Two leading GNU/Linux players - Fedora and Ubuntu - have already disclosed their plans for secure boot. While Canonical decided to ditch Grub2 due to GPLv3, Fedora's approach was to use Grub2 and use Microsoft keys. That left openSUSE/SUSE Linux Enterprise.
We have not yet heard any plans from the openSUSE teams, but the SUSE Linux Enterprise team has started disclosing its plan. SLES team is planning to use the solution proposed by the Fedora teams. The company has started a series of blogs where they will disclose their UEFI Secure Boot strategy.
Olaf Kirch of SUSE writes on the blog, "At the implementation layer, we intend to use the shim loader originally developed by Fedora – it’s a smart solution which avoids several nasty legal issues, and simplifies the certification/signing step considerably. This shim loader’s job is to load grub2 and verify it; this version of grub2 in turn will load kernels signed by a SUSE key only. We are currently considering to provide this functionality with SLE11 SP3 on fresh installations with UEFI Secure Boot present."
What About openSUSE?
That leaves one wondering what plans do openSUSE have for UEFI Secure Boot as the team has not made any public announcement yet. Will SUSE's proposal affect openSUSE?
Olaf clarifies, "Note that when we say “SUSE”, we really mean two very distinct distributions - SUSE Linux Enterprise on one hand, and openSUSE on the other hand. The latter, being a community project, is rather independent in their decisions on how to address the issue - so the description below should be considered as the current Plan of Record for SUSE Linux Enterprise..."
However he also indicates that this proposal can be for the consideration of the openSUSE community as well. "...but in the context of openSUSE, it can be a proposal for the community’s consideration only."
Interestingly, SUSE team has not disclosed its complete plan. In a dramatic manner, the team will be disclosing their complete strategy for the UEFI secure boot through one blog at a time.
In his first blog post, Olaf touched upon various aspects of UEFI Secure Boot and talked about the conflict it has with the free software development:
As explained in the previous installment of this series, UEFI Secure Boot is a useful technology, making it harder for attackers to hide a rootkit in the boot chain.
And at the same time, already the basics of its operation – establishing a single root of trust – conflict with the principles of Open Source development, which must be independent and distributed to work.
While Olaf doesn't see any conspiracy in Microsoft's Secure Boot plans (ARM's complete lockdown leaves nothing to imagination), he does see it as an obstacle:
Just for the record, I do not think this is a conspiracy, or a sinister attempt to kill Linux. That’s not going to happen. But while Secure Boot can be a significant improvement for many, it definitely creates obstacles for the Linux community.
What do you think of SUSE's solution for UEFI Secure Boot?