UEFI and Secure Boot: Canonical develops an Ubuntu key

June 25th, 2012 - 09:35 am ET by J. G.

Canonical manages an Ubuntu key for systems with UEFI Secure Boot activated. They have also announced that they will be abandoning GRUB 2 from Ubuntu 12.10.

With UEFI (Unified Extensible Firmware Interface; BIOS’ replacement), Linux distribution editors are confronting a difficult problem.

UEFI Secure Boot requires a digital key to boot a system. This measure aims at securing the pre-OS environment by limiting the possibilities of a malware attack (rootkit) which aim at compromising the boot process.

Microsoft has made Secure Boot an important element for the certification of Windows 8. This has raised some questions about the possibility of dual boot Windows 8 / Linux systems on new computers.

For Mark Shuttleworth, the founder of Canonical, Secure Boot has some faults in its conception which will require a Microsoft key for each PC. "We are working on an alternative so that the free software ecosystem isn’t dependant on Microsoft’s participation to provide access to modern PC hardware".

Sponsor of the Ubuntu distribution, Canonical has announced that they have generated an Ubuntu key while also being is discussion with partners so that this key can be easily implemented for enterprises and home users.

A consequence is that from Ubuntu version 12.10 to be released in October, the GRUB 2 boot loader will no longer be used by default on systems where Secure Boot is active. Instead, a modified version of Intel’s boot loader will be present.

Canonical has had to separate with the GRUB 2 license under GPLv3 due to the codes publication constraints. The use of a digital key means that there isn’t really sufficient privacy implemented.

Looking at this same Secure Boot problem, Red Hat’s choice is different. "Microsoft will provide keys for Windows and Red Hat will provide keys for Red Hat Enterprise Linux and Fedora". So that Fedora 18 can work with UEFI’s Secure Boot, Red Hat will pay VeriSign 99 dollars for a digital signature (to sign as many components as they like).