In association with heise online

24 July 2012, 16:18

Fedora 18 to support UEFI Secure Boot

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Fedora logo

With two votes against, Fedora's nine person Engineering Steering Committee has approved a proposal outlining how Fedora 18 (scheduled for release in November) will support UEFI Secure Boot.

The plan, put forward by Red Hat employees Matthew Garrett and Peter Jones, provides for implementation in accordance with a suggestion from Garrett that was aired for discussion several weeks ago. The minimal shim bootloader will be signed using Microsoft's signing service; this will allow Fedora to be booted on systems without having to deactivate Secure Boot. The shim loader will then load the system's actual boat loader. Because they are designed to work with Windows 8, most UEFI PCs will include the appropriate public key for verifying this signature. Alternatively, users can sign the shim loader with their own keys and save the public key to the UEFI firmware as a trusted key, making UEFI trust the signed main boot loader.

If the shim software is loaded on a system on which Secure Boot is activated, it will use a key generated by Fedora to check that the GRUB 2 boot loader is unmodified and correctly signed before executing it. GRUB in turn checks the Linux kernel signature, which in turn checks the signatures of all kernel modules before loading them. By default, Fedora uses its own key pair to sign and check signatures. Users who save their own keys to the UEFI firmware will be able to use these to validate GRUB, the Linux kernel and kernel modules.

Where a system is booted in this way, some restrictions will be imposed on GRUB, similar to the case where a supervisor password is used in current BIOSes. The kernel will not allow some arguments to be passed during booting and will not allow DMA access to userland software. X Server graphics drivers will therefore only be able to use hardware acceleration if they utilise kernel drivers which support kernel-based mode setting (KMS). Proprietary graphics drivers from AMD and NVIDIA will therefore no longer work when booting with Secure Boot. But since Fedora does not include either of these drivers and they do not carry the Fedora signature, the kernel would not load the relevant kernel modules anyway.

At its IRC meeting held yesterday, Fedora's Engineering Steering Committee approved 15 further proposals for implementing new features in Fedora 18. The distribution is to move to the second generation of Liberation fonts and to activate automatic hinting in the Freetype font library, which is used by many different applications. Zeroconf implementation Avahi, which uses mDNS/DNS-SD to detect network printers automatically, will be activated by default on desktop installations. The development team also wants to use the improved seccomp infrastructure in Linux kernel 3.5 (released on Sunday) to improve isolation of virtual machines.

The Fedora development team has so far approved more than fifty major new features for Fedora 18. The deadline for submitting new features expires today. Feature freeze is scheduled for 7 August, with the first alpha release due at the end of that month.

On UEFI Secure Boot, see also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit