They use a small «shim» boot
loader signed by Microsoft, which in turn confirms the main boot loader was signed by the Linux distribution before loading it.
The Microsoft - signed shim checks to ensure it's booting a boot
loader signed by the Linux distribution, and then the Linux distribution boots normally.
Not exact matches
The UEFI firmware won't check to ensure you're running a
signed boot
loader, and anything will boot.
It's the second, optional key that Microsoft uses to
sign Linux boot
loaders.
On Intel x86 PCs, you'll be able to add your own security keys to the UEFI firmware, so you could even have your system boot only secure Linux boot
loaders that you've
signed.
Microsoft actually
signs Canonical's Ubuntu boot
loader and Fedora's boot
loader with a Microsoft corporation key.
When you boot a new Windows 8 PC, the Secure Boot feature in the UEFI firmware checks the operating system
loader and its drivers to ensure they're
signed by an approved digital signature.
These PCs ship with Microsoft's keys preinstalled, so they're effectively checking Microsoft has
signed the boot
loader before allowing it to boot.
While Microsoft does
sign Linux boot
loaders with a Microsoft key, these boot
loaders are
signed with a separate key from the one Microsoft uses to
sign Windows.