How to understand Ubuntu UEFI Secure Boot install?

Probably start here: help.ubuntu.com/community/UEFI

UEFI (~EFI) is a firmware interface that is widespread on recent computers, especially those more recent than 2010. It is intended to replace the traditional BIOS firmware interface that is prevalent on earlier machines. This page provides information about installing and booting Ubuntu using EFI, as well as about switching between EFI mode and legacy BIOS mode using Ubuntu.


UPDATE:

Ubuntu 12.10 is intended to be able to be used with Secure Boot.

Softpedia (Sep-2012) >> Canonical Unveils Plans for Ubuntu 12.10 Secure Boot

Canonical, through Jon Melamut, announced on September 20th that they plan to implement support for Secure Boot in the upcoming Ubuntu 12.10 (Quantal Quetzal) operating system.

Therefore, after a discussion with the Free Software Foundation, Canonical decided to drop the EFILinux bootloader implementation in favor of the GRUB2 bootloader one, signed with their own keys. ..

Muktware (Oct-2012) >> SecureBoot In Ubuntu 12.10

Ubuntu 12.10 is the first distro that supports the Secure Boot architecture by default. Canonical developers have spent a huge amount of time making sure that Ubuntu runs fine and without problems on all hardware. Steve Langasek, an Ubuntu developer, has put forward a nice account on his blog of how they are making Secure Boot supported.

closes with ..

Langasek says that they will backport the Secure Boot mechanism to the Ubuntu 12.04 release as well, so that the LTS version can be installed on Secure Boot devices. So the next major service pack of Ubuntu Precise (12.04.2) will include support for Secure Boot.


There is a problem on some machines, particularly laptops: they don't appear to have the "Microsoft Windows UEFI Driver Publisher" public key installed in their BIOS to allow the signed Ubuntu boot loader (and other UEFI software such as ours) to run with the Secure Boot option enabled. This is NOT the same key that Microsoft uses to sign their own UEFI Windows Boot Manager, and it appears that some BIOS implementations only have this Microsoft-exclusive public key.

The solution is either:

  1. For Microsoft to sign third party UEFI binaries with the SAME key as they use for their own bootloader.

  2. For BIOS vendors/computer hardware motherboard manufacturers to make sure they include the data to allow "Microsoft Windows UEFI Driver Publisher" signed binaries to work correctly.

On a Windows 8 machine, enter Mountvol Z: /S in an elevated (administrator) command prompt. Then in the command prompt do:

copy Z:\EFI\Microsoft\Boot\*.efi    C:\test

Where Z is an unused drive letter.

You can then check in the (already created) C:\test folder the digital signatures on the Microsoft .efi files and see that the name of the key is different from the key they used to sign the Ubuntu boot loader.

The Ubuntu boot files can be found in X:\EFI\Boot where X is the CD drive letter.

This needs sorting out, and sorting quickly.

Our research indicates that of the laptops tested so far, only ASUS laptops have the correct keys installed in their BIOS, but we haven't yet managed to check every one. I am not mentioning here the names of machines which won't work, but one has a similar name to the one which does!
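An added example (not from the original post, and not Canonical's or Microsoft's code) that automates the check the post describes, in PowerShell on Windows 8 or later from an elevated prompt. It first reads the firmware's Secure Boot `db` variable with the built-in `Get-SecureBootUEFI` cmdlet and parses the EFI_SIGNATURE_LIST records to list the X.509 certificates the firmware actually trusts, then repeats the post's mount/copy steps and prints the signer subject and issuer of Microsoft's boot files next to the Ubuntu loader on the install medium. The drive letters Z: and X: and the folder C:\test are the post's hypothetical ones; the name "Microsoft Corporation UEFI CA 2011" is the issuing CA of the "Microsoft Windows UEFI Driver Publisher" signer, stated here from my own knowledge rather than from the page.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell on Windows 8+.
# Assumptions (hypothetical, taken from the post): Z: is a free drive letter, X: is the
# Ubuntu install medium, and C:\test is a scratch folder.

function Get-EfiSignatureListCerts {
    # Parse a blob of EFI_SIGNATURE_LIST records (the format of the db/dbx/KEK variables)
    # and return every X.509 certificate found as an X509Certificate2 object.
    param([byte[]]$Data)

    # EFI_SIGNATURE_LIST: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32 |
    #   SignatureSize u32 | SignatureHeader[SignatureHeaderSize] | EFI_SIGNATURE_DATA[]
    # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData (a DER certificate for X.509 entries)
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $certs  = @()
    $offset = 0
    while ($offset + 28 -le $Data.Length) {
        $type       = New-Object System.Guid -ArgumentList (,[byte[]]($Data[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Data, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Data, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Data, $offset + 24)
        $end = $offset + $listSize
        # Stop on a malformed list rather than loop forever or read past the buffer.
        if ($listSize -lt 28 -or $end -gt $Data.Length -or $sigSize -le 16) { break }
        $pos = $offset + 28 + $headerSize
        while ($pos + $sigSize -le $end) {
            if ($type -eq $x509Type) {
                $der = [byte[]]($Data[($pos + 16)..($pos + $sigSize - 1)])   # skip SignatureOwner
                $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            }
            $pos += $sigSize
        }
        $offset = $end
    }
    return $certs
}

# 1. Is Secure Boot on, and which CAs does the firmware trust? Ubuntu's signed loader chains to
#    "Microsoft Corporation UEFI CA 2011" (my own background knowledge, not from the post); if that
#    certificate is missing from db the loader is rejected even though Windows' own boot manager,
#    signed under a different Microsoft CA, still boots.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state not readable: $($_.Exception.Message)" }
$dbCerts = Get-EfiSignatureListCerts -Data (Get-SecureBootUEFI -Name db).Bytes
"Certificates in db:"
$dbCerts | ForEach-Object { "  {0}" -f $_.Subject }
$hasUefiCa = [bool]($dbCerts | Where-Object { $_.Subject -like '*Microsoft Corporation UEFI CA*' })
"Third-party (UEFI) CA present in db: $hasUefiCa"

# 2. Mount the EFI System Partition and copy Microsoft's own boot files, as in the post.
mountvol Z: /S
New-Item -ItemType Directory -Path C:\test -Force | Out-Null
Copy-Item -Path 'Z:\EFI\Microsoft\Boot\*.efi' -Destination C:\test
mountvol Z: /D

# 3. Show who signed each loader. The Status column reflects the Windows certificate store,
#    not the firmware db, so compare Signer/Issuer rather than relying on a 'Valid' status.
Get-ChildItem 'C:\test\*.efi', 'X:\EFI\Boot\*.efi' -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File   = $_.Name
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
    }
} | Format-Table -AutoSize
```

The "Microsoft Windows UEFI Driver Publisher" name from the post is the leaf signer you will see in the Signer column for the Ubuntu loader; what has to be present in the firmware's db is its issuer, which is why step 1 looks for the CA rather than the leaf. Step 3 lists Microsoft's own boot manager next to it so the different signer and issuer are visible side by side, which is the comparison the post asks you to make by hand.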