Linux Foundation struggles with Microsoft's Secure Boot signing service
Despite several attempts, the Linux Foundation's James Bottomley has not managed to get Microsoft to sign the mini bootloader for starting Linux on systems with UEFI Secure Boot. In a blog post, the Linux Foundation Technical Advisory Board (TAB) member says that he successfully managed to use a Linux system for various preparatory bootloader signing tasks, although Microsoft stipulates that a specific Windows platform must be used. However, Bottomley said that to upload the CAB file containing the bootloader, he had to use a virtual machine with Windows 7 because this step requires Silverlight, and the open source Moonlight implementation of Silverlight didn't work.
The developer wrote that, after being uploaded, the archive was supposed to complete a seven-step process. However, Bottomley said that the process got stuck at stage six, and that he enquired about the reasons for this six days later. Apparently, Microsoft's support team replied that the file is not a valid Win32 application, to which Bottomley responded by noting that obviously it isn't a Win32 application because it is a 64-bit UEFI binary – and says that he didn't receive any further reply. He reports that he then started a new signing process, managed to get further this time and eventually received an email with a signed bootloader – but that the email stated that the signing process had failed. When asked about this, Microsoft's support team reportedly told Bottomley that he shouldn't use the delivered file because it was incorrectly signed.
The developer concludes by saying that he is "still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader," adding that, "when that happens, it will get uploaded to the Linux Foundation website for all to use."
Two weeks ago at the LinuxCon Europe 2012 conference, Bottomley explained in a presentation (slides) why neither the UEFI Consortium nor the Linux Foundation, the hardware manufacturers or any of the Linux distributions have created their own certificate to sign the bootloader in the same way Microsoft does with VeriSign: Apparently, it's simply too expensive. According to Bottomley, the Foundation had negotiated with VeriSign to create a joint signature service – but that VeriSign had wanted several million dollars for such a service. The developer added that the Linux Foundation had also considered starting its own certification authority but had abandoned this plan because it would have required a huge effort and incurred high costs.
See also:
- State of Secure Boot detailed, a report from The H.
(crve)