Under the foundation's plan, the organization will obtain a Microsoft key to use on a new piece of software called a pre-bootloader. When the computer is started, the pre-bootloader will load a program called a bootloader, which in turn will boot Linux or another operating system. The pre-bootloader will require a user to be present at the time it is run. The foundation will post the key and bootloader for anyone to use at no cost.
Board member Bottomley admitted that this approach provides no security protections.
"The current pre-bootloader ... provides no security enhancements over booting Linux with UEFI secure boot turned off," Bottomley wrote in a blog post. "Its sole purpose is to allow Linux to continue to boot on platforms that come by default with secure boot enabled."
This approach is only a stopgap measure, Bottomley admitted. The foundation is still encouraging the major Linux distributions to develop approaches that take full advantage of UEFI to secure a machine.
Red Hat developer Matthew Garrett, who has followed the issue closely on behalf of Red Hat and Fedora, discounted the Linux Foundation approach, stating that it is "less useful" than the shim approach because it "will boot untrusted images as long as a physically present end-user hits a key on every boot."
The Linux Foundation approach "requires manual intervention at some level, and requires you to know what you are doing, which is perfectly fine for a Linux kernel developer," SUSE's Pfeifer said. In contrast, SUSE's shim approach "will be much more transparent unless you want to dive into it." The SUSE kernel will be signed, so it can take full advantage of UEFI.
"There are different approaches of doing things, and each has benefits and drawbacks," Pfeifer said. "There's nothing where UEFI and Linux wouldn't be able to get along very well."