The Linux Foundation has revealed that it will acquire a Microsoft Key to sign a small pre-bootloader. The pre-bootloader will load a pre-designated bootloader, which will in turn boot Linux or any other operating system. This satisfies Microsoft’s ‘Secure Boot’ requirement, under which only software signed with a particular cryptographic certificate can boot.
The Linux Foundation’s solution is more or less general purpose, serving both Linux distributions and other non-Microsoft operating systems. The Foundation is not planning to build a full-fledged bootloader; instead it has produced a minimal bootloader, which will be signed. This minimal bootloader will transfer control to any other bootloader, signed or unsigned, enabling users to boot the operating system of their choice.
“...the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)”, reads the Linux Foundation website.
To address the risk of unauthorized use of the minimal bootloader, the software will present a splash screen and require user input before it actually boots. This averts the risk of silent installations, thereby eliminating the possibility of the system’s control being transferred to a rootkit.
“The pre-bootloader will employ a ‘present user’ test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems”, notes the Linux Foundation on its website.
The source code of the pre-bootloader is available here.