Secure Boot distribution support

Dec. 27th, 2012 07:02 pm
[personal profile] mjg59
It's after Christmas, and some number of people doubtless ended up with Windows 8 PCs and may want to install Linux on them. If you'd like to do that without fiddling with firmware settings, here are your options.
  • Ubuntu 12.10
    The 64-bit version of Ubuntu 12.10 ships with an older version of Shim that's been signed by Microsoft. It should boot out of the box on most systems, but it doesn't have some of the most recent EFI patches that improve compatibility on some machines. Grab it here.
  • Fedora 18
    Fedora 18 isn't quite released yet, but the latest 64-bit test builds include a Microsoft signed copy of the current version of Shim, including the MOK functionality described here. Fedora 18 has some additional EFI support patches that have just been merged into mainline, which should improve compatibility on some machines - especially ones with Radeon graphics. It also has improved support for booting on Macs. You can get it here, but do bear in mind that it's a test release.
  • Sabayon
    According to the wiki, Sabayon now supports UEFI Secure Boot out of the box. I don't know if the current CD images do, though. My understanding is that it's based on the Microsoft signed Shim I discussed here, and you'll have to manually install the key once you've booted the install media. Straightforward enough.
  • Other distributions
    Suse will be using a version of Shim signed by Microsoft, but I don't think it's in any pre-release versions yet. Debian have just merged UEFI support into their installer, but don't have any UEFI Secure Boot support at the moment. I'm not sure what other distributions are planning on doing, but let me know and I'll update the list.
  • The Linux Foundation loader
    The Linux Foundation have still to obtain a signed copy of their bootloader. There's no especially compelling reason to use it - the use case it supports is where you have users who can follow instructions sufficiently to press "y" but not to choose to enrol a key. The most interesting feature it has is the ability to use the MOK database via the usual UEFI LoadImage and StartImage calls, which means bootloaders like gummiboot work. Unfortunately it implements this by hooking into low-level functionality that's not actually required to be present, so relying on this may be somewhat dubious.
Tags:
  • Add Memory
  • Share This Entry
Threaded | Flat

About Sabayon

Date: 2012-12-28 03:25 pm (UTC)
From: (Anonymous)
Hey Matthew, you are correct. We are still ironing out the procedure but it's basically it for now (our daily ISO images now also support booting off USB on UEFI systems): we ship the images with our key + shim-signed. We handle the after-install boot by generating a key at install time and letting (a modified version of) grub handle the signing every time grub-install is spawned. Yes, the user has to enroll the after-install key as well, but that's quite trivial.

Thanks for this list

Date: 2012-12-29 07:03 pm (UTC)
From: (Anonymous)
1. Don't buy a new machine that does not allow you to disable secure boot.
2. Microsoft's real aim is to kill the aftermarket in used computers that have Win 8 installed by not allowing you to install something other than Windows. That's why this work is so important.

Sabayon Linux

Date: 2012-12-30 12:43 am (UTC)
From: (Anonymous)
Have you actually tested out Sabayon Linux to see if it will boot on an UEFI system with secure boot enabled? Or are you just repeating what the developers say?

Sam Varghese

Other options - Chromebooks/Chromeboxes/Raspberry Pi/Server Hardware

Date: 2012-12-31 12:10 am (UTC)
From: (Anonymous)
Another option is instead of paying the Microsoft tax on a Windows preloaded PC or laptop, to buy a Chromebook or Chromebox and install Linux on that using the built-in developer mode. The hardware is Linux certified and no Microsoft tax.

The Raspberry Pi is another option for low level hacking and embedded type devices, and there is cheap ix86 server hardware with superb Linux support, and many of these are cheaper than desktop PC hardware.

Big distros aren't the only one.

Date: 2012-12-31 10:56 am (UTC)
From: (Anonymous)
Fatdog64 Linux (http://distro.ibiblio.org/fatdog/web/), a complete but small distro of less 250MB, has just released a test-build capable of booting on UEFI and Secure Boot machines as noted in their post here: http://murga-linux.com/puppy/viewtopic.php?t=83402.

It uses your shim, refind, and grub2. Thanks for your effort, Matthew. Otherwise small distros like us can't possibly get up and running with Secure Boot in such a short time.

Disclaimer: I'm the co-maintainer of Fatdog64.

James

Ubuntu 12.04 LTS

Date: 2012-12-31 01:52 pm (UTC)
From: (Anonymous)
Hi Matt, do you know what the situation is with Ubuntu 12.04 LTS?

Thanks

Bill, Hell called, they are waiting for you!

Date: 2013-01-01 01:23 am (UTC)
From: (Anonymous)
What Microsoft has managed to pull-off here is nothing short of criminal! They should be hulled before the courts, tried for violation of anti-trust, and then broken up into a handful of smaller companies --as they should have been a decade ago. But all that came out of that old anti-trust case is that Microsoft learned which palms it had to greese. It's all so fracking disgusting I can barely stand it.

Corrections are in order

Date: 2013-01-01 10:13 pm (UTC)
From: (Anonymous)
Your entire post has been used verbatim in an article on ZDNET. http://www.zdnet.com/2013-installing-linux-on-windows-8-pc-is-still-a-pain-7000009237/

Are you going to be honest enough to write and tell the author that there are lacunae in what you have posted? Or will you continue to let misinformation be fed to the public?

Sam

About Sabayon

Date: 2013-01-02 03:51 pm (UTC)
From: (Anonymous)
Here's the official confirm by Fabio Erculani

http://lxnay.wordpress.com/2013/01/02/uefi-and-uefi-secureboot-linux-is-the-nightmare-over/

The voice of Microsoft

Date: 2013-01-03 08:34 am (UTC)
From: (Anonymous)
SAM aren't you the voice of Microsoft ?
Matthew thanks for the article it was interesting where as the comments are just trolling rants, which is why I stopped commenting on stuff like this but Sam just wound me up enough with his trolling that I had to respond. Right i'm off out in to the real world now, no doubt the trolls and fanboys will still be here if I ever return.

ALT Linux half-regular build too

Date: 2013-01-10 12:02 am (UTC)
From: (Anonymous)
I've just glued the pieces together to build an ALT Linux based E17 ISO (http://ftp.linux.kiev.ua/pub/Linux/ALT/people/mike/iso/mkimage-profiles/half-/ 20130110/regular-e17-20130110-x86_64.iso) that should boot off CD/Flash on BIOS/UEFI (including RestrictedBoot) x86_64 hardware (if the link's dead even after removing an extra space then either newer snapshot directories should hold similar images or official ALT 7.0+ releases are already out there).

It's shim-signed + elilo signed by pre-generated key, I'm considering the ways to get the proper keys through the build infrastructure (probably a separate bit and a lightweight HSM looms either).

Boots in non-SB virtualbox-4.2 and on ASUS UX31A with SB turned back on.

--
Michael Shigorin

uefi boot

Date: 2013-02-11 04:52 am (UTC)
From: (Anonymous)
i want to dban and install ubuntu but everytime i do on my windows 8 uefi it say selected boot device failed press any key to continue please anyone help me out i really hate windows!

uefi boot

Date: 2013-02-11 04:54 am (UTC)
From: (Anonymous)
same guy from above. i used a usb to try to dban and install linux.used universal usb installer to convert files.
  • Add Memory
  • Share This Entry
Threaded | Flat

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Nebula. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Active Entries

Expand Cut Tags

No cut tags