Secure Boot Hurdles

  • Hello everyone,

    I wanted to get some feedback on some different secure boot possibilities. As it stands now, CloneDeploy supports secure boot with the Windows Imaging Environment with PXE, USB, and ISO. The Linux Imaging Environment only supports secure boot with USB and ISO. My question is, does anyone care to have secure boot with PXE for the Linux Imaging Environment, or does everyone just turn it off anyway?

    Currently, major linux distros have a signed shim and grub2 bootloader that does work with normal pxe operations. Unfortunately they do not implement proxy offers and cannot work with CloneDeploy proxy dhcp.

    I have compiled these with fixes needed to work with CloneDeploy Proxy dhcp, but obviously they are not signed and will not work with secure boot. In order to get these signed, requires a business and a financial commitment. I have attempted to order a signing certificate but since I am not a business, I cannot. Here are the current options:

    1.) I need a volunteer with a business that can order this certificate for me.

    2.) I need to create my own business. Doing so would go against my mission, but I don't see many other choices. I would be forced to create a free and paid option for CloneDeploy. The paid option would include signed binaries for Secure Boot and possibly supportive services.

    3.) Leave everything alone, and just disabled secure boot on the pc's. I feel that eventually this option won't exist. Eventually all computers will require secure boot and you won't be able to disable it. Thus, ending CloneDeploy.

    Any thoughts?

  • I agree with you on option 3; Secure boot is definitely not going away. Even though it goes against your original idea for CD, I think #2 is the most viable option though I could see support becoming a burden.

  • I'm still fine with option 3. We've been disabling Secure Boot on our machines for some time now, not that big of a deal. If the issue arises where signed binaries are mandatory then so be it. By then you will have enough people (if not already) invested in your product to make the leap to a paid version.

  • I always disable secure boot on new computers, option 3 works just fine for me.

  • I would like to make a fourth suggestion:

    4.) Become a 501(c)3 nonprofit organization (such as Fedora) and run a fundraiser to pay for the certification. From what I'm gathering, an EV cert would cost about $200-$300/year depending on who issues it. That would easily be funded from an online fundraiser with a cap so it only goes to pay for the certificate. In my opinion, may be easier than running a company with a free\paid service(s)

  • Have a paid for version.

    I wouldnt mind paying you 20$ a month if you update and support he software.

  • Create the free and paid versions. I don't think it will hurt with the core mission at all. It may actually help in some way. If you tell people they have to pay (or work) for something it can bring respect.

  • Sounds like this will come down to how strongly you feel about making this awesome free product (your mission) versus having an official business. Working in a school district I'm used to being forced to pay for software. I never imagined a software engineer being forced to charge for it! Regardless of your decision you've done some great work and your support is unmatched.

  • Thanks commenters to share your thoughts.