Canonical introduces its own key and bootloader for secure boot
Canonical has announced that it will support the UEFI secure boot mechanism in future Ubuntu releases. For that, it will introduce its own Ubuntu signature along with a bootloader that will replace Grub2.
In an update to an earlier posting on the Canonical blog, the Ubuntu developer describes its plans regarding the secure boot feature, which is part of the UEFI specification and also a controversial security feature of Windows 8. The company, which is part of the UEFI Forum, states that it strives to make the Ubuntu operating system work as ‘smoothly as possible’ with PCs and laptops that have secure boot enabled. Canonical also says that it wants to introduce its own Ubuntu signature for this and that a special bootloader will be released.
On the Ubuntu developer mailing list, Canonical takes a closer look at the chosen implementation. For example, Grub2, the traditional bootloader of the latest Ubuntu releases, will be replaced on secure boot systems by Intel’s Efilinux loader. Canonical says it made this choice because Grub2 is under the GPLv3 license, and because of this there is a chance that its secure boot key will be published. Should this happen, the signature will be declared invalid. Furthermore, Grub’s code was labeled too dated.
Canonical further reports that only the bootloader binaries need to be signed by Ubuntu. This allows users to compile their own kernels and use the proprietary drivers from Nvidia and AMD. With this method, Canonical is less strict than the secure boot implementation that Red Hat envisions with Fedora.
Finally, Canonical will make it mandatory for manufacturers that ship hardware with Ubuntu to include the necessary key in the UEFI. The company also hopes that there will be an alternative to Microsoft’s signing service in due course, but there is still a lot of uncertainty about this issue.