I wanted to share my experience with trying to get something signed for Secure Boot with my imaging program. It basically comes down to this: it's very difficult for open source projects to get something signed.
First of all, you need to get your bootloader signed by Microsoft; there is no way around it. Second, it requires an EV code signing certificate. These are expensive, and you can only get them if you are a legitimate business. You must use a shim; otherwise every change to a kernel or bootloader would require having it re-signed by Microsoft, which is not feasible. Also, shim does not currently support Proxy DHCP servers. The basic workflow is this:
Compile the shim with a self-signed CA baked in; then you can sign your kernels and bootloaders against the CA without needing to have the shim re-signed by MS for every change.
Submit the shim and your EV certificate to Microsoft
They will reach out to the shim maintainers who will ask you a bunch of questions about how you will use the shim. If you tell them you are going to use it with iPXE they probably won’t approve it. You need to tell them you are using Grub. If they catch you signing anything other than what you say, they will blacklist your shim.
If everything checks out then they’ll send you the precious signed shim.
I personally scrapped the idea of trying to get a signed shim because of the business requirement. Too much extra cost, not to mention the hassle of doing taxes with a business that doesn’t actually make any money.
The future looks dim because of Secure Boot.
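The "bake a CA into shim, then sign everything else yourself" workflow from the post, written out as shell commands. This is an added example, not code from the poster or from the shim project; it assumes openssl and sbsigntools (sbsign/sbverify) are installed and that a shim source tree is available. The file names, the CA subject and the `build_shim` argument are placeholders; `VENDOR_CERT_FILE` is the make variable shim's build uses to embed a DER certificate.

```shell
#!/bin/sh
# Added example (not from the original post or the shim project): the
# vendor-CA-in-shim workflow as shell commands.
# Assumes openssl, sbsigntools (sbsign/sbverify) and a shim source checkout.
# File names, the CA subject and the shim source path are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the self-signed vendor CA. Whoever holds this private key
#    controls what the Microsoft-signed shim will boot, so in real use it
#    belongs offline or in an HSM, not on a build box.
make_vendor_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Vendor Secure Boot CA" \
        -keyout "$WORK/vendor.key" -out "$WORK/vendor.crt" 2>/dev/null
    # shim's build embeds the DER form; sbsign consumes the PEM form.
    openssl x509 -in "$WORK/vendor.crt" -outform DER -out "$WORK/vendor.der"
    [ -s "$WORK/vendor.der" ]
}

# Print the subject of the DER certificate, to confirm the right CA is
# about to be embedded before the shim goes off for Microsoft signing.
vendor_ca_subject() {
    openssl x509 -inform DER -in "$WORK/vendor.der" -noout -subject
}

# 2. Build shim with the vendor certificate compiled in. This binary is
#    what gets submitted to Microsoft, and it only changes when the CA does.
#    Not run here: it needs the shim source tree passed as $1.
build_shim() {
    make -C "$1" VENDOR_CERT_FILE="$WORK/vendor.der"
}

# 3. Sign the second-stage loader (and kernels) with the vendor key.
#    Re-signing these never needs a new Microsoft submission.
#    Returns 2 if sbsign is not installed on this host.
sign_payload() {
    in="$1"; out="$2"
    command -v sbsign >/dev/null 2>&1 || return 2
    sbsign --key "$WORK/vendor.key" --cert "$WORK/vendor.crt" \
        --output "$out" "$in"
}

# 4. Check that a signed image chains to the vendor certificate, which is
#    the check shim performs at boot. Returns 2 if sbverify is missing.
verify_payload() {
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --cert "$WORK/vendor.crt" "$1"
}

# Typical run (shim source path and grub binary are placeholders):
#   make_vendor_ca
#   build_shim ./shim
#   sign_payload grubx64.efi grubx64.efi.signed
#   verify_payload grubx64.efi.signed
```

The point of the split is that only `build_shim` produces something Microsoft has to sign; everything `sign_payload` touches is validated against the embedded CA instead, which is exactly why the shim maintainers ask what you intend to sign with it.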