Can you use the ZBM release EFI binary + UEFI Secure Boot? #711
Replies: 2 comments
-
The EFI binaries we provide are not signed. You can enroll your own keys and sign the binary, though. Any generic secure boot guide will apply to our EFI binary.
-
Thank you for the info here, I was able to sign the EFI release binary from this repo and boot it successfully with Secure Boot enabled. Another question: Is Secure Boot also enforced on the subsequent Linux kernel that ZBM launches with kexec, or is it exempt? My system is Debian stable (with kernel from backports), and after enabling SB, ZBM booted fine and then also booted the Debian kernel fine (but then halted on the ZFS kernel module not being signed with my custom key, which is a separate problem for me to solve). What I'm wondering is whether SB was enforced on the kernel from Debian backports and passed the check (maybe because it's distributed signed by Microsoft's standard key), or whether SB did not in fact apply to the second Debian kernel since the UEFI had already started ZBM's kernel via EFI stub.
-
I'm interested in enabling Secure Boot on my machine but I'm unclear if the premade EFI binaries on the release page can work in that capacity. Are they signed already, and if so would the keys need to be enrolled on my machine (if I understand this process correctly)? If not, can I sign them myself somehow?
Forgive me if I've missed anything in the docs, but I've been unable to find definitive info on the subject (and my unfamiliarity with Secure Boot in general isn't helping), so any advice on best practices or links to resources I've missed would be helpful in getting started.