How do Linux Distro creators install Secure Boot Keys in UEFI?
For PCs that come preinstalled with Windows 8, Microsoft has the OEM ship the new UEFI PCs with Secure Boot enabled.
According to the "Windows Hardware Certification for Client and Server Systems", Sections 14 through 18 under the heading System.Fundamentals.Firmware.UEFISecureBoot, I (the user) am supposed to have the ability, through my UEFI firmware settings page, to delete any or add my own Secure Boot Keys.
Document found here: (Please remove the (colon) and (dot)s and replace them with real colons and dots for the URL to work.)
The point is, if I create a Secure Boot Key for an operating system I create, how do I implement this in UEFI so that it can check against the information in my boot loader (on my distro disks) to KNOW it's o.k. to let it install? There has to be a way to add this key to UEFI so Secure Boot can verify my system as good to install.
What's the normal procedure for doing this?
I ask because I can't find anywhere in my BIOS/UEFI that will allow me to delete or add Secure Boot Keys.
I know the industry is looking for ways around this, and The Linux Foundation is even trying to get a Secure Boot Key from Microsoft working. I also know there is a way to disable Secure Boot, and some distros have the ability to work with UEFI itself. I also know that you can just switch to Legacy BIOS mode to install a distro. My thing is, the wording says a user has the ability to delete Secure Boot Keys or add their own Secure Boot Keys. I should have the ability to even delete Microsoft's Secure Boot Key if I wish. Of course, this would cause Windows 8 not to boot when Secure Boot is enabled. All of that is beyond the scope of this discussion.
If I were an operating system creator, or a creator of another tool that needs to boot with Secure Boot enabled, how would I add this key to my UEFI? If I'm reading this right, that key gets installed into UEFI, and when Secure Boot encounters your boot loader, it checks this key against the key the boot loader has to know it's safe to allow the system to boot.
Or does it actually work another way, and the key doesn't need to be previously installed to UEFI at all? (It seems silly for this key to get installed by the boot loader at the time of install for Secure Boot to check against. If that's the case, anyone can circumvent Secure Boot.) I'm trying to determine if I have an incomplete version of BIOS/UEFI installed on my system.