The Linux Foundation’s UEFI Secure Boot Pre-Bootloader Rewritten to Boot all Linux Versions

The reason for modifying the pre-bootloader was that the current version of the loader would not work with Gummiboot. The simple reason is that Gummiboot was designed to be as small as possible rather than a bulky loader, and to take full advantage of the services the UEFI platform already provides.

Explaining in a blog post why Gummiboot will not work with the original pre-bootloader, James Bottomley notes that because Gummiboot was designed to be a minimal loader “it boots kernels using BootServices->LoadImage(), which means that the kernel to be booted is run through the UEFI platform secure boot checks.” Further, the original pre-bootloader had been written using “PE/Coff link loading to defeat the secure boot checks.”

So why is this a problem? Explaining the issue, Bottomley notes: “this means that something run by the Pre-BootLoader must also use link loading to defeat the secure boot checks on anything it wants to load and thus, Gummiboot, which is deliberately not a link loader, won’t work under this scheme.”

This is the reason a rewrite of the pre-bootloader was required, and it now supports booting all versions of Linux. The redesigned bootloader has already been submitted to Microsoft for signing, and once the signed version is received, The Linux Foundation is planning to provide it for free.

More information about this can be found in the presentation slides [PDF] by Bottomley.