When Fedora's Matthew Garrett proposed a solution to enable 'everyone' to run 'any' GNU/Linux distribution on a Secure Boot UEFI device with Microsoft key on it, the solution met with criticism from the some members of the community. My question was “what solutions do others have?”
Canonical has not made any statements about the secure boot. I do trust they are working on the solution. Michael Hall said during a discussion on Google+ that they will find a solution once Windows 8 devices start hitting the market.
I am interested in their solution because I am a long time Ubuntu user so I do want to know whether I will be able to run Ubuntu on the hardware that I will be buying soon.
However, while Canonical is yet to announce their plan for how to deal with secure boot when you buy a regular PC, they do have recommendations for vendors producing Ubuntu-specific hardware [PDF].
Matthew Garrett sums up these requirements. He says, in a nutshell, the requirements for secure boot are:
- The system must have an Ubuntu key pre-installed in each of KEK and db
- It must be possible to disable secure boot
- It must be possible for the end user to reconfigure keys
It's basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one.
Does that mean you will have the same restrictions on a Ubuntu pre-installed machines as you will have on a Windows machine? Does it mean you won't be able to boot any other OS of your choice on a Ubuntu PC?
Matthew further says:
The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables secure boot or imports their own key database. That is, a certified Ubuntu system may be more locked down than a certified Windows 8 system.
Matthew also clarifies that this was one of the reasons Fedora did not propose a 'Fedora-specific key signing, "This kind of problem is why we didn't argue for a Fedora-specific signing key. While it would have avoided a dependence on Microsoft, it would have created an entirely different kind of vendor lock-in."