Ticket #1152 (new task)

Opened 9 years ago

Last modified 8 years ago

Deal with Secure Boot on Windows 8-era hardware

Reported by: achernya Owned by:
Priority: high Milestone: Current Semester
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description (last modified by geofft)

Windows 8 requires that all hardware shipped with it pre-installed have Secure Boot enabled. This means that all hardware will use UEFI and a database of trusted keys. The trusted key will, of course, be Microsoft's. With Secure Boot enabled, BIOS-compatible booting will be disabled.

This means that there will be additional hassle with new hardware bought for the clusters. For now, an option is to go into the UEFI settings and disable secure boot, but there is no guarantee that this will work as expected, or will continue to be an option.

Alternatively, we could do as Fedora did, and pay $99 for a Microsoft-signed key to sign our distributions. This is a one-time fee. This is not ideal, as then we have to deal with yet another credential, but it beats sitting and waiting for Upstream to deal.

Change History

comment:1 Changed 9 years ago by jdreed

This has been incorporated into the current discussions regarding the next supported Dell configuration. No additional information at this time.

comment:2 Changed 9 years ago by geofft

It sounds like Ubuntu's plans for secure boot involve only locking down GRUB / the preboot environment, and I haven't heard that they've changed their minds on that. So we shouldn't particularly need to care in that respect, and our machines should boot up fine (and load custom kernel modules fine).

In any event, SUSE is getting an MS-signed loader that lets you specify what you want to boot, so in the worst case, we can use that. I doubt it'll come to that, though.

The one thing we will need to care about is PXE, because as far as I can tell, there's no way to differentiate a BIOS machine and a UEFI machine on the PXE server side, and you can only send down one image, and a Secure Boot UEFI machine will not allow BIOS-compatibility booting. So we'll probably need to add a new "Debathena (UEFI)" PXE option.

I imagine this will affect booting the Windows installer over PXE too, so we should check with network and see what their plans are here.

comment:3 Changed 9 years ago by geofft

  • Description modified

comment:4 Changed 9 years ago by geofft

comment:5 Changed 9 years ago by geofft

So we'll probably need to add a new "Debathena (UEFI)" PXE option.

Wait, actually the menu itself is presumably a BIOS program, so we'll need to replace that menu entirely with a signed UEFI program.... this gets complicated.

The PDF above suggests some stupid tricks for hybrid BIOS/UEFI environments, like noting the MAC addresses of your UEFI machines.

comment:6 Changed 8 years ago by jdreed

I got a Dell 7010 the other day with a newer BIOS that does in fact support secure boot, but it appears to ship with it disabled because Windows 7.

comment:7 Changed 8 years ago by jdreed

OK, the 9020 AIOs are shipping with secure boot enabled. I suspect we can convince Dell to disable it for the cluster config. We in fact need to disable it in order to use our PXE server. My current plan is to do this. I don't have a better idea. I'll inquire about the possibility of our DHCP server handing out UEFI boot images, but I don't see that happening. I'm happy ("happy") to switch to a thumbdrive-based installer and give up on PXE, but we also need a supportable and scalable way of producing said thumbdrives.
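
On the question of a DHCP server handing out UEFI boot images, an added example (not from this ticket or the Debathena project): PXE clients report their firmware type in DHCP option 93 (Client System Architecture, RFC 4578), which a server can parse to pick a boot file per client. The boot file names and the sample option blobs are constructed assumptions.

```python
import struct

# DHCP option 93 values (RFC 4578). RFC 4578 and the IANA registry disagree
# on 7 vs 9, so both are treated as x64 UEFI here.
ARCH_NAMES = {0: "bios", 6: "uefi-ia32", 7: "uefi-x64", 9: "uefi-x64"}

# Hypothetical boot file names. Under Secure Boot the UEFI entry must be an
# image whose signature chains to a key in the firmware's trusted database.
BOOT_FILES = {"bios": "pxelinux.0", "uefi-x64": "debathena-uefi.efi"}

def parse_options(blob):
    """Parse a DHCP options field (after the magic cookie) into {code: bytes}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value   # RFC 3396 concatenation
        i += 2 + length
    return opts

def classify(blob):
    """Return (firmware type, boot file or None) for one client request."""
    opts = parse_options(blob)
    if not opts.get(60, b"").startswith(b"PXEClient"):
        return ("not-pxe", None)
    raw = opts.get(93, b"")
    if len(raw) < 2 or len(raw) % 2:
        return ("unknown", None)     # option absent or malformed: do not guess
    arch = struct.unpack("!H", raw[:2])[0]   # first listed type is preferred
    name = ARCH_NAMES.get(arch, "unknown")
    return (name, BOOT_FILES.get(name))

# Constructed option blobs (not captured traffic): message type DISCOVER,
# option 93, option 60 vendor class identifier, End.
BIOS_REQ = bytes([53, 1, 1, 93, 2, 0, 0, 60, 32]) + b"PXEClient:Arch:00000:UNDI:002001" + b"\xff"
UEFI_REQ = bytes([53, 1, 1, 93, 2, 0, 7, 60, 32]) + b"PXEClient:Arch:00007:UNDI:003016" + b"\xff"
```

A client that sends no option 93 is reported as unknown rather than defaulted to BIOS, so a Secure Boot machine is never handed an image it will refuse to run.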
