edk2: Enable Secure Boot support

This enables *support* for Secure Boot. It is not recommended to enable
Secure Boot. There is no firmware UI for managing the state or keys.

The system will default to disabled in Setup Mode:

    $ mokutil --sb-state
    SecureBoot disabled
    Platform is in Setup Mode

This is sufficient to install Windows 11.

Signed-off-by: Tim Crawford <tcrawford@system76.com>

CHANGELOG.md

@@ -7,6 +7,7 @@ date followed by an underscore and a short git revision.
 ## unreleased
 
 - Updated coreboot to upstream commit decbf7b4d975
+- Enabled support for Secure Boot
 
 ## 2022-11-21
 

models/addw1/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/addw2/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/addw3/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/bonw14/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp5/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp6/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp7/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp8/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp2/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp3-b/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp3-c/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp3/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp4/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp5/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp6/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze14_1650/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze14_1660ti/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze15/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze16-3050/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze16-3060-b/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze16-3060/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze17-3050/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze17-3060-b/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/lemp10/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/lemp11/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/lemp9/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp10/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp11/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp5/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp6/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp7/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp8/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp9/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/qemu/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/serw13/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE