The system must have an Ubuntu key preinstalled in each of KEK and db

It must be possible to disable secure boot

It must be possible for the end user to reconfigure keys

Canonical could offer a signing service. Expensive and awkward, but obviously achievable. However, this isn't a great solution. The Authenticode format used for secure boot signing only permits a single signature. Anything signed with the Ubuntu key cannot also be signed with any other key. So if, say, Fedora wanted to install on these systems without disabling secure boot first, you'd need to have two sets of install media - one signed with the Ubuntu key for Ubuntu hardware, one signed with the Microsoft key for Windows hardware. Require that ODMs include the Microsoft key as well as the Ubuntu key. This maintains compatibility with other operating systems.

A couple of people have asked me about the Ubuntu ODM UEFI requirements , specifically the secure boot section. This is aimed at hardware vendors who explicitly want to support Ubuntu, so it's not necessarily the approach Canonical will be taking for installing Ubuntu on average consumer hardware. But it's still worth looking at.In a nutshell, the requirements for secure boot are:It's basically the same set of requirements as Microsoft have, except with an Ubuntu key instead of a Microsoft one.The significant difference between the Ubuntu approach and the Microsoft approach is that there's no indication that Canonical will be offering any kind of signing service. A system carrying only the Ubuntu signing key will conform to these requirements and may be certified by Canonical, but will not boot any OS other than Ubuntu unless the user disables secure boot or imports their own key database. That is, a certified Ubuntu system may be more locked down than a certified Windows 8 system.(Practically speaking this probably isn't an issue for desktops, because you'll need to carry the Microsoft key in order to validate drivers on any PCI cards. But laptops are unlikely to run external option ROMs, so mobile hardware would be viable with only the Ubuntu key)There's two obvious solutions for this:This kind of problem is why we didn't argue for a Fedora-specific signing key. While it would have avoided a dependence on Microsoft, it would have created an entirely different kind of vendor lock-in.Update: Canonical have now provided their full plans . They won't be providing a signing service, but will be requiring that all Ubuntu-certified hardware ship with the Microsoft key