bri3d 5 hours ago
With almost all modern motherboard firmware you can enter Setup mode and use KeyTool to configure the trust store however you want, starting from enrolling a user PK (Platform Key) upwards. It’s generally a lot more secure to avoid the use of any shims (since they leave you vulnerable to what happened in this article) and just build a UEFI Kernel Image and sign that. Some systems need third-party firmware to reach the OS, and this can get a bit more complicated since those modules need to load with the new user keys, but overall what you are asking is generally possible.
mistrial9 5 hours ago
> just build a UEFI Kernel Image and sign that.

Examples and documentation welcome.