Closed Manouchehri closed 6 years ago
Instead of using GRUB et al, the rootfs should be merged into initramfs and the whole thing integrated into single EFI executable, which can then be signed in whichever way you want.
Every time I look into Secure Boot I feel like Alice going down the rabbit hole. In theory that is all that should be needed, but the tools seem to be missing or closely held.
@unya There has been some work done on making the PBA a uefi module but doing that doesn't solve the problem of M$ holding the only keys that can sign UEFI binaries unless additional signers are added by the user/vendor.
@r0m30 On any serious (professional) non-disposable system (usually not a mobile/tablet device), the end user has the ability to replace the keys. In fact, one of MS's security modes (up there in the highest security options) depends on this feature.
I am going to sign the binaries myself, for my own hardware. The tooling for this is widely available. The only thing MS holds is that "certified for Windows" machines (which nearly all are) need to have the Microsoft "KEK" keys: there are two, one for Windows and one for MS-signed 3rd-party software (like Canonical's shim).
@unya Yes, there is usually some method of adding keys to the UEFI, BUT it's not standard or user friendly. If you look through the issues you can see that some people have trouble with the syntax of sedutil and do not understand how to turn a syntax diagram into a working command. Documenting and supporting the addition of a key to the UEFI isn't something we have the bandwidth to do effectively. If you have the knowledge and skill to do it on your system that's great.
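Replacing or adding keys, as discussed in the comments above, means writing PK/KEK/db variables in the UEFI EFI_SIGNATURE_LIST layout (the form efitools' cert-to-efi-sig-list produces from a DER certificate). The following is an added example, not code from this thread or from sedutil: a builder for that layout plus a bounds-checked parser you can point at a dumped db to audit which signers are really enrolled. The certificate bytes and owner GUID are constructed placeholders, not a real key.

```python
import struct
import uuid

# UEFI signature-list layout ("EFI_SIGNATURE_LIST" in the UEFI spec): this is what the PK, KEK
# and db authenticated variables hold. X.509 entries are tagged with EFI_CERT_X509_GUID.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_HDR = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize

# Constructed sample inputs for the demo (not a real certificate and not a real owner GUID).
FAKE_CERT = b"\x30\x82\x00\x28" + bytes(range(40))
OWNER_GUID = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")

def build_x509_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in the list form that db/KEK/PK enrollment expects."""
    sig_size = 16 + len(cert_der)            # EFI_SIGNATURE_DATA = SignatureOwner GUID + cert bytes
    list_size = _HDR.size + sig_size         # X.509 lists carry no SignatureHeader
    hdr = _HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)  # EFI GUIDs are mixed-endian
    return hdr + owner.bytes_le + cert_der

def parse_esl(blob: bytes):
    """Walk a variable payload (possibly several concatenated lists) with bounds checks.
    Returns [(signature type, owner GUID, data)], e.g. to list every signer a db really holds."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        body, end = off + _HDR.size + hdr_size, off + list_size
        # Reject sizes that point past the buffer, fold back on the header, or are not a whole
        # number of entries; a zero list_size would otherwise loop forever.
        if end > len(blob) or body > end or sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner, blob[pos + 16:pos + sig_size]))
        off = end
    return entries

def cert_enrolled(blob: bytes, cert_der: bytes) -> bool:
    """True if exactly this DER certificate is present as an X.509 entry in the payload."""
    return any(t == EFI_CERT_X509_GUID and d == cert_der for t, _, d in parse_esl(blob))

if __name__ == "__main__":
    db = build_x509_esl(FAKE_CERT, OWNER_GUID)
    print(len(db), cert_enrolled(db, FAKE_CERT))
```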
See here for an easy-to-use secure boot PBA implementation based on sedutil using Grub 2 with UEFI: https://github.com/Drive-Trust-Alliance/sedutil/issues/301#issuecomment-555552669
sedutil seems to be using a pretty standard Linux boot process, so I don't see why we can't drop in existing signed binaries for SecureBoot unless I'm missing something.
TODO: