Ticket #1152 (new task) — at Version 3

Opened 12 years ago

Last modified 11 years ago

Deal with Secure Boot on Windows 8-era hardware

Reported by: achernya
Owned by:
Priority: high
Milestone: Current Semester
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description (last modified by geofft)

Windows 8 requires that all hardware shipped with it pre-installed have Secure Boot enabled. This means that all hardware will use UEFI and a database of trusted keys. The trusted key will, of course, be Microsoft's. With Secure Boot enabled, BIOS-compatible booting will be disabled.

This means that there will be additional hassle with new hardware bought for the clusters. For now, an option is to go into the UEFI settings and disable Secure Boot, but there is no guarantee that this will work as expected, or will continue to be an option.

Alternatively, we could do as Fedora did, and pay $99 for a Microsoft-signed key to sign our distributions. This is a one-time fee. This is not ideal, as then we have to deal with yet another credential, but it beats sitting and waiting for Upstream to deal.

Change History

comment:1 Changed 12 years ago by jdreed

This has been incorporated into the current discussions regarding the next supported Dell configuration. No additional information at this time.

comment:2 Changed 12 years ago by geofft

It sounds like Ubuntu's plans for secure boot involve only locking down GRUB / the preboot environment, and I haven't heard that they've changed their minds on that. So we shouldn't particularly need to care in that respect, and our machines should boot up fine (and load custom kernel modules fine).

In any event, SUSE is getting an MS-signed loader that lets you specify what you want to boot, so in the worst case, we can use that. I doubt it'll come to that, though.

The one thing we will need to care about is PXE, because as far as I can tell, there's no way to differentiate a BIOS machine and a UEFI machine on the PXE server side, and you can only send down one image, and a Secure Boot UEFI machine will not allow BIOS-compatibility booting. So we'll probably need to add a new "Debathena (UEFI)" PXE option.

I imagine this will affect booting the Windows installer over PXE too, so we should check with network and see what their plans are here.

comment:3 Changed 12 years ago by geofft

  • Description modified