Authored by: Anonymous on Friday, June 22 2012 @ 11:00 AM EDT |
Steve Langasek, Colin Watson, and Jeremy Kerr write:

So, the bad news first: at this point, we are not planning to use GRUB 2 by default on systems with secure boot enabled. As a search through its ChangeLog will show, we've put a considerable amount of upstream development effort into GRUB 2 and we hope to carry on doing so, so this wasn't an easy decision.

Matthew Garrett has outlined Fedora's plans in some detail elsewhere, and they do involve GRUB 2. The reason we've arrived at a different plan is that Ubuntu has a rather extensive base of preinstalled systems. Microsoft's Windows 8 logo requirements do say that there must be a way for users to disable secure boot or to install their own keys, and we strongly support this in our own firmware guidelines; but in the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn't then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off.
https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
|
|
Authored by: Anonymous on Friday, June 22 2012 @ 11:33 AM EDT |
A more detailed account may be found at Phoronix:

Also shared is that Canonical only plans to enforce requiring the authentication of boot-loader binaries but not signed kernel images or kernel modules. This will make Ubuntu Linux still capable of loading binary blobs like the NVIDIA and AMD Catalyst drivers and for users to easily spin their own kernels.

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have, as it also signs things like option ROMs, and the UEFI specification only allows an image to be signed by a single key. This will then chain to efilinux (Ed: an Intel boot loader Canonical to use in lieu Grub 2) signed by our own key (so we don't have to go through the WinQual signing process every time we want to make a minor change there). We hope that we'll also be able to make the first stage loader detect whether Secure Boot is enabled and otherwise chain to GRUB 2, to ensure that we don't regress behaviour for those with UEFI systems that do not implement Secure Boot or that have it disabled."

Ed L (not logged in)
|
|
Authored by: Anonymous on Friday, June 22 2012 @ 12:47 PM EDT |
Who is going to sell Google the hardware for their Chrome gear?