canonical will be taking for installing Ubuntu on average consumer hardware. But it's still worth looking at.

In a nutshell, the requirements for secure boot are:
  • The system must have an Ubuntu key preinstalled in each of KEK and db
  • It must be possible to disable secure boot
  • It must be possible for the end user to reconfigure keys

It's basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one.

The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables secure boot or imports their own key database. That is, a certified Ubuntu system may be more locked down than a certified Windows 8 system.

(Practically speaking this probably isn't an issue for desktops, because you'll need to carry the Microsoft key in order to validate drivers on any PCI cards. But laptops are unlikely to run external option ROMs, so mobile hardware would be viable with only the Ubuntu key.)
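The practical question for any given machine is which signing certificates its db actually contains. Below is an added example (not code from the post or from Canonical): a parser for the EFI_SIGNATURE_LIST structures that make up the db variable, reporting the SHA-256 fingerprint of each enrolled X.509 certificate so it can be compared against the vendor CA certificates you expect. The sample db is constructed from placeholder bytes rather than real certificates, and reading a live machine assumes efivarfs is mounted at the usual path.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs path of db (variable name + EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e8b6c2a"


def parse_signature_lists(data):
    """Parse concatenated EFI_SIGNATURE_LISTs into (type, owner, data) tuples."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each entry: 16-byte owner GUID + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def x509_fingerprints(data):
    """SHA-256 fingerprints of every X.509 certificate enrolled in the variable."""
    return sorted(hashlib.sha256(sig).hexdigest()
                  for sig_type, _owner, sig in parse_signature_lists(data)
                  if sig_type == EFI_CERT_X509_GUID)


def build_list(sig_type, owner, blob):
    """Encode one single-entry EFI_SIGNATURE_LIST (used to build sample data)."""
    body = owner.bytes_le + blob
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body


def read_db(path=DB_PATH):
    """Read db from efivarfs; the first four bytes are the variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample db: two X.509 entries (placeholder bytes, not real
# certificates) and one SHA-256 hash entry. A real db holds DER certificates.
OWNER = uuid.UUID("00000000-0000-0000-0000-0000000000aa")  # constructed owner GUID
SAMPLE_DB = (build_list(EFI_CERT_X509_GUID, OWNER, b"CERT-A-PLACEHOLDER-BYTES")
             + build_list(EFI_CERT_X509_GUID, OWNER, b"CERT-B-PLACEHOLDER-BYTE")
             + build_list(EFI_CERT_SHA256_GUID, OWNER, b"\x11" * 32))
```

On a machine with efivarfs mounted, `x509_fingerprints(read_db())` lists the enrolled CA fingerprints; a db with a single entry that is not the Microsoft CA is the locked-down case the post describes.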

There are two obvious solutions for this:
  1. Canonical could offer a signing service. Expensive and awkward, but obviously achievable. However, this isn't a great solution. The Authenticode format used for secure boot signing only permits a single signature. Anything signed with the Ubuntu key cannot also be signed with any other key. So if, say, Fedora wanted to install on these systems without disabling secure boot first, you'd need to have two sets of install media - one signed with the Ubuntu key for Ubuntu hardware, one signed with the Microsoft key for Windows hardware.
  2. Require that ODMs include the Microsoft key as well as the Ubuntu key. This maintains compatibility with other operating systems.

This kind of problem is why we didn't argue for a Fedora-specific signing key. While it would have avoided a dependence on Microsoft, it would have created an entirely different kind of vendor lock-in.

Update: Canonical have now provided their full plans. They won't be providing a signing service, but will be requiring that all Ubuntu-certified hardware ship with the Microsoft key.

It is a no-win situation

alanbell (launchpad.net) 2012-06-19 19:26 (UTC)
This is one of several solutions competing to be the least-worst option. I truly can understand why Canonical don't want their OEM pre-installed systems to be signed with a Microsoft key, or to compel OEMs to carry the Microsoft key (I think it is still an option for the OEMs to do so and I am fairly certain they will unless Microsoft prevent them). Depending on what Canonical do for the regular aftermarket CD this might make it equally tricky to install an Ubuntu CD on these computers as it would be for any other distribution.

Every option sucks.

Re: It is a no-win situation

(Anonymous) 2012-06-20 00:36 (UTC)
I think it's going to suck a lot more before it gets better.

If Google decided to do what Canonical did.. avoiding MS as a signing service.. that will really bring home the limitation inherent in the single allowed signature on driver blobs. Microsoft and Google standing themselves as different signatories for drivers is going to mean double the work for all mobile device manufacturers. No offense to Canonical but they aren't one of the 500 lb gorillas and unfriendly vendors will just ignore Canonical's requirements. Nobody in the ARMs-race can ignore Google. And as gross as this issue is on Intel "PC" hardware the real fight is going to be ARM as MS tries to muscle in and lock in there.

-jef