On 31/05/12 7:32 PM, Edward M wrote:
Hi,
I fully dont understand the approach that may be taken as workaround to
USFI Secure Boot for Fedora:
The last option wasn't hugely attractive, but is probably the least
worst. Microsoft will be offering signing services through their sysdev
portal <
http://sysdev.microsoft.com>.
It's not entirely free (there's a one-off $99 fee to gain access),
but it's cheaper than any realistic alternative would have been. It
ensures compatibility
with as wide a range of hardware as possible and it avoids Fedora
having any special privileges over other Linux distributions.
If there are better options then we haven't found them. So, in all
probability, this is the approach we'll take. Our first stage bootloader
will be signed with a Microsoft key.
So, The boot process on EFI without secure boot is
EFI firmware
|
v
grub(2)
|
v
kernel
With secure boot, it will run something like this
Efi firmware (signed and validated by hardware). This holds the MS
public keys, and verifies the signature of then next bootloader
|
v
First stage bootloader, Signed by the MS keys. This contains the Fedora
Keys, and will check the signature of the next stage.
|
v
Grub(2). This is signed by the fedora keys. It checks the signature of
the kernel against the fedora keys.
|
v
Kernel
If grub2 were loaded directly from firmware, every time grub2 was
updated, it would need to be submitted to MS for signing. This would
take time, and create hassles.
The reason that a first stage bootloader is needed, is that Grub 2 is
updated somewhat frequently. By having a small, static first stage
loader which contains the fedora keys, this means that it is less
frequent that this will need replacing, and more over, does not need
resigning by microsoft every time a grub2 update occurs. In theory, the
only time the First stage loader would need replacing is when the MS
keys expire, when the Fedora keys expire, or when an update to this
needs to occur. But of course, this would be small and simple, so
updates would be infrequent, if ever.
will I need to pay $99 to use linux,etc. what about other distros?
I know will be speculating at this point but wondering what could be the
reprecussions if this method is taken?
No. I would assume the Fedora project pays the $99, and then distrubtes
the signed bootloader component, with the fedora keys built in.
--
Sincerely,
William Brown
pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2