NekkoDroid, 4 hours ago:
The enrolling of the certs happens before the bootloader calls `ExitBootServices()` (I think that is what the function was called). Up until then the bootloader still has elevated privileges and can modify certain UEFI stuff it can't after, including enrolling certs. systemd-boot can do that if you force it to (only does it by default on VMs cuz expectedly UEFI implementations in the wild are kinda shit) [1, 2]

[1]: https://www.freedesktop.org/software/systemd/man/latest/syst...
[2]: https://www.freedesktop.org/software/systemd/man/latest/load...
mjg59, an hour ago (reply):
No, there's nothing special about the spec Secure Boot variables as far as boot services go: you can modify those in runtime as well. We use boot service variables to protect the MOK key in Shim, but that's outside what the spec defines as Secure Boot.
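A quick way to check the distinction the two comments are arguing about from a running Linux system is to decode the attribute word that efivarfs prepends to each variable: the Secure Boot databases (PK, KEK, db, dbx) carry the RT (runtime access) and time-based authenticated-write bits, so a runtime caller with a correctly signed payload can still write them, whereas shim's `MokList` is boot-service-only and therefore does not appear under efivarfs at all; only the `MokListRT` copy does. The script below is an added example, not code from either commenter or from shim or systemd-boot; the attribute bit values and the efivarfs layout (4-byte little-endian attribute word followed by the data) are from the UEFI spec and the Linux efivarfs driver, while the sample files used to exercise it are constructed here.

```shell
#!/bin/sh
# Added example: decode UEFI variable attributes as exposed by Linux efivarfs.
# Layout of each efivarfs file: 4-byte little-endian attribute word, then data.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# Attribute bits from the UEFI spec (SetVariable() Attributes parameter).
EFI_VARIABLE_NON_VOLATILE=1
EFI_VARIABLE_BOOTSERVICE_ACCESS=2
EFI_VARIABLE_RUNTIME_ACCESS=4
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS=16
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS=32

# Read the attribute word of one efivarfs file and print it as a decimal integer.
efivar_attrs() {
  od -An -t u4 -N 4 "$1" | tr -d ' \n'
}

# Decode an attribute word into space-separated flag names.
efivar_decode() {
  attrs=$1
  out=""
  [ $((attrs & EFI_VARIABLE_NON_VOLATILE)) -ne 0 ] && out="$out NV"
  [ $((attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS)) -ne 0 ] && out="$out BS"
  [ $((attrs & EFI_VARIABLE_RUNTIME_ACCESS)) -ne 0 ] && out="$out RT"
  [ $((attrs & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)) -ne 0 ] && out="$out AUTH"
  [ $((attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) -ne 0 ] && out="$out TIME_AUTH"
  echo "${out# }"
}

# Report the Secure Boot databases and shim's MOK variables found in a directory
# laid out like efivarfs: one line per variable, "NAME  flags".
# Anything that is boot-service-only (e.g. MokList) is simply absent here,
# because efivarfs only sees variables that survive ExitBootServices().
efivar_report() {
  dir=$1
  for f in "$dir"/PK-* "$dir"/KEK-* "$dir"/db-* "$dir"/dbx-* "$dir"/MokList*; do
    [ -e "$f" ] || continue
    name=${f##*/}
    printf '%-12s %s\n' "${name%%-*}" "$(efivar_decode "$(efivar_attrs "$f")")"
  done
}

# Stand-alone use: report on the live system (prints nothing if efivarfs is absent).
efivar_report "$EFIVARS_DIR"
```

On a machine booted with shim, expect db, dbx, KEK and PK to report `NV BS RT TIME_AUTH` and `MokListRT` to report `BS RT` (it is volatile, regenerated by shim each boot); a missing `MokList` line is the expected result, not an error, and is precisely the protection the second comment describes. The GUIDs in the file names (`8be4df61-93ca-11d2-aa0d-00e098032b8c` for PK/KEK, `d719b2cb-3d3a-4596-a3bc-dad00e67656f` for db/dbx, `605dab50-e046-4300-abb6-3dd810dd8b23` for shim's MOK variables) are ignored by the report, which keys only on the variable name.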