[arch-general] Secure Boot Support

kristof saposcat at myopera.com
Mon Dec 3 20:51:35 EST 2012

Now that Matthew Garrett's shim is fully featured and publicly available,  
will Arch be implementing support for secure boot in the near future?

For those who haven't seen the news yet:  
http://mjg59.dreamwidth.org/17542.html and  
http://mjg59.dreamwidth.org/20303.html give a pretty in-depth description  
of how to implement this distro-generic solution to secure boot.

More technical details on the shim are available here:  

Finally, I found this OpenSUSE dev post pretty helpful in understanding  
how the MOKs work but it's not a necessary article to read:  

The only work necessary on the packager's part is using Peter Jones'  
signing tool to sign GRUB2, kernel modules, and the Arch Linux distributed  
kernel binaries with an Arch Linux "key" that the users would place into  
the shim's trusted key database. This isn't any more cumbersome than the  
current package signing procedures, and I think it would go a long way to  
be one of the first distributions to support secure-boot without having to  
fiddle with the UEFI.

A final note: the shim currently only supports x86_64 machines and it's  
unknown if Garrett will ever work on a 32-bit binary. That, on top of the  
fact that Garrett won't be working on an ARM solution because of licensing  
issues, means that secure boot would simply be an Arch64 specific feature.

I'd really like to hear the community's thoughts on this.

More information about the arch-general mailing list