edk2: Enable Secure Boot support

This enables *support* for Secure Boot. It is not recommended to enable
Secure Boot. There is no firmware UI for managing the state or keys.

The system will default to disabled in Setup Mode:

    $ mokutil --sb-state
    SecureBoot disabled
    Platform is in Setup Mode

This is sufficient to install Windows 11.

Signed-off-by: Tim Crawford <tcrawford@system76.com>

CHANGELOG.md

@@ -4,6 +4,10 @@ Changes are identified by the date of the released firmware including them. If
 you are running System76 Open Firmware, opening the boot menu will show this
 date followed by an underscore and a short git revision.
 
+## unreleased
+
+- Enabled support for Secure Boot
+
 ## 2022-11-21
 
 - lemp11: Added workaround to force S0ix entry on suspend

models/addw1/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/addw2/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/addw3/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/bonw14/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp5/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp6/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp7/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/darp8/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp2/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp3-b/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp3-c/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp3/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp4/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp5/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/galp6/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze14_1650/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze14_1660ti/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze15/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze16-3050/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze16-3060-b/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze16-3060/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze17-3050/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/gaze17-3060-b/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/lemp10/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/lemp11/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/lemp9/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp10/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp11/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp5/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp6/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp7/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp8/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/oryp9/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/qemu/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE

models/serw13/edk2.config

@@ -2,7 +2,7 @@ BOOTLOADER=COREBOOT
 DISABLE_SERIAL_TERMINAL=TRUE
 PLATFORM_BOOT_TIMEOUT=2
 PS2_KEYBOARD_ENABLE=TRUE
-#SECURE_BOOT_ENABLE=TRUE
+SECURE_BOOT_ENABLE=TRUE
 SERIAL_DRIVER_ENABLE=FALSE
 SHELL_TYPE=NONE
 TPM_ENABLE=TRUE