Linux Developers Step Up to the Secure Boot Challenge

17.07.2012

Bottomley has also posted, in a repository, a set of tools that can be used to sign EFI binaries, he said.

"The current state is that I've managed to lock down the Secure Boot virtual platform with my own PK and KEK and verified that I can generate signed EFI binaries that will run on it (and that it will refuse to run unsigned efi binaries)," Bottomley explained. "Finally I've demonstrated that I can sign elilo.efi ... and have it boot an unsigned Linux kernel when the platform is in secure mode (I've booted up to an initrd root prompt)."

'Far From Rock Solid'

The Linux Foundation Technical Advisory Board began looking into the situation "because it turns out to be rather difficult to lay your hands on real UEFI Secure Boot enabled hardware," Bottomley pointed out.

This new contribution, however, is still "very alpha," he warned. "The Tianocore firmware that does Secure Boot is only a few weeks old, and the sbsigning tools weren't really working up until yesterday, so this is very far from rock solid."