Secure Boot bootloader for Linux
Linux developer Matthew Garrett has released a version of his Shim Secure Boot bootloader that allows any Linux distribution to be launched on Secure Boot systems without the user having to disable UEFI Secure Boot. Because Garrett's Shim binary has been signed by Microsoft, it will be executed by almost any UEFI firmware that enforces Secure Boot.
When it starts, the Shim asks the user for a key and will then launch any bootloader that has been signed with that key. On his blog, Garrett explains that Linux distributors simply need to sign their UEFI bootloader (grubx64.efi) with a separate key of their own, include this key on their installation medium and tell their users where to find the key when the Shim asks for it. Anything beyond that is up to the individual distributor; for example, Garrett says that it is possible to use signed kernel images and modules to extend the chain of trust to the entire boot process. The signed version of the Shim saves Linux distributors the effort of having to get their own bootloaders signed by Microsoft.
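As an added illustration of the distributor-side steps just described (this is example code written for this page, not code from the article or from the Shim project), the script below generates a distributor signing key, exports the public certificate in the DER form that is placed on the installation medium for the Shim prompt, signs grubx64.efi with the private key using sbsign from sbsigntools, and verifies the result against the public certificate alone. File names, the output directory and the certificate subject are assumptions; openssl, sbsign and sbverify are the real tools, but the exact paths and the certificate subject are chosen here for the example.

```shell
#!/bin/sh
# Added example: distributor-side signing steps for a Shim-launched bootloader.
# Assumed tools: openssl (key and certificate), sbsign/sbverify (sbsigntools).
# All paths and the certificate subject are constructed for this example.
set -eu

# Create a long-lived distributor key pair and self-signed certificate.
# $1 = output directory, $2 = certificate subject (defaults to a constructed one)
make_distro_key() {
    dir="$1"
    subj="${2:-/CN=Example Distro Secure Boot Signing Key/}"
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$subj" -keyout "$dir/distro.key" -out "$dir/distro.crt" 2>/dev/null
    # DER copy of the certificate: this is the "key" shipped on the installation
    # medium that the user points the Shim at when prompted.
    openssl x509 -in "$dir/distro.crt" -outform DER -out "$dir/distro.cer"
    # The private key never leaves the build host; restrict it to the owner.
    chmod 600 "$dir/distro.key"
}

# Sign the UEFI bootloader with the distributor private key.
# $1 = key directory, $2 = unsigned grubx64.efi, $3 = signed output path
sign_bootloader() {
    dir="$1"; in="$2"; out="$3"
    sbsign --key "$dir/distro.key" --cert "$dir/distro.crt" --output "$out" "$in"
}

# Check a signed bootloader against the public certificate only, i.e. the same
# check the Shim performs once the user has supplied the certificate.
# $1 = certificate (PEM), $2 = signed bootloader
verify_bootloader() {
    sbverify --cert "$1" "$2"
}

# Print the SHA-256 fingerprint of the DER certificate so that documentation can
# tell users which certificate they are expected to enrol at the Shim prompt.
# $1 = DER certificate
cert_fingerprint() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256
}

# Typical use on the distributor's build host (paths are assumptions):
#   make_distro_key ./keys
#   sign_bootloader ./keys ./grubx64.efi ./grubx64.efi.signed
#   verify_bootloader ./keys/distro.crt ./grubx64.efi.signed
#   cert_fingerprint ./keys/distro.cer
```

The functions are deliberately separate: key generation happens once and the private key stays on the build host, while the DER certificate and the fingerprint are what ship with the medium and the documentation. Running verify_bootloader with only the certificate is the useful pre-release check, because it exercises exactly the trust relationship the Shim will rely on.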
Garrett pointed out potential Secure Boot issues with Linux over a year ago and has worked to develop a convenient way of installing Linux on Secure Boot systems ever since. The Linux Foundation, which has been pursuing a similar approach, is currently struggling with Microsoft's Secure Boot signing service. Shim 0.2 is available to download as source code and as a signed binary.