Slashdot Mirror


Matthew Garrett Makes Available Secure Bootloader For Linux Distros

TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."

8 of 274 comments

  1. Yay! by wgoodman · · Score: 5, Interesting

    I'm really proud of him and I really hope that there is no ensuing lawsuit for violating some sort of propitiatory BS.

    1. Re:Yay! by Anonymous Coward · · Score: 5, Funny

      violating some sort of propitiatory BS

      Yeah I really hate all that appeasing the gods BS, too.

    2. Re:Yay! by Anonymous Coward · · Score: 5, Insightful

      You should never care if it is an AC.

      It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

    3. Re:Yay! by Anonymous Coward · · Score: 5, Funny

      Cutting out the middle man is ALWAYS the right thing to do.

      Next time you're sick, I'll call the undertaker.

  2. Re:How does this work? by Kergan · · Score: 5, Informative

    In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.

    In more complicated terms, I'll defer to the wiki page.

  3. Re:Clarification by MysteriousPreacher · · Score: 5, Funny

    Micro$oft and Windoze? Have you recently emerged from 15 years in stasis? To bring you up to date...

    Madonna is still shit and now looks like Iggy Pop.
    9/11
    Year of Linux on the desktop is imminent
    The president's black
    The Rolling Stones aren't dead
    We sent cool shit to Mars
    World didn't end but will end again later this month

    -- Using the preview button since 2005

  4. Re:Fuck secure boot. by mjg59 · · Score: 5, Informative

    "With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"

    openssl req -new -nodes -x509 -outform DER -out sig.crt -keyout signing_key.priv

    And then enrol it with mokutil or MokManager from shim.
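    The key-generation step from the comment above as a small POSIX shell script. This is an added example, not mjg59's own script or anything shipped with shim: it assumes openssl is on the PATH, the file names, directory and certificate subject are constructed for illustration, and the mokutil enrolment itself is only shown as a comment because it needs EFI variables and a reboot through MokManager. Beyond the one-liner it also checks two things a practitioner wants to know before enrolling: that the certificate is self-signed (subject equals issuer, so it can act as a trust anchor on its own) and that it really carries the public half of the private key that will later sign kernels and bootloaders.

```shell
#!/bin/sh
# Added example: generate a Machine Owner Key (MOK) pair for enrolment with
# mokutil/MokManager and sanity-check it before enrolling. Paths, subject and
# key size are assumptions, not values from the thread.
set -e

# generate_mok DIR: create DIR/MOK.priv (PEM private key) and DIR/MOK.der
# (DER-encoded self-signed X.509 certificate, the form mokutil --import takes).
generate_mok() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Example MOK (constructed)/" \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" 2>/dev/null
    # Whoever holds this key can sign code the firmware will then trust,
    # so restrict it to the owner.
    chmod 600 "$dir/MOK.priv"
}

# mok_is_self_signed CERT: succeed only if subject equals issuer. A MOK is
# enrolled as a trust anchor in its own right, so it must be self-signed.
mok_is_self_signed() {
    subject=$(openssl x509 -in "$1" -inform DER -noout -subject)
    issuer=$(openssl x509 -in "$1" -inform DER -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# mok_key_matches CERT KEY: succeed only if the public key embedded in CERT is
# the public half of KEY, i.e. signatures made with KEY will verify against
# the enrolled certificate.
mok_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -inform DER -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Typical use (the enrolment line is not run here; it needs EFI and a reboot):
#   generate_mok ./mok
#   mok_is_self_signed ./mok/MOK.der && mok_key_matches ./mok/MOK.der ./mok/MOK.priv
#   sudo mokutil --import ./mok/MOK.der   # then reboot and confirm in MokManager
```

    After enrolment, only binaries signed with MOK.priv (plus whatever the distro's shim already trusts) will be accepted by shim, which is why the private key deserves the same handling as any other code-signing key.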

  5. Re:How does this work? by AdamWill · · Score: 5, Informative

    Try reading the OP.

    This is a build of shim that's signed by Microsoft. It has particular properties. It is intended to be distributed by small Linux distros, with their own key as config data. When you boot it, it offers you the option to trust a single specific key - the key it was provided to you with. You have to specifically perform a certain operation to trust the key.

    What all this wiggling achieves is to allow you to say 'I trust the entity that provided me with this key to provide an operating system for my machine'. The safeguards prevent it from being used for malware, unless you're _really_ dumb and, when this screen pops up on your system after you install something you didn't think was an operating system, you carefully jump through all the hoops to allow it to nerf your system.

    So Microsoft is happy because the malware path is very unlikely to occur, and the Linux distributor is happy because if the person really is installing an alternative OS, all they have to do is navigate a menu once in order to say that OS's key is trusted, and from then on, that OS can function with SB enabled indefinitely.

    Clear?