Like the title says: UEFI secure-boot has some annoying properties where we need to decide if we want to support it, and if so, how.
Currently, we can
- Not support secure-boot
- Support secure-boot the Ubuntu way, where we ship a Microsoft-signed shim but don't validate the kernel images (meaning that we don't actually use secure-boot, but bypass it)
- Use a proper implementation, e.g. with the Linux Foundation's shim loader
All of those solutions, except for the first, would require us to ship a signed BLOB in the main archive (we have the source code for it, but can't reproduce it due to missing signing keys).
Solution 2 would allow us to make installations easier by bypassing secure-boot, so users don't need to fiddle with the UEFI settings if they want to install Tanglu. Solution 3 would be the proper implementation.
So, I think we should likely go from 1 -> 2 -> 3 when implementing it - but I would like to have some feedback if we can and should ship a signed BLOB in the archive for boot (naturally, this feels like something for non-free, but we can't enable non-free by default just to have users boot their system).