To some degree, the design specification for hardware suppport of keys is faulty. A prior article on Michael's blog dispels a few myths about secure boot. Here's a relevant portion (emphasis added).

If Canonical followed the Fedora approach, all recognized flavors of Ubuntu would be included.

If Debian followed the Fedora approach, it would extend down the derivative chain to the point where a distro uses its own kernel and drivers. So while Ubuntu is Debian-derived, it wouldn't benefit from a signed Debian stub bootloader since Ubuntu compiles its own kernel.

Correct. The only thing Fedora is getting signed is the bootloader "stub" Michael mentioned. This also gives Fedora a key they can use to sign their own code, including the full bootloader, the kernel, and all the drivers they ship.

The Fedora approach has the benefit of not requiring hardware manufacturers to include keys for every operating system in the world. Yes, one approach would be for Ubuntu to follow Fedora's example, and do exactly the same. All the *buntu variants would benefit from this, since they all use the same kernel source and drivers.

IMHO, the best approach is, alas, the most expensive one: a single key that would work for all Linux distributions. But, alas, Michael was serious when he wrote "millions of dollars" expensive. Perhaps, someday, the Linux Foundation might take on the responsibility.

Any hardware vendor that bends over for M$ does not get my geek dollars.

If Ubuntu could get a key, would it apply to Kubuntu/Lubuntu/Xubuntu etc? Taking it back a step further, if Debian got a key, would Debian be able to issue it to trusted Debian spinoffs like Ubuntu?

Thanks for the very imformative post and link SR.

There was discussion of the key being a one time deal and it would affect "all" "Fedoras", if I understood it correctly.

So, does that mean that Ubu will do the same and it will then be available for all Ubu variants, or BSD will do so and it will be available for all BSD variants?

woodsmoke

Folks, don't let your only source of information be these articles, because these articles are bound to get stuff wrong. Please do yourself a favor and read Matthew Garrett's full blog post. He presents a good summary of all the options, and why the one Fedora chose stinks the least.

First, realize that the $99 doesn't go to Microsoft -- instead, it goes to Verisign. They're the issuing authority for UEFI certificates. Microsoft is simply the broker here, they run the signing portal. An interesting question would be why Verisign doesn't run the signing portal, but I don't have any insight there.

Note that the Network World article is wrong: it claims the money goes to Microsoft, which it does not. It also claims that Fedora will have to pay each time it releases a new version: again this is incorrect. Fedora pays Verisign a single $99 fee to obtain a signing certificate that chains up to the UEFI root. From this, they can issue as many certificates as they want.

Second, understand the market dynamics. Hardware manufacturers will immedately get their stuff signed by a Microsoft authority because that way it'll just run in a machine where UEFI secure boot is enabled. If 99.9% of all PCs run a Microsoft OS, this is a defensible move by the hardware manufacturers. Now for those other 0.1% of machines, remember that every driver for every piece of hardware needs to validate the operating system's key. If the key can't be validated, UEFI secure boot will not allow the OS to boot.

Garrett's blog lays out all the options and explains Fedora's choice well, which is a choice I happen to agree with. It provides Fedora with a certificate they can use that chains up to the same root that all the hardware in the world will trust. Yes, it has the most suckage when considered philosophically. But technically, it's the easiest and the cheapest. The alternatives retain philosophical purity but have technical and cost suckage.

Ultimately, I suppose, it's a matter of choosing which kind of suckage you're most comfortable with.

If not, you can go to the manufacturers website to find out more info.

I'm hoping Newegg will make it known on the motherboard specs if the MB is UEFI or not.

+1 That's George Bernard Shaw's joke.

I heard it like this: A guy asks a gal if she'd sleep with him for one million dollars. "Yes!", she replied. He asked her if she would for 25 cents. "Of course not!", she replied, "what do you think I am?" "I know what you are", he returned, "we are just quibbling over price.".

Well ther are ways to turn off UEFI. But it makes installation more difficult. I think the reason why Fedora is paying for the certificate is so that users wont be turned off by a more complicated install process.

Extortion was the word I was thinking of. Once you start paying MS, there will be no end to it. Better off paying lawyers to sue hardware manufacturers, or at least threaten lawsuits. Also shine the light on the crap MS keeps pulling.

There must be a better way to deal with UEFI then to pay Microsoft an extortion fee.

I read about this earlier today, and I must say I don't like where this is going.

Microsoft is truly the work of the devil.