Shimming your way to Linux on Windows 8 PCs

While that meant dealing with Microsoft, it was as Garrett had written earlier, "Easy enough for us [Red Hat] to do, but not necessarily practical for smaller distributions." It's also, as The Linux Foundation has found, in its so-far failed attempts to obtain a universal Secure Boot key for Linux distributions, really not that easy at all.

What Garrett has done with his shim approach is to create a signed boot-loader that can add keys to its own database. This is built on SUSE's bootloader design. In the SUSE design, the boot-loader has its own key database, besides the UEFI specification's key database. The SUSE boot-loader then executes any second-stage boot-loaders signed with a key in that database. Since the boot-loader is in charge of its own key enrollment, the boot-loader is free to impose its own policy, including enrolling new keys off a Linux distribution's installation file-system.

Complete Story

Related Stories:

• Canonical proposes alternate UEFI Secure Boot solution(Jun 22, 2012)
• Implementing UEFI Secure Boot in Fedora - BY PAYING MICROSOFT?!(May 31, 2012)
• Making UEFI Secure Boot Work With Open Platforms(Oct 28, 2011)
• UEFI "Secure Boot" and Microsoft Windows 8: The danger for free software(Oct 17, 2011)
• Red Hat engineer renews attack on Windows 8-certified secure boot(Sep 27, 2011)
• Microsoft confirms UEFI fears, locks down ARM devices(Jan 15, 2012)