Secure Boot restrictions can be disabled in Fedora
When users disable the security checks in the Shim Secure Boot bootloader, the latest Fedora 18 kernels will disable any restrictions that are caused by their Secure Boot support. This means that Fedora now offers a very simple way of neutralising any Secure Boot restrictions that can be used uniformly on all systems and doesn't require users to disable Secure Boot in the UEFI firmware setup.
In its factory state, Fedora 18, which was introduced in mid-January, allows the verification of Grub and kernel binaries to be disabled by calling "
mokutil --disable-verification". During the next system boot, Shim will ask the user to confirm this by entering a one-time password; the downstream Grub bootloader will subsequently launch any Linux kernel even if Secure Boot is active. Without this trickery, which was originally
intended for developers, Shim will only start Grub and kernel binaries that it considers trustworthy – in Fedora 18's factory state, this ultimately only includes the Fedora project binaries that Grub will recognise by their Fedora signature.
Even if Grub and kernel binary verification was disabled in Shim, however, users previously had to accept various restrictions that were caused by Fedora's Secure Boot implementation and affected Fedora's own kernel binaries. For example, it was only possible to load modules that included a Fedora signature and features such as Suspend-to-Disk/Software Suspend, Kexec/Kdump and kernel monitoring via Systemtap or Kprobes no longer worked. However, the two latest kernel updates for Fedora 18 contain code that will disable any Secure Boot-related restrictions if verification has been disabled in Shim.
This allows users to load self-compiled kernel modules and those from package repositories such as RPM Fusion – including the kernel modules for the proprietary graphics drivers from AMD and NVIDIA – even if Secure Boot is enabled.