Dear (UEFI Forum, Trustworthy Computing Group, Intel):
For my birthday, I’d like to have a spreadsheet showing which Linux distributions support Trusted Boot, Measured Boot, and/or Secure Boot, and whether they support FWUpd.
For Secure Boot, the UEFI Certificate Authority has the data, but they’re not showing the list of signed bootloaders.
For the certs, it’d be useful to know WHO signed it. The default UEFI CA (Microsoft) may be the signer, but some distros will go another route.
I’d like to know if their Secure Boot key is up-to-date. Today I’d have to access the dbx blacklist tool. On Red Hat, I could use dbxtool. On other distros, no tool to help AFAIK. Again, the UEFI CA would have this data and could put it in a human-readable spreadsheet; the DBX blacklist file hosted on uefi.org is not human-readable. There should be pointers to their keys and how to test them, something to replace the lack of CRL/OCSP for firmware certs.
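To make a dbx dump readable without dbxtool, here is an added example (not from the original post, and not dbxtool’s code) that parses the EFI_SIGNATURE_LIST format that db/dbx use and prints each revoked SHA-256 hash or certificate. It assumes the variable is read from efivarfs at the standard dbx path, and is tested against a constructed sample list rather than a real dbx.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec (hash entries and DER certificates).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# dbx lives under EFI_IMAGE_SECURITY_DATABASE_GUID in efivarfs.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_esl(data: bytes):
    """Return (signature_type, owner_guid, payload) for every entry in a
    concatenation of EFI_SIGNATURE_LISTs. Each list is a 16-byte type GUID,
    then SignatureListSize, SignatureHeaderSize, SignatureSize (all u32),
    an optional header, and fixed-size signatures of owner GUID + data."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError(f"truncated signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def describe(entries):
    """Human-readable one line per entry, e.g. for a spreadsheet."""
    lines = []
    for sig_type, owner, payload in entries:
        if sig_type == EFI_CERT_SHA256_GUID:
            lines.append(f"sha256 {payload.hex()} owner={owner}")
        elif sig_type == EFI_CERT_X509_GUID:
            lines.append(f"x509 DER {len(payload)} bytes owner={owner}")
        else:
            lines.append(f"unknown type {sig_type} ({len(payload)} bytes)")
    return lines

def build_sha256_esl(owner: uuid.UUID, hashes):
    """Constructed sample list (for testing), built the same way firmware stores it."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

def read_dbx(path=DBX_PATH):
    # efivarfs prefixes the variable data with 4 bytes of attributes; skip them.
    with open(path, "rb") as f:
        return parse_esl(f.read()[4:])

if __name__ == "__main__":
    print("\n".join(describe(read_dbx())))
```

The dbxupdate.bin published on uefi.org is additionally wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header (timestamp plus PKCS7 signature) that must be stripped before the lists above start.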
Extra points if you can clarify how well the distro supports Secure Boot. When enabled, Fedora won’t let unsigned kernel drivers load, but Ubuntu will only disable unsigned drivers during the boot process but will run them post-boot. So, security-minded users would want to use Fedora instead of Ubuntu, until Ubuntu fixes this security hole.
Today, the only way I know of to get a clue whether a distro may support Secure Boot is by checking:
It would probably be nice to include ALL operating systems, not just Linux distros. FreeBSD now has some Secure Boot support.
It would also be nice to note which bootloader the distro uses (e.g., GRUB2, rEFInd, or something else).
FWUpd support data is, at least, publicly available.
Thanking you in advance! 🙂