Content #
Secure Boot is an EFI/UEFI feature that prevents computers from loading any operating system, operating system modules, or device drivers that haven’t been signed by an authorized security key. It helps prevent computers from loading various types of malware, such as rootkits.
TPM stands for Trusted Platform Module and is the firmware chip on the motherboard that contains the signing keys that the Secure Boot option needs.
What is bad is that the necessary signatures and signing keys are loaded into the TPM when the computer is manufactured, and Microsoft pretty much controls which signatures and keys get loaded. So, at first, Windows was the only operating system that was guaranteed to boot on a machine with Secure Boot enabled. Linux developers had to come up with a way to make Linux work with Secure Boot. The Linux faithful wailed and gnashed their teeth even more when they learned that this would have to involve letting Microsoft issue the signing keys for Linux bootloaders.
GRUB2 works with the shim system, which uses pre-signed shim files. On the Alma machine, these are the shimx64.efi and shimx64-almalinux.efi files, which we saw in the boot/efi/EFI/almalinux directory. On the Ubuntu Server machine, all we have is the shimx64.efi file in the boot/efi/EFI/ubuntu directory. So, why do we have this shim system, instead of just signing the GRUB2 bootloader files? Well, there are two reasons. One is that GRUB2 is already rather bloated and adding the Secure Boot code to it would bloat it even more. The other reason is that the GRUB2 code is licensed under the GPL3 free-as-in-speech software license. For some reason that I don’t know, Microsoft refuses to issue signing keys for anything that’s under GPL3. For that reason, systemd-boot is licensed under GPL2, which Microsoft seems to like better.
From #
Linux Service Management Made Easy with systemd