
URL: https://www.phoronix.com/news/MTEzNjU


Debian Developers Discuss UEFI SecureBoot Plans

Written by Michael Larabel in Debian on 9 July 2012 at 09:54 PM EDT. 28 Comments
Debian developers today at DebConf 12, aside from talking about the future Debian codename, discussed what to do about UEFI booting for Debian Linux.

UEFI is a hot discussion topic right now with Microsoft Windows 8 approaching that mandates UEFI SecureBoot support, uncertainty about how different OEMs will implement SecureBoot, different Linux distributions taking distinctly different approaches to supporting the controversial technology, and all around this just being another headache for Linux developers and distribution vendors.

While the room was full of Debian developers in Managua, Nicaragua, nothing really new came out of the discussion. If you've been keeping track of Matthew Garrett's blog posts, talks, and other information concerning SecureBoot on Linux, you didn't miss out on much from this Debian talk.

The developers went over the UEFI SecureBoot state, the approach Fedora is going with, the major UEFI SecureBoot work being done by Red Hat's Matthew Garrett, SecureBoot on QEMU-KVM virtualization, and Ubuntu's controversial approach.

While this work was discussed, nothing genuinely new was brought up during the 45-minute discussion. It's still not decided what approach Debian will ultimately support, whether it's like Fedora using GRUB2 and signing the entire stack, Ubuntu using efilinux and only signing the low-level bits, or some entirely new approach for handling EFI/SecureBoot. However, something has to be decided for Debian 7.0 "Wheezy" seeing as when it ships early next year there will be a number of motherboards and PCs shipping with this headache-inducing technology.

Canonical also participated in the discussion, during which they continue to insist that the best legal advice they have is that it's still too dangerous to ship GRUB2 with their secure key, contrary to what the Free Software Foundation recently claimed.


Coming up tomorrow at this Debian event in Managua will be discussions of multi-arch cross-building, a Debian derivatives BoF, building Debian with the LLVM/Clang compiler, an ARM ports update, supporting ARM AArch64 as the 64-bit ARMv8 architecture, and integrating Emdebian into Debian.

Embedded below are the official notes from the EFI in Debian session.
== EFI in Debian ==

Please take notes here
What do we do?
Two parts to this:
EFI boot itself
* easy - not trivial, not implemented in installer/debian-cd yet.
* SMOP
Secure boot
* what's the least bad way?
Others:
* Fedora - RedHat
  * Everything signed
  * Full signing of the kernel stack. You even have to sign modules, so it complicates stuff for things like DKMS.
* Ubuntu - Canonical
  * not persuaded that it is safe to use GPLv3 bootloaders - differs from FSF view of the issue under best current legal advice with respect to their pre-installed requirements in-house.
  * for now avoids going the path of fully signing the kernel stack
  * for now: prevent the user from having anything to do with BIOS, SecureBoot key handling, etc.
* FSF
  * Tend to think that GPLv3 issues (such as risking the obligation to release private key content) are either not an issue or that the license can be changed to avoid them

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.