Linked by Thom Holwerda on Fri 22nd Jun 2012 23:17 UTC
Ubuntu, Kubuntu, Xubuntu After Fedora, Ubuntu has now also announced how it's going to handle the nonsense called "Secure" Boot. The gist: they'll use the same key as Fedora, but they claim they can't use GRUB2. "In the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn't then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off." So, they're going to use the more liberally licensed efilinux loader from Intel. Only the bootloader will be signed; the kernel will not.
Permalink for comment 523444
To read all comments associated with this story, please click here.
The solution[tm]...
by pepper on Sat 23rd Jun 2012 07:56 UTC
pepper
Member since:
2007-09-18

Can someone explain to me why they don't implement a Damn Simple Bootloader in the MBR that is signed and chainloads grub2 from the currently active partition?

Also, why on earth does it seem like none of the UEFI designers ever heard of Trusted Boot? This would be the obvious solution for measuring exactly what you're loading, but reacting on it only later on after sufficient infrastructure is loaded to flexibly detect the situation(online revocation etc). At the same time, it allows anyone who doesn't care to load anything they want.

For those who don't like TPMs, UEFI can implement the necessary base function in software.

Reply Score: 3