Updated 22/06/2012: Reference to Canonical's response
A couple of people have asked me about the Ubuntu ODM UEFI requirements, specifically the secure boot section. This is aimed at hardware vendors who explicitly want to support Ubuntu, so it's not necessarily the approach Canonical will be taking for installing Ubuntu on average consumer hardware. But it's still worth looking at.
In a nutshell, the requirements for secure boot are:
- The system must have an Ubuntu key preinstalled in each of KEK and db
- It must be possible to disable secure boot
- It must be possible for the end user to reconfigure keys
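The first requirement is a statement about the contents of two UEFI authenticated variables, KEK and db, both of which hold concatenated EFI_SIGNATURE_LIST structures. The parser below is an added example (not Canonical's code, nor anything from the ODM document) that walks that format and reports which X.509 certificates a db or KEK blob carries, so a practitioner can check a machine for the Ubuntu key, the Microsoft key, or both. The certificate bytes, owner GUID and fingerprints in the sample data are constructed placeholders, not the real Ubuntu or Microsoft certificates; the signature-type GUIDs and the structure layout are the ones from the UEFI specification.

```python
import hashlib
import struct
import uuid

# Signature list types from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUID of the db/KEK/dbx variables (efivarfs file names end with it).
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

HEADER_LEN = 28  # SignatureType GUID (16) + SignatureListSize/SignatureHeaderSize/SignatureSize (3 x UINT32)
OWNER_LEN = 16   # every EFI_SIGNATURE_DATA entry starts with a SignatureOwner GUID


def strip_efivarfs_attrs(raw):
    """Files under /sys/firmware/efi/efivars/ start with a 4-byte attributes word
    that is not part of the variable data; drop it before parsing."""
    return raw[4:]


def parse_signature_lists(data):
    """Return [(signature_type, owner, signature_data)] for every entry in a blob of
    concatenated EFI_SIGNATURE_LIST structures, rejecting malformed input instead of
    reading past the end of a list."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size <= OWNER_LEN:
            raise ValueError("SignatureSize leaves no room for signature data")
        body_off = off + HEADER_LEN + hdr_size
        body_len = list_size - HEADER_LEN - hdr_size
        if body_len % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(body_len // sig_size):
            start = body_off + i * sig_size
            entry = bytes(data[start:start + sig_size])
            owner = uuid.UUID(bytes_le=entry[:OWNER_LEN])
            entries.append((sig_type, owner, entry[OWNER_LEN:]))
        off += list_size
    return entries


def is_well_formed(data):
    """True if the blob parses as a chain of complete signature lists."""
    try:
        parse_signature_lists(data)
        return True
    except ValueError:
        return False


def build_signature_list(sig_type, owner, blobs):
    """Serialise one EFI_SIGNATURE_LIST with no SignatureHeader. All entries in a list
    share SignatureSize, so certificates of different lengths go in separate lists,
    which is how real db contents are laid out."""
    if len({len(b) for b in blobs}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + b for b in blobs)
    header = sig_type.bytes_le + struct.pack(
        "<III", HEADER_LEN + len(body), 0, OWNER_LEN + len(blobs[0]))
    return header + body


def fingerprint(cert_der):
    """SHA-256 of the DER certificate, the usual form for pinning a trusted CA."""
    return hashlib.sha256(cert_der).hexdigest()


def certificate_fingerprints(data):
    """Map fingerprint -> owner GUID for every X.509 entry; hash-only entries are skipped."""
    return {fingerprint(sig): owner
            for sig_type, owner, sig in parse_signature_lists(data)
            if sig_type == EFI_CERT_X509_GUID}


def missing_keys(data, required):
    """Given a db/KEK blob and {name: expected_fingerprint}, return the names whose
    certificate is absent. A db carrying only the Ubuntu key reports Microsoft missing."""
    present = certificate_fingerprints(data)
    return {name for name, fp in required.items() if fp not in present}


# Constructed sample data: placeholder bytes standing in for DER certificates, and a
# made-up owner GUID. None of these are the real Ubuntu or Microsoft keys.
UBUNTU_CERT = b"CONSTRUCTED-UBUNTU-SIGNING-CA"
MICROSOFT_CERT = b"CONSTRUCTED-MICROSOFT-UEFI-CA-CERT"
OEM_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000feed")
REQUIRED = {"Ubuntu": fingerprint(UBUNTU_CERT), "Microsoft": fingerprint(MICROSOFT_CERT)}

DB_UBUNTU_ONLY = build_signature_list(EFI_CERT_X509_GUID, OEM_OWNER, [UBUNTU_CERT])
DB_BOTH = DB_UBUNTU_ONLY + build_signature_list(EFI_CERT_X509_GUID, OEM_OWNER, [MICROSOFT_CERT])
# A SHA-256 entry (a whitelisted binary hash) must not be mistaken for a certificate.
DB_WITH_HASH = DB_BOTH + build_signature_list(
    EFI_CERT_SHA256_GUID, OEM_OWNER, [hashlib.sha256(b"constructed-binary").digest()])

if __name__ == "__main__":
    print("Ubuntu-only db is missing:", missing_keys(DB_UBUNTU_ONLY, REQUIRED))
    print("Two-key db is missing:", missing_keys(DB_BOTH, REQUIRED))
```

On a live Linux system the same check runs over `strip_efivarfs_attrs(open("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read())`, with `REQUIRED` populated from the fingerprints of the real vendor certificates you trust; KEK is read the same way from the `KEK-` file. The length checks matter because these variables are parsed by firmware long before any OS is running, and a list whose sizes do not add up is exactly the kind of input a parser should refuse rather than walk past.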
It's basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one.
The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but it will not boot anything whose bootloader isn't signed with that key, so no OS other than Ubuntu, unless the user disables secure boot or imports their own key database. That is, a certified Ubuntu system may be more locked down than a certified Windows 8 system.
(Practically speaking this probably isn't an issue for desktops: the option ROMs on add-in PCI cards are signed with the Microsoft key, so a desktop that has to run them needs that key in db anyway. But laptops are unlikely to run external option ROMs, so mobile hardware would be viable with only the Ubuntu key.)
There are two obvious solutions for this:
- Canonical could offer a signing service. Expensive and awkward, but obviously achievable. However, this isn't a great solution. The Authenticode format used for secure boot signing only permits a single signature. Anything signed with the Ubuntu key cannot also be signed with any other key. So if, say, Fedora wanted to install on these systems without disabling secure boot first, you'd need to have two sets of install media - one signed with the Ubuntu key for Ubuntu hardware, one signed with the Microsoft key for Windows hardware.
- Require that ODMs include the Microsoft key as well as the Ubuntu key. This maintains compatibility with other operating systems.
This kind of problem is why we didn't argue for a Fedora-specific signing key. While it would have avoided a dependence on Microsoft, it would have created an entirely different kind of vendor lock-in.
Update: Canonical have now provided their full plans. They won't be providing a signing service, but will be requiring that all Ubuntu-certified hardware ship with the Microsoft key.
Re: Isn't there a key difference from Microsoft's requirements?
Date: 2012-06-23 03:33 am (UTC)
It's good to hear we'll have the ability to run our own code in setup mode and to make real system changes that way -- not having to rely on upstream hardware vendors any more than necessary is a very good thing.
I know this isn't directly a MS Win 8 or UEFI matter, but I'm still feeling sad that many hardware vendors will disallow user-provided firmware updates (e.g. coreboot) in setup mode -- at least the reality of control over secure boot makes this a wish-had item over a must-have.
I appreciate why it is a good feature for a system owner who worries about other physically present people tampering with the system -- operating a chip programmer can be a more daunting matter; if I understand correctly, this is especially hard when a surface-mounted flash chip is involved without special programming pins available on the main board.