UEFI Secure Boot and Ubuntu - implementation

Colin Watson cjwatson at ubuntu.com
Sat Jun 23 07:53:59 UTC 2012

On Sat, Jun 23, 2012 at 04:21:33AM +0100, Matthew Garrett wrote:
> On Fri, Jun 22, 2012 at 12:04:29PM +0100, Steve Langasek wrote:
> > we have not been able to find legal guidance that we wouldn't then be 
> > required by the terms of the GPLv3 to disclose our private key in 
> > order that users can install a modified boot loader.
> Have you talked to the FSF about their position on this? They're the 
> sole copyright holder of grub 2, so any position they'd publicly take 
> would be pretty relevant in terms of potential legal action.

I haven't been privy to all the mails on this, but in the ones I saw,
the responses were distinctly equivocal at best.  They certainly didn't
say that we were safe, rather the reverse.

(Not using GRUB 2 is definitely a second-class option as far as we're
concerned, so if the FSF ever makes it clear that this wouldn't be a
problem for us, I suspect we will gladly reverse our boot loader

> > As announced earlier today, we've generated an Ubuntu signing key for
> > use with UEFI.  The private half of this key will be stored securely on
> > our Launchpad infrastructure, which will be responsible for signing boot
> > loader images and distributing them in the Ubuntu archive.
> I'm not fully clear on this. If the bootloaders you distribute in the 
> archive will be signed with your key, how do you get your key installed 
> on existing systems? Or will there be two bootloader packages, one 
> signed by Microsoft and one signed by you, with the first chaining to 
> the second?

The latter.  Sorry for not making that clear.  In fact something like
your shim looked fine for that part; I thought Steve had been talking
with you about that.

Colin Watson                                       [cjwatson at ubuntu.com]

More information about the ubuntu-devel mailing list