Matthew Garrett ([personal profile] mjg59) wrote 2012-12-27 19:02

Secure Boot distribution support

It's after Christmas, and some number of people doubtless ended up with Windows 8 PCs and may want to install Linux on them. If you'd like to do that without fiddling with firmware settings, here are your options.
  • Ubuntu 12.10
    The 64-bit version of Ubuntu 12.10 ships with an older version of Shim that's been signed by Microsoft. It should boot out of the box on most systems, but it doesn't have some of the most recent EFI patches that improve compatibility on some machines. Grab it here.
  • Fedora 18
    Fedora 18 isn't quite released yet, but the latest 64-bit test builds include a Microsoft signed copy of the current version of Shim, including the MOK functionality described here. Fedora 18 has some additional EFI support patches that have just been merged into mainline, which should improve compatibility on some machines - especially ones with Radeon graphics. It also has improved support for booting on Macs. You can get it here, but do bear in mind that it's a test release.
  • Sabayon
    According to the wiki, Sabayon now supports UEFI Secure Boot out of the box. I don't know if the current CD images do, though. My understanding is that it's based on the Microsoft signed Shim I discussed here, and you'll have to manually install the key once you've booted the install media. Straightforward enough.
  • Other distributions
    Suse will be using a version of Shim signed by Microsoft, but I don't think it's in any pre-release versions yet. Debian have just merged UEFI support into their installer, but don't have any UEFI Secure Boot support at the moment. I'm not sure what other distributions are planning on doing, but let me know and I'll update the list.
  • The Linux Foundation loader
    The Linux Foundation has yet to obtain a signed copy of its bootloader. There's no especially compelling reason to use it - the use case it supports is where you have users who can follow instructions well enough to press "y" but not to enrol a key. Its most interesting feature is the ability to consult the MOK database via the usual UEFI LoadImage and StartImage calls, which means bootloaders like gummiboot work. Unfortunately it implements this by hooking into low-level functionality that isn't actually required to be present, so relying on it may be somewhat dubious.
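Every option above depends on the boot binaries carrying an Authenticode signature that the firmware (or shim, via db/MOK) can check. The following is an added example, not code from the post, shim, or any distribution listed: a dependency-free Python parser that walks a PE/COFF image's Certificate Table and reports whether a PKCS#7 signature entry is present. It checks presence only, not validity; `build_sample_pe` is a constructed, hypothetical header used purely to exercise the parser.

```python
import struct
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200

def authenticode_certs(image):
    """List of (revision, type, blob) WIN_CERTIFICATE entries; [] if the image is unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]                # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                         # skip COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)                # PE32+ vs PE32 data dirs
    if struct.unpack_from("<I", image, dd_off - 4)[0] < 5:            # NumberOfRvaAndSizes
        return []
    # Directory 4 = Certificate Table; unlike other directories its address is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", image, dd_off + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return []
    end = cert_off + cert_size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    certs, pos = [], cert_off
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, pos)   # WIN_CERTIFICATE header
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        certs.append((rev, ctype, image[pos + 8:pos + length]))
        pos += (length + 7) & ~7                                      # entries are 8-byte aligned
    return certs

def is_signed(image):
    """True if at least one Authenticode (PKCS#7) entry is present; presence, not validity."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in authenticode_certs(image))

def build_sample_pe(signature=None):
    """Constructed minimal PE32+ header (hypothetical, not bootable) for exercising the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)     # x86-64, 240-byte opt hdr
    dirs = [(0, 0)] * 16
    cert = b""
    if signature is not None:
        cert = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        dirs[4] = (64 + 4 + 20 + 240, len(cert))                      # table follows the headers
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)   # PE32+, 16 dirs
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + cert
```

Against a real image, call is_signed on the file's bytes (for example a distribution's shim or grub .efi); a True result only means a signature blob is attached, and whether it chains to a certificate in db or in the MOK list is decided by the firmware and shim at boot.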

About Sabayon

(Anonymous) 2012-12-28 15:25 (UTC)
Hey Matthew, you are correct. We are still ironing out the procedure but it's basically it for now (our daily ISO images now also support booting off USB on UEFI systems): we ship the images with our key + shim-signed. We handle the after-install boot by generating a key at install time and letting (a modified version of) grub handle the signing every time grub-install is spawned. Yes, the user has to enroll the after-install key as well, but that's quite trivial.

Re: About Sabayon

(Anonymous) 2012-12-30 01:16 (UTC)
Having just tried to boot a Sabayon 64-bit image on a secure boot-enabled system, I must say that if this process is trivial, then I'd like to know what is complicated.

Sam Varghese

Thanks for this list

(Anonymous) 2012-12-29 19:03 (UTC)
1. Don't buy a new machine that does not allow you to disable secure boot.
2. Microsoft's real aim is to kill the aftermarket in used computers that have Win 8 installed by not allowing you to install something other than Windows. That's why this work is so important.

Re: Thanks for this list

(Anonymous) 2012-12-29 20:08 (UTC)
If they had refused to sign the bootloaders, they'd surely be looking at more antitrust lawsuits both in the US and other countries.

Re: Thanks for this list

(Anonymous) 2012-12-30 11:57 (UTC)
The problem I see is Linux is dependent on Microsoft policy.

Let's say all the mobile devices get popular and the PC is in sharp decline.

Now Microsoft thinks they can claim their monopoly isn't a monopoly anymore and all older Windows operating systems have become obsolete.

Now they have a chance to change their policy which is: All Windows X devices including x86/amd64 should have Secure boot enabled and no disable button.

Will their policy on accepting signing of Linux boot binaries change? How long are the old signatures valid anyway?

Lots of servers already have TPM devices, ARM servers are coming. Microsoft might as well have the same policy for all servers and demand TPM for their next Windows Server operating systems (probably least likely).

There are just too many what-ifs and it depends on the actions of a competitor. I don't like it.

Re: Thanks for this list

(Anonymous) 2012-12-29 21:20 (UTC)
By creating obstacles for installation, they are deterring more people from installing their own systems. That is 101 of usability: "You lose users the more hoops you make them jump through".

Re: Thanks for this list

(Anonymous) 2012-12-30 20:32 (UTC)
"Obstacles to installation" is much broader than "won't be installable".

Any manual action required beyond "insert install disc and boot from it" is an obstacle to installation.

Re: Thanks for this list

(Anonymous) 2012-12-31 03:27 (UTC)
They are already refusing to sign - for the ARM platform. It's entirely likely they will attempt to restrict x86 hardware in the same way in the near future.

Sabayon Linux

(Anonymous) 2012-12-30 00:43 (UTC)
Have you actually tested out Sabayon Linux to see if it will boot on an UEFI system with secure boot enabled? Or are you just repeating what the developers say?

Sam Varghese

Re: Sabayon Linux

(Anonymous) 2012-12-30 08:29 (UTC)
You must use the daily/snapshot iso images, not Sabayon 10 ones.

Re: Sabayon Linux

(Anonymous) 2012-12-30 22:45 (UTC)
I've used an image from here:


Re: Sabayon Linux

(Anonymous) 2012-12-30 18:47 (UTC)
I know you have trouble with this thing we refer to as 'language', Sam, so let me help you out there.

"According to the wiki, Sabayon now supports UEFI Secure Boot out of the box."

You see those four words at the start? The ones that read "According to the wiki"? Now, if you look at the rest of the sentence, it would have made perfect sense without them! So why did Matthew put them in there? Why, to explicitly alert you to the fact that he is repeating information he gleaned elsewhere, not stating first-hand knowledge. He just specifically told you that he is repeating what the Sabayon wiki says, not telling you something he knows himself.

If that's not enough for you, the entire next sentence also represents a clear hint:

"I don't know if the current CD images do, though."

If Matt had actually *tried* them, it seems quite likely that he would know.

And then finally you have the very next sentence:

"My understanding is that it's based on the Microsoft signed Shim I discussed here, and you'll have to manually install the key once you've booted the install media."

Once again, if Matt had actually tried this, he wouldn't have to tell you his 'understanding', he would know.

Re: Sabayon Linux

(Anonymous) 2012-12-30 22:46 (UTC)
Put your name to what you write. What are you, Matthew Garrett's cup boy?

I have asked the question to confirm that this kind of wrong information comes from a secondary source.


Re: Sabayon Linux

(Anonymous) 2013-01-02 19:17 (UTC)
Sam, you're the same person who wrote an article claiming that OpenSUSE 12.2 was delayed because of needing to get it to work with UEFI/secure boot. When I pointed out to you that this wasn't what the developers said, you claimed that you had special sources who told you this. Well, I checked and still can't find any OpenSUSE developer who will back up your claim even in private. As such, you're the last person to lecture anyone on wrong information from secondary sources (although I suspect you simply made yours up when you got caught with errors in your article).

-Joseph G. Mitzen

Re: Sabayon Linux

(Anonymous) 2012-12-30 23:58 (UTC)
And this is part of the information, using which, you tell people: "It's after Christmas, and some number of people doubtless ended up with Windows 8 PCs and may want to install Linux on them. If you'd like to do that without fiddling with firmware settings, here are your options."

How do they install if the images do not work?


Re: Sabayon Linux

(Anonymous) 2012-12-31 00:46 (UTC)
Let me get this straight. You are offering advice to people to help them install Linux by getting past the secure boot hurdle.

You tell them about images which you do not know about - and you don't see that it contradicts your very own stated purpose?

In that case, I give up, there is no point in arguing further.


Re: Sabayon Linux

(Anonymous) 2012-12-31 07:53 (UTC)
Woohoo! This thread can do without your ranting :)

Other options - Chromebooks/Chromeboxes/Raspberry Pi/Server Hardware

(Anonymous) 2012-12-31 00:10 (UTC)
Another option is instead of paying the Microsoft tax on a Windows preloaded PC or laptop, to buy a Chromebook or Chromebox and install Linux on that using the built-in developer mode. The hardware is Linux certified and no Microsoft tax.

The Raspberry Pi is another option for low level hacking and embedded type devices, and there is cheap ix86 server hardware with superb Linux support, and many of these are cheaper than desktop PC hardware.

Re: Other options - Chromebooks/Chromeboxes/Raspberry Pi/Server Hardware

(Anonymous) 2012-12-31 03:29 (UTC)
Exactly. Stop buying Windows hardware!

Big distros aren't the only one.

(Anonymous) 2012-12-31 10:56 (UTC)
Fatdog64 Linux, a complete but small distro of less than 250MB, has just released a test-build capable of booting on UEFI and Secure Boot machines as noted in their post here:

It uses your shim, refind, and grub2. Thanks for your effort, Matthew. Otherwise small distros like us can't possibly get up and running with Secure Boot in such a short time.

Disclaimer: I'm the co-maintainer of Fatdog64.


Ubuntu 12.04 LTS

(Anonymous) 2012-12-31 13:52 (UTC)
Hi Matt, do you know what the situation is with Ubuntu 12.04 LTS?


Bill, Hell called, they are waiting for you!

(Anonymous) 2013-01-01 01:23 (UTC)
What Microsoft has managed to pull off here is nothing short of criminal! They should be hauled before the courts, tried for violation of anti-trust, and then broken up into a handful of smaller companies --as they should have been a decade ago. But all that came out of that old anti-trust case is that Microsoft learned which palms it had to grease. It's all so fracking disgusting I can barely stand it.

Re: Bill, Hell called, they are waiting for you!

(Anonymous) 2013-01-02 19:24 (UTC)
There is nothing criminal here. Every PC can disable secure boot in the BIOS. There's no antitrust going on, and I think users intelligent enough to go looking for alternate operating systems are capable of turning an "on" to "off" in the BIOS, particularly the fancy new GUI-enabled UEFI ones. If they can't do that, they're never going to cut it with Linux.

The real issue is with ARM devices mandating that Windows RT be permanently locked to the device. This means that nice ARM laptops will be coming out that will lock Linux out. We need to stop crying Wolf over the desktop - we WON on the desktop. MS was originally taking a "it will be up to the OEMs if they want to allow disabling secure boot *wink* *wink*" position, and we got them to change it. Battle over. Now we need to turn our attention to ARM and quit wasting energy over a battle we've already won.

Re: Bill, Hell called, they are waiting for you!

(Anonymous) 2013-11-29 13:25 (UTC)
You're not necessarily able to get into firmware without having to agree to MS EULA or rip out HDD/SSD, read up on FastBoot and pray your vendor didn't rush away from PS/2 keyboard.

Michael Shigorin

Corrections are in order

(Anonymous) 2013-01-01 22:13 (UTC)
Your entire post has been used verbatim in an article on ZDNET.

Are you going to be honest enough to write and tell the author that there are lacunae in what you have posted? Or will you continue to let misinformation be fed to the public?


Re: Corrections are in order

(Anonymous) 2013-01-02 20:33 (UTC)
Sam, the day you retract your own article's claim that OpenSUSE 12.1 was delayed due to secure boot issues you can start lecturing others about corrections.

By the way, this is somewhat pathetic for a Linux journalist to be freaking out like this and attacking a simple blog post incessantly. You're embarrassing yourself.

About Sabayon

(Anonymous) 2013-01-02 15:51 (UTC)
Here's the official confirmation by Fabio Erculani

The voice of Microsoft

(Anonymous) 2013-01-03 08:34 (UTC)
Sam, aren't you the voice of Microsoft?
Matthew, thanks for the article, it was interesting, whereas the comments are just trolling rants, which is why I stopped commenting on stuff like this, but Sam just wound me up enough with his trolling that I had to respond. Right, I'm off out into the real world now, no doubt the trolls and fanboys will still be here if I ever return.

ALT Linux half-regular build too

(Anonymous) 2013-01-10 00:02 (UTC)
I've just glued the pieces together to build an ALT Linux based E17 ISO ( 20130110/regular-e17-20130110-x86_64.iso) that should boot off CD/Flash on BIOS/UEFI (including RestrictedBoot) x86_64 hardware (if the link's dead even after removing an extra space then either newer snapshot directories should hold similar images or official ALT 7.0+ releases are already out there).

It's shim-signed + elilo signed by pre-generated key, I'm considering the ways to get the proper keys through the build infrastructure (probably a separate bit and a lightweight HSM looms either).

Boots in non-SB virtualbox-4.2 and on ASUS UX31A with SB turned back on.

Michael Shigorin

uefi boot

(Anonymous) 2013-02-11 04:52 (UTC)
i want to dban and install ubuntu but every time i do on my windows 8 uefi it says selected boot device failed press any key to continue please anyone help me out i really hate windows!

uefi boot

(Anonymous) 2013-02-11 04:54 (UTC)
same guy from above. i used a usb to try to dban and install linux. used universal usb installer to convert files.