SUSE slowly shows UEFI Secure Boot plan

Apparently, it's a multi-part adventure

After a couple of months working on their approach to the UEFI Secure Boot issue, SUSE has finally opened up a bit on how they will address getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot in place.

For now, it seems, SLES will implement an approach similar to that used by Fedora.

"At the implementation layer, we intend to use the shim loader originally developed by Fedora--it's a smart solution which avoids several nasty legal issues, and simplifies the certification/signing step considerably. This shim loader's job is to load grub2 and verify it; this version of grub2 in turn will load kernels signed by a SUSE key only. We are currently considering providing this functionality with SLE11 SP3 on fresh installations with UEFI Secure Boot present," wrote Olaf Kirch, Director of SUSE Linux Enterprise, on the SUSE blog today.

But that's about all you're going to get for now. For whatever reason, SUSE seems to be taking a Saturday-morning-serial approach to their big reveal, taking their own sweet time to explain why they are choosing the path they are planning to implement. Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader. And wait, there's more:

"What isn't clear is how this allows Open Source developers to run their own kernels, or bootloaders for that matter, or how this complies with the GPL v3 license. In the next part of this series of blogs, we will explain how we intend to provide this with our version of the shim," Kirch concluded in today's entry.

Why SUSE is building the suspense is beyond me. Fedora has already approved their proposed solution, and Canonical is working on their own answer for Ubuntu.

Under the Windows 8 logo certification program, every machine that carries the Windows 8 logo must ship with Unified Extensible Firmware Interface (UEFI) firmware instead of the legacy BIOS that most PCs have used for decades.

Neither EFI nor the later UEFI specification is the problem for Linux--Linux has booted on EFI firmware since the 2.6 series. The problem is Microsoft's other requirement for a Windows 8-certified client: the system must ship with Secure Boot enabled. Under Secure Boot, every executable the firmware loads on the boot path (boot loaders, EFI drivers, option ROMs) must carry a signature that verifies against a certificate in the firmware's signature database (db), with the Key Exchange Key (KEK) controlling who may update that database. In practice OEMs populate db with Microsoft's UEFI CA certificate, so a Linux distribution needs either its own certificate enrolled by the hardware vendor or a boot loader signed through Microsoft.

This means that a user who wants to dual-boot a Windows 8-certified machine with Secure Boot enabled cannot boot a Linux boot loader whose signature the firmware does not recognize. The same certification requirements oblige x86 vendors to let a physically present user disable Secure Boot or enroll their own keys in firmware setup, so dual-booting is not impossible outright, but without a recognized signature it takes a trip into the firmware menus rather than simply installing the distribution.
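As an added example that is not part of the article or of SUSE's code, the Go program below models the chain Kirch describes and the signing rule explained above: the firmware verifies shim against db alone, shim carries a vendor key and verifies grub2 against db plus that key, and grub2 applies the same check to the kernel. Ed25519 over a SHA-256 digest stands in for the Authenticode RSA signatures and X.509 certificates real images carry, and every key, image and name here (`Microsoft UEFI CA`, `SUSE`, `shim.efi`, `grub.efi`, `vmlinuz`) is constructed on the fly for illustration. The three scenarios it runs are the ones that matter to the dual-boot question: a vendor-signed kernel boots, a kernel signed by a key nobody enrolled does not (a correct signature is not enough, the signer must be trusted), and an image altered after signing does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image stands in for a PE/COFF boot image: the bytes an Authenticode signature
// covers, the detached signature, and the signer's key (really an X.509 cert).
type Image struct {
	Name   string
	Body   []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// Authority holds a signing key (constructed stand-ins for the Microsoft UEFI CA, SUSE, etc.).
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority(name string) Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{name, pub, priv}
}

// Sign signs the SHA-256 digest of the body, as Authenticode does.
func (a Authority) Sign(name string, body []byte) Image {
	d := sha256.Sum256(body)
	return Image{name, body, a.Pub, ed25519.Sign(a.priv, d[:])}
}

// TrustStore maps a raw public key to its owner's name: the firmware's db, or
// db plus shim's embedded vendor key once shim is running.
type TrustStore map[string]string

// verify refuses an image unless its signer is enrolled AND the signature is
// valid over the body; a good signature from an unenrolled key still fails.
func verify(img Image, trusted TrustStore) error {
	if _, ok := trusted[string(img.Signer)]; !ok {
		return fmt.Errorf("%s: signer not in trust store", img.Name)
	}
	d := sha256.Sum256(img.Body)
	if !ed25519.Verify(img.Signer, d[:], img.Sig) {
		return fmt.Errorf("%s: signature does not match image", img.Name)
	}
	return nil
}

// BootChain models firmware -> shim -> grub2 -> kernel. Firmware checks shim
// against db alone; shim adds the vendor key it carries, and grub2 and the
// kernel must both verify against that extended store.
func BootChain(db TrustStore, shim Image, vendor ed25519.PublicKey, vendorName string, grub, kernel Image) error {
	if err := verify(shim, db); err != nil {
		return err
	}
	ext := TrustStore{string(vendor): vendorName}
	for k, v := range db {
		ext[k] = v
	}
	for _, img := range []Image{grub, kernel} {
		if err := verify(img, ext); err != nil {
			return err
		}
	}
	return nil
}

// Demo runs three constructed chains and reports whether each boots: a
// SUSE-signed kernel, a kernel signed by an unenrolled key, and a grub2
// image altered after it was signed.
func Demo() (signedOK, strangerOK, tamperedOK bool) {
	ms, suse, dev := NewAuthority("Microsoft UEFI CA"), NewAuthority("SUSE"), NewAuthority("unenrolled key")
	db := TrustStore{string(ms.Pub): ms.Name} // what an OEM ships: Microsoft's CA only
	shim := ms.Sign("shim.efi", []byte("shim body"))
	grub := suse.Sign("grub.efi", []byte("grub2 body"))
	kernel := suse.Sign("vmlinuz", []byte("kernel body"))
	signedOK = BootChain(db, shim, suse.Pub, suse.Name, grub, kernel) == nil
	strangerOK = BootChain(db, shim, suse.Pub, suse.Name, grub, dev.Sign("vmlinuz", kernel.Body)) == nil
	tampered := grub
	tampered.Body = append([]byte("X"), grub.Body[1:]...) // one byte changed after signing
	tamperedOK = BootChain(db, shim, suse.Pub, suse.Name, tampered, kernel) == nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("SUSE-signed kernel boots: %v, unenrolled key boots: %v, tampered grub2 boots: %v\n", a, b, c)
}
```

The second scenario is exactly the gap Kirch flags for the next installment: a developer's own kernel carries a perfectly valid signature, yet this chain rejects it because the developer's key is in neither db nor shim's vendor key, so some mechanism for enrolling additional keys is needed before self-built kernels can boot.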

Not only is SUSE dragging this out, but their explanation today is a bit unclear. In the shim bootloader explanation above, Kirch specified that grub2 would load only Linux kernels signed by a SUSE key. But was this an actual SUSE-signed key or was Kirch generically referring to any key that the bootloader could use to get into SUSE? Earlier in the blog entry, he specified the possibility of more than one approach.

"There are two ways of getting there. One is to work with hardware vendors to have them endorse a SUSE key which we then sign the boot loader with. The other way is to go through Microsoft's Windows Logo Certification program to have the boot loader certified and have Microsoft recognize our signing key (i.e., have it signed with their KEK). We are currently evaluating both approaches, and may eventually even pursue both in parallel," Kirch wrote.

SUSE's drawn-out approach to outlining their solution also doesn't cover what openSUSE might be doing--Kirch was emphatic on that point. So, unlike Red Hat and Fedora, which seem to be in lock-step on their Secure Boot solutions, there is a chance that SLES and openSUSE may have different approaches. That may not make much of a difference overall, since the end result is the same, but it does speak to the streak of independence within the openSUSE community.

Eventually, we will learn everything about the SUSE solution, at which point all three major commercial Linux vendors will have weighed in. Just tune in for the next installment on the SUSE Blog, same lizard-time, same lizard-channel.

Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe.
