The other situation :

Story: Linux Foundation Comes Up With SecureBoot PlanTotal Replies: 4
Author Content

Oct 11, 2012
9:51 AM EDT
Someone wants to install Linux on some PC UEFI capable, with secure boot disabled or inexistant, a PC without the Windows logo. Would the boot process still be dependant on that pre-bootloader ? Can that pre-bootloader be totally ignored ? If the pre-bootloader cannot be ignored, would such a PC still be bootable ?

Oct 11, 2012
11:07 AM EDT
The pre-bootloader is only needed on systems with UEFI Secure Boot enabled. Otherwise you just don't need it. Whether it can be ignored or not will depend on how this is implemented. I would hope that it would have the smarts to check whether a system has a traditional or UEFI BIOS and, if it's UEFI, if Secure Boot is enabled. In theory (and since we haven't seen the code theory is all we have) the pre-bootloader would simply load the traditional bootloader (GRUB or LILO) if UEFI Secure Boot is not enabled.

I'm just a bit disappointed that the official Linux (Foundation) solution is a Microsoft key. I hate being dependent on Microsoft for anything. Having said that, it's probably the only way to insure that any (and all) Linux distros will work with new, off the shelf hardware.

Oct 11, 2012
12:55 PM EDT
Unless I'm mistaken, What puzzles me :

Signing the pre-bootloader requires the private key, only MS can do that. They enforced secure boot on PC makers to fight other operating systems,

Suppose MS signs the pre-bootloader binary, which would be unnatural. What's the use of open sourcing the pre-bootloader code ? One will never be sure that pre-bootloader binary is genuine. It may be a rootkit in itself. Sould we revive some CIA/NSA/MI6... conspiration theory ? Or would the Linux Foundation be a 'partner' of MS and be trusted a MS owned private key ?

(Please note I don't intend any offense whatever.)

Oct 11, 2012
4:21 PM EDT
I think that the explanation in Heise-online is clearer:


Oct 11, 2012
8:55 PM EDT
@nmset As I understand it MS does provide a signing service which would require a one time $99 fee to register with verisign to use. The signature and the binary are fitted together in a documented format, such that you can still test the md5 hash of what is signed to verify its integrity.

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!