[arch-general] Secure Boot Support
kristof
saposcat at myopera.com
Mon Dec 3 20:51:35 EST 2012
Now that Matthew Garrett's shim is fully featured and publicly available,
will Arch be implementing support for secure boot in the near future?
For those who haven't seen the news yet:
http://mjg59.dreamwidth.org/17542.html and
http://mjg59.dreamwidth.org/20303.html give a pretty in-depth description
of how to implement this distro-generic solution to secure boot.
More technical details on the shim are available here:
http://mjg59.dreamwidth.org/19448.html
Finally, I found this OpenSUSE dev post pretty helpful in understanding
how the MOKs work but it's not a necessary article to read:
https://www.suse.com/blogs/uefi-secure-boot-details/
The only work necessary on the packager's part is using Peter Jones'
signing tool to sign GRUB2, kernel modules, and the Arch Linux distributed
kernel binaries with an Arch Linux "key" that the users would place into
the shim's trusted key database. This isn't any more cumbersome than the
current package signing procedures, and I think it would go a long way to
be one of the first distributions to support secure-boot without having to
fiddle with the UEFI.
A final note: the shim currently only supports x86_64 machines and it's
unknown if Garrett will ever work on a 32-bit binary. That, on top of the
fact that Garrett won't be working on an ARM solution because of licensing
issues, means that secure boot would simply be an Arch64 specific feature.
I'd really like to hear the community's thoughts on this.
More information about the arch-general
mailing list