edk2: Enable Secure Boot support

This enables *support* for Secure Boot. It is not recommended to enable Secure Boot. There is no firmware UI for managing the state or keys. The system will default to disabled in Setup Mode: $ mokutil --sb-state SecureBoot disabled Platform is in Setup Mode This is sufficient to install Windows 11. Signed-off-by: Tim Crawford <tcrawford@system76.com>
2023-01-24 10:41:01 -07:00
parent bb66f96e7d
commit 105e74b146
36 changed files with 36 additions and 35 deletions
--- a/models/addw1/edk2.config
+++ b/models/addw1/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/addw2/edk2.config
+++ b/models/addw2/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/addw3/edk2.config
+++ b/models/addw3/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/bonw14/edk2.config
+++ b/models/bonw14/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/darp5/edk2.config
+++ b/models/darp5/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/darp6/edk2.config
+++ b/models/darp6/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/darp7/edk2.config
+++ b/models/darp7/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/darp8/edk2.config
+++ b/models/darp8/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp2/edk2.config
+++ b/models/galp2/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp3-b/edk2.config
+++ b/models/galp3-b/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp3-c/edk2.config
+++ b/models/galp3-c/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp3/edk2.config
+++ b/models/galp3/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp4/edk2.config
+++ b/models/galp4/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp5/edk2.config
+++ b/models/galp5/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/galp6/edk2.config
+++ b/models/galp6/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze14_1650/edk2.config
+++ b/models/gaze14_1650/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze14_1660ti/edk2.config
+++ b/models/gaze14_1660ti/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze15/edk2.config
+++ b/models/gaze15/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze16-3050/edk2.config
+++ b/models/gaze16-3050/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze16-3060-b/edk2.config
+++ b/models/gaze16-3060-b/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze16-3060/edk2.config
+++ b/models/gaze16-3060/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze17-3050/edk2.config
+++ b/models/gaze17-3050/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/gaze17-3060-b/edk2.config
+++ b/models/gaze17-3060-b/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/lemp10/edk2.config
+++ b/models/lemp10/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/lemp11/edk2.config
+++ b/models/lemp11/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/lemp9/edk2.config
+++ b/models/lemp9/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp10/edk2.config
+++ b/models/oryp10/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp11/edk2.config
+++ b/models/oryp11/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp5/edk2.config
+++ b/models/oryp5/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp6/edk2.config
+++ b/models/oryp6/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp7/edk2.config
+++ b/models/oryp7/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp8/edk2.config
+++ b/models/oryp8/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/oryp9/edk2.config
+++ b/models/oryp9/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/qemu/edk2.config
+++ b/models/qemu/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE
--- a/models/serw13/edk2.config
+++ b/models/serw13/edk2.config
@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE