Mailinglist Archive: opensuse (924 mails)

Re: [opensuse] UEFI
  • From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
  • Date: Tue, 23 Oct 2012 12:18:19 -0400
  • Message-id: <CAGpXXZLww9L4UO_Edo=dUHkR847Wb7EYRVoPzn8L6hcjZDCt9g@mail.gmail.com>
On Tue, Oct 23, 2012 at 11:05 AM, Mark Hounschell <markh@xxxxxxxxxx> wrote:
> On 10/23/2012 10:52 AM, Greg Freemyer wrote:
>>
>> On Tue, Oct 23, 2012 at 9:43 AM, Tony <tonys@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> With the upcoming UEFI and Secure Boot Windows 8 etc....
>>
>> UEFI Secure Boot is scheduled to be incorporated into opensuse 12.3
>> (Currently due in March 2013). It might be in factory before that if
>> you critically have to have it.
>>
>> The process is to manually disable Secure Boot in the bios, boot from
>> opensuse CD. It will install a Secure Boot key/extension which will
>> allow opensuse to boot.
>>
>> Manually re-enable secure boot. The opensuse kernels should now be
>> recognized and allow boot.
>>
>> Greg
>
> Does this mean we won't be able to run any kernels other than opensuse
> kernels?
>
> Mark

Mark,

Quick answer (that I expect most kernel hackers to use):

The spec calls for x86 PCs to have a bios option to disable UEFI Secure Boot.

With that disabled, you can do what you please.

Long answer (which assumes Secure Boot is enabled):

This is linux. The SUSE team is doing its very best to make sure you
are still in control. Fortunately, they are also contributing their
solution to openSUSE.

Hopefully you know about private and public keys. Private keys are
used to sign, public keys to authenticate. (You will not have access
to the openSUSE private key, so you won't be able to sign kernels with
it.)

opensuse is developing an open/extensible solution that will leverage
their private key by installing their public key into a Secure Boot
key database.

If you have a true need to sign your own kernels, then I assume you
can get a copy of the extensible Secure Boot module that openSUSE is
developing and use it to install your own public key to the secure
boot key database. Then you will need to sign your kernels with your
private key.

I can see large enterprises wanting to implement a policy that only
kernels signed by the enterprise can be used. From my understanding,
the UEFI Secure Boot process combined with the SUSE extensions would
allow that to be done.

Greg