Announcement

Collapse
No announcement yet.

Ubuntu to Use Signed GRUB2 Bootloader for Secure Boot

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Ubuntu to Use Signed GRUB2 Bootloader for Secure Boot

    Coming to version 12.10

    http://www.omgubuntu.co.uk/2012/09/u...or-secure-boot

    #2
    Interesting.... I figured that they would have to go down this road eventually. Sure will make it easier to install on newer hardware.

    Comment


      #3
      Well secureBoot doesn't affectme yet! I have two computers (both Dell) and both still use BIOS and am planning on keeping both machines for at least the next 5 years.

      Comment


        #4
        Same here. I built this one last December and hopefully it will last at least five years. Might be buying a new laptop in the next year or two though....

        Comment


          #5
          Remember, using secure boot is not a requirement. If you disable it, none of this signing stuff need trouble you.

          Comment


            #6
            That's if you can disable it. If you happen to buy hardware that is locked by the manufacturer at the request of MS you will have trouble disabling it.

            Comment


              #7
              Originally posted by nickstonefan View Post
              That's if you can disable it. If you happen to buy hardware that is locked by the manufacturer at the request of MS you will have trouble disabling it.
              That's not a worry for x86 hardware. Matter of fact, Microsoft requires that manufacturers provide a mechanism to disable secure boot. The details are documented in "Windows Hardware Certification Requirements - Client and Server Systems." The section System.Fundamentals.Firmware.UEFISecureBoot contains the following:

              16. Mandatory. Secure Boot Variable. The firmware shall implement the SecureBoot variable as documented in Section 3.2 "Globally Defined Variables' of UEFI Specification Version 2.3.1 Errata B"

              17. Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

              1. It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode.

              2. If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with SecureBoot turned off.

              3. The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.

              18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems.

              Comment


                #8
                Thanks for the info.

                Comment


                  #9
                  Originally posted by nickstonefan View Post
                  Thanks for the info.
                  +1
                  Linux User #454271

                  Comment


                    #10
                    Originally posted by SteveRiley View Post
                    That's not a worry for x86 hardware. Matter of fact, Microsoft requires that manufacturers provide a mechanism to disable secure boot. The details are documented in "Windows Hardware Certification Requirements - Client and Server Systems." The section System.Fundamentals.Firmware.UEFISecureBoot contains the following:
                    [paranoia]I don't trust MS for a second, they may revert this stance any time they like, and if the wind blows in their favour they will.[/paranoia]

                    I read this article a few days ago and there's a comment that link to the Fedora and Suse stand on this, which were both very enlightening to me. There seem to be more options at hand looking at Suse's implementation of Secure boot. Simplicity and great engineering, as far as I can tell/understand. Reading that I'm now positive to secure boot ... not just in the hands of MS

                    https://www.suse.com/blogs/uefi-secure-boot-details/

                    http://mjg59.dreamwidth.org/15818.html

                    b.r

                    Jonas
                    ASUS M4A87TD | AMD Ph II x6 | 12 GB ram | MSI GeForce GTX 560 Ti (448 Cuda cores)
                    Kubuntu 12.04 KDE 4.9.x (x86_64) - Debian "Squeeze" KDE 4.(5x) (x86_64)
                    Acer TimelineX 4820 TG | intel i3 | 4 GB ram| ATI Radeon HD 5600
                    Kubuntu 12.10 KDE 4.10 (x86_64) - OpenSUSE 12.3 KDE 4.10 (x86_64)
                    - Officially free from windoze since 11 dec 2009
                    >>>>>>>>>>>> Support KFN <<<<<<<<<<<<<

                    Comment


                      #11
                      This is great news for those who need both, as long as I can turn Secure Boot off in the bios I am happy, I have no plans on using MS.
                      Rob

                      Comment


                        #12
                        Secure Boot isn't part of BIOS. It's a feature of UEFI.

                        Comment

                        Working...
                        X