On Sun, Oct 28, 2012 at 11:44 AM, "Arun Khan (অরুণ খান্/अरुण खान)" <knura9@gmail.com> wrote:
On Sat, Oct 27, 2012 at 2:44 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
I think, IIRC, that it is not the kernel that is signed, but the loader, i.e. grub, or even some other loader that loads grub. Or both.
FWIW, I found this @ Linux Foundation.
Still LF is paying MS for a key for use by the rest of us.
Interesting and I'm glad to see it, but it doesn't fundamentally change things for UEFI Secure Boot systems running openSUSE 12.3 and newer. But it does for both non-compliant systems that don't have a way to disable Secure Boot during OS installs and for older distros/operating systems that don't offer any form of Secure Boot support.

As it strongly implies, a pre-boot loader is being created by the Linux Foundation and they are going through the process of getting it signed by an official Microsoft key. That means all UEFI Secure Boot systems will see this new pre-boot loader as being properly signed.

The new pre-boot loader is going to require that a human be at the keyboard before it advances to the boot sequence, so it is not a panacea, especially for servers.

Thus the mechanism to boot non-signed CDs/operating systems etc. becomes:

- Disable Secure Boot in the BIOS, either one time or permanently

OR

- Boot via the new Linux Foundation pre-boot loader, confirm you are physically present, then continue the boot process to the non-signed CD/OS/etc.

So if you have a new PC that you want to run old operating systems on, you should be able to install the new Linux Foundation pre-boot loader and then have it boot whatever traditional boot loader you like. The only issue is you have to be physically present whenever you boot the machine to the legacy OS.

Or if you buy a new PC that does not have a way to disable the Secure Boot feature, then you can use this new pre-boot tool to boot an openSUSE install CD as an example and have it in turn install the more formal / comprehensive SUSE Secure Boot solution. That should be a one-time occurrence, so having to be physically present should not be an issue.

(It does raise the question in my mind of corporations which use Ghost etc. to roll out images. Not sure how that will be handled. I think I'll go ask on factory.)
Greg