zarhus / zarhus-issues

The Zarhus issues tracker

Use PKCS#11 with HSM #3

Open PLangowski opened 3 months ago

PLangowski commented 3 months ago

If we develop CI/CD for generating UEFI Secure Boot-compatible images, we will likely use some kind of HSM to store signing keys. As of now, we have only developed Secure Boot integration where keys are stored in the file system. Introducing an HSM would be beneficial security-wise, but we would need to develop a secure way to transfer keys from the HSM into the build environment. For this I suggest using PKCS#11, a standard that defines an API that can be used to safely access and use those keys.