What is UEFI and Secure Boot? How do they affect Ubuntu?

Solution 1:

To really understand how it affects users and Ubuntu, I think it's helpful to understand what UEFI is and what it changes, and then to discuss the features of Secure Boot and how it may affect installs:

UEFI is a specification that defines a software interface between an operating system and firmware.

It is designed to replace the BIOS. The BIOS is old, and it was designed for older hardware. It can only support a 16-bit processor mode, only 1 MB of addressable space, only boot a drive of at most 2 TiB, 4 partitions, etc. DOS and older OSes used to rely on the BIOS for basic I/O... but the boot loader's importance once an OS is running is greatly reduced today. Realize that many people will still refer to UEFI as the BIOS.

Some major changes with UEFI are:

  • Processor independent architecture and drivers

  • Network capability before the OS loads.

  • Since UEFI can be 64-bit, it can read all memory that can be addressed by a 64-bit computer.

  • A GUID Partition Table instead of an MBR, which allows more than 4 partitions and over 2 TiB from a boot drive (8 ZiB).

  • Provides runtime options for the OS, such as getting date/time/NVRAM access.

UEFI allows for SECUREBOOT:

Secure Boot stops drivers and OS loaders from being loaded by the firmware unless they are signed with a digital signature written to the firmware. This can be very useful for stopping rootkits. You can add more keys to allow other software to run in "Custom" mode.

That being said, you can read about lots of limitations of Secure Boot, how it can be used to allow one OS to dominate a system, etc. Because of this, Windows 8 required Secure Boot to be able to enter custom mode or be disabled to be Windows 8 certified. With it disabled, you lose all the benefits of Secure Boot but you can still use UEFI. With it in Custom Mode, you can add public keys which do not match the private key in the system so that other software can run besides just those with the private key.

For Ubuntu

When you install Ubuntu, if your system is set to boot in UEFI, it will install as an EFI.

As of Ubuntu 12.10, it has supported Secure Boot.

If you are adding Ubuntu as a 2nd OS, it's important to have the same type of OS as your boot loader (i.e. 64-bit or 32-bit). So if you have a 64-bit Windows and you boot UEFI, you should choose 64-bit Ubuntu. If you do not, it will not load. I tried to boot UEFI with a 32-bit Ubuntu (13.10) and couldn't even get it to read the USB until I disabled UEFI. I installed the 32-bit version with it disabled. When I realized my mistake, I reloaded the 64-bit Ubuntu to the key, enabled UEFI and it detected it great. I then reinstalled.

Using UEFI allows you to have lots of primary partitions when you install, so don't worry about guides that make you start using logical after you have 4 partitions.

Everything isn't perfect yet. For example, GRUB has an issue booting Windows 8 with Secure Boot. I can choose to boot from the Windows drive first, and it works fine. I can load GRUB first and boot Ubuntu under Secure Boot just fine. But when GRUB loads, it will not load Windows 8 with Secure Boot. Here is a good site about this issue, and at the bottom is the bug report, which is confirmed: http://falstaff.agner.ch/2012/12/18/ubuntu-12-10-and-windows-8-with-secure-boot-mode/
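
A quick way to check, on an installed Linux system, the two states the answer above distinguishes (booted through UEFI or not, Secure Boot enforced or disabled). This is an added example, not part of the original answer; the function names and the optional sysfs-root argument are assumptions of the example, while the efivarfs paths and the EFI global-variable GUID are the standard ones.

```shell
#!/bin/sh
# Added example (not from the original answer): report whether this Linux
# system booted through UEFI and whether Secure Boot is being enforced.

# GUID of the EFI global variable namespace defined by the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte NAME [SYSROOT]   (hypothetical helper name)
# Print the first data byte of a global EFI variable as a decimal number.
# Each efivarfs file is 4 bytes of attributes followed by the variable data.
efivar_byte() {
    f="${2:-/sys}/firmware/efi/efivars/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# Map a 0/1 variable value to a label; anything else is reported as unknown.
flag() {
    case "$1" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# boot_state [SYSROOT]   (hypothetical helper name)
# SYSROOT defaults to /sys; the parameter is an assumption of this example so
# the function can be pointed at a constructed directory tree for testing.
boot_state() {
    root="${1:-/sys}"
    if [ ! -d "$root/firmware/efi" ]; then
        # The kernel exposes this directory only when it was booted via UEFI.
        echo "legacy-bios"
        return 0
    fi
    sb=$(efivar_byte SecureBoot "$root") || sb=""
    # SetupMode=1 means no Platform Key is enrolled, so nothing is enforced yet.
    sm=$(efivar_byte SetupMode "$root") || sm=""
    echo "uefi secure-boot=$(flag "$sb") setup-mode=$(flag "$sm")"
}

boot_state
```

An `unknown` value usually means efivarfs is not mounted or the variable is not readable by the current user.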

Solution 2:

There was a plenary talk about that during UDS by Jeremy Kerr. The presentation was based on a document that he co-authored with Matthew Garrett and James Bottomley. You can find that document here.

My two cents are that it's a system to verify that the software you're using to boot your machine has been signed using an authorized signature available in an internal database. This isn't dangerous as long as there is a way for you to edit the database of valid signatures. However, a big industry player seems to want OEMs to include only one signature in the database and no way to update it, and that's the big problem, since no other OS would be able to boot on hardware to which those restrictions have been applied.