All Linux OS developers can now implement Secure Boot in their distros!
Matthew Garrett, ex-power management and mobile Linux developer at Red Hat, proudly announced last evening, November 30, that a usable release of the Secure Boot bootloader is now available for download.Dubbed shim, this software is designed for all Linux-based operating system that want to support secure boot and that do not want to get in cahoots with the greedy Microsoft Corporation.
“As of 17:00 EST today, I am officially (rather than merely effectively) no longer employed by Red Hat, and this binary is being provided by me rather than them, so don't ask them questions about it."
"Special thanks to everyone at Suse who came up with the MOK concept and did most of the implementation work - without them, this would have been impossible.” said Matthew Garrett in the blog announcement.
Therefore, if you are a Linux distribution developer and want to include the Secure Boot bootloader in your operating system, get the shim archive from here, rename the shim.efi file to bootx64.efi and drop it in the /EFI/BOOT folder from your UEFI install media.
Moreover, you will also need to put the MokManager.efi file in the /EFI/BOOT folder as well, while making sure that the name of your boot loader binary is grubx64.efi, which should also be placed in /EFI/BOOT.
After that, you will need to generate a certificate and drop the public half as a binary DER file on your UEFI install media.
“On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts.”
“Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.” continued Matthew Garrett in the announcement.