  1. #1
    Just Joined!
    Join Date
    Dec 2010
    Posts
    21

    How do Linux Distro creators install Secure Boot Keys in UEFI ?


    For PCs that come preinstalled with Windows 8, Microsoft has the OEM ship the new UEFI PCs with Secure Boot enabled.

    According to the "Windows Hardware Certification for Client and Server Systems", Sections 14 through 18 under the heading System.Fundamentals.Firmware.UEFISecureBoot, I (the user) am supposed to have the ability, through my UEFI firmware settings page, to delete any or add my own Secure Boot keys.

    Document found here: ( Please remove the (colon) & (dot)'s and replace them with real colon and dots for the URL to work)

    http(colon)//msdn(dot)microsoft(dot)com/en-US/library/windows/hardware/jj128256

    The point is, if I create a Secure Boot key for an operating system I create, how do I implement this in UEFI so that it can check against the information in my boot loader (on my distro disks) to KNOW it's o.k. to let it install? There has to be a way to add this key to UEFI so Secure Boot can verify my system as good to install.

    What's the normal procedure for doing this?

    I ask because I can't find anywhere in my BIOS/UEFI that will allow me to delete or add Secure Boot keys.

    I know the industry is looking for ways around this and The Linux Foundation is even trying to get a Secure Boot key from Microsoft working. I also know there is a way to disable Secure Boot and some distros have the ability to work with UEFI itself. I also know that you can just switch to Legacy BIOS mode to install a distro. My thing is the wording says a user has the ability to delete Secure Boot keys or add their own Secure Boot keys. I should have the ability to even delete Microsoft's Secure Boot key if I wish. Of course this would cause Windows 8 not to boot when Secure Boot is enabled. All of that is beyond the scope of this discussion.

    If I were an operating system creator or a creator of another tool that needs to boot with Secure Boot enabled, how would I add this key to my UEFI? If I'm reading this right, that key gets installed into UEFI and when Secure Boot encounters your boot loader it checks this key against the key the boot loader has to know it's safe to allow the system to boot.

    Or does it actually work another way and the key doesn't need to be previously installed to UEFI at all? (Seems silly for this key to get installed by the boot loader at the time of install for Secure Boot to check against... if that's the case, anyone can circumvent Secure Boot.) I'm trying to determine if I have an incomplete version of BIOS/UEFI installed on my system.

  2. #2
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733
    Quote Originally Posted by DarkPenquin
    The point is, if I create a Secure Boot key for an operating system I create, how do I implement this in UEFI so that it can check against the information in my boot loader (on my distro disks) to KNOW it's o.k. to let it install? There has to be a way to add this key to UEFI so Secure Boot can verify my system as good to install.

    What's the normal procedure for doing this?
    You can find information on Linux and UEFI Secure Boot:

    Making UEFI Secure Boot Work With Open Platforms | The Linux Foundation
    oz

  3. #3
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733
    Don't know if it will be of any interest or help to you, but here's an interesting article about someone else dealing with UEFI secure boot and Linux:

    More fun with Windows 8 UEFI, Secure Boot, Fedora and Ubuntu | ZDNet
    oz

  4. #4
    Just Joined!
    Join Date
    Dec 2010
    Posts
    21
    Thanks. I'll look over both of them. My PC manufacturer is famous for installing a scaled-down BIOS. I have spoken to tech support and they told me they cannot even give support for BIOS/UEFI, which I think is unthinkable. These new issues with UEFI having to have extra functionality, specifically a Custom option that allows users to add or delete Secure Boot keys, from section 17 of the document above, appear to be missing from my system. The service manual doesn't mention them at all, nor are they found on the system. From the support forum I was put in touch with a special troubleshooting division, to which I just wrote a long letter detailing the problem. I will post the replies I get so we can all share in the answer.

  5. #5
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,600
    UEFI is not a bad BIOS, and has a lot of enhancements over the old PC BIOS API. However, add that to "secure boot" and we have a real mess (which we have been discussing in "The Coffee Lounge"). My philosophy is that if I own the hardware, then I own the system, and if you won't let me do with it what I want, then I won't purchase anything from you any longer!
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
