Linux Foundation ships UEFI Secure Boot workaround

"I'm pretty sure these are the sorts of OEMs who would rather not receive loads of support issues from Linux newbies complaining about XYZ not working."

To which the tech support Muppet replies..

"I'm sorry sir, we only support the originally installed OS on your machine". End of call. No further action necessary. Problem solved.

"The whole "designed for Windows" sticker regime seems to suggest that is their thinking."

Is that like Vista capable?

Panic ye not!

MS lets the dust settle then quietly whispers in OEMs ears that they will get a discount if there is no secure boot off in their BIOS. In 12 months time rocking horse shit will be easier to find than a BIOS with a secure boot flip switch

Fortunately that's not going to happen, at least on PCs. The ability to turn off Secure Boot is actually a requirement for Windows 8 compatibility certification on x86.

Not least, I suspect, because a licence for Windows 8 Professional (and up) allows the user to run Windows 7 instead ... and Windows 7 isn't signed, so you wouldn't be able to do that with Secure Boot enabled.

There's also the fact that if Microsoft say that turning off Secure Boot has to be allowed, nobody can really complain that they're using it to lock users in to Windows.

Note that on x86 Microsoft don't make the hardware themselves. On Arm it's a different matter ... Microsoft don't want you buying their nice (?) new surface hardware and running Android on it. I might be able to understand and even forgive that attitude if surface was competitively priced.

Re: sign your own software

The only "proper" way to meet the requirements of the GPL and UEFI would be to provide a signed bootloader binary, while also providing the plaintext sourcecode, revealing the private key to all and sundry, of course making it utterly worthless.

I'm not an expert on the niceties of the GPL ... but the bootloader only needs access to the public key needed to check the signatures of the binaries that it loads. It may be possible to keep the private key private and remain GPL-compliant. I think it may depend whether the private key is regarded as a "derivative work" of the public key.

Re: sign your own software

"The problem is GRUB, as GPL software, cannot include baked-in keys. The GPL explicitly precludes one from distributing a binary-only version of the program with the secret key baked in. "

Please stop using the trendy hipster journo phrase "baked-in". It makes you sound like an ass. In english we say built in or included with.

Thanks.

Re: sign your own software

No, it doesn't need to be signed by MS

It needs to be signed using the private key that corresponds to the public key embedded in a certificate that's stored on the board.

There's been a lot of contradictory stuff written about this, but as I (now) understand it the norm is for UEFI PCs to be sold with a single certificate on the motherboard, and that certificate is for a key owned by Microsoft (the certificate is generated for them by Verisign, but it's not Verisign's key).

MS are offering a signing service for Linux, that's a remarkably different thing.

It's not that different a thing. If you want to run Linux from a signed bootloader on a bog-standard UEFI PC you either have to get Microsoft to sign your bootloader so that the signature can be verified using the manufacturer-distributed certificate or you have to add a certificate for another key to the motherboard (if the UEFI firmware will let you) so that you can use a bootloader signed using that key.

Or you turn Secure Boot off, or you switch off UEFI mode ... assuming the firmware allows you to. Then you can use any bootloader you like whether it's been signed or not.