The signing costs them far more than the money they take to do it. Why does no one else bother (other than Canonical)? The cost to do the certification.
MS wanted to help secure their OS so they have an incentive to have their bootcode signed to help protect against malware insertion, so they sign their code and offer a cheap way for others to get theirs signed.
Just as MS are not the ideal signing body in others' eyes, the same can then be said of many CAs (I am not inferring that they are, just stating that if one isn't suitable what makes the others suitable instead); there have been breaches of trust with some CAs.
See Timeline of Certificate Authority Failures - SSLMate
As for the UEFI specs it isn't MS who alone have input to the Standard, there is enough info out there to see that MS are only part of the membership and they have implemented for their OS the keys, anyone else, as I keep repeating can go ahead and do the same, i.e. they can become a key signer and ask the Motherboard manufacturers to put the keys in the UEFI (they just don't do that as their choice and not some MS conspiracy to lock them out)... Canonical do now and decided to use shim to load their keys if needed but no one else. SB is part of the Standard, and the way it is designed it is found in the UEFI and that is decided by a whole lot of people in the Industry. If you want to use an unsigned distro or other OS turn off SB.
No it isn't more difficult for others, they just don't choose to be key signers and get their own keys to enroll them... that isn't MS that is the barrier... the barrier are the ones who don't want to be key signers. Why isn't the UEFI organisation/forum doing it, I guess because they don't want to as a forum to be key signers/CA.
That was an IBM thing when they started the PC revolution, they used IBM DOS (provided by MS)... they could have used anything they wanted but they didn't.
Intel not MS still own the patent on EFI 1.0, the forerunner to UEFI, and that isn't MS again.
For a lot more UEFI information, people should read the UEFI Organisation's pages
https://uefi.org
https://uefi.org/board
https://uefi.org/members
From the FAQs page of the UEFI site
" What is UEFI?
UEFI stands for “Unified Extensible Firmware Interface.” The UEFI Specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.
What is the UEFI Forum?
Through a collaborative approach with world-class companies, institutions and experts, the UEFI Forum advances innovation in firmware technology standards. These extensible, globally-adopted UEFI specifications bring new functionality and enhanced security to the evolution of devices, firmware and operating systems.
What problem is the UEFI Forum trying to solve with the UEFI Specification?
The UEFI Specification provides interfaces and mechanisms to allow for support of new technologies, improved development, and enhanced customer experience during the time before the operating system loads. The UEFI Specification has benefits for both the business and consumer end-user. Across multiple interfaces, the Specification supports a more secure system, a faster boot time, improved performance, platform feature innovation and a quicker, more cost-effective time-to-market product shipment. With regard to security, UEFI Secure Boot helps defend against malware attacks before the operating system loads.
For developers, the UEFI Specification increases efficiency because they allow developers to reuse code. In contrast to prior coding structures, UEFI standards allow for extensibility, modularity and easy prototyping during development.
The UEFI Forum promotes the implementation of the UEFI Specification by BIOS vendors, operating system vendors and add-in card vendors.
What is the relationship between EFI and UEFI?
The UEFI specification is based on the EFI 1.10 specification published by Intel®, with corrections and changes managed by the UEFI Forum. Intel still holds the copyright on the EFI 1.10 specification, but has contributed it to the Forum so that the Forum can evolve it. There will not be any future versions of the EFI specification, but customers who license it can still use it under the terms of their license from Intel. The license to the Unified EFI Specification will come from the Forum, not from Intel.
Can all systems disable UEFI Secure Boot?
While it is designed to protect the system by only allowing authenticated binaries in the boot process, UEFI Secure Boot is an optional feature for most general-purpose systems. By default, UEFI Secure Boot can be disabled on the majority of general-purpose machines. It is up to the system vendors to decide which system policies are implemented on a given machine. However, there are a few cases—such as with kiosks, ATM or subsidized device deployments—in which, for security reasons, the owner of that system doesn't want the system changed.
Can UEFI Secure Boot be adopted and implemented by a variety of operating systems?
UEFI specifications are platform-independent, supporting multiple platforms and architectures. In addition, UEFI specifications are designed to promote cross-functionality, as well as to support broad adoption across multiple operating systems, including Windows as well as Linux-based operating systems. The specifications are robust and can potentially complement—or even advance—other distributions, such as Linux-based distributions.
What are the benefits of UEFI specifications?
UEFI specifications have benefits for both the business and consumer end-user. Across multiple interfaces, they support a more secure system, faster boot times, innovation and a faster time-to-market. In contrast to prior coding structures, UEFI standards allow for extensibility, modularity and easy prototyping during development. The UEFI Forum promotes the implementation of UEFI specifications by BIOS vendors, operating system vendors and add-in card vendors. UEFI specifications promote more efficient development because they allow developers to reuse code during the building process.
How do UEFI specifications differ from BIOS?
BIOS is typically used to refer to an Intel® Architecture firmware implementation rooted in the IBM PC design. Based on older standards and methods, BIOS was originally coded in 16-bit real mode x86 assembly code and remained substantially unchanged until its recent decline in use.
By contrast, UEFI standards reflect the past 30 years of PC evolution by describing an abstract interface set for transferring control to an operating system or building modular firmware from one or more silicon and firmware suppliers. The abstractions of UEFI Forum specifications are designed to decouple development of producer and consumer code, allowing each to innovate more independently and with faster time-to-market for both. UEFI also overcame the hardware scaling limitations that the IBM PC design assumed, allowing its broad deployment across high-end enterprise servers to the embedded devices. UEFI is “processor architecture-agnostic,” supporting x86, x64, ARM and Itanium.
Do UEFI specifications completely replace the BIOS?
The UEFI specifications define an interface and the BIOS refers to a specific implementation of the firmware that initializes the platform and loads an OS setup. UEFI specifications define an interface in which the implementation of UEFI performs the equivalent of the BIOS, by initiating the platform and loading the operating system.
How is UEFI implemented on a computer system?
Today, UEFI implementation enables the ability for modern, high-level programming principles to be applied to the firmware space. There are many possible implementations of UEFI that encourage code reuse, modularization, flexibility and modernization. UEFI specifications contain interfaces that streamline and aid in firmware innovation by promoting interoperability between devices, software and systems. One typical implementation is done in high-level C programming language, which is fundamentally different than the Legacy BIOS by encouraging the use of modern software practices.
Is there a charge to use the UEFI specification?
There is no charge for use of the specification itself. The promoters of UEFI specifications have agreed that any IP needed to implement the specification will be made available on reasonable and non-discriminatory terms."