Current state of SecureBoot support
2018-11-29, 09:15
Post: #3
RE: Current state of SecureBoot support
(2018-11-28 23:15)NiKiZe Wrote: You need to build ipxe, sign it with an EV certificate, and then have iPXE cross signed by Microsoft.

My findings with Gigabyte Z87N are indeed strange - with SB on, iPXE EFI image boots (into the menu) without issue, so I thought this was already signed, and the documentation just wasn't updated..? The iPXE image comes from Kali's repo.

(2018-11-28 23:15)NiKiZe Wrote: After iPXE starts you will in turn have to call shim to have the shim approve kernel or something else.

I got lucky this time and the board's firmware allows me to set SB "execution policy" that basically says "boot whatever" - Windows gets its "secureboot on" state and Clonezilla boots through iPXE without issue. Barring this loophole, SB should allow unsigned/arbitrary kernel as long as its hash is in the SB's DB, which I was able to manipulate with Keytool.

Oh, and yes - Clonezilla-alt's kernel is signed with Canonical's key, the certificate for which is available (along with many others) here.
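
Added example (not part of the original post and not iPXE project code): the hash-in-db approach mentioned in the post matches an image by its Authenticode SHA-256 digest, which skips the checksum field, the certificate-table directory entry and any appended signature, so the digest is the same before and after signing. This Python version assumes the sections are stored contiguously in file order and the file needs no alignment padding; `sample_image` is a constructed header blob, not a real binary.

```python
import hashlib
import struct

def authenticode_sha256(image):
    """Authenticode SHA-256 digest of a PE/COFF image (bytes or bytearray)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                      # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                # CheckSum, 4 bytes
    dirs = opt + (112 if magic == 0x20B else 96)       # data directory array
    if struct.unpack_from("<I", image, dirs - 4)[0] < 5:
        raise ValueError("no certificate table directory entry")
    certdir = dirs + 4 * 8                             # entry 4, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", image, certdir)
    end = len(image)
    if cert_len:                                       # image carries a signature
        if cert_off + cert_len != end:
            raise ValueError("certificate table is not at end of file")
        end = cert_off                                 # signature is not hashed
    h = hashlib.sha256()
    for chunk in (image[:checksum], image[checksum + 4:certdir],
                  image[certdir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def sample_image():
    """Constructed minimal PE32+ header blob for the demo (not bootable)."""
    img = bytearray(512)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)      # PE32+ magic
    struct.pack_into("<I", img, 0x80 + 24 + 108, 16)   # NumberOfRvaAndSizes
    img[0x190:] = bytes(range(112))                    # stand-in section data
    return img

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    print(authenticode_sha256(data))
```

Run against a real EFI binary, the printed value can be compared with the SHA-256 entry a key-management tool shows for that image in db.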
Messages In This Thread |
Current state of SecureBoot support - myxal - 2018-11-19, 15:19
RE: Current state of SecureBoot support - NiKiZe - 2018-11-28, 23:15
RE: Current state of SecureBoot support - myxal - 2018-11-29 09:15