Linux Foundation's Secure Boot bootloader restructured
James Bottomley has substantially restructured the mini bootloader that allows any Linux version to be launched on PCs with UEFI Secure Boot. The bootloader's development has been sponsored by the Linux Foundation. The revised version uses a different method to boot the more complex secondary bootloader, which enables it to co-operate with Gummiboot, introduced last summer. Rather than loading and starting Linux itself as GRUB does, Gummiboot hands off to the firmware's EFI mechanisms; this keeps it considerably simpler than GRUB. When Secure Boot is active, however, this approach requires other, firmware-related mechanisms to verify the kernel before it is launched.
In a blog post, Bottomley says that, as a consequence of this, Gummiboot doesn't work with Shim or with the original version of the Linux Foundation's bootloader when Secure Boot is active. Further details can be found in the slides for a presentation given by Bottomley, a member of the Linux Foundation's Technical Advisory Board, at Linux.conf.au 2013. In this presentation, he explains that the kernel and Gummiboot binaries should not be verified via keys, and that user-authorised hash values should be used instead. To provide this functionality, the new version uses some trickery that is also part of an extension introduced by SUSE developers and since integrated into Shim 0.2; this extension allows Shim to store trusted code information in a "MOK" (Machine Owner Keys) database.
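The hash-based approval described above depends on which hash of the binary is compared against the user-authorised value. Shim compares enrolled hashes against the Authenticode digest of the PE image, not a plain checksum of the file: that digest skips the PE CheckSum field, the Certificate Table directory entry and the appended signature block, so re-checksumming or signing a binary leaves it unchanged, while altering a single byte of code does not. The following Python is an added example written for this page; it is not code from the article, from Shim or from the Linux Foundation loader, and the statement that Shim matches the Authenticode digest is mine, not the article's. It computes the digest for a minimal PE32+ image constructed inline and checks it against a constructed allowlist standing in for enrolled MOK hashes.

```python
import hashlib
import struct


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE image (the value a MOK hash entry is matched against)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe_off = _u32(pe, 0x3C)                      # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    n_sections = _u16(pe, coff + 2)
    opt_size = _u16(pe, coff + 16)
    opt = coff + 20
    magic = _u16(pe, opt)
    if magic == 0x10B:                            # PE32
        dirs = opt + 96
    elif magic == 0x20B:                          # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                       # CheckSum field (both formats)
    size_of_headers = _u32(pe, opt + 60)
    cert_entry = dirs + 4 * 8                     # data directory 4: Certificate Table
    cert_addr = _u32(pe, cert_entry)
    cert_size = _u32(pe, cert_entry + 4)

    h = hashlib.sha256()
    # Headers: everything except the CheckSum and the Certificate Table entry.
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:cert_entry])
    h.update(pe[cert_entry + 8:size_of_headers])
    hashed = size_of_headers

    # Section raw data, in order of file offset.
    sec_tbl = opt + opt_size
    sections = []
    for i in range(n_sections):
        s = sec_tbl + 40 * i
        raw_size, raw_ptr = _u32(pe, s + 16), _u32(pe, s + 20)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailing data is hashed too, except the attribute certificate table itself.
    if len(pe) > hashed:
        trailer = pe[hashed:]
        if cert_size:
            if cert_addr < hashed:
                raise ValueError("certificate table overlaps hashed data")
            start = cert_addr - hashed
            trailer = trailer[:start] + trailer[start + cert_size:]
        h.update(trailer)
    return h.hexdigest()


def is_authorised(pe: bytes, enrolled_hashes: set) -> bool:
    """Model of a hash-based MOK check: the image boots only if its digest was enrolled."""
    return authenticode_sha256(pe) in enrolled_hashes


def build_test_pe(checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (headers + one section) for the demo; not a real bootloader."""
    headers_size = 512
    sec_data = bytes(range(256)) * 2              # 512 bytes of constructed "code"
    sec_off = headers_size
    cert_off = sec_off + len(sec_data) if cert_blob else 0
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                 # e_lfanew -> 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 60, headers_size)                   # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                       # CheckSum
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_blob))  # Certificate Table
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<I", sec, 16, len(sec_data))                  # SizeOfRawData
    struct.pack_into("<I", sec, 20, sec_off)                        # PointerToRawData
    hdr = dos + coff + bytes(opt) + bytes(sec)
    return hdr + bytes(headers_size - len(hdr)) + sec_data + cert_blob


def demo() -> dict:
    clean = build_test_pe()
    enrolled = {authenticode_sha256(clean)}       # constructed stand-in for the MOK hash list
    tampered = bytearray(clean)
    tampered[600] ^= 0x01                         # flip one bit inside the section
    fake_sig = bytes(8) + b"constructed signature block"
    return {
        "authenticode": authenticode_sha256(clean),
        "file_sha256": hashlib.sha256(clean).hexdigest(),
        "boots_clean": is_authorised(clean, enrolled),
        "boots_rechecksummed": is_authorised(build_test_pe(checksum=0xDEADBEEF), enrolled),
        "boots_signed": is_authorised(build_test_pe(cert_blob=fake_sig), enrolled),
        "boots_tampered": is_authorised(bytes(tampered), enrolled),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running the file shows that the Authenticode digest differs from the plain file hash, survives a changed CheckSum and an appended signature block, and rejects the one-bit modification; enrolling real hashes into a machine's MOK list is done with the distribution's tooling and is outside this example.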
According to Bottomley's presentation slides, it takes a week or two for Microsoft to respond to bootloader submissions and provide a signature that is considered trustworthy by Secure Boot PCs. This means that the difficulties Bottomley encountered when he tried to get an earlier version of his mini bootloader signed last autumn appear to have been eliminated. Bottomley says that he submitted the revised version to be signed by Microsoft on 21 January, and that he hopes to receive a signed version shortly. The Linux Foundation plans to offer this signed version for download free of charge.
Shim's main contributor, Matthew Garrett, has also recently written a blog post on UEFI and Secure Boot. In this post, he provides some details about the problems that have caused Samsung notebooks to refuse to start at all after Linux was booted. He also mentions flaws in the UEFI firmware of various Toshiba notebooks that cause the signatures of the Secure Boot-compatible Fedora 18 to be considered invalid, which prevents the distribution from starting when Secure Boot is active.