James Bottomley, who had been paid by Novell (Microsoft) before he left, is developing "secure boot" and finding out that UEFI promises are empty. From his blog:
Asked support why the process was indicating failed but I had a valid download and, after a flurry of emails, got back “Don’t use that file that is incorrectly signed. I will get back to you.” I’m still not sure what the actual problem is, but if you look at the Subject of the signing key, there’s nothing in the signing key to indicate the Linux Foundation, therefore I suspect the problem is that the binary is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation.
However, that’s the status: We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use.
In any case, the end result is that, despite paying its $99 fee, the Linux Foundation so far still does not have a validly signed pre-bootloader.
By design, Microsoft has made installing and booting Linux on Windows 8 PCs with UEFI (Unified Extensible Firmware Interface) Secure Boot troublesome. Many of the major Linux distirbutors, including Fedora, openSUSE, and Ubuntu, have proposed different ways of addressing this problem. The Linux Foundation, which supports all Linux, recently proposed a universal plan for addressing the UEFI Secure Boot issue. Unfortunately, it's been delayed.
The plan was, as James Bottomley, Parallels' CTO of server virtualization and well-known Linux Kernel maintainer, explained on October 10th, 2012, to "obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)."
Linux Foundation Struggles With Microsoft UEFI Signing
James Bottomley has written about the problems being faced by the Linux Foundation in having a Microsoft-approved validly-signed UEFI pre-bootloader.
There's many hurdles to jump from Microsoft and Verisign/Symantec for obtaining a valid signing key. There's third-party open-source tools for handling much of the signing process, but in the end Windows is still needed due to a Silverlight-based file uploader for the UEFI binary. The Mono-based Moonlight doesn't work with the Silverlight uploader. After uploading the cabinet file for signing, there's a seven-stage process.
M$ Sabotages UEFI “Secure Boot” for Linux Foundation
[...]
I have always thought it was a mistake to do anything in GNU/Linux the M$’s way. They will do anything to prevent GNU/Linux being more widely accessible for consumers. Expect nothing but “accidents”, failures, disasters and the inevitable legal suits to result. They’re all good for M$ keeping the cash-cow flowing a bit longer.
Microsoft may have attracted some headlines and discussion on Slashdot for being a 'sponsor' at the Linux Foundation's Europe event LinuxCon. But this sponsor is not giving the Linux Foundation any special treatment when it comes to UEFI Secure boot.
If you remember the Linux Foundation earlier announced their workaround for the UEFI Secure boot for the Linux community. That's getting delayed.
James Bottomley, chair of the Linux Foundation's Technical Advisory Board, explains in his blog the 'technical' and 'paper' challenges there are to get a Microsoft signed key and implement it.
He detailed the entire painful process to get a Microsoft signed key. While is extremely easy to pay $99 and get a Verisign verified key the rest of the process is quite daunting and challenging, which also requires one to use Microsoft technologies.
[...]
The foundation somehow managed to create and upload the file which had to go through seven stages and "unfortunately, the first test upload got stuck in stage 6 (signing the files)."
There were some email exchanges between Microsoft and Bottomley to sort the problem but at the moment the cart is stuck in mud.We're still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader. When that happens, it will get uploaded to the Linux Foundation website for all to use.
Comments
Michael
2012-11-21 23:29:59