Decide how and if Secure Boot should be supported
Open, Normal, Public

Like the title says: UEFI secure-boot has some annoying properties where we need to decide if we want to support it, and if so, how.

Currently, we can

  1. Not support secure-boot
  2. Support secure-boot the Ubuntu-way, where we ship a Microsoft-signed shim, but don't validate the kernel images (meaning that we don't actually use secure-boot, but bypass it)
  3. Use a proper implementation, e.g. with the Linux Foundation's shim loader

All of those solutions, except for the first, would require us to ship a signed BLOB in the main archive (we have the source-code for it, but can't reproduce it due to missing signing-keys).
Solution 2 would allow us to make installations easier by bypassing secure-boot, so users don't need to fiddle with the UEFI settings if they want to install Tanglu. Solution 3 would be the proper implementation.

So, I think we should likely go from 1 -> 2 -> 3 when implementing it - but I would like to have some feedback if we can and should ship a signed BLOB in the archive for boot (naturally, this feels like something for non-free, but we can't enable non-free by default just to have users boot their system).

ximion created this task. Sep 9 2015, 5:00 PM
ximion lowered the priority of this task from "High" to "Normal".
ximion added a subscriber: ximion.
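Added illustration, not part of ximion's task or of any Tanglu code: a POSIX shell script that reports what the firmware itself says about Secure Boot, by parsing the SecureBoot and SetupMode variables as Linux exposes them under efivarfs. Each efivarfs file is a 4-byte attribute header followed by the variable data, and both variables are a single byte (0 or 1). The GUID is the UEFI global-variable GUID; the efivars directory is a parameter (EFIVARS, assumed to default to /sys/firmware/efi/efivars) so the parser can also be run on constructed files. Whatever the firmware reports, a state of "enforcing" only means the firmware verified the first-stage loader; under solution 2 as described above, the shim passes control on without validating the kernel, so this check cannot tell the two implementations apart.

```shell
#!/bin/sh
# Added example (not from the Tanglu task): report the firmware's Secure Boot
# state by parsing UEFI variables from efivarfs. Each efivarfs file carries a
# 4-byte attribute header, then the variable data; SecureBoot and SetupMode
# are one data byte each. EFIVARS is an assumed default, overridable for tests.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global-variable GUID

# Print the first data byte (after the 4-byte header) of an efivarfs file as a
# decimal number, or "absent" if the file is missing or unreadable.
efivar_byte() {
    if [ -r "$1" ]; then
        od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
    else
        echo absent
    fi
}

# Classify the SecureBoot/SetupMode pair from the given efivars directory.
#   enforcing  : SecureBoot=1 and not in setup mode (firmware verifies the loader)
#   setup-mode : SecureBoot=1 but keys are still being provisioned; not enforcing
#   disabled   : SecureBoot=0
sb_state() {
    dir=$1
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    case "$sb:$setup" in
        absent:*)       echo "no-uefi-or-no-efivars" ;;
        1:0|1:absent)   echo "enforcing" ;;
        1:1)            echo "setup-mode" ;;
        0:*)            echo "disabled" ;;
        *)              echo "unknown($sb:$setup)" ;;
    esac
}

# Usage on the live system (efivarfs must be mounted, which it is on most
# UEFI-booted Linux installs); on a BIOS/CSM boot this prints the "absent" case.
echo "Firmware Secure Boot state: $(sb_state "$EFIVARS")"
```

The parser deliberately reads only the byte after the header rather than relying on a helper tool, so it works on a minimal rescue or installer environment; the "no-uefi-or-no-efivars" result is reported separately from "disabled" because a missing variable usually means a legacy boot, not a firmware with Secure Boot switched off.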

I prefer solution 3