UEFI Secure Boot and Ubuntu - implementation
cjwatson at ubuntu.com
Sat Jun 23 07:53:59 UTC 2012
On Sat, Jun 23, 2012 at 04:21:33AM +0100, Matthew Garrett wrote:
> On Fri, Jun 22, 2012 at 12:04:29PM +0100, Steve Langasek wrote:
> > we have not been able to find legal guidance that we wouldn't then be
> > required by the terms of the GPLv3 to disclose our private key in
> > order that users can install a modified boot loader.
> Have you talked to the FSF about their position on this? They're the
> sole copyright holder of grub 2, so any position they'd publicly take
> would be pretty relevant in terms of potential legal action.
I haven't been privy to all the mails on this, but in the ones I saw,
the responses were distinctly equivocal at best. They certainly didn't
say that we were safe, rather the reverse.
(Not using GRUB 2 is definitely a second-class option as far as we're
concerned, so if the FSF ever makes it clear that this wouldn't be a
problem for us, I suspect we will gladly reverse our boot loader
> > As announced earlier today, we've generated an Ubuntu signing key for
> > use with UEFI. The private half of this key will be stored securely on
> > our Launchpad infrastructure, which will be responsible for signing boot
> > loader images and distributing them in the Ubuntu archive.
> I'm not fully clear on this. If the bootloaders you distribute in the
> archive will be signed with your key, how do you get your key installed
> on existing systems? Or will there be two bootloader packages, one
> signed by Microsoft and one signed by you, with the first chaining to
> the second?
The latter. Sorry for not making that clear. In fact something like
your shim looked fine for that part; I thought Steve had been talking
with you about that.
Colin Watson [cjwatson at ubuntu.com]
More information about the ubuntu-devel