[manjaro-dev] secure boot. What to do?

kendell clark coffeekingms at gmail.com
Wed Mar 23 10:28:35 CET 2016

Hi all,
I've recently been involved in a serious discussion on the Sonar support
list about how well or not Sonar and Manjaro work with computers with
Secure Boot turned on. I do have a machine with UEFI firmware, but not
with Secure Boot. One of my users brought up the possibility of Manjaro
getting a key to sign its boot loader and Sonar using this key, since
we are a version of Manjaro with pre-configured accessibility packages.
Is this a possibility? I know it costs money, and I'd be willing to put
up most or all of the fee if this is required. Another option is to use
the Linux Foundation's key to sign bootloaders with, allowing firmware
to detect and load Linux. I do know that we use the prebootloader shim,
which is supposed to be signed with a valid key and which loads GRUB, which
then boots Manjaro/Sonar. I'm not at all sure how well this works. In
addition, I've installed the lockdown-ms package from the community
repository on all of our images, which is supposed to mimic a locked
down Windows install to trick firmware into thinking it's loading
Windows, but again, I don't know if this works. I'd like to make
whatever changes are necessary to allow Sonar and Manjaro to work with
Secure Boot easily, preferably with no configuration necessary on the
users' part. This is largely because turning off Secure Boot, or messing
with UEFI firmware settings, is, and likely always will be, an
inaccessible process, and it causes a lot of users to whine, complain and
generally make a nuisance of themselves if told to do so. I'm not sure
what to do, which is why I'm writing the list. What are my options? Is
there something I can do right now to improve Sonar's support for Secure
Boot, assuming it doesn't work well natively? With the release of
Windows 10, Microsoft has all but made Secure Boot mandatory, so this
has gone from something that should have been done but wasn't critical
to something that has to be done, or we won't be able to work with a lot
of the new computers being released.
Kendell Clark
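As an added example, not code from the original message or from the Manjaro or Sonar projects, here is a small POSIX shell script that checks the two things the message is unsure about: whether the firmware is actually enforcing Secure Boot, and what the shim -> GRUB chain on the EFI system partition looks like. It assumes (hypothetical for this example) that the ESP is mounted at /boot/efi with the distribution's images under /boot/efi/EFI/Manjaro, and it uses sbverify from sbsigntools to list signers where that tool is installed; the SecureBoot variable path is the standard EFI global variable as exposed by efivarfs.

```shell
#!/bin/sh
# Added example, not code from the original post or from Manjaro/Sonar:
# report the firmware's Secure Boot state and inspect the shim -> GRUB
# chain on an installed system. Assumptions (hypothetical for this example):
# the ESP is mounted at /boot/efi and the distro's EFI directory is
# /boot/efi/EFI/Manjaro; sbverify (sbsigntools) is used when available.

# efivarfs exposes SecureBoot as a 5-byte file:
#   bytes 0-3: variable attributes (little-endian UINT32)
#   byte  4  : value, 1 = Secure Boot enforced, 0 = not enforced
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# sb_state_from_file FILE: print "enabled", "disabled" or "unknown".
# "unknown" also covers a BIOS/CSM boot, where efivarfs has no such file.
sb_state_from_file() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    # skip the 4 attribute bytes, read the value byte as an unsigned decimal
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# is_pe FILE: true if FILE starts with the "MZ" magic of a PE/COFF image,
# the only format UEFI firmware will load (and that Authenticode can sign).
is_pe() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = MZ ]
}

# sb_chain_report DIR: for each stage of the shim chain, say whether the
# image is there, whether it is a PE image, and (if sbverify is installed)
# which certificates signed it. Under Secure Boot the firmware must accept
# shim's signature (on retail hardware, from the Microsoft UEFI CA), and
# shim must accept GRUB's (its built-in vendor certificate or an enrolled
# MOK). mmx64.efi is shim's MokManager, used to enroll such a key.
sb_chain_report() {
    dir=$1
    for name in shimx64.efi grubx64.efi mmx64.efi; do
        p=$dir/$name
        if ! [ -f "$p" ]; then
            echo "$name: missing from $dir"
        elif ! is_pe "$p"; then
            echo "$name: present but not a PE image, firmware will reject it"
        elif command -v sbverify >/dev/null 2>&1; then
            echo "$name: PE image, signers:"
            sbverify --list "$p" 2>&1 | sed 's/^/    /'
        else
            echo "$name: PE image (install sbsigntools to list its signers)"
        fi
    done
    return 0
}

main() {
    echo "Secure Boot: $(sb_state_from_file "$SB_VAR")"
    sb_chain_report "${1:-/boot/efi/EFI/Manjaro}"
}

main "$@"
```

Run it as root on the installed machine (optionally passing a different EFI directory as the first argument). The first line is the one to look at when reading a user's test report: a machine that reports "disabled" verifies nothing at all, so "it boots fine with Secure Boot off" says nothing about whether the shim chain is signed correctly. With Secure Boot enabled, `sbverify --list` shows which certificates each image actually carries, which is what decides whether the firmware will run shim and whether shim will hand off to GRUB; `mokutil --sb-state` gives the same first answer on systems where mokutil is installed.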

