Linux Foundation's Secure Boot bootloader now available
On behalf of the Linux Foundation, kernel developer James Bottomley has released a Microsoft-signed mini bootloader whose signature is trusted by typical Windows 8 PCs and which allows such PCs to be started when Secure Boot is active. Commenting on the release, Matthew Garrett, the main developer of the Shim Secure Boot bootloader that has been available for some time, announced that he intends to integrate some of the features of the Linux Foundation's mini bootloader into Shim as well.
Rather than launching Linux itself, the Linux Foundation's mini bootloader usually calls other bootloaders that will then get Linux going; in the process, users must confirm that they trust the second bootloader and the kernel. The mini bootloader can deposit the hash values of both in the firmware; this enables it to remember the kernels and bootloaders that have already been authorised by the user and avoids repeat confirmation requests.
However, when announcing the signed bootloader, Bottomley explains that he has had to omit the KeyTool.efi module that is designed to provide firmware verification keys. Bottomley said that when performing tests during the signature approval process, Microsoft discovered a bug that can be exploited to bypass the UEFI security system in one hardware manufacturer's UEFI firmware; the module has therefore been omitted until the problem has been solved. The developer has also released an image for USB flash drives that allows users to try out his mini bootloader.
Over the past two months, Bottomley, a member of the Linux Foundation's Technical Advisory Board, has thoroughly restructured the Secure Boot bootloader that was announced last October to provide support for bootloaders such as Gummiboot, which was introduced last summer. Details of the bootloader's revised operation can be found in the slides of a presentation Bottomley recently gave at linux.conf.au; video recordings of this presentation in MP4 and OGV format are available on the conference web site.
In a blog post by Matthew Garrett, the main developer of Shim explains how Shim and the Linux Foundation's mini bootloader differ in his view. Garrett says that the Linux Foundation's mini bootloader has a better user interface and uses UEFI technologies when launching bootloaders and the kernel to support applications like Gummiboot. The developer mentions that he intends to integrate this functionality into Shim as well. As Bottomley explained when commenting on a blog post, the two developers are also contemplating whether to merge the two Secure Boot mini bootloaders.