Canonical details Ubuntu UEFI Secure Boot plans
In a posting to the Ubuntu developers list, Canonical has detailed its plans for UEFI Secure Boot and appears to be seeking to calm concerns after comments about its ODM UEFI requirements earlier this week. Those appeared to state that it would require hardware makers to include their own Ubuntu specific key and left some worried that Canonical was carving out its own UEFI key, to lock systems into Ubuntu Linux. It appears now though, that the company is, in fact, following the Fedora route of having an initial boot loader signed through a Microsoft programme.
When a UEFI Secure Boot system boots up a future Ubuntu, it will first boot a loader image. The company will be relying on a Microsoft key for booting this loader image from its CDs and will be signing the loader only with that key due to UEFI restrictions. Canonical say "it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs". This loader will then run a new boot loader, signed with Ubuntu's own key.
For preinstalled or "Ubuntu Certified" machines, this Ubuntu key, generated for use with UEFI, will have to be installed in the firmware's signature database, but specifically so it can receive updates for the revoked signature database when a UEFI binary is compromised. Systems which have Ubuntu installed on them later should be able to add the Ubuntu key to the firmware to get these updates. As it has limited plans to use its own key, Canonical says it will not be offering a signing service like Microsoft's.
Because of uncertainty around the GPLv3 GRUB 2 boot loader, the loader will then boot Canonical's own liberally licensed boot loader on systems where Secure Boot is being used. The default will, they believe, avoid the possibility of a system manufacturer shipping Ubuntu on a locked down system which could require Canonical to disclose their private part of the Ubuntu key. Canonical hopes that its first stage loader image will, when complete, detect when Secure Boot is not being used and use GRUB 2 instead, as it has invested much engineering time in the boot loader.
Canonical says that its focus is not on delivering a signed operating system but on ensuring that Ubuntu is able to boot on systems with Secure Boot enabled. It says that Secure Boot is designed to only protect the pre-boot sequence before the kernel is executed and will therefore not being requiring signed kernels or drivers. It concludes that Ubuntu-certified systems will be "no more locked down than other machines on the market, and will be compatible with any UEFI binaries that can be used on a Windows machine".
In a separate posting on the Canonical blog, the company pointed to the work it has done with the UEFI forum and noted that it was a co-author with Red Hat on a paper – "Secure Boot Impact on Linux". Canonical hopes to deliver the revised boot loading system for Ubuntu 12.10, Quantal Quetzal, and says it is discussing its plans with partners and OEMs to allow them to make use of the Ubuntu key.